Thomas,

Crap... that explains a lot. Thanks for the heads up.

If it's helpful at all, this stopped working properly when it started exhibiting the "new and improved!" behavior of the two-tiered Neutral/Fail approach where the scoring result from the first round of hits effectively serves as an index or lookup into the Neutral/Fail (30/50 etc.) scoring table. There appear to be a bunch of DNSBL-related changes between 1.9.9 (14059) and (14060) so that may be when this mess began. This problem appears to affect URIBL scoring as well.

Cheers,
- Phil

-----Original Message-----
From: Thomas Eckardt
Sent: Thursday, July 10, 2014 1:26 PM
To: ph...@qsystemsengineering.com; For Users of ASSP
Subject: Re: [Assp-user] Inconsistent DNSBL scoring

I just had a look into the V1 code. The RBL code is totally scrambled (mixed V2 and V1).

hostkarma.junkemailfilter.com=>127.0.0.2=>45

This is a V2 syntax - it is accepted by V1 - but not used in the check.

I don't know if I'll have the time to fix this wild code.

However, in your example the return code was '127.0.1.1', which has no weight assigned - so the default score is used.

The RBL check will not work as expected!

Thomas

From: "Phil Quesinberry" <ph...@qsystemsengineering.com>
To: <assp-user@lists.sourceforge.net>
Date: 10.07.2014 18:46
Subject: Re: [Assp-user] Inconsistent DNSBL scoring

After updating to 1.9.9 (14187), this appears to be working properly for cached entries but is still failing for non-cached entries. I don't think anything has changed, I'm pretty sure it worked properly for cached entries before.
In the first example below, hostkarma.junkemailfilter.com hasn't even been assigned a weight for 127.0.1.1 results, the entries for that DNSBL are as follows:

hostkarma.junkemailfilter.com=>127.0.0.2=>45
hostkarma.junkemailfilter.com=>127.0.1.2=>35
hostkarma.junkemailfilter.com=>127.0.0.4=>30

From the log:

Jul-10-14 03:09:49 m-40497-02320 [SSL-out] 74.112.64.75 <v-bebplbn_bbmgjmcoho_bfhnefea_bfhnefe...@bounce.sicirculation.mkt6348.com> to: sher...@ourdomain.com Message-Score: added 50 for DNSBL: failed, 74.112.64.75 listed in hostkarma.junkemailfilter.com, total score for this message is now 105;
Jul-10-14 03:09:49 m-40497-02320 [SSL-out] [DNSBL] 74.112.64.75 <v-bebplbn_bbmgjmcoho_bfhnefea_bfhnefe...@bounce.sicirculation.mkt6348.com> to: sher...@ourdomain.com [scoring:50] (DNSBL: failed, 74.112.64.75 listed in (hostkarma.junkemailfilter.com<-127.0.1.1; ));

In the second example, bl.spamcannibal.org has been assigned a weight of 35 as follows:

bl.spamcannibal.org=>35

From the log:

Jul-10-14 10:22:15 m-40500-02646 [SSL-in] [SSL-out] 17.151.1.94 <boun...@insideicloud.icloud.com> to: lfar...@ourdomain.com Message-Score: added 50 for DNSBL: failed, 17.151.1.94 listed in bl.spamcannibal.org, total score for this message is now 90;
Jul-10-14 10:22:15 m-40500-02646 [SSL-in] [SSL-out] [DNSBL] 17.151.1.94 <boun...@insideicloud.icloud.com> to: lfar...@ourdomain.com [scoring:50] (DNSBL: failed, 17.151.1.94 listed in (bl.spamcannibal.org<-127.0.0.2; ));

_____________________________________________
From: Phil Quesinberry
Sent: Monday, July 07, 2014 1:08 PM
To: 'assp-user@lists.sourceforge.net'
Subject: RE: Inconsistent DNSBL scoring

Ok...
let me try to explain this a little better and then perhaps you can tell us why: one message gets a single hit on the ipews blacklist (and no others) with a weight of 20 and is scored with a value of 20 out of 50 corresponding to a Neutral DNSBL result with a resulting score of 30 added to the message score, then later the same day another message gets a single hit on the same ipews blacklist (and no others) with a weight of 20 but that one is scored with a value of 50 out of 50 corresponding to a Failed DNSBL result with a resulting score of 50 added to the message score?

- Phil

> From: Thomas Eckardt <Thomas.E<ckardt@th...> - 2014-07-07 15:52:48

>different results, possibly dependent upon whether it's a cached hit or not

the difference is not cache or no cache - the important difference is 'neutral' and 'failed' - who can read .... - both have different valence values - 30 and 50 in your case

IMHO using weights for DNSBL and URIBL is still working in V1

Thomas

_____________________________________________
From: Phil Quesinberry
Sent: Monday, July 07, 2014 11:41 AM
To: 'assp-user@lists.sourceforge.net'
Subject: RE: Inconsistent DNSBL scoring

Looking at the log, you can see where a hit on the same blacklist yields two different results, possibly dependent upon whether it's a cached hit or not. This causes false positives when a more aggressive blacklist is intermittently and improperly scored the same way as say, Spamhaus. URIBL hits appear to exhibit the same behavior. I'm hoping that V2 is in better shape now than when we tried it last, which was admittedly quite some time ago. I'm not sure why this behavior was changed in V1 as it worked perfectly before. Looking back, I'm pretty sure that the inconsistent scoring behavior started after the "improvement". :)

From: Thomas Eckardt <Thomas.E<ckardt@th...> - 2014-07-04 06:10:02

>added 30 for DNSBLcache: neutral
>added 50 for DNSBL: failed
>Now tell me what is wrong ?
Also, is there a way to still have ASSP score the message based on total DNSBL points like it used to instead of limiting to the neutral/fail scoring dependent upon the number of hits?
>use V2
>Thomas

_____________________________________________
From: Phil Quesinberry
Sent: Friday, July 04, 2014 12:12 AM
To: 'assp-user@lists.sourceforge.net'
Subject: RE: Inconsistent DNSBL scoring

The same thing appears to be happening with URIBL hits as well.

_____________________________________________
From: Phil Quesinberry
Sent: Thursday, July 03, 2014 12:08 PM
To: 'assp-user@lists.sourceforge.net'
Subject: Inconsistent DNSBL scoring

We're seeing some odd behavior when it comes to DNSBL scoring. One of the DNSBLs we use is i2.apews.org. It's useful for weighing in against a message with other problems but it's occasionally prone to false-positives, so we give hits against it a score of 20. Notice the following log entries (hit on apews DNSBL adds 20 which is the correct behavior):

Jul-01-14 11:02:45 Connected: 108.12.183.50:31641 -> 10.0.0.15:25 (listenPort) -> 127.0.0.1:125;
Jul-01-14 11:02:45 108.12.183.50 MTA offered STARTTLS - converting to SSL;
Jul-01-14 11:02:47 m-40422-26873 [SSL-in] [SSL-out] 108.12.183.50 <brappap...@somesender.com> to: sher...@ourdomain.com Message-Score: added -5 for SSL-TLS-connection-OK, total score for this message is now -5;
Jul-01-14 11:02:47 m-40422-26873 [SSL-in] [SSL-out] [DNSBL] 108.12.183.50 <brappap...@somesender.com> to: sher...@ourdomain.com [scoring:20] (108.12.183.50 listed in DNSBLcache by l2.apews.org at 2014-07-01/10:54:50);
Jul-01-14 11:02:47 m-40422-26873 [SSL-in] [SSL-out] 108.12.183.50 <brappap...@somesender.com> to: sher...@ourdomain.com Message-Score: added 30 for DNSBLcache: neutral, 108.12.183.50 listed in l2.apews.org, total score for this message is now 25;

This is what we'd expect.
Now have a look at the following log entries (hit on apews DNSBL adds 50 which is NOT correct), no configurational changes have been made:

Jul-01-14 16:20:36 Connected: 173.67.34.179:54431 -> 10.0.0.15:25 (listenPort) -> 127.0.0.1:125;
Jul-01-14 16:20:36 173.67.34.179 MTA offered STARTTLS - converting to SSL;
Jul-01-14 16:20:38 m-40424-27323 [SSL-in] [SSL-out] 173.67.34.179 <d...@anothersender.com> to: ph...@ourotherdomain.com Message-Score: added -5 for SSL-TLS-connection-OK, total score for this message is now -5;
Jul-01-14 16:20:38 m-40424-27323 [SSL-in] [SSL-out] 173.67.34.179 <d...@anothersender.com> to: ph...@ourotherdomain.com deleting spamming whitelisted tuplet: (173.67.34.0,anothersender.com) age: 2s;
Jul-01-14 16:20:38 m-40424-27323 [SSL-in] [SSL-out] 173.67.34.179 <d...@anothersender.com> to: ph...@ourotherdomain.com Message-Score: added 50 for DNSBL: failed, 173.67.34.179 listed in l2.apews.org, total score for this message is now 45;
Jul-01-14 16:20:38 m-40424-27323 [SSL-in] [SSL-out] [DNSBL] 173.67.34.179 <d...@anothersender.com> to: ph...@ourotherdomain.com [scoring:50] (DNSBL: failed, 173.67.34.179 listed in (l2.apews.org<-127.0.0.2; ));

From the above, it looks like cached hits are scored correctly but real-time hits are not? If you need additional info, let me know. I can crank up the DNSBL logging to debug/verbose if it will help.

Also, is there a way to still have ASSP score the message based on total DNSBL points like it used to instead of limiting to the neutral/fail scoring dependent upon the number of hits? There are a number of DNSBLs which are useful for pushing suspect messages "over the edge" but more prone to false-positives and we'd prefer to have the granularity of just weighting them accordingly, which was the behavior of ASSP until fairly recently.

Thanks!
Phil Quesinberry
Vintage Telecom
VoIP Business Telephone Hosting
Improve your business telephone services and save money
(410) 921-6550
http://www.vintagetelecom.com

_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user
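
Added example, not part of the thread and not ASSP code: a log audit that compares the [scoring:N] value on real-time DNSBL detail lines with the weights configured in the syntax quoted above, and reports return codes that have no weight assigned. It assumes the expected score is the sum of the configured weights and that a zone=>code entry takes precedence over a zone-wide entry; the sample log is constructed (addresses replaced, third line invented).

```python
import re

# Weight entries in the syntax quoted in the thread: zone=>weight or zone=>code=>weight.
CONFIG = """\
hostkarma.junkemailfilter.com=>127.0.0.2=>45
hostkarma.junkemailfilter.com=>127.0.1.2=>35
hostkarma.junkemailfilter.com=>127.0.0.4=>30
bl.spamcannibal.org=>35
"""

# Constructed sample input: detail lines modelled on the thread's log excerpts;
# the third line is invented to show a hit that is scored consistently.
LOG = """\
Jul-10-14 03:09:49 m-40497-02320 [SSL-out] [DNSBL] 74.112.64.75 <a@example.com> to: b@example.org [scoring:50] (DNSBL: failed, 74.112.64.75 listed in (hostkarma.junkemailfilter.com<-127.0.1.1; ));
Jul-10-14 10:22:15 m-40500-02646 [SSL-in] [SSL-out] [DNSBL] 17.151.1.94 <c@example.com> to: d@example.org [scoring:50] (DNSBL: failed, 17.151.1.94 listed in (bl.spamcannibal.org<-127.0.0.2; ));
Jul-10-14 11:00:00 m-40501-00001 [SSL-in] [DNSBL] 192.0.2.7 <e@example.com> to: f@example.org [scoring:45] (DNSBL: failed, 192.0.2.7 listed in (hostkarma.junkemailfilter.com<-127.0.0.2; ));
"""

DETAIL = re.compile(r"\[scoring:(\d+)\] \(DNSBL: (\w+), (\S+) listed in \((.*?)\)\);")
HIT = re.compile(r"([\w.-]+)<-(\d+\.\d+\.\d+\.\d+);")

def parse_weights(text):
    """Return {(zone, code or None): weight}; code None means a zone-wide weight."""
    weights = {}
    for line in text.split():
        parts = line.split("=>")
        if len(parts) == 2:
            weights[(parts[0], None)] = int(parts[1])
        elif len(parts) == 3:
            weights[(parts[0], parts[1])] = int(parts[2])
    return weights

def audit(log, weights):
    """Return (ip, logged, expected, unweighted_hits) for each line whose score differs."""
    findings = []
    for m in DETAIL.finditer(log):
        logged, ip, expected, unweighted = int(m.group(1)), m.group(3), 0, []
        for zone, code in HIT.findall(m.group(4)):
            w = weights.get((zone, code), weights.get((zone, None)))
            if w is None:
                unweighted.append(f"{zone}<-{code}")  # return code with no weight assigned
            else:
                expected += w
        if logged != expected:
            findings.append((ip, logged, expected, unweighted))
    return findings

if __name__ == "__main__":
    for finding in audit(LOG, parse_weights(CONFIG)):
        print(finding)
```

Cached hits are logged in a different form ("listed in DNSBLcache by ...") and are not matched by this pattern.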