This is not what I'm looking for.

I need a log from a mail that is processed by ASSP_AFC with no hit - but a 
virus is detected by the postcheck.

This example is one for which the postprocessing is made. The mail was 
blocked by any feature (except/before attachment + virus check). The stored 
file is post scanned and a virus is detected. The file is moved to 
quarantine to prevent blockreport resends. The related internal flags are 
set to tell this to the post plugins like ASSP_ARC and ASSP_RSS. 

Thomas




From:    "K Post" <nntp.p...@gmail.com>
To:      "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Date:    11.01.2019 05:32
Subject: Re: [Assp-test] ClamAV catching spam, but still delivered



I found one, sort of.
The message was still blocked because they spoofed our domain and was 
otherwise pretty bad, but ClamAV didn't scan until after.  Does this log 
help figure out why?  In this case, i don't even see AFC launching (vs the 
previous example where it did).

Jan-10-19 12:14:17 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> 
Message-Score: added 15 (fiphValencePB) for Suspicious HELO - contains IP: 
'[92.1xx.xx.xx]', total score for this message is now 15
Jan-10-19 12:14:17 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> 
[scoring] (Suspicious HELO - contains IP: '[92.1xx.xx.xx]')
Jan-10-19 12:14:17 98437-10602 [SpoofedSender] 92.1xx.xx.xx 
<ouru...@ourcharityh.org> [scoring] (No Spoofing Allowed 
'ouru...@ourcharityh.org' in 'mailfrom')
Jan-10-19 12:14:17 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> 
Message-Score: added 5 (slValencePB) for No Spoofing Allowed 
'ouru...@ourcharityh.org' in 'mailfrom', total score for this message is 
now 20
Jan-10-19 12:14:21 98437-10602 [SpoofedSender] 92.1xx.xx.xx 
<ouru...@ourcharityh.org> to: ouru...@ourcharityh.org [scoring] (No 
Spoofing Allowed 'ouru...@ourcharityh.org' in 'from')
Jan-10-19 12:14:21 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: 
ouru...@ourcharityh.org [scoring] DKIM domain-check skipped - 
OurCharityh.org does not support DKIM
Jan-10-19 12:14:21 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: 
ouru...@ourcharityh.org [scoring] SPF: softfail ip=92.1xx.xx.xx 
mailfrom=ouru...@ourcharityh.org helo=[92.1xx.xx.xx]
Jan-10-19 12:14:21 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: 
ouru...@ourcharityh.org Message-Score: added 5 (spfsValencePB) for SPF 
softfail, total score for this message is now 25
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: 
ouru...@ourcharityh.org Message-Score: added 110 for DNSBL: failed, 
92.1xx.xx.xx listed in bb.barracudacentral.org bl.spamcop.net 
cbl.abuseat.org, total score for this message is now 135
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: 
ouru...@ourcharityh.org [scoring] DNSBL: failed, 92.1xx.xx.xx listed in (
bb.barracudacentral.org<-127.0.0.2; bl.spamcop.net<-127.0.0.2; 
cbl.abuseat.org<-127.0.0.2)
Jan-10-19 12:14:22 98437-10602 [ValidHELO] 92.1xx.xx.xx 
<ouru...@ourcharityh.org> to: ouru...@ourcharityh.org [scoring] (not valid 
HELO: '[92.1xx.xx.xx]')
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: 
ouru...@ourcharityh.org Message-Score: added 10 (ihValencePB) for not 
valid HELO: '[92.1xx.xx.xx]', total score for this message is now 145
Jan-10-19 12:14:22 98437-10602 [PTRmissing] 92.1xx.xx.xx 
<ouru...@ourcharityh.org> to: ouru...@ourcharityh.org [scoring] (PTR 
missing)
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: 
ouru...@ourcharityh.org Message-Score: added 10 (ptmValencePB) for PTR 
missing, total score for this message is now 155
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: 
ouru...@ourcharityh.org HMM Check [scoring] - Prob: 1.00000 - Confidence: 
1.00000 => confident.spam - answer/query relation: 100% of 201
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: 
ouru...@ourcharityh.org Message-Score: added 50 for HMM Probability: 
1.00000, total score for this message is now 205
Jan-10-19 12:14:22 98437-10602 [PenaltyBox] 92.1xx.xx.xx 
<ouru...@ourcharityh.org> to: ouru...@ourcharityh.org [monitoring] 
totalscore for 92.1xx.xx.xx is 265, last bad penalty was 'HMM'
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: 
ouru...@ourcharityh.org deleting spamming safelisted tuplet: 
(92.181.45.0,OurCharityh.org) age: 4s
Jan-10-19 12:14:22 98437-10602 [MessageLimit] 92.1xx.xx.xx 
<ouru...@ourcharityh.org> to: ouru...@ourcharityh.org MaxAllowedDups (3) 
reached for this subject - moved oldest file 
messages/spam/The_decision_to_suspend_your_account_Waiting_for_payment--3093512.txt
to 
c:/assp/messages/discarded/The_decision_to_suspend_your_account_Waiting_for_payment--3093512.txt
Jan-10-19 12:14:22 98437-10602 [MessageLimit] 92.1xx.xx.xx 
<ouru...@ourcharityh.org> to: ouru...@ourcharityh.org [spam found] 
(MessageScore 205, limit 50) [The decision to suspend your account Waiting 
for payment] -> 
messages/spam/The_decision_to_suspend_your_account_Waiting_for_payment--3096260.txt;
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: 
ouru...@ourcharityh.org [SMTP Error] 554 5.7.1 Not Delivered [98437-10602 
AAD59CE8]
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: 
ouru...@ourcharityh.org info: PB-IP-Score for '92.1xx.xx.xx' is 265, added 
205 in this session
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: 
ouru...@ourcharityh.org finished message - received DATA size: 2.43 kByte 
- sent DATA size: 0 Byte
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: 
ouru...@ourcharityh.org disconnected: session:AAD59CE8 92.1xx.xx.xx - 
processing time 7 seconds
Jan-10-19 12:14:22 Info: connected to ClamAV daemon at 127.0.0.1:3310
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: 
ouru...@ourcharityh.org ClamAV: scanned 4586 bytes in file 
messages/spam/The_decision_to_suspend_your_account_Waiting_for_payment--3096260.txt
- FOUND Sanesecurity.Phishing.Fake.Coin.27601.UNOFFICIAL
Jan-10-19 12:14:23 98437-10602 92.1xx.xx.xx <ouru...@ourcharityh.org> to: 
ouru...@ourcharityh.org Message-Score: added 50 (vdValencePB) for virus 
detected: 'Sanesecurity.Phishing.Fake.Coin.27601.UNOFFICIAL', total score 
for this message is now 255

On Thu, Jan 10, 2019 at 10:24 AM K Post <nntp.p...@gmail.com> wrote:
I made the change.  Will report back as soon as I can catch something.  
FYI, I removed securiteite's marketing list from ClamAV.  The majority of 
the post detections were hitting those signatures, and they were usually 
false positives.

On Wed, Jan 9, 2019 at 12:39 PM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
set AttachmentLog and ScanLog to the highest level 

post the complete log for a passed mail (post detected) 

Thomas





From:    "K Post" <nntp.p...@gmail.com> 
To:      "ASSP development mailing list" <assp-test@lists.sourceforge.net> 
Date:    09.01.2019 18:33 
Subject: Re: [Assp-test] ClamAV catching spam, but still delivered 



I've been running AFC 4.88 for a while now.  I will update to 4.89, but it 
doesn't sound like that's it. 

I just did a search on "ClamAV: scanned" and see a ton of these lines in 
today's log appearing after delivery.  I believe I'm only seeing the logs 
when clamav actually catches something after the fact.  Could it NEVER be 
scanning the stream itself?  Is there a setting that I have wrong?  What 
should I check? 

Any other ideas as to why the clam scan seems to fairly regularly be 
either skipped or fails during the delivery process?  Could ASSP somehow 
detect this problem before delivery, scan the file instead of the stream, 
and then decide to deliver or not?   

Spam's annoying, but if some slips through because of this, I don't really 
care.  It's the fear of a detectable true virus being sent through because 
ClamAV sometimes isn't working on the stream that's scaring me. 

thanks 
Ken 


On Wed, Jan 9, 2019 at 11:06 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote: 
any of your settings or a bug prevents ASSP_AFC from scanning the mail 

>ClamAV: scanned 2805 bytes in file 
messages/okmail/Spam_Subject--3092281.txt 

This is a security (post)scan forced by 'ClamAVLogScan'. Stored files are 
scanned, if not already done while processing the mail. 

notice: a security BUG was fixed in ASSP_AFC 4.88 and 4.89 ---- some MIME 
types were not correctly detected while processing the mail, but if files 
were scanned - seems you use an outdated ASSP_AFC 

Thomas





From:    "K Post" <nntp.p...@gmail.com> 
To:      "ASSP development mailing list" <assp-test@lists.sourceforge.net> 
Date:    09.01.2019 16:45 
Subject: [Assp-test] ClamAV catching spam, but still delivered 



Hi Thomas, 
Back in July 2018, I started a thread where ClamAV was catching spam, but 
only AFTER delivery.  You suggested that the ASSP_AFC plugin wasn't 
scanning the MIME headers and then fixed that in AFC 4.83. 

I just received a report of spam that still came through, despite ClamAV 
catching it.  In reviewing the log, I see a low scoring message being 
delivered and then 1 second later ClamAV via AFC showing a hit. 

It's a normal sounding email, so I understand why bayesian / HMM wouldn't 
catch it.  I'm glad that clamav did, but it's pointless if the scan is 
after the delivery right? 

The last time I brought this up, you initially said that I have a setting 
that prevents ClamAV from running until after delivery.  Can you tell me 
what that setting is? 
Thanks 

log: 

Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org [scoring] DKIM domain-check skipped - spam.xx does 
not support DKIM 
Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org [scoring] SPF: softfail ip=37.xx.xx.xx.xx 
mailfrom=thespam...@spam.xx helo=randomhost.com 
Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org Message-Score: added 5 (spfsValencePB) for SPF 
softfail, total score for this message is now 5 
Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org checking MX/A for spam.xx , otherspam.xx 
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org spam.xx - MX 'mx1.compromised.net' - got IP 
(18.xx.xx.xx) 
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org otherspam.xx - MX 'mx2.mail.otherspam.xx' - got IP 
(14.xx.xx.xx) 
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org MX found: spam.xx (Mail From: , From) -> 
mx1.compromised.net 
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org A record found for MX: spam.xx (Mail From: , From) 
-> 18.xx.xx.xx 
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org MX found: otherspam.xx (Reply-To) -> 
mx2.mail.otherspam.xx 
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org A record found for MX: otherspam.xx (Reply-To) -> 
14.xx.xx.xx 
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org [scoring] found valid PTR hosted-by-xx.com 
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org HMM-Check has given less than 6 results - using 
monitoring mode only 
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org HMM Check [monitoring] - Prob: 1.00000 - 
Confidence: 0.00028 => doubtful.spam - answer/query relation: 0% of 137 
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org Bayesian Check [scoring] - Prob: 1.00000 - 
Confidence: 0.00000 => doubtful.spam - answer/query relation: 100% of 138 
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org Message-Score: added 25 for Bayesian Probability: 
1.00000, total score for this message is now 30   WE'RE AT 30 
Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org [Plugin] calling plugin ASSP_AFC   AFC CALLED 
Jan-08-19 03:02:55 17771-28711 [MessageOK] 37.xx.xx.xx.xx 
<thespam...@spam.xx> to: our.u...@ourcharity.org message ok [ Subject] -> 
messages/okmail/Spam_Subject--3092281.txt 
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org info: PB-IP-Score for '37.xx.xx.xx.xx' is 5, added 
5 in this session 
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org finished message - received DATA size: 1.87 kByte 
- sent DATA size: 2.97 kByte 
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org disconnected: session:11EAAF22 37.xx.xx.xx.xx - 
processing time 5 seconds DELIVERED 
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org ClamAV: scanned 2805 bytes in file 
messages/okmail/Spam_Subject--3092281.txt - FOUND 
winnow.spam.ts.xmailer.2.UNOFFICIAL   Spam (Virus) found 1 second after 
AFC called 
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org deleting spamming safelisted tuplet: 
(37.48.120.0,spam.xx) age: 3s 
Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <thespam...@spam.xx> to: 
our.u...@ourcharity.org Message-Score: added 50 (vdValencePB) for virus 
detected: 'winnow.spam.ts.xmailer.2.UNOFFICIAL', total score for this 
message is now 80  ADDED 50, but only after delivery 

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
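The two logs in this thread differ in one detail that matters for the risk Ken describes: in the first (Jan-08) the ClamAV hit is logged after "finished message" with a non-zero "sent DATA size", so the mail had already been relayed; in the second (Jan-10) the hit is also logged after the session finished, but "sent DATA size: 0 Byte" shows nothing left ASSP and the post-scan is the intended one Thomas describes. The following Python checker is an added example, not code from the thread or from ASSP/ASSP_AFC itself; it assumes only the line layout seen in the quoted logs (timestamp, session id, free text) and runs over constructed sample lines modelled on them, with invented addresses, IPs and signature names. It reports, per SMTP session, whether a ClamAV detection happened in-stream, after an already-blocked message, or after delivery.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional

# One ASSP log line: "<Mon-DD-YY HH:MM:SS> <pid-connection> <rest>".
# Lines without a session id (e.g. "Info: connected to ClamAV daemon ...") are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<sid>\d+-\d+) (?P<rest>.*)$"
)
SENT_RE = re.compile(r"sent DATA size: (?P<num>[\d.]+) (?P<unit>k?Byte)")
FOUND_RE = re.compile(r"ClamAV: scanned \d+ bytes in file (?P<path>\S+) - FOUND (?P<sig>\S+)")

# Constructed sample modelled on the two logs quoted in the thread; addresses,
# IPs, file names and signature names are invented for this example.
SAMPLE_LOG = """\
Jan-08-19 03:02:55 17771-28711 37.0.0.1 <sender@example.invalid> to: user@example.org Message-Score: added 25 for Bayesian Probability: 1.00000, total score for this message is now 30
Jan-08-19 03:02:55 17771-28711 37.0.0.1 <sender@example.invalid> to: user@example.org [Plugin] calling plugin ASSP_AFC
Jan-08-19 03:02:55 17771-28711 [MessageOK] 37.0.0.1 <sender@example.invalid> to: user@example.org message ok [ Subject] -> messages/okmail/Spam_Subject--1.txt
Jan-08-19 03:02:56 17771-28711 37.0.0.1 <sender@example.invalid> to: user@example.org finished message - received DATA size: 1.87 kByte - sent DATA size: 2.97 kByte
Jan-08-19 03:02:56 Info: connected to ClamAV daemon at 127.0.0.1:3310
Jan-08-19 03:02:56 17771-28711 37.0.0.1 <sender@example.invalid> to: user@example.org ClamAV: scanned 2805 bytes in file messages/okmail/Spam_Subject--1.txt - FOUND Example.Spam.Signature.UNOFFICIAL
Jan-10-19 12:14:22 98437-10602 92.0.0.1 <spoof@example.org> to: user@example.org [SMTP Error] 554 5.7.1 Not Delivered
Jan-10-19 12:14:22 98437-10602 92.0.0.1 <spoof@example.org> to: user@example.org finished message - received DATA size: 2.43 kByte - sent DATA size: 0 Byte
Jan-10-19 12:14:22 98437-10602 92.0.0.1 <spoof@example.org> to: user@example.org ClamAV: scanned 4586 bytes in file messages/spam/Blocked--2.txt - FOUND Example.Phishing.Signature.UNOFFICIAL
"""


@dataclass
class Session:
    sid: str
    afc_called: bool = False
    finished_line: Optional[int] = None   # line index of "finished message"
    finished_at: Optional[datetime] = None
    sent_bytes: Optional[float] = None    # 0 means ASSP relayed nothing (blocked)
    found_line: Optional[int] = None      # line index of the ClamAV FOUND line
    found_at: Optional[datetime] = None
    signature: Optional[str] = None


def parse_sessions(log_text: str) -> Dict[str, Session]:
    """Group log lines by session id and pick out the events we care about."""
    sessions: Dict[str, Session] = {}
    for lineno, line in enumerate(log_text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b-%d-%y %H:%M:%S")
        s = sessions.setdefault(m.group("sid"), Session(m.group("sid")))
        rest = m.group("rest")
        if "calling plugin ASSP_AFC" in rest:
            s.afc_called = True
        sm = SENT_RE.search(rest)
        if sm:
            size = float(sm.group("num"))
            s.sent_bytes = size * 1024 if sm.group("unit") == "kByte" else size
            s.finished_line, s.finished_at = lineno, ts
        fm = FOUND_RE.search(rest)
        if fm:
            s.found_line, s.found_at, s.signature = lineno, ts, fm.group("sig")
    return sessions


def verdict(s: Session) -> str:
    """Classify when the ClamAV hit happened relative to the end of the SMTP session."""
    if s.signature is None:
        return "no-detection"
    # Line order is used rather than timestamps because ASSP logs both events
    # within the same second (see the quoted logs).
    if s.finished_line is not None and s.found_line > s.finished_line:
        if s.sent_bytes:
            return "delivered-before-detection"   # mail already relayed: the dangerous case
        return "blocked-before-detection"          # post-scan of a stored, already-blocked file
    return "detected-in-stream"


def classify(log_text: str) -> Dict[str, dict]:
    """Per-session summary suitable for alerting on 'delivered-before-detection'."""
    return {
        sid: {
            "verdict": verdict(s),
            "signature": s.signature,
            "afc_called": s.afc_called,
            "finished_at": s.finished_at,
            "found_at": s.found_at,
        }
        for sid, s in parse_sessions(log_text).items()
    }


if __name__ == "__main__":
    for sid, info in classify(SAMPLE_LOG).items():
        print(sid, info["verdict"], info["signature"],
              "AFC called" if info["afc_called"] else "AFC not called")
```

Run against a real ASSP log, every session reported as "delivered-before-detection" is a message that reached the recipient before the signature hit, which is the case worth alerting on; "blocked-before-detection" sessions match the post-scan of stored files that Thomas describes as intended, and the "afc_called" flag helps tell apart sessions where ASSP_AFC never ran from those where it ran without a hit.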




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************
