noScanIP ignored (outgoing mail)?


noScanIP ignored (outgoing mail)?

Dirk Kulmsee-2
Hi all,
my internal mailserver is fully equipped with antivirus software, so I
decided to declare it a „noScanIP“ for assp (ASSP version 2.5.4(16294)).
The outbound mail flow is: Exchange (192.168.12.241) -> ASSP
(192.168.12.242:25) -> Postfix (127.0.0.1:125) -> internet

Here is an (anonymized) excerpt from the log which looks like assp ignores
this setting and scans outgoing mails for viruses regardless:

2016-10-25 19:59:53 m1-18393-11989 [Worker_1] [TLS-in] [TLS-out]
192.168.12.241 <[hidden email]> info: found message size announcement:
13.09 kByte
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] [TLS-out]
192.168.12.241 <[hidden email]> to: [hidden email] [Plugin]
calling plugin ASSP_AFC
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] [TLS-out]
192.168.12.241 <[hidden email]> to: [hidden email] IP
192.168.12.241 matches noScanIP - with 192.168.12.241/32
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] [TLS-out]
192.168.12.241 <[hidden email]> to: [hidden email] IP
192.168.12.241 matches noScanIP - with 192.168.12.241/32
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] [TLS-out]
192.168.12.241 <[hidden email]> to: [hidden email] IP
192.168.12.241 matches noScanIP - with 192.168.12.241/32
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] [TLS-out]
192.168.12.241 <[hidden email]> to: [hidden email] IP
192.168.12.241 matches noScanIP - with 192.168.12.241/32
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] [TLS-out]
192.168.12.241 <[hidden email]> to: [hidden email] IP
192.168.12.241 matches noScanIP - with 192.168.12.241/32
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] [TLS-out]
192.168.12.241 <[hidden email]> to: [hidden email] IP
192.168.12.241 matches noScanIP - with 192.168.12.241/32
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] [TLS-out]
192.168.12.241 <[hidden email]> to: [hidden email] IP
192.168.12.241 matches noScanIP - with 192.168.12.241/32
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] [TLS-out]
192.168.12.241 <[hidden email]> to: [hidden email] IP
192.168.12.241 matches noScanIP - with 192.168.12.241/32
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] [TLS-out]
192.168.12.241 <[hidden email]> to: [hidden email] info: 1
attachment found for Level-0
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] [TLS-out]
192.168.12.241 <[hidden email]> to: [hidden email] local (no bad
attachments)
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] [TLS-out] [MessageOK]
192.168.12.241 <[hidden email]> to: [hidden email] message ok
[Interesting subject here] -> /opt/assp/notspam/11989.eml
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] 192.168.12.241
<[hidden email]> to: [hidden email] finished message - received
DATA size: 11.92 kByte - sent DATA size: 12.55 kByte
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] 192.168.12.241
<[hidden email]> to: [hidden email] disconnected:
session:7FF1A5AF63D0 192.168.12.241 - processing time 1 seconds
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] 192.168.12.241
<[hidden email]> to: [hidden email] ClamAV: scanned 12206 bytes in
file /opt/assp/notspam/11989.eml - OK
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] 192.168.12.241
<[hidden email]> to: [hidden email] FileScan: scanned 12206 bytes
in file /opt/assp/notspam/11989.eml – OK


This is not a big deal at all, better scan twice than never. I'd just like
to know the wise guys' explanation for this unexpected behaviour.

Best regards
Dirk


_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test
Re: noScanIP ignored (outgoing mail)?

Thomas Eckardt/eck
If a mail was not virus scanned for any reason, the file stored in the
corpus is scanned for security reasons.

You can see this, looking at the sequence

2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] 192.168.12.241
<[hidden email]> to: [hidden email] disconnected:
session:7FF1A5AF63D0 192.168.12.241 - processing time 1 seconds
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] 192.168.12.241
<[hidden email]> to: [hidden email] ClamAV: scanned 12206 bytes in
file /opt/assp/notspam/11989.eml - OK
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] 192.168.12.241
<[hidden email]> to: [hidden email] FileScan: scanned 12206 bytes
in file /opt/assp/notspam/11989.eml – OK

the connection was closed, the .eml file was stored - everything
finished. But assp knows that ClamAV is enabled and the mail was not
checked - the .eml file is checked.

Thomas







From:    "Dirk Kulmsee" <[hidden email]>
To:      "'ASSP development mailing list'" <[hidden email]>
Date:    26.10.2016 12:10
Subject: [Assp-test] noScanIP ignored (outgoing mail)?



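The ordering discussed in this thread can be checked mechanically. The following is an added example, not ASSP code and not part of either post: it groups log entries by message id and separates scans logged before the session's "disconnected:" entry from scans of the stored .eml file logged after it. The function name `classify_scans` is hypothetical, the sample input is the thread's log entries re-joined to one line each, and it assumes an in-session scan would be logged with the same "ClamAV: scanned" wording.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's log entries, re-joined to one line each.
SAMPLE_LOG = """\
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] [TLS-out] 192.168.12.241 <[hidden email]> to: [hidden email] IP 192.168.12.241 matches noScanIP - with 192.168.12.241/32
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] [TLS-out] [MessageOK] 192.168.12.241 <[hidden email]> to: [hidden email] message ok [Interesting subject here] -> /opt/assp/notspam/11989.eml
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] 192.168.12.241 <[hidden email]> to: [hidden email] disconnected: session:7FF1A5AF63D0 192.168.12.241 - processing time 1 seconds
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] 192.168.12.241 <[hidden email]> to: [hidden email] ClamAV: scanned 12206 bytes in file /opt/assp/notspam/11989.eml - OK
2016-10-25 19:59:54 m1-18393-11989 [Worker_1] [TLS-in] 192.168.12.241 <[hidden email]> to: [hidden email] FileScan: scanned 12206 bytes in file /opt/assp/notspam/11989.eml - OK
"""

# date, time, message id, then the remainder of the entry
ENTRY = re.compile(r"^\S+ \S+ (?P<msgid>\S+) (?P<rest>.*)$")
# Assumption: every scan result uses this wording; the path is optional.
SCAN = re.compile(
    r"(?P<engine>ClamAV|FileScan): scanned \d+ bytes(?: in file (?P<path>\S+))?"
)


def classify_scans(log_text):
    """Per message id: noScanIP hit, and scans split by session state."""
    out = defaultdict(lambda: {"noscan": False, "inline": [], "corpus": []})
    closed = set()  # message ids whose SMTP session has already disconnected
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        msgid, rest = m["msgid"], m["rest"]
        if "matches noScanIP" in rest:
            out[msgid]["noscan"] = True
        elif " disconnected:" in rest:
            closed.add(msgid)
        elif (s := SCAN.search(rest)):
            # After disconnect the scan can only concern the stored file.
            phase = "corpus" if msgid in closed else "inline"
            out[msgid][phase].append((s["engine"], s["path"]))
    return dict(out)


if __name__ == "__main__":
    for msgid, result in classify_scans(SAMPLE_LOG).items():
        print(msgid, result)
```

For the thread's session the result has the noScanIP match set, no in-session scans, and both scanner entries attributed to the stored file in /opt/assp/notspam.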