We could do a 421 or 521 but with whatever message we wanted, like simply
"terminated."  That way malicious actors wouldn't be able to easily
identify ASSP as the one saying that.  A little security through obscurity
- but it's really not important.  If it's a pain to implement, don't.  Not
worth it.

I understood the max errors idea, in terms of scoring the ip, but we don't
want to allow bad guys to do anything more once we catch them.  If we catch
the favicon request, we want to kill the connection right there (as ASSP
already does so well), but then stop them from connecting again...  I
figured ASSP could do this pretty easily by simply giving a bad score to
the IP, but again, if that's a pain to write, skip it.



On Mon, May 16, 2016 at 11:14 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> >1) Give us the ability to customize the 421 message
>
> What else would you send? Reasonable and possibly better would be the
> permanent error - 521 ....
> I'll think about, if the permanent error is right in every state of the
> SMTP session.
>
> >2) Give us the ability to give the ip the extreme score so that future
>
> What was unclear in my answer?
>
> > No. preHeaderRe is designed and used to protect assp from dangerous
> > content. If a match is found for preHeaderRe, the connection is
> > terminated by processing a minimal code part.
> >
> > To score this misbehavior, let the client do the wrong things and catch
> > the misbehavior with 'MaxErrors'.
>
> Hmmm ... - the preHeaderRe check is done before a SMTP command or header
> content is processed by a SocketCall (check engine).  But only the check
> engine knows how and when to reply with the right Reply-Codes. preHeaderRe
> is a 'horror hack' to protect the assp check engine from dangerous content
> that may cause crashes.
> A normal scenario to configure preHeaderRe would be:
>
> - assp crashes several times because of misbehaved SMTP sessions or
> content
> - the crashAnalyzer was switched on
> - assp crashes several times because of misbehaved SMTP sessions or
> content
> - the crashAnalyzer has analyzed the misbehaved SMTP sessions or content
> and gives an advice to configure preHeaderRe
>
> 'MaxErrors' is the right way to penalize this misbehavior (HEAD
> /favicon.ico HTTP/1.0) !
>
>
> Thomas
>
>
>
> From:    K Post <nntp.p...@gmail.com>
> To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:    16.05.2016 15:54
> Subject: Re: [Assp-test] preHeaderRe not working as expected,
> Chinese hack attempts HEAD /favicon.ico HTTP/1.0
>
>
>
> Thanks for working to fix this. Will you be changing it to send a close to
> our smtp server (or is that even necessary)?
>
> Would it be a big deal (and worthwhile) to:
>
> 1) Give us the ability to customize the 421 message
>
> 2) Give us the ability to give the ip the extreme score so that future
> attempts are outright ignored?   I really like being able to cut off badly
> acting servers right away, and if a server's going to be bad like that, it
> would be great to just block them right away so ultimately they'll leave us
> alone.  I think this would be a valuable addition to ASSP functionality,
> but it's not worth it if it would be cumbersome for you to implement or if
> it would impact performance.
>
>
>
> On Mon, May 16, 2016 at 3:22 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>
> > The 421.... is sent to wrong peer for preHeaderRe - this will be fixed.
> >
> > >Also, is there a way to have specific matches from preHeaderRe make the
> > > ip score extreme right away
> >
> > No. preHeaderRe is designed and used to protect assp from dangerous
> > content. If a match is found for preHeaderRe, the connection is
> > terminated by processing a minimal code part.
> >
> > To score this misbehavior, let the client do the wrong things and catch
> > the misbehavior with 'MaxErrors'.
> >
> > Thomas
> >
> >
> >
> >
> >
> >
> > From:    K Post <nntp.p...@gmail.com>
> > To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
> > Date:    15.05.2016 18:02
> > Subject: [Assp-test] preHeaderRe not working as expected, Chinese
> > hack attempts HEAD /favicon.ico HTTP/1.0
> >
> >
> >
> > We're getting TONS of requests, all from Chinese IPs sending
> >
> > HEAD /favicon.ico HTTP/1.0
> > close
> >     (and a blank line)
> >
> > through ASSP.  Essentially, our server says helo, their server responds
> > with the "head" line above, we say that's not valid, they say close, we
> > say, that's not valid, they send a blank line, we say not valid, and they
> > disconnect.
> >
> > I'm not sure what they're trying to accomplish, but it's happening...
> >
> > https://www.abuseipdb.com/check/219.145.184.210 has a similar report.
> > https://www.abuseipdb.com/check/117.27.245.185
> >
> >
> > I've added
> > HEAD /favicon\.ico HTTP/1\.0
> > to my preHeaderRe file thinking that this would stop our smtp server from
> > receiving the command, and it does but not how I'd expect.
> >
> > Before, we were seeing this logged on our smtp server
> > SENT 220 smtp.ourcharity.org
> > RECEIVED: HEAD /favicon.ico HTTP/1.0
> > SENT: 503 Bad sequence of commands
> > RECEIVED: close
> > SENT: 503 Bad sequence of commands
> > RECEIVED:     <-- blank line
> > SENT: 503 Bad sequence of commands
> >
> > now we're getting
> > SENT 220 smtp.ourcharity.org
> > RECEIVED: 421 assp.ourcharity.org Service not available, closing
> > transmission channel
> > SENT: 503 Bad sequence of commands
> >
> > So it seems that ASSP is in fact stopping the hacker from sending the head
> > line to our smtp server and terminating the session, but ASSP is sending
> > the 421 to our server NOT (or not only) to the sending server.
> >
> > I don't know if this is by design, if I'm just not understanding, or what,
> > but I was hoping that ASSP would
> >
> > 1) Intercept the bad HEAD /favicon\.ico HTTP/1\.0 line
> >
> > 2) send a "quit" command to our SMTP server to gracefully close the
> > session
> > without the unexpected 421 line that our smtp server doesn't know how to
> > handle
> >
> > 3) send a 421 or whatever to the other smtp server saying to go away
> >
> >
> > Also, is there a way to have specific matches from preHeaderRe make the ip
> > score extreme right away  - or if that's even a good idea?  I was thinking
> > of being able to add a weight to preHeaderRe or something along those lines
> > to score the IP.
> >
> > Other suggestions or thoughts?  Are other people seeing this?
> >
> > Thanks.
> >
> >
>
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
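Added example, not ASSP's own code: a small Python model of the proxy behaviour this thread argues about. It drops a session on the thread's preHeaderRe pattern and sends the protected server a clean QUIT instead of the 421 that showed up in the server log above, counts bad commands per IP the way MaxErrors does, and, through a hypothetical score_pre_header option, also blocks the IP on a preHeaderRe hit. The 521 "terminated" reply, the server name and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# The pattern the thread added to its preHeaderRe file (constructed model, not ASSP code).
PRE_HEADER_RE = re.compile(r"HEAD /favicon\.ico HTTP/1\.0")
# Verbs a client may legitimately send; anything else counts as an error.
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT", "STARTTLS"}
CLOSE_REPLY = "421 Service not available, closing transmission channel"

class Gateway:
    """Stand-in SMTP proxy: counts bad commands per IP (MaxErrors), optionally
    scores a preHeaderRe hit too, and refuses blocked IPs on reconnect."""

    def __init__(self, max_errors=3, score_pre_header=False):
        self.max_errors = max_errors
        self.score_pre_header = score_pre_header  # hypothetical option from the thread
        self.errors = defaultdict(int)
        self.blocked = set()

    def _block(self, ip):
        self.blocked.add(ip)
        # Generic permanent reply, as suggested in the thread: reveals nothing
        # about which filter fired.
        return "521 terminated"

    def handle_session(self, ip, client_lines):
        """Return (to_client, to_server): what the proxy says to the peer and
        what it forwards to the protected server. Server replies not modelled."""
        if ip in self.blocked:
            return ["521 terminated"], []
        to_client, to_server = ["220 smtp.example.test ESMTP"], []
        for line in client_lines:
            if PRE_HEADER_RE.search(line):
                # Terminate towards the client; the server gets a clean QUIT
                # instead of the stray 421 the thread saw in its server log.
                to_client.append(self._block(ip) if self.score_pre_header else CLOSE_REPLY)
                to_server.append("QUIT")
                return to_client, to_server
            verb = line.strip().split(" ", 1)[0].upper()
            if verb in SMTP_VERBS:
                to_server.append(line)
                continue
            self.errors[ip] += 1
            if self.errors[ip] >= self.max_errors:
                to_client.append(self._block(ip))
                to_server.append("QUIT")
                return to_client, to_server
            to_client.append("503 Bad sequence of commands")
        return to_client, to_server
```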
