Hi list, hi Fritz,

Since my last exchange with you about Message-ID signature problems and problems receiving legitimate Non-Delivery Notification or Auto Responder messages (RFC 3798), I have had it disabled (Backscatter Detection / Do Message-ID Signing).

I wanted to give it another try, as this feature is really nice and efficient in blocking null-sender spammers. For 13 hours I have had it enabled again, and here is the way it actually works in version 1.99(13129):

1) Spam is still blocked (as expected), but many of the spam messages that are not null sender (filled MAIL FROM) are considered as null sender, so the MSG-ID signature is checked and these spam messages are stored in the discarded folder.
2) Legitimate MDN messages (RFC 3798) are often blocked (in the previous version they were).
3) Legitimate Delivery Status Notifications are blocked (in version 1.98(13056) they were not).

I suspect that there is something wrong, as demonstrated below, that causes MDN messages and Delivery Status Notifications to be blocked, and I think it is related to a bug in bounce detection.

To give an example of a non-null sender detected as a bounce sender, here are:

ASSP logfile entries:

May-17-13 01:15:08 Delayed ip 62.144.109.24, because reputation(232) is higher than DelayIP(50);
May-17-13 01:15:16 m-36874-03706 62.73.4.63 <info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr> internaluser validated by ldap-cache;
May-17-13 01:15:16 m-36874-03706 62.73.4.63 [OIP: 62.144.109.24] <info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr> to: internaluser Originating IP/HELO: 62.144.109.24 / mx109e024.fagms.de;
May-17-13 01:15:17 m-36874-03706 62.73.4.63 [OIP: 62.144.109.24] <info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr> to: internaluser Message-Score: added 10 for Foreign Country DE, total score for this message is now 10;
May-17-13 01:15:17 m-36874-03706 62.73.4.63 [OIP: 62.144.109.24] <info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr> to: internaluser Message-Score: added -12 for bombSenderRe: 'newsletter (-12)', total score for this message is now -2;
May-17-13 01:15:17 m-36874-03706 [BombSender] 62.73.4.63 [OIP: 62.144.109.24] <info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr> to: internaluser [scoring:-12] -- bombSenderRe: 'newsletter (-12)' -- [Craquez pour des produits ensoleill\xc3\xa9s !];
May-17-13 01:15:17 m-36874-03706 [MSGID-sig] 62.73.4.63 [OIP: 62.144.109.24] <info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr> to: internaluser info: found bounce sender: <info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr> and recipient: <internaluser> without valid MSGID-signature;
May-17-13 01:15:17 m-36874-03706 62.73.4.63 [OIP: 62.144.109.24] <info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr> to: internaluser Message-Score: added 50 for MSGID-sig check failed <info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr>, total score for this message is now 48;
May-17-13 01:15:17 m-36874-03706 [MSGID-sig] 62.73.4.63 [OIP: 62.144.109.24] <info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr> to: internaluser [spam found][blocked] -- MSGID-sig check failed <info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr> -- [Craquez pour des produits ensoleill\xc3\xa9s !] -> /var/db/assp/discarded/Craquez_pour_des_produits_enso__1852.eml;

==> We can note "found bounce sender: <info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr>", which is not the case (not null sender, not mailer-daemon and not postmaster).

And the message sample header:

X-Assp-Version: 1.99(13129) on ASSP.nospam
X-Assp-ispip: 62.73.4.63
X-Assp-SenderBase: country:DE; organization:Experian Cheetahmail
 Deutschland GmbH; domain:fagms.de
X-Assp-Score: 10 (Foreign Country DE)
X-Assp-Score: -12 (bombSenderRe: 'newsletter (-12)')
X-Assp-Score: 50 (MSGID-sig check failed <info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr>)
X-Assp-Envelope-From: info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr
X-Assp-Intended-For: internaluser
X-Assp-ID: ASSP.nospam m-36874-03706
X-Assp-Spam-Found: MSGID-sig check failed <info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr>
X-Assp-Message-Totalscore: 48
Received: from antivir.axinet.fr ([62.73.4.63] helo=antivir.axinet.fr) by
 ASSP.nospam with ESMTP (ASSP 1.99); 17 May 2013 01:15:16 +0200
Received: from localhost (antivir.axinet.fr [127.0.0.1])
 by antivir.axinet.fr (Postfix) with ESMTP id D9F9D37201F
 for <internaluser>; Fri, 17 May 2013 01:15:16 +0200 (CEST)
X-Virus-Scanned: amavisd-new at example.com
Received: from antivir.axinet.fr ([127.0.0.1])
 by localhost (antivir.axinet.fr [127.0.0.1]) (amavisd-new, port 10024)
 with LMTP id dm657Re-C7xE for <internaluser>;
 Fri, 17 May 2013 01:15:08 +0200 (CEST)
Received: from mx109e024.fagms.de (mx109e024.fagms.de [62.144.109.24])
 by antivir.axinet.fr (Postfix) with ESMTP id 441B8372000
 for <internaluser>; Fri, 17 May 2013 01:15:08 +0200 (CEST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
 s=s1024; d=newsletter.lidl.fr;
 b=OJ4XPfd+PUvo0QX1/a1KLtvuxpV7BhQWzge5yoqxuK0ZoCRK4QQCBhG9xDKPbS/6NraspD+1/dsGIAg8z6rMmOS4IG/1Jq3ybrr8E4Eg1eSSJfecnQ3enucuJJ0RkEqc1FeoUU9F5KTjsJro7W8 o0u+io6CLBXhVemcy9bPRCdU=;
 h=X-EMID:X-EMMAIL:From:Reply-To:To:Subject:Content-Type:Content-Transfer-Encoding:Message-Id:MIME-Version:Date;
X-EMID: 0A600E401DNNHML05BDV301TLEUKD
X-EMMAIL: internaluser
From: "Lidl France Newsletter" <i...@newsletter.lidl.fr>
Reply-To: "Lidl France Newsletter" <info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr>
To: internaluser
Subject: =?ISO-8859-1?Q?Craquez_pour_des_produits_ensoleill=E9s_!?=
Content-Type: text/html;
 charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <130517011411zh.31...@mscreator08.fagms.de>
MIME-Version: 1.0

As we can see in the line "X-Assp-Score: 50 (MSGID-sig check failed <info-emid0a600e401dnnhml05bdv301tle...@newsletter.lidl.fr>)", this message is effectively a spam, but the reason why it is detected as such should not be "MSGID-sig check failed".

So the questions to which I would be really happy to know the answers are:

Is there possibly something really wrong in my config (I doubt it, because I have really taken care not to modify parameters I don't really understand,
but why not)?

Is Backscatter detection a feature recognized as buggy in version 1 (for any reason and motivation, which I will respect), and if that is the case, wouldn't it be more interesting to totally disable this functionality?

Are there any plans to bring this functionality (very nice feature) to the level of stability of all the other nice ASSP v1 features?

Thank you very much for your answers.

Regards,

MAIRIE DE SALLANCHES
Direction des Systèmes d'Information
Alexandre RAYNAUD
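An added example, not part of the original message and not ASSP code: a log triage script that finds the misclassification reported above, that is, "[MSGID-sig] ... found bounce sender" entries whose sender is neither the null sender, mailer-daemon nor postmaster. The sample lines are constructed in the layout of the entries quoted in the message, and the three-way bounce-sender criterion is an assumption taken from the poster's description, not from ASSP's source.

```python
import re

# Matches the "[MSGID-sig] ... info: found bounce sender" entry, in the
# layout of the log lines quoted in the message above.
BOUNCE_RE = re.compile(
    r"^\S+ \S+ (?P<id>m-\S+) \[MSGID-sig\] .*?"
    r"found bounce sender: <(?P<sender>[^>]*)> and recipient: <(?P<rcpt>[^>]*)>"
)

# Assumption (from the poster's description): local parts that count as
# genuine bounce senders, in addition to the empty (null) sender.
BOUNCE_LOCALPARTS = {"mailer-daemon", "postmaster"}


def is_bounce_sender(addr):
    """True for the null sender, mailer-daemon@... or postmaster@..."""
    addr = addr.strip().lower()
    if addr == "":
        return True
    return addr.rsplit("@", 1)[0] in BOUNCE_LOCALPARTS


def suspicious_bounce_hits(lines):
    """Return (session id, sender, recipient) for every entry where a
    sender that is not a bounce sender was treated as one."""
    hits = []
    for line in lines:
        m = BOUNCE_RE.search(line)
        if m and not is_bounce_sender(m.group("sender")):
            hits.append((m.group("id"), m.group("sender"), m.group("rcpt")))
    return hits


# Constructed sample log lines (documentation addresses and IPs).
SAMPLE_LOG = [
    "May-17-13 01:15:17 m-10001-00001 [MSGID-sig] 192.0.2.10 <news@newsletter.example> to: user@example.org "
    "info: found bounce sender: <news@newsletter.example> and recipient: <user@example.org> without valid MSGID-signature;",
    "May-17-13 01:15:17 m-10001-00001 [MSGID-sig] 192.0.2.10 <news@newsletter.example> to: user@example.org "
    "[spam found][blocked] -- MSGID-sig check failed <news@newsletter.example>;",
    "May-17-13 02:03:44 m-10002-00002 [MSGID-sig] 198.51.100.7 <> to: user@example.org "
    "info: found bounce sender: <> and recipient: <user@example.org> without valid MSGID-signature;",
    "May-17-13 02:10:09 m-10003-00003 [MSGID-sig] 203.0.113.5 <MAILER-DAEMON@mx.example> to: user@example.org "
    "info: found bounce sender: <MAILER-DAEMON@mx.example> and recipient: <user@example.org> without valid MSGID-signature;",
]

if __name__ == "__main__":
    for session, sender, rcpt in suspicious_bounce_hits(SAMPLE_LOG):
        print(f"{session}: non-bounce sender <{sender}> checked as bounce (rcpt <{rcpt}>)")
```

Run over a real maillog, the session ids it reports can be matched against the files in the discarded folder to review what was blocked by this check.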