You should probably let it run in testmode for a while to build up a database 
of spam and ham first, before blocking anything.

-----Original Message-----
From: Andy Bradford [mailto:andy_bradford_...@yahoo.com] 
Sent: October 01, 2014 18:02
To: assp-user@lists.sourceforge.net
Subject: [Assp-user] New to ASSP - some questions and issues with getting 
started

Hey guys,
Stumbled across ASSP being recommended as a pretty good spam fighting solution 
to put in front of a mail server via a thread on Reddit, and thought I'd give 
it a shot to replace my now unsupported (and quite frankly, just bad) solution 
of Forefront for Exchange. I'm running a small Exchange 2010 box for about 20 
mailboxes, some that get hammered with spam more than others. I stood up a VM 
with a FreeBSD 10 install, opted to install Postfix, and threw up ASSP to dive 
in.
Install went smoothly, and I redirected my firewall rule for ports 25 and 465 
to flow mail through my mail filtering VM, configured to pass the mail to 
Exchange. I started seeing some issues though, even after messing with some of 
the values:
Here's a legit email from an Office 365 mail user:

====
Sep-29-14 00:49:13 m-41196-00013 157.56.110.132 <sender-redacted@office365> to:
recipient-redacted@exchange Message-Score: added 25 for bombSubjectRe:
'subject-redacted (25)', total score for this message is now 25;
Sep-29-14 00:49:13 m-41196-00013 [BombSubject] 157.56.110.132
<sender-redacted@office365> to: recipient-redacted@exchange [scoring:25] --
bombSubjectRe: 'subject-redacted (25)' -- [subject-redacted];
Sep-29-14 00:49:13 m-41196-00013 157.56.110.132 <sender-redacted@office365> to:
recipient-redacted@exchange Message-Score: added 25 for bombHeaderRe: '9 sep
2014 00:49:03 -0400 (25)', total score for this message is now 50;
Sep-29-14 00:49:13 m-41196-00013 [BombHeader] 157.56.110.132
<sender-redacted@office365> to: recipient-redacted@exchange [scoring:25] --
bombHeaderRe: '9 sep 2014 00:49:03 -0400 (25)' -- [subject-redacted];
Sep-29-14 00:49:13 m-41196-00013 157.56.110.132 <sender-redacted@office365> to:
recipient-redacted@exchange Message-Score: added 17 for Bad Reputation for
157.56.110.132, total score for this message is now 67;
Sep-29-14 00:49:13 m-41196-00013 157.56.110.132 <sender-redacted@office365> to:
recipient-redacted@exchange Bayesian Check [scoring:-10] - Prob: 0.00750 /
Confidence: 0.00210 => confident.ham;
Sep-29-14 00:49:13 m-41196-00013 157.56.110.132 <sender-redacted@office365> to:
recipient-redacted@exchange Message-Score: added -10 for Bayesian Confidence:
0.00210, total score for this message is now 57;
Sep-29-14 00:49:13 m-41196-00013 [MessageScore][PossibleSpam] 157.56.110.132
<sender-redacted@office365> to: recipient-redacted@exchange [spam found] and
passing because messagescore(57) is in warning range ( 47 - 75) --
[subject-redacted] -> /var/db/assp/discarded/subject-redacted__7.eml;
====

Unfortunately, ASSP categorized this as spam when it really isn't. It did a 
lookup on the O365 IP and, for some reason, heightened the marking of thinking 
it was spam. 

Legit spam, which was blocked, great! :

====

Sep-29-14 00:45:16 m-41196-00011 87.106.211.104 
<renee_ol...@blog.beauty-arzt.de> to: recipient-redacted@exchange 
Message-Score: added 25 for bombHeaderRe: '9 sep 2014 00:45:05 -0400 (25)', 
total score for this message is now 25;
Sep-29-14 00:45:16 m-41196-00011 [BombHeader] 87.106.211.104 
<renee_ol...@blog.beauty-arzt.de> to: recipient-redacted@exchange [scoring:25] 
-- bombHeaderRe: '9 sep 2014 00:45:05 -0400 (25)' -- [Hi Quality Medical Online 
Products];
Sep-29-14 00:45:16 m-41196-00011 87.106.211.104 
<renee_ol...@blog.beauty-arzt.de> to: recipient-redacted@exchange 
Message-Score: added 15 for 87.106.211 in griplist (1.00), total score for this 
message is now 40;
Sep-29-14 00:45:16 m-41196-00011 87.106.211.104 
<renee_ol...@blog.beauty-arzt.de> to: recipient-redacted@exchange 
Message-Score: added 100 for DNSBL: failed, 87.106.211.104 listed in 
b.barracudacentral.org, total score for this message is now 140;
Sep-29-14 00:45:16 m-41196-00011 [DNSBL] 87.106.211.104 
<renee_ol...@blog.beauty-arzt.de> to: recipient-redacted@exchange [spam 
found][blocked] -- DNSBL, 87.106.211.104 listed in b.barracudacentral.org -- 
[Hi Quality Medical Online Products] ->
/var/db/assp/spam/Hi_Quality_Medical_Online_Prod__6.eml;
====

Another non-legitimate spam email that was falsely identified:

====

Sep-29-14 00:38:53 m-41196-00005 146.101.78.152 <reputable-redacted@sender> to:
recipient-redacted@exchange Message-Score: added 25 for bombHeaderRe: '9 sep
2014 00:38:42 -0400 (25)', total score for this message is now 25;
Sep-29-14 00:38:53 m-41196-00005 [BombHeader] 146.101.78.152
<reputable-redacted@sender> to: recipient-redacted@exchange [scoring:25] --
bombHeaderRe: '9 sep 2014 00:38:42 -0400 (25)' -- [Work];
Sep-29-14 00:38:54 m-41196-00005 146.101.78.152 <reputable-redacted@sender> to:
recipient-redacted@exchange Message-Score: added 55 for URIBL failed:
'dimensiondata.com'(black.uribl.com ), total score for this message is now 80;
Sep-29-14 00:38:54 m-41196-00005 [URIBL] 146.101.78.152
<reputable-redacted@sender> to: recipient-redacted@exchange [spam
found][blocked] -- URIBL failed: 'dimensiondata.com'(black.uribl.com ) --
[Work] -> /var/db/assp/spam/Work__3.eml;

====

There's some tweaking that some people recommend, especially modifying the low 
and high values of the weighting. Since 50 is high by default, I then set it to 
75, with continued issues. I saw that I could put all marked messages in 
training/demo mode for it to just mark the messages, put a "possiblespam" 
inclusion in the subject, and then pass the mail on. However, that might be 
annoying to my end users, so I'm trying to avoid that. 

Any further tweaking ideas? Can't seem to find a happy medium right now, so I 
had to temporarily put ASSP in time out and re-route my mail back to Exchange 
directly. The inconvenience of Yahoo and O365 emails being marked as spam with 
normal content didn't go over well in my testing, even though I verified they 
were at the default whitelisted value (for Yahoo, at least).
Thanks,
Andy
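As an added example (not part of Andy's post and not ASSP's own code), the "Message-Score" lines quoted above can be parsed to recompute each message's running total, map it onto the warning range the log reports, cross-check that the summed deltas agree with the total ASSP printed, and list which single positive contribution would have to disappear (for instance the 17-point "Bad Reputation" hit, by whitelisting the sending IP) for the Office 365 message to pass clean. The sample log is constructed to mirror the format in the post with addresses redacted; the threshold semantics (below 47 passes clean, 47 to 75 passes tagged as possible spam, above 75 blocked) are an assumption read off the "warning range ( 47 - 75)" line, and all function and field names are mine, not ASSP configuration names.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Matches an ASSP "Message-Score: added N for <reason>, total score ... is now T;" line.
# Other ASSP lines ([BombHeader] ..., [DNSBL] ..., Bayesian Check ...) are not score
# deltas and are skipped by the parser.
SCORE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>m-\d+-\d+) (?P<ip>\S+) <(?P<sender>[^>]*)> "
    r"to: (?P<rcpt>\S+) Message-Score: added (?P<delta>-?\d+) for (?P<reason>.*?), "
    r"total score for this message is now (?P<total>-?\d+);$"
)

# Constructed sample log, modelled on the lines quoted in the post (addresses redacted).
O365 = "Sep-29-14 00:49:13 m-41196-00013 157.56.110.132 <sender@office365> to: rcpt@exchange "
SPAM = "Sep-29-14 00:45:16 m-41196-00011 87.106.211.104 <renee@blog.example> to: rcpt@exchange "
SAMPLE_LOG = "\n".join([
    O365 + "Message-Score: added 25 for bombSubjectRe: 'subject (25)', total score for this message is now 25;",
    O365 + "Message-Score: added 25 for bombHeaderRe: '9 sep 2014 00:49:03 -0400 (25)', total score for this message is now 50;",
    O365 + "Message-Score: added 17 for Bad Reputation for 157.56.110.132, total score for this message is now 67;",
    O365 + "Bayesian Check [scoring:-10] - Prob: 0.00750 / Confidence: 0.00210 => confident.ham;",
    O365 + "Message-Score: added -10 for Bayesian Confidence: 0.00210, total score for this message is now 57;",
    SPAM + "Message-Score: added 25 for bombHeaderRe: '9 sep 2014 00:45:05 -0400 (25)', total score for this message is now 25;",
    SPAM + "Message-Score: added 15 for 87.106.211 in griplist (1.00), total score for this message is now 40;",
    SPAM + "Message-Score: added 100 for DNSBL: failed, 87.106.211.104 listed in b.barracudacentral.org, total score for this message is now 140;",
])


@dataclass
class ScoredMessage:
    msgid: str
    ip: str
    sender: str
    contributions: List[Tuple[str, int]] = field(default_factory=list)
    logged_total: int = 0  # the last "is now T" value ASSP printed for this message

    @property
    def computed_total(self) -> int:
        return sum(delta for _, delta in self.contributions)


def parse_scores(log: str) -> Dict[str, ScoredMessage]:
    """Group every score delta by ASSP message id, preserving log order."""
    msgs: Dict[str, ScoredMessage] = {}
    for line in log.splitlines():
        m = SCORE_RE.match(line.strip())
        if not m:
            continue
        msg = msgs.setdefault(m["msgid"], ScoredMessage(m["msgid"], m["ip"], m["sender"]))
        msg.contributions.append((m["reason"], int(m["delta"])))
        msg.logged_total = int(m["total"])
    return msgs


def verdict(score: int, warn_low: int = 47, block_high: int = 75) -> str:
    # Assumed semantics, read off the post's "warning range ( 47 - 75)" line:
    # below warn_low passes clean, inside the range passes tagged as possible spam,
    # above block_high is blocked. Set warn_low/block_high to your own ASSP limits.
    if score > block_high:
        return "blocked"
    if score >= warn_low:
        return "possible-spam"
    return "ham"


def inconsistent(msgs: Dict[str, ScoredMessage]) -> List[str]:
    """Message ids whose summed deltas disagree with ASSP's own running total."""
    return [mid for mid, m in msgs.items() if m.computed_total != m.logged_total]


def single_removals_that_pass(msg: ScoredMessage, warn_low: int = 47) -> List[str]:
    """Positive contributions whose removal alone drops the score below the warning range.

    Shows whether whitelisting the sending IP (dropping 'Bad Reputation') or relaxing
    one bomb regex would be enough to let a false positive pass clean."""
    total = msg.computed_total
    return [reason for reason, delta in msg.contributions
            if delta > 0 and total - delta < warn_low]


if __name__ == "__main__":
    parsed = parse_scores(SAMPLE_LOG)
    for mid, m in parsed.items():
        print(f"{mid} {m.ip:16} score={m.computed_total:4} -> {verdict(m.computed_total)}")
        for reason in single_removals_that_pass(m):
            print(f"    would pass clean without: {reason}")
    print("inconsistent totals:", inconsistent(parsed) or "none")
```

Run it against a real `maillog` tail to see which scoring modules are doing the damage on your false positives; in the quoted case any one of the two bomb regex hits or the reputation lookup is enough on its own to push the Office 365 message from clean into the warning range.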


------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 
3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready 
for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 
Requirement 10 and 11.5 with EventLog Analyzer 
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user