Before you start the test, please upgrade assp.pl and ASSP_AFC.pm to the 
latest dev version!

Thomas




From:    aquilinux <[email protected]>
To:      For Users of ASSP <[email protected]>
Date:    18.03.2016 16:45
Subject: Re: [Assp-user] bad attachment [...] possibly a virus infected file (can't extract archive)'



Monday I'll try to reproduce it.
It should be quite easy, since it happened a couple of times during my
attachment blocking tests.

On Fri, Mar 18, 2016 at 3:29 PM, Thomas Eckardt 
<[email protected]>
wrote:

> Even the [MessageOK] detection before the plugin is called is missing! I
> can't reproduce this and I've no clue how this can happen - I'm sorry.
>
> If you can reproduce this - set SessionLog to diagnostic and AttachmentLog
> to verbose. Or debug such a mail.
>
> Thomas
>
>
>
>
> From:    aquilinux <[email protected]>
> To:      For Users of ASSP <[email protected]>
> Date:    17.03.2016 13:41
> Subject: Re: [Assp-user] bad attachment [...] possibly a virus infected file (can't extract archive)'
>
>
>
> and in this case the message is blocked, but it is not stored anywhere:
>
> Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> info: found message size announcement: 23.25 kByte
> Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> [SMTP Reply] 250 2.1.0 Ok
> Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> to: [email protected] [SMTP Reply] 250 2.1.5 Ok
> Mar-17-16 13:19:16 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> to: [email protected] [SMTP Reply] 354 End data with <CR><LF>.<CR><LF>
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> to: [email protected] DKIM-Signature found
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> to: [email protected] info: found known good HELO 'smtp.tiscali.it' - weight is -2
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> to: [email protected] Message-Score: added -40 for KnownGoodHelo, total score for this message is now -40
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> to: [email protected] info: domain tiscali.it has published a DMARC record
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> to: [email protected] strictspf Regex: strictSPFRe 'tiscali.it'
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> to: [email protected] Message-Score: added -15 (pbwValencePB) for In Penalty White Box, total score for this message is now -55
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> to: [email protected] removed Disposition-Notification headers from mail
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> to: [email protected] HMM Check [scoring] - Prob: 0.00000 => ham - answer/query relation: 22% of 50
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> to: [email protected] Bayesian Check [scoring] - Prob: 0.00000 => ham - answer/query relation: 71% of 52
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> to: [email protected] [Plugin] calling plugin ASSP_AFC
> Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> to: [email protected] info: using user based compressed attachment check
> Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] [Attachment] 213.205.33.246 <[email protected]> to: [email protected] SPAM FOUND bad attachment 'N 19 convitto barcellona 20 23 marzo.xlsx' is a ' - the file extension: '.xlsx' does not match the content based detected file type '''
> Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] [Attachment] 213.205.33.246 <[email protected]> to: [email protected] mail blocked by Plugin ASSP_AFC - reason BadAttachment
> Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] [Attachment] 213.205.33.246 <[email protected]> to: [email protected] [spam found] (BadAttachment) [societa sardinia new tavel polizza 33489q 19 2016];
> Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> to: [email protected] [SMTP Reply] 250 OK
> Mar-17-16 13:20:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <[email protected]> to: [email protected] [SMTP Reply] 221 <myassphost> closing transmission
>
> this message is actually marked as spam but it is LOST....
>
> On Thu, Mar 17, 2016 at 12:41 PM, aquilinux <[email protected]> wrote:
>
> > here's a different case of incorrect detection:
> >
> > Mar-17-16 12:33:38 m1-14417-13392 [Worker_3] [TLS-in] [TLS-out] [Attachment] 92.246.34.74 <[email protected]> to: [email protected] SPAM FOUND bad attachment 'Copia di Lista mezzi Truckcenter.xlsx' is a ' - the file extension: '.xlsx' does not match the content based detected file type '''
> >
> >
> > On Thu, Mar 17, 2016 at 10:40 AM, aquilinux <[email protected]> wrote:
> >
> >> Upgraded, thanks.
> >> I have now an issue with another legitimate attachment:
> >>
> >> Mar-17-16 09:37:24 m1-03839-03606 [Worker_4] [TLS-in] [TLS-out] [Attachment] 212.82.97.124 <[email protected]> to: [email protected] SPAM FOUND bad attachment 'CITYLIFE INTERVENTI ESEGUITI 16.03.16.zip' is a 'compressed file 'CITYLIFE INTERVENTI ESEGUITI 16.03.16.zip' - contains forbidden executable file CITYLIFE - type: possibly a virus infected file (can't read)'
> >>
> >> the zip file contains a folder (with spaces), containing 6 PDF files
> >> (with spaces), all clean.
> >> So, I removed the spaces from the zip (in folder and file names) and now
> >> the mail gets through as expected.
> >> I think there is an issue with zip attachment with spaces that prevents
> >> AFC from detecting correct file extensions.
> >>
> >> Regards,
> >>
> >> On Thu, Mar 17, 2016 at 7:36 AM, Thomas Eckardt <
> >> [email protected]> wrote:
> >>
> >>> To detect .emz files you need to upgrade MIME::Types at least to version
> >>> 2.13 (CPAN has it).
> >>>
> >>> Thomas
> >>>
> >>>
> >>>
> >>>
> >>> From:    aquilinux <[email protected]>
> >>> To:      For Users of ASSP <[email protected]>
> >>> Date:    16.03.2016 10:08
> >>> Subject: Re: [Assp-user] bad attachment [...] possibly a virus infected file (can't extract archive)'
> >>>
> >>>
> >>>
> >>> thanks Thomas, I upgraded both assp.pl and plugin.
> >>> now I'm facing this:
> >>>
> >>> Mar-16-16 09:56:08 m1-18566-15642 [Worker_5] [TLS-in] [TLS-out] [Attachment] 92.246.34.74 <[email protected]> to: [email protected] SPAM FOUND bad attachment 'image001.emz' is a ' - the file extension: '.emz' does not match the content based detected file type '''
> >>>
> >>> Mar-16-16 09:56:08 [Worker_5] Warning: possibly a virus infected file (can't read) '/opt/assp/tmp/zip_5_1458118567/.10/.10' - Not a directory
> >>>
> >>> regards,
> >>> aqx
> >>>
> >>> On Wed, Mar 16, 2016 at 8:13 AM, Thomas Eckardt
> >>> <[email protected]>
> >>> wrote:
> >>>
> >>> > ASSP version 2.4.8(16074) + ASSP_AFC 3.26
> >>> >
> >>> > both available at SF-CVS
> >>> >
> >>> > will fix this.
> >>> >
> >>> > Thomas
> >>> > ps: please use the "ASSP List" [email protected] if you use
> >>> > a dev version 2.4.8
> >>> >
> >>> >
> >>> >
> >>> >
> >>> > From:    aquilinux <[email protected]>
> >>> > To:      For Users of ASSP <[email protected]>
> >>> > Date:    15.03.2016 15:00
> >>> > Subject: [Assp-user] bad attachment [...] possibly a virus infected file (can't extract archive)'
> >>> >
> >>> >
> >>> >
> >>> > Hi all,
> >>> > I recently enforced attachment blocking with zip inspection but legitimate
> >>> > attachments are blocked because of this:
> >>> >
> >>> > Mar-15-16 14:09:55 [Worker_5] Warning: possibly a virus infected file (can't extract archive) '/opt/assp/tmp/zip_5_1458047395/MSC_Implementation_Activities_15.03.2016.xlsx'
> >>> >
> >>> > Mar-15-16 14:39:15 [Worker_10] Warning: possibly a virus infected file (can't extract archive) '/opt/assp/tmp/zip_10_1458049154/20150922_GAA_Global_Corporate_Commercial_ok.docx' -  - Could not chdir back to start dir '': '
> >>> >
> >>> > Mar-15-16 14:04:22 [Worker_1] Warning: possibly a virus infected file (can't extract archive) '/opt/assp/tmp/zip_1_1458047062/Figures_wo_VolvoTrucks.xlsm' -  - Could not chdir back to start dir '': '
> >>> >
> >>> > Mar-15-16 14:08:09 [Worker_1] Warning: possibly a virus infected file (can't extract archive) '/opt/assp/tmp/zip_1_1458047289/errori.zip' -  - Could not chdir back to start dir '': '
> >>> >
> >>> > what's happening?
> >>> > ASSP version 2.4.8(16060) + ASSP_AFC 3.19
> >>> >
> >>> > thanks!
> >>> >
> >>> > --
> >>> > "Madness, like small fish, runs in hosts, in vast numbers of instances."
> >>> >
> >>> > Nessuno mi pettina bene come il vento.
> >>> >
> >>> > _______________________________________________
> >>> > Assp-user mailing list
> >>> > [email protected]
> >>> > https://lists.sourceforge.net/lists/listinfo/assp-user
> >>> >
> >>> >
> >>> >
> >>> >
> >>> > DISCLAIMER:
> >>> > *******************************************************
> >>> > This email and any files transmitted with it may be confidential, legally
> >>> > privileged and protected in law and are intended solely for the use of the
> >>> > individual to whom it is addressed.
> >>> > This email was multiple times scanned for viruses. There should be no
> >>> > known virus in this email!
> >>> > *******************************************************
> >>> >
> >>> >
> >>> >
> >>> >
> >>>
> >>>
> >>> --
> >>> "Madness, like small fish, runs in hosts, in vast numbers of instances."
> >>>
> >>> Nessuno mi pettina bene come il vento.
> >>>
> >>>
> >>
> >>
> >> --
> >> "Madness, like small fish, runs in hosts, in vast numbers of instances."
> >>
> >> Nessuno mi pettina bene come il vento.
> >>
> >
> >
> >
> > --
> > "Madness, like small fish, runs in hosts, in vast numbers of instances."
> >
> > Nessuno mi pettina bene come il vento.
> >
>
>
>
> --
> "Madness, like small fish, runs in hosts, in vast numbers of instances."
>
> Nessuno mi pettina bene come il vento.
>
>
>


-- 
"Madness, like small fish, runs in hosts, in vast numbers of instances."

Nessuno mi pettina bene come il vento.
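
Added example, not part of any message in this thread and not ASSP code: a small Python triage over log lines of the shape quoted above, grouping them by session id and picking out blocks where the attachment check reported an empty detected type or could not read or extract the archive. The sample lines are constructed from the thread's excerpts with example.org placeholder addresses; the cause labels and function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log lines quoted in this thread:
# wrapped lines rejoined, addresses replaced by example.org placeholders.
SAMPLE_LOG = """\
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <a@example.org> to: b@example.org Message-Score: added -15 (pbwValencePB) for In Penalty White Box, total score for this message is now -55
Mar-17-16 13:19:17 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] 213.205.33.246 <a@example.org> to: b@example.org Bayesian Check [scoring] - Prob: 0.00000 => ham - answer/query relation: 71% of 52
Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] [Attachment] 213.205.33.246 <a@example.org> to: b@example.org SPAM FOUND bad attachment 'N 19 convitto barcellona 20 23 marzo.xlsx' is a ' - the file extension: '.xlsx' does not match the content based detected file type '''
Mar-17-16 13:19:18 m1-17156-26856 [Worker_1] [TLS-in] [TLS-out] [Attachment] 213.205.33.246 <a@example.org> to: b@example.org mail blocked by Plugin ASSP_AFC - reason BadAttachment
Mar-17-16 09:37:24 m1-03839-03606 [Worker_4] [TLS-in] [TLS-out] [Attachment] 212.82.97.124 <c@example.org> to: b@example.org SPAM FOUND bad attachment 'CITYLIFE INTERVENTI ESEGUITI 16.03.16.zip' is a 'compressed file 'CITYLIFE INTERVENTI ESEGUITI 16.03.16.zip' - contains forbidden executable file CITYLIFE - type: possibly a virus infected file (can't read)'
"""

SESSION = re.compile(r"^\S+ \S+ (\w+-\d+-\d+) ")
SCORE = re.compile(r"total score for this message is now (-?\d+)")
HAM = re.compile(r"(HMM|Bayesian) Check \[scoring\] - Prob: [\d.]+ => ham")
BAD = re.compile(r"bad attachment '(.+?)' is a '")
MISMATCH = re.compile(r"file extension: '(\.\w+)' does not match the content based detected file type '(.*?)'")
CANT_READ = re.compile(r"\(can't (?:read|extract archive)\)")
BLOCKED = re.compile(r"mail blocked by Plugin (\S+) - reason (\S+)")

def triage(log_text):
    """Group lines by session id and summarise the attachment verdict."""
    sessions = defaultdict(lambda: dict(score=None, ham=set(), file=None, cause=None, blocked_by=None))
    for line in log_text.splitlines():
        m = SESSION.match(line)
        if not m:
            continue  # worker warnings carry no session id
        s = sessions[m.group(1)]
        if x := SCORE.search(line):
            s["score"] = int(x.group(1))
        if x := HAM.search(line):
            s["ham"].add(x.group(1))
        if x := BAD.search(line):
            s["file"] = x.group(1)
            mm = MISMATCH.search(line)
            if mm:  # an empty detected type means nothing was identified
                s["cause"] = "type-mismatch" if mm.group(2) else "empty-detected-type"
            elif CANT_READ.search(line):
                s["cause"] = "unreadable-archive"
        if x := BLOCKED.search(line):
            s["blocked_by"] = x.group(1)
    return dict(sessions)

def review_candidates(sessions):
    """Session ids where inspection failed rather than matched content."""
    failed = {"empty-detected-type", "unreadable-archive"}
    return sorted(sid for sid, s in sessions.items() if s["cause"] in failed)
```

Running `review_candidates(triage(text))` over a day's log gives the session ids to pull with SessionLog set to diagnostic and AttachmentLog set to verbose, as requested earlier in the thread.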