Re: [Assp-test] AFC plugin again

[katip]

Thomas,

i sent from my webmail (external, non-white, non-red) a pdf with same 
(supposed) filename (çatı t-1.pdf). below full diagnostic sessionLog + 
verbose attachment logging. it looks fine with filename with extended 
chars, that's ok.

but now i'm confused. according to my setup (and what i used to see 
without AFC since years) it should be
1. blocked with BadAttachment tag,
2. moved to discarded folder and
3. sent to ccSpam.

however it arrives with lowlimit tag (because of Bayes) to ccSpam only. 
Not to the user (although lowlimit!!). but on the other hand, it was 
copied to discarded folder too as i see it in file system. no trace 
about an attachment in headers despite "SPAM FOUND bad attachment 'çatı 
t-1.pdf'" log entry!!


*ASSP headers:*
X-Assp-Version: 2.5.6(17104) on blah...
X-Assp-ID: blah... id-66712-03431
X-Assp-Session: 5B1E9278 (mail 1)
X-Assp-Envelope-From: ka...@fastmail.ca
X-Assp-Original-Subject: çatı 2
X-Original-Authentication-Results: blah...; dkim=pass spf=pass
X-Assp-Detected-URI: fastmail.ca(3), messagingengine.com(2)
X-Assp-Message-Score: 45 (Bayesian Probability: 0.99994)
X-Assp-IP-Score: 45 (Bayesian Probability: 0.99994)
X-Assp-Spam-Prob: 0.99994
X-Assp-HMM-Spam-Prob: 0.99870
X-Assp-Tag: MessageLimit
X-Assp-Spam: YES (Probably)
X-Spam-Status: YES
X-Assp-Spam-Reason: MessageScore passed low limit
X-Assp-Message-Totalscore: 45
X-Assp-Spam-Level: **********
X-Assp-Intended-For: u...@domain.com
X-Assp-Copy-Spam: Yes


*loglines:*
16.04.2017 21:18:31 [Worker_1] 66.111.4.25 [SMTP Reply] 220 mail.domain.com
16.04.2017 21:18:32 [Worker_1] info: wrote 36 byte to server
16.04.2017 21:18:32 [Worker_1] 66.111.4.25 [SMTP Reply] 250 HELP
16.04.2017 21:18:32 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> info: found message size announcement: 423.02 kByte
16.04.2017 21:18:32 [Worker_1] info: wrote 43 byte to server
16.04.2017 21:18:32 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> [SMTP Reply] 250 OK
16.04.2017 21:18:32 [Worker_1] u...@domain.com matches u...@domain.com 
in LocalAddresses_Flat
16.04.2017 21:18:33 [Worker_1] info: wrote 31 byte to server
16.04.2017 21:18:33 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com [SMTP Reply] 250 OK
16.04.2017 21:18:33 [Worker_1] Info: incoming mail detected
16.04.2017 21:18:33 [Worker_1] info: wrote 6 byte to server
16.04.2017 21:18:33 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com [SMTP Reply] 354 OK, send.
16.04.2017 21:18:34 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com DKIM-Signature found
16.04.2017 21:18:34 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com [scoring] DKIM signature 
verified-OK - header-passed - sender policy is: neutral - author policy 
is: neutral
16.04.2017 21:18:37 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com HMM-Check has given less than 6 
results - using monitoring mode only
16.04.2017 21:18:37 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com HMM Check [monitoring] - Prob: 
0.99870 => spam - answer/query relation: 9% of 11
16.04.2017 21:18:37 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com Bayesian Check [scoring] - Prob: 
0.99994 => spam - answer/query relation: 50% of 14
16.04.2017 21:18:37 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com Message-Score: added 45 for 
Bayesian Probability: 0.99994, total score for this message is now 45
16.04.2017 21:18:37 id-66712-03431 [Worker_1] [MessageLimit][lowlimit] 
66.111.4.25 <ka...@fastmail.ca> to: u...@domain.com info: Maillog - 
created file c:/assp/discarded/3431--1219548.eml
16.04.2017 21:18:37 id-66712-03431 [Worker_1] [MessageLimit][lowlimit] 
66.111.4.25 <ka...@fastmail.ca> to: u...@domain.com [spam found] and 
possibly passing because messagescore(45) low [çatı 2] -> 
c:/assp/discarded/3431--1219548.eml
16.04.2017 21:18:37 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com spam found and passing [çatı 2] 
-> c:/assp/discarded/3431--1219548.eml
16.04.2017 21:18:37 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: read and processed 8244 
byte of DATA
16.04.2017 21:18:37 [Worker_1] to: u...@domain.com info: wrote 30 byte 
to server
16.04.2017 21:18:37 [Worker_1] to: u...@domain.com info: wrote 30 byte 
to server
(etc...)

16.04.2017 21:18:39 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: received the end of the DATA
16.04.2017 21:18:39 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com [Plugin] calling plugin ASSP_AFC
16.04.2017 21:18:39 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: block set to BlockExes (3) 
- attachlog set to extAttachLog (7) - default
16.04.2017 21:18:39 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: attachment çatı t-1.pdf 
found for Level-3
16.04.2017 21:18:39 [Worker_1] Info: notification message queued to sent 
to ad...@domain.com
16.04.2017 21:18:39 id-66712-03431 [Worker_1] [Attachment] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com SPAM FOUND bad attachment 'çatı 
t-1.pdf'
16.04.2017 21:18:39 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com Message-Score: added 35 
(baValencePB) for bad attachment 'çatı t-1.pdf', total score for this 
message is now 80
16.04.2017 21:18:39 id-66712-03431 [Worker_1] [Attachment] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: Plugin ASSP_AFC has set 
the collection parameter to '7' = discard folder & sendAllSpam
16.04.2017 21:18:40 id-66712-03431 [Worker_1] [Attachment] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com mail blocked by Plugin ASSP_AFC 
- reason BadAttachment - log is set to '7'
16.04.2017 21:18:40 id-66712-03431 [Worker_1] [Attachment] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: logfile 
c:/assp/discarded/3431--1219548.eml removed
16.04.2017 21:18:40 id-66712-03431 [Worker_1] [Attachment] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: Maillog - created file 
c:/assp/discarded/3431--1219548.eml
16.04.2017 21:18:40 id-66712-03431 [Worker_1] [Attachment] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com [spam found] (BadAttachment) 
[çatı 2] -> c:/assp/discarded/3431--1219548.eml;
16.04.2017 21:18:40 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com [SMTP Reply] 250 OK
16.04.2017 21:18:40 id-66712-03431 [Worker_1] [Attachment] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com info: received and processed all 
DATA
16.04.2017 21:18:40 [Worker_1] to: u...@domain.com info: wrote 6 byte to 
server
16.04.2017 21:18:40 [Worker_1] 66.111.4.25 <ka...@fastmail.ca> to: 
u...@domain.com info: message forwarded to c...@domain.com
16.04.2017 21:18:40 [Worker_1] to: u...@domain.com info: wrote 8192 byte 
to server
16.04.2017 21:18:40 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com [SMTP Reply] 221 
<HilalTrans.KillingFloor> closing transmission
16.04.2017 21:18:40 [Worker_1] to: u...@domain.com info: wrote 8192 byte 
to server
16.04.2017 21:18:40 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com finished message - received DATA 
size: 423.17 kByte - sent DATA size: 0 Byte
16.04.2017 21:18:40 id-66712-03431 [Worker_1] 66.111.4.25 
<ka...@fastmail.ca> to: u...@domain.com disconnected: session:5B1E9278 
66.111.4.25 - processing time 9 seconds
16.04.2017 21:18:40 [Worker_1] to: u...@domain.com info: wrote 8192 byte 
to server
16.04.2017 21:18:40 [Worker_1] to: u...@domain.com info: wrote 8192 byte 
to server
(etc...)

thanks for any clarification.

Katip


-------- Original Message --------
Subject: Re: [Assp-test] AFC plugin again
From: Thomas Eckardt <thomas.ecka...@thockar.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: Sun, 16 Apr 2017 08:58:00 +0200
Set 'SessionLog' to diagnostic and show the complete loglines for such 
a mail.

15.04.2017 19:28:35 id-73707-03273 [Worker_1] [Attachment] 40.92.70.55
<qwe...@hotmail.com> to: ke...@domain.com [spam found] (BadAttachment)
[çatı t-1];

this shows, that there is no logging level set for this mail -> result 
is no collection

Thomas





Von: katip <ka...@katip.com>
An: ASSP development mailing list <assp-test@lists.sourceforge.net>
Datum: 16.04.2017 04:15
Betreff: [Assp-test] AFC plugin again
------------------------------------------------------------------------




another AFC issue..

detection is ok. sender was external (not whitelisted) and pdf is set to
block. however message is totally lost after receipt, despite all
blocked attachment levels set to "discard folder & sendAllSpam"

15.04.2017 19:28:35 id-73707-03273 [Worker_1] [Attachment] 40.92.70.55
<qwe...@hotmail.com> to: ke...@domain.com mail blocked by Plugin
ASSP_AFC - reason BadAttachment
15.04.2017 19:28:35 id-73707-03273 [Worker_1] [Attachment] 40.92.70.55
<qwe...@hotmail.com> to: ke...@domain.com [spam found] (BadAttachment)
[çatı t-1];
15.04.2017 19:28:35 id-73707-03273 [Worker_1] 40.92.70.55
<qwe...@hotmail.com> to: ke...@domain.com [SMTP Reply] 250 OK
15.04.2017 19:28:35 id-73707-03273 [Worker_1] 40.92.70.55
<qwe...@hotmail.com> to: ke...@domain.com finished message - received
DATA size: 289.58 kByte - sent DATA size: 0 Byte

without AFC, collections to discard folder and CCspam are fine. fyi..

Katip





------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, 
legally privileged and protected in law and are intended solely for 
the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot


_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test