>Shouldn't it?

No - it is not used.

>, , Y, 11

the Y shows that the hostname matches the IP

Thomas



From:    K Post <nntp.p...@gmail.com>
To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
Date:    08.05.2015 17:11
Subject: Re: [Assp-test] Senderbase not always matching domain



And here's another, also from a delta.com address, this time them sending
(legitimate) boarding passes.

Came from IP 153.69.214.203

querying
203.214.69.153.query.senderbase.org     (yes I reversed it)
returns
0-0=1|1=NCR CORPORATION|2=6.2|3=6.2|6=0|7=2|8=3410716|9=4530|20=csmail03.ncrwebhost.com|22=Y|40=4.6|41=4.5|43=4.4|44=12.2|45=N|46=11|48=24|50=Duluth|51=GA|52=30096|53=US|54=-84.1494|55=33.9791

parameter 20 shows the hostname

However, in the analyze GUI, it shows:
153.69.214.203 SenderBase: status=not classified, data=US, NCR CORPORATION, , , Y, 11
The hostname doesn't appear.  Shouldn't it?



On Fri, May 8, 2015 at 10:28 AM, K Post <nntp.p...@gmail.com> wrote:

> Thank you both for sticking with this.
>
> Greyhat, my name's Ken :)  Seriously though, the Force has taught me that
> you need to reverse the IP, which makes much more sense.  Thanks.
>
> Thomas, I know ASSP uses DNS, I just didn't know if it was querying
> differently than I was testing - and it is, the RIGHT way - reversing the
> IP.
>
> I now see the hostname being returned, and I can match on that through a
> regex.  Doesn't that open up vulnerability though if a spammer has their
> SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely,
> probably not, but it's what I would do if I were trying to send spam
> appearing to be from Delta - or worse, one of the banks.
>
> My language was also incorrect in my original post.  I talked about
> hostname, but what I'd really like to do is match on the "guess" DOMAIN
> name that the senderbase website shows, in this case e.delta.com.  So:
> 1) Is there a way to have Senderbase return the DOMAIN that it's guessing?
> 2) Is there a way to specify in the White Org file that ASSP uses to only
> match against network name, hostname, or domain name?
>
>
>
>
> On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>
>> ASSP uses DNS queries for Senderbase.
>>
>> Thomas
>>
>>
>>
>>
>>
>> From:    K Post <nntp.p...@gmail.com>
>> To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date:    07.05.2015 20:36
>> Subject: Re: [Assp-test] Senderbase not always matching domain
>>
>>
>>
>> It doesn't seem like the domain is being returned, just the network name,
>> so a lot of domains that should result in a white org score, aren't hitting.
>> This doesn't appear to be an ASSP problem
>>
>> I just did a lookup for the ip 38.100.169.66
>> At the senderbase website, it shows a domain of e.delta.com, which I have
>> whitelisted (Delta Airlines)
>>
>> However, a nslookup for the txt record only shows
>> 38.100.169.66.query.senderbase.org      text =
>>
>>         "0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|53=US|54=-97.3972|55=32.7807"
>>
>> Nowhere do I see e.delta.com which explains why ASSP isn't matching. Is
>> this the same way that ASSP queries senderbase?  Is there a way to have
>> ASSP ask senderbase to return the best guess domain name just like
>> SenderBase does on its website?  That would solve the problem where the
>> netblock is a major carrier, that carrier can't be whitelisted, but the
>> domain that's returned (or hostname) is whitelisted.
>>
>>
>>
>>
>>
>>
>> On Tue, May 5, 2015 at 5:34 PM, K Post <nntp.p...@gmail.com> wrote:
>>
>> > SenderBaseLog was set to standard before.  Set it to diagnostic.
>> >
>> > On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>> >
>> >> > > but where's the senderbase line in the log?
>> >>
>> >> check SenderBaseLog
>> >>
>> >> Thomas
>> >>
>> >>
>> >>
>> >>
>> >> From:    K Post <nntp.p...@gmail.com>
>> >> To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
>> >> Date:    05.05.2015 18:21
>> >> Subject: Re: [Assp-test] Senderbase not always matching domain
>> >>
>> >>
>> >>
>> >> >good point but I've no answer, sounds like you found a bug
>> >> Hopefully Thomas will have some time to look into this.
>> >>
>> >> Thanks again.
>> >>
>> >> On Tue, May 5, 2015 at 11:42 AM, Grayhat <gray...@gmx.net> wrote:
>> >>
>> >> > :: On Tue, 5 May 2015 11:22:07 -0400
>> >> > :: <CALhpkAnP1_EObYXMgfduF7smppj82gPx1=tbtp+vpsq0xlj...@mail.gmail.com>
>> >> > :: K Post <nntp.p...@gmail.com> wrote:
>> >> >
>> >> > > Sorry Greyhat, you lost me.  What does this show different from
>> >> > > what I was saying?   Maybe I wasn't clear.
>> >> > > When I pull up the analyze interface in assp it shows only Cogent,
>> >> > > doesn't show e.delta.com, so it's not a match to my regex, and
>> >> > > thereby doesn't get the whitesenderorg bonus.
>> >> >
>> >> > yeah, you're right, it's a strange behavior; I wonder if ASSP is using
>> >> > the /24 instead of the IP (didn't check the code) ...
>> >> >
>> >> > > And here's another issue I'm seeing with Senderbase:
>> >> > >
>> >> > > 12.130.137.89 <snapfish.4...@envfrm.rsys2.com> to: u...@ourcharity.org
>> >> > > DKIM-Signature found
>> >> >
>> >> > and here ASSP says that the message contains a DKIM signature
>> >> >
>> >> > > 12.130.137.89 <snapfish.4...@envfrm.rsys2.com> to: u...@ourcharity.org
>> >> > > info: domain emails.snapfish.com has published a DMARC record
>> >> >
>> >> > and that the sending MTA domain (emails...) publishes a DMARC record
>> >> >
>> >> > http://www.senderbase.org/lookup/?search_string=12.130.137.89
>> >> >
>> >> > > [MissingMX] 12.130.137.89 <snapfish.4...@envfrm.rsys2.com> to:
>> >> > > u...@ourcharity.org [scoring] MX missing: emails.snapfish.com
>> >> > > 12.130.137.89 <snapfish.4...@envfrm.rsys2.com> to: u...@ourcharity.org
>> >> > > Message-Score: added 10 (mxValencePB) for MX missing:
>> >> > > emails.snapfish.com, total score for this message is now 10
>> >> >
>> >> > wrong, the domain has two MX records, that is
>> >> >
>> >> > MX 10 imh.rsys2.net.
>> >> > MX 20 imh2.rsys2.net.
>> >> >
>> >> > > 12.130.137.89 <snapfish.4...@envfrm.rsys2.com> to:
>> >> > > u...@ourcharity.org HMM Check [scoring] - Prob: 1.00000 => spam
>> >> > > 12.130.137.89 <snapfish.4...@envfrm.rsys2.com> to: u...@ourcharity.org
>> >> > > Message-Score: added 49 for HMM Probability: 1.0000, total score for
>> >> > > this message is now 59
>> >> >
>> >> > ok sounds like HMM isn't properly trained, let's skip this one for the
>> >> > moment ...
>> >> >
>> >> > > The from IP in the Responsys network, and I've got that network
>> >> > > whitelisted in my senderbasewhite org config.  I've got senderbase
>> >> > > set to score. Senderbase logging is set to normal.
>> >> >
>> >> > here's what senderbase replies when queried (over DNS) for that IP
>> >> >
>> >> > IP address                       : 12.130.137.89
>> >> > version                          : 1
>> >> > org_name                         : RESPONSYS
>> >> > org_daily_magnitude              : 7.3
>> >> > org_monthly_magnitude            : 7.2
>> >> > org_first_message                : 0
>> >> > org_domains_count                : 3
>> >> > org_ip_controlled_count          : 5640
>> >> > org_ip_used_count                : 2889
>> >> > hostname                         : omp.emails.snapfish.com
>> >> > hostname_matches_ip              : Y
>> >> > ip_daily_magnitude               : 4.1
>> >> > ip_monthly_magnitude             : 4.7
>> >> > ip_average_magnitude             : 4.8
>> >> > ip_30_day_volume_percent         : 7.8
>> >> > ip_in_bonded_sender              : N
>> >> > ip_cidr_range                    : 12.130.136.0/22
>> >> > undocumented #48                 : 24
>> >> > ip_country                       : US
>> >> > ip_longitude                     : -97.0
>> >> > ip_latitude                      : 38.0
>> >> >
>> >> > so, yes, the ASSP org check should match that "RESPONSYS" if you placed
>> >> > it in whiteorg
>> >> >
>> >> >
>> >> > > In the ASSP analyze interface, it shows a WHITE match (as it should)
>> >> > >             12.130.137.89 SenderBase: status=white SenderBase,
>> >> > > data=US, RESPONSYS, , , Y, 22
>> >> > > but where's the senderbase line in the log?
>> >> >
>> >> > good point but I've no answer, sounds like you found a bug
>> >> >
>> >> >
>> >> >
>> >> >
>> >> > _______________________________________________
>> >> > Assp-test mailing list
>> >> > Assp-test@lists.sourceforge.net
>> >> > https://lists.sourceforge.net/lists/listinfo/assp-test
>> >> >
>> >> DISCLAIMER:
>> >> *******************************************************
>> >> This email and any files transmitted with it may be confidential, legally
>> >> privileged and protected in law and are intended solely for the use of the
>> >> individual to whom it is addressed.
>> >> This email was multiple times scanned for viruses. There should be no
>> >> known virus in this email!
>> >> *******************************************************
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
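
Added example, not part of the original thread and not ASSP code: Python that builds the reversed-IP query name, parses the TXT records quoted above, and accepts a hostname for a white-org style match only when field 22 is Y and the name sits under the expected domain. The field-name mapping, the reading of the leading "0-" as a chunk index, the helper names and the two EXAMPLE ISP records are assumptions made for illustration.

```python
import ipaddress
import re

# Field numbers -> names, inferred by aligning the raw records in this thread
# with the decoded listing quoted in it (assumption, not an official schema).
FIELDS = {"0": "version", "1": "org_name", "20": "hostname",
          "22": "hostname_matches_ip", "46": "ip_cidr_prefix", "53": "ip_country"}

# Records from the thread, mail line wraps removed.
NCR_TXT = ("0-0=1|1=NCR CORPORATION|2=6.2|3=6.2|6=0|7=2|8=3410716|9=4530|"
           "20=csmail03.ncrwebhost.com|22=Y|40=4.6|41=4.5|43=4.4|44=12.2|45=N|"
           "46=11|48=24|50=Duluth|51=GA|52=30096|53=US|54=-84.1494|55=33.9791")
CHARTER_TXT = ("0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|"
               "8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|"
               "52=76114|53=US|54=-97.3972|55=32.7807")  # no field 20 at all
# Constructed records (not real SenderBase data) for the two risky cases.
UNCONFIRMED_TXT = "0-0=1|1=EXAMPLE ISP|20=mtaxxx.e.delta.com|22=N|53=US"
LOOKALIKE_TXT = "0-0=1|1=EXAMPLE ISP|20=e.delta.com.mail.example.net|22=Y|53=US"

def query_name(ip):
    """Build the DNS name to query: octets reversed, as the thread concludes."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".query.senderbase.org"

def parse_txt(txt):
    """Split 'k=v|k=v' into a dict; the leading '0-' is dropped (assumed index)."""
    txt = re.sub(r"^\d+-", "", txt.strip().strip('"'))
    rec = {}
    for pair in txt.split("|"):
        key, sep, value = pair.partition("=")
        if sep:
            rec[FIELDS.get(key.strip(), key.strip())] = value.strip()
    return rec

def hostname_in_domain(rec, domain):
    """Trust the hostname only if flagged as matching the IP and under domain."""
    host = rec.get("hostname", "").lower().rstrip(".")
    if not host or rec.get("hostname_matches_ip") != "Y":
        return False
    return host == domain or host.endswith("." + domain)

if __name__ == "__main__":
    print(query_name("153.69.214.203"))
    for txt in (NCR_TXT, CHARTER_TXT, UNCONFIRMED_TXT, LOOKALIKE_TXT):
        rec = parse_txt(txt)
        print(rec.get("org_name"), rec.get("hostname"),
              hostname_in_domain(rec, "e.delta.com"))
```

An unanchored regex such as e\.delta\.com would accept the LOOKALIKE_TXT hostname; the suffix comparison does not.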
