OH - so senderbase is only looking at the network name? If that's the case, the sample whiteorg.txt file at http://assp.cvs.sourceforge.net/viewvc/assp/assp2/files/whiteorg.txt threw me off based on its listings.

Does this mean that for something like Delta Airlines, who doesn't generally send from a network that Senderbase identifies as theirs, we'd have to match against a giant network like Cogent instead of the hostname or, better, the domain name that senderbase sees?

On Fri, May 8, 2015 at 11:50 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> >Shouldn't it?
>
> No - it is not used.
>
> >, , Y, 11
>
> the Y shows that the hostname matches the IP
>
> Thomas
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 08.05.2015 17:11
> Subject: Re: [Assp-test] Senderbase not always matching domain
>
> And here's another, also from a delta.com address, this time them sending
> (legitimate) boarding passes.
>
> Came from IP 153.69.214.203
>
> querying
> 203.214.69.153.query.senderbase.org (yes I reversed it)
> returns
> 0-0=1|1=NCR CORPORATION|2=6.2|3=6.2|6=0|7=2|8=3410716|9=4530|20=csmail03.ncrwebhost.com|22=Y|40=4.6|41=4.5|43=4.4|44=12.2|45=N|46=11|48=24|50=Duluth|51=GA|52=30096|53=US|54=-84.1494|55=33.9791
>
> parameter 20 shows the hostname
>
> However, in the analyze GUI, it shows:
> 153.69.214.203 SenderBase: status=not classified, data=US, NCR CORPORATION, , , Y, 11
> The hostname doesn't appear. Shouldn't it?
>
> On Fri, May 8, 2015 at 10:28 AM, K Post <nntp.p...@gmail.com> wrote:
>
> > Thank you both for sticking with this.
> >
> > Greyhat, my name's Ken :) Seriously though, the Force has taught me that
> > you need to reverse the IP, which makes much more sense. Thanks.
> >
> > Thomas, I know ASSP uses DNS, I just didn't know if it was querying
> > differently than I was testing - and it is, the RIGHT way - reversing the
> > IP.
> >
> > I now see the hostname being returned, and I can match on that through a
> > regex. Doesn't that open up a vulnerability though if a spammer has their
> > SMTP server's IP address reverse to mtaxxx.e.delta.com? Likely,
> > probably not, but it's what I would do if I were trying to send spam
> > appearing to be from Delta - or worse, one of the banks.
> >
> > My language was also incorrect in my original post. I talked about
> > hostname, but what I'd really like to do is match on the "guess" DOMAIN
> > name that the senderbase website shows, in this case e.delta.com. So:
> > 1) Is there a way to have Senderbase return the DOMAIN that it's guessing?
> > 2) Is there a way to specify in the White Org file that ASSP uses to only
> > match against network name, hostname, or domain name?
> >
> > On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> >
> >> ASSP uses DNS queries for Senderbase.
> >>
> >> Thomas
> >>
> >> From: K Post <nntp.p...@gmail.com>
> >> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> >> Date: 07.05.2015 20:36
> >> Subject: Re: [Assp-test] Senderbase not always matching domain
> >>
> >> It doesn't seem like the domain is being returned, just the network name,
> >> so a lot of domains that should result in a white org score aren't hitting.
> >> This doesn't appear to be an ASSP problem.
> >>
> >> I just did a lookup for the ip 38.100.169.66
> >> At the senderbase website, it shows a domain of e.delta.com, which I have
> >> whitelisted (Delta Airlines)
> >>
> >> However, an nslookup for the txt record only shows
> >> 38.100.169.66.query.senderbase.org text =
> >> "0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|53=US|54=-97.3972|55=32.7807"
> >>
> >> Nowhere do I see e.delta.com, which explains why ASSP isn't matching. Is
> >> this the same way that ASSP queries senderbase? Is there a way to have
> >> ASSP ask senderbase to return the best guess domain name just like
> >> SenderBase does on its website? That would solve the problem where the
> >> netblock is a major carrier, that carrier can't be whitelisted, but the
> >> domain that's returned (or hostname) is whitelisted.
> >>
> >> On Tue, May 5, 2015 at 5:34 PM, K Post <nntp.p...@gmail.com> wrote:
> >>
> >> > SenderBaseLog was set to standard before. Set it to diagnostic.
> >> >
> >> > On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> >> >
> >> >> > > but where's the senderbase line in the log?
> >> >>
> >> >> check SenderBaseLog
> >> >>
> >> >> Thomas
> >> >>
> >> >> From: K Post <nntp.p...@gmail.com>
> >> >> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> >> >> Date: 05.05.2015 18:21
> >> >> Subject: Re: [Assp-test] Senderbase not always matching domain
> >> >>
> >> >> >good point but I've no answer, sounds like you found a bug
> >> >> Hopefully Thomas will have some time to look into this.
> >> >>
> >> >> Thanks again.
> >> >>
> >> >> On Tue, May 5, 2015 at 11:42 AM, Grayhat <gray...@gmx.net> wrote:
> >> >>
> >> >> > :: On Tue, 5 May 2015 11:22:07 -0400
> >> >> > :: <CALhpkAnP1_EObYXMgfduF7smppj82gPx1=tbtp+vpsq0xlj...@mail.gmail.com>
> >> >> > :: K Post <nntp.p...@gmail.com> wrote:
> >> >> >
> >> >> > > > Sorry Greyhat, you lost me. What does this show different from
> >> >> > > > what I was
> >> >> > > saying? Maybe I wasn't clear.
> >> >> > > When I pull up the analyze interface in assp it shows only Cogent,
> >> >> > > doesn't show e.delta.com, so it's not a match to my regex, and
> >> >> > > thereby doesn't get the whitesenderorg bonus.
> >> >> >
> >> >> > yeah, you're right, it's a strange behavior; I wonder if ASSP is using
> >> >> > the /24 instead of the IP (didn't check the code) ...
> >> >> >
> >> >> > > And here's another issue I'm seeing with Senderbase:
> >> >> > >
> >> >> > > 12.130.137.89 <snapfish.4...@envfrm.rsys2.com> to: u...@ourcharity.org
> >> >> > > DKIM-Signature found
> >> >> >
> >> >> > and here ASSP says that the message contains a DKIM signature
> >> >> >
> >> >> > > 12.130.137.89 <snapfish.4...@envfrm.rsys2.com> to: u...@ourcharity.org
> >> >> > > info: domain emails.snapfish.com has published a DMARC record
> >> >> >
> >> >> > and that the sending MTA domain (emails...) publishes a DMARC record
> >> >> >
> >> >> > http://www.senderbase.org/lookup/?search_string=12.130.137.89
> >> >> >
> >> >> > > [MissingMX] 12.130.137.89 <snapfish.4...@envfrm.rsys2.com> to:
> >> >> > > u...@ourcharity.org [scoring] MX missing: emails.snapfish.com
> >> >> > > 12.130.137.89 <snapfish.4...@envfrm.rsys2.com> to: u...@ourcharity.org
> >> >> > > Message-Score: added 10 (mxValencePB) for MX missing:
> >> >> > > emails.snapfish.com, total score for this message is now 10
> >> >> >
> >> >> > wrong, the domain has two MX records, that is
> >> >> >
> >> >> > MX 10 imh.rsys2.net.
> >> >> > MX 20 imh2.rsys2.net.
> >> >> >
> >> >> > > 12.130.137.89 <snapfish.4...@envfrm.rsys2.com> to:
> >> >> > > u...@ourcharity.org HMM Check [scoring] - Prob: 1.00000 => spam
> >> >> > > 12.130.137.89 <snapfish.4...@envfrm.rsys2.com> to: u...@ourcharity.org
> >> >> > > Message-Score: added 49 for HMM Probability: 1.0000, total score for
> >> >> > > this message is now 59
> >> >> >
> >> >> > ok sounds like HMM isn't properly trained, let's skip this one for the
> >> >> > moment ...
> >> >> >
> >> >> > > The from IP is in the Responsys network, and I've got that network
> >> >> > > whitelisted in my senderbasewhite org config. I've got senderbase
> >> >> > > set to score. Senderbase logging is set to normal.
> >> >> >
> >> >> > here's what senderbase replies when queried (over DNS) for that IP
> >> >> >
> >> >> > IP address : 12.130.137.89
> >> >> > version : 1
> >> >> > org_name : RESPONSYS
> >> >> > org_daily_magnitude : 7.3
> >> >> > org_monthly_magnitude : 7.2
> >> >> > org_first_message : 0
> >> >> > org_domains_count : 3
> >> >> > org_ip_controlled_count : 5640
> >> >> > org_ip_used_count : 2889
> >> >> > hostname : omp.emails.snapfish.com
> >> >> > hostname_matches_ip : Y
> >> >> > ip_daily_magnitude : 4.1
> >> >> > ip_monthly_magnitude : 4.7
> >> >> > ip_average_magnitude : 4.8
> >> >> > ip_30_day_volume_percent : 7.8
> >> >> > ip_in_bonded_sender : N
> >> >> > ip_cidr_range : 12.130.136.0/22
> >> >> > undocumented #48 : 24
> >> >> > ip_country : US
> >> >> > ip_longitude : -97.0
> >> >> > ip_latitude : 38.0
> >> >> >
> >> >> > so, yes, the ASSP org check should match that "RESPONSYS" if you placed
> >> >> > it in whiteorg
> >> >> >
> >> >> > > In the ASSP analyze interface, it shows a WHITE match (as it should)
> >> >> > > 12.130.137.89 SenderBase: status=white SenderBase,
> >> >> > > data=US, RESPONSYS, , , Y, 22
> >> >> > > but where's the senderbase line in the log?
> >> >> >
> >> >> > good point but I've no answer, sounds like you found a bug
> >> >> >
> >> >> > ------------------------------------------------------------------------------
> >> >> > One dashboard for servers and applications across Physical-Virtual-Cloud
> >> >> > Widest out-of-the-box monitoring support with 50+ applications
> >> >> > Performance metrics, stats and reports that give you Actionable Insights
> >> >> > Deep dive visibility with transaction tracing using APM Insight.
> >> >> > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> >> >> > _______________________________________________
> >> >> > Assp-test mailing list
> >> >> > Assp-test@lists.sourceforge.net
> >> >> > https://lists.sourceforge.net/lists/listinfo/assp-test
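The answer format discussed in the thread (pipe-separated numbered fields, parameter 20 = hostname, 22 = hostname matches IP) and the whiteorg question Ken raises, as an added example that is not part of this thread or of ASSP's own code: a parser for the TXT answer plus a whitelist check that only trusts the hostname when SenderBase reports it matches the IP, so a forged reverse-DNS name by itself earns no white bonus. The field-number-to-name mapping is inferred from the two raw answers and Grayhat's decoded listing above and is an assumption; the "forged PTR" record is constructed, not a real lookup.

```python
# Parser and whitelist check for SenderBase DNS TXT answers (example code, not ASSP's).
# Field numbers -> names: inferred from the raw answers and Grayhat's decoded listing
# quoted in this thread; the mapping is an assumption, unknown fields keep their number.
FIELDS = {
    "1": "org_name", "2": "org_daily_magnitude", "3": "org_monthly_magnitude",
    "7": "org_domains_count", "20": "hostname", "22": "hostname_matches_ip",
    "46": "ip_cidr_bits", "50": "city", "51": "state", "53": "country",
}

# Raw answer for 153.69.214.203 as quoted in the thread (mail line wrap rejoined).
NCR_TXT = ('"0-0=1|1=NCR CORPORATION|2=6.2|3=6.2|6=0|7=2|8=3410716|9=4530|'
           '20=csmail03.ncrwebhost.com|22=Y|40=4.6|41=4.5|43=4.4|44=12.2|45=N|'
           '46=11|48=24|50=Duluth|51=GA|52=30096|53=US|54=-84.1494|55=33.9791"')
# Constructed answer: a host whose PTR claims a delta.com name that SenderBase
# did NOT confirm against the IP (22=N). Not a real lookup result.
FORGED_PTR_TXT = "0-0=1|1=EXAMPLE HOSTING LTD|20=mta99.e.delta.com|22=N|46=24|53=US"


def parse_senderbase(txt):
    """Split a 'k=v|k=v|...' TXT answer into a dict keyed by field name."""
    rec = {}
    for part in txt.strip().strip('"').split("|"):
        key, _, value = part.partition("=")
        rec[FIELDS.get(key, "field_" + key)] = value
    return rec


def whiteorg_match(rec, org_names, host_domains):
    """Return 'org', 'hostname' or None.

    'org' matches the network/org name (field 1), which is what the thread says
    ASSP's whiteorg compares. 'hostname' matches field 20 against a whitelisted
    domain, but only when field 22 is 'Y' (SenderBase confirmed the name matches
    the IP), so merely pointing a PTR at e.delta.com does not produce a match.
    """
    if rec.get("org_name", "").upper() in {o.upper() for o in org_names}:
        return "org"
    host = rec.get("hostname", "").lower().rstrip(".")
    if host and rec.get("hostname_matches_ip") == "Y":
        for dom in host_domains:
            dom = dom.lower().rstrip(".")
            if host == dom or host.endswith("." + dom):
                return "hostname"
    return None


if __name__ == "__main__":
    for txt in (NCR_TXT, FORGED_PTR_TXT):
        rec = parse_senderbase(txt)
        print(rec["org_name"], rec.get("hostname"), rec.get("hostname_matches_ip"),
              whiteorg_match(rec, ["NCR CORPORATION"], ["e.delta.com"]))
```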