Good afternoon,
I am using postfix within assp only for sending mail as a relay for
exchange 2010. When I do telnet tests it gives me everything correct and
sends but the emails do not go to the internet, gmail, etc ...
The errors I see in mail.log are 554 5.4.0 and also 421 4.7.0.
But I have no more information and I also get the bounced mail at the
origin.
Can anyone help me correct it?
Thank you.
Greetings.

On Tue, Mar 3, 2020 at 18:21, K Post (<nntp.p...@gmail.com>) wrote:

> That's one heck of a regex, but I get the idea..  Thank you.
>
> How much overhead would this add if it was set for 20-30 people?
>
> Is the AllowCodeInRegex feature documented anywhere?  I only see:
>
>
> - it is now possible to use the regex-eval-code function in regular
> expressions without any restriction
> however - it is highly recommended to NOT enable the required hidden
> feature ('AllowCodeInRegex'). If regex files are not protected from
> unauthorized write access,
>
>   assp/perl can be forced to execute any code at runtime!
>
> I don't like doing anything you don't recommend - you obviously know your
> stuff.  Provided my ASSP server is inaccessible to others, is this still a
> big risk?
>
> Why are you using the hex codes in the regex?  Just preference or a
> requirement of using AllowCodeInRegex?
>
> Again, thanks
> Ken
>
>
> On Tue, Mar 3, 2020 at 2:19 AM Thomas Eckardt <thomas.ecka...@thockar.com>
> wrote:
>
>> this regex (all in one line) example will call sub
>> CorrectASSPcfg::tagSubject if a match is found - values are bold
>>
>> (?:^|\n)(?:*from|sender|reply-to*):\s*"?\s*(?:(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.? *)?(?{local %_ = qw, fname *paul*  sname *jones*  domain *OurCharity.org* ,})(?:(??{$_{'fname'}})[.\x20_\-]+(??{$_{'sname'}})|(??{$_{'sname'}})[,\x20](??{$_{'fname'}})|(??{$_{'fname'}})\.(??{$_{'sname'}})\@(??{$_{'domain'}})))\s*"?[^<]*<[^\@]+\@(?!(??{$_{'domain'}}))\x3E(?{&CorrectASSPcfg::tagSubject($fh)})
>>
>>
>> *this example requires the hidden variable 'AllowCodeInRegex' to be set
>> to 1*
>>
>>
>>
>>
>> in the sub CorrectASSPcfg::tagSubject you can do and modify what ever you
>> want (even the complete mail)
>>
>> modify the subject - example
>>
>> my $fh = shift;
>> return unless $fh;
>> return unless exists $main::Con{$fh};
>>
>> my $this = $main::Con{$fh};
>> my $HeaderRe = $main::HeaderRe;
>> my $HeaderValueRe = $main::HeaderValueRe;
>>
>> # insert the tag in front of the existing subject value
>> $this->{header} =~ s/($HeaderRe*)(subject:)($HeaderValueRe)/$1$2 your_tag$3/io;
>> # keep the stored lengths in sync with the modified header
>> $this->{maillength} = $this->{headerlength} = length($this->{header});
>>
>> mlog($fh,"info: found match for local name in external mail - subject was modified");
>>
>> return 1;
>>
>>
>>
>> Thomas
>>
>>
>>
>> From:        "K Post" <nntp.p...@gmail.com>
>> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
>> Date:        18.02.2020 19:33
>> Subject:        Re: [Assp-test] Message body modification
>> ------------------------------
>>
>>
>>
>> I know we've been round and round on this, but it continues to be a
>> problem, and it's only getting worse.   Spear phishing via CEO name
>> spoofing is all too common and ASSP doesn't yet do all that much to
>> protect.
>>
>> Today our staff got hit with another spear phishing email from a gmail
>> account that was created with our director's name on it.  The staff is
>> trained very well and they didn't fall for it, but it was really cleverly
>> crafted and obviously had some inside information that if followed would
>> have been terrible for the organization.  There's no way that ASSP could
>> have detected this.  It wasn't HMM/Bayesian spammy, it came from a good IP
>> (gmail).  DKIM signed, spf pass, etc.  To a computer, nothing about it was
>> bad.  However, if ASSP were able to say "hey, this email has the director's
>> name in the FROM, but it isn't from director.n...@ourcharity.org.  I'd
>> better *warn* the user" we would have been safer.
>>
>> My original idea was to insert an HTML warning into the body of the
>> message like Google and other providers do.  That's apparently a 100+ hour
>> project.  I tried to get funding, but got laughed at...
>>
>> What if instead, there were some kind of manually maintained rule based
>> matching on the FROM line that *could modify only the subject*. instead
>> of being overly complicated and inserting a warning in the body?  Kind of
>> like the spam prepend that low threshold mails get?
>>
>> Your sample rules in this thread are good, but they score the message.
>> That's not what I'm suggesting.  I do NOT want to block or even score these
>> messages - there's plenty of times that the director sends legitimate
>> message from personal gmail/hotmail/whatever and it of course has her
>> name.  BUT, to either have an HTML warning in the body or even just
>> [EXTERNAL MESSAGE] or something prepended to the subject when ASSP detects
>> this would be an outstanding feature.
>>
>> We really only need to check the FROM line.  Sender, Reply to, etc
>> doesn't matter.  ASSP will keep doing its job blocking spoofed headers,
>> but the NAME of the sender is what we're considering.
>>
>> How about something like:
>> to:first:last:notfrom:WarnMsg
>>
>> *@ourcharity:Sally:Smith:sally.sm...@ourcharity.org:Caution: External
>> Email
>>
>> matches mail sent to *@OurCharity.org, with a from line where the name
>> (not the email address, but the name itself) is a combination of FirstName
>> & LastName.* that ASSP tests against (.*FirstName.*LastName.*,
>> .*Lastname.*FirstName.*), where the from email isn't
>> sally.sm...@ourcharity.org
>>
>> Even better:
>> *@ourcharity:Paul:Jones:paul.jo...@ourcharity.org|pjones12...@gmail.com:Caution:
>> External Email Not From Paul
>>
>> Which would catch the same thing, but not warn if the message is from
>> either Paul's known gmail account or his @OurCharity.org account.
>>
>> Does this simplification of the rules and only warning in the subject
>> instead of modifying the body make this easy enough for you to implement? I
>> understand that this isn't simple, but based on discussions that I've had
>> with counterparts elsewhere, they're all seeing the same problem.
>>
>> Would a body warning be great?  Of course, but since that's too much
>> work, I'm hopeful that subject modification based on these rules could be a
>> possibility.
>>
>> Thanks
>>
>>
>>
>>
>>
>>
>> On Thu, Nov 7, 2019 at 9:46 PM K Post <nntp.p...@gmail.com> wrote:
>> Thanks for the nudge in the right direction.  I'll take a look at that
>> regex.  Showing the sender address in Outlook won't fly.  It's a good idea,
>> but users would hate it and it doesn't solve the issue for mobile users
>> (where most of our users get tricked into a quick reply).
>>
>> How much would you need for a 100 hour or so sponsorship of this?  I
>> doubt our charity can come up with the funds, but I'd try!!
>>
>> On Mon, Nov 4, 2019 at 9:12 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>> Such a feature is not worth the effort.
>>
>> https://www.howto-outlook.com/howto/viewsenderaddress.htm
>>
>> There are too many pitfalls and too many required manual configuration
>> tweaks and exceptions to be handled.
>> examples:
>> - assp does not know user and mailbox names - requires manual tweaks
>> using lists and/or regular expressions
>> - to keep the manual configuration impact low, a complex and very
>> variable LDAP and/or external scripting will be required
>> - a per local domain configuration will be required
>> - several bounce sender tagging mechanisms will make problems (example:
>> <bob.jones=ourcharity....@domain.com> )
>> ....
>>
>> So, with this feature you would have to configure matching sets for each
>> user. But you can do this now already - in 'bombHeaderRe'. If you got a
>> regular expression working for one user, it is easy to build them for every
>> user.
>> example:
>>
>> ~<<<(?:^|\n)(?:from|sender|reply-to):\s*"?\s*(?:(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.? *)?(?{local %_ = qw, fname *bob*  sname *jones*  domain *ourcharity.org* ,})(?:(??{$_{'fname'}})[. _\-]+(??{$_{'sname'}})|(??{$_{'sname'}})[, ](??{$_{'fname'}})|(??{$_{'fname'}})\.(??{$_{'sname'}})\@(??{$_{'domain'}})))\s*"?[^<]*<[^\@]+\@(?!(??{$_{'domain'}}))\x3E>>>~=>YOURSCORE
>>
>> this example requires the hidden variable 'AllowCodeInRegex' to be set to
>> 1
>> and a small change in assp.pl - will be published
>> soon
>>
>> or more simple, but much more needs to be changed in each line
>>
>> ~<<<(?:^|\n)(?:from|sender|reply-to):\s*"?\s*(?:(?:(?:Mrs?|Ms|Miss|Dr|Prof)\.? *)?(?:*bob*[. _\-]+*jones*|*jones*[, ]*bob*|*bob.jones\@ourcharity\.org* ))\s*"?[^<]*<[^\@]+\@(?!*ourcharity\.org*)\x3E>>>~=>YOURSCORE
>>
>>
>>
>> However, if you think you need such a feature, you'll need to sponsor it
>> or find a sponsor. I expect an effort of two weeks but not less than 100
>> hours to implement and test this feature as a level-1 plugin.
>>
>> Thomas
>>
>>
>>
>>
>>
>> From:        "K Post" <nntp.p...@gmail.com>
>> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
>> Date:        04.11.2019 00:28
>> Subject:        Re: [Assp-test] Message body modification
>> ------------------------------
>>
>>
>>
>> Right, but what I'm trying to accomplish (as described in detail in my
>> previous thread) is flagging, maybe just with subject modification, mail
>> from outside senders with a name that matches one of our organization's
>> senders.  I'd love to be able to have ASSP insert a warning, not on all
>> mail, but only when there's a suspicious name match.  We can't reasonably
>> quarantine all external email, the messages in question don't have links or
>> attachments to block.
>>
>> For example Bob Jones <bob.jo...@ourcharity.org> is the real address
>> within our organization.  We're seeing name spoofing mail from Bob Jones
>> <bob.jones.ourcharity....@gmail.com> or Bob Jones
>> <president123mad...@gmail.com>.  It shows up in outlook as Bob Jones in
>> the inbox.   Lots of times, the message even had the signature that the
>> person actually uses.  We've had even some of our most savvy users get
>> tricked.   The messages slip through assp, because they're innocuous
>> sounding "are you in the office? I need your help"  "I've got a favor to
>> ask, reply when you get this please?"  Whatever, user gets fooled, replies,
>> and then that gmail address is whitelisted.  The next mail asks for the
>> purchase of gift cards, etc.  Common scheme.  If we could change even just
>> the subject line like [Potential Spoof]: <real subject> that would help the
>> recipient.  Inserting a warning into the body would be even better!
>>
>> To do the matching though, we'd need to list the names of our people and
>> their correct address and have ASSP flag only when there's a match from
>> outside.   Of course there are lots of legitimate instances where our
>> people email from their real personal email address to our staff.  Those
>> would get a subject or body modification too, but that's okay.  We don't
>> have the budget to have a third party system do this.
>>
>> Would you mind taking a look at the original thread for more detail and
>> explanation of what I'm thinking?  I think it's at least worth discussion -
>> I think there's some real value to the ASSP community being how often we're
>> getting name spoofing messages.
>>
>>
>> On Sat, Nov 2, 2019 at 3:34 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>> simple company rules are the solution:
>>
>> - every mail from outside the company is subject to be malicious - opening
>> attachments or following links in such mails requires a full manual
>> verification of the email before any action is done - on any doubt the mail
>> has to be quarantined
>> - quarantined mails are untouchable as long as they are not released by an
>> authorized person or system
>> - every mail from outside the company passed an assp system
>> - every mail from/to inside the company will never reach any assp system
>> (except assp reporting)
>> - every mail from outside contains a X-ASSP header but at least the ASSP
>> received header - this header has to be used by the mail client and/or
>> server to classify the mail
>>
>> >can I insert something into the bodies of selected messages as it is
>> sent to the real mail server
>>
>> there is no such code in assp.pl - only ASSP_AFC is
>> able to manipulate the mail body (replace attachments , SMIME)
>>
>> >without having that warning message saved in the corpus
>>
>> assp stores the incoming mail + assp headers  - never the content sent to
>> the server
>>
>> Thomas
>>
>>
>>
>> From:        "K Post" <nntp.p...@gmail.com>
>> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
>> Date:        01.11.2019 18:02
>> Subject:        [Assp-test] Message body modification
>> ------------------------------
>>
>>
>>
>> Thomas, quick question: can I insert something into the bodies of
>> selected messages as it is sent to the real mail server without having that
>> warning message saved in the corpus?
>>
>> Early last month, I sent "An idea: Visual warnings in message body" but
>> received no replies.
>> We're seeing SO many of these, that I might try to figure this out on my
>> own if there isn't broad appeal.
>>
>> Thanks
>>
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>>
>>
>>
>>
>> DISCLAIMER:
>> *******************************************************
>> This email and any files transmitted with it may be confidential, legally
>> privileged and protected in law and are intended solely for the use of the
>> individual to whom it is addressed.
>> This email was multiple times scanned for viruses. There should be no
>> known virus in this email!
>> *******************************************************
>>

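The rule layout proposed in the thread (`to:first:last:notfrom:WarnMsg`) can be evaluated with ordinary precompiled patterns, so the display-name check itself does not depend on 'AllowCodeInRegex'. The Perl below is an added example, not code from the thread or from ASSP; `parse_rule` and `tag_subject` are hypothetical helper names, and the rule, names and addresses are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed rule in the to:first:last:notfrom:WarnMsg layout (made-up names
# and addresses). The warning text may contain ':', hence the split limit.
my @rules = map { parse_rule($_) } (
    '*@example.org:Paul:Jones:paul.jones@example.org|pj@example.net:Caution: External Email Not From Paul',
);

sub parse_rule {
    my ($to, $first, $last, $notfrom, $msg) = split /:/, $_[0], 5;
    my ($f, $l) = (quotemeta $first, quotemeta $last);  # names are data, never code
    (my $to_re = quotemeta lc $to) =~ s/\\\*/.*/g;      # '*' is the only wildcard
    return {
        to    => qr/^$to_re$/,
        name  => qr/\b$f\b.*\b$l\b|\b$l\b.*\b$f\b/i,    # "First Last" or "Last, First"
        allow => +{ map { (lc($_) => 1) } split /\|/, $notfrom },
        msg   => $msg,
    };
}

# Returns the header block, with the Subject tagged when a rule fires.
sub tag_subject {
    my ($header, $rcpt) = @_;
    (my $h = $header) =~ s/\r?\n[ \t]+/ /g;             # unfold continuation lines
    # Only the "Name <addr>" form is handled; anything else passes unchanged.
    my ($name, $addr) = $h =~ /^From:[ \t]*"?([^"<\r\n]*?)"?[ \t]*<([^<>\s]+)>/mi
        or return $header;
    for my $r (@rules) {
        next unless lc($rcpt) =~ $r->{to} && $name =~ $r->{name};
        next if $r->{allow}{ lc $addr };                # known own address: no tag
        my $tag = "[$r->{msg}] ";
        $header =~ s/^(Subject:[ \t]*)/$1$tag/mi;       # first Subject line only
        last;
    }
    return $header;
}

# Constructed message header: the director's display name on an unrelated mailbox.
my $hdr = join "\r\n",
    'From: "Paul Jones" <director.office@mail.example>',
    'To: staff@example.org',
    'Subject: Are you in the office?', '';
print tag_subject($hdr, 'staff@example.org');
```

Because the names pass through `quotemeta` before they reach `qr//`, write access to the rule list can change which mails get tagged but cannot make perl execute code, which is the risk the quoted 'AllowCodeInRegex' note describes.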