i found out that i had 'send250OK' checked....
maybe this is what confuses assp at some point..
turning it off now makes assp fire an SMTP Error about forbidden files
(good) and the file is stored in the discarded folder (good)...
On Thu, Mar 24, 2016 at 10:11 AM, aquilinux <[email protected]> wrote:
> in this case the email is correctly stored instead:
>
> Mar-24-16 10:00:35 [Worker_4] 86.98.212.218 [SMTP Reply] 220 EAIT - Keep it legit, or keep out
> Mar-24-16 10:00:36 [Worker_4] 86.98.212.218 [SMTP Reply] 250 DSN
> Mar-24-16 10:00:36 m1-10036-04835 [Worker_4] [TLS-out] 86.98.212.218 <[email protected]> [SMTP Reply] 250 2.1.0 Ok
> Mar-24-16 10:00:36 [Worker_4] [email protected] matches [email protected] in noProcessing
> Mar-24-16 10:00:36 m1-10036-04835 [Worker_4] [TLS-out] 86.98.212.218 <[email protected]> noprocessing Regex: noProcessing 'liquidazione.fusion@europassista'
> Mar-24-16 10:00:36 m1-10036-04835 [Worker_4] [TLS-out] 86.98.212.218 <[email protected]> to: [email protected] [SMTP Reply] 250 2.1.5 Ok
> Mar-24-16 10:00:36 [Worker_4] [email protected] matches [email protected] in noProcessing
> Mar-24-16 10:00:36 m1-10036-04835 [Worker_4] [TLS-out] [NoProcessing] 86.98.212.218 <[email protected]> to: [email protected] message proxied without processing (except checks enabled for noprocessing mails)
> Mar-24-16 10:00:36 m1-10036-04835 [Worker_4] [TLS-out] 86.98.212.218 <[email protected]> to: [email protected] [SMTP Reply] 354 End data with <CR><LF>.<CR><LF>
> Mar-24-16 10:00:38 m1-10036-04835 [Worker_4] [TLS-out] 86.98.212.218 <[email protected]> to: [email protected] [Plugin] calling plugin ASSP_AFC
> Mar-24-16 10:00:38 m1-10036-04835 [Worker_4] [TLS-out] 86.98.212.218 <[email protected]> to: [email protected] info: attachment LN4244786.docm found for Level-1
> Mar-24-16 10:00:38 m1-10036-04835 [Worker_4] [TLS-out] 86.98.212.218 <[email protected]> to: [email protected] info: using user based compressed attachment check
> Mar-24-16 10:00:38 [Worker_4] Info: will detect executables in compressed files
> Mar-24-16 10:00:38 [Worker_4] Info: analyzing compressed file /opt/assp/tmp/zip_4_1458810038/LN4244786.docm at zip-level 0
> Mar-24-16 10:00:38 [Worker_4] Info: looking for filetype in: .zip
> Mar-24-16 10:00:38 [Worker_4] Info: found compressed file with type: 'zip'
> Mar-24-16 10:00:38 m1-10036-04835 [Worker_4] [TLS-out] [Attachment] 86.98.212.218 <[email protected]> to: [email protected] SPAM FOUND bad attachment 'LN4244786.docm' is a 'compressed file 'LN4244786.docm' - contains forbidden executable file vbaProject.bin - type: Windows-Scripting-Host script'
> Mar-24-16 10:00:38 m1-10036-04835 [Worker_4] [TLS-out] [Attachment] 86.98.212.218 <[email protected]> to: [email protected] info: Plugin ASSP_AFC has set the collection parameter to '6' = discard folder
> Mar-24-16 10:00:38 m1-10036-04835 [Worker_4] [TLS-out] [Attachment] 86.98.212.218 <[email protected]> to: [email protected] mail blocked by Plugin ASSP_AFC - reason BadAttachment
> Mar-24-16 10:00:38 m1-10036-04835 [Worker_4] [TLS-out] [Attachment] 86.98.212.218 <[email protected]> to: [email protected] [spam found] (BadAttachment) [Your order has been despatched] -> /opt/assp/discarded/Your_order_has_been_despatched--3181134.eml;
> Mar-24-16 10:00:38 m1-10036-04835 [Worker_4] [TLS-out] 86.98.212.218 <[email protected]> to: [email protected] [SMTP Reply] 250 OK
> Mar-24-16 10:00:38 m1-10036-04835 [Worker_4] [TLS-out] 86.98.212.218 <[email protected]> to: [email protected] [SMTP Reply] 221 <assp2.europassistance.it> closing transmission
>
> hope this helps further investigating...
>
> On Wed, Mar 23, 2016 at 5:31 PM, aquilinux <[email protected]> wrote:
>
>> i don't know what's happening...
>> again, no email stored...
>>
>> Mar-23-16 17:26:16 [Worker_2] 74.125.82.46 [SMTP Reply] 220 EAIT - Keep it legit, or keep out
>> Mar-23-16 17:26:16 [Worker_2] 74.125.82.46 [SMTP Reply] 250 DSN
>> Mar-23-16 17:26:16 [Worker_2] 74.125.82.46 [SMTP Reply] 220 2.0.0 Ready to start TLS
>> Mar-23-16 17:26:16 [Worker_2] [TLS-in] [TLS-out] 74.125.82.46 [SMTP Reply] 250 DSN
>> Mar-23-16 17:26:16 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] 74.125.82.46 <[email protected]> info: found message size announcement: 15.05 kByte
>> Mar-23-16 17:26:16 [Worker_2] [email protected] matches [email protected] in noDelayAddresses
>> Mar-23-16 17:26:16 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] 74.125.82.46 <[email protected]> [SMTP Reply] 250 2.1.0 Ok
>> Mar-23-16 17:26:16 [Worker_2] [email protected] matches [email protected] in spamLovers
>> Mar-23-16 17:26:16 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] 74.125.82.46 <[email protected]> to: [email protected] [SMTP Reply] 250 2.1.5 Ok
>> Mar-23-16 17:26:16 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] 74.125.82.46 <[email protected]> to: [email protected] [SMTP Reply] 354 End data with <CR><LF>.<CR><LF>
>> Mar-23-16 17:26:17 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] 74.125.82.46 <[email protected]> to: [email protected] Whitelisted sender address: [email protected] for recipient [email protected]
>> Mar-23-16 17:26:17 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] 74.125.82.46 <[email protected]> to: [email protected] Admininfo: whitelist addition: [email protected] - AutoWhite on sent mail by [email protected]
>> Mar-23-16 17:26:17 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] 74.125.82.46 <[email protected]> to: [email protected] DKIM-Signature found
>> Mar-23-16 17:26:17 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] 74.125.82.46 <[email protected]> to: [email protected] [Plugin] calling plugin ASSP_AFC
>> Mar-23-16 17:26:17 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] 74.125.82.46 <[email protected]> to: [email protected] info: attachment test.zip found for Level-1
>> Mar-23-16 17:26:17 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] 74.125.82.46 <[email protected]> to: [email protected] info: using user based compressed attachment check
>> Mar-23-16 17:26:17 [Worker_2] Info: will detect executables in compressed files
>> Mar-23-16 17:26:17 [Worker_2] Info: analyzing compressed file /opt/assp/tmp/zip_2_1458750377/test.zip at zip-level 0
>> Mar-23-16 17:26:17 [Worker_2] Info: looking for filetype in: .zip
>> Mar-23-16 17:26:17 [Worker_2] Info: found compressed file with type: 'zip'
>> Mar-23-16 17:26:17 [Worker_2] Info: analyzing compressed file /opt/assp/tmp/zip_2_1458750377/.10/assp_attch_test.docx at zip-level 1
>> Mar-23-16 17:26:17 [Worker_2] Info: looking for filetype in: .zip
>> Mar-23-16 17:26:17 [Worker_2] Info: found compressed file with type: 'zip'
>> Mar-23-16 17:26:17 [Worker_2] Info: analyzing compressed file /opt/assp/tmp/zip_2_1458750377/.10/assp_attch_test.xlsx at zip-level 1
>> Mar-23-16 17:26:17 [Worker_2] Info: looking for filetype in: .zip
>> Mar-23-16 17:26:17 [Worker_2] Info: found compressed file with type: 'zip'
>> Mar-23-16 17:26:18 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] [Attachment] 74.125.82.46 <[email protected]> to: [email protected] SPAM FOUND bad attachment 'test.zip' is a 'compressed file 'test.zip' - contains forbidden file /opt/assp/tmp/zip_2_1458750377/.10/pippo.js'
>> Mar-23-16 17:26:18 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] [Attachment] 74.125.82.46 <[email protected]> to: [email protected] info: Plugin ASSP_AFC has set the collection parameter to '6' = discard folder
>> Mar-23-16 17:26:18 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] [Attachment] 74.125.82.46 <[email protected]> to: [email protected] mail blocked by Plugin ASSP_AFC - reason BadAttachment
>> Mar-23-16 17:26:18 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] [Attachment] 74.125.82.46 <[email protected]> to: [email protected] [spam found] (BadAttachment) [Fwd test zip files];
>> Mar-23-16 17:26:18 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] 74.125.82.46 <[email protected]> to: [email protected] [SMTP Reply] 250 OK
>> Mar-23-16 17:26:18 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] 74.125.82.46 <[email protected]> to: [email protected] [SMTP Reply] 221 <assp1.europassistance.it> closing transmission
>>
>> i tried to set a different collect folder for attachment (quarantine) but
>> it seems the collection parameter is not changing (maybe hardcoded?).
>>
>> regards,
>>
>> On Wed, Mar 23, 2016 at 5:05 PM, aquilinux <[email protected]> wrote:
>>
>>> Thomas, i don't really know what caused that regression.
>>> I mean, after 16081 i didn't have the issue with cwd anymore.
>>> then, it suddenly stopped working for me and i was back to the cwd
>>> issue.
>>> i was really puzzled...
>>> so i tried 16081 in test, and cwd was working!
>>> the same assp version, perl modules, and AFC plugin gave me 2 different
>>> behaviours....
>>>
>>> now, i upgraded to 16083 and everything is working fine again..
>>>
>>> Mar-23-16 16:41:15 [Worker_1] Info: will detect executables in compressed files
>>> Mar-23-16 16:41:15 [Worker_1] Info: analyzing compressed file /opt/assp/tmp/zip_1_1458747675/test.zip at zip-level 0
>>> Mar-23-16 16:41:15 [Worker_1] Info: looking for filetype in: .zip
>>> Mar-23-16 16:41:15 [Worker_1] Info: found compressed file with type: 'zip'
>>> Mar-23-16 16:41:15 [Worker_1] Info: analyzing compressed file /opt/assp/tmp/zip_1_1458747675/.10/assp_attch_test.docx at zip-level 1
>>> Mar-23-16 16:41:15 [Worker_1] Info: looking for filetype in: .zip
>>> Mar-23-16 16:41:15 [Worker_1] Info: found compressed file with type: 'zip'
>>> Mar-23-16 16:41:15 [Worker_1] Info: analyzing compressed file /opt/assp/tmp/zip_1_1458747675/.10/assp_attch_test.xlsx at zip-level 1
>>> Mar-23-16 16:41:15 [Worker_1] Info: looking for filetype in: .zip
>>> Mar-23-16 16:41:15 [Worker_1] Info: found compressed file with type: 'zip'
>>> Mar-23-16 16:41:16 m1-47674-12726 [Worker_1] [TLS-in] [TLS-out] 74.125.82.45 <[email protected]> to: [email protected] whitelisted (no bad attachments)
>>>
>>> so, is it possible that assp files (maybe in sl-cache) get corrupted in
>>> any way?
>>> how can this behaviour be explained?
>>>
>>>
>>> About MaxAllowedDups, i always set it to 0 because i didn't care about
>>> this feature..
>>> I know that there is a flaming discussion about this, but, really, i
>>> trust your implementation of Bayes and HMM, so i don't care arguing about
>>> this or opening the box to have a look at what's inside.
>>> i was just wondering now (since this issue about moved files) what's the
>>> best setting for MaxAllowedDups in order to have both:
>>>
>>> - no problem with resend requests (yes, even if this is really spam) so,
>>> any blocked email should be eligible for a resend
>>>
>>> - the best results on bayes/hmm training with the least amount of useless
>>> stored email.
>>>
>>> i don't know if any of these sentences make sense :)
>>> but i hope i've been clear enough.
>>>
>>> thanks, as usual,
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Wed, Mar 23, 2016 at 4:25 PM, Thomas Eckardt <
>>> [email protected]> wrote:
>>>
>>>> just released updates for assp.pl and ASSP_AFC at CVS
>>>>
>>>> - fixes the unexpected stop of decompression in ASSP_AFC
>>>>
>>>> - using build 16081 - files were unexpectedly moved from 'spam' to
>>>> 'discarded' if 'MaxAllowedDups' was set to zero
>>>>
>>>> - the resend link in BlockReports was missing, if a collected file was
>>>> moved from 'spam' to 'discarded'
>>>>
>>>> Thomas
>>>>
>>>>
>>>>
>>>>
>>>> From: aquilinux <[email protected]>
>>>> To: For Users of ASSP <[email protected]>
>>>> Date: 23.03.2016 16:07
>>>> Subject: Re: [Assp-user] bad attachment [...] possibly a virus
>>>> infected file (can't extract archive)'
>>>>
>>>>
>>>>
>>>> On Wed, Mar 23, 2016 at 3:44 PM, Thomas Eckardt
>>>> <[email protected]>
>>>> wrote:
>>>>
>>>> > perl -e 'use Cwd;print cwd();'
>>>>
>>>>
>>>> this works:
>>>>
>>>> root@assp1:~# perl -e 'use Cwd;print cwd();'
>>>> /rootroot@assp1:~#
>>>>
>>>> i'll do more extensive tests.
>>>>
>>>> thanks
>>>> --
>>>> "Madness, like small fish, runs in hosts, in vast numbers of instances."
>>>>
>>>> Nobody combs my hair as well as the wind.
>>>>
>>>> _______________________________________________
>>>> Assp-user mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/assp-user
--
"Madness, like small fish, runs in hosts, in vast numbers of instances."
Nobody combs my hair as well as the wind.
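
An added example, not part of the original thread or of ASSP: in the quoted logs, the Mar-24 session ends its `[spam found]` line with `-> /opt/assp/discarded/...eml;` while the Mar-23 session ends it with a bare `;`, which is the "no email stored" symptom. The Python sketch below groups maillog lines by session id and flags blocked sessions with no stored copy, plus the SMTP reply the client received after the block. The sample lines are constructed from the thread's layout with placeholder IPs and addresses, and the regexes assume that layout.

```python
import re
from collections import defaultdict

# Constructed sample in the maillog layout quoted in the thread (lines unwrapped;
# IPs and addresses are placeholders, session ids and the stored path are the thread's).
SAMPLE_LOG = """\
Mar-24-16 10:00:38 m1-10036-04835 [Worker_4] [TLS-out] [Attachment] 192.0.2.10 <sender@example.org> to: rcpt@example.com [spam found] (BadAttachment) [Your order has been despatched] -> /opt/assp/discarded/Your_order_has_been_despatched--3181134.eml;
Mar-24-16 10:00:38 m1-10036-04835 [Worker_4] [TLS-out] 192.0.2.10 <sender@example.org> to: rcpt@example.com [SMTP Reply] 250 OK
Mar-23-16 17:26:18 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] [Attachment] 192.0.2.20 <sender@example.org> to: rcpt@example.com mail blocked by Plugin ASSP_AFC - reason BadAttachment
Mar-23-16 17:26:18 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] [Attachment] 192.0.2.20 <sender@example.org> to: rcpt@example.com [spam found] (BadAttachment) [Fwd test zip files];
Mar-23-16 17:26:18 m1-50376-07789 [Worker_2] [TLS-in] [TLS-out] 192.0.2.20 <sender@example.org> to: rcpt@example.com [SMTP Reply] 250 OK
"""

# Timestamp, session id, remainder; worker-only lines carry no session id and are skipped.
LINE = re.compile(r"^\w{3}-\d\d-\d\d \d\d:\d\d:\d\d (m\d+-\d+-\d+) (.*)$")
# "[spam found] (Reason) [Subject] -> /path/file.eml;" where the "-> path" part may be absent.
SPAM = re.compile(r"\[spam found\] \((\w+)\) \[(.*?)\](?: -> (\S+?))?;")
REPLY = re.compile(r"\[SMTP Reply\] (\d{3})\b")


def audit(log_text):
    """Return {session_id: {reason, subject, stored, reply}} for blocked sessions."""
    sessions = defaultdict(lambda: dict(reason=None, subject=None, stored=None, reply=None))
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, rest = m.groups()
        s = sessions[sid]
        spam = SPAM.search(rest)
        if spam:
            s["reason"], s["subject"], s["stored"] = spam.groups()
        elif s["reason"] and s["reply"] is None:
            reply = REPLY.search(rest)  # first SMTP reply logged after the block
            if reply:
                s["reply"] = reply.group(1)
    return {sid: s for sid, s in sessions.items() if s["reason"]}


def findings(report):
    """List (session_id, issue) pairs worth a second look."""
    out = []
    for sid, s in report.items():
        if s["stored"] is None:
            out.append((sid, "blocked, but no stored copy was logged"))
        if (s["reply"] or "").startswith("2"):
            out.append((sid, "client got %s after the block" % s["reply"]))
    return out
```

Real maillog files need their wrapped lines joined before being passed to `audit()`, since each record is matched as a single line.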