What is your setting for 'MSGIDsigLog' ?
Thomas
Von: Colin <a...@lanternhosting.co.uk>
An: assp-test@lists.sourceforge.net,
Datum: 18.09.2012 17:21
Betreff: Re: [Assp-test] Antwort: Re: Antwort: Backscatter
problem
I have just checked some outbound emails and they all bear a Message-ID:
header so it looks like MSGID is working.
In the case of this one domain it would seem that ASSP is failing to
block the messages even though they do not bear an MSGID header
All the best,
Colin
On 18/09/2012 15:19, Thomas Eckardt wrote:
> Colin, if you use the MSGID-signature, all mails sent for your domain(s)
> should be tagedr - otherwise this does not make sense to me.
> If any webserver sents out messages without the tag and a bounce comes
in
> because of such a mail, assp should block it.
>
> So, if I understand it right, the MSGID-signature check is not working ?
>
> Thomas
>
>
>
>
> Von: Colin <a...@lanternhosting.co.uk>
> An: assp-test@lists.sourceforge.net,
> Datum: 18.09.2012 16:04
> Betreff: Re: [Assp-test] Antwort: Backscatter problem
>
>
>
> The junk emails are nothing to do with our servers.
>
> The website I believe to be generating the original junk is hosted
> elsewhere and deals with emails however it wants. The bounce messages
> are coming from various Russian servers that have been hit by the spam.
> As such ratelimiting and frequency won't do anything.
>
> The only reason I am seeing these messages in the queues is because they
> are sent to invalid recipients - if recipient validation was to ocurr on
> received bounce messages as per my original message then the whole issue
> would go away as far as I am concerned. If the client wants us to argue
> the compromised website with the web developer then that is another
issue.
>
> All the best,
> Colin Waring.
>
>
>
> On 18/09/2012 08:03, Grayhat wrote:
>>> has you set 'MSGIDpreTag' and 'MSGIDSec' ?
>>>
>>> Both have to be set! The default value is NOT valid for 'MSGIDSec'!
>> good point; also, if the customer is also *sending* out emails through
>> ASSP, it may be a good idea enabling the outbound rate limiter, that is
>> setting appropriate values for LocalFrequencyInt/LocalFrequencyNumRcpt
>> (and possibly for NoLocalFrequency *or* LocalFrequencyOnly not both);
>> in my experience the limiter greatly helps finding sudden "outbound
>> emails flurries" which are often caused by compromised boxes (or either
>> by regular users thinking that mass-mailing is cool :P)
>>
>> For a starter, you may try setting up the following
>>
>> LocalFrequencyInt := 1800
>>
>> LocalFrequencyNumRcpt := 120
>>
>> then populate EITHER the NoLocalFrequency or LocalFrequencyOnly with
>> something like file:files/nolocalfreq.txt of file:files/localfreq.txt
>> and edit the file populating it with the desired recipients; I use the
>> first one and populated the file with addresses beloning to mailing
>> lists or newsletter, but if you prefer you may use the second one and
>> just insert into it the sender addresses which you want to "monitor";
>> in either case, you'll then get back an alert in case someone sends out
>> more than 120 messages in 1800 seconds (you may fine tune those values,
>> but they are usually a good starting point)
>>
>>
>
------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond.
> Discussions
>> will include endpoint security, mobile security and the latest in
> malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond.
Discussions
> will include endpoint security, mobile security and the latest in
malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential,
legally
> privileged and protected in law and are intended solely for the use of
the
>
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
>
>
>
>
>
------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond.
Discussions
> will include endpoint security, mobile security and the latest in
malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>
>
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no
known virus in this email!
*******************************************************
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
