I found one, sort of. The message was still blocked because they spoofed our domain and was otherwise pretty bad, but ClamAV didn't scan until after. Does this log help figure out why? In this case, I don't even see AFC launching (vs the previous example where it did).
Jan-10-19 12:14:17 98437-10602 92.1xx.xx.xx <[email protected]> Message-Score: added 15 (fiphValencePB) for Suspicious HELO - contains IP: '[92.1xx.xx.xx]', total score for this message is now 15
Jan-10-19 12:14:17 98437-10602 92.1xx.xx.xx <[email protected]> [scoring] (Suspicious HELO - contains IP: '[92.1xx.xx.xx]')
Jan-10-19 12:14:17 98437-10602 [SpoofedSender] 92.1xx.xx.xx <[email protected]> [scoring] (No Spoofing Allowed '[email protected]' in 'mailfrom')
Jan-10-19 12:14:17 98437-10602 92.1xx.xx.xx <[email protected]> Message-Score: added 5 (slValencePB) for No Spoofing Allowed '[email protected]' in 'mailfrom', total score for this message is now 20
Jan-10-19 12:14:21 98437-10602 [SpoofedSender] 92.1xx.xx.xx <[email protected]> to: [email protected] [scoring] (No Spoofing Allowed '[email protected]' in 'from')
Jan-10-19 12:14:21 98437-10602 92.1xx.xx.xx <[email protected]> to: [email protected] [scoring] DKIM domain-check skipped - OurCharityh.org does not support DKIM
Jan-10-19 12:14:21 98437-10602 92.1xx.xx.xx <[email protected]> to: [email protected] [scoring] SPF: softfail ip=92.1xx.xx.xx [email protected] helo=[92.1xx.xx.xx]
Jan-10-19 12:14:21 98437-10602 92.1xx.xx.xx <[email protected]> to: [email protected] Message-Score: added 5 (spfsValencePB) for SPF softfail, total score for this message is now 25
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <[email protected]> to: [email protected] Message-Score: added 110 for DNSBL: failed, 92.1xx.xx.xx listed in bb.barracudacentral.org bl.spamcop.net cbl.abuseat.org, total score for this message is now 135
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <[email protected]> to: [email protected] [scoring] DNSBL: failed, 92.1xx.xx.xx listed in ( bb.barracudacentral.org<-127.0.0.2; bl.spamcop.net<-127.0.0.2; cbl.abuseat.org<-127.0.0.2)
Jan-10-19 12:14:22 98437-10602 [ValidHELO] 92.1xx.xx.xx <[email protected]> to: [email protected] [scoring] (not valid HELO: '[92.1xx.xx.xx]')
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <[email protected]> to: [email protected] Message-Score: added 10 (ihValencePB) for not valid HELO: '[92.1xx.xx.xx]', total score for this message is now 145
Jan-10-19 12:14:22 98437-10602 [PTRmissing] 92.1xx.xx.xx <[email protected]> to: [email protected] [scoring] (PTR missing)
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <[email protected]> to: [email protected] Message-Score: added 10 (ptmValencePB) for PTR missing, total score for this message is now 155
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <[email protected]> to: [email protected] HMM Check [scoring] - Prob: 1.00000 - Confidence: 1.00000 => confident.spam - answer/query relation: 100% of 201
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <[email protected]> to: [email protected] Message-Score: added 50 for HMM Probability: 1.00000, total score for this message is now 205
Jan-10-19 12:14:22 98437-10602 [PenaltyBox] 92.1xx.xx.xx <[email protected]> to: [email protected] [monitoring] totalscore for 92.1xx.xx.xx is 265, last bad penalty was 'HMM'
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <[email protected]> to: [email protected] deleting spamming safelisted tuplet: (92.181.45.0,OurCharityh.org) age: 4s
Jan-10-19 12:14:22 98437-10602 [MessageLimit] 92.1xx.xx.xx <[email protected]> to: [email protected] MaxAllowedDups (3) reached for this subject - moved oldest file messages/spam/The_decision_to_suspend_your_account_Waiting_for_payment--3093512.txt to c:/assp/messages/discarded/The_decision_to_suspend_your_account_Waiting_for_payment--3093512.txt
Jan-10-19 12:14:22 98437-10602 [MessageLimit] 92.1xx.xx.xx <[email protected]> to: [email protected] [spam found] (MessageScore 205, limit 50) [The decision to suspend your account Waiting for payment] -> messages/spam/The_decision_to_suspend_your_account_Waiting_for_payment--3096260.txt;
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <[email protected]> to: [email protected] [SMTP Error] 554 5.7.1 Not Delivered [98437-10602 AAD59CE8]
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <[email protected]> to: [email protected] info: PB-IP-Score for '92.1xx.xx.xx' is 265, added 205 in this session
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <[email protected]> to: [email protected] finished message - received DATA size: 2.43 kByte - sent DATA size: 0 Byte
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <[email protected]> to: [email protected] disconnected: session:AAD59CE8 92.1xx.xx.xx - processing time 7 seconds
Jan-10-19 12:14:22 Info: connected to ClamAV daemon at 127.0.0.1:3310
Jan-10-19 12:14:22 98437-10602 92.1xx.xx.xx <[email protected]> to: [email protected] ClamAV: scanned 4586 bytes in file messages/spam/The_decision_to_suspend_your_account_Waiting_for_payment--3096260.txt - FOUND Sanesecurity.Phishing.Fake.Coin.27601.UNOFFICIAL
Jan-10-19 12:14:23 98437-10602 92.1xx.xx.xx <[email protected]> to: [email protected] Message-Score: added 50 (vdValencePB) for virus detected: 'Sanesecurity.Phishing.Fake.Coin.27601.UNOFFICIAL', total score for this message is now 255

On Thu, Jan 10, 2019 at 10:24 AM K Post <[email protected]> wrote:

> I made the change. Will report back as soon as I can catch something.
> FYI, I removed securiteite's marketing list from ClamAV. The majority of
> the post detections were hitting those signatures, and they were usually
> false positives.
>
> On Wed, Jan 9, 2019 at 12:39 PM Thomas Eckardt <[email protected]> wrote:
>
>> set AttachmentLog and ScanLog to the highest level
>>
>> post the complete log for a passed mail (post detected)
>>
>> Thomas
>>
>> From: "K Post" <[email protected]>
>> To: "ASSP development mailing list" <[email protected]>
>> Date: 09.01.2019 18:33
>> Subject: Re: [Assp-test] ClamAV catching spam, but still delivered
>> ------------------------------
>>
>> I've been running AFC 4.88 for a while now. I will update to 4.89, but
>> it doesn't sound like that's it.
>>
>> I just did a search on "ClamAV: scanned" and see a ton of these lines in
>> today's log appearing after delivery. I believe I'm only seeing the logs
>> when clamav actually catches something after the fact. Could it NEVER be
>> scanning the stream itself? Is there a setting that I have wrong? What
>> should I check?
>>
>> Any other ideas as to why the clam scan seems to fairly regularly be
>> either skipped or fails during the delivery process? Could ASSP somehow
>> detect this problem *before* delivery, scan the file instead of the
>> stream, and then decide to deliver or not?
>>
>> Spam's annoying, but if some slips through because of this, I don't
>> really care. It's the fear of a detectable true virus being sent through
>> because ClamAV sometimes isn't working on the stream that's scaring me.
>>
>> thanks
>> Ken
>>
>> On Wed, Jan 9, 2019 at 11:06 AM Thomas Eckardt <[email protected]> wrote:
>>
>> any of your settings or a bug prevents ASSP_AFC from scanning the mail
>>
>> >ClamAV: scanned 2805 bytes in file
>> >messages/okmail/Spam_Subject--3092281.txt
>>
>> This is a security (post)scan forced by 'ClamAVLogScan'. Stored files are
>> scanned, if not already done while processing the mail.
>>
>> notice: a security BUG was fixed in ASSP_AFC 4.88 and 4.89 ---- some MIME
>> types were not correctly detected while processing the mail, but if files
>> were scanned - seems you use an outdated ASSP_AFC
>>
>> Thomas
>>
>> From: "K Post" <[email protected]>
>> To: "ASSP development mailing list" <[email protected]>
>> Date: 09.01.2019 16:45
>> Subject: [Assp-test] ClamAV catching spam, but still delivered
>> ------------------------------
>>
>> Hi Thomas,
>> Back in July 2018, I started a thread where ClamAV was catching spam, but
>> only AFTER delivery. You suggested that the ASSP_AFC plugin wasn't
>> scanning the MIME headers and then fixed that in AFC 4.83.
>>
>> I just received a report of spam that still came through, despite ClamAV
>> catching it. In reviewing the log, I see a low scoring message being
>> delivered and then 1 second later ClamAV via AFC showing a hit.
>>
>> It's a normal sounding email, so I understand why bayesian / HMM wouldn't
>> catch it. I'm glad that clamav did, but it's pointless if the scan is
>> after the delivery right?
>>
>> The last time I brought this up, you initially said that I have a setting
>> that prevents ClamAV from running until after delivery. Can you tell me
>> what that setting is?
>> Thanks
>>
>> log:
>>
>> Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] [scoring] DKIM domain-check skipped - spam.xx does not support DKIM
>> Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] [scoring] SPF: softfail ip=37.xx.xx.xx.xx [email protected] helo=randomhost.com
>> Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] Message-Score: added 5 (spfsValencePB) for SPF softfail, total score for this message is now 5
>> Jan-08-19 03:02:54 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] checking MX/A for spam.xx , otherspam.xx
>> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] spam.xx - MX 'mx1.compromised.net' - got IP (18.xx.xx.xx)
>> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] otherspam.xx - MX 'mx2.mail.otherspam.xx' - got IP (14.xx.xx.xx)
>> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] MX found: spam.xx (Mail From: , From) -> mx1.compromised.net
>> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] A record found for MX: spam.xx (Mail From: , From) -> 18.xx.xx.xx
>> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] MX found: otherspam.xx (Reply-To) -> mx2.mail.otherspam.xx
>> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] A record found for MX: otherspam.xx (Reply-To) -> 14.xx.xx.xx
>> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] [scoring] found valid PTR hosted-by-xx.com
>> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] HMM-Check has given less than 6 results - using monitoring mode only
>> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] HMM Check [monitoring] - Prob: 1.00000 - Confidence: 0.00028 => doubtful.spam - answer/query relation: 0% of 137
>> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] Bayesian Check [scoring] - Prob: 1.00000 - Confidence: 0.00000 => doubtful.spam - answer/query relation: 100% of 138
>> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] Message-Score: added 25 for Bayesian Probability: 1.00000, total score for this message is now 30 *WE'RE AT 30*
>> Jan-08-19 03:02:55 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] [Plugin] calling plugin ASSP_AFC *AFC CALLED*
>> Jan-08-19 03:02:55 17771-28711 [MessageOK] 37.xx.xx.xx.xx <[email protected]> to: [email protected] message ok [ Subject] -> messages/okmail/Spam_Subject--3092281.txt
>> Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] info: PB-IP-Score for '37.xx.xx.xx.xx' is 5, added 5 in this session
>> Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] finished message - received DATA size: 1.87 kByte - sent DATA size: 2.97 kByte
>> Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] disconnected: session:11EAAF22 37.xx.xx.xx.xx - processing time 5 seconds *DELIVERED*
>> Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] ClamAV: scanned 2805 bytes in file messages/okmail/Spam_Subject--3092281.txt - FOUND winnow.spam.ts.xmailer.2.UNOFFICIAL *Spam (Virus) found 1 second after AFC called*
>> Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] deleting spamming safelisted tuplet: (37.48.120.0,spam.xx) age: 3s
>> Jan-08-19 03:02:56 17771-28711 37.xx.xx.xx.xx <[email protected]> to: [email protected] Message-Score: added 50 (vdValencePB) for virus detected: 'winnow.spam.ts.xmailer.2.UNOFFICIAL', total score for this message is now 80 *ADDED 50, but only after delivery*
>>
>> _______________________________________________
>> Assp-test mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>>
>> DISCLAIMER:
>> *******************************************************
>> This email and any files transmitted with it may be confidential, legally
>> privileged and protected in law and are intended solely for the use of the
>> individual to whom it is addressed.
>> This email was multiple times scanned for viruses. There should be no
>> known virus in this email!
>> *******************************************************
_______________________________________________ Assp-test mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/assp-test
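Added example for this thread (my own code, not part of ASSP or the ASSP_AFC plugin): a small audit that walks maillog lines grouped by the worker/session token and, for every ClamAV hit, reports whether it was logged before or after ASSP's delivery decision. The question in the thread is exactly that ordering: in the second quoted log "message ok" and "sent DATA size: 2.97 kByte" precede the "ClamAV: scanned ... FOUND" line, while in the first log the mail had already been rejected with a 554 and "sent DATA size: 0 Byte" before the post-scan ran. The field names, the verdict strings, and the sample lines (condensed from the two posted logs, with example addresses and documentation IP ranges substituted) are assumptions of this example, not ASSP output.

```python
"""Flag ASSP sessions whose ClamAV hit was logged only after delivery.

Added example for the assp-test thread; not ASSP or ASSP_AFC code.
Assumed line layout (as in the posted logs):
  '<Mon-DD-YY HH:MM:SS> <pid-thread> ... <event text>'
Verdict strings and the constructed sample lines are my own.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Leading timestamp plus the "98437-10602" style worker/session token.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<sid>\d+-\d+) (?P<rest>.*)$"
)
SCORE_RE = re.compile(r"total score for this message is now (\d+)")
CLAM_RE = re.compile(r"ClamAV: scanned \d+ bytes in file (\S+) - FOUND (\S+)")
SENT_RE = re.compile(r"sent DATA size: ([\d.]+) (k?Byte)")


@dataclass
class Session:
    sid: str
    afc_called: bool = False                 # "[Plugin] calling plugin ASSP_AFC" seen
    accepted_at: Optional[datetime] = None   # "[MessageOK] ... message ok": ASSP will relay
    rejected: bool = False                   # "[spam found]" or 554 before relay
    bytes_sent: float = 0.0                  # > 0 means the mail really left ASSP
    scan_at: Optional[datetime] = None       # timestamp of the ClamAV FOUND line
    signature: Optional[str] = None
    score_at_accept: Optional[int] = None    # score ASSP acted on
    final_score: int = 0                     # score after any post-scan penalty


def parse_maillog(lines):
    """Group log lines by session token and record the events that matter."""
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # e.g. 'Info: connected to ClamAV daemon ...' carries no token
            continue
        ts = datetime.strptime(m["ts"], "%b-%d-%y %H:%M:%S")
        s = sessions.setdefault(m["sid"], Session(m["sid"]))
        rest = m["rest"]
        if "calling plugin ASSP_AFC" in rest:
            s.afc_called = True
        if "[MessageOK]" in rest and "message ok" in rest:
            s.accepted_at = ts
            s.score_at_accept = s.final_score
        if "[spam found]" in rest or "[SMTP Error] 554" in rest:
            s.rejected = True
        if sc := SCORE_RE.search(rest):
            s.final_score = int(sc.group(1))
        if sd := SENT_RE.search(rest):
            s.bytes_sent = float(sd.group(1)) * (1024 if sd.group(2) == "kByte" else 1)
        if cm := CLAM_RE.search(rest):
            s.scan_at, s.signature = ts, cm.group(2)
    return sessions


def verdict(s):
    """Classify when the ClamAV result arrived relative to the delivery decision."""
    if s.signature is None:
        return "no-clamav-hit"
    if s.rejected and s.bytes_sent == 0:
        return "post-scan-of-rejected-mail"   # harmless: stored spam file scanned later
    if s.accepted_at is not None and s.scan_at >= s.accepted_at and s.bytes_sent > 0:
        return "post-delivery-detection"       # the failure mode discussed in the thread
    return "inline-detection"


def audit(lines):
    """Return {session_token: verdict} for every session that logged a ClamAV hit."""
    return {sid: verdict(s) for sid, s in parse_maillog(lines).items() if s.signature}


# Constructed sample, condensed from the two logs in the thread (not real traffic).
SAMPLE_LOG = [
    # Session A: rejected as spam; ClamAV hit logged afterwards on the stored file.
    "Jan-10-19 12:14:22 98437-10602 192.0.2.10 <x@example.org> to: y@example.com Message-Score: added 50 for HMM Probability: 1.00000, total score for this message is now 205",
    "Jan-10-19 12:14:22 98437-10602 [MessageLimit] 192.0.2.10 <x@example.org> to: y@example.com [spam found] (MessageScore 205, limit 50) [Subject] -> messages/spam/Subject--1.txt;",
    "Jan-10-19 12:14:22 98437-10602 192.0.2.10 <x@example.org> to: y@example.com [SMTP Error] 554 5.7.1 Not Delivered [98437-10602 AAD59CE8]",
    "Jan-10-19 12:14:22 98437-10602 192.0.2.10 <x@example.org> to: y@example.com finished message - received DATA size: 2.43 kByte - sent DATA size: 0 Byte",
    "Jan-10-19 12:14:22 Info: connected to ClamAV daemon at 127.0.0.1:3310",
    "Jan-10-19 12:14:22 98437-10602 192.0.2.10 <x@example.org> to: y@example.com ClamAV: scanned 4586 bytes in file messages/spam/Subject--1.txt - FOUND Sanesecurity.Phishing.Fake.Coin.27601.UNOFFICIAL",
    "Jan-10-19 12:14:23 98437-10602 192.0.2.10 <x@example.org> to: y@example.com Message-Score: added 50 (vdValencePB) for virus detected: 'Sanesecurity.Phishing.Fake.Coin.27601.UNOFFICIAL', total score for this message is now 255",
    # Session B: accepted and relayed; ClamAV hit one second later.
    "Jan-08-19 03:02:55 17771-28711 192.0.2.20 <a@example.net> to: y@example.com Message-Score: added 25 for Bayesian Probability: 1.00000, total score for this message is now 30",
    "Jan-08-19 03:02:55 17771-28711 192.0.2.20 <a@example.net> to: y@example.com [Plugin] calling plugin ASSP_AFC",
    "Jan-08-19 03:02:55 17771-28711 [MessageOK] 192.0.2.20 <a@example.net> to: y@example.com message ok [Subject] -> messages/okmail/Subject--2.txt",
    "Jan-08-19 03:02:56 17771-28711 192.0.2.20 <a@example.net> to: y@example.com finished message - received DATA size: 1.87 kByte - sent DATA size: 2.97 kByte",
    "Jan-08-19 03:02:56 17771-28711 192.0.2.20 <a@example.net> to: y@example.com ClamAV: scanned 2805 bytes in file messages/okmail/Subject--2.txt - FOUND winnow.spam.ts.xmailer.2.UNOFFICIAL",
    "Jan-08-19 03:02:56 17771-28711 192.0.2.20 <a@example.net> to: y@example.com Message-Score: added 50 (vdValencePB) for virus detected: 'winnow.spam.ts.xmailer.2.UNOFFICIAL', total score for this message is now 80",
]

if __name__ == "__main__":
    for sid, s in parse_maillog(SAMPLE_LOG).items():
        print(f"{sid}: {verdict(s)} (AFC called: {s.afc_called}, "
              f"score at accept: {s.score_at_accept}, final: {s.final_score})")
```

Run it against a real maillog with `parse_maillog(open("maillog.txt"))`; every session reported as "post-delivery-detection" is a mail that left ASSP before the scan result existed, and the `afc_called` flag tells you whether the plugin was at least invoked in-stream for it, which is the distinction Ken is making between his two logs.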
