Hi there!

What could possibly disable/bypass BombRe and BombDataRe (and sometimes RBL) in ASSP when processing a "normal" mail that is not whitelisted in any way (at least not that I know of)?
Is there any cache that ASSP uses that makes BombRe and BombDataRe obsolete? The mail becomes "discarded", and if I run Analyze on it I get:

Feature Matching:
  . DKIM-check returned OK body altered - header passed - suspicious-OK
  . SPF-check returned OK for 78.46.206.67 -> [email protected], mail.puppytreasure.com
  . SPF: pass (cache) ip=78.46.206.67 [email protected] helo=mail.puppytreasure.com
  . DMARC-check returned OK
  . URIBL check: 'OK'
  . Valid Format of HELO: 'mail.puppytreasure.com'
  . IP in Helo check: 'OK'
  . AUTH would be disabled
  . RBLCacheCheck returned OK for 78.46.206.67: inserted as not ok at 2017-03-07 13:08:01 , listed by zen.spamhaus.org{127.0.0.3} - message score: 35
  . RBLScore: zen.spamhaus.org -> 127.0.0.3 -> 35
  . domain puppytreasure.com (in Mail From: , From , Reply-To) has a valid MX record: mail.puppytreasure.com
  . domainMX mail.puppytreasure.com has a valid A record: 78.46.206.67
  . 78.46.206.67 is in PTRCache: status=PTR OK - mail.puppytreasure.com
  . 78.46.206.67 is in RWLCache: status=not listed
  . 78.46.206.67 SenderBase: status=not classified, data=[CN=DE, ORG=HETZNER ONLINE GMBH, DOM=your-server.de, BLS=, HNM=Y, CIDR=28, HN=mail.puppytreasure.com]

This is a well-made spam mail, and if BombRe and BombDataRe had been processed on the mail it would be in the dump. RBLScore is 35 and Bayesian is set to spam, so some more points should have been added, but if I check the headers of the passed mail it only reports Bayesian and not RBL as above. That also should have put a nail in the coffin for this mail.
Here is the ASSP log:

Mar-07-17 13:04:34 m1-88272-08330 [Worker_3] 78.46.206.67 <[email protected]> to: [email protected] diagnostic: FileScan will run command - /usr/local/assp/virusscan/avg.sh /run/avg/a.3.74087.eml 2>&1
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <[email protected]> to: [email protected] diagnostic: FileScan returned OK
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <[email protected]> to: [email protected] FileScan: scanned 10754 bytes in message - OK
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <[email protected]> to: [email protected] Bayesian Check [scoring] - Prob: 1.00000 => spam - answer/query relation: 100% of 112
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <[email protected]> to: [email protected] Message-Score: added 41 for Bayesian Probability: 1.00000, total score for this message is now 41
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] [MessageLimit][lowlimit] 78.46.206.67 <[email protected]> to: [email protected] info: Maillog - created file discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] [MessageLimit][lowlimit] 78.46.206.67 <[email protected]> to: [email protected] [spam found] and possibly passing because messagescore(41) low [F mer luft i konomien med 44 762 kroner p kontoen] -> discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <[email protected]> to: [email protected] info: Maillog - removed old file discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <[email protected]> to: [email protected] info: Maillog - created file discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <[email protected]> to: [email protected] spam found and passing [F mer luft i konomien med 44 762 kroner p kontoen] -> discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <[email protected]> to: [email protected] info: received and processed all DATA

I'm confused about when tests are or are not made. Analyze uses some and the real scan some others? What am I missing? Why is ASSP not doing some checks on this mail and adding them together, especially when it's passing the real scan?

Regards,
Pontus

ASSP version 2.5.6(17060) on Ubuntu.
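
One way to cross-check the two outputs in this post (an added example, not part of the original message and not ASSP code): it lists the score contributions logged for one session and flags Analyze findings that come from a cache entry inserted after that session's last log line. The sample lines are constructed from the excerpts above with placeholder addresses, and the regexes assume the line formats shown in the post.

```python
import re
from datetime import datetime

# Constructed sample in the format of the log excerpt above; addresses are placeholders.
SAMPLE_LOG = """\
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <sender@example.test> to: rcpt@example.test Bayesian Check [scoring] - Prob: 1.00000 => spam - answer/query relation: 100% of 112
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <sender@example.test> to: rcpt@example.test Message-Score: added 41 for Bayesian Probability: 1.00000, total score for this message is now 41
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] [MessageLimit][lowlimit] 78.46.206.67 <sender@example.test> to: rcpt@example.test [spam found] and possibly passing because messagescore(41) low [subject] -> discarded/8330--1341231.eml
"""
# One line taken from the Analyze output quoted above.
SAMPLE_ANALYZE = "RBLCacheCheck returned OK for 78.46.206.67: inserted as not ok at 2017-03-07 13:08:01 , listed by zen.spamhaus.org{127.0.0.3} - message score: 35"

LOG_LINE = re.compile(r"^(\w{3}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) \[Worker_\d+\] (.*)$")
SCORE = re.compile(r"Message-Score: added (-?\d+) for (.+?), total score for this message is now (-?\d+)")
CACHED = re.compile(r"(\w+CacheCheck) .*?inserted as not ok at (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")

def score_trail(log_text, session):
    """Return (last_seen, [(reason, points, running_total), ...]) for one session id."""
    last_seen, trail = None, []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group(2) != session:
            continue
        last_seen = datetime.strptime(m.group(1), "%b-%d-%y %H:%M:%S")
        s = SCORE.search(m.group(3))
        if s:  # only "Message-Score: added ..." lines contribute to the total
            trail.append((s.group(2), int(s.group(1)), int(s.group(3))))
    return last_seen, trail

def cache_hits_after(analyze_text, last_seen):
    """Return [(check_name, seconds_late)] for cache entries inserted after the session."""
    late = []
    for name, stamp in CACHED.findall(analyze_text):
        inserted = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if inserted > last_seen:
            late.append((name, int((inserted - last_seen).total_seconds())))
    return late

if __name__ == "__main__":
    seen, trail = score_trail(SAMPLE_LOG, "m1-88272-08330")
    for reason, points, total in trail:
        print(f"live scan: +{points} for {reason} (total {total})")
    for name, late_by in cache_hits_after(SAMPLE_ANALYZE, seen):
        print(f"Analyze-only: {name} entry inserted {late_by}s after the session")
```

On the values in this post, the RBL cache entry is stamped 13:08:01 while the session's last log line is 13:04:37, so the only contribution logged for the live session is the Bayesian 41.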
