Thank you Colin - I've found the bug.
Thomas
From: Colin <a...@lanternhosting.co.uk>
To: assp-test@lists.sourceforge.net,
Date: 20.09.2012 18:58
Subject: Re: [Assp-test] Antwort: Re: Antwort: Re: Antwort: Backscatter problem
Hi Thomas,
Setting it to verbose seems to have changed nothing. As per the log
below the system is detecting the message as a bounce but does not
appear to be logging any MSIG validation attempt.
2012-09-20 14:40:58 [Worker_6] Connected: 82.198.189.153:58621 > 195.88.101.110:25 > 127.0.0.1:125
2012-09-20 14:40:58 [Worker_6] 82.198.189.153 [SMTP Reply] 220 mail.smtphost.co.uk ESMTP Exim 4.76 Thu, 20 Sep 2012 14:40:58 +0100
2012-09-20 14:40:58 [Worker_6] 82.198.189.153 [SMTP Reply] 250 HELP
2012-09-20 14:40:58 [Worker_6] 82.198.189.153 info: got STARTTLS request from 82.198.189.153
2012-09-20 14:40:58 [Worker_6] 82.198.189.153 [SMTP Reply] 220 TLS go ahead
2012-09-20 14:40:59 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 [SMTP Reply] 250 HELP
2012-09-20 14:40:59 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 info: found message size announcement: 7.85 kByte
2012-09-20 14:40:59 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] [isbounce] 82.198.189.153 bounce message detected
2012-09-20 14:40:59 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 Message-Score: added -10 (tlsValencePB) for SSL-TLS-connection-OK, total score for this message is now -10
2012-09-20 14:40:59 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 [SMTP Reply] 250 OK
2012-09-20 14:40:59 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld [SMTP Reply] 250 Accepted
2012-09-20 14:40:59 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld [SMTP Reply] 354 Enter message, ending with "." on a line by itself
2012-09-20 14:41:00 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld [scoring] SPF: none ip=82.198.189.153 helo=mail.rosreestr.ru
2012-09-20 14:41:00 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld Regex:BombRe 'PB 20: for Undeliverable:'
2012-09-20 14:41:00 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] [bombRe] 82.198.189.153 to: vida.melnik...@domain.tld [scoring] (bombRe 'Undeliverable:')
2012-09-20 14:41:00 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld Message-Score: added 20 for Regex:BombRe 'PB 20: for Undeliverable:' bombRe: 'Undeliverable:', total score for this message is now 10
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld HMM Check [scoring] - Prob: 1.00000 => spam
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld Message-Score: added 22 for HMM Probability: 1.0000, total score for this message is now 32
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld Bayesian Check [scoring] - Prob: 0.00000 => ham
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld [Plugin] calling plugin ASSP_AFC
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld [Plugin] calling plugin ASSP_DCC
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] [MessageOK] 82.198.189.153 to: vida.melnik...@domain.tld message ok [Undeliverable]
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld [SMTP Reply] 250 OK id=1TEgzz-0007xX-Ve
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld [SMTP Reply] 221 mail.smtphost.co.uk closing connection
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [SSL-out] 82.198.189.153 to: vida.melnik...@domain.tld finished message - received DATA size: 0 Byte - sent DATA size: 8.06 kByte
2012-09-20 14:41:01 [Worker_6] Disconnected: 82.198.189.153 - processing time 3 seconds
On 18/09/2012 16:43, Thomas Eckardt wrote:
> What is your setting for 'MSGIDsigLog' ?
>
> Thomas
>
>
>
>
> From: Colin <a...@lanternhosting.co.uk>
> To: assp-test@lists.sourceforge.net,
> Date: 18.09.2012 17:21
> Subject: Re: [Assp-test] Antwort: Re: Antwort: Backscatter problem
>
>
>
> I have just checked some outbound emails and they all bear a Message-ID:
> header so it looks like MSGID is working.
>
> In the case of this one domain it would seem that ASSP is failing to
> block the messages even though they do not bear an MSGID header
>
> All the best,
> Colin
>
> On 18/09/2012 15:19, Thomas Eckardt wrote:
>> Colin, if you use the MSGID-signature, all mails sent for your domain(s)
>> should be tagged - otherwise this does not make sense to me.
>> If any webserver sends out messages without the tag and a bounce comes in
>> because of such a mail, assp should block it.
>>
>> So, if I understand it right, the MSGID-signature check is not working?
>>
>> Thomas
>>
>>
>>
>>
>> From: Colin <a...@lanternhosting.co.uk>
>> To: assp-test@lists.sourceforge.net,
>> Date: 18.09.2012 16:04
>> Subject: Re: [Assp-test] Antwort: Backscatter problem
>>
>>
>>
>> The junk emails are nothing to do with our servers.
>>
>> The website I believe to be generating the original junk is hosted
>> elsewhere and deals with emails however it wants. The bounce messages
>> are coming from various Russian servers that have been hit by the spam.
>> As such rate limiting and frequency won't do anything.
>>
>> The only reason I am seeing these messages in the queues is because they
>> are sent to invalid recipients - if recipient validation was to occur on
>> received bounce messages as per my original message then the whole issue
>> would go away as far as I am concerned. If the client wants us to argue
>> the compromised website with the web developer then that is another issue.
>> All the best,
>> Colin Waring.
>>
>>
>>
>> On 18/09/2012 08:03, Grayhat wrote:
>>>> have you set 'MSGIDpreTag' and 'MSGIDSec' ?
>>>>
>>>> Both have to be set! The default value is NOT valid for 'MSGIDSec'!
>>> good point; also, if the customer is also *sending* out emails through
>>> ASSP, it may be a good idea to enable the outbound rate limiter, that is
>>> setting appropriate values for LocalFrequencyInt/LocalFrequencyNumRcpt
>>> (and possibly for NoLocalFrequency *or* LocalFrequencyOnly, not both);
>>> in my experience the limiter greatly helps finding sudden "outbound
>>> email flurries" which are often caused by compromised boxes (or by
>>> regular users thinking that mass-mailing is cool :P)
>>>
>>> For a starter, you may try setting up the following
>>>
>>> LocalFrequencyInt := 1800
>>>
>>> LocalFrequencyNumRcpt := 120
>>>
>>> then populate EITHER the NoLocalFrequency or LocalFrequencyOnly with
>>> something like file:files/nolocalfreq.txt or file:files/localfreq.txt
>>> and edit the file populating it with the desired recipients; I use the
>>> first one and populated the file with addresses belonging to mailing
>>> lists or newsletters, but if you prefer you may use the second one and
>>> just insert into it the sender addresses which you want to "monitor";
>>> in either case, you'll then get back an alert in case someone sends out
>>> more than 120 messages in 1800 seconds (you may fine tune those values,
>>> but they are usually a good starting point)
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Live Security Virtual Conference
>>> Exclusive live event will cover all the ways today's security and
>>> threat landscape has changed and how IT managers can respond. Discussions
>>> will include endpoint security, mobile security and the latest in malware
>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>> _______________________________________________
>>> Assp-test mailing list
>>> Assp-test@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/assp-test
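The whole thread turns on one mechanism: outbound mail for the local domains gets a signed Message-ID, and an inbound bounce that quotes no valid tag for one of those domains is backscatter and should be refused, which is exactly what did not happen in Colin's log (the message was flagged [isbounce] but still ended as [MessageOK]). The block below is an added, self-contained illustration of that scheme in Python; it is not ASSP's code. The tag layout (pretag.timestamp.nonce.hmac@domain), the names PRETAG, LOCAL_DOMAINS, MAX_AGE and SECRET, the bounce heuristic in is_bounce, and the three sample bounces are this example's own assumptions: the page does not show ASSP's real Message-ID format or how MSGIDpreTag and MSGIDSec are combined.

```python
"""Added example: HMAC-tagged Message-IDs for backscatter rejection (not ASSP code)."""
import hashlib
import hmac
import os
import re
import time

# Hypothetical analogues of the ASSP settings the thread mentions (MSGIDpreTag,
# MSGIDSec); the tag layout below is this example's own, not ASSP's.
PRETAG = "msig"
PLACEHOLDER_SECRET = b"change-me"      # stands in for an unchanged default secret
LOCAL_DOMAINS = {"domain.tld"}         # domains whose outbound mail we sign
TAG_LEN = 20                           # hex chars of HMAC-SHA256 kept in the ID
MAX_AGE = 7 * 86400                    # bounces for mail older than this are refused

# <pretag>.<unix-ts>.<nonce>.<tag>@<domain>
MSGID_RE = re.compile(
    r"<(?P<pretag>[A-Za-z0-9]+)\.(?P<ts>\d+)\.(?P<nonce>[0-9a-f]+)\."
    r"(?P<tag>[0-9a-f]{%d})@(?P<domain>[A-Za-z0-9.-]+)>" % TAG_LEN
)


def _tag(secret, ts, nonce, domain):
    """HMAC over everything the verifier will later trust from the ID."""
    data = f"{ts}.{nonce}@{domain}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()[:TAG_LEN]


def sign_message_id(domain, secret, pretag=PRETAG, now=None, nonce=None):
    """Message-ID to stamp on outbound mail for a local domain."""
    if secret == PLACEHOLDER_SECRET:
        raise ValueError("MSGID secret is still the placeholder; set a real one")
    domain = domain.lower()
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(6).hex() if nonce is None else nonce
    return f"<{pretag}.{ts}.{nonce}.{_tag(secret, ts, nonce, domain)}@{domain}>"


def verify_message_id(msgid, secret, pretag=PRETAG, domains=LOCAL_DOMAINS,
                      now=None, max_age=MAX_AGE):
    """True only for an ID we issued, for one of our domains, and not too old."""
    m = MSGID_RE.fullmatch(msgid.strip())
    if m is None or m["pretag"] != pretag:
        return False
    domain = m["domain"].lower()
    if domain not in domains:
        return False
    expected = _tag(secret, m["ts"], m["nonce"], domain)
    if not hmac.compare_digest(expected, m["tag"]):      # constant-time compare
        return False
    age = (time.time() if now is None else now) - int(m["ts"])
    return 0 <= age <= max_age


def is_bounce(envelope_from):
    """Null reverse-path or a daemon sender: treat the message as a DSN (simplified)."""
    s = envelope_from.strip().strip("<>").lower()
    return s == "" or s.split("@")[0] in {"mailer-daemon", "postmaster"}


def classify_bounce(envelope_from, raw_bounce, secret, **verify_kw):
    """'not-bounce', 'legit-bounce' (a valid tag was quoted) or 'backscatter'."""
    if not is_bounce(envelope_from):
        return "not-bounce"
    # A DSN normally quotes the original headers; any tagged ID in the body counts.
    for m in MSGID_RE.finditer(raw_bounce):
        if verify_message_id(m.group(0), secret, **verify_kw):
            return "legit-bounce"
    return "backscatter"


# --- constructed sample data (not taken from the thread's log) ----------------
SECRET = b"example-only-secret"
T0 = 1348148459                         # fixed clock, roughly the log's timestamp
GOOD_ID = sign_message_id("domain.tld", SECRET, now=T0 - 3600, nonce="0a1b2c3d4e5f")
_t = MSGID_RE.fullmatch(GOOD_ID)["tag"]
FORGED_ID = GOOD_ID.replace(_t, ("0" if _t[0] != "0" else "1") + _t[1:])

LEGIT_BOUNCE = (
    "From: MAILER-DAEMON@mail.example.net\nTo: vida.melnik@domain.tld\n"
    "Subject: Undeliverable: hello\n\n--- original headers ---\n"
    f"From: vida.melnik@domain.tld\nMessage-ID: {GOOD_ID}\nSubject: hello\n"
)
FORGED_BOUNCE = LEGIT_BOUNCE.replace(GOOD_ID, FORGED_ID)
NO_ID_BOUNCE = (                        # the shape of the untagged bounce in the log
    "From: MAILER-DAEMON@mail.rosreestr.ru\nTo: vida.melnik@domain.tld\n"
    "Subject: Undeliverable: buy now\n\n--- original headers ---\n"
    "From: noreply@domain.tld\nSubject: buy now\n"
)

if __name__ == "__main__":
    for label, env, body in (("legit", "<>", LEGIT_BOUNCE),
                             ("forged", "<>", FORGED_BOUNCE),
                             ("untagged", "MAILER-DAEMON@mail.rosreestr.ru", NO_ID_BOUNCE),
                             ("not a DSN", "alice@example.org", NO_ID_BOUNCE)):
        print(f"{label:10s} -> {classify_bounce(env, body, SECRET, now=T0)}")
```

Two design points matter for the situation in the thread. The tag is bound to the domain and a timestamp, so a bounce for a domain the gateway never signed, or for mail supposedly sent weeks ago, fails even if the attacker has seen a genuine tagged ID; and the secret is refused while it is still the placeholder, which mirrors Thomas's warning that the default MSGIDSec is not valid. A bounce classified as backscatter would be rejected at the DATA stage instead of being queued for an invalid recipient, which is the outcome Colin asked for.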