Re: [Assp-test] Attachment from "good" list blocked

2017-07-27 Thread Grayhat
:: On Tue, 18 Jul 2017 11:58:09 -0400
:: 
:: "Robert K Coffman Jr. -Info From Data Corp." wrote:

> https://pastebin.com/NKPYnZsD
> 
> 
> I have UserAttach set up for huntington.com (see bottom of the paste)
> but their html attachments are still being blocked.  Why is that?

Jul-18-17 09:58:09 m1-86288-10388 [Worker_1] [TLS-in] [Attachment]
170.128.35.52  to:
usern...@hyperglobalmega.com SPAM FOUND bad attachment
'securedoc_20170718T095806.html' cause: 'Java script - possibly locky
(ransomware) virus'

check out where you defined that "possibly locky..." message and you'll
find what's blocking the mail

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test


Re: [Assp-test] Possible feature requests

2017-06-29 Thread Grayhat
:: On Wed, 28 Jun 2017 08:38:34 -0700
::
 
::
Daniel Miller  wrote:

> Again, my request is to auto-block *IPs* of *failed* auths. Not lock
> the account. Not block valid auths. Regular users would never see a
> problem.

The "problem" with such an approach is the critters I call "slow
crackers"; basically it's a distributed network of bots which are
coordinated and will attempt, one at a time, to bruteforce a given
account. This means that you may see two/three logon attempts from
IP#1, then another two/three from IP#2 and so on, rotating IPs through
the whole botnet; this means that, when the penalty time expires, the
botnet has completed quite a number of attempts and can quietly reuse
IP#1 and so on for the next cycle. And while such an approach
may seem slow, it isn't: imagine having multiple bots attempting to
crack a given account and performing the above in parallel. ASSP will
ban the IPs... sure, but that won't help.

On the other hand, banning the account (username) isn't a good idea,
since, as already noted, someone may just lock off a legit user from
his inbox by running a distributed bruteforce attack.

A possible approach may be the following:

Upon a successful logon, ASSP stores the user's /24 subnet, and does the
same for different ones, so ASSP will keep (say) 10 or the like IP
ranges associated with an account (ranges may have a timestamp so they
will be removed after some time if they aren't used again)

After a number of failed logons from "unknown" IPs, ASSP will "block"
the account, but the block will ONLY be applied to logon attempts
coming from "unknown" IPs; regular ones will be allowed to go through

The above means that a (say) German user coming from a given IP block
will be able to access the SMTP even if the user account was blocked
due to repeated bruteforce attempts, at the same time, attempts coming
from (say) China will be rejected with a "no such user" (or the like)
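The scheme proposed above, as an added example (not ASSP code and not the poster's): known ranges are learned per account from successful logons and expire when unused, only failures from unknown ranges build the lock, and the lock refuses only unknown ranges, so the rotating "slow cracker" still hits the lock while the user's own /24 keeps working. Thresholds, the 30-day range lifetime and the /64 used for IPv6 are assumptions.

```python
import ipaddress
import time
from collections import deque


class SubnetAwareLockout:
    """Per-account lockout that only bites logons from unknown IP ranges.

    Constructed illustration of the scheme proposed on the list; ASSP itself
    does not contain this code. Known ranges (/24 for IPv4; /64 for IPv6 is
    an assumption) are learned from successful logons and expire when unused;
    only failures from unknown ranges count towards the lock.
    """

    def __init__(self, max_known=10, range_ttl=30 * 86400,
                 fail_threshold=5, fail_window=3600):
        self.max_known = max_known          # ranges remembered per account
        self.range_ttl = range_ttl          # seconds an unused range survives
        self.fail_threshold = fail_threshold
        self.fail_window = fail_window      # seconds a failure stays counted
        self.known = {}      # account -> {ip_network: last_seen}
        self.failures = {}   # account -> deque of failure timestamps

    @staticmethod
    def _net(ip):
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def _prune(self, account, now):
        ranges = self.known.get(account, {})
        for net in [n for n, ts in ranges.items() if now - ts > self.range_ttl]:
            del ranges[net]
        fails = self.failures.get(account)
        while fails and now - fails[0] > self.fail_window:
            fails.popleft()

    def is_known(self, account, ip, now=None):
        now = time.time() if now is None else now
        self._prune(account, now)
        return self._net(ip) in self.known.get(account, {})

    def is_blocked(self, account, ip, now=None):
        """True only when the lock is active AND ip is from an unknown range."""
        now = time.time() if now is None else now
        if self.is_known(account, ip, now):
            return False
        return len(self.failures.get(account, ())) >= self.fail_threshold

    def decide(self, account, ip, password_ok, now=None):
        """Process one logon attempt; returns 'accept', 'reject' or 'blocked'."""
        now = time.time() if now is None else now
        if self.is_blocked(account, ip, now):
            return "blocked"        # answered like a bad logon ("no such user")
        if password_ok:
            ranges = self.known.setdefault(account, {})
            ranges[self._net(ip)] = now
            if len(ranges) > self.max_known:
                del ranges[min(ranges, key=ranges.get)]  # drop least recent
            return "accept"
        # failures from the user's own ranges never build the lock
        if not self.is_known(account, ip, now):
            self.failures.setdefault(account, deque()).append(now)
        return "reject"
```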







Re: [Assp-test] crazy forum post

2017-02-12 Thread Grayhat
:: On Mon, 13 Feb 2017 06:53:48 +0100
:: 
:: Thomas Eckardt  wrote:

> http://assp.sourceforge.net/forum/viewtopic.php?f=6=3031
> 
> I don't want to start a discussion about this! It's only for your 
> information. I don't know, if I should cry or laugh.

Plain vanilla trolling IMHO; see, the terms "whitelist" and "blacklist"
have been in use for years worldwide and are commonly accepted, so, if
that folk wants to go on, he'd better start from the roots, not from ASSP,
which just uses the common, accepted terminology.



Re: [Assp-test] LetsEncrypt SSL Certs with ASSP

2017-01-23 Thread Grayhat
:: On Sun, 22 Jan 2017 07:55:22 -0500
:: 
:: Doug Lytle  wrote:

> Hey guys,
> 
> I just followed and setup LetsEncrypt SSL Certificates for my Zimbra 
> mail server following the below link:
> 
> https://forums.zimbra.org/viewtopic.php?f=15=60781
> 
> I wanted to know if this could also be used for SSL/TLS
> communications with ASSP?

Well, given that ASSP is written in Perl, I suspect that, if willing to
implement support for the "Let's Encrypt" framework, one should start
from stuff like

https://github.com/do-know/Crypt-LE

https://metacpan.org/pod/Net::ACME

https://metacpan.org/pod/Protocol::ACME

either one of the above should do; then, by the way, the thing should be
implemented inside ASSP (not sure it may fit into a plugin); as for the
"Let's Encrypt" initiative, for those who don't know about it

https://letsencrypt.org/

HTH





Re: [Assp-test] assp settings new installation

2016-10-20 Thread Grayhat
:: On Wed, 19 Oct 2016 22:04:31 +0530
:: 
:: Vaibhav Jaiman  wrote:

> - have setup assp and mailenable on the same box .
> - ASSP listening on 25|587|2525
> - MailServer listening on 125
> 
> (Inbound)
> Internet -> ASSP -> MailServer -> Remote
> 
> have configured below settings
> 
> listenport - 25|587|127.0.0.1:2525
> smtpDestination - 127.0.0.1:125
> RelayHost - 127.0.0.1:125
> Relay Port - 127.0.0.1:2525|127.0.0.1:587|127.0.0.1:25
> allowRelayCon - 127.0.0.1

My suggestion is the following

* Inbound

sender
|
|
ASSP: 25, 587
|
|
MailEnable: 8025


* OutBound

MailEnable
|
|
ASSP: 8025 (relayport - just local)
|
|
IIS SMTP: 9025 (just local)
|
|
destination

the idea is that the inbound mail flows through ASSP to the backend
MailEnable server where it's then distributed as needed; the outbound
mail, originating from MailEnable, is sent to ASSP which then forwards it
to the IIS SMTP acting as the outbound mail router; you'll probably
need to properly tweak things, but the above, once configured, will work
quite well; oh, and make sure to disable authentication on port 25 (at
least for plain vanilla, non-SSL connections) and *force* it on port
587, and to properly configure the IIS SMTP to route bounces/errors

What else... oh, yeah, if you feel ok with MailEnable then, good for
you, but personally, I think that hMailServer is better than ME, also
since it supports a webmail client (RoundCube) which has addons which
allow integrating it quite strictly with hMailServer




Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-19 Thread Grayhat
:: On Wed, 19 Oct 2016 13:31:55 +0200
:: 
:: Thomas Eckardt  wrote:

> 4. I'm unable to password protect RTF files  (tried office 2003, XP,
> 2013) - password is removed

I suspect it isn't a real RTF file but a passworded zip with a modified
extension; basically whoever builds such kind of trash creates a
script, adds it to a passworded "zip" and renames it to "rtf"





Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-19 Thread Grayhat
:: On Wed, 19 Oct 2016 09:14:44 +0200
:: <20161019091444.5...@gmx.net>
:: Grayhat <gray...@gmx.net> wrote:

> Ok for the sigs being up-to-date; but my point was about the "extra"
> signatures offered by SaneSecurity, not the regular ones; I found that
> the regular signatures are often "behind" while the ones offered by
> SaneSecurity are faster to catch up, so my suggestion was to add those
> signatures to your ClamAV scanner to help improve its efficiency; I've
> been using a number of signatures from SaneSecurity along with the
> regular clamav signatures and I found them to be quite effective at
> blocking "junk" (spam, malware and so on); that's why I'm suggesting to
> give them a spin

just in case, here's the list of additional signatures I'm using;
notice that it's important to always include the first two since they
allow quickly fixing false-positive issues (if any, by the way) and
improving the scanner's performance

rsync://rsync.sanesecurity.net/sanesecurity/sanesecurity.ftm
rsync://rsync.sanesecurity.net/sanesecurity/sigwhitelist.ign2
rsync://rsync.sanesecurity.net/sanesecurity/junk.ndb
rsync://rsync.sanesecurity.net/sanesecurity/jurlbla.ndb
rsync://rsync.sanesecurity.net/sanesecurity/lott.ndb
rsync://rsync.sanesecurity.net/sanesecurity/phish.ndb
rsync://rsync.sanesecurity.net/sanesecurity/rogue.hdb
rsync://rsync.sanesecurity.net/sanesecurity/scam.ndb
rsync://rsync.sanesecurity.net/sanesecurity/spam.ldb
rsync://rsync.sanesecurity.net/sanesecurity/spamimg.hdb
rsync://rsync.sanesecurity.net/sanesecurity/spamattach.hdb
rsync://rsync.sanesecurity.net/sanesecurity/blurl.ndb
rsync://rsync.sanesecurity.net/sanesecurity/bofhland_cracked_URL.ndb
rsync://rsync.sanesecurity.net/sanesecurity/bofhland_malware_URL.ndb
rsync://rsync.sanesecurity.net/sanesecurity/bofhland_phishing_URL.ndb
rsync://rsync.sanesecurity.net/sanesecurity/bofhland_malware_attach.hdb
rsync://rsync.sanesecurity.net/sanesecurity/scamnailer.ndb
rsync://rsync.sanesecurity.net/sanesecurity/crdfam.clamav.hdb
rsync://rsync.sanesecurity.net/sanesecurity/porcupine.ndb
rsync://rsync.sanesecurity.net/sanesecurity/phishtank.ndb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_malware.hdb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_malware_links.ndb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_phish_complete.ndb
rsync://rsync.sanesecurity.net/sanesecurity/winnow.complex.patterns.ldb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_spam_complete.ndb
rsync://rsync.sanesecurity.net/sanesecurity/winnow.attachments.hdb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_extended_malware.hdb
rsync://rsync.sanesecurity.net/sanesecurity/winnow_bad_cw.hdb
rsync://rsync.sanesecurity.net/sanesecurity/foxhole_generic.cdb
rsync://rsync.sanesecurity.net/sanesecurity/foxhole_filename.cdb
rsync://rsync.sanesecurity.net/sanesecurity/malwarehash.cdb

HTH




Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-19 Thread Grayhat
:: On Tue, 18 Oct 2016 11:29:44 -0400
:: 
:: K Post  wrote:

> > I suppose that, since you're talking (ok, writing) about AFC, you're
> > running ClamAV; now... are you using the extra signatures available
> > from SaneSecurity ? I'm referring to
> >
> > http://sanesecurity.com/usage/signatures/

> We are using up to date clamav sigs.  The problem is that these files
> are encrypted so they're not being detected.

Ok for the sigs being up-to-date; but my point was about the "extra"
signatures offered by SaneSecurity, not the regular ones; I found that
the regular signatures are often "behind" while the ones offered by
SaneSecurity are faster to catch up, so my suggestion was to add those
signatures to your ClamAV scanner to help improve its efficiency; I've
been using a number of signatures from SaneSecurity along with the
regular clamav signatures and I found them to be quite effective at
blocking "junk" (spam, malware and so on); that's why I'm suggesting to
give them a spin



Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread Grayhat
:: On Tue, 18 Oct 2016 17:19:55 +0200
:: <20161018171955.3...@gmx.net>
:: Grayhat <gray...@gmx.net> wrote:

> :: On Tue, 18 Oct 2016 10:27:10 -0400
> :: <calhpkamx-umhq93g4pshni-xjs4doujhvhty7r1cywfkwtj...@mail.gmail.com>
> :: K Post <nntp.p...@gmail.com> wrote:
> 
> > VirusTotal has zero hits on the samples that I submitted, but if
> > they're encrypted, that explains why...  
> 
> I suppose that, since you're talking (ok, writing) about AFC, you're
> running ClamAV; now... are you using the extra signatures available
> from SaneSecurity ? I'm referring to
> 
> http://sanesecurity.com/usage/signatures/
> 
> to use them you'll need to schedule one of the update scripts
> available on Steve's (sanesecurity) site, depending on your OS, to
> ensure your ClamAV will also use updated "extra" signatures; then, in
> case the AV doesn't catch the critters, you may submit samples to
> Steve and he'll add signatures on the fly so that you'll have them
> available in a really short time :)

Forgot; since I'm at it, Thomas, if you're reading this, please have a
look at the script found here

http://sanesecurity.com/statistics/

I think it may be "added" to ASSP to generate AV stats ;-)



Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread Grayhat
:: On Tue, 18 Oct 2016 10:27:10 -0400
:: 
:: K Post  wrote:

> VirusTotal has zero hits on the samples that I submitted, but if
> they're encrypted, that explains why...

I suppose that, since you're talking (ok, writing) about AFC, you're
running ClamAV; now... are you using the extra signatures available
from SaneSecurity ? I'm referring to

http://sanesecurity.com/usage/signatures/

to use them you'll need to schedule one of the update scripts available
on Steve's (sanesecurity) site, depending on your OS, to ensure your
ClamAV will also use updated "extra" signatures; then, in case the AV
doesn't catch the critters, you may submit samples to Steve and he'll
add signatures on the fly so that you'll have them available in a
really short time :)




Re: [Assp-test] Inbound TLS from gmail.com addresses / servers

2016-08-02 Thread Grayhat
:: On Tue, 2 Aug 2016 18:02:25 +0200
:: 
:: Thomas Eckardt  wrote:

> I really don't know what I can do to fix up the SSL/TLS problems. 

Well, Thomas, if the OP agrees, you may make private contacts and
connect to his ASSP box to run some tests, maybe reproducing the issue
while "at the console" may allow you to see what's going on (just an
idea, and maybe a crazy one, but when everything else fails...)



Re: [Assp-test] Inbound TLS from gmail.com addresses / servers

2016-08-02 Thread Grayhat
:: On Mon, 1 Aug 2016 18:06:11 -0400
:: 

Re: [Assp-test] Very slow TLS sessions - Windows server

2016-06-09 Thread Grayhat
:: On Thu, 9 Jun 2016 17:27:28 +0200
:: <20160609172728.0...@gmx.net>
:: Grayhat <gray...@gmx.net> wrote:

> also, what OS are you running on ?

I mean windows version, btw; also, is the box also running an AV (other
than the ClamD used by ASSP) and if yes, which one ?




Re: [Assp-test] Very slow TLS sessions - Windows server

2016-06-09 Thread Grayhat
:: On Wed, 1 Jun 2016 22:55:00 -0400
:: 
:: K Post  wrote:

> Could this be the problem?  Is OpenSSL even used by ASSP for receiving
> email? I feel like it's not, but thought I'd put this out there.

What do you have in SSL_version and  SSL_cipher_list ?

If empty, try the following config

SSL_version SSLv23:!SSLv3:!SSLv2
SSL_cipher_list 
kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED

also, what OS are you running on ?



Re: [Assp-test] Couldn't upgrade to TLS for client

2016-06-03 Thread Grayhat
:: On Fri, 3 Jun 2016 12:29:01 +0200
:: <20160603122901.7...@gmx.net>
:: Grayhat <gray...@gmx.net> wrote:

> :: On Fri, 3 Jun 2016 10:17:58 +
> :: <5ad00d80569e0f4f9a12bbb01f00ee795a868...@bcsw-smx07.mymhp.net>
> :: Martin Voßloh <martin.voss...@mhp.com> wrote:
> 
> > Hi,
> >   
> > it´s possible that the entry is going wrong in this mail?
> > 
> > kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED
> > 
> > the "k" in front of some entrys?  
> 
> no, the "k" is correct, stands for "key exchange" and is accepted by
> OpenSSL w/o problems (also tried it with other apps using OpenSSL to
> implement SSL support)

notice that, using the above string, you'll offer the following ciphers

Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA   
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384  
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256  
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA 
Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA   
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256  
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256  
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA 
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  128 bits  ECDHE-RSA-RC4-SHA  
Accepted  TLSv1.2  128 bits  RC4-SHA
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA   
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA 
Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  TLSv1.1  256 bits  AES256-SHA
Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA   
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA 
Accepted  TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  128 bits  ECDHE-RSA-RC4-SHA  
Accepted  TLSv1.1  128 bits  RC4-SHA
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA   
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA 
Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  TLSv1.0  256 bits  AES256-SHA
Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA   
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA 
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  128 bits  ECDHE-RSA-RC4-SHA  
Accepted  TLSv1.0  128 bits  RC4-SHA

that's when using a normal certificate; if instead you have an ECDSA-enabled
certificate, you'll also offer the following ciphers in addition to
the above (and they will be preferred)

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256

as you see, the setup offers the stronger ciphers first while still
maintaining support for weaker, older ones as a last resort, which
helps maintaining compatibility with older clients




Re: [Assp-test] Couldn't upgrade to TLS for client

2016-06-03 Thread Grayhat
:: On Fri, 3 Jun 2016 10:17:58 +
:: <5ad00d80569e0f4f9a12bbb01f00ee795a868...@bcsw-smx07.mymhp.net>
:: Martin Voßloh  wrote:

> Hi,
> 
> it´s possible that the entry is going wrong in this mail?  
> 
> kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED
> 
> the "k" in front of some entrys?

no, the "k" is correct, stands for "key exchange" and is accepted by
OpenSSL w/o problems (also tried it with other apps using OpenSSL to
implement SSL support)




Re: [Assp-test] Couldn't upgrade to TLS for client

2016-06-03 Thread Grayhat
:: On Thu, 2 Jun 2016 11:55:38 +
:: <5ad00d80569e0f4f9a12bbb01f00ee795a865...@bcsw-smx07.mymhp.net>
:: Martin Voßloh  wrote:

> Hello,
> 
> I have very often this error in my logs:
> Jun-01-16 11:39:39 [Worker_5] Error: Couldn't upgrade to TLS for
> client XXX.XXX.XXX.XXX:
> 
> These settings I have for: SSL version used for transmission
> (SSL_version) SSLv23:!SSLv3:!SSLv2

first of all, try the following

DoTLS   do TLS
SSL_version SSLv23:!SSLv3:!SSLv2
SSL_cipher_list 
kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED

the above will give you a decent cipher suites combo offering strong
ciphers first but allowing to downgrade to weak ones in case the remote
client doesn't support the stronger ones; sure, you may still see some
"TLS" messages, but in such a case, those will probably come from very
old clients which don't support TLS and only support "SSLvX" (or from
bots trying to exploit the SSL bugs to extract infos), so just ignore
those errors :)



Re: [Assp-test] fixes in assp 2.5.2 build 16137

2016-05-18 Thread Grayhat
:: On Wed, 18 May 2016 09:37:39 +0200
:: <20160518093739.4...@gmx.net>
:: Grayhat <gray...@gmx.net> wrote:

> :: On Mon, 16 May 2016 17:25:00 +0200
> :: <titc.7944f04b18.off5af21ce.9dfbb52e-onc1257fb5.005468e1-c1257fb5.0054b...@thockar.com>
> :: Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> 
> > Hi all,
> > 
> > fixed in assp 2.5.2 build 16137:
> > 
> > - the termination reply, if 'preHeaderRe' matched, was send to the
> > wrong peer  
> 
> bug: connection debug files reappeared (debug folder) !

forgot, rolling back to 2.5.2 build 16134 solves the issue



Re: [Assp-test] fixes in assp 2.5.2 build 16137

2016-05-18 Thread Grayhat
:: On Mon, 16 May 2016 17:25:00 +0200
::

 ::
Thomas Eckardt  wrote:

> Hi all,
> 
> fixed in assp 2.5.2 build 16137:
> 
> - the termination reply, if 'preHeaderRe' matched, was send to the
> wrong peer

bug: connection debug files reappeared (debug folder) !



Re: [Assp-test] SSL wants a read first

2016-05-11 Thread Grayhat
:: On Wed, 11 May 2016 13:57:47 +0200
::

 ::
Thomas Eckardt  wrote:

> >Error: Worker_2 accept_SSL  SSL wants a read first  
> 
> Accept failes because there are data at the socket which have to be
> read first. But there is nobody who can read this data (without an
> accept) except the Net::SSLeay layer itself.
> IMHO the client sends a sequence that can't be processed by the SSL
> layer 
> - for example plain data.

Not sure these are related, but may be worth checking

https://github.com/libwww-perl/net-http/pull/11

https://www.mail-archive.com/openssl-users@openssl.org/msg74631.html




Re: [Assp-test] SSL wants a read first

2016-05-11 Thread Grayhat
:: On Wed, 11 May 2016 11:11:33 +0200
:: <2016051133.7...@gmx.net>
:: Grayhat <gray...@gmx.net> wrote:

> Just upgraded to the latest version and noticed a number of these
> messages appearing in the log (ok, dbgview) for different IPs

just to be clear, maybe the issue has been there for a while, I just
noticed it after upgrading but it may have been affecting previous
versions as well



[Assp-test] SSL wants a read first

2016-05-11 Thread Grayhat

Just upgraded to the latest version and noticed a number of these
messages appearing in the log (ok, dbgview) for different IPs

[5756] (ASSP): 2016-05-11 02:00:12 [Worker_2] Error: Worker_2 accept_SSL to 
client 192.0.2.0 failed IO::Socket::SSL=GLOB(0x3c3d38c4) (timeout: 10 s) : SSL 
wants a read first

I know that this issue surfaced time ago and was dealt with, but I
wonder if some of the latest changes cause the issue to resurface.



Re: [Assp-test] [request] AFC and rar archives

2016-05-09 Thread Grayhat
:: On Mon, 9 May 2016 14:14:20 +0200
:: 

Re: [Assp-test] [request] AFC and rar archives

2016-04-28 Thread Grayhat
:: On Thu, 28 Apr 2016 12:05:35 +0200
:: 
:: aquilinux  wrote:

> Hi Thomas, any chance in having assp processing rar archives?

well, in theory it should be possible (rar and 7z below)

http://search.cpan.org/dist/Compress-Deflate7/lib/Compress/Deflate7.pm

http://search.cpan.org/~jmbo/Archive-Rar-1.9/Rar.pm

in practice, I don't know if it may be worth it



Re: [Assp-test] TLS problems of connectivity?

2016-04-12 Thread Grayhat
:: On Tue, 12 Apr 2016 11:23:57 +0200
::

 ::
Thomas Eckardt  wrote:

> SSL_version:=SSLv2/3:!SSLv3:!SSLv2
> SSL_cipher_list:=DEFAULT:!aNULL:!RC4:!MD5

in case someone is interested, here's my config (watch the wrap)

DoTLS := do TLS
SSL_version := SSLv23:!SSLv3:!SSLv2
SSL_cipher_list :=
kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED

the above prioritizes strong ciphers while allowing a graceful fallback
to weaker ones to maintain support for obsolete clients; it's serving me
well and I feel like I can recommend it; the resulting ciphers offered
by ASSP with the above config will then be the following


Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384  
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256  
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256  
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256  
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA   
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA   
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA 
Accepted  TLSv1.2  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA 
Accepted  TLSv1.2  256 bits  AES256-SHA
Accepted  TLSv1.2  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.2  128 bits  AES128-SHA
Accepted  TLSv1.2  128 bits  ECDHE-RSA-RC4-SHA  
Accepted  TLSv1.2  128 bits  RC4-SHA
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA   
Accepted  TLSv1.1  128 bits  ECDHE-RSA-AES128-SHA   
Accepted  TLSv1.1  256 bits  DHE-RSA-AES256-SHA 
Accepted  TLSv1.1  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  TLSv1.1  128 bits  DHE-RSA-AES128-SHA 
Accepted  TLSv1.1  256 bits  AES256-SHA
Accepted  TLSv1.1  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.1  128 bits  AES128-SHA
Accepted  TLSv1.1  128 bits  ECDHE-RSA-RC4-SHA  
Accepted  TLSv1.1  128 bits  RC4-SHA
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA   
Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA   
Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA 
Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA
Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA 
Accepted  TLSv1.0  256 bits  AES256-SHA
Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.0  128 bits  ECDHE-RSA-RC4-SHA  
Accepted  TLSv1.0  128 bits  RC4-SHA

as you see, the ciphers allow falling back all the way down to RC4-SHA,
so allowing even really obsolete clients to connect over SSL; at the
same time, the preferred ciphers are the strongest ones offered, which
means that up-to-date clients will have strong security

HTH
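To see what a cipher string like the one above actually expands to on a given host before pasting it into SSL_cipher_list, here is an added example (not from the post and not ASSP code) that resolves the string through Python's ssl module, i.e. against the local OpenSSL build, and summarises the preferred suite, the legacy fallbacks and the suites without forward secrecy. The stricter comparison string STRICT_CIPHERS is an assumption of this example, not a recommendation from the thread, and the suites reported depend on the OpenSSL version installed.

```python
"""Audit an OpenSSL cipher string the way a mail admin would before using it.

Added example, not part of the original post or of ASSP.  It asks the local
OpenSSL (through Python's ssl module) which suites a string selects, so a
build without RC4 will simply not list it.
"""
import ssl

# The cipher string from the post above (TLS <= 1.2 suites).
POSTED_CIPHERS = (
    "kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES"
    ":!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED"
)
# Assumed stricter variant for comparison: forward-secret AEAD suites only.
STRICT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5"

# Substrings that mark a suite as a legacy fallback.
LEGACY_MARKERS = ("RC4", "3DES", "DES-CBC", "CAMELLIA", "SEED", "IDEA", "NULL", "MD5")


def expand_cipher_string(cipher_string):
    """Return the ordered TLS<=1.2 suite names the string selects on this host.

    OpenSSL resolves the string against its own cipher table, so this is the
    authoritative answer for this build.  TLS 1.3 suites are configured
    separately from the cipher string and are filtered out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_string(cipher_string):
    """Summarise the string: preferred suite, legacy suites, suites without
    forward secrecy (no ECDHE/DHE key exchange) and SHA-1 HMAC suites."""
    names = expand_cipher_string(cipher_string)
    return {
        "count": len(names),
        "preferred": names[0] if names else None,
        "legacy": [n for n in names if any(m in n for m in LEGACY_MARKERS)],
        "no_forward_secrecy": [n for n in names if not n.startswith(("ECDHE-", "DHE-"))],
        "sha1_mac": [n for n in names if n.endswith("-SHA")],
    }


if __name__ == "__main__":
    for label, s in (("posted", POSTED_CIPHERS), ("strict", STRICT_CIPHERS)):
        report = audit_cipher_string(s)
        print(f"{label}: {report['count']} suites, preferred {report['preferred']}")
        print(f"  legacy fallbacks: {report['legacy'] or 'none'}")
        print(f"  without forward secrecy: {len(report['no_forward_secrecy'])}")
        print(f"  SHA-1 HMAC: {len(report['sha1_mac'])}")
```

Running it on a current OpenSSL usually shows the posted string still preferring an ECDHE AES-GCM suite, while the RC4 fallback only appears if the library still carries RC4 at all; the strict string drops every fallback and every non-forward-secret suite, which is the trade-off the post describes from the other side.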



Re: [Assp-test] Opposite of Block Report

2016-02-19 Thread Grayhat
:: On Fri, 19 Feb 2016 09:59:58 -0500
:: 

Re: [Assp-test] Unable to run versions newer than 16018

2016-02-10 Thread Grayhat
:: On Wed, 10 Feb 2016 11:14:45 -0500
:: 
:: Scott MacLean  wrote:

> Any idea where I could start to try to figure out what is going on?

I'd try the following:

stop assp

remove the assp\sl-cache folder

run a 

ppm update --install

once the update completes run a

ppm log --errors 60

check for update errors, fix them and repeat the update; once done, start
assp from the command line and let it run that way; in case of
errors or crashes, you'll then see the full message(s) on the console








Re: [Assp-test] Connection issues

2016-01-21 Thread Grayhat
:: On Thu, 21 Jan 2016 11:20:23 +
:: 
:: cw  wrote:


> 2016-01-19 20:31:15 m1-35475-10020 [Worker_6] [TLS-in] 94.186.192.136
>  info: found message size announcement: 5.36 MByte

here the sender announces the message size

> Accepted 2016-01-19 20:31:16 m1-35475-10020 [Worker_6] [TLS-in]
> 94.186.192.136  to: recipi...@domain.tld [SMTP
> Reply] 354 Enter message, ending with "." on a line by itself

and here starts the DATA phase for the message

> 2016-01-20 04:08:24 m1-35475-10020 [Worker_6] [TLS-in] 94.186.192.136
>  to: recipi...@domain.tld info: 1 attachment found
> for Level-1
> 2016-01-20 04:08:24 m1-35475-10020 [Worker_6] [TLS-in] 94.186.192.136
>  to: recipi...@domain.tld message proxied without
> processing (no bad attachments)
> 2016-01-20 04:08:24 m1-35475-10020 [Worker_6] [TLS-in] [MessageOK]
> 94.186.192.136  to: recipi...@domain.tld message
> ok - (noProcessing - message size (5623467) is above 512000 (npSize))
> - [KFI] -> /usr/local/assp/store/okmail/KFI--1513900.eml

then ASSP stores the message w/o problems

> 2016-01-20 04:08:24 m1-35475-10020 [Worker_6] [TLS-in] 94.186.192.136
>  to: recipi...@domain.tld info: received all data
> - all data moved to send queue (8)

all ok till now, but then ...

> 2016-01-20 04:08:25 m1-35475-10020 [Worker_6] [TLS-in] 94.186.192.136
>  to: recipi...@domain.tld info: no (more) data
> readable from 94.186.192.136 (connection closed by peer) - last
> command was 'DATA'

here seems to lie the problem: it sounds like the remote end isn't sending
a QUIT command as it should, so ASSP keeps waiting for further commands
from the remote end and keeps the connection active even if idle; then,
after some time, the remote end decides to close the connection; now,
I'm just shooting in the dark here, but ... does your SMTP server offer
the "PIPELINE" option? If so, it may be possible that the sender sees
and uses it; in such a case the sender will send the DATA command
followed by the dot and the QUIT command in a single swoop, and I wonder
if ASSP handles this properly
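The pipelining hypothesis above, traced through in code as an added example (not ASSP code): a toy server-side SMTP command reader is fed a constructed session in which the client sends the message body, the terminating dot and QUIT in one TCP segment. With `keep_leftover=False` the reader reproduces the suspected behaviour, treating the rest of the segment as part of the finished message, so the QUIT is never seen and the server sits waiting until the client closes; with the leftover bytes kept, QUIT is processed normally. Session bytes and host names are constructed for this example.

```python
"""Toy server-side SMTP command reader illustrating a pipelined QUIT after DATA.

Added example, not ASSP code.  A client that uses PIPELINING may send the
end-of-data dot and QUIT in one segment; a reader that discards "the rest
of the segment" after the dot silently loses the QUIT and then waits for a
command that never arrives.
"""

CRLF = b"\r\n"
EOD = CRLF + b"." + CRLF      # <CRLF>.<CRLF> ends the DATA phase


class SmtpCommandReader:
    """Consumes client bytes and records (verb, argument) events."""

    def __init__(self, keep_leftover=True):
        self.buf = b""
        self.keep_leftover = keep_leftover  # False reproduces the suspected bug
        self.in_data = False
        self.closed = False
        self.events = []

    def feed(self, segment):
        """Feed one TCP segment; it may carry several pipelined commands."""
        self.buf += segment
        while self.buf and not self.closed:
            if self.in_data:
                if not self._consume_message():
                    return                  # terminator not received yet
                continue
            if CRLF not in self.buf:
                return                      # partial command line, wait
            line, _, self.buf = self.buf.partition(CRLF)
            verb, _, arg = line.decode("ascii", "replace").partition(" ")
            verb = verb.upper()
            if verb == "DATA":
                self.in_data = True         # a real server answers 354 here
            elif verb == "QUIT":
                self.events.append(("QUIT", None))
                self.closed = True          # a real server answers 221 and closes
            else:
                self.events.append((verb, arg))

    def _consume_message(self):
        """Cut the message body at <CRLF>.<CRLF>; return False if incomplete."""
        if self.buf.startswith(b"." + CRLF):    # empty body
            idx, end = 0, 3
        else:
            idx = self.buf.find(EOD)
            if idx < 0:
                return False
            end = idx + len(EOD)
        self.events.append(("DATA", self.buf[:idx]))   # dot-unstuffing omitted
        self.in_data = False
        # Correct: whatever follows the dot is the next command (e.g. QUIT).
        # Buggy: throw the remainder of the segment away with the message.
        self.buf = self.buf[end:] if self.keep_leftover else b""
        return True


def run_session(segments, keep_leftover=True):
    reader = SmtpCommandReader(keep_leftover)
    for seg in segments:
        if reader.closed:
            break
        reader.feed(seg)
    return reader


def verbs(reader):
    return [verb for verb, _ in reader.events]


# Constructed sessions.  In the pipelined one the client sends the message,
# the terminating dot and QUIT without waiting for the 250 in between.
PIPELINED_SESSION = [
    b"EHLO mx.example.test\r\n",
    b"MAIL FROM:<sender@example.test>\r\nRCPT TO:<rcpt@example.test>\r\nDATA\r\n",
    b"Subject: hello\r\n\r\nbody line\r\n.\r\nQUIT\r\n",
]
SEQUENTIAL_SESSION = PIPELINED_SESSION[:2] + [
    b"Subject: hello\r\n\r\nbody line\r\n.\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for name, segs in (("pipelined", PIPELINED_SESSION), ("sequential", SEQUENTIAL_SESSION)):
        for keep in (True, False):
            r = run_session(segs, keep)
            print(f"{name:10} keep_leftover={keep!s:5} events={verbs(r)} closed={r.closed}")
```

The sequential session behaves identically under both readers, which is why the problem would only show up with senders that pipeline; the "no (more) data readable ... last command was 'DATA'" log line quoted above is exactly what the buggy reader produces, since from its point of view the last command it ever parsed was DATA.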



Re: [Assp-test] ASSP version 2.4.7(16004) :: MainLoop WebTraffic start

2016-01-09 Thread grayhat
It was Fri, 8 Jan 2016 17:21:21 +0100 when
Thomas Eckardt  wrote:

> Does the same happens using http ?

just a note; since previous versions of ASSP didn't allow the use of
HTTPS, in some cases I used stunnel https://www.stunnel.org to set up
things so that ASSP was/is listening over SSL; the whole setup is easy
and quick and can also be used to reach other stuff running on the box

;)



Re: [Assp-test] Logs not rolling

2015-12-28 Thread grayhat
It was Mon, 28 Dec 2015 12:46:12 +0100 when
Thomas Eckardt  wrote:

> The only reason I can see for this is a online filesystem virus
> scanner (defender, MSE, ), that is locking the just closed
> maillog.txt. Define a scan exception rule for the 'assp/logs' folder.

Or, even better, exclude the whole ASSP folder from AV checks; as
you know, Thomas, ASSP may (and probably will) store "phish" and other
nasty stuff (including viruses if configured to do so) to use them for
the corpus, so an AV scan may delete that stuff and that won't do any
good to ASSP; so it's better to exclude the whole ASSP folder from scans and
let ASSP work as it was designed :) sure, from time to time, one may
schedule a scan (no removal, just check and signal) on the folder just
to ensure things are ok, but aside from that, better to leave it alone




Re: [Assp-test] fixes in assp 2.4.6 build 15312

2015-11-09 Thread Grayhat
:: On Mon, 9 Nov 2015 12:36:00 +0100
:: <20151109123600.3...@gmx.net>
:: Grayhat <gray...@gmx.net> wrote:


> No, ok, seriously, sounds like Thomas fixed it with #15313; as for the
> feature, the idea is to attempt protecting the mail system from bots
> attempting to abuse stolen credentials to pump out spam; ASSP already
> has a rate limiter which helps detecting "mass mailing", slowing them
> down and alerting the admin but, till now, ASSP had no way to deal
> with a flock of bots with a bunch of different IPs authenticating
> using some stolen credentials and sending (say) 1 or 2 messages each;
> both issues can now be taken care of using the new feature :)

hmmm... maybe I'm wrong, but after a quick eyeball at the code it
sounds like "$AUTHUserIPfrequency" only works with *FAILED* auth
attempts while, to be effective, it should work with *successful* ones,
so that, if a given user account gets successful authentication from a
number of different IPs in less than a given time T, then we could
assume that the account got compromised and is being abused by bots;
but the above makes sense only if the check is performed on *valid*
auths, not on errors





Re: [Assp-test] fixes in assp 2.4.6 build 15312

2015-11-09 Thread Grayhat
:: On Sun, 8 Nov 2015 12:09:34 -0500
:: 
:: Scott MacLean  wrote:

> This sounds like a great feature, but as soon as I turned it on (I
> used 3 600), EVERY user attempting to send email, even those
> connecting for the first time (including myself) were blocked with a
> 4.7.1, and subsequent attempts got them added to PBBlack as well. I
> had to turn it off and clean out recent entries to PBBlack to get
> things back on track.

well, at least it works, doesn't it :D ?

No, ok, seriously, sounds like Thomas fixed it with #15313; as for the
feature, the idea is to attempt protecting the mail system from bots
attempting to abuse stolen credentials to pump out spam; ASSP already
has a rate limiter which helps detecting "mass mailing", slowing them
down and alerting the admin but, till now, ASSP had no way to deal with
a flock of bots with a bunch of different IPs authenticating using some
stolen credentials and sending (say) 1 or 2 messages each; both issues
can now be taken care of using the new feature :)




Re: [Assp-test] fixes in assp 2.4.6 build 15312

2015-11-09 Thread Grayhat
:: On Mon, 9 Nov 2015 12:36:00 +0100
:: <20151109123600.3...@gmx.net>
:: Grayhat <gray...@gmx.net> wrote:

> No, ok, seriously, sounds like Thomas fixed it with #15313; as for the
> feature, the idea is to attempt protecting the mail system from bots
> attempting to abuse stolen credentials to pump out spam; ASSP already
> has a rate limiter which helps detecting "mass mailing", slowing them
> down and alerting the admin but, till now, ASSP had no way to deal
> with a flock of bots with a bunch of different IPs authenticating
> using some stolen credentials and sending (say) 1 or 2 messages each;
> both issues can now be taken care of using the new feature :)

forgot, as for the notify, one may want to add the following to the
"NotifyRe"

warning: too many recipients
too many authentication attempts

to get notifications for both the rate limiter *and* the new auth IP
checker, this could allow mail admins to be quickly alerted about
possible outbound spamruns and/or compromised accounts




Re: [Assp-test] Possible auth bug

2015-10-17 Thread grayhat
It was Fri, 16 Oct 2015 10:12:49 +0200 when
Thomas Eckardt  wrote:

> offering PLAIN and discard it - is an admin config mistake
> doing PLAIN if it is not offered - is a client fault and will be
> counted doing wrong authentication - is a client fault and will be
> counted

the server offers (and accepts) both PLAIN and LOGIN, but for some
reason, the client is failing the PLAIN one (which works, tested it)
 
> no no no  :) ! Seems you had a bad night and you need a very
> strong coffee this morning :):):)
> Yeah Andrea - I also suffer on the shorter and shorter daylight.

LOL ... yeah, that's an issue, I must admit it :) !

Anyhow, will keep an eye on the reported (by a couple of users) issue and
if possible (and if it repeats) send you a copy of the logs just to let
you see what I'm seeing; as you wrote, I always thought the mechanism was
set up to reset the failcount at the first successful login, but this,
apparently, doesn't seem to be the case; I'll need to fathom it a bit
and, if I won't find a way out, try having another couple of eyes on the
issue in case it may be a bug :)




[Assp-test] Possible auth bug

2015-10-16 Thread Grayhat

I'm running the latest version of ASSP and I've possibly spotted a bug;
some clients try authenticating with "PLAIN" login, fail, retry using
the "LOGIN" mechanism and succeed, here's a log snippet

info: authentication - plain is used
info: authentication (PLAIN) realms - foruser:u...@domain.xyz, 
user:u...@domain.xyz
[SMTP Error] 535 Authentication failed. Restarting authentication process.
info: authentication - login is used
info: authentication (LOGIN) realms - user:u...@domain.xyz
authenticated to 192.0.2.1

now, the problem is that (apparently) after the successful
authentication ASSP does not reset the "failed login count" for the
sending IP, so, if the client sends a number of messages, after a while
ASSP locks out the IP due to "too many auth failures"; now this sounds
like a bug to me, since, after the IP successfully authenticates, its
"fail count" should be reset to zero

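The two auth-tracking behaviours discussed in this thread and in the "fixes in assp 2.4.6 build 15312" thread above, written out as an added example (not ASSP's AUTHUserIPfrequency code): a per-IP failure counter that a successful login resets, so a client that fails PLAIN and then succeeds with LOGIN never reaches the lockout threshold, and a velocity check that counts *successful* logins per account from distinct IPs inside a window T, which is what catches shared stolen credentials while a failed-only check stays blind to them. The log format, every log line and the thresholds (3 failures, 600 s window, 3 IPs) are constructed for this example.

```python
"""Per-IP failure counter with reset on success, plus per-account login
velocity over distinct source IPs.  Added example, not ASSP's implementation;
the log format and all lines below are constructed."""
import re
from collections import defaultdict, deque

# Constructed log format: "<epoch> <client-ip> auth <ok|fail> <account>"
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>[\d.]+) auth (?P<result>ok|fail) (?P<user>\S+)$")


class AuthTracker:
    def __init__(self, max_failures=3, window_secs=600, max_ips_per_user=3,
                 reset_on_success=True):
        self.max_failures = max_failures
        self.window = window_secs
        self.max_ips = max_ips_per_user
        self.reset_on_success = reset_on_success
        self.failures = defaultdict(int)      # ip -> failed attempts so far
        self.logins = defaultdict(deque)      # user -> (ts, ip) of recent successes
        self.flagged_users = set()            # alert once per account
        self.alerts = []                      # (ts, kind, subject, detail)

    def observe(self, line):
        m = LINE_RE.match(line)
        if not m:
            return                            # not an auth line, ignore
        ts, ip, user = int(m["ts"]), m["ip"], m["user"]
        if m["result"] == "fail":
            self.failures[ip] += 1
            if self.failures[ip] == self.max_failures:
                self.alerts.append((ts, "ip_lockout", ip,
                                    f"{self.max_failures} failed auths"))
            return
        if self.reset_on_success:
            # A successful login clears the IP's counter, so failing PLAIN and
            # then succeeding with LOGIN does not accumulate across messages.
            self.failures[ip] = 0
        recent = self.logins[user]
        recent.append((ts, ip))
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()                  # slide the window
        distinct_ips = {src for _, src in recent}
        if len(distinct_ips) > self.max_ips and user not in self.flagged_users:
            self.flagged_users.add(user)
            self.alerts.append((ts, "account_velocity", user,
                                f"{len(distinct_ips)} IPs within {self.window}s"))


def run_tracker(lines, **settings):
    tracker = AuthTracker(**settings)
    for line in lines:
        tracker.observe(line)
    return tracker.alerts


# Constructed scenarios.
# 1. One client fails PLAIN, then succeeds with LOGIN, for each message it sends.
PLAIN_THEN_LOGIN = [line for i in range(5) for line in (
    f"{1000 + 60 * i} 192.0.2.10 auth fail alice@example.test",
    f"{1001 + 60 * i} 192.0.2.10 auth ok alice@example.test")]
# 2. One account logs in successfully from five different IPs within minutes.
SHARED_CREDENTIALS = [f"{2000 + 30 * i} 198.51.100.{i + 1} auth ok bob@example.test"
                      for i in range(5)]
# 3. Eight IPs each fail once against one account: no successes, so the
#    velocity check stays quiet and no single IP reaches the lockout count.
FAILED_ONLY = [f"{3000 + 5 * i} 203.0.113.{i + 1} auth fail carol@example.test"
               for i in range(8)]

if __name__ == "__main__":
    print("reset on success :", run_tracker(PLAIN_THEN_LOGIN))
    print("no reset         :", run_tracker(PLAIN_THEN_LOGIN, reset_on_success=False))
    print("shared credential:", run_tracker(SHARED_CREDENTIALS))
    print("failed only      :", run_tracker(FAILED_ONLY))
```

Scenario 1 shows the difference the reset makes: without it the same legitimate client is locked out on its third message. Scenario 3 shows why the velocity check has to look at successful logins, as argued above: a failed-only counter keyed by IP sees nothing unusual there, and a failed-only counter keyed by account would only ever measure the guessing, not the abuse of a credential that already works.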


Re: [Assp-test] Don't to DNSBL for a from domain

2015-10-08 Thread Grayhat
:: On Thu, 8 Oct 2015 11:23:49 -0400
:: 

Re: [Assp-test] BUG? DNS Server Rotation 15255

2015-09-18 Thread Grayhat
:: On Fri, 18 Sep 2015 17:46:12 +0200
:: <20150918174612.6...@gmx.net>
:: Grayhat <gray...@gmx.net> wrote:

> :: On Fri, 18 Sep 2015 11:39:06 -0400
> ::
> 

Re: [Assp-test] BUG? DNS Server Rotation 15255

2015-09-18 Thread Grayhat
:: On Fri, 18 Sep 2015 11:39:06 -0400
:: 

Re: [Assp-test] error: RWL check failed : send: Bad file descriptor

2015-09-16 Thread Grayhat
:: On Wed, 16 Sep 2015 09:04:55 -0400
:: 

Re: [Assp-test] SURBL changes

2015-08-12 Thread grayhat
It was Tue, 11 Aug 2015 08:47:55 +0200 when
Thomas Eckardt thomas.ecka...@thockar.com wrote:

> Thank you for the information -Tom. At this time I'm unable to use
> these very nice new features of SURBL in assp. Implementing them in
> the current URIBL-code, will make the code too complex.
> The current code has to be redesigned, or a new code and logic must
> be written for SURBL.
> I'll put it on the TODO list.

A possible tweak may be writing an ASSP module to deal with SURBL



Re: [Assp-test] Public suffixes (TLDs) list

2015-07-23 Thread Grayhat
:: On Thu, 23 Jul 2015 15:00:06 +0200
:: 20150723150006.2...@gmx.net
:: Grayhat gray...@gmx.net wrote:

 
> Not sure ASSP needs it, but in case, here's the main site
> 
> https://publicsuffix.org/
> 
> and here's the list
> 
> https://publicsuffix.org/list/public_suffix_list.dat
> 
> notice that it's used by (e.g.) Mozilla and others to find out
> TLDs; also notice that the file uses some particular syntax, so some
> records may contain stuff like *.tld or !prefix.tld; not a real
> problem, but better knowing it; anyhow, the list contains all the TLDs
> including the double ones and is constantly updated.

also, and since ASSP is written in Perl

https://github.com/usrflo/registered-domain-libs/

:)



[Assp-test] Public suffixes (TLDs) list

2015-07-23 Thread Grayhat

Not sure ASSP needs it, but in case, here's the main site

https://publicsuffix.org/

and here's the list

https://publicsuffix.org/list/public_suffix_list.dat

notice that it's used by (e.g.) Mozilla and others to find out
TLDs; also notice that the file uses some particular syntax, so some
records may contain stuff like *.tld or !prefix.tld; not a real
problem, but better knowing it; anyhow, the list contains all the TLDs
including the double ones and is constantly updated.

HTH
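The two special record forms mentioned above (wildcard `*.tld` and exception `!prefix.tld`) are what make naive "last two labels" logic wrong, so here is the Public Suffix List matching algorithm as an added example (not ASSP code, not the registered-domain-libs code linked in the reply). It embeds a constructed excerpt of the list in the file's own syntax so that it runs offline; for real use, load the downloaded public_suffix_list.dat into `parse_psl` instead.

```python
"""Registrable-domain lookup with Public Suffix List rules, including
wildcard (*.tld) and exception (!prefix.tld) records.

Added example, not ASSP code.  SAMPLE_PSL is a constructed excerpt in the
list's own syntax; feed parse_psl() the real public_suffix_list.dat for use.
"""

SAMPLE_PSL = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
github.io
// ===END PRIVATE DOMAINS===
"""


def parse_psl(text):
    """Return a list of (labels, is_exception) rules; comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        exception = line.startswith("!")
        rules.append((line.lstrip("!").split("."), exception))
    return rules


def _rule_matches(rule_labels, domain_labels):
    """A rule matches when its labels equal the domain's trailing labels;
    '*' matches any single label."""
    if len(rule_labels) > len(domain_labels):
        return False
    return all(r == "*" or r == d
               for r, d in zip(reversed(rule_labels), reversed(domain_labels)))


def public_suffix(domain, rules):
    """Public suffix per the PSL algorithm: exception rule wins, else the
    matching rule with the most labels, else the implicit '*' rule."""
    labels = domain.lower().rstrip(".").split(".")
    matches = [rule for rule in rules if _rule_matches(rule[0], labels)]
    if not matches:
        rule_labels, exception = ["*"], False
    else:
        exceptions = [rule for rule in matches if rule[1]]
        rule_labels, exception = exceptions[0] if exceptions else max(
            matches, key=lambda rule: len(rule[0]))
    if exception:
        rule_labels = rule_labels[1:]     # exception: drop the leftmost label
    return ".".join(labels[-len(rule_labels):])


def registrable_domain(domain, rules):
    """Public suffix plus one label, or None if the name is itself a suffix."""
    labels = domain.lower().rstrip(".").split(".")
    n = len(public_suffix(domain, rules).split("."))
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def same_registrable_domain(a, b, rules):
    """True when two names belong to the same registrant, e.g. a mail host
    and its bare domain; useful when comparing sender domains in a filter."""
    ra, rb = registrable_domain(a, rules), registrable_domain(b, rules)
    return ra is not None and ra == rb


if __name__ == "__main__":
    rules = parse_psl(SAMPLE_PSL)
    for name in ("foo.bar.co.uk", "www.ck", "a.b.c.ck", "mail.example.com", "foo.github.io"):
        print(f"{name:18} suffix={public_suffix(name, rules):8} registrable={registrable_domain(name, rules)}")
```

The `ck` cases show why the special syntax matters: `*.ck` makes every second-level `.ck` name a public suffix, so `b.c.ck` is the registrable domain of `a.b.c.ck`, while the `!www.ck` exception pulls `www.ck` back to being an ordinary registrable domain. The `github.io` rule, from the list's private section, is the kind of entry that stops two unrelated tenants of one hosting provider from being treated as the same sender.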



Re: [Assp-test] fixes in assp 2.4.4 build 15130

2015-05-11 Thread Grayhat
:: On Sun, 10 May 2015 22:54:08 -0400
:: CALhpkAkJ83fODX8sO9h8EHYrs6Ev=oozgitp7zngrqqznkb...@mail.gmail.com
:: K Post nntp.p...@gmail.com wrote:

> example:
> 63.249.66.210 SenderBase: status=not classified, data=US, CRUZIO,
> cruzio.com, , Y, 19, changedetection.com
> SO GREAT that it shows the changedetection.com hostname in the
> analyze gui now, but it's not matching my whitelist, because the
> domain of cruzio.com takes priority.  If only ASSP would look to the
> hostname as well, regardless of if there's a domain listed, we'd be
> golden.

the purpose of the senderbase queries is different; it's used to find
the IP *owner* country (as opposed to the IP country: a big player may
use IPs spread all over the globe but be based in country XX) and the
owner information; when it comes to IPs and domain/host names we have
DNS lists and URI lists... and sincerely it seems to me that you are
missing the inner workings of ASSP; see, the code uses a layered check
approach where each bit and piece contributes to the scoring; my humble
suggestion is to try reading the archives of this list and/or looking
at the ASSP source code




Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread Grayhat
:: On Thu, 7 May 2015 14:35:35 -0400
:: calhpkamvo4yb2h2wsmywmpjzuwphzec_inrygywmggcgkw8...@mail.gmail.com
:: K Post nntp.p...@gmail.com wrote:

> However, an nslookup for the txt record only shows
> 38.100.169.66.query.senderbase.org  text =
> 
> 0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|53=US|54=-97.3972|55=32.7807

reverse the IP, luke

dig +short 66.169.100.38.query.senderbase.org. TXT

0-0=1|1=COGENT COMMUNICATIONS|2=7.7|3=7.7|6=0|7=317|8=24457518|9=49497|20=mta602.e.delta.com|22=Y|40=4.9|41=4.7|43=4.7|44=9.7|45=N|46=21|48=24|53=US|54=-97.0|55=38.0

or, using nslookup

nslookup -type=TXT 66.169.100.38.query.senderbase.org.

but the result will be the same; the org_name (1) will be COGENT and
the hostname (20) mta602.e.delta.com while the country (53) is US; for
further details about the results, see here

http://cpansearch.perl.org/src/JOENIO/Net-SenderBase-1.02/lib/Net/SenderBase/Results.pm





Re: [Assp-test] Feature Idea: DMARC aggregate reporting parsing?

2015-05-05 Thread Grayhat
:: On Mon, 4 May 2015 12:47:33 -0400
:: CALhpkA=NgD+KSyNOuncxzfOWKmpHb+ai=q2r3emxwnnc9dv...@mail.gmail.com
:: K Post nntp.p...@gmail.com wrote:

> Yeah, a chuckle (and I hope that didn't come across as mean spirited
> or anything - certainly wasn't intended that way - I just gave a
> chuckle, because it's more of a yeah right - that'll never be
> approved type of situation - I didn't mean it as a comment on you in
> any way)
> 
> The problem is that dmarcian's free service doesn't have much in the
> way of reporting and doesn't have any email alerts.  Their pay
> service sounds terrific, but that's just not a possibility here.  So,
> I was hoping to see ASSP handle some of this for us.  It appears
> that it's already able to send the aggregated XML reports to the dmarc
> addresses per domain, so I'm wondering if it's reasonable to extend
> ASSP to parse those xml reports that come inbound.  Do you think that
> would be a useful feature?

I see... but then, if I'm not wrong, the codebase over which the
dmarcian site has been built is open source, so nobody forbids you (or
whoever else, for that matter) to pick the very same code and build your own
DMARC parsing and reporting app; and no, I don't think that building
such a feature inside ASSP would be a good idea; ASSP is (and I hope
will remain) a mail (SMTP) filter, and trying to add to it features which are
outside of its purpose may negatively impact its primary one



Re: [Assp-test] Senderbase not always matching domain

2015-05-05 Thread Grayhat
:: On Tue, 5 May 2015 10:42:12 -0400
:: CALhpkA=j9zy3y8tpmgwyn2f6oosn5k578e2vtv1yp_brobj...@mail.gmail.com
:: K Post nntp.p...@gmail.com wrote:

> Take Delta Airlines for example.  They send a message from
> 38.100.169.66
> 
> Looking at senderbase:
> http://www.senderbase.org/lookup/?search_string=38.100.169.66
> I get
> Hostname mta602.e.delta.com
> Domain  Help e.delta.com
> Network Owner  Help Cogent Communications

http://www.senderbase.org/lookup/ip/?search_string=38.100.169.66

:)



Re: [Assp-test] Senderbase not always matching domain

2015-05-05 Thread Grayhat
:: On Tue, 5 May 2015 11:22:07 -0400
:: CALhpkAnP1_EObYXMgfduF7smppj82gPx1=tbtp+vpsq0xlj...@mail.gmail.com
:: K Post nntp.p...@gmail.com wrote:

> > Sorry Greyhat, you lost me.  What does this show different from
> > what I was saying?   Maybe I wasn't clear.
> When I pull up the analyze interface in assp it shows only Cogent,
> doesn't show e.delta.com, so it's not a match to my regex, and
> thereby doesn't get the whitesenderorg bonus.

yeah, you're right, it's a strange behavior; I wonder if ASSP is using
the /24 instead of the IP (didn't check the code) ...

> And here's another issue I'm seeing with Senderbase:
> 
> 12.130.137.89 snapfish.4...@envfrm.rsys2.com to: u...@ourcharity.org
> DKIM-Signature found

and here ASSP says that the message contains a DKIM signature

> 12.130.137.89 snapfish.4...@envfrm.rsys2.com to: u...@ourcharity.org
> info: domain emails.snapfish.com has published a DMARC record

and that the sending MTA domain (emails...) publishes a DMARC record

http://www.senderbase.org/lookup/?search_string=12.130.137.89

> [MissingMX] 12.130.137.89 snapfish.4...@envfrm.rsys2.com to:
> u...@ourcharity.org [scoring] MX missing: emails.snapfish.com
> 12.130.137.89 snapfish.4...@envfrm.rsys2.com to: u...@ourcharity.org
> Message-Score: added 10 (mxValencePB) for MX missing:
> emails.snapfish.com, total score for this message is now 10

wrong, the domain has two MX records, that is

MX 10 imh.rsys2.net.
MX 20 imh2.rsys2.net.

> 12.130.137.89 snapfish.4...@envfrm.rsys2.com to:
> u...@ourcharity.org HMM Check [scoring] - Prob: 1.0 = spam
> 12.130.137.89 snapfish.4...@envfrm.rsys2.com to: u...@ourcharity.org
> Message-Score: added 49 for HMM Probability: 1., total score for
> this message is now 59

ok sounds like HMM isn't properly trained, let's skip this one for the
moment ...

> The from IP in the Responsys network, and I've got that network
> whitelisted in my senderbasewhite org config.  I've got senderbase
> set to score. Senderbase logging is set to normal.

here's what senderbase replies when queried (over DNS) for that IP

IP address   : 12.130.137.89
version  : 1
org_name : RESPONSYS
org_daily_magnitude  : 7.3
org_monthly_magnitude: 7.2
org_first_message: 0
org_domains_count: 3
org_ip_controlled_count  : 5640
org_ip_used_count: 2889
hostname : omp.emails.snapfish.com
hostname_matches_ip  : Y
ip_daily_magnitude   : 4.1
ip_monthly_magnitude : 4.7
ip_average_magnitude : 4.8
ip_30_day_volume_percent : 7.8
ip_in_bonded_sender  : N
ip_cidr_range: 12.130.136.0/22
undocumented #48 : 24
ip_country   : US
ip_longitude : -97.0
ip_latitude  : 38.0

so, yes, the ASSP org check should match that RESPONSYS if you placed
it in whiteorg

 
> In the ASSP analyze interface, it shows a WHITE match (as it should)
> 12.130.137.89 SenderBase: status=white SenderBase,
> data=US, RESPONSYS, , , Y, 22
> but where's the senderbase line in the log?

good point but I've no answer, sounds like you found a bug
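The reversed-IP query and the pipe-separated answer shown in the "reverse the IP" reply earlier in this thread, together with the labelled field list above, as an added example (not ASSP code): it builds the query name, decodes a TXT answer into named fields using the field numbers from the Net/SenderBase/Results.pm mapping cited earlier, derives the CIDR range from field 46, and runs an org-or-hostname whitelist check. The sample answer is a copy of the record quoted for 38.100.169.66, no live DNS query is made, and `matches_white_org` is a hypothetical stand-in for ASSP's own whiteSenderBase matching, written to test the hostname as well as the org name, which is what the "matching domain" complaint earlier in the thread asks for.

```python
"""SenderBase reversed-IP query name, TXT answer decoding and an org/hostname
whitelist check.  Added example, not ASSP code; the field numbers follow the
Net::SenderBase::Results mapping cited in the thread, SAMPLE_TXT is a copy of
the record quoted for 38.100.169.66, and no DNS query is performed."""
import ipaddress
import re

SENDERBASE_ZONE = "query.senderbase.org."

# Field number -> name, from the labelled output quoted in the thread.
FIELD_NAMES = {
    "0-0": "version",
    "1": "org_name",
    "2": "org_daily_magnitude",
    "3": "org_monthly_magnitude",
    "6": "org_first_message",
    "7": "org_domains_count",
    "8": "org_ip_controlled_count",
    "9": "org_ip_used_count",
    "20": "hostname",
    "22": "hostname_matches_ip",
    "40": "ip_daily_magnitude",
    "41": "ip_monthly_magnitude",
    "43": "ip_average_magnitude",
    "44": "ip_30_day_volume_percent",
    "45": "ip_in_bonded_sender",
    "46": "ip_cidr_prefix_len",
    "53": "ip_country",
    "54": "ip_longitude",
    "55": "ip_latitude",
}

# Copy of the TXT answer quoted in the thread for 38.100.169.66 (unwrapped).
SAMPLE_TXT = ("0-0=1|1=COGENT COMMUNICATIONS|2=7.7|3=7.7|6=0|7=317|8=24457518"
              "|9=49497|20=mta602.e.delta.com|22=Y|40=4.9|41=4.7|43=4.7|44=9.7"
              "|45=N|46=21|48=24|53=US|54=-97.0|55=38.0")


def query_name(ip):
    """38.100.169.66 -> 66.169.100.38.query.senderbase.org. (octets reversed)."""
    addr = ipaddress.IPv4Address(ip)          # rejects anything but an IPv4 literal
    return ".".join(reversed(str(addr).split("."))) + "." + SENDERBASE_ZONE


def parse_senderbase_txt(ip, txt):
    """Decode 'key=value|key=value|...' into a dict keyed by field name;
    fields without a known name are kept as field_<number>."""
    record = {"ip": ip}
    for item in txt.split("|"):
        key, sep, value = item.partition("=")
        if not sep:
            continue                          # malformed item, skip it
        record[FIELD_NAMES.get(key, f"field_{key}")] = value
    if "ip_cidr_prefix_len" in record:
        net = ipaddress.ip_network(f"{ip}/{record['ip_cidr_prefix_len']}", strict=False)
        record["ip_cidr_range"] = str(net)
    return record


def matches_white_org(record, patterns):
    """Hypothetical whitelist test: try each regex against the org name *and*
    the hostname, so a listed host is honoured even when the network owner
    is a hosting provider."""
    candidates = [record.get("org_name", ""), record.get("hostname", "")]
    return any(re.search(p, c, re.IGNORECASE)
               for p in patterns for c in candidates if c)


if __name__ == "__main__":
    ip = "38.100.169.66"
    print("query:", query_name(ip))
    rec = parse_senderbase_txt(ip, SAMPLE_TXT)
    for key, value in rec.items():
        print(f"{key:26}: {value}")
    print("white (host rule):", matches_white_org(rec, [r"\.e\.delta\.com$"]))
```

With the Delta record, a rule written for the hostname (`\.e\.delta\.com$`) matches even though the org name is COGENT, which is the behaviour the earlier complaint wanted; a rule written for the org name alone (`^RESPONSYS$`) correctly does not match this record. Field 48 has no name in the quoted mapping and is kept as `field_48`.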




Re: [Assp-test] Feature Idea: DMARC aggregate reporting parsing?

2015-05-04 Thread Grayhat
:: On Sat, 2 May 2015 18:56:45 -0400
:: CALhpkAma-LHYogv95zH4SoqQEFdSEJanfn52E=flxxvbthy...@mail.gmail.com
:: K Post nntp.p...@gmail.com wrote:

> I'm loving the idea of DMARC.  We've been getting reports for a couple
> different .org domains.  The problem is that they need to be parsed
> manually.
> 
> Any chance that ASSP could intercept DMARC reports (aggregate and
> failure reports), extract the xml from the zip and simply toss the
> results into a database?
> 
> Do you think people would find this useful.  Failure reports will help
> identify what servers are sending mail as us that shouldn't be.
> Aggregate will give us a good idea of the volume of email that's
> going to each of the providers who send reports.  Would be terrific
> to be able to see stats and specifics per domain.
> 
> Certainly not a critical feature...
> 
> Thoughts?

yes, have a look here https://dmarcian.com/get_started/ :)



Re: [Assp-test] Feature Idea: DMARC aggregate reporting parsing?

2015-05-04 Thread Grayhat
:: On Mon, 4 May 2015 11:36:22 -0400
:: CALhpkA=5pxi9xM7rrP-gO3guwN5LkEd_UTdubf=L=fdkkue...@mail.gmail.com
:: K Post nntp.p...@gmail.com wrote:

> On Mon, May 4, 2015 at 2:28 AM, Grayhat gray...@gmx.net wrote:
> 
> > yes, have a look here https://dmarcian.com/get_started/ :)
> 
> Thanks for the chuckle grayhat!  Ah, the joys of a virtually no IT
> budget charity.

Chuckle ? Well, you asked for some kind of tool to parse DMARC reports
and draw some eye candy and the above has what you asked for, just look
at the domain lifter

https://dmarcian.com/domain_lifter/

the basic account is free and you can automatically reroute (or
forward) your DMARC reports to them so that they'll be automagically
parsed :P





Re: [Assp-test] Prevent certain domains to be used with amiguous origin (as anti-phishing)

2015-03-24 Thread Grayhat
:: On Tue, 24 Mar 2015 14:06:29 +0100
:: zarafa.55116155.be48.464ae5f7799bf59d@zarafa-server.mirmana.local
:: Jean-Pierre van Melis j...@mirmana.com wrote:

> coming from banks that are local in my country. Some of these banks
> use SPF-records and I've set all these domains to convert these
> SPF-records to strict.
> 
> This isn't enough because these spammers are now using
> envelope-addresses and they are not scanned for SPF (well they
> shouldn't be)

uh... SPF *does* check the envelope FROM! It doesn't check the MIME part
of the message, but that's by design; sure, one may decide to implement
SenderID and the so-called PRA mechanism

https://tools.ietf.org/html/rfc4407

but sincerely I'm not sure it would bring advantages and, for sure, it
may cause a whole lot of false positives :P




Re: [Assp-test] fixes in assp 2.4.4 build 15067

2015-03-09 Thread Grayhat
:: On Mon, 9 Mar 2015 06:37:32 +0100
::
titc.75106d84be.offee15045.c8f559d7-onc1257e03.001cdd31-c1257e03.001ee...@thockar.com
 ::
Thomas Eckardt thomas.ecka...@thockar.com wrote:

> The concept of the central RDB (for HMM and Bayesian) backend is not
> fast enough to process several hundred thousands or million mails a
> day. If 100.000 mails have to be processed with HMM and/or Bayesian
> in a day, this will lead in to 6.000.000 - 60.000.000 SQL queries a
> day (only for HMM).
> What DB engine (cluster) is able to do this? And this is only the
> average calculation - what about the peaks?

Hmmm... MongoDB :) ? Or maybe some other NoSQL DB; the problem is that
the code would need to be extensively modified to use them

http://kkovacs.eu/cassandra-vs-mongodb-vs-couchdb-vs-redis





Re: [Assp-test] fixes in assp 2.4.4 build 15067

2015-03-08 Thread grayhat
It was Sun, 8 Mar 2015 13:38:51 +0100 when
Thomas Eckardt thomas.ecka...@thockar.com wrote:


>> Such a setup requires an enormous and expensive amount of hardware
>> resources, a very high knowledge in


does this mean that if one upgrades ASSP it will not work anymore due
to system constraints ?



Re: [Assp-test] Net::SMTP::SSL Broken

2015-03-02 Thread Grayhat
:: On Fri, 27 Feb 2015 22:14:43 +
:: sig.2500180832.54f0ec53.6070...@gmail.com
:: Colin colin.war...@gmail.com wrote:

> This isn't an ASSP bug, but a heads up to anyone building a new
> system. As it turns out, apparently Net::SMTP::SSL hasn't been
> updated in many years. Recent changes in libnet (post 1.27) mean that
> Net::SMTP::SSL will no longer pass build tests.

Noticed that, lately my ASSP logs an error in the moduleloaderrors
logfile about the fact that it can't load Net::SMTP::SSL, yet the SSL
and TLS support are working just fine, so I suspect this isn't a big
issue



Re: [Assp-test] Changing to MySQL

2014-12-29 Thread grayhat
It was Sun, 28 Dec 2014 16:50:22 -0500 when
Trevor Jacques tre...@videlicet.com wrote:


>> 27-Dec-2014 22:26:34 [Worker_1] Delaydb database error:
>> TIEHASH: Can't open dbi:mysql:database=assp;host=127.0.0.1, Can't
>> connect to MySQL server on '127.0.0.1' (61) at assp.pl line 8259
>> thread 1.

First of all, ensure to run ASSP from console, that is NOT as a daemon
but as a regular, manually started process; this way you'll be able to
see messages on the console (and errors too), next, did you try
enabling the MySQL logging (and increasing its level) to check MySQL
logs and try seeing if there's some MySQL side error ?

Did you check if the DB and tables needed by ASSP have been correctly
created (even if not populated) ? In case, have a look here (check the
MySQL related portion of the instructions)

http://wiki.linuxservertech.com/index.php?action=artikelcat=16id=20artlang=en

Also, and as a final note; when migrating from flat files or BDB to
MySQL it would be a good idea disabling SMTP so that ASSP will have all
the time to import data into the DB tables




Re: [Assp-test] Changing to MySQL

2014-12-29 Thread grayhat
It was Mon, 29 Dec 2014 08:59:15 +0100 when
Thomas Eckardt thomas.ecka...@thockar.com wrote:

> Can't connect to MySQL server on '127.0.0.1'
> MySQL-Server: my.ini - max_connections=800  (very old assp versions
> may require this)
>
> assp.pl diff: 2.1.2(11329) - 2.4.4(14355)
>
> 4500 changed lines
> 14000 missing lines
>
> :-( :-( :-(

I suspect it may be a very good idea upgrading to the latest version of
ASSP, sure, it may/will require time and effort, but for sure it will
solve a number of issues and ensure to have all the latest patches and
improvements :)



Re: [Assp-test] Changing to MySQL

2014-12-29 Thread grayhat
It was Mon, 29 Dec 2014 07:18:56 -0500 when
Trevor Jacques tre...@videlicet.com wrote:

> Understood, but:
>
>> The version of asap is the latest that my server config can run,...
>
> I'm not yet in a position to change that configuration. It's an old
> box. :-/  All other indications are that using a db should work with
> this set up.

ok Trevor, try the following; setup a virtual machine (VMWare, Virtual
Box, whatever floats your boat), install the OS which you have/need,
next install all the other bits and pieces along with MySQL and, by the
way, the latest ASSP with all the needed modules and stuff, at that
point, your VM image may be uploaded/used onto whatever hoster and in
the mean time you will still have your current box/setup running :)



Re: [Assp-test] Changing to MySQL

2014-12-29 Thread grayhat
It was Mon, 29 Dec 2014 09:36:48 -0500 when
Trevor Jacques tre...@videlicet.com wrote:

>> microseconds 29-Dec-2014 07:34:01 [Worker_1] Delaydb database
>> error: TIEHASH: Can't open dbi:mysql:database=assp;host=127.0.0.1,
>> Can't connect to MySQL server on '127.0.0.1' (61) at assp.pl line

try editing the hosts file, add something like mysql.assp.local
there pointing the entry to 127.0.0.1, then change the ASSP setup to
use mysql.assp.local as the DB server (and before doing so, check
that such a host is working from [say] cmdline mysql)




Re: [Assp-test] SMTP AUTH Failure Logging FEATURE REQUEST

2014-12-29 Thread grayhat
It was Sat, 27 Dec 2014 04:03:40 -0800 when
Mr. Courtney Creighton a...@dezignguy.com wrote:

> Mr. Courtney Creighton wrote on 12/27/2014 1:17 AM:
>> So, I'd like to ask if it's possible to add additional logging info
>> so that ASSP can log the SMTP AUTH attempts in a manner to
>> distinguish failures?
>
> Well, I've got a workaround for now... with some adjustments to my
> settings, I can look for the line when ASSP triggers on MaxAUTHErrors
> (lowered my setting), and my logscanner can then pass that IP to the
> firewall.
>
> Blocked 119.29.xx.xx - too many AUTH errors (2)
>
> Still, it might be nice to know just how many AUTH attempts are
> failing, and not just when they reach the MaxAUTHErrors threshold.

2 attempts in the above case :)

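Added example, not code from the thread or from ASSP: the log-scanner side of the workaround Courtney describes, as a POSIX sh script that pulls the IPs out of ASSP's "Blocked <ip> - too many AUTH errors (n)" lines, counts repeat offenders, and hands them to a firewall action kept as a dry run. The log lines and IPs are constructed samples (documentation address ranges), and the threshold and the iptables rule are assumptions to adapt to your own setup.

```shell
#!/bin/sh
# Added example (not ASSP code): turn ASSP's MaxAUTHErrors log lines into a
# list of source IPs for the firewall. Only the "Blocked ... too many AUTH
# errors" line is parsed, which is the line the thread's workaround keys on.

# Constructed sample maillog, not a real capture (203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are documentation ranges).
SAMPLE_LOG='Dec-27-14 04:01:12 [Worker_1] 203.0.113.45 info: got AUTH request
Dec-27-14 04:01:13 [Worker_1] Blocked 203.0.113.45 - too many AUTH errors (2)
Dec-27-14 04:02:40 [Worker_2] Blocked 198.51.100.7 - too many AUTH errors (2)
Dec-27-14 04:03:05 [Worker_1] Blocked 203.0.113.45 - too many AUTH errors (2)
Dec-27-14 04:03:50 [Worker_1] 192.0.2.9 info: got STARTTLS request'

# auth_blocked_ips: read log lines on stdin and print "ip<TAB>times", one line
# per IP that hit MaxAUTHErrors, sorted by IP. Counting repeated blocks of the
# same IP separates a source that keeps coming back from a one-off.
auth_blocked_ips() {
    sed -n 's/.*Blocked \([0-9][0-9.]*\) - too many AUTH errors ([0-9]*).*/\1/p' |
        sort | uniq -c |
        awk '{ printf "%s\t%s\n", $2, $1 }'
}

# ban_candidates MIN: keep only the IPs blocked at least MIN times
# (stdin is the output of auth_blocked_ips). MIN is an assumed threshold.
ban_candidates() {
    awk -v min="$1" '$2 >= min { print $1 }'
}

# firewall_ban IP: what the logscanner would hand to the firewall. Kept as a
# dry run (it only prints the rule) so the script is safe to run anywhere;
# replace the echo with the real command for your firewall.
firewall_ban() {
    echo "would run: iptables -I INPUT -s $1 -j DROP"
}

# main: run the whole pipeline over the constructed log with a threshold of 2.
main() {
    printf '%s\n' "$SAMPLE_LOG" | auth_blocked_ips | ban_candidates 2 |
        while read -r ip; do firewall_ban "$ip"; done
}

main
```

In production, feed the live maillog to auth_blocked_ips instead of SAMPLE_LOG (tail -F piped in works) and raise the threshold to whatever your tolerance for repeat blocks is.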


Re: [Assp-test] Changing to MySQL

2014-12-29 Thread grayhat
It was Mon, 29 Dec 2014 10:04:03 -0500 when
Trevor Jacques tre...@videlicet.com wrote:

 
>> try the following; setup a virtual machine ...install the OS which
>> you have/need,
>
> One can't do that with OS X Server Leopard. :-(  I have to find a way

Hmmm... sounds like using VirtualBox and a couple tricks it should be
possible

http://lifehacker.com/5583650/run-mac-os-x-in-virtualbox-on-windows

> to get assp to work in the current environment, or just leave it
> using files for databases.

or you may move ASSP to a separate box/instance :)





[Assp-test] Question about TLS

2014-12-22 Thread Grayhat

First of all, the config; ASSP SSL is configured as follows

DoTLS = do TLS
SSL_version = TLSv1
SSL_cipher_list = HIGH:!LOW:@STRENGTH

so basically the SSL configuration isn't so strict (for the sake of
testing I left the cipher list quite relaxed); now the problem: using
openssl I tested the ASSP as follows:

openssl s_client -connect my.assp.xyz:25

openssl s_client -starttls smtp -connect my.assp.xyz:25

both the above work without problems, they report that the connection
is encrypted and that the used protocol is TLSv1... but then, if I try
the following

openssl s_client -starttls smtp -tls1_1 -connect my.assp.xyz:25

openssl s_client -starttls smtp -tls1_2 -connect my.assp.xyz:25

in both cases the result is a failure; now... why is ASSP only
supporting TLSv1 and not 1.1 and 1.2 ?




Re: [Assp-test] Question about TLS

2014-12-22 Thread Grayhat
:: On Mon, 22 Dec 2014 12:02:48 +0100
::
titc.9433ab725d.of306905e4.80bd1da5-onc1257db6.003ae7d5-c1257db6.003ca...@thockar.com
 ::
Thomas Eckardt thomas.ecka...@thockar.com wrote:

> Net::SSLeay

C:\> ppm s Net-SSLeay
1: Net-SSLeay
   Perl extension for using OpenSSL (1.0.1j)
   Version: 1.66
   Author: Maintained by Mike McCauley and Florian Ragwitz since
November 2005 Repo: bribes.org
   CPAN: http://search.cpan.org/dist/Net-SSLeay-1.66/
   Installed: 1.66 (site)
   Installed: 1.52 (perl)

sounds like the installed version should support TLS1.1 and 1.2 but
judging from the openssl tests I ran this doesn't seem to be the case;
I wonder if that version difference between site and perl may be
the source of the issue (not sure what it means)



Re: [Assp-test] Question about TLS

2014-12-22 Thread Grayhat
:: On Mon, 22 Dec 2014 12:22:10 +0100
::
titc.6433be3d22.ofa02dfcab.80f8e04f-onc1257db6.003e277c-c1257db6.003e7...@thockar.com
 ::
Thomas Eckardt thomas.ecka...@thockar.com wrote:

> Sets the version of the SSL protocol used to transmit data.
> 'SSLv23' uses a handshake compatible with SSL2.0, SSL3.0 and TLS1.x,
> while 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_1' or 'TLSv1_2' restrict
> handshake and protocol to the specified version.

I tried entering

SSLv23:!SSLv3:!SSLv2

in SSL_version but ASSP refuses the above popping up an invalid
cipher message :( ... solved it by entering the following string

SSLv2/3:!SSLv2:!SSLv3

which in effect disables SSL while allowing TLS 1.0 and up so now,
connections on port 25 are accepted in clear or using STARTTLS which
is exactly what I needed; thanks.



Re: [Assp-test] fixes in assp 2.4.4 build 14355

2014-12-21 Thread grayhat
It was Sun, 21 Dec 2014 17:56:12 +0100 when
ObiWan an...@gmx.net wrote:

> It was Sun, 21 Dec 2014 16:05:10 +0100 when
> Thomas Eckardt thomas.ecka...@thockar.com wrote:
>
>> Hi all,
>>
>> fixed in assp 2.4.4 build 14355:
>>
>> - the 'Received:' header line parser in the analyzer code was not
>> working correct in every case
>
> Not sure it's related, but I didn't notice this problem with previous
> version:
>
> [2544] (ASSP): 2014-12-21 08:53:32 [Worker_1] Downloading
> griplist.conf via direct HTTP connection
>
> [2544] (ASSP): 2014-12-21 08:53:32 [Worker_1] AdminInfo:
> griplist.conf download failed: 500 write failed: Bad file descriptor
>
> [2544] (ASSP): 2014-12-21 08:53:32 [Worker_1] Downloading
> Griplist via direct HTTP connection
>
> [2544] (ASSP): 2014-12-21 08:53:33 [Worker_1] AdminInfo: Griplist
> download failed: 500 write failed: Bad file descriptor
>
> [2544] (ASSP): 2014-12-21 08:53:33 [Worker_1] Info: next Griplist
> download in 1 hour 40 mins
>
> while after upgrading to 14355 I noticed the above in the log

same issue with blocklist and other lists :( (oh and there's enough
free space on disk)



Re: [Assp-test] fixes in assp 2.4.4 build 14355

2014-12-21 Thread grayhat
It was Sun, 21 Dec 2014 18:13:34 +0100 when
grayhat gray...@gmx.net wrote:

> same issue with blocklist and other lists :( (oh and there's enough
> free space on disk)

sounds like it's unrelated; rolled back to previous version and the
issue remains, same error riplist download failed: 500 write failed:
Bad file descriptor also, while I was checking the logs I also found
this error in the log

error: Couldn't upgrade to TLS for client 146.101.78.103: SSL accept
attempt failed error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number

so... what should I do to solve the griplist/blocklist errors and... is
the above SSL error a transient one or something I'll need to somewhat
fix (and how) ?



Re: [Assp-test] Google drops NoTLS?

2014-12-11 Thread Grayhat
:: On Thu, 11 Dec 2014 14:55:31 +0100
:: 028501d0154a$210e68a0$632b39e0$@scandinavianhosting.se
:: Pontus Hellgren pon...@scandinavianhosting.se wrote:

> Hi there!
>
> Got some people complaining about not getting mail from domains
> hosted at googles mailservers.
>
> Dec-11-14 14:44:24 [Worker_1] 209.85.214.182 info: got STARTTLS
> request from 209.85.214.182
> Dec-11-14 14:44:24 [Worker_1] 209.85.214.182 [SMTP Error] 502 command
> not implemented
> Dec-11-14 14:44:24 [Worker_1] Disconnected: session:AA61610
> 209.85.214.182 - processing time 1 seconds

hmmm... why don't you just configure your ASSP to act as a TLS proxy ?
I suspect that your mail server is offering TLS but ASSP isn't
configured to deal with it, so the Goog tries to use TLS and getting
a 5xx error just does what the RFCs say, that is, generates an NDR.

If your backend SMTP server doesn't support TLS it may be a good idea
to configure doTLS to do TLS and, by the way, to add the needed
certificates to ASSP.

On a second thought... not sure about it, probably Thomas may shed some
light... let's suppose the backend SMTP server is configured to do TLS
and offers a 250-STARTTLS to the EHLO command, now, let's also say
that ASSP doTLS is set to drop TLS; in such a case, the sender will
see a Hey, I support TLS message but when it tries to use TLS, ASSP
will drop it and emit an error... if that's the case then the issue is
related to ASSP which will need to eat the STARTTLS offer emitted by
the server... although, sincerely, I think the real issue is due to a
wrong setup, not to the ASSP code :P


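Added example, not from the thread or from ASSP, covering both the openssl s_client version tests in the "Question about TLS" thread above and the STARTTLS-then-502 situation in this one: a POSIX sh script that checks whether an SMTP front end advertises STARTTLS in its EHLO reply and which TLS versions its STARTTLS handshake actually accepts. The EHLO reply and the two s_client outputs are constructed samples; the live probe assumes the openssl CLI and a netcat that forwards stdin and exits at EOF.

```shell
#!/bin/sh
# Added example (not ASSP code): verify on the wire what the SMTP front end
# offers. Two questions from these threads: does the EHLO reply carry
# 250-STARTTLS at all (a sender that sees it and then gets a 5xx on STARTTLS
# will bounce), and which TLS versions does the STARTTLS handshake accept
# (SSL_version = SSLv2/3:!SSLv2:!SSLv3 in ASSP should leave TLS 1.0 and up).

# Constructed EHLO reply (not a real capture).
SAMPLE_EHLO='220 mx.example.test ESMTP
250-mx.example.test
250-SIZE 52428800
250-STARTTLS
250 HELP'

# Constructed "openssl s_client" output for an accepted handshake. Older
# OpenSSL prints "New, TLSv1/SSLv3" for every TLS 1.x, so the exact version
# is read from the SSL-Session "Protocol" line, not from the "New," line.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Constructed output for a refused version: the Protocol line still shows the
# version the client tried, so the cipher is what tells success from failure.
SAMPLE_FAIL='CONNECTED(00000003)
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
---
no peer certificate available
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'

# ehlo_offers_starttls: read an EHLO reply on stdin; exit 0 when a
# "250-STARTTLS" (or final "250 STARTTLS") capability line is present.
ehlo_offers_starttls() {
    grep -qi '^250[- ]STARTTLS'
}

# negotiated_protocol: read s_client output on stdin and print the protocol
# that was really negotiated ("TLSv1.2", ...), or "none" if no session was
# set up (cipher reported as (NONE)).
negotiated_protocol() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        printf 'none\n'
    else
        printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\(.*\)$/\1/p' | head -n 1
    fi
}

# starttls_advertised HOST [PORT]: live EHLO check (assumes a netcat that
# forwards stdin and exits at EOF; -w 5 is the connect/idle timeout).
starttls_advertised() {
    printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-25}" | ehlo_offers_starttls
}

# probe_smtp_tls HOST [PORT]: repeat the thread's openssl tests for each
# version flag and print "flag<TAB>result". A flag the local openssl does not
# know (e.g. -tls1_3 on old builds) simply shows up as "none".
probe_smtp_tls() {
    host=$1; port=${2:-25}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(openssl s_client -starttls smtp -connect "$host:$port" $flag </dev/null 2>&1)
        printf '%s\t%s\n' "$flag" "$(printf '%s\n' "$out" | negotiated_protocol)"
    done
}

# Live use against the host from the thread:
#   starttls_advertised my.assp.xyz 25 && echo "STARTTLS offered"
#   probe_smtp_tls my.assp.xyz 25
```

When the EHLO check succeeds but every probe line reads "none", the front end is advertising a capability it cannot complete, which is the pattern behind the 502 in the log above.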


Re: [Assp-test] Google drops NoTLS?

2014-12-11 Thread Grayhat
:: On Thu, 11 Dec 2014 22:50:05 +0100
:: 009a01d0158c$6ce8b860$46ba2920$@scandinavianhosting.se
:: Pontus Hellgren pon...@scandinavianhosting.se wrote:

> Thanx for all info!
>
> ASSP was set to proxy TLS but I guess I have some work to do on the
> MTA and ASSP because the chain of delivery is not working as I would
> like it to do. I do want assp to check all mail so I will try and
> make assp make use of the MTAs certificate.
> For now I will have to live with ASSP and no TLS, because clearly
> the MTA is not doing TLS right.
>
> Thanks for a great program and a Great forum.

if you want to use TLS you'll need to install on ASSP the same
certificate(s) you're using for your MTA, next, set ASSP to do TLS
this way, ASSP will deal with the TLS negotiation *and* will be able to
see the incoming email in clear so being able to filter it



Re: [Assp-test] fixes in assp 2.4.4 build 14295

2014-10-22 Thread Grayhat
:: On Wed, 22 Oct 2014 14:42:58 +0200
::
titc.03729f3878.ofcd7ece66.f480b515-onc1257d79.0045488a-c1257d79.0045d...@thockar.com
 ::
Thomas Eckardt thomas.ecka...@thockar.com wrote:

> 'FileLogScan','Scan Stored Files for Virus with FileScan'
> 'If virus check is enabled ( DoFileScan ), every file/mail in the
> 'resendmail' (except reports) folder and

Thomas... why don't you change this feature to some kind of stored
mail scan; that is, if the flag is enabled, ASSP may queue received
mails into some list, then a separate, background thread will call
the ClamAV scanner to scan each file and, if needed, quarantine it (as
a note the quarantine folder may be used during spamcorpus rebuild :D)




Re: [Assp-test] fixes in assp 2.4.4 build 14295

2014-10-22 Thread Grayhat
:: On Wed, 22 Oct 2014 14:49:43 +0200
:: 20141022144943.0...@gmx.net
:: Grayhat gray...@gmx.net wrote:

> Thomas... why don't you change this feature to some kind of stored
> mail scan; that is, if the flag is enabled, ASSP may queue received
> mails into some list, then a separate, background thread will call
> the ClamAV scanner to scan each file and, if needed, quarantine it (as
> a note the quarantine folder may be used during spamcorpus rebuild :D)

to explain it better, ASSP will save files as it does, but it will also
queue names so that the worker handling the scan will extract them from
the queue and scan them; this will avoid the need of separately
scanning them *and* may allow placing a notice in the spamreport which
will show infected :)




Re: [Assp-test] fixes in assp 2.4.4 build 14295

2014-10-22 Thread Grayhat
:: On Wed, 22 Oct 2014 15:09:47 +0200
::
titc.6372c6e693.of581c4ccf.bef7cd3e-onc1257d79.00471ba1-c1257d79.00484...@thockar.com
 ::
Thomas Eckardt thomas.ecka...@thockar.com wrote:

> How ever, assp has to make sure, that no other assp process is able
> to access the file before it was scanned - so, a long term queue
> (anytime queue) is not an option.

thinking loud:

store the file in a separate scan folder, then the scanner process
will decide where to move it (regular storage or quarantine); this way
only the scanner will know where the file is :)

As for using a regular thread or an high one... I wonder why you aren't
spawning another thread just for this task; all in all it will run only
if this scan is enabled :)



Re: [Assp-test] fixes in assp 2.4.4 build 14295

2014-10-22 Thread Grayhat
:: On Wed, 22 Oct 2014 16:03:05 +0200
::
titc.5372cf6baa.of7b87b0fb.218efdb5-onc1257d79.004a1b98-c1257d79.004d2...@thockar.com
 ::
Thomas Eckardt thomas.ecka...@thockar.com wrote:


> used by the rebuildspamdb to make the spam detection more accurate.
> Only the resend is dangerous - an infected file should not (never) be
> resent.

uhm... well, in general I'd agree, but think about AV false
positives; in such cases having the ability to get the email may be
quite useful :)



Re: [Assp-test] Whitelisted Domain | still getting blocked by DNSBL

2014-10-10 Thread Grayhat
:: On Thu, 2 Oct 2014 07:57:27 +
:: 998763f529fc47b793af998c7c7b1cba@GTIEXMB02.ghobash.local
:: Nadeem Abdulla nadeem.abdu...@abaninvestment.com wrote:

> 172.29.1.106

The above IP is a PRIVATE, unroutable one; see

http://en.wikipedia.org/wiki/Private_network

for details; if that's the IP you're trying to whitelist and if it's
reaching your ASSP over a public internet connection then you have some
big networking problem



Re: [Assp-test] Running ASSP with MS Exchange?

2014-09-24 Thread Grayhat
:: On Mon, 22 Sep 2014 19:47:22 +
:: 5ccb67a6fa6f8244bed9f1a68b59fec00198148...@newman.corp.necomm.com
:: Jay Tarbox jtar...@necomm.com wrote:

> I've been running it with Exchange for years now.  The way I do it is
> - Exchange is configured with an outbound smarthost which is the
> relay port of ASSP.
>
> ASSP has a relay host of a.b.c.d:55587 pointing back at the IP of
> Exchange server.  This allows ASSP to see email that's gone out, so
> as to whitelist and allow a response.
>
> I have installed IIS's SMTP engine in the Exchange server which
> listens on 55587, then sends email out to the internet.
>
> Inbound, I simply have ASSP pointed at Exchange, port 25 as the SMTP
> destination.

just some notes; I prefer having the IIS SMTP running on the ASSP box
so that outbound emails don't go back to the backend server; same goes
for the DB, the ASSP box also runs the DB engine (whatever you choose
to setup) used to store all the needed infos




Re: [Assp-test] fixes in assp 2.4.4 build 14253

2014-09-11 Thread Grayhat
 
>> may fetch the notes and email them to the admin
>
> Joining any of the available assp user mailinglists solves this
> problem :):):)
> the 'Notify' feature will do it , if configured this way  - eg.
> something like: Info: autoupdate: new assp\.pl\.gz
> downloaded=ad...@mydomain.org
>
> If someone doesn't enable  'AutoUpdateASSP' and hasn't joined any of
> the assp user mailinglists , I assume that he/she is not interested
> in any further information about assp.

I know :) but then, often, your short emails announcing new/updated
versions are more informative than the whatsnew that's why I asked,
then, sure, whoever runs the beta should join this list but the real
point is that one may miss some announcements (for a reason or another)
so having them included into the hey admin, there's new version email
could be useful imHo :)



Re: [Assp-test] fixes in assp 2.4.4 build 14253

2014-09-10 Thread Grayhat
:: On Wed, 10 Sep 2014 07:29:23 +0200
::
titc.0330ce0a1a.ofd73851c5.b7a19be5-onc1257d4f.001d6340-c1257d4f.001e2...@thockar.com
 ::
Thomas Eckardt thomas.ecka...@thockar.com wrote:

> Hi all,
>
> fixed in assp 2.4.4 build 14253:
>
> - the fix for invalid UTF8 data in build 14250 was too strict and has
> possibly destroyed mail data

Thanks Thomas; just a note/request, given that ASSP can alert the admin
about available updates, what about placing the release notes (the same
you email here) on the server so that upon checking for a new version,
ASSP may fetch the notes and email them to the admin along with the
notice of the new available version ? 



Re: [Assp-test] New installation ASSP

2014-06-10 Thread Grayhat
:: On Tue, 10 Jun 2014 14:17:49 +0200
::
ofe2777f5c.4eb81c38-onc1257cf3.0041552b-c1257cf3.00438...@dometic.se ::
Anders Westin anders.wes...@dometic.com wrote:

 
> Today:
> I'm running two linux servers:
>
> Server 1: (MX weight 10), it's on this server I run Rebuild SpamDb
> dist:( 2.6.32-5-686-bigmem (Debian 2.6.32-39squeeze1))
> Mysql
> ASSP
> Bind
>
> Server 2: (MX weight 20)
> dist:( 2.6.32-5-686-bigmem (Debian 2.6.32-39squeeze1))
> ASSP
> Bind
>
> Tomorrow:
> I'm planning at least three servers one DB server and two ASSP
> machines:

First of all, why don't you use VMs :) ? Then... if you're planning to
use 3 boxes (virtual or not) consider using unbound in place of Bind
as the DNS resolver (see http://www.unbound.net/), you may then
consider running RBLDNSD (http://www.corpit.ru/mjt/rbldnsd.html) on the
DB box so that you'll be able to both run your own blacklists or keep a
local copy of external DNSBLs



Re: [Assp-test] New installation ASSP

2014-06-10 Thread Grayhat
:: On Tue, 10 Jun 2014 15:41:36 +0200
::
of06006753.84cf443d-onc1257cf3.004ab36a-c1257cf3.004b3...@dometic.se ::
Anders Westin anders.wes...@dometic.com wrote:

> Hi Grayhat
>
> Of course I run them virtual
> thanks for the tip of unbound and local RBL

oh, you're welcome; as for unbound, for further configuration tips and
ideas, have a look at https://calomel.org/unbound_dns.html the site has
some quite interesting tips ;)



[Assp-test] Perl and HeartBleed

2014-04-10 Thread Grayhat

Folks, not sure you followed the latest security issue regarding
OpenSSL, if you didn't, have a look here

http://heartbleed.com/

http://filippo.io/Heartbleed/

https://github.com/FiloSottile/Heartbleed

basically, the issue is due to a bug affecting the *whole* OpenSSL
1.0.0x series and causing the libs to disclose data; now, patching is a
need, not an option, but what about ASSP ? See, if you try looking at
the Perl folder (e.g. ActivePerl on 2k8) you'll find a bunch of OpenSSL
DLLs spread around inside a number of different folders... so, HOW do
you patch that beast so that ASSP is *not* vulnerable ?
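
An added example (my code, not Grayhat's and not part of ASSP) for the first half of that question, finding every copy before patching: the script walks a directory tree, hashes each file named like an OpenSSL 1.0.x Windows library (libeay32.dll, ssleay32.dll) and groups the copies by digest, so identical copies and divergent builds are told apart. The demo tree it creates is constructed for the run; point inventory() at the real Perl folder instead.

```python
"""Inventory the OpenSSL DLL copies under a Perl tree (added example)."""
import hashlib
import os
import tempfile
from collections import defaultdict

# OpenSSL 1.0.x ships on Windows as these two libraries; names are matched
# case-insensitively because Windows filesystems are.
OPENSSL_LIB_NAMES = {"libeay32.dll", "ssleay32.dll"}


def sha256_of(path, chunk=1 << 16):
    """Hex SHA-256 of a file, read in chunks so a large DLL needs no RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory(root):
    """Walk `root` and return {sha256: [paths]} for every OpenSSL DLL found.

    Several paths under one digest are identical copies: one patched build
    replaces them all. Several digests are divergent builds, each of which
    has to be checked (and patched) on its own.
    """
    found = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in OPENSSL_LIB_NAMES:
                path = os.path.join(dirpath, name)
                found[sha256_of(path)].append(path)
    return dict(found)


def summarize(root):
    """Return (DLL files found, distinct builds) under `root`."""
    inv = inventory(root)
    return sum(len(paths) for paths in inv.values()), len(inv)


def build_demo_tree():
    """Create a constructed, Perl-like directory tree for the demo and return
    its root. Layout and file contents are made up for illustration; this is
    not a real ActivePerl layout."""
    root = tempfile.mkdtemp(prefix="perl-demo-")
    layout = {
        "bin/libeay32.dll": b"build-A",
        "site/lib/auto/Net/SSLeay/libeay32.dll": b"build-A",  # identical copy
        "lib/auto/Crypt/SSLeay/LIBEAY32.DLL": b"build-B",     # divergent build
        "bin/ssleay32.dll": b"build-A-ssl",
        "bin/perl.exe": b"not an ssl lib",                    # must be ignored
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for digest, paths in inventory(demo_root).items():
        print(f"{digest[:16]}  {len(paths)} file(s)")
        for p in paths:
            print("    ", os.path.relpath(p, demo_root))
```

Two paths under one digest are the same build and can be replaced together; a second digest is a separate build that needs its own check. The script does not read the OpenSSL version out of a DLL; compare the digests against those of the patched download instead.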




Re: [Assp-test] fixes in assp 2.4.2 build 14092

2014-04-04 Thread Grayhat
:: On Fri, 4 Apr 2014 17:26:20 +1100
:: 3f0c3797-6756-4e57-9577-ad7b56281...@bordo.com.au
:: James Brown jlbr...@bordo.com.au wrote:

> Looks like it is still happening under Mac OS X:
> 
> Apr-04-14 01:01:11 [Worker_10001] Warning: got unexpected signal SEGV
> in Worker_10001: package - main, file - sub main::BayesWordClean,
> line - 11!
> 
> ASSP version 2.4.2(14092)
> 
> I know what you are going to say about Perl versions! (I’m just too
> scared to upgrade in case it breaks things!)

All I can say is that I upgraded to 5.16 without too much hassle; as a
note, a good way to run such upgrades is running ASSP inside a
dedicated VM; in such a case you may just clone the VM, upgrade Perl
and the modules and once everything will be ok, update the corpus of
the new VM with the one from the live ASSP and then swap the VMs;
notice though that in my case I just upgraded the current ASSP Perl in
place w/o doing the above (the above is just a suggestion to help
running the upgrade in safe mode)





Re: [Assp-test] DKIM spam

2014-03-14 Thread Grayhat
:: On Fri, 14 Mar 2014 13:51:37 -
:: sig.91501147d0.01cf3f8c$85a7ed20$90f7c760$@lanternhosting.co.uk
:: Colin Waring co...@lanternhosting.co.uk wrote:

> I was wondering if anyone else was seeing an increase in spam
> messages that come with a valid DKIM signature? It has gotten to the
> point where I have had to set DoDKIM to disabled because so much
> rubbish is coming through and I can't think of many circumstances
> where DKIM is actually used extensively.

I don't think it's a DKIM issue (or an SPF one or whatever); see, the
number of bots trying to bruteforce credentials (either over SMTP or
POP3/IMAP) dramatically raised (and I'm not counting the malware which
steals them from victim's machines) and once those credentials are
upped to some botnet controller, the bots will just start pumping a
lot of junk through a server using the stolen credentials and DKIM or
SPF won't be able to do much; bottom line, ensure to check for bounces
and keep an eye on your servers; as for bounces; if someone here is
running on win and using the IIS SMTP as the outbound mail router, it
may (will !) be a good idea to configure it to also send a copy of NDR
emails to some mailbox you manage (say ndr...@example.com) so that
you'll be able to see the bounces and take action (ok, this is a raw
and straight approach but as a first step it's better than nothing)





Re: [Assp-test] Spammers able to go through ASSP with false credentials... (as it seems to be for me)

2014-02-24 Thread Grayhat


> @Grayhat  It does appear there is such an increase... These people
> had these passwords for a long time (which in itself is wrong, of
> course).

Couple notes; if possible, try enforcing password complexity rules
[1] a little bit and ask your users to change their passwords or, if
possible setup some password expiry policy so that passwords will
change in time; also, be warned about the so-called password reuse [2]
which is a perfect way to compromise everything at once :)

[1] http://xkcd.com/936/

[2] http://xkcd.com/792/




Re: [Assp-test] Spammers able to go through ASSP with false credentials... (as

2014-02-24 Thread Grayhat

> ASSP development mailing list assp-test@lists.sourceforge.net
> writes:
> 
> It now gives me exactly the credentials being used...

just a bit of warning; logging usernames AND passwords means that
anyone having access to the logs will be able to access those email
accounts; not so nice imVHo better if ASSP could only log failed
attempts credentials.



Re: [Assp-test] Spammers able to go through ASSP with false credentials... (as it seems to be for me)

2014-02-23 Thread Grayhat
:: On Sun, 23 Feb 2014 19:38:38 +0400
::
titc.713176f2cf.offd9ec82f.07a8fced-onc1257c88.00556a78-44257c88.0055f...@thockar.com
 ::
Thomas Eckardt thomas.ecka...@thockar.com wrote:

> Feb-21-14 17:44:09 [Worker_2] [TLS-out] 116.203.191.142 [SMTP Reply]
> 235 
> 2.7.0 Authentication successful
[...] 
> The connected server (85.214.251.232:25) has replied  '235 2.7.0 
> Authentication successful'  - why should assp assume that this is
> wrong?

Also, and since we're at it, sounds like there has been an increase in
email credentials bruteforcing attempts; if you check ASSP (or
mailserver) logs you may notice quite a number of logon failures and
most of them coming from flocks of different IPs (also check POP3 and
IMAP on mailserver logs); sounds like botmasters are using lists of
email addresses scraped on the 'net to try finding weak passwords and
then abuse the accounts to pump out junk



Re: [Assp-test] ASSP log file update frequency

2014-02-17 Thread Grayhat

> I think the possibly maximum is around 50 seconds. The MainThread is 
> monitored by the MaintThread for actions. If the delay is too long,
> it may happen that the assp process will restart.

the only real solution (assuming we need it ... and I'm not sure about
it) would be setting up the log as a queue so that each and every log
write enqueues a line to the log, then we may have a logger thread
which will run lazy picking up (popping if you prefer) items from the
queue and writing them to the log... still, I'm not sure I'd like it;
also, and since we're at it, I don't think this is an ASSP issue rather
a fail2ban one
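
What such a queue would look like, as an added example (my code, not ASSP's): callers enqueue and return at once, one writer thread pops whatever has piled up and writes it as a batch, and `delay` is the lazy part. The catch raised elsewhere in this thread is visible in close(): lines still sitting in the queue when the process dies are gone, and a tailer such as fail2ban only sees a line once the writer has flushed it. The temp file and the line contents are constructed for the run.

```python
"""Queue-backed log writer with a lazy writer thread (added example)."""
import os
import queue
import tempfile
import threading
import time

_STOP = object()  # sentinel: drain what is queued, then exit the writer


class QueuedLogger:
    """Callers only enqueue; a single writer thread pops batches and writes."""

    def __init__(self, path, delay=0.0):
        self._q = queue.Queue()
        self._path = path
        self._delay = delay  # pause between batches (the "lazy" part)
        self._thread = threading.Thread(target=self._writer, daemon=True)
        self._thread.start()

    def log(self, line):
        """Non-blocking from the caller's point of view: just enqueue."""
        self._q.put(line)

    def _writer(self):
        with open(self._path, "a", encoding="utf-8") as fh:
            while True:
                batch = [self._q.get()]  # block for the first item
                try:
                    while True:  # then take whatever else is already queued
                        batch.append(self._q.get_nowait())
                except queue.Empty:
                    pass
                stop = any(item is _STOP for item in batch)
                fh.writelines(item + "\n" for item in batch if item is not _STOP)
                fh.flush()  # a tailer sees these lines only from here on
                if stop:
                    return
                if self._delay:
                    time.sleep(self._delay)

    def close(self):
        """Flush everything queued so far and stop the writer. Lines still
        queued when the process dies without reaching here are lost."""
        self._q.put(_STOP)
        self._thread.join()


def demo_roundtrip(count=50, delay=0.01):
    """Log `count` constructed lines through the queue into a temp file and
    return what actually landed on disk, in order."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        logger = QueuedLogger(path, delay=delay)
        for i in range(count):
            logger.log(f"line {i}")
        logger.close()
        with open(path, encoding="utf-8") as fh:
            return fh.read().splitlines()
    finally:
        os.remove(path)


if __name__ == "__main__":
    lines = demo_roundtrip()
    print(f"{len(lines)} lines written, first={lines[0]!r}, last={lines[-1]!r}")
```

Ordering is preserved because there is exactly one consumer; with `delay` above zero the file lags the events by up to that many seconds, which is precisely what a log-driven blocker would be reacting to late.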



Re: [Assp-test] ASSP log file update frequency

2014-02-17 Thread Grayhat
:: On Mon, 17 Feb 2014 14:05:38 -0500
:: sigth.1125b22c27.2d291066-e804-491c-91f8-5a1807df2...@videlicet.com
:: Trevor Jacques tre...@videlicet.com wrote:

> 
> On 17 Feb 2014, at 9:59, Thomas Eckardt thomas.ecka...@thockar.com
> wrote:
> 
> > hmmm ... lazy - to log, or not to log, that is the question :):):)
> 
> :-) 
> 
> > Be sure, delayed logging will never become a feature in assp.
> 
> Given that it takes only two lines and that it might be useful, so
> that some of us can make assp play even more nicely with others, I
> can’t imagine why not. :-)  There are many features and settings in
> assp that are noted as something like “change at your own risk” and
> many others that most assp admins never touch; that does not mean
> that they should be absent. Having a setting in the assp GUI to
> set the ‘logWriteDelay’ to a few seconds could help those of us who
> both need it and who do not write perl code. 

if the above should find room in ASSP code, I think it shouldn't go
into the gui, rather as an option in the override module; that said,
I don't think that slowing down the logging could be a good idea; see,
the log is there for a purpose and, in your case, a possible solution
may be configuring ASSP to write to syslog and then use those logs
for fail2ban




Re: [Assp-test] rebuildspamdb always hangs at certain position

2014-02-12 Thread Grayhat

> Is there anyone else having a problem with a stuck rebuild process
> or hanging workers (on HMM or Bayes) running ASSP_WordStem 1.24 and
> Perl 5.16.3 or later?

perl -v

This is perl 5, version 16, subversion 3 (v5.16.3) built for
MSWin32-x86-multi-thread

upgraded to latest ASSP *and* latest wordstem; ASSP didn't complete
rebuild since 07/02 (reporting now since I wanted to be sure); no
problems before; rolled back to 2.3.4 (14029) and forced a rebuild
right now, will report in a while, but I think that there may be
something wrong with latest ASSP, not sure if it's related to the
wordstem or something else





Re: [Assp-test] rebuildspamdb always hangs at certain position

2014-02-12 Thread Grayhat
> > Is there anyone else having a problem with a stuck rebuild
> > process or hanging workers (on HMM or Bayes) running ASSP_WordStem
> > 1.24 and Perl 5.16.3 or later?
> 
> perl -v
> 
> This is perl 5, version 16, subversion 3 (v5.16.3) built for
> MSWin32-x86-multi-thread
> 
> upgraded to latest ASSP *and* latest wordstem; ASSP didn't complete
> rebuild since 07/02 (reporting now since I wanted to be sure); no
> problems before; rolled back to 2.3.4 (14029) and forced a rebuild
> right now, will report in a while, but I think that there may be
> something wrong with latest ASSP, not sure if it's related to the
> wordstem or something else

confirmed, using a previous ASSP version, the rebuild completes w/o
problems so the issue must be related to some change made after the
version 2.3.4 (14029); just to add some details, I suspect the issue
may be related to changes made after 2.3.4 (14037)

HTH



Re: [Assp-test] rebuildspamdb always hangs at certain position

2014-02-12 Thread Grayhat
:: On Wed, 12 Feb 2014 19:01:23 +0400
::
titc.912072d482.of89b6fc3e.45f2cf2e-onc1257c7d.0051beb9-44257c7d.00528...@thockar.com
 ::
Thomas Eckardt thomas.ecka...@thockar.com wrote:

 
> Andrea, please create the 'assp/rebuilddebug.txt' file before running
> the rebuild. If the rebuild stucks, the last line of the file will
> show the .eml file, which caused the problem.
> If you have some time, zip and send me the .eml file.

aye, did it, but before zipping and all that, thought to retry running
a rebuild with a previous version of ASSP, still running, but sounds
like even using the *latest* wordstem (with a previous ASSP) the
problem disappears, so I don't think it's a wordstem issue
 



[Assp-test] Bayes, HMM and valence

2014-01-31 Thread Grayhat

By default the bays and HMM valence values are set to 49 and 55
(regular and local); now... according to the interface if one enables
both checks (setting them to score), the values should be revised...
the problem is that it's unclear how to set them; I mean, if I read the
GUI it says

for this reason it is recommended to use both Bayesian and HMM. If you
enable both checks, check your settings for baysValencePB,
HMMValencePB, bayslocalValencePB and HMMlocalValencePB - eg. divide
them by 2. or set the bayes values to 1/3 and the HMM values to 2/3.

now... following the above one would set values to (say) 24 and 27 (or
25 and 28) but... is this correct ? Also, I tried enabling HMM (that
is setting it to score) and then running a rebuild to ensure its table
was correctly populated but even then, ASSP logged messages like this

HMM-Check has given less than 6 results - using monitoring mode only

and while I can't understand the above (ok, probably I'm just dumb) the
above means that HMM won't score the message so I'd be left running on
bayes and since I changed bayes to 24, some spam could get through...

Bottom line; what's the correct way (step by step) to enable HMM, how
to correctly set the valence(s) and... what does that less than...
message mean ?




Re: [Assp-test] Bayes, HMM and valence

2014-01-31 Thread Grayhat
:: On Fri, 31 Jan 2014 15:56:48 +0100
::
titc.91085f2ee9.ofe5f40407.12ddb897-onc1257c71.004c28b4-c1257c71.00521...@thockar.com
 ::
Thomas Eckardt thomas.ecka...@thockar.com wrote:

> HMM-Check has given less than 6 results - using monitoring mode
> only
> 
> This is related to 'maxBayesValues'.
> monitoring only if $this->{hmmres} < int($maxBayesValues / 12 + 1)
> scoring only if $this->{hmmres} > int($maxBayesValues / 3 + 1)
[... snippage ...]

First of all, Thomas, thank you very much for the clarification, I
think I got it now, thanks again; then ...

> forget the locals, I don't scan local mails. But you see, I want to
> block anything that smells somehow like spam. I had no false postive

I do the same (don't check local - except for AV scan :D) but then, I
had to ask, others may be interested :)

> I'm using several automatic spam collecting (honeypots) addresses
> with just in time reporting. So, I get the newest spam very quick,
> but not on my account :-)

As for collecting... I wrote a fake smtp receiver (plain vanilla C
code) which I use to implement the so-called MX Sandwich or no
listing trick, that is

http://nolisting.org/
http://wiki.apache.org/spamassassin/OtherTricks
http://www.mail-archive.com/users@spamassassin.apache.org/msg51583.html

basically, I've something like this

@  IN MX 10 mx01.example.com.
@  IN MX 20 mx02.example.com.
@  IN MX 30 mx03.example.com.

where mx01 resolves to an IP where port 25/tcp is (and will always be)
in filtered state, mx02 is where ASSP sits and listens and mx03 is
where my fake smtp receiver listens; the latter will emit a tempfail
as soon as it receives a DATA command and, at the same time will
gather data about the connecting IP (senderbase, DNSBL...) and log
them, for example


2014-01-31|08:02:58|01A4D596|3462|1.164.213.150|1.160.0.0/12|1.164.0.0/16|1-164-213-150.dynamic.hinet.net|mailserver.localhost.com|SoftFail|BL|zen.spamhaus.org|TW|CHTD, CHUNGHWA TELECOM CO., LTD.|Taipei|25.0392|121.525|0|0|0|1|gabriella_co...@gabriella-coria.us|skyki...@example.com|no-error|mx01.example.com|192.0.2.151

2014-01-31|08:03:21|B86B9F9A|32613|184.107.159.154|184.107.0.0/16|184.107.0.0/16|www.strongmoments.com|216.155.126.36|SoftFail|BL|zen.spamhaus.org|CA|IWEB TECHNOLOGIES|Montréal|45.5|-73.5833|0|0|0|1|gtstjqkk2460227964...@docomo.ne.jp|da...@example.com|no-error|mx01.example.com|192.0.2.151

2014-01-31|08:03:25|C26A1006|6739|194.106.16.6|194.106.16.0/21|194.106.0.0/19|194.106.16.6.static.user.ono.com|194.106.16.6.static.user.ono.com|SoftFail|BL|zen.spamhaus.org|ES|ONO|Madrid|40.4391|-3.674|0|0|0|1|davidsonvzezodjmoas...@spray.se|millysdonteventhinkaboutmailin...@example.com|no-error|mx01.example.com|192.0.2.151


now, the above are three log records and, while I'm not going to detail
the various data columns (may be that in case you're interested), I
think it's easy to see that they contain quite a bunch of useful infos;
my problem, at the moment is feeding such data to ASSP, I may write
some code to load/parse/filter entries but I don't know how to feed the
data to ASSP to help it filtering ... any idea ? 

Oh, and by the way, in case you're interested the code is available
*and* if you want, I may arrange things to send your way a mail feed
with the logs so that you may use them to feed the ASSP filters ;-)
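
An added example, not Grayhat's C receiver and nothing from ASSP, of the load/parse/filter step he mentions: it takes the three records above as embedded sample input (addresses as they appear in the archive, truncation included), splits them on the pipe, and turns them into a sorted list of DNSBL-listed client IPs plus a small summary. Which column holds what is my reading of the visible values; Grayhat did not document them, so the field indexes below are assumptions.

```python
"""Parse and summarize the fake MX receiver's records (added example)."""
from collections import Counter
from dataclasses import dataclass

# The three records from the post, one per line (sample input).
SAMPLE_RECORDS = """\
2014-01-31|08:02:58|01A4D596|3462|1.164.213.150|1.160.0.0/12|1.164.0.0/16|1-164-213-150.dynamic.hinet.net|mailserver.localhost.com|SoftFail|BL|zen.spamhaus.org|TW|CHTD, CHUNGHWA TELECOM CO., LTD.|Taipei|25.0392|121.525|0|0|0|1|gabriella_co...@gabriella-coria.us|skyki...@example.com|no-error|mx01.example.com|192.0.2.151
2014-01-31|08:03:21|B86B9F9A|32613|184.107.159.154|184.107.0.0/16|184.107.0.0/16|www.strongmoments.com|216.155.126.36|SoftFail|BL|zen.spamhaus.org|CA|IWEB TECHNOLOGIES|Montréal|45.5|-73.5833|0|0|0|1|gtstjqkk2460227964...@docomo.ne.jp|da...@example.com|no-error|mx01.example.com|192.0.2.151
2014-01-31|08:03:25|C26A1006|6739|194.106.16.6|194.106.16.0/21|194.106.0.0/19|194.106.16.6.static.user.ono.com|194.106.16.6.static.user.ono.com|SoftFail|BL|zen.spamhaus.org|ES|ONO|Madrid|40.4391|-3.674|0|0|0|1|davidsonvzezodjmoas...@spray.se|millysdonteventhinkaboutmailin...@example.com|no-error|mx01.example.com|192.0.2.151
"""

FIELD_COUNT = 26  # every record above has exactly this many pipe-separated fields


@dataclass
class Record:
    """Only the columns used below; the index of each is an assumption."""
    date: str
    time: str
    ip: str        # connecting client address
    rdns: str      # reverse DNS of the client
    helo: str      # what the client announced itself as
    spf: str       # SPF result
    listed: bool   # "BL" = DNSBL hit
    dnsbl: str     # which zone listed it
    country: str
    org: str
    mail_from: str
    rcpt_to: str


def parse_record(line):
    f = line.split("|")  # the org field has commas but no pipes, so split is safe
    if len(f) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(f)}: {line[:40]!r}")
    return Record(date=f[0], time=f[1], ip=f[4], rdns=f[7], helo=f[8], spf=f[9],
                  listed=f[10] == "BL", dnsbl=f[11], country=f[12], org=f[13],
                  mail_from=f[21], rcpt_to=f[22])


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def _ip_key(ip):
    return tuple(int(part) for part in ip.split("."))


def listed_ips(records):
    """Distinct client IPs that were DNSBL-listed, sorted numerically: the
    shape that can be written one per line into a file-based blocklist."""
    return sorted({r.ip for r in records if r.listed}, key=_ip_key)


def summarize(records):
    return {
        "total": len(records),
        "listed": sum(r.listed for r in records),
        "by_dnsbl": Counter(r.dnsbl for r in records if r.listed),
        "by_country": Counter(r.country for r in records),
        "by_spf": Counter(r.spf for r in records),
        "helo_mismatch": sum(r.helo != r.rdns for r in records),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_RECORDS)
    print("\n".join(listed_ips(recs)))
    print(summarize(recs))
```

Everything that talks to the lowest-priority MX with DATA has already skipped the two MXs in front of it, so the records are all suspect by construction; the DNSBL column and the HELO/rDNS mismatch just say how suspect. The listed-IP output is a one-IP-per-line list, which is the simplest thing to hand to a file-based block list, with the usual caveat that a tempfail honeypot also catches the occasional misconfigured legitimate sender, so the list wants an expiry.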



Re: [Assp-test] Senderbase

2014-01-30 Thread Grayhat

> On my way to a new version - this is the nudge that I needed.
> (pending some more answers to my other thread on general windows
> recommendations and the requirements of hmm)

Well, as for the HMM, start vanilla, that is, install your new ASSP,
configure it, migrate your files, upgrade to DB and then once it will
be working, you may experiment by enabling HMM but, as Thomas wrote,
just one step at a time :)



Re: [Assp-test] Senderbase

2014-01-29 Thread Grayhat
:: On Tue, 28 Jan 2014 13:56:42 -0500
:: CALhpkAkknxNz3w4GAtpt120=duav_aypbm39e+obtsvynau...@mail.gmail.com
:: K Post nntp.p...@gmail.com wrote:

> Hey, would you look at that!  There's a setting for senderbase log
> verbosity!  Changing it to verbose, gives me:
> Timeout occurred getting results at C:/Perl/site/lib/Net/SenderBas
> e/Query/DNS.pm
> 
> DNSTimeout was 5 seconds.  Changed to 10, no difference.
> 
> Any suggestions?  DNS settings on the server seem fine and are
> responsive.

ensure that you're able to run DNS queries over TCP not just over UDP;
if your firewall is blocking queries to 53/TCP then you're in trouble;
on windows, fire up nslookup without parameters, next enter

server 8.8.8.8
set vc

and done that enter some hostnames to see if resolution is ok; on
Linux, use dig +tcp host.name @8.8.8.8 where host.name will be a
valid hostname; in both cases the queries will be sent to the google
DNS resolver over TCP and if they fail...
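
The same check done in code, as an added example that is not from the post: a DNS query is built by hand, sent over 53/TCP with the two-byte length prefix that TCP transport adds (and that a UDP-only firewall rule never sees), and the reply is parsed. query_tcp() needs the network; build_demo_response() is a constructed reply so the parser can be exercised offline. 8.8.8.8 is the resolver named in the post, www.example.com is a placeholder name and 192.0.2.1 a documentation address.

```python
"""Send a DNS query over TCP and parse the answer (added example)."""
import os
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Wire-format a host name: length-prefixed labels, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=None):
    """Return (transaction id, message) for an A query with RD set.
    An unpredictable id is part of what makes a spoofed reply unlikely."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def frame_tcp(message):
    """TCP carries DNS with a 2-byte big-endian length prefix; UDP does not."""
    return struct.pack("!H", len(message)) + message


def read_name(msg, off, hops=0):
    """Decode a possibly compressed name at `off`; return (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, pointer, hops + 1)
            labels.append(tail)
            return ".".join(l for l in labels if l), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg, expected_txid):
    """Validate the header and return (rcode, [(name, ipv4, ttl), ...])."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: a query, not a response")
    if flags & 0x0200:
        raise ValueError("TC bit set: truncated, which must not happen over TCP")
    rcode, off = flags & 0x000F, 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if (rtype, rclass, rdlen) == (QTYPE_A, QCLASS_IN, 4):
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return rcode, answers


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def query_tcp(name, server="8.8.8.8", timeout=5.0):
    """The check from the post: resolve `name` via `server` over 53/TCP.
    A firewall that only allows 53/UDP makes this raise instead of return."""
    txid, message = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(frame_tcp(message))
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        reply = _recv_exact(sock, length)
    return parse_response(reply, txid)


def build_demo_response(txid, name, ipv4, ttl=300):
    """Constructed reply for offline testing only: echoes the question and
    adds one A record whose owner is a compression pointer to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    return header + question + rr + socket.inet_aton(ipv4)


if __name__ == "__main__":
    try:
        print(query_tcp("www.example.com"))
    except OSError as exc:
        print(f"TCP query failed: {exc} (is 53/TCP allowed outbound?)")
```

Run it against your own resolver as well as 8.8.8.8: if the Google query succeeds and the local one times out, the resolver itself (or the path to it) is what drops TCP, which is exactly the symptom that turns every large SenderBase-style reply into a timeout.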



Re: [Assp-test] Install advise on new Windows box

2014-01-29 Thread Grayhat

> I'm going to be starting from scratch on a new Windows install, but
> migrating data over from an older 2.x install.  That current install
> uses all flat files, no database.

well... in theory flat-files should work as they are but I'd wait for
some notes from Thomas about it; that said...

> 1) This will likely be a Windows 2012 r2 box, so 64 bit.  Any specific
> issues on W2k12?  Is it preferable to use an older OS?

No problem, just use a 32bits Perl, using a 64 bits one won't give you
any advantage 

> 4) Install the latest OpenSSL version 0.9.x (don't use version 1.x.x
> on production systems)
> http://www.slproweb.com/products/Win32OpenSSL.html
> 
> Is that still advisable?

I think that picking the latest from http://www.openssl.org/ and
ensuring that the libs (DLLs) are on the PATH may be ok

> 3) Also that quickstart says to use activestate perl 5.12.  That
> can't be up to date can it?  What's recommended, 5.16, 5.18?  Lower?

This is perl 5, version 16, subversion 3 (v5.16.3) built for
MSWin32-x86-multi-thread

:)

> a) Now that I'm hoping to use HMM, I need a database (right?).  What's
> recommended MySQL or BerkeleyDB?  I saw the post by Thomas that said
> that BerkeleyDB is now stable with perl 5.16/5.18, but I don't know if
> that's better than using MySQL.

Berkeley is ok but has little tools to manage the DB in case you'll
ever need to put your hands in; in my case I found that MSSQL is a
good pick; if you can't or don't want to use the full version the
free express will just fit the bill... then, ok, you may decide to go
for MySQL which is fine too, but sincerely I don't trust Oracle so much
and not knowing what will happen to MySQL... :P

As a note I'd like to see a patch (or something like that) allowing
to run ASSP over MariaDB and/or FireBirdSQL but then... :)

> a) Is there an up to date guide on moving from flat files to a proper
> database?

Well... start by installing ASSP and configuring everything (ASSP,
clamAV+signatures, domains...) and once all ok, move your files to the
new box and ensure all's ok; done that *BACKUP* the config and then
just follow the directions to migrate files to DB; notice that if
you're planning to use HMM instead of Bayes, you'll need to ensure that
your DB is up to the task since HMM poses quite a *load* on the DB (and
the machine running it)




Re: [Assp-test] Install advise on new Windows box

2014-01-29 Thread Grayhat

> > I'm going to be starting from scratch on a new Windows install, but
> > migrating data over from an older 2.x install.  That current install

> clamAV+signatures, domains...) and once all ok, move your files to the
> new box and ensure all's ok; done that *BACKUP* the config and then

forgot; a good approach (if you have the hardware and all the needed
stuff) would be using a Virtual Machine, that way you won't only be
able to quickly backup the whole installation, but you won't depend
from hardware and even be able to create snapshots and roll them back
in case something goes berserkr :) 



Re: [Assp-test] Senderbase

2014-01-28 Thread Grayhat
:: On Tue, 28 Jan 2014 09:02:50 -0500
:: CALhpkAnvBsA3FGYqSNCcg08eL1utRny+sr_Ac4Xa0YjNRuB=y...@mail.gmail.com
:: K Post nntp.p...@gmail.com wrote:

> Confirmed that it seems like only the cached entries are working.
> Every one of the 300+ senderbase matches from today, are from the
> cache. For example:
> 199.101.162.46

couple questions:

1: are there any DNS-related messages in your logs ?

2: are you using your own (no forwarders) DNS resolvers or are you
   using public resolvers like OpenDNS, Google or whatever else ?




Re: [Assp-test] Senderbase

2014-01-28 Thread Grayhat

> Hey Grayhat- been a while...  Thanks for your followup.

Hi there, yes, been (and being sigh) busy

> I'm using our internal dns servers, without forwarders.  I see DNSBL
> messages, RWL, etc as expected.

ok, one thing less to check (I hope) :)

> Could a format error in the whiteSenderBase be the culprit?  I don't
> see an error when it's loaded.  There's 1000+ entries, hard to check

well, maybe, sure or may be due to some check kicking in *before* the
senderbase one; carefully checking the logs and/or increasing logging
would be a good idea imVHo



Re: [Assp-test] upgrading from ASSP version 2.3.3(13276) to 2.3.4(latest)

2013-11-12 Thread Grayhat

> hi all.
> is there any caveat or recommendation or special modules/packages
> requirements for upgrading from ASSP version 2.3.3(13276) to version
> 2.3.4(latest)?
> i'm running a 2 hosts production system on Linux, perl 5.14, all
> databases as tables on Mysql.

upgrade your Perl runtime and all the packages; upgrade ASSP and ensure
to run the module installation script, then upgrade your packages
again, that should do the trick; notice that making a good backup won't
hurt; all in all, Murphy was right, so let's try minimizing issues :D



Re: [Assp-test] Virus scanners

2013-09-27 Thread Grayhat
> We have ClamAV running on our mailserver and are currently suffering a
> significant number of Trojans getting past.

ClamAV is a more than decent mail AVscanner but you'll need to feed it
with some additional signatures, namely the ones available here

http://www.sanesecurity.co.uk/databases.htm

just have an look at the various available sigs to decide which ones
you want to use, then, to use them, pick one of the updater scripts
available on the same site (see usage)

HTH


Re: [Assp-test] Virus scanners

2013-09-27 Thread Grayhat
> So far I have identified two domains that most mail claims as the from
> address. Both publish SPF records but define ~all so I have added
> them to strictSPFRe.

Hmmm... now I'm becoming curious; you're running ASSP, so, which
filters did you enable (set aside SPF and AV scanning) ? See, it sounds
like you're running w/o some filters (e.g. DNSBL/DNSWL and URIBL/URIWL)



Re: [Assp-test] assp dying

2013-09-20 Thread Grayhat
> I have a cron job for this (attached). It opens a connection to both
> the SMTP and Web interface ports and makes sure it gets a connection

hmm... not bad, but before that, I think you'd better check if the ASSP
process is running, then, if it's running (and only if it's running)
you may go on and check if it's also correctly responding to requests :)



Re: [Assp-test] Need guide on how to do upgrade to the latest version of assp Re: assp spawning spam

2013-05-22 Thread Grayhat

> > Subj: assp spawning spam
> > on an installation of mine
> they managed to get hold of the boss address (of all addresses) 
> and they send spam to the outside world.
> 
> they -- is who?  
> Computer with antispam?  
> Or computers of internal users?

I suspect that someone bruteforced or either obtained by other means
(a virus, phishing...) the email credentials and is now using them to
authenticate and spit out junk; there are a couple settings in ASSPv2
which I'd recommend to avoid such issues; first of all, the rate
limiter which allows you to configure the max number of messages per
time interval which a given account can send; start by setting up it
this way

LocalFrequencyInt:=1800
LocalFrequencyNumRcpt:=120
LocalFrequencyOnly:=
NoLocalFrequency:=file:files/nolocalfrequency.txt

and configure the files/nolocalfrequency.txt file to contain just the
local assp address (used to send reports and so on); also, ensure that
the notification email to (Notify) under logging contains a valid
address since ASSP will then send infos about senders tripping over the
rate limiter to such an address; next, edit lib\CorrectASSPcfg.pm and
add it (or uncomment) the following

$main::AUTHLogUser = 1;

save the file and restart ASSP, the above tells ASSP to log a line to
the maillog containing a given authenticated user name, this way,
you'll be able to check who is logging (or trying to log) into your
box... then, sit back and monitor your ASSP for a while
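
An added example (my code, not ASSP's) of the "sit back and monitor" step run over log lines; it also covers the flocks of logon failures from different IPs mentioned earlier in this thread. The line layout is hypothetical, not ASSP's real maillog format (only the timestamp style is borrowed from the excerpts on this list); the window and recipient limit are the LocalFrequencyInt and LocalFrequencyNumRcpt values above, the exempt list plays the part of nolocalfrequency.txt, the threshold of five distinct IPs is my own choice, and the sample lines are constructed with documentation addresses.

```python
"""Spot guessed or abused accounts in authentication log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# The two rate-limiter values from the post, used as the detection window.
LOCAL_FREQUENCY_INT = 1800      # seconds
LOCAL_FREQUENCY_NUM_RCPT = 120  # recipients allowed per interval
FAIL_IP_THRESHOLD = 5           # distinct IPs failing on one account (own choice)

# Hypothetical line layout, NOT ASSP's real maillog format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[\S+\] (?P<ip>[\d.]+) "
    r"AUTH user=(?P<user>\S+) result=(?P<result>OK|FAIL)(?: rcpt=(?P<rcpt>\d+))?$"
)


def parse_line(line):
    """Return a dict for a matching line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b-%d-%y %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "user": m["user"],
            "ok": m["result"] == "OK", "rcpt": int(m["rcpt"] or 0)}


def distributed_failures(events, threshold=FAIL_IP_THRESHOLD):
    """Accounts whose failed logins come from at least `threshold` distinct
    addresses: the footprint of many bots sharing one guessing job."""
    ips = defaultdict(set)
    for e in events:
        if not e["ok"]:
            ips[e["user"]].add(e["ip"])
    return {user: sorted(found) for user, found in ips.items() if len(found) >= threshold}


def rate_limit_trips(events, interval=LOCAL_FREQUENCY_INT,
                     max_rcpt=LOCAL_FREQUENCY_NUM_RCPT, exempt=()):
    """Sliding window over successful auths: per user, sum the recipients of
    the last `interval` seconds and record the first time the sum exceeds
    `max_rcpt`. `exempt` plays the role of nolocalfrequency.txt."""
    window = defaultdict(deque)  # user -> deque of (timestamp, rcpt)
    total = defaultdict(int)
    trips = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"] or e["user"] in exempt:
            continue
        user, q = e["user"], window[e["user"]]
        q.append((e["ts"], e["rcpt"]))
        total[user] += e["rcpt"]
        while q and (e["ts"] - q[0][0]).total_seconds() > interval:
            total[user] -= q.popleft()[1]
        if total[user] > max_rcpt and user not in trips:
            trips[user] = e["ts"]
    return trips


def sample_log():
    """Constructed excerpt: bob is being guessed from six addresses, alice is
    normal, carol sends to 25 recipients every five minutes, and the ASSP
    report sender is on the exempt list."""
    lines = [f"Jul-18-17 09:{i:02d}:00 [Worker_1] 203.0.113.{i} AUTH user=bob@example.com result=FAIL"
             for i in range(1, 7)]
    lines += [f"Jul-18-17 10:0{i}:00 [Worker_2] 192.0.2.10 AUTH user=alice@example.com result=OK rcpt=1"
              for i in range(3)]
    lines += [f"Jul-18-17 10:{5 * i:02d}:00 [Worker_3] 198.51.100.7 AUTH user=carol@example.com result=OK rcpt=25"
              for i in range(6)]
    lines.append("Jul-18-17 10:01:00 [Worker_4] 127.0.0.1 AUTH user=assp@example.com result=OK rcpt=200")
    return lines


def analyze(lines, exempt=("assp@example.com",)):
    events = [e for e in map(parse_line, lines) if e is not None]
    return {"guessed": distributed_failures(events),
            "rate_limited": rate_limit_trips(events, exempt=set(exempt))}


if __name__ == "__main__":
    for kind, hits in analyze(sample_log()).items():
        print(kind, hits)
```

The two detections answer different questions: distributed_failures() says which account is being guessed at (the thing to reset the password on and watch), rate_limit_trips() says which account has already been taken over and is pumping (the thing to lock now). Both only work if the log actually carries the user name, which is what the AUTHLogUser setting above is for.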




