From: Marcus B. <ber...@te...> - 2012-05-19 16:04:45
Hi All,

I'm using ASSP 2.1.1(12090). I have configured SpamVirusLog:=0. Inside the maillog.txt I found one message which is stored in ./spam. Here is the log:

May-18-12 07:52:27 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> Message-Score: added 5 (fiphValencePB) for Suspicious HELO - contains IP: '[37.45.95.183]', total score for this message is now 5
May-18-12 07:52:27 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> [scoring] (Suspicious HELO - contains IP: '[37.45.95.183]')
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... [scoring] SPF: fail ip=37.45.95.183 mai...@bm... helo=[37.45.95.183]
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... Message-Score: added 10 (spfValencePB) for SPF fail, total score for this message is now 15
May-18-12 07:52:28 m1-20347-11296 [Worker_2] [DNSBL] 37.45.95.183 <fli...@bm...> to: us...@do... [scoring] DNSBL: neutral, 37.45.95.183 listed in zen.spamhaus.org
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... Message-Score: added 25 for DNSBL: neutral, 37.45.95.183 listed in zen.spamhaus.org, total score for this message is now 40
May-18-12 07:52:28 m1-20347-11296 [Worker_2] [PTRmissing] 37.45.95.183 <fli...@bm...> to: us...@do... [scoring] (PTR missing)
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... Message-Score: added 10 (ptmValencePB) for PTR missing, total score for this message is now 50
May-18-12 07:52:28 m1-20347-11296 [Worker_2] [MessageLimit][sl] 37.45.95.183 <fli...@bm...> to: us...@do... [spam found] and possibly passing because spamlover for this check, otherwise blocked (MessageScore 50, limit 50) [FW Check the attachment you have to react somehow to this picture] -> /opt/assp/spam/FW_Check_the_attachment_you_have_to_react_somehow_--140588.eml
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... ClamAV: scanned 60690 bytes in message - FOUND Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... Message-Score: added 50 (vdValencePB) for virus detected: 'Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)', total score for this message is now 100
May-18-12 07:52:38 m1-20347-11296 [Worker_2] [VIRUS] 37.45.95.183 <fli...@bm...> to: us...@do... [spam found] (virus detected: 'Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)') [FW Check the attachment you have to react somehow to this picture] -> /opt/assp/spam/FW_Check_the_attachment_you_have_to_react_somehow_--140588.eml;
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... [SMTP Error] 554 5.7.1 Mail appears infected with \[Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)\].
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... [SMTP Status] 451 4.7.1 Greylisted - Please try again later

After the message gets some penalty points because of HELO, SPF, DNSBL and PTR, the MessageScore limit of 50 is reached and the message is stored in the ./spam folder. Then ASSP detects via ClamAV that the message contains a virus and rejects it.

Shouldn't ASSP do the virus check before the spam check, reject and don't store the message?

We want to use the following policy:
faked local sender or unknown local receiver or message contains virus -> reject them all, don't store;
all other spam -> reject (e.g. DNSBL) or tag (e.g. Bayesian), store in ./spam for resend via reports.

Thank you,
Marcus
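
An added example, not part of the original post and not ASSP code: a small audit over maillog.txt that lists sessions whose message was written to disk and also flagged by ClamAV, so infected files already sitting in ./spam can be found before they are resent via reports. The function name `audit` and the regular expressions are assumptions based only on the log layout quoted above; the second session in the sample is constructed.

```python
import re

# Layout assumed from the quoted log: "<date> <time> <session-id> [Worker_n] <text>"
LINE = re.compile(r"^(\S+ \S+) (\S+) \[Worker_\d+\] (.*)$")
SCORE = re.compile(r"Message-Score: added (\d+) .*total score for this message is now (\d+)")
STORED = re.compile(r"-> (\S+?\.eml)")
VIRUS = re.compile(r"ClamAV: .*FOUND (\S+)")

def audit(lines):
    """Return {session_id: info} for sessions that were stored AND flagged by ClamAV."""
    sessions = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a per-session log line
        ts, sid, text = m.groups()
        s = sessions.setdefault(sid, {"score": 0, "path": None, "score_at_store": None,
                                      "virus": None, "stored_before_scan": None})
        if (hit := SCORE.search(text)):
            s["score"] = int(hit.group(2))  # running total as logged
        if (hit := STORED.search(text)) and s["path"] is None:
            # First "-> file.eml" for this session: remember the state at store time.
            s.update(path=hit.group(1), score_at_store=s["score"],
                     stored_before_scan=s["virus"] is None)
        if (hit := VIRUS.search(text)) and s["virus"] is None:
            s["virus"] = hit.group(1)
    return {sid: s for sid, s in sessions.items() if s["path"] and s["virus"]}

# First three lines are taken from the log in the post; the last two are constructed.
SAMPLE = """\
May-18-12 07:52:28 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... Message-Score: added 10 (ptmValencePB) for PTR missing, total score for this message is now 50
May-18-12 07:52:28 m1-20347-11296 [Worker_2] [MessageLimit][sl] 37.45.95.183 <fli...@bm...> to: us...@do... [spam found] and possibly passing because spamlover for this check, otherwise blocked (MessageScore 50, limit 50) [FW Check the attachment you have to react somehow to this picture] -> /opt/assp/spam/FW_Check_the_attachment_you_have_to_react_somehow_--140588.eml
May-18-12 07:52:38 m1-20347-11296 [Worker_2] 37.45.95.183 <fli...@bm...> to: us...@do... ClamAV: scanned 60690 bytes in message - FOUND Email.Trojan-324(0c917161a5c9f158203112f7bce8b94c:60690)
May-18-12 07:53:01 m1-00000-00001 [Worker_1] 192.0.2.10 <a@example.org> to: b@example.com Message-Score: added 50 (constructed) for constructed check, total score for this message is now 50
May-18-12 07:53:01 m1-00000-00001 [Worker_1] [MessageLimit] 192.0.2.10 <a@example.org> to: b@example.com [spam found] (MessageScore 50, limit 50) [constructed] -> /opt/assp/spam/constructed--1.eml
""".splitlines()

if __name__ == "__main__":
    for sid, info in audit(SAMPLE).items():
        print(sid, info["virus"], info["path"], "stored before scan:", info["stored_before_scan"])
```
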