Thank you Thomas!

FYI, for anyone following this thread:
fixed in assp 2.6.2 *Fortress* build 18204:
ASSP_AFC 4.83 now scans the MIME header for viruses (possibly used by some
UNOFFICIAL clamav signatures)

On Sat, Jul 21, 2018 at 4:18 PM K Post <[email protected]> wrote:

> Okay, I clearly don't understand why that would be difficult, so let this
> be, but leave you with this parting thought on this:
>
> ClamAV has unofficial signatures that match known spam, apparently
> sometimes only when some header information is included.  It's a shame that
> we can't make use of this match when the header is required, especially
> since ASSP is smart enough to catch the spam (virus as far as ASSP knows)
> AFTER the message has been delivered.   I don't understand why we would
> want to do it this way, but there's obviously a reason. What if this were
> actually a VIRUS vs just a pesky spam message that wasn't otherwise
> caught?  I just figure that if we can catch something and
> block/reject/remove, why not do that prior to delivery?
>
> No need to reply unless you have the desire.  Hopeful that you'll give
> this some consideration again sometime in the future.
>
> Thanks
>
>
> On Thu, Jul 19, 2018 at 4:17 PM Thomas Eckardt <[email protected]>
> wrote:
>
>> >Would it be a big deal to have AFC also scan the header?
>>
>> Yes
>>
>> Thomas
>>
>>
>>
>>
>>
>> From:        "K Post" <[email protected]>
>> To:        "ASSP development mailing list" <[email protected]>
>> Date:        19.07.2018 20:12
>> Subject:        Re: [Assp-test] Spam found using ClamAV still being delivered?
>> ------------------------------
>>
>>
>>
>> Would it be a big deal to have AFC also scan the header?  It's not like
>> message headers are that big.  This might help catch these pesky spam
>> messages in foreign languages that bayesian/hmm are useless for.
>>
>> On Thu, Jul 19, 2018 at 1:49 AM Thomas Eckardt <[email protected]> wrote:
>> - the header and body scan in assp.pl is skipped if ASSP_AFC is active
>> - ASSP_AFC does not scan the MIME header - it only scans MIME parts.
>> - the final filescan scans the complete mail (header and body)
>>
>> So: 'SecuriteInfo.com.Spam-718.UNOFFICIAL' must be a hit in the MIME
>> header.
>>
>> Thomas
>>
>>
>>
>>
>> From:        "K Post" <[email protected]>
>> To:        "ASSP development mailing list" <[email protected]>
>> Date:        18.07.2018 17:10
>> Subject:        Re: [Assp-test] Spam found using ClamAV still being delivered?
>> ------------------------------
>>
>>
>>
>> I can't find any setting that would prohibit a regular scan from
>> happening for the instances that I've found.  Do you have suggestions of
>> where to look?
>>
>> On Sun, Jul 15, 2018 at 1:38 AM Thomas Eckardt <[email protected]> wrote:
>> >I'm sorry, I don't understand what you mean.  What do you mean "any
>> header part causes this detection?"
>>
>> for example: ASSP_AFC scans each MIME part separately (MIME is decoded
>> here)
>> or: any defined scan exception prevents the regular scan (check your
>> setup)
>>
>> The final scan is done for the complete MIME source, if the regular scan
>> was skipped for any reason. It may happen that an unofficial hit is found
>> in this case - but not in any other case.
>>
>> Thomas
>>
>>
>>
>> From:        "K Post" <[email protected]>
>> To:        "ASSP development mailing list" <[email protected]>
>> Date:        14.07.2018 21:10
>> Subject:        Re: [Assp-test] Spam found using ClamAV still being delivered?
>> ------------------------------
>>
>>
>>
>> I'm sorry, I don't understand what you mean.  What do you mean "any
>> header part causes this detection?"
>>
>> The unofficial securiteinfo clam definitions do a nice job of detecting
>> spam that bayesian might not.  I just don't understand why all of a sudden
>> >some< mail doesn't seem to be scanned during delivery.
>>
>>
>> On Sat, Jul 14, 2018 at 12:55 AM Thomas Eckardt <[email protected]> wrote:
>> >SecuriteInfo.com.Spam-718.UNOFFICIAL
>>
>> For me it looks like any header part causes this detection. The header is
>> not scanned regularly - but the complete mail (the file) is scanned finally.
>>
>> Thomas
>>
>>
>>
>>
>> From:        "K Post" <[email protected]>
>> To:        "ASSP development mailing list" <[email protected]>
>> Date:        13.07.2018 16:24
>> Subject:        Re: [Assp-test] Spam found using ClamAV still being delivered?
>> ------------------------------
>>
>>
>>
>> Thanks Thomas as always.  Where is that setting though?  I've never seen
>> this happen before, the signatures regularly reject messages >prior< to
>> delivery.  Could anything else be causing the scan to be skipped during the
>> delivery process?
>>
>> On Fri, Jul 13, 2018 at 1:54 AM Thomas Eckardt <[email protected]> wrote:
>> Your settings prevent assp from scanning the mail regularly (while
>> processed). Because this is (maybe) wanted, assp scans the stored corpus
>> file to be sure that there is no virus in the file.
>> You can see this - the file is scanned after disconnect.
>>
>>
>> Thomas
>>
>>
>>
>> From:        "K Post" <[email protected]>
>> To:        "ASSP development mailing list" <[email protected]>
>> Date:        12.07.2018 18:18
>> Subject:        Re: [Assp-test] Spam found using ClamAV still being delivered?
>> ------------------------------
>>
>>
>>
>> and sorry, this one was Swedish, but still.
>>
>> On Thu, Jul 12, 2018 at 12:15 PM K Post <[email protected]> wrote:
>> I can't figure this one out.
>>
>> French language message slips through bayesian and HMM because almost
>> everything is in English here.  BUT, one of the SecureSite unofficial
>> clamav lists catches it.  GREAT.
>>
>> However, for some reason, this message was still delivered to our user.
>> In the log, it goes to OK mail and THEN gets scored by ClamAV.  That's not
>> normal right?
>>
>> What could I be missing on this one?
>>
>> Jul-12-18 06:19:31 59810-00211 x.x.208.208 <[email protected]> to: [email protected] DKIM-Signature found
>> Jul-12-18 06:19:39 59810-00211 x.x.208.208 <[email protected]> to: [email protected] checking MX/A for apsis.com , chef.anpdm.com , chef.se
>> Jul-12-18 06:19:40 59810-00211 x.x.208.208 <[email protected]> to: [email protected] apsis.com - MX 'aspmx.l.google.com' - got IP (209.85.201.27)
>> Jul-12-18 06:19:40 59810-00211 x.x.208.208 <[email protected]> to: [email protected] chef.anpdm.com - MX 'mx10.anpdm.com' - got IP (91.213.250.35)
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <[email protected]> to: [email protected] chef.se - MX 'chef-se.mail.protection.outlook.com' - got IP (213.199.154.106)
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <[email protected]> to: [email protected] MX found: apsis.com (List-Unsubscribe) -> aspmx.l.google.com
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <[email protected]> to: [email protected] A record found for MX: apsis.com (List-Unsubscribe) -> 209.85.201.27
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <[email protected]> to: [email protected] MX found: chef.anpdm.com (Mail From:) -> mx10.anpdm.com
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <[email protected]> to: [email protected] A record found for MX: chef.anpdm.com (Mail From:) -> 91.213.250.35
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <[email protected]> to: [email protected] MX found: chef.se (Reply-To , From) -> chef-se.mail.protection.outlook.com
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <[email protected]> to: [email protected] A record found for MX: chef.se (Reply-To , From) -> 213.199.154.106
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <[email protected]> to: [email protected] HMM-Check has given less than 6 results - using monitoring mode only
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <[email protected]> to: [email protected] Bayesian Check [scoring] - Prob: 1.00000 - Confidence: 0.00004 => doubtful.spam - answer/query relation: 27% of 54
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <[email protected]> to: [email protected] Message-Score: added 25 for Bayesian Probability: 1.00000, total score for this message is now 25
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <[email protected]> to: [email protected] info: found DKIM signature identity '@anpdm.com'
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <[email protected]> to: [email protected] [scoring] DKIM signature verified-OK - pass - identity is: @anpdm.com - sender policy is: neutral - author policy is: neutral
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <[email protected]> to: [email protected] Message-Score: added -5 (dkimOkValencePB) for DKIM pass, total score for this message is now 20
>> Jul-12-18 06:19:41 59810-00211 x.x.208.208 <[email protected]> to: [email protected] [Plugin] calling plugin ASSP_AFC
>> Jul-12-18 06:19:41 59810-00211 [MessageOK] x.x.208.208 <[email protected]> to: [email protected] message ok [Saknar du din chef p semestern Nominera hen till Chefgalan] -> messages/okmail/Saknar_du_din_chef_p_semestern_Nominera_hen_till_Chefgalan--2657839.txt
>> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <[email protected]> to: [email protected] finished message - received DATA size: 21.73 kByte - sent DATA size: 22.85 kByte
>> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <[email protected]> to: [email protected] disconnected: session:F51B9E10 x.x.208.208 - processing time 13 seconds
>> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <[email protected]> to: [email protected] ClamAV: scanned 22973 bytes in file messages/okmail/Saknar_du_din_chef_p_semestern_Nominera_hen_till_Chefgalan--2657839.txt - FOUND SecuriteInfo.com.Spam-718.UNOFFICIAL
>> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <[email protected]> to: [email protected] deleting spamming safelisted tuplet: (x.x.208.0,chef.anpdm.com) age: 11s
>> Jul-12-18 06:19:42 59810-00211 x.x.208.208 <[email protected]> to: [email protected] Message-Score: added 50 (vdValencePB) for virus detected: 'SecuriteInfo.com.Spam-718.UNOFFICIAL', total score for this message is now 70
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Assp-test mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>>
>>
>>
>>
>> DISCLAIMER:
>> *******************************************************
>> This email and any files transmitted with it may be confidential, legally
>> privileged and protected in law and are intended solely for the use of the
>> individual to whom it is addressed.
>> This email was multiple times scanned for viruses. There should be no
>> known virus in this email!
>> *******************************************************

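The coverage gap Thomas describes in the thread (ASSP_AFC scans each decoded MIME part on its own and never the top-level mail header, while the final filescan of the stored corpus file sees header and body together, so a header-only unofficial signature can hit only after delivery) is easy to reproduce in miniature. The script below is an added example, not code from ASSP, ASSP_AFC or ClamAV. It models the three scan paths as functions over the same raw message: a per-part scan, a header scan (what the 4.83 fix adds) and a whole-file scan. The two "signatures" are stand-in regular expressions, not real ClamAV or SecuriteInfo signatures, and the sample mail is constructed here for the demonstration; the stage names and the List-Unsubscribe pattern are assumptions made for this illustration.

```python
"""Which bytes does each mail scan stage actually see?

Added example, not ASSP/ASSP_AFC/ClamAV code. The "signatures" are
stand-in regexes, the mail is constructed, and the three stage names
are this example's own labels for the paths described in the thread.
"""
import email
import re
from email import policy
from typing import Dict, List

# Stand-in signatures (NOT ClamAV signatures). One can only match a header
# line, the other matches a phrase in the message text.
SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "Example.Header-Only.UNOFFICIAL": re.compile(
        rb"^List-Unsubscribe:\s*<https?://[^>]*unsubscribe", re.I | re.M),
    "Example.Body-Phrase.UNOFFICIAL": re.compile(
        rb"Nominera hen till Chefgalan", re.I),
}

# Constructed sample mail (assumption: a bulk mailer adding List-Unsubscribe).
SAMPLE_MAIL = (
    b"From: Newsletter <[email protected]>\r\n"
    b"To: [email protected]\r\n"
    b"Subject: Saknar du din chef?\r\n"
    b"List-Unsubscribe: <http://lists.example.invalid/unsubscribe?id=1>\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b'Content-Type: text/plain; charset="utf-8"\r\n'
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"Nominera hen till Chefgalan.\r\n"
    b"--b1\r\n"
    b'Content-Type: text/html; charset="utf-8"\r\n'
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"<p>Nominera hen till Chefgalan.</p>\r\n"
    b"--b1--\r\n"
)


def scan_bytes(data: bytes) -> List[str]:
    """Names of all stand-in signatures that match the given bytes."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(data))


def scan_mime_parts(raw: bytes) -> List[str]:
    """Per-part scan: each leaf MIME part is decoded and scanned alone.

    The top-level mail header is not the payload of any leaf part, so a
    header-only pattern can never fire on this path.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        payload = part.get_payload(decode=True) or b""  # transfer-decoded bytes
        hits.update(scan_bytes(payload))
    return sorted(hits)


def scan_header(raw: bytes) -> List[str]:
    """Header-only scan: everything up to and including the first blank line."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            return scan_bytes(raw[: idx + len(sep)])
    return scan_bytes(raw)  # no body at all: the whole thing is header


def scan_whole_file(raw: bytes) -> List[str]:
    """Final file scan: the complete stored mail, header and body together."""
    return scan_bytes(raw)


def coverage(raw: bytes) -> Dict[str, List[str]]:
    """Run all three stages and report which stand-in signatures each one hits."""
    return {
        "mime_parts": scan_mime_parts(raw),
        "header": scan_header(raw),
        "whole_file": scan_whole_file(raw),
    }


if __name__ == "__main__":
    for stage, hits in coverage(SAMPLE_MAIL).items():
        print(f"{stage:11s} -> {hits or ['no hit']}")
```

Running it shows the body phrase caught by both the per-part and the whole-file stage, while the header pattern is caught only by the header and whole-file stages; with only the first and last stages active, as in the thread, that header hit arrives after the message has already been accepted, which is exactly the log sequence K Post posted. The regex stand-ins say nothing about how ClamAV itself matches; the point is only which bytes each stage is handed.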