
BombRe and BombDataRe or not?


BombRe and BombDataRe or not?

Pontus Hellgren-2
Hi There!

What would possibly disable/bypass BombRe and BombDataRe (and sometimes RBL)
in ASSP when processing "normal" mails that are not whitelisted in any way
(at least not that I know of)?

Is there any cache that ASSP uses that makes BombRe and BombDataRe obsolete?

The mails become "discarded", and if I run analyze on one of them I get:

Feature Matching:

. DKIM-check returned OK body altered - header passed - suspicious-OK
. SPF-check returned OK for 78.46.206.67 -> [hidden email],
mail.puppytreasure.com
. SPF: pass (cache) ip=78.46.206.67 mailfrom=[hidden email]
helo=mail.puppytreasure.com
. DMARC-check returned OK
. URIBL check: 'OK'
. Valid Format of HELO: 'mail.puppytreasure.com'
. IP in Helo check: 'OK'
. AUTH would be disabled
. RBLCacheCheck returned OK for 78.46.206.67: inserted as not ok at
2017-03-07 13:08:01 , listed by zen.spamhaus.org{127.0.0.3} - message score:
35
. RBLScore: zen.spamhaus.org -> 127.0.0.3 -> 35
. domain puppytreasure.com (in Mail From: , From , Reply-To) has a valid MX
record: mail.puppytreasure.com
. domainMX mail.puppytreasure.com has a valid A record: 78.46.206.67
. 78.46.206.67 is in PTRCache: status=PTR OK - mail.puppytreasure.com
. 78.46.206.67 is in RWLCache: status=not listed
. 78.46.206.67 SenderBase: status=not classified, data=[CN=DE, ORG=HETZNER
ONLINE GMBH, DOM=your-server.de, BLS=, HNM=Y, CIDR=28,
HN=mail.puppytreasure.com]

This is a well-made spam mail, and if BombRe and BombDataRe had been
processed on the mail it would be in the dump.

RBLScore is 35 and Bayesian is set to spam, so some more points should be
added, but if I check the headers of the passed mail it only reports
Bayesian and not RBL like above. That also should have put a nail in the
coffin for this mail.

Here is the ASSP log:
Mar-07-17 13:04:34 m1-88272-08330 [Worker_3] 78.46.206.67
<[hidden email]> to: [hidden email] diagnostic: FileScan will
run command - /usr/local/assp/virusscan/avg.sh /run/avg/a.3.74087.eml 2>&1
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67
<[hidden email]> to: [hidden email] diagnostic: FileScan
returned OK
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67
<[hidden email]> to: [hidden email] FileScan: scanned 10754
bytes in message - OK
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67
<[hidden email]> to: [hidden email] Bayesian Check [scoring] -
Prob: 1.00000 => spam - answer/query relation: 100% of 112
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67
<[hidden email]> to: [hidden email] Message-Score: added 41 for
Bayesian Probability: 1.00000, total score for this message is now 41
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] [MessageLimit][lowlimit]
78.46.206.67 <[hidden email]> to: [hidden email] info: Maillog -
created file discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] [MessageLimit][lowlimit]
78.46.206.67 <[hidden email]> to: [hidden email] [spam found]
and possibly passing because messagescore(41) low [F mer luft i konomien med
44 762 kroner p kontoen] -> discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67
<[hidden email]> to: [hidden email] info: Maillog - removed old
file discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67
<[hidden email]> to: [hidden email] info: Maillog - created file
discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67
<[hidden email]> to: [hidden email] spam found and passing [F
mer luft i konomien med 44 762 kroner p kontoen] ->
discarded/8330--1341231.eml
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67
<[hidden email]> to: [hidden email] info: received and processed
all DATA


I'm confused about when tests are made and when not.
Does analyze use some tests and the real scan others?

What am I missing? Why is ASSP not doing some checks on this mail and adding
them together, especially when it's passing the real scan?

Regards,
Pontus
ASSP version 2.5.6(17060) on Ubuntu.
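The score accounting Pontus describes, as an added example that is not part of the original post or of ASSP itself: a small Python parser for the maillog lines quoted above that lists which checks actually added points during the real scan and flags the ones (here RBL and Bomb) that never did. The sample log is constructed from the line format shown in the post; the `expected` check names are an assumption chosen to match the thread.

```python
"""Reconstruct per-message score contributions from ASSP maillog lines (added example)."""
import re
from collections import defaultdict

# One ASSP 'Message-Score: added N for REASON, total score ... is now T' line.
SCORE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<mid>\S+) \[Worker_\d+\] .*?"
    r"Message-Score: added (?P<pts>-?\d+) for (?P<reason>.+?), "
    r"total score for this message is now (?P<total>-?\d+)$"
)
# The final verdict line ('... possibly passing because messagescore(N) low ...').
VERDICT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<mid>\S+) .*?messagescore\((?P<score>\d+)\) low"
)

# Constructed sample in the format of the log quoted above ('[hidden email]' kept as the archive shows it).
SAMPLE_LOG = """\
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <[hidden email]> to: [hidden email] Bayesian Check [scoring] - Prob: 1.00000 => spam - answer/query relation: 100% of 112
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] 78.46.206.67 <[hidden email]> to: [hidden email] Message-Score: added 41 for Bayesian Probability: 1.00000, total score for this message is now 41
Mar-07-17 13:04:37 m1-88272-08330 [Worker_3] [MessageLimit][lowlimit] 78.46.206.67 <[hidden email]> to: [hidden email] [spam found] and possibly passing because messagescore(41) low [constructed subject] -> discarded/8330--1341231.eml
"""

def parse_scores(log_text):
    """Return {message_id: {"contributions": [(reason, pts)], "total": T, "final": F}}."""
    msgs = defaultdict(lambda: {"contributions": [], "total": 0, "final": None})
    for line in log_text.splitlines():
        m = SCORE_RE.match(line)
        if m:
            rec = msgs[m["mid"]]
            rec["contributions"].append((m["reason"], int(m["pts"])))
            rec["total"] = int(m["total"])
            continue
        v = VERDICT_RE.match(line)
        if v:
            msgs[v["mid"]]["final"] = int(v["score"])
    return dict(msgs)

def missing_checks(record, expected=("Bayesian", "RBL", "Bomb")):
    """Names from `expected` that never appear as a scoring reason for the message."""
    reasons = " ".join(r for r, _ in record["contributions"])
    return [name for name in expected if name.lower() not in reasons.lower()]

def totals_consistent(record):
    """True when the logged running total equals the sum of the logged contributions."""
    return sum(p for _, p in record["contributions"]) == record["total"]

if __name__ == "__main__":
    for mid, rec in parse_scores(SAMPLE_LOG).items():
        print(mid, rec, "never scored:", missing_checks(rec))
```

Run it against a real maillog to see, per message, exactly which checks contributed points; a check that analyze reports but that never appears here did not run (or did not log) during the live scan.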







_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test

Re: BombRe and BombDataRe or not?

Thomas Eckardt/eck
Set 'BombLog' to diagnostic - it will show the bomb check results in any case. Otherwise only hits will be shown.

Thomas



From:        "Pontus Hellgren" <[hidden email]>
To:        "'ASSP development mailing list'" <[hidden email]>
Date:        07.03.2017 13:41
Subject:        [Assp-test] BombRe and BombDataRe or not?


