Hi Thomas, thanks for your help.
Do I have some way to activate a log, or something that helps me find out why 
these messages are marked as ok?
My value of the local penalty limit is similar to the classic penalty limit.
I only enabled the okmail folder to see whether some spam email passes as if it were ok.
Actually we don't have any policy for the files we receive, and for now I am trying to 
mark the suspect/bad files as spam.

These are the changes I made when I started to configure the attachment policy:

Feb-27-19 11:05:06 [Main_Thread] AdminUpdate: [root 127.0.0.1] DoBlockExes 
changed from 'disabled (0)' to 'monitor (2)'
Feb-27-19 11:06:33 [Main_Thread] AdminUpdate: [root 127.0.0.1] BlockExes 
changed from 'no check (0)' to 'Level 1 (1)'
Feb-27-19 11:19:02 [Main_Thread] AdminUpdate: [root 127.0.0.1] DoASSP_AFC 
updated from '0' to '1'
Feb-27-19 11:43:49 [Main_Thread] AdminUpdate: [root 127.0.0.1] ASSP_AFCinsize 
changed from '1024' to ''
Feb-27-19 11:43:49 [Main_Thread] AdminUpdate: [root 127.0.0.1] ASSP_AFCoutsize 
changed from '1024' to ''
Feb-27-19 12:27:53 [Main_Thread] AdminUpdate: [root 127.0.0.1] baValencePB 
updated from '20' to '40' - new message score: 40 , new IP score 40
Feb-27-19 16:14:52 [Main_Thread] AdminUpdate: [root 127.0.0.1] baysNonSpamLog 
changed from 'no collection (0)' to 'okmail folder (4)'

When I started to view the behaviour of the incoming attachments I decided to 
score them:

Mar-21-19 15:24:28 [Main_Thread] AdminUpdate: [root 127.0.0.1] DoBlockExes 
changed from 'monitor (2)' to 'score (3)'

Thanks in advance, I really appreciate the work you do with this product!


From: Thomas Eckardt [mailto:[email protected]]
Sent: Wednesday, 27 March 2019 07:28
To: For Users of ASSP
Subject: Re: [Assp-user] Problem with ASSP_AFC

> [scoring] bad attachment
> added 40 (baValencePB) for bad attachment

It makes no sense to me to let a bad attachment pass if the attachment is the 
only issue. Bad attachments should be blocked or replaced.

However, scoring is a valid option and should work.

> message ok [Febrero Factura de servicio y soporte] -> c:/assp/okmail/

It looks like assp has detected the mail as local mail, because the mail is 
stored in 'okmail'. In this case the scoring limits are used from
 LocalPenaltyMessageLow and LocalPenaltyMessageLimit. - DoLocalPenaltyMessage
instead of
 PenaltyMessageLow and PenaltyMessageLimit. - DoPenaltyMessage

The scoring-engine ignores the result from the plugin.

Thomas



From:        "Leandro N. Castro - INSETEC Informática" 
<[email protected]<mailto:[email protected]>>
To:        "For Users of ASSP" 
<[email protected]<mailto:[email protected]>>
Date:        26.03.2019 21:23
Subject:        [Assp-user] Problem with ASSP_AFC
________________________________


Hi everyone, I started to use the ASSP_AFC plugin after some monitoring testing 
and I detected a problem, maybe because of a fault in my configuration.



I’m actually using  ASSP version 2.6.1  *Fortress*  build 19007, and ASSP_AFC 
ver 4.89.



The thing is that AFC correctly adds points to the mail, but then it's sent 
without these added points, for example (this is part of my log, I changed the 
domains):



-----

Mar-26-19 10:02:42 [Worker_3] Connected: session:5A2161D0 95.142.156.27:60415 > 
172.20.1.55:25 > 172.20.1.22:25

Mar-26-19 10:02:42 [Worker_3] 95.142.156.27 [SMTP Reply] 220 
mail.MyDomain.com.ar Microsoft ESMTP MAIL Service ready at Tue, 26 Mar 2019 
10:02:39 -0300

Mar-26-19 10:02:43 [Worker_3] 95.142.156.27 [SMTP Reply] 250 NOOP

Mar-26-19 10:02:43 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> info: found 
message size announcement: 236.78 kByte

Mar-26-19 10:02:44 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> [SMTP 
Reply] 250 2.1.0 Sender OK

Mar-26-19 10:02:44 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> [SMTP Reply] 250 2.1.5 
Recipient OK

Mar-26-19 10:02:44 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> [SMTP Reply] 354 Start mail 
input; end with <CRLF>.<CRLF>

Mar-26-19 10:02:44 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> info: detected IP's on the 
mail routing way: 103.255.5.254

Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> info: detected source IP: 
103.255.5.254

Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] [MsgID] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> [scoring] (Message-ID missing)

Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> Message-Score: added 10 
(midmValencePB) for Message-ID missing, total score for this message is now 10

Mar-26-19 10:02:45 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> info: remove IP-score from 
95.142.156.27 - this mail passed the SPF check

Mar-26-19 10:02:46 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> Message-Score: added 25 for 
Blocked IP-Country GB (PARAGON INTERNET GROUP LIMITED), total score for this 
message is now 35

Mar-26-19 10:02:46 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> [scoring] SenderBase -- 
Blocked IP-Country GB (PARAGON INTERNET GROUP LIMITED)

Mar-26-19 10:02:47 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> HMM-Check has given less than 
6 results - using monitoring mode only

Mar-26-19 10:02:47 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> HMM Check [monitoring] - 
Prob: 0.00000 => ham - answer/query relation: 9% of 41

Mar-26-19 10:02:47 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> Bayesian Check [scoring] - 
Prob: 0.00000 => ham - answer/query relation: 40% of 44

----



… at this point the message score is 35, my low limit starts at 40.



---

Mar-26-19 10:02:47 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> [Plugin] calling plugin 
ASSP_AFC

Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] [Attachment] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> [scoring] bad attachment 
'Fa_Num_X216754265.doc' cause: 'MS Office Macro'

Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> Message-Score: added 40 
(baValencePB) for bad attachment 'Fa_Num_X216754265.doc' cause: 'MS Office 
Macro', total score for this message is now 75

Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] [Attachment] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> info: 1 attachment found for 
Level-1

---

After AFC the total score is 75 but the message passes as MessageOK ¿?

---

Mar-26-19 10:02:48 m1-05363-09821 [Worker_3] [MessageOK] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> message ok [Febrero Factura 
de servicio y soporte] -> 
c:/assp/okmail/Febrero_Factura_de_servicio_y_soporte--960167.eml

Mar-26-19 10:02:51 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> [SMTP Reply] 250 2.6.0 
<[email protected]<mailto:[email protected]>>
 Queued mail for delivery

Mar-26-19 10:02:52 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> [SMTP Reply] 221 2.0.0 
Service closing transmission channel

Mar-26-19 10:02:52 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> info: PB-IP-Score for 
'95.142.156.0' is 0, added 10 in this session

Mar-26-19 10:02:52 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> finished message - received 
DATA size: 236.96 kByte - sent DATA size: 237.62 kByte

Mar-26-19 10:02:52 m1-05363-09821 [Worker_3] 95.142.156.27 
<[email protected]<mailto:[email protected]>> to: 
[email protected]<mailto:[email protected]> disconnected: 
session:5A2161D0 95.142.156.27 - processing time 10 seconds

---



This is the header in the Outlook client that received that mail as NOT spam:





Received: from outmx-004.london.gridhost.co.uk (172.20.1.55) by

mail.MyDomain.com.ar (172.20.1.22) with Microsoft SMTP Server id

8.3.406.0; Tue, 26 Mar 2019 10:02:42 -0300

X-Assp-ID: fwas.MyDomain.com.ar m1-05363-09821

X-Assp-Session: 5A2161D0 (mail 1)

X-Assp-Detected-RIP: 103.255.5.254

X-Assp-Source-IP: 103.255.5.254

X-Assp-Envelope-From: 
[email protected]<mailto:[email protected]>

X-Assp-Intended-For: [email protected]<mailto:[email protected]>

X-Assp-Version: 2.6.1(19007) on fwas.MyDomain.com.ar

X-Assp-Message-Score: 10 (Message-ID missing)

X-Assp-IP-Score: 10 (Message-ID missing)

X-Original-Authentication-Results: fwas.MyDomain.com.ar;

                spf=pass

X-Assp-Message-Score: 25 (Blocked IP-Country GB (PARAGON INTERNET GROUP

                LIMITED))

X-Assp-IP-Score: 25 (Blocked IP-Country GB (PARAGON INTERNET GROUP

                LIMITED))

X-Assp-Spam-Level: ********

Received: from outmx-004.london.gridhost.co.uk ([95.142.156.27]

                helo=outmx-004.london.gridhost.co.uk) by fwas.MyDomain.com.ar 
with SMTP

                (2.6.1); 26 Mar 2019 10:02:42 -0300

Received: from [103.255.5.254] (unknown [103.255.5.117])       (Authenticated

sender: [email protected]<mailto:[email protected]>)      
    by outmx-004.london.gridhost.co.uk

(Postfix) with ESMTPA id 52B9620B77F90           for 
<[email protected]<mailto:[email protected]>>; Tue, 26

Mar 2019 13:02:39 +0000 (GMT)

Date: Tue, 26 Mar 2019 18:02:39 +0500

From: Ricardo Horacio 
<[email protected]<mailto:[email protected]>>

To: [email protected]<mailto:[email protected]>

Subject: Febrero, Factura de servicio y soporte

MIME-Version: 1.0

Content-Type: multipart/mixed;

                boundary="----=_Part_63752_1379494856.26294462821815354808"

Message-ID: 
<[email protected]<mailto:[email protected]>>

Return-Path: [email protected]<mailto:[email protected]>



---





Can someone help me figure out what could have happened?



Thanks in advance! :)

 _______________________________________________
Assp-user mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/assp-user
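
To audit a log for the situation discussed in this thread, the following added example (not part of the thread and not ASSP project code) groups ASSP log lines by message ID, keeps the last "total score for this message is now N" value, and lists messages that still ended as [MessageOK] at or above a limit. The sample lines are constructed in the format quoted above; the addresses, IDs, file names and the default limit of 40 (the poster's stated low limit) are assumptions.

```python
import re
from dataclasses import dataclass, field

# Patterns follow the log lines quoted in the thread.
MSG_ID = re.compile(r"^\S+ \S+ (m\d+-\d+-\d+) ")
SCORE = re.compile(r"total score for this message is now (-?\d+)")
BAD_ATT = re.compile(r"\[scoring\] bad attachment '([^']+)' cause: '([^']+)'")

@dataclass
class Msg:
    score: int = 0                 # last running total seen in the log
    delivered_ok: bool = False     # a [MessageOK] line was logged
    bad_attachments: list = field(default_factory=list)

def parse(lines):
    """Group log lines by ASSP message ID and track score and outcome."""
    msgs = {}
    for line in lines:
        m = MSG_ID.match(line)
        if not m:                  # session lines carry no message ID
            continue
        msg = msgs.setdefault(m.group(1), Msg())
        if (s := SCORE.search(line)):
            msg.score = int(s.group(1))
        if (a := BAD_ATT.search(line)):
            msg.bad_attachments.append(a.groups())
        if "[MessageOK]" in line:
            msg.delivered_ok = True
    return msgs

def passed_over_limit(lines, limit=40):
    """Messages delivered as ok although their logged score reached `limit`."""
    return {i: m for i, m in parse(lines).items()
            if m.delivered_ok and m.score >= limit}

# Constructed sample log (placeholder addresses, IDs and file names).
W, A = "[Worker_3]", "192.0.2.10 <sender@example.org> to: user@example.com"
SAMPLE_LOG = [
    f"Mar-26-19 10:02:42 {W} Connected: session:AAAA0001 192.0.2.10:60415 > 198.51.100.5:25",
    f"Mar-26-19 10:02:46 m1-00001-00001 {W} {A} Message-Score: added 25 for Blocked IP-Country GB, total score for this message is now 35",
    f"Mar-26-19 10:02:48 m1-00001-00001 {W} [Attachment] {A} [scoring] bad attachment 'invoice.doc' cause: 'MS Office Macro'",
    f"Mar-26-19 10:02:48 m1-00001-00001 {W} {A} Message-Score: added 40 (baValencePB) for bad attachment 'invoice.doc' cause: 'MS Office Macro', total score for this message is now 75",
    f"Mar-26-19 10:02:48 m1-00001-00001 {W} [MessageOK] {A} message ok [Invoice] -> c:/assp/okmail/Invoice--1.eml",
    f"Mar-26-19 10:05:01 m1-00002-00002 {W} {A} Message-Score: added 10 (midmValencePB) for Message-ID missing, total score for this message is now 10",
    f"Mar-26-19 10:05:02 m1-00002-00002 {W} [MessageOK] {A} message ok [Hello] -> c:/assp/okmail/Hello--2.eml",
    f"Mar-26-19 10:07:10 m1-00003-00003 {W} {A} Message-Score: added 50 for Blocked IP-Country GB, total score for this message is now 50",
]

if __name__ == "__main__":
    for mid, m in passed_over_limit(SAMPLE_LOG).items():
        print(mid, m.score, m.bad_attachments)
```

To run it over a real log, pass the open log file object as `lines`; each hit is a message whose logged total and delivery outcome disagree and is worth checking against the penalty limits that applied to it.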


