Re: [Assp-test] Inbound TLS from gmail.com addresses / servers

2016-08-04 Thread K Post
Now I'm in a position where the powers that be have requested that TLS be
disabled because of inbound problems from gmail.  Apparently, gmail users
who send 25mb+ files have been getting this error more frequently than I
thought.

This is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipient has been delayed:

 ouru...@ourcharity.org

Message will be retried for 1 more day(s)

Technical details of temporary failure:
Missed upload deadline (899.99s) (state SENT_MESSAGE)

One of the major donors got this today, which raised the flag with the
directors.  Makes testing really tough.

I might be able to test this for a little bit after hours this weekend.




On Thu, Aug 4, 2016 at 3:32 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> debug such a connection
>
> set debugCode to:
>
> $Con{$fh}->{mailfrom} =~ /\@gmail\.com/ && $Con{$fh}->{SIZE} > 1024000
>
> 1024000 can be larger
>
> Thomas
>
>
>
>
>
> From:    K Post <nntp.p...@gmail.com>
> To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:    03.08.2016 19:08
> Subject: Re: [Assp-test] Inbound TLS from gmail.com addresses / servers
>
>
>
> watching the SMTP Connections GUI, it looks like google starts out pretty
> fast for the first 2mb or so, but then really slows down.  Might there be
> something with memory handling on my end?
>
> after x seconds: total bytes transferred
> 10 seconds: 1,400,000 bytes
> 30 seconds: 2,600,000 bytes
> 55 seconds: 3,800,000 bytes
> 90 seconds: 5,300,000 bytes
> 160 seconds: 7,500,000 bytes
>
> Hit 1.4mb in the first 10 seconds, but then slows to a rate of about 2mb a
> minute, sometimes slower.  Does this help you figure out what might be
> going on with gmail?
>
>
>
>
> On Tue, Aug 2, 2016 at 10:40 PM, K Post <nntp.p...@gmail.com> wrote:
>
> > activestate just published net::ssleay 1.77 in their repository. Doesn't
> > seem to make any difference in terms of speed.  Capping out at about 2mb a
> > minute with TLS.
> >
> > the ssleay.dll that is in c:\perl\site\lib\auto\Net\SSLeay appears to have
> > been updated by the ppm.  ASSP in infostats still says:
> > OpenSSL 1.0.2h
> > OpenSSL-lib 1.0.2g Mar 2016
> >
> > Is that first line my c:\openssl installation from Shining Light (I don't
> > know anywhere else that 1.0.2h is installed)?
> > and OpenSSL-lib is the ssleay.dll that is seen in the
> > c:\perl\sit\lib\auto\net\ssleay folder?
> >
> > Does it matter that there's also a ssleay.dll in c:\openssl that is surely
> > 1.0.2h?
> >
> > Still, I ask all these questions, but it's only gmail that's giving me a
> > headache.  Other senders all seem fine so far, not nearly as fast as without
> > TLS.  For example, I just sent the same 11mb file that google takes about 7
> > minutes to send via Outlook.com and it only took 35 seconds.
> >
> > thanks again
> >
> >
> >
> >
> >
> > On Tue, Aug 2, 2016 at 9:44 PM, K Post <nntp.p...@gmail.com> wrote:
> >
> >> scratch that Bob.  I'm still closer to 1.5-2mb per minute despite the
> >> tweaks.
> >>
> >> On Tue, Aug 2, 2016 at 9:36 PM, K Post <nntp.p...@gmail.com> wrote:
> >>
> >>> Thanks Thomas, but what OpenSSL should I be using?  I really don't think
> >>> this is the problem, but I might as well eliminate it.  I've got
> >>> activestate's perl 5.20 installed and net::ssleay from the activestate
> >>> ppm.  However, the OpenSSL binaries that I have (I'm talking about the FULL
> >>> openssl installation in c:\openssl) not the dll files that net::ssleay
> >>> >might< have, is 1.0.2h from Shining Light (
> >>> slproweb.com/products/Win32OpenSSL.html)
> >>>
> >>> ASSP says net::ssleay is OpenSSL 1.0.2g - apparently it hasn't been
> >>> compiled using 1.0.2h yet.  That the readme from net::ssleay talks
> >>> specifically about shining light and that it's best to roll your own
> >>> worries me.
> >>>
> >>> And Bob,
> >>> Thanks for testing this out.  3MB in 25 seconds is about what I'm
> >>> generally seeing now that I've tweaked the performance settings of ASSP,
> >>> but without TLS, we can receive a 10mb attachment in just a few seconds
> >>> thanks to a fast line.  Curious, if you disable TLS temporarily and send
> >>> yourself that same 3mb at
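
Added example (not code from the thread or from ASSP): the progress figures and the roughly 900-second Gmail upload deadline quoted in this message, turned into per-interval rates and a projection of which attachment sizes can finish in time. It assumes the deadline covers the message body transfer, MIME base64 encoding of the attachment, and a constant rate after the first sample; all function names are illustrative.

```python
import re

# Constructed sample: the progress figures posted in the thread
# ("after x seconds: total bytes transferred"), quote markers included.
SAMPLE_TEXT = """\
> 10 seconds: 1,400,000 bytes
> 30 seconds: 2,600,000 bytes
> 55 seconds: 3,800,000 bytes
> 90 seconds: 5,300,000 bytes
> 160 seconds: 7,500,000 bytes
"""

DEADLINE_S = 900   # assumption: the 899.99s in the Gmail notice, rounded
BURST_END_S = 10   # assumption: the fast start ends at the first sample

LINE_RE = re.compile(r"^[>\s]*(\d+)\s+seconds:\s*([\d,]+)\s+bytes\s*$")


def parse_samples(text):
    """Return [(seconds, cumulative_bytes), ...] sorted by time, from (0, 0)."""
    samples = [(0, 0)]
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            samples.append((int(m.group(1)), int(m.group(2).replace(",", ""))))
    return sorted(samples)


def interval_rates(samples):
    """Bytes/second between each pair of consecutive samples."""
    rates = []
    for (t0, b0), (t1, b1) in zip(samples, samples[1:]):
        if t1 <= t0 or b1 < b0:
            raise ValueError(f"samples not monotonic at t={t1}")
        rates.append((b1 - b0) / (t1 - t0))
    return rates


def burst_and_sustained(samples, burst_end_s=BURST_END_S):
    """Return (burst end time, bytes moved by then, average rate afterwards)."""
    tail = [(t, b) for t, b in samples if t >= burst_end_s]
    if len(tail) < 2:
        raise ValueError("need at least two samples after the burst")
    (t0, b0), (t1, b1) = tail[0], tail[-1]
    return t0, b0, (b1 - b0) / (t1 - t0)


def base64_wire_bytes(raw_bytes):
    """On-the-wire size as MIME base64: 57 raw bytes become
    76 characters plus CRLF (78 bytes)."""
    full, rest = divmod(raw_bytes, 57)
    wire = full * 78
    if rest:
        wire += 4 * ((rest + 2) // 3) + 2
    return wire


def projected_seconds(raw_bytes, samples, rate=None):
    """Estimated transfer time for an attachment of raw_bytes.
    rate (bytes/second) overrides the measured post-burst average."""
    t0, b0, measured = burst_and_sustained(samples)
    rate = measured if rate is None else rate
    wire = base64_wire_bytes(raw_bytes)
    if b0 and wire <= b0:
        return wire * t0 / b0          # finishes inside the initial burst
    return t0 + (wire - b0) / rate


def max_attachment_bytes(samples, deadline_s=DEADLINE_S, rate=None):
    """Largest raw attachment whose base64 form fits inside the deadline."""
    t0, b0, measured = burst_and_sustained(samples)
    rate = measured if rate is None else rate
    budget = b0 + rate * (deadline_s - t0)
    return int(budget // 78) * 57


SAMPLES = parse_samples(SAMPLE_TEXT)

if __name__ == "__main__":
    rates = interval_rates(SAMPLES)
    for (t0, _), (t1, _), r in zip(SAMPLES, SAMPLES[1:], rates):
        print(f"{t0:>4}-{t1:<4}s  {r / 1000:7.1f} kB/s")
    for mb in (11, 25, 30):
        avg = projected_seconds(mb * 1_000_000, SAMPLES)
        slow = projected_seconds(mb * 1_000_000, SAMPLES, rate=rates[-1])
        print(f"{mb} MB: {avg:5.0f}s at the average rate, "
              f"{slow:5.0f}s at the last interval's rate "
              f"(deadline {DEADLINE_S}s)")
    print("largest attachment inside the deadline:",
          max_attachment_bytes(SAMPLES, rate=rates[-1]), "to",
          max_attachment_bytes(SAMPLES), "bytes")
```

The gap between the two projections comes from the rate still falling in the last sampled interval, so the average after the burst is the optimistic bound.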

Re: [Assp-test] infostats page request

2016-08-03 Thread K Post
also, could we get an option to DROP a connection.  For example, this would
be useful to immediately drop a connection from a China IP that's trying to
break in.  I know we can add this to the deny SMTP connections list right
from the infostats window, but that doesn't drop the existing connection.


On Wed, Aug 3, 2016 at 1:12 PM, K Post <nntp.p...@gmail.com> wrote:

> Would you consider giving us the at least the option to display the full
> email address / server name in infostats if we want, instead of always
> truncating them?  Maybe let the words wrap if they're too long within the
> td?
>
> Makes it easier to get info from the info stats window.  For example, I
> might see a gmail IP with sender of SomeReallyLongName@somedoma.   I
> can't tell who the sender is.  It could be someone sending using a google
> apps hosted domain like  somedomainatgoogle.org, but I'd need to look
> into the mail log to get that.
>
> Just a wishlist item.  nothing urgent.
>
> thanks
>
--
___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test


[Assp-test] infostats page request

2016-08-03 Thread K Post
Would you consider giving us the at least the option to display the full
email address / server name in infostats if we want, instead of always
truncating them?  Maybe let the words wrap if they're too long within the
td?

Makes it easier to get info from the info stats window.  For example, I
might see a gmail IP with sender of SomeReallyLongName@somedoma.   I
can't tell who the sender is.  It could be someone sending using a google
apps hosted domain like  somedomainatgoogle.org, but I'd need to look into
the mail log to get that.

Just a wishlist item.  nothing urgent.

thanks


Re: [Assp-test] Inbound TLS from gmail.com addresses / servers

2016-08-02 Thread K Post
activestate just published net::ssleay 1.77 in their repository.  Doesn't
seem to make any difference in terms of speed.  Capping out at about 2mb a
minute with TLS.

the ssleay.dll that is in c:\perl\site\lib\auto\Net\SSLeay appears to have
been updated by the ppm.  ASSP in infostats still says:
OpenSSL 1.0.2h
OpenSSL-lib 1.0.2g Mar 2016

Is that first line my c:\openssl installation from Shining Light (I don't
know anywhere else that 1.0.2h is installed)?
and OpenSSL-lib is the ssleay.dll that is seen in the
c:\perl\sit\lib\auto\net\ssleay folder?

Does it matter that there's also a ssleay.dll in c:\openssl that is surely
1.0.2h?

Still, I ask all these questions, but it's only gmail that's giving me a
headache.  Other senders all seem fine so far, not nearly as fast as without
TLS.  For example, I just sent the same 11mb file that google takes about 7
minutes to send via Outlook.com and it only took 35 seconds.

thanks again





On Tue, Aug 2, 2016 at 9:44 PM, K Post <nntp.p...@gmail.com> wrote:

> scratch that Bob.  I'm still closer to 1.5-2mb per minute despite the
> tweaks.
>
> On Tue, Aug 2, 2016 at 9:36 PM, K Post <nntp.p...@gmail.com> wrote:
>
>> Thanks Thomas, but what OpenSSL should I be using?  I really don't think
>> this is the problem, but I might as well eliminate it.  I've got
>> activestate's perl 5.20 installed and net::ssleay from the activestate
>> ppm.  However, the OpenSSL binaries that I have (I'm talking about the FULL
>> openssl installation in c:\openssl) not the dll files that net::ssleay
>> >might< have, is 1.0.2h from Shining Light (
>> slproweb.com/products/Win32OpenSSL.html)
>>
>> ASSP says net::ssleay is OpenSSL 1.0.2g - apparently it hasn't been
>> compiled using 1.0.2h yet.  That the readme from net::ssleay talks
>> specifically about shining light and that it's best to roll your own
>> worries me.
>>
>> And Bob,
>> Thanks for testing this out.  3MB in 25 seconds is about what I'm
>> generally seeing now that I've tweaked the performance settings of ASSP,
>> but without TLS, we can receive a 10mb attachment in just a few seconds
>> thanks to a fast line.  Curious, if you disable TLS temporarily and send
>> yourself that same 3mb attachment from gmail, how long does it take?
>>
>>
>>
>> On Tue, Aug 2, 2016 at 2:04 PM, Thomas Eckardt <
>> thomas.ecka...@thockar.com> wrote:
>>
>>> >Having looked through the Net:SSLEAY readme, there's a bunch that suggests
>>> >that it's best to compile your own net:ssleay and OpenSSL on the same
>>> >machine with the same settings.
>>>
>>> This will be the case, if you use the PPM from ActiveState. Perl and all
>>> modules are compiled with the same compiler and header files. Net::SSLeay
>>> is compiled static, means it contains all required openssl code.
>>>
>>> >I'd love to find the time to give this a go,
>>> You'll find something better to do, than to compile this module on
>>> windows.
>>>
>>>
>>> Thomas
>>>
>>>
>>>
>>>
>>> From:    K Post <nntp.p...@gmail.com>
>>> To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
>>> Date:    02.08.2016 19:42
>>> Subject: Re: [Assp-test] Inbound TLS from gmail.com addresses / servers
>>>
>>>
>>>
>>> Having looked through the Net:SSLEAY readme, there's a bunch that suggests
>>> that it's best to compile your own net:ssleay and OpenSSL on the same
>>> machine with the same settings. I've not done that, and never have (nor do
>>> I have the skillset to do much more than run a simple make command).  I'd
>>> love to find the time to give this a go, but what do you all think - could
>>> this be it?  Why would gmail.com always be bad, but others not (that I've
>>> seen)?
>>>
>>> On Tue, Aug 2, 2016 at 1:22 PM, Thomas Eckardt
>>> <thomas.ecka...@thockar.com>
>>> wrote:
>>>
>>> > >How do you know the type of encryption that gmail is using?
>>> >
>>> > You'll find it in the Received header line written by assp.
>>> >
>>> > >I have SSLDebug set to level 3,
>>> >
>>> > This helps not much. Most of the SSL-debug output goes to NUL.
>>> >  But if there were errors in SSL - you would see them in the maillog.
>>> >
>>> > >I changed EnableHighPerformace to "very high,"
>>> > I don't recommend to do this. This cuts the cyc

Re: [Assp-test] Inbound TLS from gmail.com addresses / servers

2016-08-02 Thread K Post
scratch that Bob.  I'm still closer to 1.5-2mb per minute despite the
tweaks.

On Tue, Aug 2, 2016 at 9:36 PM, K Post <nntp.p...@gmail.com> wrote:

> Thanks Thomas, but what OpenSSL should I be using?  I really don't think
> this is the problem, but I might as well eliminate it.  I've got
> activestate's perl 5.20 installed and net::ssleay from the activestate
> ppm.  However, the OpenSSL binaries that I have (I'm talking about the FULL
> openssl installation in c:\openssl) not the dll files that net::ssleay
> >might< have, is 1.0.2h from Shining Light (
> slproweb.com/products/Win32OpenSSL.html)
>
> ASSP says net::ssleay is OpenSSL 1.0.2g - apparently it hasn't been
> compiled using 1.0.2h yet.  That the readme from net::ssleay talks
> specifically about shining light and that it's best to roll your own
> worries me.
>
> And Bob,
> Thanks for testing this out.  3MB in 25 seconds is about what I'm
> generally seeing now that I've tweaked the performance settings of ASSP,
> but without TLS, we can receive a 10mb attachment in just a few seconds
> thanks to a fast line.  Curious, if you disable TLS temporarily and send
> yourself that same 3mb attachment from gmail, how long does it take?
>
>
>
> On Tue, Aug 2, 2016 at 2:04 PM, Thomas Eckardt <thomas.ecka...@thockar.com
> > wrote:
>
>> >Having looked through the Net:SSLEAY readme, there's a bunch that suggests
>> >that it's best to compile your own net:ssleay and OpenSSL on the same
>> >machine with the same settings.
>>
>> This will be the case, if you use the PPM from ActiveState. Perl and all
>> modules are compiled with the same compiler and header files. Net::SSLeay
>> is compiled static, means it contains all required openssl code.
>>
>> >I'd love to find the time to give this a go,
>> You'll find something better to do, than to compile this module on
>> windows.
>>
>>
>> Thomas
>>
>>
>>
>>
>> From:    K Post <nntp.p...@gmail.com>
>> To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date:    02.08.2016 19:42
>> Subject: Re: [Assp-test] Inbound TLS from gmail.com addresses / servers
>>
>>
>>
>> Having looked through the Net:SSLEAY readme, there's a bunch that suggests
>> that it's best to compile your own net:ssleay and OpenSSL on the same
>> machine with the same settings. I've not done that, and never have (nor do
>> I have the skillset to do much more than run a simple make command).  I'd
>> love to find the time to give this a go, but what do you all think - could
>> this be it?  Why would gmail.com always be bad, but others not (that I've
>> seen)?
>>
>> On Tue, Aug 2, 2016 at 1:22 PM, Thomas Eckardt
>> <thomas.ecka...@thockar.com>
>> wrote:
>>
>> > >How do you know the type of encryption that gmail is using?
>> >
>> > You'll find it in the Received header line written by assp.
>> >
>> > >I have SSLDebug set to level 3,
>> >
>> > This helps not much. Most of the SSL-debug output goes to NUL.
>> >  But if there were errors in SSL - you would see them in the maillog.
>> >
>> > >I changed EnableHighPerformace to "very high,"
>> > I don't recommend to do this. This cuts the cycle time (poll/select wait
>> > time) in the workers to a minimum. Even if assp is idle - if this is set,
>> > it will permanently poll the sockets and will produce unwanted CPU
>> > workload. I know 'EnableHighPerformace' sounds magic, but it is more
>> > implemented to tweak exceptional environments.
>> > However, if your host accepts this workload - it is fine.
>> >
>> > >Anything else I should try tweaking?
>> >
>> > Don't try too much. Tweak (if) one by one step. Use the
>> > 'notes/confighistory.txt' - the old and new values are recorded there.
>> >
>> > I have an idea about the gmail problem. It may be the case, that they
>> > request SSL rehandshakes more or less often depending on the used
>> > certificate and/or cipher to raise the security of the connection. Such a
>> > behavior would slow down the SSL speed - BUT, now the bad news, this is a
>> > client request (made by gmail). Perl's Net::SSLeay has no easy way to
>> > ignore these requests. The only way would be to pipe all SSL packets
>> > through an assp routine (this is possible), which would drop the
>> > renegotiation requests. Such a code will slow down ALL SSL traffic
>> > dramatically, if written in pu

Re: [Assp-test] Inbound TLS from gmail.com addresses / servers

2016-08-02 Thread K Post
Thanks Thomas, but what OpenSSL should I be using?  I really don't think
this is the problem, but I might as well eliminate it.  I've got
activestate's perl 5.20 installed and net::ssleay from the activestate
ppm.  However, the OpenSSL binaries that I have (I'm talking about the FULL
openssl installation in c:\openssl) not the dll files that net::ssleay
>might< have, is 1.0.2h from Shining Light (
slproweb.com/products/Win32OpenSSL.html)

ASSP says net::ssleay is OpenSSL 1.0.2g - apparently it hasn't been
compiled using 1.0.2h yet.  That the readme from net::ssleay talks
specifically about shining light and that it's best to roll your own
worries me.

And Bob,
Thanks for testing this out.  3MB in 25 seconds is about what I'm generally
seeing now that I've tweaked the performance settings of ASSP, but without
TLS, we can receive a 10mb attachment in just a few seconds thanks to a
fast line.  Curious, if you disable TLS temporarily and send yourself that
same 3mb attachment from gmail, how long does it take?



On Tue, Aug 2, 2016 at 2:04 PM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> >Having looked through the Net:SSLEAY readme, there's a bunch that suggests
> >that it's best to compile your own net:ssleay and OpenSSL on the same
> >machine with the same settings.
>
> This will be the case, if you use the PPM from ActiveState. Perl and all
> modules are compiled with the same compiler and header files. Net::SSLeay
> is compiled static, means it contains all required openssl code.
>
> >I'd love to find the time to give this a go,
> You'll find something better to do, than to compile this module on
> windows.
>
>
> Thomas
>
>
>
>
> From:    K Post <nntp.p...@gmail.com>
> To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:    02.08.2016 19:42
> Subject: Re: [Assp-test] Inbound TLS from gmail.com addresses / servers
>
>
>
> Having looked through the Net:SSLEAY readme, there's a bunch that suggests
> that it's best to compile your own net:ssleay and OpenSSL on the same
> machine with the same settings. I've not done that, and never have (nor do
> I have the skillset to do much more than run a simple make command).  I'd
> love to find the time to give this a go, but what do you all think - could
> this be it?  Why would gmail.com always be bad, but others not (that I've
> seen)?
>
> On Tue, Aug 2, 2016 at 1:22 PM, Thomas Eckardt
> <thomas.ecka...@thockar.com>
> wrote:
>
> > >How do you know the type of encryption that gmail is using?
> >
> > You'll find it in the Received header line written by assp.
> >
> > >I have SSLDebug set to level 3,
> >
> > This helps not much. Most of the SSL-debug output goes to NUL.
> >  But if there were errors in SSL - you would see them in the maillog.
> >
> > >I changed EnableHighPerformace to "very high,"
> > I don't recommend to do this. This cuts the cycle time (poll/select wait
> > time) in the workers to a minimum. Even if assp is idle - if this is set,
> > it will permanently poll the sockets and will produce unwanted CPU
> > workload. I know 'EnableHighPerformace' sounds magic, but it is more
> > implemented to tweak exceptional environments.
> > However, if your host accepts this workload - it is fine.
> >
> > >Anything else I should try tweaking?
> >
> > Don't try too much. Tweak (if) one by one step. Use the
> > 'notes/confighistory.txt' - the old and new values are recorded there.
> >
> > I have an idea about the gmail problem. It may be the case, that they
> > request SSL rehandshakes more or less often depending on the used
> > certificate and/or cipher to raise the security of the connection. Such a
> > behavior would slow down the SSL speed - BUT, now the bad news, this is a
> > client request (made by gmail). Perl's Net::SSLeay has no easy way to
> > ignore these requests. The only way would be to pipe all SSL packets
> > through an assp routine (this is possible), which would drop the
> > renegotiation requests. Such a code will slow down ALL SSL traffic
> > dramatically, if written in pure perl.
> >
> > >We are using a 2048bit certificate.  It's a wildcard (*.ourcharity.org)
> > >cert, but I don't think that has anything to do with it.
> >
> > Who knows? But to exclude this, you may use an innocent selfcert
> > certificate and key - create it with openssl - for a while.
> > BTW. assp will create such certificate and keys, if the 'assp/certs'
> > folder is empty at startup. :):)
> >
> > Thomas
> >
> >
> >
> >
> > > From: K Post <nntp.p...@gmail

Re: [Assp-test] Inbound TLS from gmail.com addresses / servers

2016-08-02 Thread K Post
Having looked through the Net:SSLEAY readme, there's a bunch that suggests
that it's best to compile your own net:ssleay and OpenSSL on the same
machine with the same settings. I've not done that, and never have (nor do
I have the skillset to do much more than run a simple make command).  I'd
love to find the time to give this a go, but what do you all think - could
this be it?  Why would gmail.com always be bad, but others not (that I've
seen)?

On Tue, Aug 2, 2016 at 1:22 PM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> >How do you know the type of encryption that gmail is using?
>
> You'll find it in the Received header line written by assp.
>
> >I have SSLDebug set to level 3,
>
> This helps not much. Most of the SSL-debug output goes to NUL.
>  But if there were errors in SSL - you would see them in the maillog.
>
> >I changed EnableHighPerformace to "very high,"
> I don't recommend to do this. This cuts the cycle time (poll/select wait
> time) in the workers to a minimum. Even if assp is idle - if this is set,
> it will permanently poll the sockets and will produce unwanted CPU
> workload. I know 'EnableHighPerformace' sounds magic, but it is more
> implemented to tweak exceptional environments.
> However, if your host accepts this workload - it is fine.
>
> >Anything else I should try tweaking?
>
> Don't try too much. Tweak (if) one by one step. Use the
> 'notes/confighistory.txt' - the old and new values are recorded there.
>
> I have an idea about the gmail problem. It may be the case, that they
> request SSL rehandshakes more or less often depending on the used
> certificate and/or cipher to raise the security of the connection. Such a
> behavior would slow down the SSL speed - BUT, now the bad news, this is a
> client request (made by gmail). Perl's Net::SSLeay has no easy way to
> ignore these requests. The only way would be to pipe all SSL packets
> through an assp routine (this is possible), which would drop the
> renegotiation requests. Such a code will slow down ALL SSL traffic
> dramatically, if written in pure perl.
>
> >We are using a 2048bit certificate.  It's a wildcard (*.ourcharity.org)
> >cert, but I don't think that has anything to do with it.
>
> Who knows? But to exclude this, you may use an innocent selfcert
> certificate and key - create it with openssl - for a while.
> BTW. assp will create such certificate and keys, if the 'assp/certs'
> folder is empty at startup. :):)
>
> Thomas
>
>
>
>
> From:    K Post <nntp.p...@gmail.com>
> To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:    02.08.2016 18:34
> Subject: Re: [Assp-test] Inbound TLS from gmail.com addresses / servers
>
>
>
> Thanks for chiming in Thomas with such a detailed response.
>
> First, when Google gives up, it gives a message like:
>
> Technical details of temporary failure:
>
> Missed upload deadline (899.97s) (state SENT_MESSAGE)
>
> So it's 15 minutes that it'll try to send a file for.  At under 2mb a
> minute, anything over about 25megs (considering overhead) will ultimately
> fail.  No good since lots of gmail users send us large files.
>
>
> We're on a 100mbit line, both directions, but I'd happily take a 9.1 mb
> attachment sent over TLS taking 2 minutes.  I suspect when I find out what
> the problem is that it'll be MUCH faster than that.
>
> We are using a 2048bit certificate.  It's a wildcard (*.ourcharity.org)
> cert, but I don't think that has anything to do with it.
>
> We're using local storage on the Hyper-V host, RAID 10 with 4 7200rpm SAS
> drives.  It's not the fastest disk array, but it seems fine.  I can't see
> slow disks impacting TLS like this if non-TLS connections fly.
>
> The hyper-v host is a dual processor, 2.6ghz, 6 core each, 12mb cache.
> I've got a total of 10 cores assigned to the ASSP guest.
>
> I have SSLDebug set to level 3, but I don't see anything in the maillog.
>  How do you know the type of encryption that gmail is using?  It would be
> nice to compare how gmail is connecting vs outlook.com which seems much
> faster (though not super fast)
>
> I've got SSL_Version set to
> SSLv23:!SSLv3:!SSLv2
>
> and
> SSL_Cipher_List set to
>
> kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED
>
> my unscientific test of changing the cipher list to the default doesn't
> seem to make a difference.
>
> MinPollTime is 1, I think it always has been.
> I changed EnableHighPerformace to "very high," changed thread cycle time to
> 1000, maintenance thread cycle time to 2000, and rebuildthreadcycletime to
> 15.  That def

Re: [Assp-test] Inbound TLS from gmail.com addresses / servers

2016-08-02 Thread K Post
Thanks for chiming in Thomas with such a detailed response.

First, when Google gives up, it gives a message like:

Technical details of temporary failure:

Missed upload deadline (899.97s) (state SENT_MESSAGE)

So it's 15 minutes that it'll try to send a file for.  At under 2mb a
minute, anything over about 25megs (considering overhead) will ultimately
fail.  No good since lots of gmail users send us large files.


We're on a 100mbit line, both directions, but I'd happily take a 9.1 mb
attachment sent over TLS taking 2 minutes.  I suspect when I find out what
the problem is that it'll be MUCH faster than that.

We are using a 2048bit certificate.  It's a wildcard (*.ourcharity.org)
cert, but I don't think that has anything to do with it.

We're using local storage on the Hyper-V host, RAID 10 with 4 7200rpm SAS
drives.  It's not the fastest disk array, but it seems fine.  I can't see
slow disks impacting TLS like this if non-TLS connections fly.

The hyper-v host is a dual processor, 2.6ghz, 6 core each, 12mb cache.
I've got a total of 10 cores assigned to the ASSP guest.

I have SSLDebug set to level 3, but I don't see anything in the maillog.
 How do you know the type of encryption that gmail is using?  It would be
nice to compare how gmail is connecting vs outlook.com which seems much
faster (though not super fast)

I've got SSL_Version set to
SSLv23:!SSLv3:!SSLv2

and
SSL_Cipher_List set to
kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED

my unscientific test of changing the cipher list to the default doesn't
seem to make a difference.

MinPollTime is 1, I think it always has been.
I changed EnableHighPerformace to "very high," changed thread cycle time to
1000, maintenance thread cycle time to 2000, and rebuildthreadcycletime to
15.  That definitely made a difference in the rebuild time, almost halving
it (not that I really care about that though).

Anything else I should try tweaking?  I don't care if there's high CPU
usage, we have reasonable processing power to spare.

Thank you

On Tue, Aug 2, 2016 at 12:02 PM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> I just made similar tests with my gmail account. I can't reproduce this
> behavior related to gmail.com.
>
> I've sent a 9.1MB attachment in 133 seconds. Gmail used SMTPS(TLSv1_2
> ECDHE-RSA-AES256-GCM-SHA384)- which is commonly used by many
> clients/servers.
> Sender was mail-qt0-f181.google.com ([209.85.216.181]
> helo=mail-qt0-f181.google.com)
> My line speed is 16MB/s inbound and 4MB/s outbound.
>
> I saw many faster SMTPS connections but also many slower - this may depend
> on the usage of my ISP connection.
>
> 133 seconds for such a mail is acceptable (I think).
>
> SSLv2/3:!SSLv3:!SSLv2
> DEFAULT:!aNULL:!RC4:!MD5
>
> are my SSL settings - not very strong - I know :):)
>
> the private key used is 2048 Bit long
>
> In front of assp is the ISP-router and a pfsense 2.3.2 with snort 3.2.9.1.
> Snort is configured the very hard way, except the SMTP rules are a bit
> more weak, because I need some spam.
> ASSP is running on a 4 Core 6GB W2K3 enterprise with an absolute up-to-date
> ActivePerl 5.16.3 - using all Plugins, features and a replicated MySQL
> 5.6.
> Domain based mail routing (in- and out-bound) is done by hmailserver
> 5.6.4-B2283.
> All components are configured to use SSL/TLS whenever this is possible.
> For testing purposes I use a FreeBSD 10.2 with Perl 5.20 and ASSP - it
> runs the same way stable like the production system.
>
> You see - nothing magic, but maintained (except the nice old W2K3 - but
> it works like a swiss made watch with an ETA 7750).
>
> I really don't know what I can do to fix up the SSL/TLS problems.
>
> Only to be complete:
> Backend for the mail environment and LDAP stuff is a Domino 9.0.1FP6.
> All the stuff above (and very much more) is running on a single VMWare
> vSphere 5.5 ( 8x 2.66GHz 48GB / x3650M2).
> Backups are done with EMC-Networker + EBR + DataDomain-VE, stored at a
> QNAP 419P+
>
> Thomas
>
>
>
>
> From:    K Post <nntp.p...@gmail.com>
> To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:    02.08.2016 00:07
> Subject: [Assp-test] Inbound TLS from gmail.com addresses / servers
>
>
>
> I originally thought that we had a problem with all TLS inbound email.  As
> it turns out, my conclusion appears to have been wrong.
>
>
>    - There are some SLOW servers outside that are just plain slow (nothing
>    I can do there),
>
>    - TLS seems to work reasonably fast with most inbound mail, though
>    significantly slower than without TLS  (5 seconds for an 11mb file without
>    tls, vs 45 seconds with TLS on)
>
>    - GMAIL.com inbound

Re: [Assp-test] Inbound TLS from gmail.com addresses / servers

2016-08-02 Thread K Post
Thanks all for your replies.

Collin,

Sorry that you're experiencing the same thing, but I'm happy that we've
found another installation with a completely dissimilar OS and setup that
is affected.

I saw that Net::SSLeay 1.77 is out, but it's not yet available for Windows
- at least not in the ActiveState repository.  Looking at the changelog, I
don't think it'll make any difference.

The big question is if ALL assp installations are seeing this slowness from
gmail.com specifically.  Could it be something that gmail is doing that
ASSP isn't expecting?

Greyhat,
I've had debugging on, but I don't see anything of note.

and FYI, this server is pretty low usage. Generally only one or 2 sessions
at a time.  I did testing during off hours when there was almost no inbound
email.  Even with only 1 session active, if it was a gmail tls it was crazy
slow, but turn off SSL and POW it flies.


On Tue, Aug 2, 2016 at 5:39 AM, Colin Waring <co...@dolphinict.co.uk> wrote:

> I have to say I've seen this and I posted about it back in January.
>
> https://sourceforge.net/p/assp/mailman/message/34783916/
>
> Back then I saw problems with Gmail, Yahoo Mail and SMTPRoutes. Since then
> I've occasionally fielded calls from different people saying that emails
> aren't coming through and the solution has been to add the IP to noTLSip.
> The problem was much more significant back in January because I was getting
> lots of complaints whereas now it is only occasional.
>
> I'm on a completely different architecture to you.
>
> Ubuntu 14.04.4 LTS, OpenSSL 1.0.1f (latest from apt), Perl v5.18.2,
> Net::SSLeay 1.74, IO::Socket::SSL 2.033, Net::SMTP::SSL 1.03
>
> I've been using cpanm and cpanoutdated to manage module updates, checking
> from within cpan I can see that a number of modules haven't been done that
> way so I'm running upgrade from within CPAN itself to get things up to
> date. One of the updates is Net:SSLeay 1.77 so I'll see what that does.
>
> All the best,
> Colin Waring.
>
>
> Colin Waring
> Technical Manager
> Dolphin ICT Limited
> T
> +44 (0)151 438 2246 Ext 2003
> www.dolphinict.co.uk
> co...@dolphinict.co.uk
> US15a, Armstrong House, First Avenue, Robin Hood Airport, Doncaster, DN9
> 3GA
>
>
> -Original Message-
> From: K Post [mailto:nntp.p...@gmail.com]
> Sent: 01 August 2016 23:06
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Subject: [Assp-test] Inbound TLS from gmail.com addresses / servers
>
> I originally thought that we had a problem with all TLS inbound email.  As
> it turns out, my conclusion appears to have been wrong.
>
>
>    - There are some SLOW servers outside that are just plain slow (nothing
>    I can do there),
>
>    - TLS seems to work reasonably fast with most inbound mail, though
>    significantly slower than without TLS  (5 seconds for an 11mb file without
>    tls, vs 45 seconds with TLS on)
>
>    - GMAIL.com inbound TLS emails are SLOW, no matter what settings I tweak
>
>
> With inbound gmail.com messages, if I have TLS off, an 11mb attachment is
> delivered through ASSP in under 5 seconds.  With TLS on it takes close to
> 10 minutes, which gets close to gmail's limit.
>
> I've tested with Outlook.com and that same 11mb attachment comes in
> through ASSP with TLS on in about 45 seconds.
>
> Sending a 30mb attachment from gmail FAILS because it takes too long.
> gmail will try for I believe 10 minutes to send a message, then it quits
> and retries.  After a couple tries, it sends an NDR.
>
> This is a Windows 2012 R2 server, latest ASSP dev, OpenSSL 1.0.2h
> installed from slproweb.com/products/Win32OpenSSL.html (though I've also
> tried with the OpenSSL I downloaded a while back from the ASSP sourceforge
> site.
>  net::ssleay 1.74 (openssl 1.0.2g).  I'm almost certain that the OpenSSL
> installation is not used by ASSP, but I've not been able to get
> confirmation of that here.
>
> Just updated IO::Socket::SSL to 2.033.
> Net::SMTP::SSL 1.02.
>
> CPU usage as reported by assp is 4.78%.  It's not on the fastest machine
> in the world (it's a hyper-v guest on a decent machine), but it seems
> speedy enough.  24gb ram.  We've got similar physical hosts running
> Exchange as a guest without any speed issues whatsoever.
>
> Any other info I can provide to help figure this out?
>
> Disabling TLS for any gmail inbound 

[Assp-test] Inbound TLS from gmail.com addresses / servers

2016-08-01 Thread K Post
I originally thought that we had a problem with all TLS inbound email.  As
it turns out, my conclusion appears to have been wrong.


   - There are some SLOW servers outside that are just plain slow (nothing
   I can do there),

   - TLS seems to work reasonably fast with most inbound mail, though
   significantly slower than without TLS  (5 seconds for an 11mb file without
   tls, vs 45 seconds with TLS on)

   - GMAIL.com inbound TLS emails are SLOW, no matter what settings I tweak


With inbound gmail.com messages, if I have TLS off, an 11mb attachment is
delivered through ASSP in under 5 seconds.  With TLS on it takes close to
10 minutes, which gets close to gmail's limit.

I've tested with Outlook.com and that same 11mb attachment comes in through
ASSP with TLS on in about 45 seconds.

Sending a 30mb attachment from gmail FAILS because it takes too long. gmail
will try for I believe 10 minutes to send a message, then it quits and
retries.  After a couple tries, it sends an NDR.

This is a Windows 2012 R2 server, latest ASSP dev, OpenSSL 1.0.2h installed
from slproweb.com/products/Win32OpenSSL.html (though I've also tried with
the OpenSSL I downloaded a while back from the ASSP sourceforge site.
 net::ssleay 1.74 (openssl 1.0.2g).  I'm almost certain that the OpenSSL
installation is not used by ASSP, but I've not been able to get
confirmation of that here.

Just updated IO::Socket::SSL to 2.033.
Net::SMTP::SSL 1.02.

CPU usage as reported by assp is 4.78%.  It's not on the fastest machine in
the world (it's a hyper-v guest on a decent machine), but it seems speedy
enough.  24gb ram.  We've got similar physical hosts running Exchange as a
guest without any speed issues whatsoever.

Any other info I can provide to help figure this out?

Disabling TLS for any gmail inbound mail isn't a feasible option, plus I
don't know if it really is just google, or just the way that google
connects which others might too...

Thank you all.


Re: [Assp-test] Perl Versions

2016-07-22 Thread K Post
Interesting, Thanks Thomas.

What do you recommend on Windows then?

Currently using ActiveState 5.20.1. All seems well, except TLS is slow to
the point of being unusable.  Everything else seems fine and fast.  That
thread seems to have died out so I'm grasping at straws now.  Could this be
perl causing the problem?

thanks


On Fri, Jul 22, 2016 at 12:25 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> There are many modules not available for Perl 5.22 and 5.24 on windows.
> All missing modules are available at the packages repository at
> sourceforge.
> ActiveState Perl 5.22 and 5.24 will not be usable. But StrawberryPerl can
> be used, because the gcc and many header files are included there - so the
> missing modules can be compiled with this Perl.
>
> Thomas
>
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 21.07.2016 05:34
> Subject: Re: [Assp-test] Perl Versions
>
>
>
> Correction, ActiveState DOES allow for 5.22.2.220 to be downloaded (missed
> that) - so my same questions apply.  Are all of the modules available
> for Windows for 5.22?
>
> On Wed, Jul 20, 2016 at 11:30 PM, K Post <nntp.p...@gmail.com> wrote:
>
> > In one of my other threads, it was mentioned that Thomas said (somewhere)
> > that perl 5.22 and 5.24 are "possible."  Is this true??
> >
> > Thomas, I see the readme says:
> >
> > version 2.5.2  build (16177)
> > requires at least Perl 5.10
> > recommended is at least Perl 5.16.3 (5.016003)
> > best run is on Perl 5.20.x for all platforms
> > supports Perl 5.10 to 5.20
> > *using Perl 5.22 is experimental*
> >
> >
> > Is 5.24 now possible too? Has it been tested? Issues on a Windows box?
> >
> > I was going to update my 5.20.1 ActiveState installation to try to fix
> > terribly slow TLS, but ActiveState only makes 5.24 available for download -
> > unless you buy the business edition (which gives you rights to the older
> > versions).
> >
> > Thanks
> >
>


Re: [Assp-test] Perl Versions

2016-07-20 Thread K Post
Correction, ActiveState DOES allow for 5.22.2.220 to be downloaded (missed
that) - so my same questions apply.  Are all of the modules available
for Windows for 5.22?

On Wed, Jul 20, 2016 at 11:30 PM, K Post <nntp.p...@gmail.com> wrote:

> In one of my other threads, it was mentioned that Thomas said (somewhere)
> that perl 5.22 and 5.24 are "possible."  Is this true??
>
> Thomas, I see the readme says:
>
> version 2.5.2  build (16177)
> requires at least Perl 5.10
> recommended is at least Perl 5.16.3 (5.016003)
> best run is on Perl 5.20.x for all platforms
> supports Perl 5.10 to 5.20
> *using Perl 5.22 is experimental*
>
>
> Is 5.24 now possible too? Has it been tested? Issues on a Windows box?
>
> I was going to update my 5.20.1 ActiveState installation to try to fix
> terribly slow TLS, but ActiveState only makes 5.24 available for download -
> unless you buy the business edition (which gives you rights to the older
> versions).
>
> Thanks
>


Re: [Assp-test] Perl Versions

2016-07-20 Thread K Post
Correction, ActiveState DOES allow for 5.22.2.220 to be downloaded (missed
that) - so my same questions apply.  Are all of the modules available for
5.22 windows?



On Wed, Jul 20, 2016 at 11:30 PM, K Post <nntp.p...@gmail.com> wrote:

> In one of my other threads, it was mentioned that Thomas said (somewhere)
> that perl 5.22 and 5.24 are "possible."  Is this true??
>
> Thomas, I see the readme says:
>
> version 2.5.2  build (16177)
> requires at least Perl 5.10
> recommended is at least Perl 5.16.3 (5.016003)
> best run is on Perl 5.20.x for all platforms
> supports Perl 5.10 to 5.20
> *using Perl 5.22 is experimental*
>
>
> Is 5.24 now possible too? Has it been tested? Issues on a Windows box?
>
> I was going to update my 5.20.1 ActiveState installation to try to fix
> terribly slow TLS, but ActiveState only makes 5.24 available for download -
> unless you buy the business edition (which gives you rights to the older
> versions).
>
> Thanks
>


[Assp-test] Perl Versions

2016-07-20 Thread K Post
In one of my other threads, it was mentioned that Thomas said (somewhere)
that perl 5.22 and 5.24 are "possible."  Is this true??

Thomas, I see the readme says:

version 2.5.2  build (16177)
requires at least Perl 5.10
recommended is at least Perl 5.16.3 (5.016003)
best run is on Perl 5.20.x for all platforms
supports Perl 5.10 to 5.20
*using Perl 5.22 is experimental*


Is 5.24 now possible too? Has it been tested? Issues on a Windows box?

I was going to update my 5.20.1 ActiveState installation to try to fix
terribly slow TLS, but ActiveState only makes 5.24 available for download -
unless you buy the business edition (which gives you rights to the older
versions).

Thanks


Re: [Assp-test] Very slow TLS sessions - Windows server

2016-07-14 Thread K Post
Any more thoughts on this?  I'm stuck.
THANKS!

On Fri, Jun 10, 2016 at 2:57 PM, K Post <nntp.p...@gmail.com> wrote:

> another thing to note, having restarted a couple of days ago with TLS off,
> I see in the infostats GUI average CPU usage at 5%.
> After updating with PPM, I did a server restart, turned on TLS, and sent
> over a 11mb attachment from google.  CPU average usage at 27%.
>
> On Fri, Jun 10, 2016 at 2:47 PM, K Post <nntp.p...@gmail.com> wrote:
>
>> I gave updating via ppm a go, but I'm nearly certain that all libraries
>> used by ASSP were already up to date.  Still right around 2MB per minute
>> vs 75+ without TLS on.
>>
>> ppm log gave me only:
>> 2016-06-10T14:04:47 <3> [InstallArea.pm:412] Rollback File conflict for 'C:/Perl/html/site/lib/ExtUtils/Command.html'. The package ExtUtils-Command has already installed a file that package ExtUtils-MakeMaker wants to install. at C:/Perl/lib/ActivePerl/PPM/InstallArea.pm line 573.
>> 2016-06-10T14:04:47 <3> [ppm:1259] File conflict for 'C:/Perl/html/site/lib/ExtUtils/Command.html'. The package ExtUtils-Command has already installed a file that package ExtUtils-MakeMaker wants to install. at C:/Perl/lib/ActivePerl/PPM/InstallArea.pm line 573.
>> 2016-06-10T14:14:59 <3> [InstallArea.pm:412] Rollback File conflict for 'C:/Perl/html/site/lib/CGI/Carp.html'. The package CGI.pm has already installed a file that package CGI wants to install. at C:/Perl/lib/ActivePerl/PPM/InstallArea.pm line 573.
>> 2016-06-10T14:14:59 <3> [ppm:1259] File conflict for 'C:/Perl/html/site/lib/CGI/Carp.html'. The package CGI.pm has already installed a file that package CGI wants to install. at C:/Perl/lib/ActivePerl/PPM/InstallArea.pm line 573.
>>
>> Nothing notable there right?
>>
>> Are you using ActiveState perl?  If so, what version?
>>
>> Does OpenSSL come in to play at all?  I know that's needed for generating
>> certificates, and is listed as an ASSP requirement, but is it used in TLS
>> transmissions or is that all on the perl libraries?  Are you using OpenSSL
>> - if so what version and from where.  I've got the Shining light compiled
>> binaries installed.
>>
>> The backend mail server (hmailserver which ultimately passes most mail
>> onto exchange) isn't configured with SSL. That's the same server that's
>> used for non-TLS sessions (obviously).  Can you explain what that server
>> could be doing to slow down TLS sessions to ASSP?
>>
>> I'm really at a loss here.  Keeping TLS off isn't a real option, but
>> turning it on with this speed isn't realistic.  Thanks all for your input!
>>
>> On Fri, Jun 10, 2016 at 2:43 AM, Grayhat <gray...@gmx.net> wrote:
>>
>>> :: On Thu, 9 Jun 2016 12:37:26 -0400
>>> :: <CALhpkAnBjGc9rn+JhT2Oe2SK4hrVhkEQG928s5V=bed7p+e...@mail.gmail.com>
>>> :: K Post <nntp.p...@gmail.com> wrote:
>>>
>>> > Windows 2012 R2
>>> > the certificate is a 2048 bit RSA cert
>>> >
>>> > SSL_Version is SSLv23:!SSLv3:!SSLv2
>>> > Cipher list is
>>> > kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED
>>>
>>> now, this is strange, I'm running the latest ASSP on a windows box
>>> using the same ciphers as above and never noticed such a slowdown
>>> affecting encrypted connections
>>>
>>> Try running a
>>>
>>> ppm upgrade --install
>>>
>>> on the box, then, once the upgrade completes, run a
>>>
>>> ppm log --errors 60
>>>
>>> check for errors, fix them and rerun the upgrade; also, are you sure
>>> the issue isn't caused by the backend mailserver ? I know it sounds
>>> a bit strange but I'd try checking that portion of the chain too
>>>
>>>
>>>


Re: [Assp-test] VB: Very slow TLS sessions - Windows server

2016-06-16 Thread K Post
We don't have any clients directly connecting to ASSP (outbound mail is
relayed in from Exchange), but see severe slowness with other servers
connecting that use TLS.

I can't imagine it's the SMTP server itself.  I feel like I've got some
kind of conflict on the server that's not letting ASSP work efficiently
processing TLS sessions.  I'm running the same ASSP code as everyone else,
but others aren't reporting the slowness, so I doubt it's the code. I just
don't know where else to look.


On Thu, Jun 16, 2016 at 6:07 AM, Pontus Hellgren <pontus.hellg...@scandinavianhosting.se> wrote:

> Hi there!
>
> Default 1024000 should generate an error since 99 is maximum, 102400
> should work fine.
>
> I have been playing around this to see if any configuration would help my
> TLS-problems, but they are still there.
> And still only for apple devices. (any one else?)
>
> TLS sessions will transfer but there will be no end until MTA times out the
> session.
>
> Client, ASSP or Server problem?
> Well, our server (MTA) version has not changed, Apple clients and ASSP
> versions have changed.
> So, ASSP or Apple?
>
> Regards,
> Pontus
>
> -Original Message-
> From: Thomas Eckardt [mailto:thomas.ecka...@thockar.com]
> Sent: 9 June 2016 10:40
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Subject: Re: [Assp-test] Very slow TLS sessions - Windows server
>
> Install 2.5.2(16158)
> set 'TCPBufferSize' to : sslrcv = 0, sslsnd = 0
>
> tell me if TLS speed is better or not
>
>
> set 'TCPBufferSize' to : tcprcv = 1024000 , tcpsnd = 1024000 ,sslrcv =
> 1024000, sslsnd = 1024000
>
> are there any performance improvements?
>
> Thomas
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 02.06.2016 04:55
> Subject: Re: [Assp-test] Very slow TLS sessions - Windows server
>
>
>
> Could this be the problem?  Is OpenSSL even used by ASSP for receiving
> email? I feel like it's not, but thought I'd put this out there.
>
> OpenSSL 1.0.1h 1.0.1h / 0.9.8
> OpenSSL-lib 1.0.2g 1 Mar 2016 1.0.2g / 1.0.1h
>
> I have OpenSSL binaries installed in c:\openssl, and that is 1.0.2g from
> https://slproweb.com/products/Win32OpenSSL.html
>
> I don't know what 1.0.1h OpenSSL ASSP is seeing. Can you tell me what would
> need to be updated to make that be 1.0.2g AND DO WE CARE?
>
> Could that version mismatch be causing the terrible slowness when receiving
> large attachments?
>
>
> I looked through all other modules, they're all at or later than the
> recommended minimum version (updated through Activestate's PPM)
>
> For now I've got TLS off, but that's not viable long term.
>
> Oh and there appears to be plenty of processing power on this machine (12
> cores, 2+ ghz, 32gb ram)
>
>
> THANK YOU
>
>
>
> On Wed, Jun 1, 2016 at 12:25 PM, K Post <nntp.p...@gmail.com> wrote:
>
> > also, with DoTLS set to drop, the WebUI is 500% faster.  Doing searches in
> > maillog returns results like a dream!
> >
> > On Wed, Jun 1, 2016 at 12:11 PM, K Post <nntp.p...@gmail.com> wrote:
> >
> >> Running 16142, though I suspect this problem has been going on for a
> >> while now.
> >> Windows.
> >>
> >> I just discovered that large inbound emails (big attachments say over
> >> 10mb) that use TLS connections are taking forever to complete.  For
> >> example, a 13mb email from a gmail.com address (and confirm coming
> >> from google servers) took over 15 minutes to complete.
> >>
> >> In my testing, I found that changing DoTLS to Drop lets large emails come
> >> through nice and fast.  A 10mb attachment took over 12 minutes before, now
> >> it's just a couple of seconds with TLS off.
> >>
> >> The powers that be want encryption on (and so do I).  I'm okay with slow,
> >> but gmail specifically has a warning to its users after 899.9 seconds (15
> >> minutes).  If it takes longer than that, they get a delay warning
> >> which causes all kinds of confusion.
> >>
> >> Any suggestions on how to figure out what's taking so long with TLS on?
> >> All modules up to date.
> >>
> >> Thank you.
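
Thomas's explanation elsewhere in this thread (an SSL frame holds up to 16384 bytes, so an 8192-byte sslrcv buffer leaves decrypted bytes pending in the SSL read buffer) can be modelled without sockets or crypto. This is an added example, not ASSP code: the class and function names are hypothetical, and the 15460-byte final record is a constructed value chosen so the model reproduces the "7268 byte pending" warning reported in the thread.

```python
"""Simplified model of reading TLS application data through a small buffer.

Added illustration, not ASSP code. No real sockets or cryptography are used;
record sizes stand in for the plaintext length of each TLS record.
"""
from collections import deque

MAX_TLS_RECORD = 16384  # largest plaintext payload of one TLS record (16 KB)


class ModelTlsReader:
    """Model of the plaintext buffer inside a TLS library.

    A record is decrypted as a whole, so one read may produce more plaintext
    than the caller's buffer holds. The remainder stays inside the library:
    the kernel socket is already empty, so select() does not report it.
    """

    def __init__(self, record_sizes):
        for size in record_sizes:
            if not 0 < size <= MAX_TLS_RECORD:
                raise ValueError(f"invalid TLS record size: {size}")
        self._wire = deque(record_sizes)  # records still in the socket buffer
        self._plain = 0                   # decrypted bytes not yet handed out

    def socket_readable(self):
        """What select() sees: only undecrypted records on the socket."""
        return bool(self._wire)

    def pending(self):
        """Decrypted bytes waiting inside the TLS layer."""
        return self._plain

    def read(self, bufsize):
        """Deliver at most bufsize plaintext bytes; return how many."""
        if self._plain == 0:
            if not self._wire:
                return 0
            self._plain = self._wire.popleft()  # decrypt one whole record
        taken = min(bufsize, self._plain)
        self._plain -= taken
        return taken


def receive(record_sizes, bufsize, drain_pending):
    """Run a select()-style loop: one read per socket readiness event.

    Returns a tuple of (bytes delivered to the application, pending counts
    observed right after a read, bytes stranded in the TLS layer once the
    socket is no longer readable).
    """
    if bufsize <= 0:
        raise ValueError("bufsize must be positive")
    tls = ModelTlsReader(record_sizes)
    delivered = 0
    pending_seen = []
    while tls.socket_readable():
        delivered += tls.read(bufsize)
        if tls.pending():
            pending_seen.append(tls.pending())  # the "byte pending" warning
        while drain_pending and tls.pending():
            delivered += tls.read(bufsize)      # read until the buffer is empty
    return delivered, pending_seen, tls.pending()


# Constructed sample: two full-size records, then a final 15460-byte record.
SAMPLE_RECORDS = [16384, 16384, 15460]

if __name__ == "__main__":
    for bufsize, drain in ((8192, False), (8192, True), (16384, False)):
        print(bufsize, drain, receive(SAMPLE_RECORDS, bufsize, drain))
```

With `drain_pending=False` the tail of the message stays stranded once the socket goes quiet, which is the stall that reading until the SSL read buffer is empty avoids; a 16384-byte buffer never leaves a remainder in this model.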

Re: [Assp-test] Very slow TLS sessions - Windows server

2016-06-10 Thread K Post
another thing to note, having restarted a couple of days ago with TLS off,
I see in the infostats GUI average CPU usage at 5%.
After updating with PPM, I did a server restart, turned on TLS, and sent
over a 11mb attachment from google.  CPU average usage at 27%.

On Fri, Jun 10, 2016 at 2:47 PM, K Post <nntp.p...@gmail.com> wrote:

> I gave updating via ppm a go, but I'm nearly certain that all libraries
> used by ASSP were already up to date.  Still right around 2MB per minute
> vs 75+ without TLS on.
>
> ppm log gave me only:
> 2016-06-10T14:04:47 <3> [InstallArea.pm:412] Rollback File conflict for 'C:/Perl/html/site/lib/ExtUtils/Command.html'. The package ExtUtils-Command has already installed a file that package ExtUtils-MakeMaker wants to install. at C:/Perl/lib/ActivePerl/PPM/InstallArea.pm line 573.
> 2016-06-10T14:04:47 <3> [ppm:1259] File conflict for 'C:/Perl/html/site/lib/ExtUtils/Command.html'. The package ExtUtils-Command has already installed a file that package ExtUtils-MakeMaker wants to install. at C:/Perl/lib/ActivePerl/PPM/InstallArea.pm line 573.
> 2016-06-10T14:14:59 <3> [InstallArea.pm:412] Rollback File conflict for 'C:/Perl/html/site/lib/CGI/Carp.html'. The package CGI.pm has already installed a file that package CGI wants to install. at C:/Perl/lib/ActivePerl/PPM/InstallArea.pm line 573.
> 2016-06-10T14:14:59 <3> [ppm:1259] File conflict for 'C:/Perl/html/site/lib/CGI/Carp.html'. The package CGI.pm has already installed a file that package CGI wants to install. at C:/Perl/lib/ActivePerl/PPM/InstallArea.pm line 573.
>
> Nothing notable there right?
>
> Are you using ActiveState perl?  If so, what version?
>
> Does OpenSSL come in to play at all?  I know that's needed for generating
> certificates, and is listed as an ASSP requirement, but is it used in TLS
> transmissions or is that all on the perl libraries?  Are you using OpenSSL
> - if so what version and from where.  I've got the Shining light compiled
> binaries installed.
>
> The backend mail server (hmailserver which ultimately passes most mail
> onto exchange) isn't configured with SSL. That's the same server that's
> used for non-TLS sessions (obviously).  Can you explain what that server
> could be doing to slow down TLS sessions to ASSP?
>
> I'm really at a loss here.  Keeping TLS off isn't a real option, but
> turning it on with this speed isn't realistic.  Thanks all for your input!
>
> On Fri, Jun 10, 2016 at 2:43 AM, Grayhat <gray...@gmx.net> wrote:
>
>> :: On Thu, 9 Jun 2016 12:37:26 -0400
>> :: <CALhpkAnBjGc9rn+JhT2Oe2SK4hrVhkEQG928s5V=bed7p+e...@mail.gmail.com>
>> :: K Post <nntp.p...@gmail.com> wrote:
>>
>> > Windows 2012 R2
>> > the certificate is a 2048 bit RSA cert
>> >
>> > SSL_Version is SSLv23:!SSLv3:!SSLv2
>> > Cipher list is
>> > kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED
>>
>> now, this is strange, I'm running the latest ASSP on a windows box
>> using the same ciphers as above and never noticed such a slowdown
>> affecting encrypted connections
>>
>> Try running a
>>
>> ppm upgrade --install
>>
>> on the box, then, once the upgrade completes, run a
>>
>> ppm log --errors 60
>>
>> check for errors, fix them and rerun the upgrade; also, are you sure
>> the issue isn't caused by the backend mailserver ? I know it sounds
>> a bit strange but I'd try checking that portion of the chain too
>>
>>
>>


Re: [Assp-test] Very slow TLS sessions - Windows server

2016-06-10 Thread K Post
I gave updating via ppm a go, but I'm nearly certain that all libraries
used by ASSP were already up to date.  Still right around 2MB per minute
vs 75+ without TLS on.

ppm log gave me only:
2016-06-10T14:04:47 <3> [InstallArea.pm:412] Rollback File conflict for 'C:/Perl/html/site/lib/ExtUtils/Command.html'. The package ExtUtils-Command has already installed a file that package ExtUtils-MakeMaker wants to install. at C:/Perl/lib/ActivePerl/PPM/InstallArea.pm line 573.
2016-06-10T14:04:47 <3> [ppm:1259] File conflict for 'C:/Perl/html/site/lib/ExtUtils/Command.html'. The package ExtUtils-Command has already installed a file that package ExtUtils-MakeMaker wants to install. at C:/Perl/lib/ActivePerl/PPM/InstallArea.pm line 573.
2016-06-10T14:14:59 <3> [InstallArea.pm:412] Rollback File conflict for 'C:/Perl/html/site/lib/CGI/Carp.html'. The package CGI.pm has already installed a file that package CGI wants to install. at C:/Perl/lib/ActivePerl/PPM/InstallArea.pm line 573.
2016-06-10T14:14:59 <3> [ppm:1259] File conflict for 'C:/Perl/html/site/lib/CGI/Carp.html'. The package CGI.pm has already installed a file that package CGI wants to install. at C:/Perl/lib/ActivePerl/PPM/InstallArea.pm line 573.

Nothing notable there right?

Are you using ActiveState perl?  If so, what version?

Does OpenSSL come in to play at all?  I know that's needed for generating
certificates, and is listed as an ASSP requirement, but is it used in TLS
transmissions or is that all on the perl libraries?  Are you using OpenSSL
- if so what version and from where.  I've got the Shining light compiled
binaries installed.

The backend mail server (hmailserver which ultimately passes most mail onto
exchange) isn't configured with SSL. That's the same server that's used for
non-TLS sessions (obviously).  Can you explain what that server could be
doing to slow down TLS sessions to ASSP?

I'm really at a loss here.  Keeping TLS off isn't a real option, but
turning it on with this speed isn't realistic.  Thanks all for your input!

On Fri, Jun 10, 2016 at 2:43 AM, Grayhat <gray...@gmx.net> wrote:

> :: On Thu, 9 Jun 2016 12:37:26 -0400
> :: <CALhpkAnBjGc9rn+JhT2Oe2SK4hrVhkEQG928s5V=bed7p+e...@mail.gmail.com>
> :: K Post <nntp.p...@gmail.com> wrote:
>
> > Windows 2012 R2
> > the certificate is a 2048 bit RSA cert
> >
> > SSL_Version is SSLv23:!SSLv3:!SSLv2
> > Cipher list is
> > kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+RC4:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!CAMELLIA128:!IDEA:!SEED
>
> now, this is strange, I'm running the latest ASSP on a windows box
> using the same ciphers as above and never noticed such a slowdown
> affecting encrypted connections
>
> Try running a
>
> ppm upgrade --install
>
> on the box, then, once the upgrade completes, run a
>
> ppm log --errors 60
>
> check for errors, fix them and rerun the upgrade; also, are you sure
> the issue isn't caused by the backend mailserver ? I know it sounds
> a bit strange but I'd try checking that portion of the chain too
>
>
>


Re: [Assp-test] Very slow TLS sessions - Windows server

2016-06-10 Thread K Post
Gooegg - We don't use this (virtual) machine for anything other than ASSP,
but I tested with Chrome and IE and see no issues browsing HTTPS sites.  I
wouldn't even begin to know where to start looking in Wireshark.  I've used
it for sniffing here and there, but don't know enough about tls/ssl to know
what is normal vs what's not re captured packets.

On Fri, Jun 10, 2016 at 9:31 AM, Gooegg <sysad...@satelcom.qc.ca> wrote:

> Maybe the root of the problem is not directly related to ASSP/LibSSL.  I
> would suggest you to try to run Wireshark on that box at
> one point, as there may be excessive retransmission or packet
> fragmentation on the network link.  Have you noticed if HTTPS sites
> are much slower than plain HTTP sites while browsing from that machine? If
> so, the problem may be caused by a bad Ethernet link.
> Defective hardware, incorrect link negotiation or port configuration on
> your NIC, switch or router can sometimes kill SSL/TLS
> performance while leaving plain traffic mostly unaffected.
>
> Gooegg
>
>
> On 2016-06-09 at 12:52, Thomas Eckardt wrote:
> > Windows 2012 R2 has at least a system TCP receive and send buffer of 64KB.
> >
> > The max frame size for SSL is 16384 byte (16KB). If you set the SSL
> > receive buffer for assp to 8192 , there will be 8192 byte left in the
> > SSL-read-buffer after reading - assp warns about this and reads until the
> > SSL-read-buffer is empty.
> > Setting the TCP-buffer size in assp lower than the system buffer size will
> > lead in to a performance penalty.
> > Setting the SSL- buffer size in assp above 16KB may lead into
> > renegotiation problems (SSL want a read/write first) - 16KB is a safe
> > setting - higher values will improve performance in most cases.
> >
> > Thomas
> >
> >
> >
> > From: K Post <nntp.p...@gmail.com>
> > To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> > Date: 09.06.2016 18:30
> > Subject: Re: [Assp-test] Very slow TLS sessions - Windows server
> >
> >
> >
> > Also, I tried setting all to 8192 and got lots of messages in the log like
> > warning: there are 7268 byte pending in SSL buffer - this should not happen
> >
> > Turned tls off again for now.
> >
> >
> >
> > On Thu, Jun 9, 2016 at 10:52 AM, K Post <nntp.p...@gmail.com> wrote:
> >
> >> Updated to the newest version.
> >>
> >> When I did
> >> sslrcv = 0, sslsnd=0
> >> I get, in green:
> >>
> >> *** Updated TCPBufferSize - TCP Receive Buffer is set to 65536 byte (note
> >> missing line break)
> >> *TCPBufferSize - TCP Send Buffer is set to 65536 byte*
> >> *TCPBufferSize - SSL Receive Buffer is set to 65536 byte*
> >> *TCPBufferSize - SSL Send Buffer is set to 65536 byte*
> >>
> >> With those settings and TLS back on, it's transferring at around 1.25MB
> >> per minute.   That ONE test is slightly better than before, but still
> >> pretty bad.
> >>
> >>
> >> I tried setting all 4 to 1024000, but can't.  When I copy in what you
> >> typed, I get a javascript popup saying
> >> *Invalid 'TCPBufferSize' - unchanged*
> >>
> >> and in the GUI under TCPBufferSize there's a red error message:
> >>  Invalid: 'tcprcv = 1024000 , tcpsnd = 1024000 ,sslrcv = 1024000,
> >> sslsnd = 1024000' (check returned '')*
> >>
> >> I tried with the comma right after 1024000 and more traditional spacing,
> >> same warning.
> >>
> >> The GUI says max value is 999,999 but you've got 1,024,000   *I don't
> >> know if you mean just 1024, added a zero or what...*
> >>
> >> *THANK YOU*
> >>
> >>
> >>
> >> On Thu, Jun 9, 2016 at 4:40 AM, Thomas Eckardt
> >> <thomas.ecka...@thockar.com> wrote:
> >>> Install 2.5.2(16158)
> >>> set 'TCPBufferSize' to : sslrcv = 0, sslsnd = 0
> >>>
> >>> tell me if TLS speed is better or not
> >>>
> >>>
> >>> set 'TCPBufferSize' to : tcprcv = 1024000 , tcpsnd = 1024000 ,sslrcv =
> >>> 1024000, sslsnd = 1024000
> >>>
> >>> are there any performance improvements?
> >>>
> >>> Thomas
> >>>
> >>>
> >>>
> >>> From: K Post <nntp.p...@gmail.com>
> >>> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> >>> Date:  02.06.2016 04:55
> >>> Betre

Re: [Assp-test] Very slow TLS sessions - Windows server

2016-06-09 Thread K Post
and no, no other AV on the machine.

On Thu, Jun 9, 2016 at 11:31 AM, Grayhat  wrote:

> :: On Thu, 9 Jun 2016 17:27:28 +0200
> :: <20160609172728.0...@gmx.net>
> :: Grayhat  wrote:
>
> > also, what OS are you running on ?
>
> I mean windows version, btw; also, is the box also running an AV (other
> than the ClamD used by ASSP) and if yes, which one ?
>
>
>
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test


Re: [Assp-test] Very slow TLS sessions - Windows server

2016-06-09 Thread K Post
Also, I tried setting all to 8192 and got lots of messages in the log like
warning: there are 7268 byte pending in SSL buffer - this should not happen

Turned tls off again for now.



On Thu, Jun 9, 2016 at 10:52 AM, K Post <nntp.p...@gmail.com> wrote:

> Updated to the newest version.
>
> When I did
> sslrcv = 0, sslsnd=0
> I get, in green:
>
> *** Updated TCPBufferSize - TCP Receive Buffer is set to 65536 byte(note
> missing line break)
> *TCPBufferSize - TCP Send Buffer is set to 65536 byte*
> *TCPBufferSize - SSL Receive Buffer is set to 65536 byte*
> *TCPBufferSize - SSL Send Buffer is set to 65536 byte*
>
> With those settings and TLS back on, it's transferring at around 1.25MB
> per minute.   That ONE test is slightly better than before, but still
> pretty bad.
>
>
> I tried setting all 4 to 1024000, but can't.  When I copy in what you
> typed, I get a javascript popup saying
> *Invalid 'TCPBufferSize' - unchanged*
>
> and in the GUI under TCPBufferSize there's a red error message:
>  Invalid: 'tcprcv = 1024000 , tcpsnd = 1024000 ,sslrcv = 1024000,
> sslsnd = 1024000' (check returned '')*
>
> I tried with the comma right after 1024000 and more traditional spacing,
> same warning.
>
> The GUI says max value is 999,999 but you've got 1,024,000   *I don't
> know if you mean just 1024, added a zero or what...*
>
> *THANK YOU*
>
>
>
> On Thu, Jun 9, 2016 at 4:40 AM, Thomas Eckardt
> <thomas.ecka...@thockar.com> wrote:
>
>> Install 2.5.2(16158)
>> set 'TCPBufferSize' to : sslrcv = 0, sslsnd = 0
>>
>> tell me if TLS speed is better or not
>>
>>
>> set 'TCPBufferSize' to : tcprcv = 1024000 , tcpsnd = 1024000 ,sslrcv =
>> 1024000, sslsnd = 1024000
>>
>> are there any performance improvements?
>>
>> Thomas
>>
>>
>>
>> From: K Post <nntp.p...@gmail.com>
>> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date:  02.06.2016 04:55
>> Subject: Re: [Assp-test] Very slow TLS sessions - Windows server
>>
>>
>>
>> Could this be the problem?  Is OpenSSL even used by ASSP for receiving
>> email? I feel like it's not, but thought I'd put this out there.
>>
>> OpenSSL 1.0.1h 1.0.1h / 0.9.8
>> OpenSSL-lib 1.0.2g 1 Mar 2016 1.0.2g / 1.0.1h
>>
>> I have OpenSSL binaries installed in c:\openssl, and that is 1.0.2g from
>> https://slproweb.com/products/Win32OpenSSL.html
>>
>> I don't know what 1.0.1h OpenSSL ASSP is seeing. Can you tell me what
>> would
>> need to be updated to make that be 1.0.2g AND DO WE CARE?
>>
>> Could that version mismatch be causing the terrible slowness when
>> receiving
>> large attachments?
>>
>>
>> I looked through all other modules, they're all at or later than the
>> recommended minimum version (updated through Activestate's PPM)
>>
>> For now I've got TLS off, but that's not viable long term.
>>
>> Oh and there appears to be plenty of processing power on this machine (12
>> cores, 2+ ghz, 32gb ram)
>>
>>
>> THANK YOU
>>
>>
>>
>> On Wed, Jun 1, 2016 at 12:25 PM, K Post <nntp.p...@gmail.com> wrote:
>>
>> > also, with DoTLS set to drop, the WebUI is 500% faster.  Doing searches in
>> > maillog returns results like a dream!
>> >
>> > On Wed, Jun 1, 2016 at 12:11 PM, K Post <nntp.p...@gmail.com> wrote:
>> >
>> >> Running 16142, though I suspect this problem has been going on for a
>> >> while now.
>> >> Windows.
>> >>
>> >> I just discovered that large inbound emails (big attachments say over
>> >> 10mb) that use TLS connections are taking forever to complete.  For
>> >> example, a 13mb email from a gmail.com address (and confirm coming from
>> >> google servers) took over 15 minutes to complete.
>> >>
>> >> In my testing, I found that changing DoTLS to Drop lets large emails come
>> >> through nice and fast.  A 10mb attachment took over 12 minutes before, now
>> >> it's just a couple of seconds with TLS off.
>> >>
>> >> The powers that be want encryption on (and so do I).  I'm okay with slow,
>> >> but gmail specifically has a warning to its users after 899.9 seconds (15
>> >> minutes).  If it takes longer than that, they get a delay warning which
>> >> causes all kinds of confusion.
>> >>
>> >> Any suggestions on how to figure out what's taking so

Re: [Assp-test] Very slow TLS sessions - Windows server

2016-06-09 Thread K Post
Updated to the newest version.

When I did
sslrcv = 0, sslsnd=0
I get, in green:

*** Updated TCPBufferSize - TCP Receive Buffer is set to 65536 byte(note
missing line break)
*TCPBufferSize - TCP Send Buffer is set to 65536 byte*
*TCPBufferSize - SSL Receive Buffer is set to 65536 byte*
*TCPBufferSize - SSL Send Buffer is set to 65536 byte*

With those settings and TLS back on, it's transferring at around 1.25MB per
minute.   That ONE test is slightly better than before, but still pretty
bad.


I tried setting all 4 to 1024000, but can't.  When I copy in what you
typed, I get a javascript popup saying
*Invalid 'TCPBufferSize' - unchanged*

and in the GUI under TCPBufferSize there's a red error message:
 Invalid: 'tcprcv = 1024000 , tcpsnd = 1024000 ,sslrcv = 1024000,
sslsnd = 1024000' (check returned '')*

I tried with the comma right after 1024000 and more traditional spacing,
same warning.

The GUI says max value is 999,999 but you've got 1,024,000   *I don't know
if you mean just 1024, added a zero or what...*

*THANK YOU*



On Thu, Jun 9, 2016 at 4:40 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> Install 2.5.2(16158)
> set 'TCPBufferSize' to : sslrcv = 0, sslsnd = 0
>
> tell me if TLS speed is better or not
>
>
> set 'TCPBufferSize' to : tcprcv = 1024000 , tcpsnd = 1024000 ,sslrcv =
> 1024000, sslsnd = 1024000
>
> are there any performance improvements?
>
> Thomas
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:  02.06.2016 04:55
> Subject: Re: [Assp-test] Very slow TLS sessions - Windows server
>
>
>
> Could this be the problem?  Is OpenSSL even used by ASSP for receiving
> email? I feel like it's not, but thought I'd put this out there.
>
> OpenSSL 1.0.1h 1.0.1h / 0.9.8
> OpenSSL-lib 1.0.2g 1 Mar 2016 1.0.2g / 1.0.1h
>
> I have OpenSSL binaries installed in c:\openssl, and that is 1.0.2g from
> https://slproweb.com/products/Win32OpenSSL.html
>
> I don't know what 1.0.1h OpenSSL ASSP is seeing. Can you tell me what
> would
> need to be updated to make that be 1.0.2g AND DO WE CARE?
>
> Could that version mismatch be causing the terrible slowness when
> receiving
> large attachments?
>
>
> I looked through all other modules, they're all at or later than the
> recommended minimum version (updated through Activestate's PPM)
>
> For now I've got TLS off, but that's not viable long term.
>
> Oh and there appears to be plenty of processing power on this machine (12
> cores, 2+ ghz, 32gb ram)
>
>
> THANK YOU
>
>
>
> On Wed, Jun 1, 2016 at 12:25 PM, K Post <nntp.p...@gmail.com> wrote:
>
> > also, with DoTLS set to drop, the WebUI is 500% faster.  Doing searches in
> > maillog returns results like a dream!
> >
> > On Wed, Jun 1, 2016 at 12:11 PM, K Post <nntp.p...@gmail.com> wrote:
> >
> >> Running 16142, though I suspect this problem has been going on for a
> >> while now.
> >> Windows.
> >>
> >> I just discovered that large inbound emails (big attachments say over
> >> 10mb) that use TLS connections are taking forever to complete.  For
> >> example, a 13mb email from a gmail.com address (and confirm coming from
> >> google servers) took over 15 minutes to complete.
> >>
> >> In my testing, I found that changing DoTLS to Drop lets large emails come
> >> through nice and fast.  A 10mb attachment took over 12 minutes before, now
> >> it's just a couple of seconds with TLS off.
> >>
> >> The powers that be want encryption on (and so do I).  I'm okay with slow,
> >> but gmail specifically has a warning to its users after 899.9 seconds (15
> >> minutes).  If it takes longer than that, they get a delay warning which
> >> causes all kinds of confusion.
> >>
> >> Any suggestions on how to figure out what's taking so long with TLS on?
> >> All modules up to date.
> >>
> >> Thank you.
> >>
> >>
> >>
> >>
> >>
> >>
> >
>

Re: [Assp-test] Very slow TLS sessions - Windows server

2016-06-01 Thread K Post
Could this be the problem?  Is OpenSSL even used by ASSP for receiving
email? I feel like it's not, but thought I'd put this out there.

OpenSSL 1.0.1h 1.0.1h / 0.9.8
OpenSSL-lib 1.0.2g 1 Mar 2016 1.0.2g / 1.0.1h

I have OpenSSL binaries installed in c:\openssl, and that is 1.0.2g from
https://slproweb.com/products/Win32OpenSSL.html

I don't know what 1.0.1h OpenSSL ASSP is seeing. Can you tell me what would
need to be updated to make that be 1.0.2g AND DO WE CARE?

Could that version mismatch be causing the terrible slowness when receiving
large attachments?


I looked through all other modules, they're all at or later than the
recommended minimum version (updated through Activestate's PPM)

For now I've got TLS off, but that's not viable long term.

Oh and there appears to be plenty of processing power on this machine (12
cores, 2+ ghz, 32gb ram)


THANK YOU



On Wed, Jun 1, 2016 at 12:25 PM, K Post <nntp.p...@gmail.com> wrote:

> also, with DoTLS set to drop, the WebUI is 500% faster.  Doing searches in
> maillog returns results like a dream!
>
> On Wed, Jun 1, 2016 at 12:11 PM, K Post <nntp.p...@gmail.com> wrote:
>
>> Running 16142, though I suspect this problem has been going on for a
>> while now.
>> Windows.
>>
>> I just discovered that large inbound emails (big attachments say over
>> 10mb) that use TLS connections are taking forever to complete.  For
>> example, a 13mb email from a gmail.com address (and confirm coming from
>> google servers) took over 15 minutes to complete.
>>
>> In my testing, I found that changing DoTLS to Drop lets large emails come
>> through nice and fast.  A 10mb attachment took over 12 minutes before, now
>> it's just a couple of seconds with TLS off.
>>
>> The powers that be want encryption on (and so do I).  I'm okay with slow,
>> but gmail specifically has a warning to its users after 899.9 seconds (15
>> minutes).  If it takes longer than that, they get a delay warning which
>> causes all kinds of confusion.
>>
>> Any suggestions on how to figure out what's taking so long with TLS on?
>> All modules up to date.
>>
>> Thank you.
>>
>>
>>
>>
>>
>>
>


Re: [Assp-test] Very slow TLS sessions - Windows server

2016-06-01 Thread K Post
also, with DoTLS set to drop, the WebUI is 500% faster.  Doing searches in
maillog returns results like a dream!

On Wed, Jun 1, 2016 at 12:11 PM, K Post <nntp.p...@gmail.com> wrote:

> Running 16142, though I suspect this problem has been going on for a while
> now.
> Windows.
>
> I just discovered that large inbound emails (big attachments say over
> 10mb) that use TLS connections are taking forever to complete.  For
> example, a 13mb email from a gmail.com address (and confirm coming from
> google servers) took over 15 minutes to complete.
>
> In my testing, I found that changing DoTLS to Drop lets large emails come
> through nice and fast.  A 10mb attachment took over 12 minutes before, now
> it's just a couple of seconds with TLS off.
>
> The powers that be want encryption on (and so do I).  I'm okay with slow,
> but gmail specifically has a warning to its users after 899.9 seconds (15
> minutes).  If it takes longer than that, they get a delay warning which
> causes all kinds of confusion.
>
> Any suggestions on how to figure out what's taking so long with TLS on?
> All modules up to date.
>
> Thank you.
>
>
>
>
>
>


Re: [Assp-test] SSL Proxy and TLS support

2016-06-01 Thread K Post
sorry, wrong thread.

On Wed, Jun 1, 2016 at 12:24 PM, K Post <nntp.p...@gmail.com> wrote:

> also, with DoTLS set to drop, the WebUI is 500% faster.  Doing searches in
> maillog returns results like a dream!
>
> On Thu, May 26, 2016 at 6:33 AM, Martin Voßloh <martin.voss...@mhp.com>
> wrote:
>
>> (BanFailedSSLIP)
>> (noBanFailedSSLIP)
>>
>> Hello,
>>
>> I only have trouble with some big senders and their huge mail incoming
>> over TLS.
>> The IPs are now on my noBanFailedSSLIP and it is working again.
>>
>> Could I see (debug) a reason why some sender IPs are listed on
>> "DB-SSLfailed"?
>>
>> Regards
>> Martin
>>
>>
>>
>>
>>
>>
>>
>
>


Re: [Assp-test] SSL Proxy and TLS support

2016-06-01 Thread K Post
also, with DoTLS set to drop, the WebUI is 500% faster.  Doing searches in
maillog returns results like a dream!

On Thu, May 26, 2016 at 6:33 AM, Martin Voßloh 
wrote:

> (BanFailedSSLIP)
> (noBanFailedSSLIP)
>
> Hello,
>
> I only have trouble with some big senders and their huge mail incoming
> over TLS.
> The IPs are now on my noBanFailedSSLIP and it is working again.
>
> Could I see (debug) a reason why some sender IPs are listed on
> "DB-SSLfailed"?
>
> Regards
> Martin
>
>
>
>
>
>
>
>


[Assp-test] Very slow TLS sessions - Windows server

2016-06-01 Thread K Post
Running 16142, though I suspect this problem has been going on for a while
now.
Windows.

I just discovered that large inbound emails (big attachments say over 10mb)
that use TLS connections are taking forever to complete.  For example, a
13mb email from a gmail.com address (and confirm coming from google
servers) took over 15 minutes to complete.

In my testing, I found that changing DoTLS to Drop lets large emails come
through nice and fast.  A 10mb attachment took over 12 minutes before, now
it's just a couple of seconds with TLS off.

The powers that be want encryption on (and so do I).  I'm okay with slow,
but gmail specifically has a warning to its users after 899.9 seconds (15
minutes).  If it takes longer than that, they get a delay warning which
causes all kinds of confusion.

Any suggestions on how to figure out what's taking so long with TLS on?
All modules up to date.

Thank you.


Re: [Assp-test] urgent please help - DKIMgen (stuck)

2016-06-01 Thread K Post
Restarting ASSP seemed to resolve it.
Haven't ever seen that before and I'm fine writing it off as an
anomaly, but any idea as to what could have caused that?

On Wed, Jun 1, 2016 at 10:25 AM, K Post <nntp.p...@gmail.com> wrote:

> out of the blue, workers are getting stuck with
> DKIMgen (stuck)
>
> Don't know what to do.
>
>


[Assp-test] urgent please help - DKIMgen (stuck)

2016-06-01 Thread K Post
out of the blue, workers are getting stuck with
DKIMgen (stuck)

Don't know what to do.


Re: [Assp-test] preHeaderRe not working as expected, Chinese hack attempts HEAD /favicon.ico HTTP/1.0

2016-05-16 Thread K Post
We could do a 421 or 521 but with whatever message we wanted, like simply
"terminated."  That way malicious actors wouldn't be able to easily
identify ASSP as the one saying that.  A little security through obscurity
- but it's really not important.  If it's a pain to implement, don't.  not
worth it.

I understood the max errors idea, in terms of scoring the ip, but we don't
want to allow bad guys to do anything more once we catch them.  If we catch
the favicon request, we want to kill the connect right there (as ASSP
already does so well), but then stop them from connecting again...  I
figured ASSP could do this pretty easily by simply giving a bad score to
the IP, but again, if that's a pain to write, skip it.



On Mon, May 16, 2016 at 11:14 AM, Thomas Eckardt
<thomas.ecka...@thockar.com> wrote:

> >1) Give us the ability to customize the 421 message
>
> What else would you send? Reasonable and possibly better would be the
> permanent error - 521 
> I'll think about, if the permanent error is right in every state of the
> SMTP session.
>
> >2) Give us the ability to give the ip the extreme score so that future
>
> What was unclear in my answer?
>
> > No. preHeaderRe is designed and used to protect assp from dangerous
> > content. If a match is found for preHeaderRe, the connection is terminated
> > by processing a minimal code part.
> >
> > To score this misbehavior, let the client do the wrong things and catch
> > the misbehavior with 'MaxErrors'.
>
> Hmmm ... - the preHeaderRe check is done before a SMTP command or header
> content is processed by a SocketCall (check engine).  But only the check
> engine knows how and when to reply with the right Reply-Codes. preHeaderRe
> is a 'horror hack' to protect the assp check engine from dangerous content
> that may cause crashes.
> A normal scenario to configure preHeaderRe would be:
>
> - assp crashes several times because of misbehaved SMTP sessions or
> content
> - the crashAnalyzer was switched on
> - assp crashes several times because of misbehaved SMTP sessions or
> content
> - the crashAnalyzer has analyzed the misbehaved SMTP sessions or content
> and gives an advice to configure preHeaderRe
>
> 'MaxErrors' is the right way to penalize this misbehavior  (HEAD
> /favicon.ico HTTP/1.0) !
>
>
> Thomas
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:  16.05.2016 15:54
> Subject: Re: [Assp-test] preHeaderRe not working as expected,
> Chinese hack attempts HEAD /favicon.ico HTTP/1.0
>
>
>
> Thanks for working to fix this. Will you be changing it to send a close to
> our smtp server (or is that even necessary)?
>
> Would it be a big deal (and worthwhile) to:
>
> 1) Give us the ability to customize the 421 message
>
> 2) Give us the ability to give the ip the extreme score so that future
> attempts are outright ignored?   I really like being able to cut off badly
> acting servers right away, and if a server's going to be bad like that, it
> would be great to just block them right away so ultimately they'll leave
> us
> alone.  I think this would be a valuable addition to ASSP functionality,
> but it's not worth it if it would be cumbersome for you to implement or if
> it would impact performance.
>
>
>
> On Mon, May 16, 2016 at 3:22 AM, Thomas Eckardt
> <thomas.ecka...@thockar.com>
> wrote:
>
> > The 421 is sent to wrong peer for preHeaderRe - this will be fixed.
> >
> > >Also, is there a way to have specific matches from preHeaderRe make the ip
> > >score extreme right away
> >
> > No. preHeaderRe is designed and used to protect assp from dangerous
> > content. If a match is found for preHeaderRe, the connection is terminated
> > by processing a minimal code part.
> >
> > To score this misbehavior, let the client do the wrong things and catch
> > the misbehavior with 'MaxErrors'.
> >
> > Thomas
> >
> >
> >
> >
> >
> >
> > From: K Post <nntp.p...@gmail.com>
> > To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> > Date:  15.05.2016 18:02
> > Subject: [Assp-test] preHeaderRe not working as expected, Chinese
> > hack attempts HEAD /favicon.ico HTTP/1.0
> >
> >
> >
> > We're getting TONS of requests, all from Chinese IP's sending
> >
> > HEAD /favicon.ico HTTP/1.0
> > close
> > (and a blank line)
> >
> > through ASSP.  Essentially, our server says helo, their server responds
> > with the "head" line above, we

Re: [Assp-test] preHeaderRe not working as expected, Chinese hack attempts HEAD /favicon.ico HTTP/1.0

2016-05-16 Thread K Post
Thanks for working to fix this. Will you be changing it to send a close to
our smtp server (or is that even necessary)?

Would it be a big deal (and worthwhile) to:

1) Give us the ability to customize the 421 message

2) Give us the ability to give the ip the extreme score so that future
attempts are outright ignored?   I really like being able to cut off badly
acting servers right away, and if a server's going to be bad like that, it
would be great to just block them right away so ultimately they'll leave us
alone.  I think this would be a valuable addition to ASSP functionality,
but it's not worth it if it would be cumbersome for you to implement or if
it would impact performance.



On Mon, May 16, 2016 at 3:22 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> The 421 is sent to wrong peer for preHeaderRe - this will be fixed.
>
> >Also, is there a way to have specific matches from preHeaderRe make the ip
> >score extreme right away
>
> No. preHeaderRe is designed and used to protect assp from dangerous
> content. If a match is found for preHeaderRe, the connection is terminated
> by processing a minimal code part.
>
> To score this misbehavior, let the client do the wrong things and catch
> the misbehavior with 'MaxErrors'.
>
> Thomas
>
>
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:  15.05.2016 18:02
> Subject: [Assp-test] preHeaderRe not working as expected, Chinese
> hack attempts HEAD /favicon.ico HTTP/1.0
>
>
>
> We're getting TONS of requests, all from Chinese IP's sending
>
> HEAD /favicon.ico HTTP/1.0
> close
> (and a blank line)
>
> through ASSP.  Essentially, our server says helo, their server responds
> with the "head" line above, we say that's not valid, they say close, we
> say, that's not valid, they send a blank line, we say not valid, and they
> disconnect.
>
> I'm not sure what they're trying to accomplish, but it's happening...
>
> https://www.abuseipdb.com/check/219.145.184.210 has a similar report.
> https://www.abuseipdb.com/check/117.27.245.185
>
>
> I've added
> HEAD /favicon\.ico HTTP/1\.0
> to my preHeaderRe file thinking that this would stop our smtp server from
> receiving the command, and it does but not how I'd expect.
>
> Before, we were seeing this logged on our smtp server
> SENT 220 smtp.ourcharity.org
> RECEIVED: HEAD /favicon.ico HTTP/1.0
> SENT: 503 Bad sequence of commands
> RECEIVED: close
> SENT: 503 Bad sequence of commands
> RECEIVED: <-- blank line
> SENT: 503 Bad sequence of commands
>
> now we're getting
> SENT 220 smtp.ourcharity.org
> RECEIVED: 421 assp.ourcharity.org Service not available, closing
> transmission channel
> SENT: 503 Bad sequence of commands
>
> So it seems that ASSP is in fact stopping the hacker from sending the head
> line to our smtp server and terminating the session, but ASSP is sending
> the 421 to our server NOT (or not only) to the sending server.
>
> I don't know if this is by design, if I'm just not understanding, or what,
> but I was hoping that ASSP would
>
> 1) Intercept the bad HEAD /favicon\.ico HTTP/1\.0 line
>
> 2) send a "quit" command to our SMTP server to gracefully close the
> session
> without the unexpected 421 line that our smtp server doesn't know how to
> handle
>
> 3) send a 421 or whatever to the other smtp server saying to go away
>
>
> Also, is there a way to have specific matches from preHeaderRe make the ip
> score extreme right away  - or if that's even a good idea?  I was thinking
> of being able to add a weight to preHeaderRe or something along those
> lines
> to score the IP.
>
> Other suggestions or thoughts?  Are other people seeing this?
>
> Thanks.
>
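An added example, not part of the thread and not ASSP's own code: a small analyzer for SMTP server logs in the SENT/RECEIVED layout quoted in the message above. It flags sessions that open with an HTTP request line and sessions where a reply code arrives as a command (the misdirected 421). The log text is constructed from the lines in the post plus one made-up clean session, and `max_errors` is a hypothetical threshold for this sketch, not ASSP's MaxErrors setting.

```python
import re

# Constructed sample: the two transcripts from the post, then a made-up
# well-behaved session for contrast.
SAMPLE_LOG = """\
SENT 220 smtp.ourcharity.org
RECEIVED: HEAD /favicon.ico HTTP/1.0
SENT: 503 Bad sequence of commands
RECEIVED: close
SENT: 503 Bad sequence of commands
RECEIVED:
SENT: 503 Bad sequence of commands
SENT 220 smtp.ourcharity.org
RECEIVED: 421 assp.ourcharity.org Service not available, closing transmission channel
SENT: 503 Bad sequence of commands
SENT 220 smtp.ourcharity.org
RECEIVED: EHLO mail.example.net
SENT: 250 smtp.ourcharity.org
RECEIVED: QUIT
SENT: 221 closing
"""

# The post shows both "SENT 220 ..." and "SENT: 503 ...", so the colon is optional.
LINE_RE = re.compile(r"^(SENT|RECEIVED):?[ \t]*(.*)$")
HTTP_REQUEST_RE = re.compile(
    r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH)\s+\S+\s+HTTP/\d\.\d$",
    re.IGNORECASE,
)
REPLY_CODE_RE = re.compile(r"^\d{3}(?:[ -]|$)")
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
              "VRFY", "EXPN", "HELP", "STARTTLS", "AUTH", "BDAT"}


def classify_client_line(text):
    """Label one line the SMTP server received from its peer."""
    text = text.strip()
    if not text:
        return "blank"
    if HTTP_REQUEST_RE.match(text):
        return "http-request"
    if REPLY_CODE_RE.match(text):
        return "reply-as-command"   # e.g. a proxy's 421 sent to the wrong peer
    return "smtp" if text.split()[0].upper() in SMTP_VERBS else "unknown-verb"


def split_sessions(log_text):
    """Group (direction, text) pairs into sessions, one per 220 greeting."""
    sessions, last_client = [], ""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        direction, text = m.group(1), m.group(2)
        if direction == "SENT" and text.startswith("220"):
            # A 220 right after STARTTLS is the TLS go-ahead, not a new connection.
            if not last_client.upper().startswith("STARTTLS"):
                sessions.append([])
            last_client = ""
        if not sessions:
            continue                # ignore lines before the first greeting
        sessions[-1].append((direction, text))
        if direction == "RECEIVED":
            last_client = text
    return sessions


def analyze(log_text, max_errors=3):
    """Return one dict per session: client line kinds, 5xx count, verdict."""
    results = []
    for session in split_sessions(log_text):
        client = [classify_client_line(t) for d, t in session if d == "RECEIVED"]
        errors = sum(1 for d, t in session if d == "SENT" and re.match(r"5\d\d", t))
        if client and client[0] == "http-request":
            verdict = "http-probe"
        elif "reply-as-command" in client:
            verdict = "misdirected-reply"
        elif errors >= max_errors:
            verdict = "too-many-errors"
        else:
            verdict = "ok"
        results.append({"client": client, "errors": errors, "verdict": verdict})
    return results


if __name__ == "__main__":
    for number, result in enumerate(analyze(SAMPLE_LOG), 1):
        print(number, result["verdict"], result["errors"], result["client"])
```
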

[Assp-test] preHeaderRe not working as expected, Chinese hack attempts HEAD /favicon.ico HTTP/1.0

2016-05-15 Thread K Post
We're getting TONS of requests, all from Chinese IP's sending

HEAD /favicon.ico HTTP/1.0
close
(and a blank line)

through ASSP.  Essentially, our server says helo, their server responds
with the "head" line above, we say that's not valid, they say close, we
say, that's not valid, they send a blank line, we say not valid, and they
disconnect.

I'm not sure what they're trying to accomplish, but it's happening...

https://www.abuseipdb.com/check/219.145.184.210 has a similar report.
https://www.abuseipdb.com/check/117.27.245.185


I've added
HEAD /favicon\.ico HTTP/1\.0
to my preHeaderRe file thinking that this would stop our smtp server from
receiving the command, and it does but not how I'd expect.

Before, we were seeing this logged on our smtp server
SENT 220 smtp.ourcharity.org
RECEIVED: HEAD /favicon.ico HTTP/1.0
SENT: 503 Bad sequence of commands
RECEIVED: close
SENT: 503 Bad sequence of commands
RECEIVED: <-- blank line
SENT: 503 Bad sequence of commands

now we're getting
SENT 220 smtp.ourcharity.org
RECEIVED: 421 assp.ourcharity.org Service not available, closing
transmission channel
SENT: 503 Bad sequence of commands

So it seems that ASSP is in fact stopping the hacker from sending the head
line to our smtp server and terminating the session, but ASSP is sending
the 421 to our server NOT (or not only) to the sending server.

I don't know if this is by design, if I'm just not understanding, or what,
but I was hoping that ASSP would

1) Intercept the bad HEAD /favicon\.ico HTTP/1\.0 line

2) send a "quit" command to our SMTP server to gracefully close the session
without the unexpected 421 line that our smtp server doesn't know how to
handle

3) send a 421 or whatever to the other smtp server saying to go away


Also, is there a way to have specific matches from preHeaderRe make the ip
score extreme right away  - or if that's even a good idea?  I was thinking
of being able to add a weight to preHeaderRe or something along those lines
to score the IP.

Other suggestions or thoughts?  Are other people seeing this?

Thanks.
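The backend log pattern described in this post, as an added example that is not part of the original message and is not ASSP code: a Python sketch that splits a log in the quoted SENT/RECEIVED format into sessions and classifies the first line the backend received, so HTTP request lines and stray reply codes (the 421 case) stand out. The sample log is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the SENT/RECEIVED format quoted in the post (not real traffic).
# Session 1: the HTTP probe reaches the backend. Session 2: the 421 arrives at the
# backend after the preHeaderRe entry was added. Session 3: an ordinary SMTP client.
SAMPLE_LOG = """\
SENT 220 smtp.ourcharity.org
RECEIVED: HEAD /favicon.ico HTTP/1.0
SENT: 503 Bad sequence of commands
RECEIVED: close
SENT: 503 Bad sequence of commands
RECEIVED:
SENT: 503 Bad sequence of commands
SENT 220 smtp.ourcharity.org
RECEIVED: 421 assp.ourcharity.org Service not available, closing transmission channel
SENT: 503 Bad sequence of commands
SENT 220 smtp.ourcharity.org
RECEIVED: EHLO mail.example.net
SENT: 250 smtp.ourcharity.org
RECEIVED: QUIT
SENT: 221 closing
"""

# The quoted log writes "SENT 220 ..." without a colon and "SENT: 503 ..." with one.
LINE_RE = re.compile(r"^(SENT|RECEIVED)(?::\s?|\s)(.*)$")
HTTP_REQUEST_RE = re.compile(
    r"^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/\d\.\d$")
SMTP_REPLY_RE = re.compile(r"^[2-5]\d\d(?:[ -]|$)")
SMTP_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT",
              "VRFY", "EXPN", "HELP", "STARTTLS", "AUTH"}
# The expression the poster added to preHeaderRe, copied from the post.
PRE_HEADER_RE = re.compile(r"HEAD /favicon\.ico HTTP/1\.0")


def split_sessions(log_text):
    """Group log lines into sessions; each 220 banner starts a new session."""
    sessions = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        direction, text = m.group(1), m.group(2).strip()
        if direction == "SENT" and text.startswith("220"):
            sessions.append([])
        if sessions:
            sessions[-1].append((direction, text))
    return sessions


def classify(text):
    """Say what kind of line the backend received from its peer."""
    if text == "":
        return "empty"
    if HTTP_REQUEST_RE.match(text):
        return "http-request"   # a web client or scanner talking to the SMTP port
    if SMTP_REPLY_RE.match(text):
        return "smtp-reply"     # a reply code arriving where a command belongs
    if text.split()[0].upper() in SMTP_VERBS:
        return "smtp"
    return "other"


def analyse(log_text):
    """Summarise each session: first received line, its kind, and 503 count."""
    report = []
    for session in split_sessions(log_text):
        received = [t for d, t in session if d == "RECEIVED"]
        first = received[0] if received else None
        report.append({
            "first": first,
            "kind": classify(first) if first is not None else "none",
            "rejects": sum(1 for d, t in session
                           if d == "SENT" and t.startswith("503")),
            "pre_header_hit": any(PRE_HEADER_RE.search(t) for t in received),
        })
    return report


if __name__ == "__main__":
    for number, entry in enumerate(analyse(SAMPLE_LOG), start=1):
        print(number, entry["kind"], entry["rejects"], repr(entry["first"]))
```

A session whose first received line is classified `smtp-reply` is the situation reported above, where the 421 ends up at the backend server.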


Re: [Assp-test] 7-zip vulnerability

2016-05-15 Thread K Post
Excellent.  We'll just deny 7zip for now until the library is patched.
Probably overkill in terms of security, but is there really such a thing?

Thanks.

On Sun, May 15, 2016 at 3:36 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> Type detection (and possibly decompression + detection) is every time done
> before a virus scan. Both have nothing to do with each other.
> ASSP_AFC every time sends the MIME decoded content of the attachment to
> the virus scanner (not the decompressed content!)
> The decompression engine used by the virus scanner is not controlled by
> ASSP_AFC.
>
>
> 1) Yes
> 2) A 7z executable is only used, if Archive::Rar::Passthrough is installed
> and 'libarchive' (Archive::Libarchive::XS) is not installed or a 7z unique
> compression mode is used.
>    In any case it is recommended to install Archive::Libarchive::XS to
> prevent assp from calling system executables.
>
> Thomas
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 15.05.2016 01:32
> Subject: Re: [Assp-test] 7-zip vulnerability
>
>
>
> Right, but what's to stop a malicious actor from emailing a TINY infected
> one of these inside a .7zip file?
>
> Curious:
> 1) Is ASSP able to detect .7z files as a type.  I'm talking about it
> knowing that a 7-zip file that is emailed using a random extension like
> .bla being caught as a prohibited type regardless of the extension.
>
> 2) If we prohibit all .7z files, will the content type be detected BEFORE
> the file is scanned by ClamAV (and thereby opened by the 7-zip
> executable)?
>
>
> On Fri, May 13, 2016 at 12:04 PM, Thomas Eckardt
> <thomas.ecka...@thockar.com
> > wrote:
>
> > Never saw a DVD-Video, DVD-Audio or HFS+ emailed.
> >
> > Thomas
> >
> >
> >
> >
> >
> > From: K Post <nntp.p...@gmail.com>
> > To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> > Date: 13.05.2016 17:55
> > Subject: [Assp-test] 7-zip vulnerability
> >
> >
> >
> > I always worry when software calls other software
> >
> > Now that ASSP supports 7-zip, what can we do to insure we're protected?
> > http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
> >
> > Is it just a matter of waiting for the libraries to be updated?
> >
> >
>
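The ordering described in the quoted reply (type detection on the MIME-decoded attachment before anything is handed to the virus scanner) and the extension-independent detection asked about in question 1, as an added Python illustration that is not ASSP_AFC code. The deny list, the function names and the sample message are assumptions constructed for the example; the attachment bytes are only a header stub, not a working archive.

```python
import email
from email import policy
from email.message import EmailMessage

# Leading magic bytes of the archive formats discussed on this list.
MAGIC = {
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",      # common prefix of the RAR 4 and RAR 5 signatures
    b"PK\x03\x04": "zip",
}

# Hypothetical local policy: refuse 7z outright, as the poster decided to do.
DENIED_TYPES = {"7z"}


def sniff_type(data):
    """Return the archive type named by the leading bytes, or None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def check_message(raw_message, denied=DENIED_TYPES):
    """Decide per attachment before any decompression or scanning happens.

    Returns (filename, detected_type, decision) tuples. "deny" means the
    attachment is refused on content type alone; "scan" means the
    MIME-decoded bytes would go on to the virus scanner.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""   # undo base64 / QP
        detected = sniff_type(data)
        decision = "deny" if detected in denied else "scan"
        results.append((part.get_filename(), detected, decision))
    return results


def build_sample():
    """Constructed message: a 7z header stub named .bla, and plain text named .7z."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    stub = b"7z\xbc\xaf\x27\x1c" + b"\x00\x04" + b"\x00" * 16
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename="invoice.bla")
    msg.add_attachment(b"just text", maintype="application",
                       subtype="octet-stream", filename="notes.7z")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, detected, decision in check_message(build_sample()):
        print(name, detected, decision)
```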

Re: [Assp-test] 7-zip vulnerability

2016-05-14 Thread K Post
Right, but what's to stop a malicious actor from emailing a TINY infected
one of these inside a .7zip file?

Curious:
1) Is ASSP able to detect .7z files as a type.  I'm talking about it
knowing that a 7-zip file that is emailed using a random extension like
.bla being caught as a prohibited type regardless of the extension.

2) If we prohibit all .7z files, will the content type be detected BEFORE
the file is scanned by ClamAV (and thereby opened by the 7-zip executable)?


On Fri, May 13, 2016 at 12:04 PM, Thomas Eckardt <thomas.ecka...@thockar.com
> wrote:

> Never saw a DVD-Video, DVD-Audio or HFS+ emailed.
>
> Thomas
>
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 13.05.2016 17:55
> Subject: [Assp-test] 7-zip vulnerability
>
>
>
> I always worry when software calls other software
>
> Now that ASSP supports 7-zip, what can we do to insure we're protected?
> http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
>
> Is it just a matter of waiting for the libraries to be updated?
>


[Assp-test] 7-zip vulnerability

2016-05-13 Thread K Post
I always worry when software calls other software

Now that ASSP supports 7-zip, what can we do to insure we're protected?
http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html

Is it just a matter of waiting for the libraries to be updated?


[Assp-test] Still getting some (but not as many) can't find name server registration for legit domains

2016-05-11 Thread K Post
One of your recent releases GREATLY reduced the number of warnings about
bad sender domains, but we still get a bunch, always from different
counties across the US.

For example

*Warning: can't find a name server registration for the sender domain
'co.pg.md.us ' - all DNS queries will be skipped!*

However, co.pd.md.us resolves to 38.70.2.172

others that we've seen this week:
mcc.co.mercer.pa.us
co.delaware.pa.us
co.nevada.ca.us
co.union.oh.us
co.geauga.oh.us
co.dodge.wi.us

Might there be more tweaks that you could make?  I can't imagine that all of
these domains are misconfigured.

Thanks.


Re: [Assp-test] Big Request: Virus notification for outbound only??

2016-05-10 Thread K Post
For those of you following this thread, implemented in 16130

THANK YOU THOMAS!

On Sat, Apr 30, 2016 at 1:24 PM, K Post <nntp.p...@gmail.com> wrote:

> We're getting a lot of inbound viruses (and heuristic detections of spam)
> caught by clamav.  This suddenly started working a couple versions of
> ASSP/AFC ago.  So nice to have this working!
>
> It's at the point where having EmailVirusToReport enabled is no longer
> reasonable.  I'm getting hundreds of them a day for inbound viruses.
>
> I would however like to have notifications for mail being sent OUT by our
> users.  Might there be a way for you to separate out inbound virus
> notifications from those either by authenticated users or those allowed to
> send through a relay port?  This would be quite helpful.
>
> Thanks
>


[Assp-test] ImageMagick vulnerability

2016-05-10 Thread K Post
Just a heads up, ImageMagick has a pretty significant vulnerability.  Would
be hard to exploit on ASSP, but imagine that it's possible.  Thoughts?



https://www.us-cert.gov/ncas/current-activity/2016/05/04/ImageMagick-Vulnerability

more info
https://blog.sucuri.net/2016/05/imagemagick-remote-command-execution-vulnerability.html


[Assp-test] Big Request: Virus notification for outbound only??

2016-04-30 Thread K Post
We're getting a lot of inbound viruses (and heuristic detections of spam)
caught by clamav.  This suddenly started working a couple versions of
ASSP/AFC ago.  So nice to have this working!

It's at the point where having EmailVirusToReport enabled is no longer
reasonable.  I'm getting hundreds of them a day for inbound viruses.

I would however like to have notifications for mail being sent OUT by our
users.  Might there be a way for you to separate out inbound virus
notifications from those either by authenticated users or those allowed to
send through a relay port?  This would be quite helpful.

Thanks


Re: [Assp-test] [request] AFC and rar archives

2016-04-28 Thread K Post
Sane/Clam AV is reporting rar's being used...
http://sanesecurity.blogspot.com/2016/03/locky-javascript-malware-that-arrives.html

On Thu, Apr 28, 2016 at 9:09 AM, aquilinux  wrote:

> >
> > in practice, I don't know if it may be worth
>
>
> i bet this will be the next virus packaging trend in a very close future :)
>
>
>
>
> --
> "Madness, like small fish, runs in hosts, in vast numbers of instances."
>
> Nessuno mi pettina bene come il vento.
>
>


Re: [Assp-test] Warning: Main_Thread found socket without SocketCalls - please report!

2016-04-27 Thread K Post
Any thoughts on how I can fix this on my windows system?  It's not just the
maillog where I see it and it's ONLY when I try to access the webui (which
is encrypted if that matters).

Apr-27-16 10:54:10 Warning: Main_Thread found socket without SocketCalls!
Apr-27-16 10:54:10 Warning: Main_Thread found socket without SocketCalls!
often I'll get this 2 or 3 times in a row.

On Tue, Apr 19, 2016 at 12:03 PM, K Post <nntp.p...@gmail.com> wrote:

> Thanks for replying Thomas.
>
> It doesn't look like there was high load on the system or anything wonky
> with the network, but I really don't monitor that heavily.  I'm not
> worried, this doesn't happen often, I only reported because the warning
> message said to.
>
> On Tue, Apr 19, 2016 at 11:10 AM, Thomas Eckardt <
> thomas.ecka...@thockar.com> wrote:
>
>> This sounds like a network problem of the system.
>> The worker can't accept a connection and the MainThread is unable to send
>> GUI data to the browser at the same time. An orphaned socket in the
>> MainThread could be the result - which leads in to the warning one time.
>>
>> Under normal conditions the MaillogTail with a 'tail bytes' setting of
>> 10.000 takes not longer than three seconds..
>>
>> Thomas
>>
>>
>>
>>
>> From: K Post <nntp.p...@gmail.com>
>> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date: 19.04.2016 16:38
>> Subject: [Assp-test] Warning: Main_Thread found socket without
>> SocketCalls - please report!
>>
>>
>>
>> Reporting, because it said to...
>>
>> I see this on occasion when I click on maillog from the main assp admin
>> screen.  Maillog eventually comes up, but can take 20+ seconds.  Machine
>> seems plenty fast, lots of ram.
>>
>> Maillog has always been slow to load though.
>>
>> Apr-19-16 10:33:55 Error: Worker_4 accept to client failed
>> IO::Socket::INET=GLOB(0x492171d4) (timeout: 2 s) : A connection attempt
>> failed because the connected party did not properly respond after a period
>> of time, or established connection failed because connected host has
>> failed
>> to respond.
>>
>>
>> followed by
>>
>>
>> Apr-19-16 10:33:59 Warning: Main_Thread found socket without SocketCalls -
>> please report!
>>


Re: [Assp-test] fixes in assp 2.5.2 build 16117

2016-04-27 Thread K Post
I researched linux low port restrictions a bit just now.  For the sake of
anyone reading this thread, this isn't applicable to Windows - it's not
firewalling, it's an optional restriction in *nix that prohibits servers
from binding to ports lower than 1024.

On Wed, Apr 27, 2016 at 1:41 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> >Do you know when the 'DoDKIM' error was introduced?
>
> this was possibly build 16089.
>
> >And on the low port restriction, on a Windows system
>
> low port restriction on Windows for the 'system' account ???
>
> Thomas
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 27.04.2016 03:16
> Subject: Re: [Assp-test] fixes in assp 2.5.2 build 16117
>
>
>
> Do you know when the 'DoDKIM' error was introduced?
>
> And on the low port restriction, on a Windows system with the standard
> windows firewall, do you think this would have been a problem prior to
> this
> version?  We had the SMTP ports open below this range, but other ports
> were
> blocked in the firewall.   Couldn't find any discussion about this
> problem.
>
> Just trying to determine what to expect from this release.
>
> Thanks for the fixes!!
>
> On Tue, Apr 26, 2016 at 12:34 PM, Thomas Eckardt
> <thomas.ecka...@thockar.com
> > wrote:
>
> > Hi all,
> >
> > fixed in assp 2.5.2 build 16117:
> >
> > - if the low ports 0-1023 were restricted by the OS for the assp user,
> the
> > send- and receive buffer was set
> >   too low, which caused high CPU usage
> >
> > - if 'DoDKIM' was set and a mail has passed the DKIM body check, the
> .eml
> > file was moved to the 'notspam'
> >   every time, even the mail was blocked or OK before
> >
> >
> > changed:
> >
> > - 'debugCode' is now stored encrypted in the configuration
> >
> >
> > Thomas
> >
> >

Re: [Assp-test] fixes in assp 2.5.2 build 16117

2016-04-26 Thread K Post
And commas in the byte count in the smtp sessions window.  THANK YOU.  So
much easier to read.

On Tue, Apr 26, 2016 at 9:15 PM, K Post <nntp.p...@gmail.com> wrote:

> Do you know when the 'DoDKIM' error was introduced?
>
> And on the low port restriction, on a Windows system with the standard
> windows firewall, do you think this would have been a problem prior to this
> version?  We had the SMTP ports open below this range, but other ports were
> blocked in the firewall.   Couldn't find any discussion about this problem.
>
> Just trying to determine what to expect from this release.
>
> Thanks for the fixes!!
>
> On Tue, Apr 26, 2016 at 12:34 PM, Thomas Eckardt <
> thomas.ecka...@thockar.com> wrote:
>
>> Hi all,
>>
>> fixed in assp 2.5.2 build 16117:
>>
>> - if the low ports 0-1023 were restricted by the OS for the assp user, the
>> send- and receive buffer was set
>>   too low, which caused high CPU usage
>>
>> - if 'DoDKIM' was set and a mail has passed the DKIM body check, the .eml
>> file was moved to the 'notspam'
>>   every time, even the mail was blocked or OK before
>>
>>
>> changed:
>>
>> - 'debugCode' is now stored encrypted in the configuration
>>
>>
>> Thomas
>>
>>


Re: [Assp-test] microsoft.com and w3.org detected in URI scan

2016-04-21 Thread K Post
Makes perfect sense - thanks

On Thu, Apr 21, 2016 at 2:02 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> 'URIBLwhitelist' can be used.
>
> Thomas
>
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 20.04.2016 22:12
> Subject: [Assp-test] microsoft.com and w3.org detected in URI scan
>
>
>
> Outlook likes to put something like:
>
>  xmlns:o="urn:schemas-microsoft-com:office:office"
> xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="
> http://schemas.microsoft.com/office/2004/12/omml; xmlns="
> http://www.w3.org/TR/REC-html40;> CONTENT="text/html; charset=us-ascii"> content="Microsoft Word 14 (filtered medium)">
>
> on its HTML emails.  I've noticed that X-ASSP-Detected-URI shows
> microsoft.com and w3.org for all of these emails, as you'd expect.
>
> Does it matter?  Any point in having those ignored if contained in the
> html
> open block?
>


[Assp-test] microsoft.com and w3.org detected in URI scan

2016-04-20 Thread K Post
Outlook likes to put something like:

http://schemas.microsoft.com/office/2004/12/omml; xmlns="
http://www.w3.org/TR/REC-html40;>

on its HTML emails.  I've noticed that X-ASSP-Detected-URI shows
microsoft.com and w3.org for all of these emails, as you'd expect.

Does it matter?  Any point in having those ignored if contained in the html
open block?


Re: [Assp-test] Request for shutdown list (SMTP Connections)

2016-04-20 Thread K Post
Good point, though the USA is the only place that matters :-)
The comma thing is really insignificant.

On Wed, Apr 20, 2016 at 1:47 PM, Robert K Coffman Jr. -Info From Data Corp.
 wrote:

> > And while you're at it, could you add commas to separate every set of 3
> digits to improve readability?
>
> I think this one is a non-starter.  Some places use periods where the US
> uses commas and vice versa.
>
> - Bob
>
>
>


[Assp-test] Request for shutdown list (SMTP Connections)

2016-04-20 Thread K Post
Is there any chance that you'd be willing to right align the bytes and
duration columns of the SMTP Connection screen?   And while you're at it,
could you add commas to separate every set of 3 digits to improve
readability?

Thanks!


Re: [Assp-test] Warning: Main_Thread found socket without SocketCalls - please report!

2016-04-19 Thread K Post
Thanks for replying, Thomas.

It doesn't look like there was high load on the system or anything wonky
with the network, but I really don't monitor that heavily.  I'm not
worried, this doesn't happen often, I only reported because the warning
message said to.

On Tue, Apr 19, 2016 at 11:10 AM, Thomas Eckardt
<thomas.ecka...@thockar.com> wrote:

> This sounds like a network problem of the system.
> The worker can't accept a connection and the MainThread is unable to send
> GUI data to the browser at the same time. An orphaned socket in the
> MainThread could be the result - which leads in to the warning one time.
>
> Under normal conditions the MaillogTail with a 'tail bytes' setting of
> 10.000 takes no longer than three seconds.
>
> Thomas
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 19.04.2016 16:38
> Subject: [Assp-test] Warning: Main_Thread found socket without
> SocketCalls - please report!
>
>
>
> Reporting, because it said to...
>
> I see this on occasion when I click on maillog from the main assp admin
> screen.  Maillog eventually comes up, but can take 20+ seconds.  Machine
> seems plenty fast, lots of ram.
>
> Maillog has always been slow to load though.
>
> Apr-19-16 10:33:55 Error: Worker_4 accept to client failed
> IO::Socket::INET=GLOB(0x492171d4) (timeout: 2 s) : A connection attempt
> failed because the connected party did not properly respond after a period
> of time, or established connection failed because connected host has failed
> to respond.
>
>
> followed by
>
>
> Apr-19-16 10:33:59 Warning: Main_Thread found socket without SocketCalls -
> please report!
>


[Assp-test] Warning: Main_Thread found socket without SocketCalls - please report!

2016-04-19 Thread K Post
Reporting, because it said to...

I see this on occasion when I click on maillog from the main assp admin
screen.  Maillog eventually comes up, but can take 20+ seconds.  Machine
seems plenty fast, lots of ram.

Maillog has always been slow to load though.

Apr-19-16 10:33:55 Error: Worker_4 accept to client failed
IO::Socket::INET=GLOB(0x492171d4) (timeout: 2 s) : A connection attempt
failed because the connected party did not properly respond after a period
of time, or established connection failed because connected host has failed
to respond.


followed by


Apr-19-16 10:33:59 Warning: Main_Thread found socket without SocketCalls -
please report!


Re: [Assp-test] 16106 Virus Detected: 'Heuristics.Phishing.Email.SpoofedDomain'

2016-04-19 Thread K Post
Updates:

1) This is continuing.  It seems that it's almost exclusively legitimate
emails from Citi (major US bank) that are getting flagged
as Heuristics.Phishing.Email.SpoofedDomain

I reported to ClamAV - this very well could just be a ClamAV problem, but
it started the same days as I went from 16080 to 16106 (and ASSP_AFC
update).  Could something have changed between those versions to either:
1) Make ClamAV suddenly be able to detect these (incorrectly) or
2) Be sending incorrect info to ClamAV somehow?

It's likely just a coincidence and I know I can just turn off the phishing
heuristics, but it seems like a great feature to have on.

2) I know why the emails are being delivered,  The sender ip range is
senderbase whitelisted which is enough to reduce the message score to an
acceptable level.   OF COURSE!!  Always nice to see ASSP considering
multiple facets of an email.

3) The admin notification emails still do not have a To or Subject in the
email header of the notification itself - I'm not talking about the body of
the notification which is essentially the original email header with
detection information, I'm talking about the header of the notification.
That means that in Outlook, only the from shows up.  Subject is blank,
which makes it hard to spot these.




On Sun, Apr 17, 2016 at 11:53 AM, K Post <nntp.p...@gmail.com> wrote:

> Thanks for chiming in Robert.  I had previously looked at that info
> page.  What I'm trying to figure out is if something changed in one of the
> last couple of releases of ASSP that could be causing these false positives
> now.
>
> And I don't understand why they would be delivered to the end user if
> ClamAV thought it was phishing.  I'm glad that they were sent through since
> ClamAV was wrong, but I want to make sure functionality is working when
> there's a real phishing attempt.
>
>
> On Sun, Apr 17, 2016 at 7:08 AM, Robert K Coffman Jr. -Info From Data
> Corp. <bcoff...@infofromdata.com> wrote:
>
>> > We've seen several rejected emails since 16106 listing: Virus Detected:
>> > 'Heuristics.Phishing.Email.SpoofedDomain'
>>
>> Look at http://sanesecurity.com/support/false-positives/
>>
>>
>>


Re: [Assp-test] 16106 Virus Detected: 'Heuristics.Phishing.Email.SpoofedDomain'

2016-04-17 Thread K Post
Thanks for chiming in Robert.  I had previously looked at that info page.
What I'm trying to figure out is if something changed in one of the last
couple of releases of ASSP that could be causing these false positives now.


And I don't understand why they would be delivered to the end user if
ClamAV thought it was phishing.  I'm glad that they were sent through since
ClamAV was wrong, but I want to make sure functionality is working when
there's a real phishing attempt.


On Sun, Apr 17, 2016 at 7:08 AM, Robert K Coffman Jr. -Info From Data Corp.
 wrote:

> > We've seen several rejected emails since 16106 listing: Virus Detected:
> > 'Heuristics.Phishing.Email.SpoofedDomain'
>
> Look at http://sanesecurity.com/support/false-positives/
>
>
>


Re: [Assp-test] 16106 Virus Detected: 'Heuristics.Phishing.Email.SpoofedDomain'

2016-04-16 Thread K Post
Update.  This is happening with a lot of different domain names now.  I'm
getting the warning email as the admin, BUT the recipient is also getting
the message.  I don't even see an indication that ClamAV thought something
was wrong in the message that's delivered. That's good, since these are
false positives, but I would have thought that if ClamAV is detecting a
phishing email, that it would have been rejected.

Can't figure this one out.  I should also note that I increased the amount
of virtual memory (swap file) available on this machine yesterday, but I
can't imagine that has anything to do with anything.

Thanks


On Sat, Apr 16, 2016 at 1:19 PM, K Post <nntp.p...@gmail.com> wrote:

> We've seen several rejected emails since 16106 listing: Virus Detected:
> 'Heuristics.Phishing.Email.SpoofedDomain'
>
> These have been all legitimate emails from Citibank.  I don't know why
> ClamAV is suddenly catching these erroneously.  Previously, Citibank emails
> sent using the same method have gotten through no problem. Just a
> coincidence that it's only after updating to 16106 and assp_afc.pm?  I
> haven't changed any ClamAV settings - but maybe it's just working
> differently now with the new versions of assp files?  Or maybe just a bad
> update to the clamav signatures?  No idea.
>
> The sender domain is in WhiteSenderBaseRe.
>
> Of note:
>
> 1) Despite being rejected (erroneously, but rejected nonetheless), the
> messages are still stored files in NOTspam.
>
> 2) The administrative alert email has no FROM or SUBJECT in it (this has
> been an ongoing problem any time clamav triggers an alert)
>
> Suggestions?
>
> Thanks
>
>


[Assp-test] 16106 Virus Detected: 'Heuristics.Phishing.Email.SpoofedDomain'

2016-04-16 Thread K Post
We've seen several rejected emails since 16106 listing: Virus Detected:
'Heuristics.Phishing.Email.SpoofedDomain'

These have been all legitimate emails from Citibank.  I don't know why
ClamAV is suddenly catching these erroneously.  Previously, Citibank emails
sent using the same method have gotten through no problem. Just a
coincidence that it's only after updating to 16106 and assp_afc.pm?  I
haven't changed any ClamAV settings - but maybe it's just working
differently now with the new versions of assp files?  Or maybe just a bad
update to the clamav signatures?  No idea.

The sender domain is in WhiteSenderBaseRe.

Of note:

1) Despite being rejected (erroneously, but rejected nonetheless), the
messages are still stored files in NOTspam.

2) The administrative alert email has no FROM or SUBJECT in it (this has
been an ongoing problem any time clamav triggers an alert)

Suggestions?

Thanks


Re: [Assp-test] RFC 1480 Locality Domains Re: can't find a name server registration

2016-04-06 Thread K Post
Thanks for that info Bryan.

Thomas, does your fix in 16097 consider other delegations that might
include "multi-dotted" names where there could be 2 or more levels that
don't exist?  I suppose there could be other RFCs out there for
other countries/TLDs that delegate this way.  Is there a way to handle
this generically - or maybe ASSP now does.

On Wed, Apr 6, 2016 at 11:08 AM, bryan bradsby <bryan.a...@tx.net> wrote:

> Thomas
>
> Please see RFC 1480
>
>https://www.ietf.org/rfc/rfc1480.txt.pdf
>
> That will explain the strange nomenclature used in the US locality
> domain structure.
>
> "co.delaware.pa.us" would be the government of Delaware County,
> Pennsylvania.
>
> The issue here is that the TLD ".us" delegates directly to
> "co.delaware.pa.us". The intermediate zones do not exist.
>
>
> My organization supports
>
>    State government agencies under "state.tx.us"
>    County government under "co.NAME.tx.us"
>    City government under "ci.NAME.tx.us"
>
> where "NAME" is the name of the City or County.
>
>
> bryan.brad...@capnet.state.tx.us
> Department of Information Resources
> Communications Technology Services
> Network Operations Center - Information Technology
>
>
> On Wed, 2016-04-06 at 07:34 +0200, Thomas Eckardt wrote:
> > I think I found the reason.
> >
> > using 'co.delaware.pa.us'
> >
> > us - TLD
> > pa.us - TLD
> > delaware.pa.us - invalid !!!
> > co.delaware.pa.us - valid
> >
> > pa.us is a TLD - but there are also sub domains registered as TLD like
> > cc.pa.us or lib.pa.us (and others) - BUT not delaware.pa.us
> > The really strange thing is, that 'delaware.pa.us' itself is invalid, but
> > subdomains like 'co.delaware.pa.us' are valid.
> >
> > To be not too strict, assp has tested the domain (delaware.pa.us) of the
> > host (co.delaware.pa.us)
> > the logic of assp:
> > Because (pa.us) is a TLD and (delaware.pa.us) is not a TLD,
> > (delaware.pa.us) must be a registered user domain and (co.delaware.pa.us)
> > must be a host.
> >
> > I'll try to workaround this. But first I'll ask IANA and will force them
> > to close the .us TLD but at least the pa.us domain :):)
> > Thomas
> >
> >
> >
> >
> > From: K Post <nntp.p...@gmail.com>
> > To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> > Date: 06.04.2016 06:01
> > Subject: Re: [Assp-test] can't find a name server registration
> >
> >
> >
> > I hear yah loud and clear on the nxdomain for the stupid Navy subdomains.
> > I'm sure it's a valid subdomain internally and they just aren't thinking
> > when emailing out.  Forget about that one, it's clearly a
> > misconfiguration on their end.
> >
> > But the multiple co.county.status.us domain problem is baffling.  We've got
> > 3 dns servers here, none seem to have any problem resolving anything - I've
> > never seen one of these county long domain (multi part) timeout during
> > manual tests.  Just weird that these are the only ones that cause a warning
> > besides legit nxdomains.  Looking at the log, it appears that just 1 second
> > passes between the connection to ASSP and the warning message Warning:
> > can't find a name server registration for the sender domain...
> >
> > Is there a way to enable DNS debugging only for these types of domains or
> > do I need to turn on DebugSPF (from memory, I feel like that is the magic
> > debug all DNS switch)?
> >
> > I'm wondering if there's some kind of perfect storm, there's too many dots
> > in that domain name where the Net-DNS module or something fails.  I don't
> > see other domain names that we get mail from.  What's odder is that I don't
> > always get this warning with the domain names (which I agree makes it sound
> > like a problem with our DNS servers, but I can't imagine what - there's no
> > forwarders, there's 3 of them, they're all responsive and I never seem to
> > be able to cause a failure)
> >
> > It's just a warning, but I'd hate to see something and not say something -
> > or not say something only to discover that we've got something failing on
> > our end that I didn't know about.
> >
> > If you're certain that it must be my DNS se

Re: [Assp-test] can't find a name server registration

2016-04-06 Thread K Post
Heh, most of the people running the (state).us domains do so poorly from my
experience.  There's also the tld's like co.uk too right?

see, every so often when I'm persistent and hash out my questions until the
end, it turns out that I'm onto something :)   it's a shame that usually
that isn't true, but I won't stop trying!!


On Wed, Apr 6, 2016 at 1:34 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> I think I found the reason.
>
> using 'co.delaware.pa.us'
>
> us - TLD
> pa.us - TLD
> delaware.pa.us - invalid !!!
> co.delaware.pa.us - valid
>
> pa.us is a TLD - but there are also sub domains registered as TLD like
> cc.pa.us or lib.pa.us (and others) - BUT not delaware.pa.us
> The really strange thing is, that 'delaware.pa.us' itself is invalid, but
> subdomains like 'co.delaware.pa.us' are valid.
>
> To be not too strict, assp has tested the domain (delaware.pa.us) of the
> host (co.delaware.pa.us)
> the logic of assp:
> Because (pa.us) is a TLD and (delaware.pa.us) is not a TLD , (
> delaware.pa.us) must be a registered user domain and (co.delaware.pa.us)
> must be a host.
>
> I'll try to workaround this. But first I'll ask IANA and will force them
> to close the .us TLD but at least the pa.us domain :):)
>
> Thomas
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 06.04.2016 06:01
> Subject: Re: [Assp-test] can't find a name server registration
>
>
>
> I hear yah loud and clear on the nxdomain for the stupid Navy subdomains.
> I'm sure it's a valid subdomain internally and they just aren't thinking
> when emailing out.  Forget about that one, it's clearly a
> misconfiguration on their end.
>
> But the multiple co.county.status.us domain problem is baffling.  We've got
> 3 dns servers here, none seem to have any problem resolving anything - I've
> never seen one of these county long domain (multi part) timeout during
> manual tests.  Just weird that these are the only ones that cause a warning
> besides legit nxdomains.  Looking at the log, it appears that just 1 second
> passes between the connection to ASSP and the warning message Warning:
> can't find a name server registration for the sender domain...
>
> Is there a way to enable DNS debugging only for these types of domains or
> do I need to turn on DebugSPF (from memory, I feel like that is the magic
> debug all DNS switch)?
>
> I'm wondering if there's some kind of perfect storm, there's too many dots
> in that domain name where the Net-DNS module or something fails.  I don't
> see other domain names that we get mail from.  What's odder is that I don't
> always get this warning with the domain names (which I agree makes it sound
> like a problem with our DNS servers, but I can't imagine what - there's no
> forwarders, there's 3 of them, they're all responsive and I never seem to
> be able to cause a failure)
>
> It's just a warning, but I'd hate to see something and not say something -
> or not say something only to discover that we've got something failing on
> our end that I didn't know about.
>
> If you're certain that it must be my DNS servers, say so one more time and
> I'll drop the discussion here.
>
> As always, thanks.
>
> On Tue, Apr 5, 2016 at 12:58 PM, Thomas Eckardt
> <thomas.ecka...@thockar.com>
> wrote:
>
> > ASSP does nothing else than ask YOUR DNS-server for 'ANY' DNS-entry. If
> > the DNS-server answers with 'NXDOMAIN' , there is no doubt for assp, that
> > this domain/host doesn't exist. This is NOT allowed in SMTP
> >
> > >I know that submail.navy.mil isn't valid
> >
> > So - using 'submail.navy.mil' in SMTP IS A FAULT. There is nothing to
> > 'don't know' 'think about','can','should' .
> > And because the host name is not valid, what else 'should' assp do, than
> > to skip all the following DNS queries for this host name
> > (SPF,DKIM,A,MX,) - there is not 'ANY' DNS-entry?
> >
> > Again:
> > The 'DoRFC822' check hits ONLY, if any of the following is the case
> >
> > - the 'MAIL FROM' address has an invalid format
> > - the TLD (here mil) is not registered to IANA
> > - the answer of an 'ANY' query for the host name is 'NXDOMAIN' - (any
> > other error is ignored by assp)
> >
> > If the answer for 'co.county.state.us' is 'NXDOMAIN', you should check
> > your name server. It should never answer with 'NXDOMAIN' in case of a
> > timeout!
> >
> > Thomas
> >
> >
> >
> > From: K Post <nntp.p...@gmail.com>
> > To: ASSP development maili
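
The suffix-plus-one-label derivation and the three DoRFC822 conditions discussed in the message above, as an added Python example (not ASSP's code, which is Perl, and not the fix from 16097, which the thread does not show). The TLD set, suffix list, stub resolver, zone data, local parts and all function names are constructed assumptions; only the host names and the MX target come from the thread.

```python
import re

# Constructed stand-ins for the IANA TLD list, a public-suffix style list and
# a local resolver. None of this is ASSP's own data.
IANA_TLDS = {"us", "mil", "com", "org"}
SUFFIXES = {"us", "pa.us", "cc.pa.us", "lib.pa.us", "mil", "com", "org"}
ZONE = {  # names that own at least one record
    "co.delaware.pa.us": ["MX 10 co-delaware-pa-us.mail.protection.outlook.com"],
    "navy.mil": ["SOA (constructed)"],
}
UNREACHABLE = {"slow.example.org"}  # constructed: lookups for these time out

ADDR_RE = re.compile(
    r"^[^@\s<>]+@((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})$",
    re.IGNORECASE,
)


def query_any(name):
    """Stub resolver returning (rcode, records) for an ANY-style lookup.

    Assumption: a name with no records answers NXDOMAIN, which is the answer
    that leads to the warning discussed in the thread.
    """
    name = name.lower().rstrip(".")
    if name in UNREACHABLE:
        return "TIMEOUT", []
    if name in ZONE:
        return "NOERROR", ZONE[name]
    return "NXDOMAIN", []


def domain_part(mail_from):
    """Return the lower-cased domain part of a MAIL FROM address, or None."""
    m = ADDR_RE.match(mail_from.strip().strip("<>"))
    return m.group(1).lower() if m else None


def longest_suffix(domain):
    """Longest entry of SUFFIXES that the domain ends with, or None."""
    labels = domain.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SUFFIXES:
            return candidate
    return None


def derived_registered_domain(domain):
    """Suffix plus one label: pa.us is a suffix, so delaware.pa.us is the guess."""
    suffix = longest_suffix(domain)
    if suffix is None or domain == suffix:
        return None
    left = domain[: -len(suffix) - 1].split(".")
    return left[-1] + "." + suffix


def check_sender(mail_from, resolver=query_any):
    """Apply the three listed conditions to the exact domain part."""
    domain = domain_part(mail_from)
    if domain is None:
        return False, "invalid MAIL FROM format"
    if domain.rsplit(".", 1)[-1] not in IANA_TLDS:
        return False, "TLD not registered"
    rcode, _ = resolver(domain)
    if rcode == "NXDOMAIN":
        return False, "NXDOMAIN for " + domain
    # Timeouts and every other resolver error are ignored, as the thread states.
    return True, "ok (" + rcode + ")"


def diagnose(mail_from, resolver=query_any):
    """Compare the answer for the exact domain part with the derived guess."""
    domain = domain_part(mail_from)
    if domain is None:
        return None
    derived = derived_registered_domain(domain)
    return {
        "domain": domain,
        "derived": derived,
        "domain_rcode": resolver(domain)[0],
        "derived_rcode": resolver(derived)[0] if derived else None,
    }


if __name__ == "__main__":
    for sender in ("clerk@co.delaware.pa.us", "sailor@submail.navy.mil",
                   "user@slow.example.org", "not-an-address"):
        print(sender, check_sender(sender), diagnose(sender))
```

For an RFC 1480 locality name, `diagnose` shows the mismatch the thread tracks down: the exact domain part has an MX record while the derived parent does not exist.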

Re: [Assp-test] can't find a name server registration

2016-04-05 Thread K Post
I hear yah loud and clear on the nxdomain for the stupid Navy subdomains.
I'm sure it's a valid subdomain internally and they just aren't thinking
when emailing out.  Forget about that one, it's clearly a
misconfiguration on their end.

But the multiple co.county.status.us domain problem is baffling.  We've got
3 dns servers here, none seem to have any problem resolving anything - I've
never seen one of these county long domain (multi part) timeout during
manual tests.  Just weird that these are the only ones that cause a warning
besides legit nxdomains.  Looking at the log, it appears that just 1 second
passes between the connection to ASSP and the warning message Warning:
can't find a name server registration for the sender domain...

Is there a way to enable DNS debugging only for these types of domains or
do I need to turn on DebugSPF (from memory, I feel like that is the magic
debug all DNS switch)?

I'm wondering if there's some kind of perfect storm, there's too many dots
in that domain name where the Net-DNS module or something fails.  I don't
see other domain names that we get mail from.  What's odder is that I don't
always get this warning with the domain names (which I agree makes it sound
like a problem with our DNS servers, but I can't imagine what - there's no
forwarders, there's 3 of them, they're all responsive and I never seem to
be able to cause a failure)

It's just a warning, but I'd hate to see something and not say something -
or not say something only to discover that we've got something failing on
our end that I didn't know about.

If you're certain that it must be my DNS servers, say so one more time and
I'll drop the discussion here.

As always, thanks.

On Tue, Apr 5, 2016 at 12:58 PM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> ASSP does nothing else than ask YOUR DNS-server for 'ANY' DNS-entry. If
> the DNS-server answers with 'NXDOMAIN' , there is no doubt for assp, that
> this domain/host doesn't exist. This is NOT allowed in SMTP
>
> >I know that submail.navy.mil isn't valid
>
> So - using 'submail.navy.mil' in SMTP IS A FAULT. There is nothing to
> 'don't know' 'think about','can','should' .
> And because the host name is not valid, what else 'should' assp do, than
> to skip all the following DNS queries for this host name
> (SPF,DKIM,A,MX,) - there is not 'ANY' DNS-entry?
>
> Again:
> The 'DoRFC822' check hits ONLY, if any of the following is the case
>
> - the 'MAIL FROM' address has an invalid format
> - the TLD (here mil) is not registered to IANA
> - the answer of an 'ANY' query for the host name is 'NXDOMAIN' - (any
> other error is ignored by assp)
>
> If the answer for 'co.county.state.us' is 'NXDOMAIN', you should check
> your name server. It should never answer with 'NXDOMAIN' in case of a
> timeout!
>
> Thomas
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 05.04.2016 18:19
> Subject: Re: [Assp-test] can't find a name server registration
>
>
>
> Terminology mixed me up I guess.  Was thinking of the "domain name" as
> what's registered with the registrar.  What's being checked, I'd call the
> "hostname" <-- but I'm wrong according to the RFC.  Sorry for that.
>
> I know that submail.navy.mil isn't valid, but navy.mil certainly is.
> Shouldn't ASSP find that though and not complain stating that no more DNS
> checking will be done?
>
> And I don't understand what the problem is with co.delaware.pa.us and the
> other co.county.state.us domains.  They're valid domain/host names with mx
> records.  And it's only multiple part hostnames that show up as warnings in
> the logs as far as I can tell.
>
> Not really worried, just thought I'd bring it up to insure something wonky
> isn't going on.
>
> Thanks
>
>
> On Tue, Apr 5, 2016 at 12:08 PM, Thomas Eckardt
> <thomas.ecka...@thockar.com>
> wrote:
>
> > RFC5321 section 2.3.5.  Domain Names
> >
> > ASSP is smart and asks for 'ANY' DNS registration for the domainpart of the
> > sender address - no entry -> no luck!
> >
> > disable 'DoRFC822' if this is not working for you
> >
> > Thomas
> >
> >
> >
> >
> >
> > From: K Post <nntp.p...@gmail.com>
> > To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> > Date: 05.04.2016 17:01
> > Subject: Re: [Assp-test] can't find a name server registration
> >
> >
> >
> > This problem hasn't gone away and it only seems to be with hostnames that
> > have more than 2 parts -
> >
> > For example:
> > co.delaware.pa.us
> > resolves just fine on 

Re: [Assp-test] can't find a name server registration

2016-04-05 Thread K Post
Terminology mixed me up I guess.  Was thinking of the "domain name" as
what's registered with the registrar.  What's being checked, I'd call the
"hostname" <-- but I'm wrong according to the RFC.  Sorry for that.

I know that submail.navy.mil isn't valid, but navy.mil certainly is.
Shouldn't ASSP find that though and not complain stating that no more DNS
checking will be done?

And I don't understand what the problem is with co.delaware.pa.us and the
other co.county.state.us domains.  They're valid domain/host names with mx
records.  And it's only multiple part hostnames that show up as warnings in
the logs as far as I can tell.

Not really worried, just thought I'd bring it up to insure something wonky
isn't going on.

Thanks


On Tue, Apr 5, 2016 at 12:08 PM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> RFC5321 section 2.3.5.  Domain Names
>
> ASSP is smart and asks for 'ANY' DNS registration for the domainpart of the
> sender address - no entry -> no luck!
>
> disable 'DoRFC822' if this is not working for you
>
> Thomas
>
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 05.04.2016 17:01
> Subject: Re: [Assp-test] can't find a name server registration
>
>
>
> This problem hasn't gone away and it only seems to be with hostnames that
> have more than 2 parts -
>
> For example:
> co.delaware.pa.us
> resolves just fine on the dns servers
> co.delaware.pa.us   MX preference = 10, mail exchanger =
> co-delaware-pa-us.mail.protection.outlook.com
>
> co-delaware-pa-us.mail.protection.outlook.com   internet address =
> 207.46.163.247
> co-delaware-pa-us.mail.protection.outlook.com   internet address =
> 207.46.163.215
> co-delaware-pa-us.mail.protection.outlook.com   internet address =
> 207.46.163.138
>
> And
> submail.navy.mil
> *which doesn't seem to be a valid hostname, but shouldn't ASSP be looking
> for a name server registration for navy.mil <http://navy.mil> and not the
> full hostname?  *I don't know, I'm asking.  Just seems odd that the only
> time I get these warnings are for hostnames with more than just 2 parts.
>
> Thanks
>
> On Tue, Feb 23, 2016 at 12:44 PM, K Post <nntp.p...@gmail.com> wrote:
>
> > Seeing this again.  This time:
> > Warning: can't find a name server registration for the sender domain '
> > co.dodge.wi.us' - all DNS queries will be skipped!
> >
> > It seems that 99% of the time it's a long city / county domain name like
> > co.dodge.wi.us ci.wilsonville.or.us  co.geauga.oh.us and co.delaware.pa.us
> >
> > Thomas, any ideas?
> >
> >
> > On Mon, Feb 1, 2016 at 3:47 PM, K Post <nntp.p...@gmail.com> wrote:
> >
> >> At least it's not just me.
> >>
> >> James - FYI, you definitely don't want to use public DNS servers for ASSP
> >> - too slow and more importantly you could have trouble with things like
> >> DNSBL, senderbase, etc where it's limited to a certain number of queries
> >> per IP.
> >>
> >> On Mon, Feb 1, 2016 at 2:36 PM, James Moe <ji...@sohnen-moe.com> wrote:
> >>
> >>> -BEGIN PGP SIGNED MESSAGE-
> >>> Hash: SHA1
> >>>
> >>> On 01/29/2016 11:10 AM, K Post wrote:
> >>> > I see this on occasion:
> >>> >
> >>>   ASSP version 2.4.5(15334)
> >>>   I have the same problem.
> >>>
> >>>
> >>> 2016-02-01 08:32:24 Warning: Name Server 205.171.3.65: does not
> >>> respond or timed out
> >>> 2016-02-01 08:32:24 Warning: Name Server 8.8.8.8: does not respond or
> >>> timed out
> >>> 2016-02-01 08:33:24 Warning: Name Server 127.0.0.1: does not respond
> >>> or timed out
> >>> 2016-02-01 08:33:24 Warning: Name Server 205.171.3.65: does not
> >>> respond or timed out
> >>> 2016-02-01 08:33:24 Warning: Name Server 8.8.8.8: does not respond or
> >>> timed out
> >>> 2016-02-01 09:32:49 Warning: Name Server 205.171.3.65: does not
> >>> respond or timed out
> >>> 2016-02-01 11:15:27 Warning: can't find a name server registration for
> >>> the sender domain 'mktg.actonsoftware.com' - all DNS queries will be
> >>> skipped!
> >>>
> >>>
> >>> - --
> >>> James Moe
> >>> moe dot james at sohnen-moe dot com
> >>> 520.743.3936

Re: [Assp-test] can't find a name server registration

2016-04-05 Thread K Post
This problem hasn't gone away and it only seems to be with hostnames that
have more than 2 parts -

For example:
co.delaware.pa.us
resolves just fine on the dns servers
co.delaware.pa.us   MX preference = 10, mail exchanger =
co-delaware-pa-us.mail.protection.outlook.com

co-delaware-pa-us.mail.protection.outlook.com   internet address =
207.46.163.247
co-delaware-pa-us.mail.protection.outlook.com   internet address =
207.46.163.215
co-delaware-pa-us.mail.protection.outlook.com   internet address =
207.46.163.138

And
submail.navy.mil
*which doesn't seem to be a valid hostname, but shouldn't ASSP be looking
for a name server registration for navy.mil <http://navy.mil> and not the
full hostname?  *I don't know, I'm asking.  Just seems odd that the only
time I get these warnings are for hostnames with more than just 2 parts.

Thanks

On Tue, Feb 23, 2016 at 12:44 PM, K Post <nntp.p...@gmail.com> wrote:

> Seeing this again.  This time:
> Warning: can't find a name server registration for the sender domain '
> co.dodge.wi.us' - all DNS queries will be skipped!
>
> It seems that 99% of the time it's a long city / county domain name like
> co.dodge.wi.us ci.wilsonville.or.us  co.geauga.oh.us and co.delaware.pa.us
>
> Thomas, any ideas?
>
>
> On Mon, Feb 1, 2016 at 3:47 PM, K Post <nntp.p...@gmail.com> wrote:
>
>> At least it's not just me.
>>
>> James - FYI, you definitely don't want to use public DNS servers for ASSP
>> - too slow and more importantly you could have trouble with things like
>> DNSBL, senderbase, etc where it's limited to a certain number of queries
>> per IP.
>>
>> On Mon, Feb 1, 2016 at 2:36 PM, James Moe <ji...@sohnen-moe.com> wrote:
>>
>>>
>>> On 01/29/2016 11:10 AM, K Post wrote:
>>> > I see this on occasion:
>>> >
>>>   ASSP version 2.4.5(15334)
>>>   I have the same problem.
>>>
>>>
>>> 2016-02-01 08:32:24 Warning: Name Server 205.171.3.65: does not
>>> respond or timed out
>>> 2016-02-01 08:32:24 Warning: Name Server 8.8.8.8: does not respond or
>>> timed out
>>> 2016-02-01 08:33:24 Warning: Name Server 127.0.0.1: does not respond
>>> or timed out
>>> 2016-02-01 08:33:24 Warning: Name Server 205.171.3.65: does not
>>> respond or timed out
>>> 2016-02-01 08:33:24 Warning: Name Server 8.8.8.8: does not respond or
>>> timed out
>>> 2016-02-01 09:32:49 Warning: Name Server 205.171.3.65: does not
>>> respond or timed out
>>> 2016-02-01 11:15:27 Warning: can't find a name server registration for
>>> the sender domain 'mktg.actonsoftware.com' - all DNS queries will be
>>> skipped!
>>>
>>>
>>> - --
>>> James Moe
>>> moe dot james at sohnen-moe dot com
>>> 520.743.3936
>>> ___
>>> Assp-test mailing list
>>> Assp-test@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/assp-test
>>>
>>
>>
>


Re: [Assp-test] Max Number Duplicate File Names

2016-03-23 Thread K Post
I had to look up stochastic.  I just barely understand the surface of what
you're even challenging me to answer.  I rely on your wizardry, and that of
those who came before you, for all of this and have faith that it works
(and absolutely have proof that it does in the real world).  I trust what
you're arguing - it doesn't matter for the rebuild process, and I believe
you without question, though I don't understand why (and don't need to).

Let me be more clear, I am no longer thinking that a poor distribution of
randomness in notspam will impact assp accuracy.  I don't know why, but if
you say it's true, I believe it.  BUT, why are you resistant to removing
these duplicate files in notspam at cleanup time before trashing others?
What's the downside to removing the duplicate notspam files by name.   *We're
going to have to delete some files during the cleanup, so why not give us
the best chance of keeping the ones that we care about most - if not for
the rebuild, then for manual analysis, copying to corrected folders,
etc.  *Would
it cause harm that I'm not understanding?



On Wed, Mar 23, 2016 at 8:17 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> >If we have a maximum number of total files, a system that removes excess
> >based on file age, and the potential that there could be a single user that
> >could send the same email more than the maximum number of files that are
> >allowed, that could give us NO data diversity in notspam.  All of the older
> >files would be deleted, leaving us with almost all of the remaining files
> >being identical, without any other files to build that random sampling
> >from.  Right?
>
> It is a configuration mistake, if you set 'MaxFiles' too low and you don't
> use UseSubjectsAsMaillogNames
>
> It is very simple. If you can find and explain a mathematical proof for
> the stochastic analysis used by assp, if and how any count of equal mails
> in any collection folder will compromise the corpus norm and/or the corpus
> confidence, then and ONLY then I'll think about this suggestion.
>
> precondition:
>
> - a finished rebuildspamdb
> - MaxBytes is set to 8.000
> - MaxFiles is ignored because UseSubjectsAsMaillogNames is configured
> - 5000 files in the spam folder
> - 2000 files in the notspam folder
> - 500.000 records in spamdb
> - 1.000.000 records in HMMdb
> - Spam Weight  =  3,500,000
> - Not-Spam Weight:   3,500,000
> - corpus norm == 1
> - corpus confidence == 1
>
> event after the rebuild spamdb:
>
> - an arbitrary count of equal files is stored in one or multiple collection
> folders.
> - the length of the mail body is 10.000 Bytes
>
> proof:
>
> after the next rebuild spamdb :
>
> - what is the minimum corpus norm and minimum corpus confidence if all
> files are stored in the notspam folder
> - what is the maximum corpus norm and minimum corpus confidence if all
> files are stored in the spam folder
> - what is the maximum and minimum corpus norm and minimum corpus
> confidence if the files are stored randomly in the spam and notspam folder
> - for the distribution
> spam / notspam
> 25% / 75%
> 50% / 50%
> 75% / 25%
>
> Until now, this is more or less simple mathematics (+-*/ exp) - but here
> the last, but most important question:
>
> Explain for only one of the above cases, why and how the changed corpus
> norm and corpus confidence will affect the average detection rate for spam
> and notspam of the Bayesian and HMM engine - for 100.000 incoming mails.
> The detection rate before the event occurred was 99,0% spam-detection with
> no false positives for the Bayesian and HMM engine (only!)
>
> assumed distribution of real spam / notspam
>
> 95.000 / 5.000
>
> good luck
>
> Thomas
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 21.03.2016 20:31
> Subject: Re: [Assp-test] Max Number Duplicate File Names
>
>
>
> Summary:
> *Isn't it important to have as random and diverse of a sampling in the file
> store as possible?  *I feel like removing excessive duplicate file names
> before cleaning up the file store gives us the best chance of using the
> most varied set of messages possible for both building bayes/hmm and also
> manual review, resends, copying to corrected, etc.
>
> Detailed discussion:
>
> You're right, I came to the conclusion that you thought I would at the end
> of your last post  - if you argue that it doesn't make sense for notspam,
> then it doesn't make sense for spam either...  but I still disagree.
> Please allow me to explain better.
>
> It's funny that you talk about move2num, I was just looking at that from a
> rea

Re: [Assp-test] Max Number Duplicate File Names

2016-03-21 Thread K Post
Summary:
*Isn't it important to have as random and diverse of a sampling in the file
store as possible?  *I feel like removing excessive duplicate file names
before cleaning up the file store gives us the best chance of using the
most varied set of messages possible for both building bayes/hmm and also
manual review, resends, copying to corrected, etc.

Detailed discussion:

You're right, I came to the conclusion that you thought I would at the end
of your last post  - if you argue that it doesn't make sense for notspam,
then it doesn't make sense for spam either...  but I still disagree.
Please allow me to explain better.

It's funny that you talk about move2num, I was just looking at that from a
really old installation.  I was also trying to find my circa 2003 script
that removed duplicate file names before the rebuild. (couldn't find it,
but I stopped using that once MaxDupFileNames was introduced).

And yes, you nailed it that I periodically manually poke around in the file
store, but that's not why I'm >still< thinking that it's still important to
have the removal of dups.  A random selection of varying data is important
no?

If we have a maximum number of total files, a system that removes excess
based on file age, and the potential that there could be a single user that
could send the same email more than the maximum number of files that are
allowed, that could give us NO data diversity in notspam.  All of the older
files would be deleted, leaving us with almost all of the remaining files
being identical, without any other files to build that random sampling
from.  Right?

And even if we went back to number only filenaming, or something like md5
filenames, the same problem would exist - we only have so many files to
work with, if you replace enough of them with essentially the same file,
that just removes data that we wanted more than what we replaced it with.

Simply put, if we replaced 15,000 not spam files with the same not spam
file 15,000 times and did a rebuild, wouldn't we get a bayesian/hmm
database that's not as good as what we would have had if we first removed
those duplicate file names?

Wouldn't turning off maxalloweddups open us up for the potential that
the spam corpus could be filled with the same message over and over (same
subject at least) that would then result in the same problem - the spam
folder having fewer different messages than we could have had otherwise?

Besides my own neuroses, isn't it important for the blockreport and manual
inspections to also keep as many of the message files in place for resends,
corrections, etc?  Yes, deleting all of the excess duplicate filenames
means that those duplicates wouldn't be available, but playing our
odds, it's more likely that files with different filenames are different
than those with the same file names.




On Mon, Mar 21, 2016 at 2:19 PM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> The concept of bayes but at least for HMM is too complex for most admins.
> ASSP is nice and stores all files in clear text and with nice filenames in
> filesystem if configured this way.
>
> Now someone like you looks into these folders and tries to find a reason
> to do something - that this folder looks more nice to humans.
> Now assume, I would store all files RSA encrypted in a database. Nobody
> would care about the content, the size, the subject and the count of
> records as long as the corpus norm is fine and the detection rate is OK.
> Because nobody would be able to read anything in this database.
> Looking back to the old days of assp, move2num was used and the filenames
> were built using random numbers and it was possible, that any file could
> be deleted at any time. Not really nice but it worked - numbers only
> numbers nothing more - and the highest randomness you can think about..
>
> Now - reading this you must come to a conclusion - 'MaxAllowedDups' is
> NONSENSE - and YES you are right - SWITCH IT OFF!
>
> Thomas
>
>
>
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 21.03.2016 18:56
> Subject: Re: [Assp-test] Max Number Duplicate File Names
>
>
>
> I'm sorry if you're finding this discussion to be such a time waster..  My
> goal is to improve ASSP for all, not to waste your time, you must know
> that.
>
> In the interest of conserving your time - summary question:
> *Wouldn't it be better for ASSP to remove duplicate file names in excess of
> X from notspam than for it to not remove them and instead remove other
> files with more varied notspam content?*
>
> Expanded:
>
> It's helpful for me to now understand that the hmm/bayes analysis doesn't
> weigh repetition more heavily than just one file in the opposite folder.
> Thank you for that explanation.  W

Re: [Assp-test] Max Number Duplicate File Names

2016-03-21 Thread K Post
I'm sorry if you're finding this discussion to be such a time waster..  My
goal is to improve ASSP for all, not to waste your time, you must know
that.

In the interest of conserving your time - summary question:
*Wouldn't it be better for ASSP to remove duplicate file names in excess of
X from notspam than for it to not remove them and instead remove other
files with more varied notspam content?*

Expanded:

It's helpful for me to now understand that the hmm/bayes analysis doesn't
weigh repetition more heavily than just one file in the opposite folder.
Thank you for that explanation.  When the users do mail merges, a lot of
the time, the body is subtly different (different dear line or other per
person customization for example), but based on what you're saying, I'd
think that they'd be substantially similar enough to act the same way as
you describe.  So good.

But, what is the downside of having ASSP remove filenames with more than X
of the same in notspam?  I understand that having more wouldn't increase
scoring for the content of >those< messages, but wouldn't it also remove
say 5000 of the OTHER files that we want during a rebuild based on their
age, and therefore give us a file store that's not as diverse as it could
be?  Isn't that a bad thing or at least not as good as it would be if the
duplicate file name emails were removed?

Localfrequency isn't going to help, at least in my case.  If the director
wants to ignore my instruction and policy, she needs to be able to. Yes,
this is a policy problem, but the people high up in the charity will always
argue that if they need to send a message, they're going to.  They don't
pay me much, but it's a job that I need - I can't risk that by turning on
localfrequency.  I don't see how nocollecting / re is going to help.  I
have no way of knowing who is going to send next or what they're going to
send.

I guess I just don't see the downside (other than your time in coding and
testing along with a slightly longer cleanup process) to have ASSP remove
those duplicate file names at cleanup time, before removing oldest first.
Wouldn't that be better than having a notspam folder that once cleanup runs
could only have only a handful of files that are significantly different
content (say if a couple users sent a boatload of mailmerges in 1 day)?






On Mon, Mar 21, 2016 at 12:49 PM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> bonehead user sends 5000 -> LocalFrequencyInt and next configs
>
> regular user sends 5000 -> noCollecting , noCollectRe ...
>
> This is not a coding task - this is an organizing and configuration task.
> As I always say - RTFM!
>
> >then delete as you already do files in
> >excess of the maximum total number of files?
>
> Oldest first - no content check.
>
> >that our notspam corpus remains diverse
>
> having 5000 times the 100% same mail-body in one folder is the same, like
> having the mail one time in this folder for HMM and bayes
> having the same mail in the opposite folder one time - eliminates all the
> 5000 for HMM and bayes
> BTW : this is independent from the filename or subject
>
> This is not new (since more than 10 years) - because it is one of the
> basic concepts of HMM and bayes.
>
> >I know that we must be missing something significant.
>
> Yes - the concept!
>
> You waste my time Ken.
>
> Thomas
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 21.03.2016 16:41
> Subject: Re: [Assp-test] Max Number Duplicate File Names
>
>
>
> -From Thomas, posted elsewhere
> >Remains the (my) question - what should be done with mails that
> >reaches the 'MaxAllowedHamDups' without breaking any concept and without
> >creating a new folder (which breaks several concepts)?
>
> The scenario where a bonehead user sends 5000 of the same message in an
> Outlook mailmerge isn't just a conceptual possibility, it happens.  And
> it's happening more and more frequently despite training, memos, reminders,
> and a very good email blast system in place that eliminated the need for
> mailmerges.
>
> What about when doing the nightly cleanup if you were to delete files with
> the same name in excess of max dups, then delete as you already do files in
> excess of the maximum total number of files?  I thought that was what was
> already happening with the spam corpus, but apparently not.
>
> I only see upside to limiting the number of dups in notspam, but you've
> stated elsewhere that the arguments herein don't make sense to you.  If
> you're saying what we suggest doesn't make any sense, I know that we must
> be missing something significant.  I know that bayesian filtering works
> really well, but I only under

Re: [Assp-test] Max Number Duplicate File Names

2016-03-21 Thread K Post
-From Thomas, posted elsewhere
>Remains the (my) question - what should be done with mails that
>reaches the 'MaxAllowedHamDups' without breaking any concept and without
>creating a new folder (which breaks several concepts)?

The scenario where a bonehead user sends 5000 of the same message in an
Outlook mailmerge isn't just a conceptual possibility, it happens.  And
it's happening more and more frequently despite training, memos, reminders,
and a very good email blast system in place that eliminated the need for
mailmerges.

What about when doing the nightly cleanup if you were to delete files with
the same name in excess of max dups, then delete as you already do files in
excess of the maximum total number of files?  I thought that was what was
already happening with the spam corpus, but apparently not.

I only see upside to limiting the number of dups in notspam, but you've
stated elsewhere that the arguments herein don't make sense to you.  If
you're saying what we suggest doesn't make any sense, I know that we must
be missing something significant.  I know that bayesian filtering works
really well, but I only understand the inner workings from 35,000 feet. I
just can't understand how making every effort to insure that our notspam
corpus remains diverse doesn't make sense.

Thanks again.  Hope we can continue this discussion.

On Mon, Mar 14, 2016 at 5:28 PM, K Post <nntp.p...@gmail.com> wrote:

> One of our staff inadvertently sent about 3400 of the same test messages
> out through our server.  Okay, okay, it was me - had a loop coded wrong and
> before I noticed what was going on and could stop it about 3400 of the same
> messages went out, fortunately, they were just to me.  Sure enough, all
> 3400 were in notspam.
>
> So, could we, and does it make sense, to keep discussing this?
>
> On Thu, Mar 10, 2016 at 1:47 PM, K Post <nntp.p...@gmail.com> wrote:
>
>> Isn't that exact same logic an argument for having the maximum number of
>> duplicate subjects apply to the HAM / notspam folder too?  5000 or 15000 of
>> the same message sent individually by (untrainable / apathetic) users would
>> fill the notspam folder and mess up HMM / Bayesian right?
>>
>> And for those RE / FWD / No subject emails, maybe we could have ASSP
>> ignore subjects shorter than say 5 or 6 characters when deleting duplicate
>> file names?  Then those files could get wiped out oldest first during the
>> maintenance.
>>
>>
>>
>> On Thu, Mar 10, 2016 at 11:18 AM, Thomas Eckardt <
>> thomas.ecka...@thockar.com> wrote:
>>
>>> Just think about the logic behind Bayesian and HMM - this will answer your
>>> question.
>>>
>>> Having the same mail in the spam folder multiple times, this will score
>>> the content to extreme spam heavy, even your users are using the same
>>> content - but less often.
>>>
>>> Thomas
>>>
>>>
>>>
>>>
>>>
>>> From: K Post <nntp.p...@gmail.com>
>>> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>>> Date: 10.03.2016 16:58
>>> Subject: Re: [Assp-test] Max Number Duplicate File Names
>>>
>>>
>>>
>>> I know you're all RTFM, but there's plenty of places in the GUI where the
>>> description isn't exactly clear or right.  For example
>>>
>>> MaxFiles
>>> If you're not using subjects as file names ( UseSubjectsAsMaillogNames ),
>>> this is the maximum number of files to keep in each collection (spam &
>>> nonspam)
>>> It's actually less than this -- files get a random number between 1 and
>>> MaxFiles.
>>>
>>> I AM using file names and MaxFiles DOES control the maximum number of files
>>> in each collection, despite what the description says when
>>> MaintBayesCollection is on and no max age is set. The language is not clear
>>> and that makes us assume things, sometimes incorrectly, about what the GUI
>>> really means.  We've been working this way since ASSP came out.  Because of
>>> this, I had no way of knowing that MaxAllowedDups >really< only applied to
>>> the spam collection.  I assumed the GUI meant the whole log of spam and
>>> NOTspam.  I don't think that's an unreasonable assumption, or call it an
>>> oversight, or a mistake on my part - but none of that justifies an angry
>>> sounding response from you.
>>>
>>>  I'm not looking for a fight, but I feel like I have to keep justifying
>>> myself after you appear to be so angry with me, and the rest of u
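
The two cleanup orders discussed in this thread (oldest first with no content check, versus trimming duplicate names to a cap before the oldest-first pass), as an added Python simulation that is not ASSP code. It counts only how many distinct subjects survive and makes no claim about Bayes/HMM scoring; the 3400-copy flood and the 2000-file notspam folder are figures from the thread, while the subject keys, `max_files=2500` and `max_dups=5` are constructed assumptions.

```python
from collections import Counter

# Constructed model: each stored mail is (subject_key, mtime). The subject key
# stands in for a subject-derived file name; this is an assumption for the
# simulation, not ASSP's on-disk naming scheme.


def build_constructed_store(distinct=2000, flood=3400):
    """Older, varied notspam followed by a newer flood of one repeated subject."""
    store = [(f"subject-{i:04d}", i) for i in range(distinct)]
    store += [("loop-test", distinct + i) for i in range(flood)]
    return store


def cleanup_oldest_first(store, max_files):
    """Keep the newest max_files entries without looking at names or content."""
    newest_first = sorted(store, key=lambda f: f[1], reverse=True)
    return newest_first[:max_files]


def cleanup_dups_then_oldest(store, max_files, max_dups):
    """Keep at most max_dups newest entries per subject, then trim oldest first."""
    kept, seen = [], Counter()
    for subject, mtime in sorted(store, key=lambda f: f[1], reverse=True):
        if seen[subject] < max_dups:
            seen[subject] += 1
            kept.append((subject, mtime))
    return kept[:max_files]


def summarize(store):
    """Size of the store, number of distinct subjects, and the largest group."""
    counts = Counter(subject for subject, _ in store)
    top_subject, top_count = counts.most_common(1)[0]
    return {
        "files": len(store),
        "distinct": len(counts),
        "largest_group": top_count,
        "largest_subject": top_subject,
    }


def compare(max_files=2500, max_dups=5):
    """Run both cleanup orders over the same constructed store."""
    store = build_constructed_store()
    return {
        "before": summarize(store),
        "oldest_first": summarize(cleanup_oldest_first(store, max_files)),
        "dups_then_oldest": summarize(
            cleanup_dups_then_oldest(store, max_files, max_dups)
        ),
    }


if __name__ == "__main__":
    for policy, stats in compare().items():
        print(f"{policy:18s} {stats}")
```
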

Re: [Assp-test] fixes in assp 2.5.2 build 16080

2016-03-21 Thread K Post
At the risk of continuing the conversation despite you saying no -- you
asked a question so I'll try to only address that- in the original thread
to keep the discussion together.  Hope you'll find the time and desire to
respond.  Thanks


On Mon, Mar 21, 2016 at 10:39 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> >Could we resume that discussion then?
> Not with me.
>
> >some valid points were raised by a couple of us
> Not a single one was valid from my point of view.
>
> >but you haven't enlightened us yet
> I have. Remains the (my) question - what should be done with mails that
> reaches the 'MaxAllowedHamDups' without breaking any concept and without
> creating a new folder (which breaks several concepts)?
>
> Thomas
>
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 21.03.2016 15:28
> Subject: Re: [Assp-test] fixes in assp 2.5.2 build 16080
>
>
>
> Could we resume that discussion then?  I >>think<< some valid points were
> raised by a couple of us, but you didn't chime in further.   I feel like
> there has to be a reason that our ideas don't make sense, but you haven't
> enlightened us yet.
>
> On Mon, Mar 21, 2016 at 3:46 AM, Thomas Eckardt
> <thomas.ecka...@thockar.com>
> wrote:
>
> > >Are the  'MaxAllowedDups' changes
> > >listed in the GUI?
> >
> > No - these changes are more related to the cluster mode, with a shared
> > corpus. The wanted behavior is not changed - so the GUI is not changed.
> > ASSP only acts more aggressively to follow the configuration of
> > 'MaxAllowedDups'.
> >
> > >I'm guessing this is based on our discussions about not
> > >keeping dups of notspam too...
> > No.
> >
> > Thomas
> >
> >
> > From: K Post <nntp.p...@gmail.com>
> > To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> > Date: 20.03.2016 18:47
> > Subject: Re: [Assp-test] fixes in assp 2.5.2 build 16080
> >
> >
> >
> > ooh lala.
> >
> > Appetite whet for all of these changes.  Are the  'MaxAllowedDups' changes
> > listed in the GUI?  I'm guessing this is based on our discussions about not
> > keeping dups of notspam too...
> >
> > Thanks for the quick work.
> >
> > On Sun, Mar 20, 2016 at 9:25 AM, Thomas Eckardt
> > <thomas.ecka...@thockar.com>
> > wrote:
> >
> > > Hi all,
> > >
> > > fixed in assp 2.5.2 build 16080:
> > >
> > > - 'enhancedOriginIPDetect' wrongly detected tunneled IPv4 addresses
> > >
> > > - the SSLfailed-Cache was not cleaned up from invalid IP-addresses if
> > > 'noBanFailedSSLIP' was changed
> > >
> > >
> > > changed:
> > >
> > > - faster SSL-listener handling improves DoS and DDoS handling of
> > > SSL-negotiation attacks
> > >
> > > - 'MaxAllowedDups' acts more aggressively to keep the configured duplicate
> > > filenames
> > >
> > > Thomas
> > >
> > >
> > > DISCLAIMER:
> > > ***
> > > This email and any files transmitted with it may be confidential,
> > legally
> > > privileged and protected in law and are intended solely for the use of
> > the
> > >
> > > individual to whom it is addressed.
> > > This email was multiple times scanned for viruses. There should be no
> > > known virus in this email!
> > > ***
> > >
> > >
> > >
> > >
> >
> >
>

Re: [Assp-test] fixes in assp 2.5.2 build 16080

2016-03-21 Thread K Post
Could we resume that discussion then?  I >>think<< some valid points were
raised by a couple of us, but you didn't chime in further.   I feel like
there has to be a reason that our ideas don't make sense, but you haven't
enlightened us yet.

On Mon, Mar 21, 2016 at 3:46 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> >Are the  'MaxAllowedDups' changes
> >listed in the GUI?
>
> No - these changes are more related to the cluster mode, with a shared
> corpus. The wanted behavior is not changed - so the GUI is not changed.
> ASSP only acts more aggressively to follow the configuration of
> 'MaxAllowedDups'.
>
> >I'm guessing this is based on our discussions about not
> >keeping dups of notspam too...
>
> No.
>
> Thomas
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 20.03.2016 18:47
> Subject: Re: [Assp-test] fixes in assp 2.5.2 build 16080
>
>
>
> ooh lala.
>
> Appetite whet for all of these changes.  Are the  'MaxAllowedDups' changes
> listed in the GUI?  I'm guessing this is based on our discussions about not
> keeping dups of notspam too...
>
> Thanks for the quick work.
>
> On Sun, Mar 20, 2016 at 9:25 AM, Thomas Eckardt
> <thomas.ecka...@thockar.com>
> wrote:
>
> > Hi all,
> >
> > fixed in assp 2.5.2 build 16080:
> >
> > - 'enhancedOriginIPDetect' wrongly detected tunneled IPv4 addresses
> >
> > - the SSLfailed-Cache was not cleaned up from invalid IP-addresses if
> > 'noBanFailedSSLIP' was changed
> >
> >
> > changed:
> >
> > - faster SSL-listener handling improves DoS and DDoS handling of
> > SSL-negotiation attacks
> >
> > - 'MaxAllowedDups' acts more aggressively to keep the configured duplicate
> > filenames
> >
> > Thomas
> >
> >


Re: [Assp-test] fixes in assp 2.5.2 build 16080

2016-03-20 Thread K Post
ooh lala.

Appetite whet for all of these changes.  Are the  'MaxAllowedDups' changes
listed in the GUI?  I'm guessing this is based on our discussions about not
keeping dups of notspam too...

Thanks for the quick work.

On Sun, Mar 20, 2016 at 9:25 AM, Thomas Eckardt 
wrote:

> Hi all,
>
> fixed in assp 2.5.2 build 16080:
>
> - 'enhancedOriginIPDetect' wrongly detected tunneled IPv4 addresses
>
> - the SSLfailed-Cache was not cleaned up from invalid IP-addresses if
> 'noBanFailedSSLIP' was changed
>
>
> changed:
>
> - faster SSL-listener handling improves DoS and DDoS handling of
> SSL-negotiation attacks
>
> - 'MaxAllowedDups' acts more aggressively to keep the configured duplicate
> filenames
>
> Thomas
>
>
___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
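
The X-Originating-IP handling that Thomas describes in the "Bad DNSBL detection" thread below (one header line yielding two stack entries, of which only the IPv6 form is dropped), as an added Python model that is not ASSP code. It assumes the header carried an IPv4-mapped IPv6 address in `::ffff:a.b.c.d` form (the page shows the value only as `[:::W.X.Y.Z]`); all addresses, the DNSBL set and the function names are constructed.

```python
import ipaddress
import re

# Dotted-quad matcher used only by the faulty model below.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_faulty(header_value):
    """Model of the described fault: the embedded IPv4 is pushed first,
    then the expanded IPv6 form of the very same header value."""
    token = header_value.strip().strip("[]")
    found = []
    match = IPV4_RE.search(token)
    if match:
        found.append(match.group(0))
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return found
    if addr.version == 6:
        found.append(addr.exploded)
    return found


def extract_normalized(header_value):
    """Treat an IPv4-mapped IPv6 address as the single IPv4 host it denotes."""
    token = header_value.strip().strip("[]")
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return []  # not an address at all: contribute nothing to the stack
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return [str(addr)]


def ips_to_check(received_ips, header_value, extractor):
    """Build the address stack (relays first, originating header last) and
    drop the last entry, modelling the "all but most origin" setting."""
    stack = list(received_ips) + extractor(header_value)
    return stack[:-1]


def dnsbl_hits(ips, listed):
    """Addresses from the checked set that appear in the (constructed) DNSBL."""
    return [ip for ip in ips if ip in listed]


# Constructed sample data (documentation address ranges).
RECEIVED_IPS = ["198.51.100.25"]          # webmail provider's outbound relay
ORIGIN_HEADER = "[::ffff:203.0.113.77]"   # subscriber's home connection
DNSBL_LISTED = {"203.0.113.77"}           # home address listed, relay is not


def verdicts():
    faulty = ips_to_check(RECEIVED_IPS, ORIGIN_HEADER, extract_faulty)
    fixed = ips_to_check(RECEIVED_IPS, ORIGIN_HEADER, extract_normalized)
    return {
        "faulty_checked": faulty,
        "faulty_hits": dnsbl_hits(faulty, DNSBL_LISTED),
        "fixed_checked": fixed,
        "fixed_hits": dnsbl_hits(fixed, DNSBL_LISTED),
    }


if __name__ == "__main__":
    for key, value in verdicts().items():
        print(f"{key:15s} {value}")
```
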


Re: [Assp-test] Bad DNSBL detection

2016-03-20 Thread K Post
Thanks.

Comcast is one of the biggest ISP's in the US.  I've got to believe that
they have a massive amount of mail sent from their webmail systems.  I'm
shocked that we didn't run into this sooner.  Appreciate the fix!

On Sun, Mar 20, 2016 at 3:27 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> >Is X-Originating-IP something that's checked?
>
> yes - this is a perfect information for assp
>
> >X-Originating-IP: [:::W.X.Y.Z]
>
> this leads to two IPs that are put on the IP-address stack - the
> extracted IPv4 followed by the expanded IPv6 (important: exactly in this
> order!)
>
> because enhancedOriginIPDetect is set to "all but most origin"
> the IPv6 is removed from the stack - but the IPv4 (extracted from the same
> header line) is used as origin IP - this is wrong in this case and will be
> corrected in the next release
>
> Thank you
>
> Thomas
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 19.03.2016 23:22
> Subject: [Assp-test] Bad DNSBL detection
>
>
>
> Saw an email get rejected due to a hit on DNSBL.  It was from a legit user
> using Comcast's (major ISP here in the US) webmail system.
>
> All of the received lines were fine, and the home cable modem's address
> was not listed there.
>
> However, there was a line below the received lines like this:
> X-Originating-IP: [:::W.X.Y.Z]
>
> It looked like an IPv6 address, but my research showed that W.X.Y.Z was
> actually the IPv4 address of the user's home cable modem/router and that
> IP was correctly in DNSBL.
>
> enhancedOriginIPDetect is set to "all but most origin"
>
> I haven't seen this before, but could have certainly missed others.  Just
> happened to catch this one.
>
> Is X-Originating-IP something that's checked?
>
> Bug?  Did I do something wrong?  Any way to insure this doesn't happen
> again?
>
> Thanks
>

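The double-counting described in the thread above, as an added example (not ASSP's code): it assumes the header carried an IPv4-mapped IPv6 literal of the form `::ffff:a.b.c.d` (the archive shows it only as `[:::W.X.Y.Z]`) and models "all but most origin" as dropping the last stack entry. The headers, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample headers, newest hop first (documentation address ranges).
SAMPLE_HEADERS = [
    ("Received", "from webmail.example.net (webmail.example.net [198.51.100.7])"),
    ("X-Originating-IP", "[::ffff:192.0.2.10]"),
]

BRACKETED = re.compile(r"\[([0-9A-Fa-f:.]+)\]")          # bracketed IP literal
DOTTED_QUAD = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})$")  # trailing a.b.c.d


def _parse(text):
    """Return an ip_address object, or None if the text is not a valid IP."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def naive_candidates(value):
    """Model of the reported fault: the embedded dotted quad is pushed first,
    then the full IPv6 literal, so one header line yields two stack entries."""
    found = []
    for literal in BRACKETED.findall(value):
        full = _parse(literal)
        quad = DOTTED_QUAD.search(literal)
        v4 = _parse(quad.group(1)) if quad else None
        if v4 is not None:
            found.append(v4)
        if full is not None and full.version == 6:
            found.append(full)
    return found


def normalised_candidates(value):
    """One header literal gives one entry; IPv4-mapped IPv6 collapses to IPv4."""
    found = []
    for literal in BRACKETED.findall(value):
        addr = _parse(literal)
        if addr is None:
            continue
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        found.append(addr)
    return found


def build_stack(headers, extractor):
    """Collect candidate IPs in header order, so the origin ends up last."""
    stack = []
    for name, value in headers:
        if name.lower() in ("received", "x-originating-ip"):
            stack.extend(extractor(value))
    return stack


def ips_to_check(headers, extractor):
    """Simplified 'all but most origin' (assumption): drop the last entry and
    return the remaining addresses that would go to the DNSBL lookup."""
    return [str(ip) for ip in build_stack(headers, extractor)[:-1]]


if __name__ == "__main__":
    print("naive     :", ips_to_check(SAMPLE_HEADERS, naive_candidates))
    print("normalised:", ips_to_check(SAMPLE_HEADERS, normalised_candidates))
```

With the naive extractor the sender's own address survives the "drop the origin" step and is looked up; after normalisation only the webmail relay remains.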

Re: [Assp-test] Virus detected

2016-03-20 Thread K Post
That file has:

Warning -
Our anti-spam and anti-virus system has detected a virus or phishing
attack within an email sent to you.  Should you feel that this was
in error, or have questions please feel free to contact support and
supply them with a copy of this email.

The following are details from the email:


I'm not seeing that in the email and wouldn't expect to
as EmailVirusReportsToRCPT is disabled.

It's the report to the *admin* that is missing the to and subject line of
the alert.   (EmailVirusReportsTo) I'd expect the email to come with a
subject indicating that a potential virus was found.  Instead, my alert
emails have no subject and I can't even filter based on TO since that's a
missing line too.

Thanks



On Wed, Mar 16, 2016 at 3:15 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> switch it back
>
> check 'assp/reports/virusreport.txt'
>
> Thomas
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 15.03.2016 20:40
> Subject: Re: [Assp-test] Virus detected
>
>
>
> It was on, but tried with it off.  Same result. I get a shorter bit of
> information in the body:
> Message ID: msg72223-13594
> Session: AB01C7BC
> Remote IP: 149.202.232.193
> Subject: Test mail 2/7 (ID=ILVgZjNA==)
> Sender: securitych...@emailsecuritycheck.net
> Recipients(s): m...@ourcharity.org
> Virus Detected: 'Eicar-Test-Signature'
>
> as expected, but TO and SUBJECT are blank in the header.
>
> www.emailsecuritycheck.net is what I've been using to test.  Might someone
> here be able to try on their end?
> Thanks
>
> On Tue, Mar 15, 2016 at 2:44 AM, Thomas Eckardt
> <thomas.ecka...@thockar.com>
> wrote:
>
> > What is your setting of 'EmailVirusReportsHeader'?
> > Try the opposite setting - does it work?
> >
> > Thomas
> >
> >
> >
> >
> >
> > From: K Post <nntp.p...@gmail.com>
> > To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> > Date: 14.03.2016 23:10
> > Subject: Re: [Assp-test] Virus detected
> >
> >
> >
> > Even with 16074 and the latest ASSP_AFC, if I have my email address in
> > EmailVirusReportsTo, I DO get the report, but the subject line and to
> > line are blank.   Looking at the header of the notification email,
> > there doesn't appear to be a to or subject line.
> >
> >

[Assp-test] Bad DNSBL detection

2016-03-19 Thread K Post
Saw an email get rejected due to a hit on DNSBL.  It was from a legit user
using Comcast's (major ISP here in the US) webmail system.

All of the received lines were fine, and the home cable modem's address was
not listed there.

However, there was a line below the received lines like this:
X-Originating-IP: [:::W.X.Y.Z]

It looked like an IPv6 address, but my research showed that W.X.Y.Z was
actually the IPv4 address of the user's home cable modem/router and that IP
was correctly in DNSBL.

enhancedOriginIPDetect is set to "all but most origin"

I haven't seen this before, but could have certainly missed others.  Just
happened to catch this one.

Is X-Originating-IP something that's checked?

Bug?  Did I do something wrong?  Any way to insure this doesn't happen
again?

Thanks


[Assp-test] ASSP as smarthost - reverse DNS

2016-03-19 Thread K Post
I don't think this is an ASSP problem, but wanted to make sure as I'm at
the end of my rope on this.

Regular inbound messages are fine.  As long as the helo matches reverse
DNS, then the received line is like

Received: from whatever.outside.com (1.2.3.4 helo=whatever.outside.com).

If the helo doesn't match, it gives

Received: from unknown (1.2.3.4 helo=whatever.outside.com).
(or maybe that's only if there is no reverse dns for the ip?)

Fine

What I'm finding though is that when I send mail from our exchange servers,
which use ASSP as a smarthost, it always shows
Received: from unknown (172.15.15.5 helo=exchange.int.ourcharity.org)
despite 172.15.15.5 reversing internally to exchange.int.ourcharity.org

Is there any chance that there's a bug in ASSP where it's not trying to
reverse the IP for relays??  Not trying to be accusatory, I just can't
figure it out.  If I do a nslookup on the assp machine, all is fine for
that ip.


Re: [Assp-test] ASSP as smarthost - reverse DNS

2016-03-19 Thread K Post
?


On Wed, Mar 16, 2016 at 12:21 PM, K Post <nntp.p...@gmail.com> wrote:

> I don't think this is an ASSP problem, but wanted to make sure as I'm at
> the end of my rope on this.
>
> Regular inbound messages are fine.  As long as the helo matches reverse
> DNS, then the received line is like
>
> Received: from whatever.outside.com (1.2.3.4 helo=whatever.outside.com).
>
> If the helo doesn't match, it gives
>
> Received: from unknown (1.2.3.4 helo=whatever.outside.com).
> (or maybe that's only if there is no reverse dns for the ip?)
>
> Fine
>
> What I'm finding though is that when I send mail from our exchange
> servers, which use ASSP as a smarthost, it always shows
> Received: from unknown (172.15.15.5 helo=exchange.int.ourcharity.org)
> despite 172.15.15.5 reversing internally to exchange.int.ourcharity.org
>
> Is there any chance that there's a bug in ASSP where it's not trying to
> reverse the IP for relays??  Not trying to be accusatory, I just can't
> figure it out.  If I do a nslookup on the assp machine, all is fine for
> that ip.
>


Re: [Assp-test] ASSP as smarthost - reverse DNS

2016-03-19 Thread K Post
It's so nice to feel loved.  Thank you for the warm fuzzy.

I don't think it's necessary to include the option to include the
credentials in the email header, as people who need the credentials can get
them from the HTML code of our webpages.  That way if I forget the
password, it's easy to find - and I use that same 4 digit password
everywhere for safety.

But seriously, why couldn't you just answer by saying that this is by
design such that internal hostnames are not revealed?  I would have replied
with a "that makes sense, thanks for the clarification, and we move on."
It would have taken you 2 seconds.  Instead I was left hanging.  Ignoring
a question that you don't think makes sense doesn't solve anything or help
anyone.  It's not like there's that much traffic here that it's
unmanageable.

It wasn't necessary to insult me either.  There's nothing in the GUI that I
could find that indicates that the relay port will not be doing any reverse
lookup.  It wasn't unreasonable for me to be asking.   Exchange servers
regularly expose the AD name and machine names. If security through
obscurity is your intention here, then how about removing the ASSP version
and build number from the email headers so that potential hackers don't
know the exact code running their target?  Hackers love that.

And with ASSP being in perpetual beta (which is a great thing) you're
discouraging users from asking questions or reporting potential bugs by
being so aggressive.  We're all in this together, yes, you are our leader,
yes sometimes people ask silly questions.  But also sometimes there's
nothing documented about something that seems off and we should be
encouraged to ask.  That's what I did here.

I'm not trying to be a jerk here, I just don't understand why my question
warranted such a response.  I am sincerely, really I am, sorry that you
find our questions to be so offensive or stupid.  You're appreciated, most
of us aren't the coding wiz that you are, we absolutely rely on you -  your
massive contribution to ASSP code - your maintenance of everything.  But we
also like to discuss things with civility in the spirit of this
community.  Please try not to take us neophytes as some kind of enemy.



On Fri, Mar 18, 2016 at 2:11 PM, Scott MacLean <a...@hollsco.com> wrote:

> Thomas, you're hilarious! :) Have a good weekend.
>
> On 3/18/2016 2:06 PM, Thomas Eckardt wrote:
> >> ?
> >
> >
> >> On Wed, Mar 16, 2016 at 12:21 PM, K Post <nntp.p...@gmail.com> wrote:
> >
> > This useless post was ignored by me - but now I can't any longer -
> > I'm sorry.
> >
> > reverse DNS for private hosts/domains in public headers ?*1000
> >
> > So I suggest a new feature:
> >
> > - instead of using 'unknown' as host name in Received headers of outgoing
> > mails, assp will provide the full private hostname, which shows for
> > example the AD domain name
> > - in addition assp adds the domain Administrator credentials in clear text
> > at the end of this header line
> > - the feature 'HideIPandHelo' should be removed - it makes hackers so
> > unhappy, because they are not getting any useful information
> >
> > You'll not need this really nice new feature and you can safely switch it
> > off, if you provide the real IP and the correct hostname (in the  HELO)
> > like :  (172.15.15.5 helo=exchange.domain.local)
> > Thomas
> >
> >
> >
> >
> > From: K Post <nntp.p...@gmail.com>
> > To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> > Date: 18.03.2016 18:05
> > Subject: Re: [Assp-test] ASSP as smarthost - reverse DNS
> >
> >
> >
> > ?
> >
> >
> > On Wed, Mar 16, 2016 at 12:21 PM, K Post <nntp.p...@gmail.com> wrote:
> >
> >> I don't think this is an ASSP problem, but wanted to make sure as I'm at
> >> the end of my rope on this.
> >>
> >> Regular inbound messages are fine.  As long as the helo matches reverse
> >> DNS, then the received line is like
> >>
> >> Received: from whatever.outside.com (1.2.3.4 helo=whatever.outside.com).
> >>
> >> If the helo doesn't match, it gives
> >>
> >> Received: from unknown (1.2.3.4 helo=whatever.outside.com).
> >> (or maybe that's only if there is no reverse dns for the ip?)
> >>
> >> Fine
> >>
> >> What I'm finding though is that when I send mail from our exchange
> >> servers, which use ASSP as a smarthost, it always shows
> >> Received: from unknown (172.15.15.5 helo=exchange.int.ourcharity.org)
> >> despite 172.15.15.5 reversing internally to exchange.int.ourcharity.org

Re: [Assp-test] Virus detected

2016-03-15 Thread K Post
It was on, but tried with it off.  Same result. I get a shorter bit of
information in the body:
Message ID: msg72223-13594
Session: AB01C7BC
Remote IP: 149.202.232.193
Subject: Test mail 2/7 (ID=ILVgZjNA==)
Sender: securitych...@emailsecuritycheck.net
Recipients(s): m...@ourcharity.org
Virus Detected: 'Eicar-Test-Signature'

as expected, but TO and SUBJECT are blank in the header.

www.emailsecuritycheck.net is what I've been using to test.  Might someone
here be able to try on their end?
Thanks

On Tue, Mar 15, 2016 at 2:44 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> What is your setting of 'EmailVirusReportsHeader'?
> Try the opposite setting - does it work?
>
> Thomas
>
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 14.03.2016 23:10
> Subject: Re: [Assp-test] Virus detected
>
>
>
> Even with 16074 and the latest ASSP_AFC, if I have my email address in
> EmailVirusReportsTo, I DO get the report, but the subject line and to line
> are blank.   Looking at the header of the notification email, there
> doesn't appear to be a to or subject line.
>


Re: [Assp-test] Virus detected

2016-03-14 Thread K Post
Even with 16074 and the latest ASSP_AFC, if I have my email address in
EmailVirusReportsTo, I DO get the report, but the subject line and to line
are blank.   Looking at the header of the notification email, there
doesn't appear to be a to or subject line.


Re: [Assp-test] Attachment blocking and ClamAV suspicious only

2016-03-14 Thread K Post
Also, with 16074 and the updated ASSP_AFC, test 5, the dll file still gets
through.
http://www.emailsecuritycheck.net/

This is a RENAMED text file that they're sending, it's NOT a real DLL, it
just has that extension.  Shouldn't the blocked extensions still reject it
though?

On Mon, Mar 14, 2016 at 11:47 AM, K Post <nntp.p...@gmail.com> wrote:

> EXCELLENT- didn't see suspicious virus setting. Thanks
>
> On Sun, Mar 13, 2016 at 6:49 AM, Thomas Eckardt <
> thomas.ecka...@thockar.com> wrote:
>
>> >Is there a way to tell ClamAV or ASSP to reject even suspicious files?
>>
>> ClamAV only detects OK and FAILED (+ result string) - the result is
>> processed by assp.
>>
>> 'vsValencePB'
>>
>> RTFM:
>>
>> 'SuspiciousVirus' ....  It is possible to weight such results. .
>>
>>
>> Thomas
>>
>>
>>
>>
>> From: K Post <nntp.p...@gmail.com>
>> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date: 12.03.2016 20:16
>> Subject: [Assp-test] Attachment blocking and ClamAV suspicious only
>>
>>
>>
>> 2 questions:
>>
>> 1) I've been doing some ClamAV testing.  It mostly works, but I've also
>> seen:
>> [VIRUS][scoring] 149.202.232.193 <securitych...@emailsecuritycheck.net>
>> to:
>> virust...@ourdomain.org 'Eicar-Test-Signature' passing the virus check
>> because of only suspicious virus 'Eicar'
>>
>> Is there a way to tell ClamAV or ASSP to reject even suspicious files?
>>
>>
>> 2) I've got Level 1 blocking set using
>>
>> exe-bin|url|ade|adp|asx|bas|bat|dot|dotx|xlt|xlts|bin|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|htb|inf|ifs|isp|js|jse|lnk|mda|mdb|mde|mdz|mht|msc|msi|msp|mst|nch|pcd|pif|prf|ps1|reg|scf|scr|sct|shb|shs|vb|vbe|vbs|vba|wms|wsc|wsh
>>
>> Everything I've tested is blocked with the exception of DLL files and I
>> can't for the life of me figure out why.  Any ideas?
>>
>> Thanks
>> Ken
>>


Re: [Assp-test] fixes in assp 2.4.8 build 16074

2016-03-14 Thread K Post
16074 is much better with the admin report of submitted spam.  I now see
bayes and hmm information, something I haven't seen in at least a year.
Thank you!!

The top part is still missing most of the info and I get this warning in
the log:
Warning: DKIM returned 'no domain to fetch policy for '  (with the space
and single quote)


General Hints:

m...@ourcharity.org has requested this analyze report
analyze is restricted to a maximum length of 3088 bytes
attachments will be fully analyzed using ASSP_AFC
attachments will be fully scanned for viruses
text processing uses unicode normalization

sender and reply addresses: <-- nothing there
recipient addresses:<-- nothing there
Feature Matching:   <-- nothing there

• DKIM-check returned OK no domain to fetch policy for   <-- doesn't
seem to see any of this stuff either
• URIBL check: 'OK'
• PTR record via DNS: status=no PTR
• RWLcheck returned OK for : status=unknown


On Mon, Mar 14, 2016 at 1:53 PM, K Post <nntp.p...@gmail.com> wrote:

> can't wait to try this!  THANK YOU.
>
> On Mon, Mar 14, 2016 at 1:42 PM, Thomas Eckardt <
> thomas.ecka...@thockar.com> wrote:
>
>> Hi all,
>>
>> fixed in assp 2.4.8 build 16074:
>>
>> added:
>>
>> - the Perl module Email::MIME is currently not able to process (decode)
>> RFC2231 encoded MIME-header-lines like
>>
>> Content-Type: application/x-msdownload;
>>  name*0*="us-ascii'en-en'attached%2E";
>>  name*1*="%62";
>>  name*2=at
>>
>> (attached.bat) and
>>
>> =?us-ascii*en-en?Q?text?=
>>
>>   - this makes it impossible to detect attachment filenames, if they are
>> encoded this way!
>>
>>   ASSP now provides the decoding of these special cases of MIME-header
>> encoding.
>>   The language encodings like 'en-en' are ignored for now in both cases of
>> encoding, because they are
>>   not used by assp in any filter mechanism.
>>   Notice: the defined character set in those encodings, is only used to
>> decode the header tag,
>>   it can't be detected by 'bombCharSets' - but by all other bomb
>> regular expressions
>>
>>
>> Thomas
>>


Re: [Assp-test] Max Number Duplicate File Names

2016-03-14 Thread K Post
One of our staff inadvertently sent about 3400 of the same test messages out
through our server.  Okay, okay, it was me - had a loop coded wrong and
before I noticed what was going on and could stop it about 3400 of the same
messages went out, fortunately, they were just to me.  Sure enough, all
3400 were in notspam.

So, could we, and does it make sense, to keep discussing this?

On Thu, Mar 10, 2016 at 1:47 PM, K Post <nntp.p...@gmail.com> wrote:

> Isn't that exact same logic an argument for having the maximum number of
> duplicate subjects apply to the HAM / notspam folder too?  5000 or 15000 of
> the same message sent individually by (untrainable / apathetic) users would
> fill the notspam folder and mess up HMM / Bayesian right?
>
> And for those RE / FWD / No subject emails, maybe we could have ASSP
> ignore subjects shorter than say 5 or 6 characters when deleting duplicate
> file names?  Then those files could get wiped out oldest first during the
> maintenance.
>
> On Thu, Mar 10, 2016 at 11:18 AM, Thomas Eckardt <
> thomas.ecka...@thockar.com> wrote:
>
>> Just think about the logic behind Bayesian and HMM - this will answer your
>> question.
>>
>> Having the same mail in the spam folder multiple times, this will score
>> the content to extreme spam heavy, even your users are using the same
>> content - but less often.
>>
>> Thomas
>>
>>
>>
>>
>>
>> From: K Post <nntp.p...@gmail.com>
>> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date: 10.03.2016 16:58
>> Subject: Re: [Assp-test] Max Number Duplicate File Names
>>
>>
>>
>> I know you're all RTFM, but there's plenty of places in the GUI where the
>> description isn't exactly clear or right.  For example
>>
>> MaxFiles
>> If you're not using subjects as file names ( UseSubjectsAsMaillogNames ),
>> this is the maximum number of files to keep in each collection (spam &
>> nonspam)
>> It's actually less than this -- files get a random number between 1 and
>> MaxFiles.
>>
>> I AM using file names and MaxFiles DOES control the maximum number of
>> files
>> in each collection, despite what the description says when
>> MaintBayesCollection is on and no max age is set. The language is not
>> clear
>> and that makes us assume things, sometimes incorrectly, about what the GUI
>> really means.  We've been working this way since ASSP came out.  Because of
>> this, I had no way of knowing that MaxAllowedDups >really< only applied to
>> the spam collection.  I assumed the GUI meant the whole log of spam and
>> NOTspam.  I don't think that's an unreasonable assumption, or call it an
>> oversight, or a mistake on my part - but none of that justifies an angry
>> sounding response from you.
>>
>>  I'm not looking for a fight, but I feel like I have to keep justifying
>> myself after you appear to be so angry with me, and the rest of us, who
>> turn to you for enlightenment.  You're carrying the entire weight of this
>> project on your shoulders.  It's a lot, I know.  Can we move on and have a
>> reasonable discussion here?
>>
>> Is there a reason that MaxAllowedDups shouldn't also apply to the notspam
>> collection?   Shouldn't we want that to be the case for the same reason
>> that we have it for spam?   Maybe also to the errors collections?
>>
>> If we don't, wouldn't the case where a staff member sends the same basic
>> message to 5000 people (against my wishes, but I can't control everything)
>> that'll take 1/3 of the other notspam messages out of the rebuild
>> processes?  How about if 20k messages are sent?
>>
>> Maybe I'm just not understanding, and that's why I'm asking, but I hope it
>> doesn't result in any more scolding.
>>
>> Thank you
>>
>>
>> On Thu, Mar 10, 2016 at 4:15 AM, Thomas Eckardt
>> <thomas.ecka...@thockar.com>
>> wrote:
>>
>> > >There are about 600 of those files in NotSpam.
>> >
>> > 'MaxAllowedDups','Max Number of Duplicate File Names'
>> >   'The maximum number of logged files with the same filename (subject)
>> > that are stored in the spam folder (spamlog),
>> >
>> > I'll write in Hebrew - possibly the English is better, if you translate
>> > it back to English.
>> >
>> > Thomas
>> >
>> >
>> >
>> > From: K Post <nntp.p...@gmail.com>
>> > To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>> > Date:  10.03

Re: [Assp-test] fixes in assp 2.4.8 build 16074

2016-03-14 Thread K Post
can't wait to try this!  THANK YOU.

On Mon, Mar 14, 2016 at 1:42 PM, Thomas Eckardt 
wrote:

> Hi all,
>
> fixed in assp 2.4.8 build 16074:
>
> added:
>
> - the Perl module Email::MIME is currently not able to process (decode)
> RFC2231 encoded MIME-header-lines like
>
> Content-Type: application/x-msdownload;
>  name*0*="us-ascii'en-en'attached%2E";
>  name*1*="%62";
>  name*2=at
>
> (attached.bat) and
>
> =?us-ascii*en-en?Q?text?=
>
>   - this makes it impossible to detect attachment filenames, if they are
> encoded this way!
>
>   ASSP now provides the decoding of these special cases of MIME-header
> encoding.
>   The language encodings like 'en-en' are ignored for now in both cases of
> encoding, because they are
>   not used by assp in any filter mechanism.
>   Notice: the defined character set in those encodings, is only used to
> decode the header tag,
>   it can't be detected by 'bombCharSets' - but by all other bomb
> regular expressions
>
>
> Thomas
>

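The two header encodings named in the build 16074 announcement above, decoded and then checked against a blocked-extension list, as an added example (not ASSP's code or its Perl implementation). `BLOCKED_EXT` is a subset of the Level 1 list quoted in the attachment-blocking thread; the function names and the extra test inputs are constructed for illustration.

```python
import base64
import quopri
import re
from urllib.parse import unquote_to_bytes

# Subset of the Level 1 extension list quoted in the attachment-blocking thread.
BLOCKED_EXT = {"bat", "cmd", "com", "dll", "exe", "js", "scr", "vbs"}

# The Content-Type value from the announcement, kept folded as it was posted.
SAMPLE = ("application/x-msdownload;\n"
          " name*0*=\"us-ascii'en-en'attached%2E\";\n"
          " name*1*=\"%62\";\n"
          " name*2=at")

# name, optional section index (*0), optional extended marker (*), value
PARAM = re.compile(r';\s*([^\s=;*]+)(?:\*(\d+))?(\*)?\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]*)')
# RFC 2047 encoded-word with the RFC 2231 "*language" suffix on the charset
ENCODED_WORD = re.compile(r"=\?([^?*]+)(?:\*[^?]*)?\?([QqBb])\?([^?]*)\?=")


def _decode(data, charset):
    try:
        return data.decode(charset, "replace")
    except LookupError:              # unknown charset label
        return data.decode("latin-1")


def rfc2231_params(header_value):
    """Join name*0, name*1, ... sections and percent-decode extended ones."""
    sections = {}
    for m in PARAM.finditer(header_value):
        name, index, extended, raw = m.group(1).lower(), m.group(2), m.group(3), m.group(4)
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        sections.setdefault(name, {})[int(index or 0)] = (bool(extended), raw)
    params = {}
    for name, parts in sections.items():
        charset, data = "us-ascii", b""
        for i in sorted(parts):
            extended, raw = parts[i]
            if extended and i == 0 and raw.count("'") >= 2:
                # first section carries charset'language'value; language is ignored
                label, _language, raw = raw.split("'", 2)
                charset = label or charset
            data += unquote_to_bytes(raw) if extended else raw.encode("latin-1", "replace")
        params[name] = _decode(data, charset)
    return params


def decode_encoded_words(text):
    """Decode =?charset*lang?Q|B?payload?= words; leave malformed ones as-is."""
    def repl(m):
        charset, enc, payload = m.group(1), m.group(2).upper(), m.group(3)
        blob = payload.encode("ascii", "ignore")
        try:
            if enc == "B":
                data = base64.b64decode(blob + b"=" * (-len(blob) % 4))
            else:
                data = quopri.decodestring(blob, header=True)
        except ValueError:
            return m.group(0)
        return _decode(data, charset)
    return ENCODED_WORD.sub(repl, text)


def attachment_name(header_value):
    params = rfc2231_params(header_value)
    return decode_encoded_words(params.get("filename") or params.get("name") or "")


def is_blocked(header_value):
    """True if the decoded filename ends in a blocked extension."""
    name = attachment_name(header_value).strip().rstrip(". ")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in BLOCKED_EXT


if __name__ == "__main__":
    print(attachment_name(SAMPLE), is_blocked(SAMPLE))
```

A filter that matches extensions on the raw header text sees only `attached%2E`, `%62` and `at`; the check has to run on the joined, decoded name.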

Re: [Assp-test] ASSP Outlook Ribbon Shortcuts 2013

2016-03-14 Thread K Post
Right, but I'm asking you before asking the author (or changing myself) -
in Outlook, the proper way to send a spam/notspam report is to forward the
message as an attachment right?

(and fyi, when I do that the report works, but the admin notification
indicates that there wasn't really any info sent over - the file in the
corpus is fine though - has been this way for a long time)

On Sun, Mar 13, 2016 at 4:29 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> contact the author
>
> http://assp.sourceforge.net/forum/viewtopic.php?f=8=2795
>
> Thomas
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 12.03.2016 18:05
> Subject: [Assp-test] ASSP Outlook Ribbon Shortcuts 2013
>
>
>
> Saw the Outlook module code that is posted as SF.
>
> I haven't tried it yet, but should we be forwarding as an attachment to
> send all of the headers?
>


Re: [Assp-test] Attachment blocking and ClamAV suspicious only

2016-03-14 Thread K Post
EXCELLENT - didn't see suspicious virus setting. Thanks

On Sun, Mar 13, 2016 at 6:49 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> >Is there a way to tell ClamAV or ASSP to reject even suspicious files?
>
> ClamAV only detects OK and FAILED (+ result string) - the result is
> processed by assp.
>
> 'vsValencePB'
>
> RTFM:
>
> 'SuspiciousVirus'   It is possible to weight such results.
>
>
> Thomas
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 12.03.2016 20:16
> Subject: [Assp-test] Attachment blocking and ClamAV suspicious only
>
>
>
> 2 questions:
>
> 1) I've been doing some ClamAV testing.  It mostly works, but I've also
> seen:
> [VIRUS][scoring] 149.202.232.193 <securitych...@emailsecuritycheck.net>
> to:
> virust...@ourdomain.org 'Eicar-Test-Signature' passing the virus check
> because of only suspicious virus 'Eicar'
>
> Is there a way to tell ClamAV or ASSP to reject even suspicious files?
>
>
> 2) I've got Level 1 blocking set using
>
> exe-bin|url|ade|adp|asx|bas|bat|dot|dotx|xlt|xlts|bin|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|htb|inf|ifs|isp|js|jse|lnk|mda|mdb|mde|mdz|mht|msc|msi|msp|mst|nch|pcd|pif|prf|ps1|reg|scf|scr|sct|shb|shs|vb|vbe|vbs|vba|wms|wsc|wsh
>
> Everything I've tested is blocked with the exception of DLL files and I
> can't for the life of me figure out why.  Any ideas?
>
> Thanks
> Ken
>


Re: [Assp-test] Attachment blocking and ClamAV suspicious only

2016-03-12 Thread K Post
Also, testing here: http://www.emailsecuritycheck.net/index.html

test 2, which is the eicar executable inside of a zip, gets through (but
caught by our Exchange servers) - shouldn't Clamd catch this with ASSP_AFC?
  DoASSP_AFC is enabled, do both, decompression level set to 12.

test 5, which is a text file but with a dll extension, gets through too.
clamav shouldn't catch this since the text file doesn't contain the
eicar test string, but shouldn't the file extension be enough to block it?
I know that renaming an exe to txt won't let it through, but does renaming
a txt to exe (other way around) allow the file through??




On Sat, Mar 12, 2016 at 2:14 PM, K Post <nntp.p...@gmail.com> wrote:

> 2 questions:
>
> 1) I've been doing some ClamAV testing.  It mostly works, but I've also
> seen:
> [VIRUS][scoring] 149.202.232.193 <securitych...@emailsecuritycheck.net>
> to: virust...@ourdomain.org 'Eicar-Test-Signature' passing the virus
> check because of only suspicious virus 'Eicar'
>
> Is there a way to tell ClamAV or ASSP to reject even suspicious files?
>
>
> 2) I've got Level 1 blocking set using
>
> exe-bin|url|ade|adp|asx|bas|bat|dot|dotx|xlt|xlts|bin|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|htb|inf|ifs|isp|js|jse|lnk|mda|mdb|mde|mdz|mht|msc|msi|msp|mst|nch|pcd|pif|prf|ps1|reg|scf|scr|sct|shb|shs|vb|vbe|vbs|vba|wms|wsc|wsh
>
> Everything I've tested is blocked with the exception of DLL files and I
> can't for the life of me figure out why.  Any ideas?
>
> Thanks
> Ken
>
>


[Assp-test] Attachment blocking and ClamAV suspicious only

2016-03-12 Thread K Post
2 questions:

1) I've been doing some ClamAV testing.  It mostly works, but I've also
seen:
[VIRUS][scoring] 149.202.232.193 <securitych...@emailsecuritycheck.net> to:
virust...@ourdomain.org 'Eicar-Test-Signature' passing the virus check
because of only suspicious virus 'Eicar'

Is there a way to tell ClamAV or ASSP to reject even suspicious files?


2) I've got Level 1 blocking set using
exe-bin|url|ade|adp|asx|bas|bat|dot|dotx|xlt|xlts|bin|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|htb|inf|ifs|isp|js|jse|lnk|mda|mdb|mde|mdz|mht|msc|msi|msp|mst|nch|pcd|pif|prf|ps1|reg|scf|scr|sct|shb|shs|vb|vbe|vbs|vba|wms|wsc|wsh

Everything I've tested is blocked with the exception of DLL files and I
can't for the life of me figure out why.  Any ideas?

Thanks
Ken
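An added example, not ASSP's code and not from any poster in this thread: it checks attachment names against the Level 1 extension list posted above, and shows why the names have to be MIME-decoded first, as the release note quoted earlier on this page says. It assumes the encoding meant there is RFC 2231 parameter encoding (plus RFC 2047 encoded-words); the sample message, the function names, and the omission of `exe-bin` (not a file extension) are constructed for the example.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Level 1 list as posted in the thread. 'exe-bin' is left out: it is not a
# file extension and its handling by ASSP is not described on this page.
LEVEL1 = ("url|ade|adp|asx|bas|bat|dot|dotx|xlt|xlts|bin|chm|cmd|com|cpl|crt|"
          "dbx|dll|exe|hlp|hta|htb|inf|ifs|isp|js|jse|lnk|mda|mdb|mde|mdz|mht|"
          "msc|msi|msp|mst|nch|pcd|pif|prf|ps1|reg|scf|scr|sct|shb|shs|vb|vbe|"
          "vbs|vba|wms|wsc|wsh")
BLOCKED_EXT = re.compile(r"\.(?:%s)$" % LEVEL1, re.IGNORECASE)

# Constructed sample: four attachments, three of them with encoded names.
SAMPLE = """\
From: sender@example.test
To: rcpt@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

body
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.pdf"

x
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=utf-8'en-en'invoice%2Edll

x
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*0*=utf-8'en-en'upd%C3%A4te; filename*1*=%2Eex; filename*2="e"

x
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="=?utf-8?B?c2V0dXAuc2Ny?="

x
--b1--
"""


def is_blocked(name):
    """True if the name ends in a Level 1 extension.

    Trailing dots and spaces are dropped first, because Windows ignores
    them when the file is saved ('a.dll.' is written as 'a.dll').
    """
    return bool(BLOCKED_EXT.search(name.strip().rstrip(". ")))


def naive_blocked(raw):
    """Match filename="..." in the raw text without any MIME decoding."""
    names = re.findall(r'filename="?([^";\r\n]+)', raw)
    return [n for n in names if is_blocked(n)]


def attachment_names(raw):
    """Return every attachment name, fully decoded."""
    names = []
    for part in message_from_string(raw).walk():
        # get_filename() joins RFC 2231 continuations (filename*0*, *1*, ...),
        # undoes the percent-encoding and applies the declared charset; the
        # language tag ('en-en') is parsed but not used.
        name = part.get_filename()
        if name is None:
            continue
        if "=?" in name:  # RFC 2047 encoded-word inside the parameter
            name = str(make_header(decode_header(name)))
        names.append(name)
    return names


def decoded_blocked(raw):
    """Names that hit the extension list after decoding."""
    return [n for n in attachment_names(raw) if is_blocked(n)]


if __name__ == "__main__":
    print("raw-text match :", naive_blocked(SAMPLE))
    print("decoded match  :", decoded_blocked(SAMPLE))
```
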


[Assp-test] ASSP Outlook Ribbon Shortcuts 2013

2016-03-12 Thread K Post
Saw the Outlook module code that is posted as SF.

I haven't tried it yet, but should we be forwarding as an attachment to
send all of the headers?


Re: [Assp-test] Conditional DNS Forwarders

2016-03-10 Thread K Post
-bump-

On Tue, Mar 8, 2016 at 10:12 AM, K Post <nntp.p...@gmail.com> wrote:

> Another thought:  Would it make any sense for ASSP to have 2 sets of DNS
> servers, with the second set (optional) being used for those services that
> would not work well with a dns server that forwards?  Then we could use a
> fast DNS server (for us internal) that forwards for general lookups and an
> internal non-forwarding server which has to look to root hints and not
> forward for all of the other queries.
>
> I think I can fake this by modifying the DNS servers that we use, but my
> proposal would be a generic feature for all.
>
> Just a thought. Interested in your opinions.
>
>
> On Mon, Mar 7, 2016 at 4:59 PM, K Post <nntp.p...@gmail.com> wrote:
>
>> I know that running ASSP pointing to dns servers that use forwarding is
>> HIGHLY discouraged, and I understand why.
>>
>> For performance reasons, I'd like to start using forwarders on our 3
>> internal dns servers (the same servers that ASSP uses).  Other than for
>> ASSP, forwarders would be quite beneficial, and I think for general
>> queries, like looking for ptr, a, and mx records, forwarders would be good
>> for ASSP too.
>>
>> Our Windows DNS servers allow for *conditional* forwarding where certain
>> queries can be directed to a specific group of servers.  My idea is to turn
>> forwarding on for our servers (probably to google's public DNS servers
>> which seem VERY fast and reliable) but then turn on conditional forwarding
>> to those queries that ASSP uses where conditional forwarding would cause a
>> problem (Senderbase and Realtime Blacklist for example) to point to a new
>> 4th DNS server that doesn't use forwarding and instead looks to the root
>> DNS servers.  That's essentially turning off forwarding for the specified
>> requests.  If that 4th server goes down or doesn't respond, then forwarders
>> would be used until it's restored.
>>
>>
>> So for example:
>> Anything querying a senderbase.org hostname would look to our new
>> internal dns server x.x.x.x that doesn't forward, as would whatever the RWL
>> lookups,
>>
>> I know I'd need to do this at a minimum for Senderbase,
>> RBLServiceProviders, URIBLServiceProvider
>>
>> How about the whois lookups?
>> "ARIN" => "whois.arin.net"
>> "RIPE" => "whois.ripe.net"
>> "APNIC" => "whois.apnic.net"
>> "KRNIC" => "whois.krnic.net"
>> "LACNIC" => "whois.lacnic.net"
>> "AFRINIC" => "whois.afrinic.net"
>>
>> Did I miss any services?
>>
>> *And most importantly, I'd love to get community feedback whether this is
>> a good idea or not.*
>>
>> Thanks
>> Ken
>>
>>
>>
>>
>>
>


Re: [Assp-test] Max Number Duplicate File Names

2016-03-10 Thread K Post
Isn't that exact same logic an argument for having the maximum number of
duplicate subjects apply to the HAM / notspam folder too?  5000 or 15000 of
the same message sent individually by (untrainable / apathetic) users would
fill the notspam folder and mess up HMM / Bayesian right?

And for those RE / FWD / No subject emails, maybe we could have ASSP ignore
subjects shorter than say 5 or 6 characters when deleting duplicate file
names?  Then those files could get wiped out oldest first during the
maintenance.


On Thu, Mar 10, 2016 at 11:18 AM, Thomas Eckardt <thomas.ecka...@thockar.com
> wrote:

> Just think about the logic behind Bayesian and HMM - this will answer your
> question.
>
> Having the same mail in the spam folder multiple times, this will score
> the content to extreme spam heavy, even your users are using the same
> content - but less often.
>
> Thomas
>
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 10.03.2016 16:58
> Subject: Re: [Assp-test] Max Number Duplicate File Names
>
>
>
> I know you're all RTFM, but there's plenty of places in the GUI where the
> description isn't exactly clear or right.  For example
>
> MaxFiles
> If you're not using subjects as file names ( UseSubjectsAsMaillogNames ),
> this is the maximum number of files to keep in each collection (spam &
> nonspam)
> It's actually less than this -- files get a random number between 1 and
> MaxFiles.
>
> I AM using file names and MaxFiles DOES control the maximum number of files
> in each collection, despite what the description says when
> MaintBayesCollection is on and no max age is set. The language is not clear
> and that makes us assume things, sometimes incorrectly, about what the GUI
> really means.  We've been working this way since ASSP came out.  Because of
> this, I had no way of knowing that MaxAllowedDups >really< only applied to
> the spam collection.  I assumed the GUI meant the whole log of spam and
> NOTspam.  I don't think that's an unreasonable assumption, or call it an
> oversight, or a mistake on my part - but none of that justifies an angry
> sounding response from you.
>
>  I'm not looking for a fight, but I feel like I have to keep justifying
> myself after you appear to be so angry with me, and the rest of us, who
> turn to you for enlightenment.  You're carrying the entire weight of this
> project on your shoulders.  It's a lot, I know.  Can we move on and have a
> reasonable discussion here?
>
> Is there a reason that MaxAllowedDups shouldn't also apply to the notspam
> collection?   Shouldn't we want that to be the case for the same reason
> that we have it for spam?   Maybe also to the errors collections?
>
> If we don't, wouldn't the case where a staff member sends the same basic
> message to 5000 people (against my wishes, but I can't control everything)
> that'll take 1/3 of the other notspam messages out of the rebuild
> processes?  How about if 20k messages are sent?
>
> Maybe I'm just not understanding, and that's why I'm asking, but I hope it
> doesn't result in any more scolding.
>
> Thank you
>
>
> On Thu, Mar 10, 2016 at 4:15 AM, Thomas Eckardt
> <thomas.ecka...@thockar.com>
> wrote:
>
> > >There are about 600 of those files in NotSpam.
> >
> > 'MaxAllowedDups','Max Number of Duplicate File Names'
> >   'The maximum number of logged files with the same filename (subject)
> > that are stored in the spam folder (spamlog),
> >
> > I'll write in Hebrew - possibly the english is better, if you translate it
> > back to english.
> >
> > Thomas
> >
> >
> >
> > From: K Post <nntp.p...@gmail.com>
> > To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> > Date: 10.03.2016 00:29
> > Subject: [Assp-test] Max Number Duplicate File Names
> >
> >
> >
> > I've got UseSubjectAsMaillogNames checked (the messages are stored in the
> > folders using the subject name followed by a 6 digit number as expected)
> >
> > I've got MaxAllowedDups set to 3
> >
> > MaxBayesFileAge is 0
> > MaxFiles is 15000
> >
> > I'm noticing that MaxAllowedDups doesn't seem to be working.
> >
> > For example, a couple users often send emails with the subject
> > "Your Donation Receipt"
> > There are about 600 of those files in NotSpam.
> > Your_Donation_Receipt--123456.txt
> > where 123456 is a random differing number.
> >
> > Shouldn't only 3 of these files exist in the folder (with the exception of

Re: [Assp-test] ASSP_AFC Priority

2016-03-10 Thread K Post
Thanks

The double slash is MY doing fyi.  I have assp running in a different
folder (d:\assp-antispam) and didn't want to confuse anything in my
report.  When I edited the warning, I inadvertently added the extra slash.
It was fine in the warning itself.

On Thu, Mar 10, 2016 at 4:35 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> >located at c:/assp/Plugins/ASSP_AFC.pm
> >located at c:/assp//Plugins/ASSP_AFC.pm
>
> This will be fixed in the next release.
>
> Thomas
>
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 09.03.2016 23:32
> Subject: [Assp-test] ASSP_AFC Priority
>
>
>
> The only plugin I use is the ASSP_AFC plugin.
>
> I had the priority set to the default of 6.
>
> I just got this warning:
> Mar-09-16 17:20:07 ERROR: runlevel 'complete mail' - priority 8, requested
> by Plugin 'ASSP_AFC' (located at c:/assp/Plugins/ASSP_AFC.pm), is already
> occupied by Plugin 'ASSP_AFC' (located at c:/assp//Plugins/ASSP_AFC.pm)
>
> Priority 8 sounded wrong, so I went to the gui and it's showing a priority
> of NINE.
>
> Any idea how this could have happened?
>
> And if I'm reading the error right, ASSP_AFC isn't happy that its priority
> level is being used by itself??
>


Re: [Assp-test] Max Number Duplicate File Names

2016-03-10 Thread K Post
I know you're all RTFM, but there's plenty of places in the GUI where the
description isn't exactly clear or right.  For example

MaxFiles
If you're not using subjects as file names ( UseSubjectsAsMaillogNames ),
this is the maximum number of files to keep in each collection (spam &
nonspam)
It's actually less than this -- files get a random number between 1 and
MaxFiles.

I AM using file names and MaxFiles DOES control the maximum number of files
in each collection, despite what the description says when
MaintBayesCollection is on and no max age is set. The language is not clear
and that makes us assume things, sometimes incorrectly, about what the GUI
really means.  We've been working this way since ASSP came out.  Because of
this, I had no way of knowing that MaxAllowedDups >really< only applied to
the spam collection.  I assumed the GUI meant the whole log of spam and
NOTspam.  I don't think that's an unreasonable assumption, or call it an
oversight, or a mistake on my part - but none of that justifies an angry
sounding response from you.

 I'm not looking for a fight, but I feel like I have to keep justifying
myself after you appear to be so angry with me, and the rest of us, who
turn to you for enlightenment.  You're carrying the entire weight of this
project on your shoulders.  It's a lot, I know.  Can we move on and have a
reasonable discussion here?

Is there a reason that MaxAllowedDups shouldn't also apply to the notspam
collection?   Shouldn't we want that to be the case for the same reason
that we have it for spam?   Maybe also to the errors collections?

If we don't, wouldn't the case where a staff member sends the same basic
message to 5000 people (against my wishes, but I can't control everything)
that'll take 1/3 of the other notspam messages out of the rebuild
processes?  How about if 20k messages are sent?

Maybe I'm just not understanding, and that's why I'm asking, but I hope it
doesn't result in any more scolding.

Thank you


On Thu, Mar 10, 2016 at 4:15 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> >There are about 600 of those files in NotSpam.
>
> 'MaxAllowedDups','Max Number of Duplicate File Names'
>   'The maximum number of logged files with the same filename (subject)
> that are stored in the spam folder (spamlog),
>
> I'll write in Hebrew - possibly the english is better, if you translate it
> back to english.
>
> Thomas
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 10.03.2016 00:29
> Subject: [Assp-test] Max Number Duplicate File Names
>
>
>
> I've got UseSubjectAsMaillogNames checked (the messages are stored in the
> folders using the subject name followed by a 6 digit number as expected)
>
> I've got MaxAllowedDups set to 3
>
> MaxBayesFileAge is 0
> MaxFiles is 15000
>
> I'm noticing that MaxAllowedDups doesn't seem to be working.
>
> For example, a couple users often send emails with the subject
> "Your Donation Receipt"
> There are about 600 of those files in NotSpam.
> Your_Donation_Receipt--123456.txt
> where 123456 is a random differing number.
>
> Shouldn't only 3 of these files exist in the folder (with the exception of
> those that were sent since the rebuild / maintenance window)?
>
> Thanks
>

[Assp-test] Max Number Duplicate File Names

2016-03-09 Thread K Post
I've got UseSubjectAsMaillogNames checked (the messages are stored in the
folders using the subject name followed by a 6 digit number as expected)

I've got MaxAllowedDups set to 3

MaxBayesFileAge is 0
MaxFiles is 15000

I'm noticing that MaxAllowedDups doesn't seem to be working.

For example, a couple users often send emails with the subject
"Your Donation Receipt"
There are about 600 of those files in NotSpam.
Your_Donation_Receipt--123456.txt
where 123456 is a random differing number.

Shouldn't only 3 of these files exist in the folder (with the exception of
those that were sent since the rebuild / maintenance window)?

Thanks


[Assp-test] ASSP_AFC Priority

2016-03-09 Thread K Post
The only plugin I use is the ASSP_AFC plugin.

I had the priority set to the default of 6.

I just got this warning:
Mar-09-16 17:20:07 ERROR: runlevel 'complete mail' - priority 8, requested
by Plugin 'ASSP_AFC' (located at c:/assp/Plugins/ASSP_AFC.pm), is already
occupied by Plugin 'ASSP_AFC' (located at c:/assp//Plugins/ASSP_AFC.pm)

Priority 8 sounded wrong, so I went to the gui and it's showing a priority
of NINE.

Any idea how this could have happened?

And if I'm reading the error right, ASSP_AFC isn't happy that its priority
level is being used by itself??


Re: [Assp-test] Conditional DNS Forwarders

2016-03-08 Thread K Post
Another thought:  Would it make any sense for ASSP to have 2 sets of DNS
servers, with the second set (optional) being used for those services that
would not work well with a dns server that forwards?  Then we could use a
fast DNS server (for us internal) that forwards for general lookups and an
internal non-forwarding server which has to look to root hints and not
forward for all of the other queries.

I think I can fake this by modifying the DNS servers that we use, but my
proposal would be a generic feature for all.

Just a thought. Interested in your opinions.


On Mon, Mar 7, 2016 at 4:59 PM, K Post <nntp.p...@gmail.com> wrote:

> I know that running ASSP pointing to dns servers that use forwarding is
> HIGHLY discouraged, and I understand why.
>
> For performance reasons, I'd like to start using forwarders on our 3
> internal dns servers (the same servers that ASSP uses).  Other than for
> ASSP, forwarders would be quite beneficial, and I think for general
> queries, like looking for ptr, a, and mx records, forwarders would be good
> for ASSP too.
>
> Our Windows DNS servers allow for *conditional* forwarding where certain
> queries can be directed to a specific group of servers.  My idea is to turn
> forwarding on for our servers (probably to google's public DNS servers
> which seem VERY fast and reliable) but then turn on conditional forwarding
> to those queries that ASSP uses where conditional forwarding would cause a
> problem (Senderbase and Realtime Blacklist for example) to point to a new
> 4th DNS server that doesn't use forwarding and instead looks to the root
> DNS servers.  That's essentially turning off forwarding for the specified
> requests.  If that 4th server goes down or doesn't respond, then forwarders
> would be used until it's restored.
>
>
> So for example:
> Anything querying a senderbase.org hostname would look to our new
> internal dns server x.x.x.x that doesn't forward, as would whatever the RWL
> lookups,
>
> I know I'd need to do this at a minimum for Senderbase,
> RBLServiceProviders, URIBLServiceProvider
>
> How about the whois lookups?
> "ARIN" => "whois.arin.net"
> "RIPE" => "whois.ripe.net"
> "APNIC" => "whois.apnic.net"
> "KRNIC" => "whois.krnic.net"
> "LACNIC" => "whois.lacnic.net"
> "AFRINIC" => "whois.afrinic.net"
>
> Did I miss any services?
>
> *And most importantly, I'd love to get community feedback whether this is
> a good idea or not.*
>
> Thanks
> Ken
>
>
>
>
>


[Assp-test] Conditional DNS Forwarders

2016-03-08 Thread K Post
I know that running ASSP pointing to dns servers that use forwarding is
HIGHLY discouraged, and I understand why.

For performance reasons, I'd like to start using forwarders on our 3
internal dns servers (the same servers that ASSP uses).  Other than for
ASSP, forwarders would be quite beneficial, and I think for general
queries, like looking for ptr, a, and mx records, forwarders would be good
for ASSP too.

Our Windows DNS servers allow for *conditional* forwarding where certain
queries can be directed to a specific group of servers.  My idea is to turn
forwarding on for our servers (probably to google's public DNS servers
which seem VERY fast and reliable) but then turn on conditional forwarding
to those queries that ASSP uses where conditional forwarding would cause a
problem (Senderbase and Realtime Blacklist for example) to point to a new
4th DNS server that doesn't use forwarding and instead looks to the root
DNS servers.  That's essentially turning off forwarding for the specified
requests.  If that 4th server goes down or doesn't respond, then forwarders
would be used until it's restored.


So for example:
Anything querying a senderbase.org hostname would look to our new internal
dns server x.x.x.x that doesn't forward, as would whatever the RWL lookups,

I know I'd need to do this at a minimum for Senderbase,
RBLServiceProviders, URIBLServiceProvider

How about the whois lookups?
"ARIN" => "whois.arin.net"
"RIPE" => "whois.ripe.net"
"APNIC" => "whois.apnic.net"
"KRNIC" => "whois.krnic.net"
"LACNIC" => "whois.lacnic.net"
"AFRINIC" => "whois.afrinic.net"

Did I miss any services?

*And most importantly, I'd love to get community feedback whether this is a
good idea or not.*

Thanks
Ken


[Assp-test] Warning: Main_Thread found socket without SocketCalls - please report!

2016-03-08 Thread K Post
Went to load up the GUI and it was very slow and ultimately timed out.  I
then saw this:

Mar-07-16 16:43:16 Warning: Main_Thread found socket without SocketCalls -
please report!

So I'm reporting as requested.  v. 16060 on windows


[Assp-test] warning: try to terminate inactive/stuck Worker_

2016-03-04 Thread K Post
Since whatever version was before 16036, and still with 16060, I'm seeing
messages like

*warning: try to terminate inactive/stuck Worker_3* a couple of times a day.

It was pretty bad with the version before 16036, but is much better with
16060.

Info: Loop in Worker_3 was not active for 181 seconds

Mar-04-16 14:48:11 Info: Worker_3 : last sigoff in main, c:\assp\assp.pl,
24872, main::SPFok_Run, 1, , , at 16-4-2 14:45:11 1457120711.10927 - 24981

Mar-04-16 14:48:11 Info: Worker_3 : last sigon in main, c:\assp\assp.pl,
26248, main::RWLok_Run, 1, , , at 16-4-2 14:45:11 1457120711.09619 - 26310

Mar-04-16 14:48:11 Info: Worker_3 : last action was : SPF2


Re: [Assp-test] OpenSSL 1.0.2g - update to Net:SSLeay?

2016-03-02 Thread K Post
I'll answer some of my own question.
I got 1.0.2g to be used by ASSP via the Net::SSLeay module.   OpenSSL-lib
1.0.2g 1 Mar 2016

It looks like ActiveState updated their repository right away (March 1)
http://www.activestate.com/blog/2016/03/perl-modules-updated-openssl-102g

All it took was firing up PPM and flagging Net:SSLeay for a reinstallation.
 (that actually didn't work, but removing it and then installing again
did).  It's still v1.72 of the package, but the dll in
site/lib/auto/net/ssleay has been updated.


So it looks like we are at the mercy of the repositories to update
net::ssleay (really the DLL that goes with it).

On Wed, Mar 2, 2016 at 11:28 AM, K Post <nntp.p...@gmail.com> wrote:

>
> Back in January, I was able to get ASSP on my Windows machine to report
> OpenSSL 1.0.2c by removing Net::SSLeay and reinstalling it using
> ActiveState's ppm.
>
> Overnight, OpenSSL released 1.0.2g which plugs the DROWN vulnerability.
>
> In previous discussions, I've been told that Net::SSLeay installs its own
> ssleay.dll.  I believe this is the file that I see in
> perl/site/lib/auto/net/ssleay
>
> Now that 1.0.2g is out, do I need to wait for a new version of Net::SSLeay
> to be published, is that recommended, or is there an alternative?
>
> Shining Light's openssl distribution (
> https://slproweb.com/products/Win32OpenSSL.html) installs an SSLeay*32*.dll
> into its installation folder, but that's 1/10 the size of the ssleay.dll -
> and I've been told previously that net::ssleay is independent from the
> Windows binary installation.
>
> Further confusing me is that ActiveState's ppm says that v1.72 of
> Net::SSLeay uses 1.0.2a, but I have 1.0.2c being reported by ASSP in info
> stats and in the log at startup.
>
> Insight would be appreciated.
>


[Assp-test] OpenSSL 1.0.2g - update to Net:SSLeay?

2016-03-02 Thread K Post
Back in January, I was able to get ASSP on my Windows machine to report
OpenSSL 1.0.2c by removing Net::SSLeay and reinstalling it using
ActiveState's ppm.

Overnight, OpenSSL released 1.0.2g which plugs the DROWN vulnerability.

In previous discussions, I've been told that Net::SSLeay installs its own
ssleay.dll.  I believe this is the file that I see in
perl/site/lib/auto/net/ssleay

Now that 1.0.2g is out, do I need to wait for a new version of Net::SSLeay
to be published, is that recommended, or is there an alternative?

Shining Light's openssl distribution (
https://slproweb.com/products/Win32OpenSSL.html) installs an SSLeay*32*.dll
into its installation folder, but that's 1/10 the size of the ssleay.dll -
and I've been told previously that net::ssleay is independent from the
Windows binary installation.

Further confusing me is that ActiveState's ppm says that v1.72 of
Net::SSLeay uses 1.0.2a, but I have 1.0.2c being reported by ASSP in info
stats and in the log at startup.

Insight would be appreciated.


Re: [Assp-test] can't find a name server registration

2016-02-23 Thread K Post
Seeing this again.  This time:
Warning: can't find a name server registration for the sender domain 'co.dodge.wi.us' - all DNS queries will be skipped!

It seems that 99% of the time it's a long city / county domain name like
co.dodge.wi.us, ci.wilsonville.or.us, co.geauga.oh.us and co.delaware.pa.us

Thomas, any ideas?


On Mon, Feb 1, 2016 at 3:47 PM, K Post <nntp.p...@gmail.com> wrote:

> At least it's not just me.
>
> James - FYI, you definitely don't want to use public DNS servers for ASSP
> - too slow and more importantly you could have trouble with things like
> DNSBL, senderbase, etc where it's limited to a certain number of queries
> per IP.
>
> On Mon, Feb 1, 2016 at 2:36 PM, James Moe <ji...@sohnen-moe.com> wrote:
>
>> On 01/29/2016 11:10 AM, K Post wrote:
>> > I see this on occasion:
>> >
>>   ASSP version 2.4.5(15334)
>>   I have the same problem.
>>
>>
>> 2016-02-01 08:32:24 Warning: Name Server 205.171.3.65: does not
>> respond or timed out
>> 2016-02-01 08:32:24 Warning: Name Server 8.8.8.8: does not respond or
>> timed out
>> 2016-02-01 08:33:24 Warning: Name Server 127.0.0.1: does not respond
>> or timed out
>> 2016-02-01 08:33:24 Warning: Name Server 205.171.3.65: does not
>> respond or timed out
>> 2016-02-01 08:33:24 Warning: Name Server 8.8.8.8: does not respond or
>> timed out
>> 2016-02-01 09:32:49 Warning: Name Server 205.171.3.65: does not
>> respond or timed out
>> 2016-02-01 11:15:27 Warning: can't find a name server registration for
>> the sender domain 'mktg.actonsoftware.com' - all DNS queries will be
>> skipped!
>>
>>
>> - --
>> James Moe
>> moe dot james at sohnen-moe dot com
>> 520.743.3936
>
>


Re: [Assp-test] Unexpected SEGV - v16036, Line 38599

2016-02-22 Thread K Post
about 24 hours after completely blanking that whitere file, the problems
remain gone.  GREAT.  I still don't understand why that would have all of a
sudden started the problem, but it's resolved I guess...

On Sun, Feb 21, 2016 at 10:58 AM, K Post <nntp.p...@gmail.com> wrote:

> I killed the WhiteRe completely since most of them are old.
> I've restarted, and so far so good, BUT it seems to take a while after
> restart for the warnings to start, which I further don't understand.
> What's really strange is that the WhiteRe hasn't changed for a really long
> time.  No idea why this suddenly started happening, but hopefully just
> ditching them altogether will fix the errors/warnings.  When I saw this
> last night, what I'm really baffled by is that things would be okay for a
> while after restart, say an hour or two, and then the warnings / stuck will
> start and continue.
>
> FYI
> The \from \to came from you years ago as a suggestion.  It was well before
> SPF handling and was for a very specific email.  Now, I'm looking more
> generally:
>
> Might there be a negative scoring that I could add to bombre for a
> specific subdomain of ours here that I could use to give a bonus couple of
> points to any mail from whatever@[domain].ext that comes to [domain]@
> oursub.ourdomain.org?
> For example, if mail is from *RedCross*.org to 249058619899@
> sub.ourdomain.org give it -10 to help it eke by as Mail OK when it might
> have had a score that would have otherwise made it scored as spam.  Most of
> the erroneously rejected mails are mails like this.  That's sort of what
> the cnn filter in the whitere was intended for, but I don't need it to be
> white, just reduce the score.  I don't want something if you think it'll be
> too cpu intensive though.
>
> The key here is that this subdomain is set up as a wildcard alias.  It goes
> to a group of users and those users are free to use the [whatever]@
> sub.ourdomain.org online with whomever they see fit.  That lets us track
> email usage and know when a specific email address has been sold to another
> entity or stolen (and then set a rule to reject those messages).
>
>
>
>
>
> Is there a trick
>
> On Sun, Feb 21, 2016 at 10:31 AM, Thomas Eckardt <
> thomas.ecka...@thockar.com> wrote:
>
>> Google Alert - victim(?:s)(?:')? help
>> Google Alert - human trafficing
>> #
>> # from cnn to our cnn@ourdomain account
>> \nfrom:[^\r\n]+?\@cnn\.com.+?\nto:[^\r\n]+?c\@ourdomain
>> \nto:[^\r\n]+?cnn\@ourdomain.+?\nfrom:[^\r\n]+?\@cnn\.com
>> #
>> HelpDaily
>>
>> ..
>>
>> Google Alert - victim(?:s)(?:')? help
>> better use
>> Google Alert - victims'? help
>>
>> both lines '\nfrom' and '\nto...' can be very cpu and memory consuming
>> and will run over the complete mail. I would try to whitelist  @cnn.com
>> and to remove both lines.
>>
>> Because CNN seem to be a grocer - they don't provide a SPF record - you
>> should try to build one for their domain and override (+ strict).
>> Your logs contain the CNN IP addresses.
>> And write them a bitterly angry email - that they should provide an SPF
>> record.
>>
>>  Thomas
>>
>>
>>
>>
>>
>> From: K Post <nntp.p...@gmail.com>
>> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date: 21.02.2016 15:57
>> Subject: Re: [Assp-test] Unexpected SEGV - v16036, Line 38599
>>
>>
>>
>> I've got WhiteRe in a file.
>>
>> It's:
>>
>> Google Alert - victim(?:s)(?:')? help
>> Google Alert - human trafficing
>> #
>> # from cnn to our cnn@ourdomain account
>> \nfrom:[^\r\n]+?\@cnn\.com.+?\nto:[^\r\n]+?c\@ourdomain
>> \nto:[^\r\n]+?cnn\@ourdomain.+?\nfrom:[^\r\n]+?\@cnn\.com
>> #
>> HelpDaily
>>
>> That hasn't changed.  Looking back at logs, I see this happening with the
>> previous 16013 version, just not as frequently, so it's not a version
>> specific problem.  Some sort of corruption in my data???
>>
>> Suggestion to fix?
>>
>> On Sun, Feb 21, 2016 at 12:48 AM, Thomas Eckardt
>> <thomas.ecka...@thockar.com
>> > wrote:
>>
>> > line 38599 is checking the mail body against 'whiteRe' - so what is your
>> > config value for this?
>> >
>> > Thomas
>> >
>> >
>> >
>> >
>> > From: K Post <nntp.p...@gmail.com>
>> > To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>> > Date: 21.02.2016 02:45
>> > Subject: [Assp-test] Unexpected SEGV - v16036, Line
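
The advice quoted above, that the two `\nfrom` / `\nto` lines run over the complete mail, shown as an added example (not ASSP code and not from the thread): it compares the two quoted patterns with a check confined to the From and To header fields. Python's `re` stands in for Perl's regex engine; the matching flags, the sample addresses and all helper names are assumptions.

```python
import re
import time

# The two WhiteRe lines quoted in the thread, joined into one alternation.
# Assumption: matched case-insensitively, with '.' crossing newlines, against
# the complete message (headers and body).
WHOLE_MAIL_RE = re.compile(
    r"\nfrom:[^\r\n]+?\@cnn\.com.+?\nto:[^\r\n]+?c\@ourdomain"
    r"|\nto:[^\r\n]+?cnn\@ourdomain.+?\nfrom:[^\r\n]+?\@cnn\.com",
    re.I | re.S,
)
# The same address fragments, applied to one header field each.
FROM_RE = re.compile(r"@cnn\.com", re.I)
TO_RE = re.compile(r"(?:c|cnn)@ourdomain", re.I)
HEADER_END_RE = re.compile(r"\r?\n\r?\n")


def whole_mail_match(raw):
    """Search the entire message, as the two original lines do."""
    return WHOLE_MAIL_RE.search("\n" + raw) is not None


def header_scoped_match(raw):
    """Check only the From and To fields of the header block."""
    end = HEADER_END_RE.search(raw)
    head = raw[: end.start()] if end else raw
    head = re.sub(r"\r?\n[ \t]+", " ", head)  # unfold continuation lines
    fields = {}
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), value.strip())
    return bool(FROM_RE.search(fields.get("from", ""))
                and TO_RE.search(fields.get("to", "")))


def build_mail(to_field, body_lines):
    """Constructed sample message; every address is a placeholder."""
    head = ("To: " + to_field + "\r\n"
            "From: CNN Alerts <alerts@cnn.com>\r\n"
            "Subject: Breaking news\r\n")
    return head + "\r\n" + "\r\n".join(body_lines) + "\r\n"


def big_body(lines=40000):
    """About 3 MB of base64-looking filler, like a large attachment."""
    return ["QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo" * 2 + "MDEyMw=="] * lines


def best_time(fn, raw, repeat=3):
    """Best wall-clock time of fn(raw) over a few runs, in seconds."""
    best = float("inf")
    for _ in range(repeat):
        start = time.perf_counter()
        fn(raw)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    hit = build_mail("cnn@ourdomain.org", ["short body"])
    folded = build_mail("Newsdesk\r\n <cnn@ourdomain.org>", ["short body"])
    miss = build_mail("info@ourdomain.org", big_body())
    for label, mail in (("match", hit), ("folded To", folded), ("large miss", miss)):
        print(f"{label:10s} whole={whole_mail_match(mail)!s:5s} "
              f"header={header_scoped_match(mail)!s:5s} "
              f"whole_s={best_time(whole_mail_match, mail):.4f} "
              f"header_s={best_time(header_scoped_match, mail):.6f}")
```

On the large non-matching message the whole-mail pattern has to walk the entire body before it can give up, while the header check stops at the first blank line. The folded To header is a case the original lines miss, because `[^\r\n]` cannot cross the continuation line.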

Re: [Assp-test] Unexpected SEGV - v16036, Line 38599

2016-02-21 Thread K Post
I killed the WhiteRe completely since most of them are old.
I've restarted, and so far so good, BUT it seems to take a while after
restart for the warnings to start, which I further don't understand.
What's really strange is that the WhiteRe hasn't changed for a really long
time.  No idea why this suddenly started happening, but hopefully just
ditching them altogether will fix the errors/warnings.  When I saw this
last night, what I'm really baffled by is that things would be okay for a
while after restart, say an hour or two, and then the warnings / stuck will
start and continue.

FYI
The \from \to came from you years ago as a suggestion.  It was well before
SPF handling and was for a very specific email.  Now, I'm looking more
generally:

Might there be a negative scoring that I could add to bombre for a specific
subdomain of ours here that I could use to give a bonus couple of points to
any mail from whatever@[domain].ext that comes to [domain]@
oursub.ourdomain.org?
For example, if mail is from *RedCross*.org to 249058619899@
sub.ourdomain.org give it -10 to help it eke by as Mail OK when it might
have had a score that would have otherwise made it scored as spam.  Most of
the erroneously rejected mails are mails like this.  That's sort of what
the cnn filter in the whitere was intended for, but I don't need it to be
white, just reduce the score.  I don't want something if you think it'll be
too cpu intensive though.

The key here is that this subdomain is set up as a wildcard alias.  It goes
to a group of users and those users are free to use the [whatever]@
sub.ourdomain.org online with whomever they see fit.  That lets us track
email usage and know when a specific email address has been sold to another
entity or stolen (and then set a rule to reject those messages).





Is there a trick

On Sun, Feb 21, 2016 at 10:31 AM, Thomas Eckardt <thomas.ecka...@thockar.com
> wrote:

> Google Alert - victim(?:s)(?:')? help
> Google Alert - human trafficing
> #
> # from cnn to our cnn@ourdomain account
> \nfrom:[^\r\n]+?\@cnn\.com.+?\nto:[^\r\n]+?c\@ourdomain
> \nto:[^\r\n]+?cnn\@ourdomain.+?\nfrom:[^\r\n]+?\@cnn\.com
> #
> HelpDaily
>
> ..
>
> Google Alert - victim(?:s)(?:')? help
> better use
> Google Alert - victims'? help
>
> both lines '\nfrom' and '\nto...' can be very cpu and memory consuming
> and will run over the complete mail. I would try to whitelist  @cnn.com and
> to remove both lines.
>
> Because CNN seem to be a grocer - they don't provide a SPF record - you
> should try to build one for their domain and override (+ strict).
> Your logs contain the CNN IP addresses.
> And write them a bitterly angry email - that they should provide an SPF
> record.
>
>  Thomas
>
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 21.02.2016 15:57
> Subject: Re: [Assp-test] Unexpected SEGV - v16036, Line 38599
>
>
>
> I've got WhiteRe in a file.
>
> It's:
>
> Google Alert - victim(?:s)(?:')? help
> Google Alert - human trafficing
> #
> # from cnn to our cnn@ourdomain account
> \nfrom:[^\r\n]+?\@cnn\.com.+?\nto:[^\r\n]+?c\@ourdomain
> \nto:[^\r\n]+?cnn\@ourdomain.+?\nfrom:[^\r\n]+?\@cnn\.com
> #
> HelpDaily
>
> That hasn't changed.  Looking back at logs, I see this happening with the
> previous 16013 version, just not as frequently, so it's not a version
> specific problem.  Some sort of corruption in my data???
>
> Suggestion to fix?
>
> On Sun, Feb 21, 2016 at 12:48 AM, Thomas Eckardt
> <thomas.ecka...@thockar.com
> > wrote:
>
> > line 38599 is checking the mail body against 'whiteRe' - so what is your
> > config value for this?
> >
> > Thomas
> >
> >
> >
> >
> > From: K Post <nntp.p...@gmail.com>
> > To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> > Date: 21.02.2016 02:45
> > Subject: [Assp-test] Unexpected SEGV - v16036, Line 38599
> >
> >
> >
> > My 16036 installation, windows, all modules up to date is throwing this
> > warning over and over:
> >
> > Warning: got unexpected signal SEGV in Worker_2: package - main, file -
> > c:\ASSP\assp.pl, line - 38599!
> > (many of them)
> >
> > followed by a
> >
> > Warning: try to terminate inactive/stucking Worker_2
> >
> >
> >
> > [ fyi, "stucking" isn't a word.  Replace with "stuck" if you are so
> > inclined ]
> >
> >
>

Re: [Assp-test] Unexpected SEGV - v16036, Line 38599

2016-02-21 Thread K Post
When I go to Worker Status, I see most of the workers
showing: ThreadGetNewCon

On Sun, Feb 21, 2016 at 9:53 AM, K Post <nntp.p...@gmail.com> wrote:

> I've got WhiteRe in a file.
>
> It's:
>
> Google Alert - victim(?:s)(?:')? help
> Google Alert - human trafficing
> #
> # from cnn to our cnn@ourdomain account
> \nfrom:[^\r\n]+?\@cnn\.com.+?\nto:[^\r\n]+?c\@ourdomain
> \nto:[^\r\n]+?cnn\@ourdomain.+?\nfrom:[^\r\n]+?\@cnn\.com
> #
> HelpDaily
>
> That hasn't changed.  Looking back at logs, I see this happening with the
> previous 16013 version, just not as frequently, so it's not a version
> specific problem.  Some sort of corruption in my data???
>
> Suggestion to fix?
>
> On Sun, Feb 21, 2016 at 12:48 AM, Thomas Eckardt <
> thomas.ecka...@thockar.com> wrote:
>
>> line 38599 is checking the mail body against 'whiteRe' - so what is your
>> config value for this?
>>
>> Thomas
>>
>>
>>
>>
>> From: K Post <nntp.p...@gmail.com>
>> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date: 21.02.2016 02:45
>> Subject: [Assp-test] Unexpected SEGV - v16036, Line 38599
>>
>>
>>
>> My 16036 installation, windows, all modules up to date is throwing this
>> warning over and over:
>>
>> Warning: got unexpected signal SEGV in Worker_2: package - main, file -
>> c:\ASSP\assp.pl, line - 38599!
>> (many of them)
>>
>> followed by a
>>
>> Warning: try to terminate inactive/stucking Worker_2
>>
>>
>>
>> [ fyi, "stucking" isn't a word.  Replace with "stuck" if you are so
>> inclined ]
>>
>>
>


Re: [Assp-test] Unexpected SEGV - v16036, Line 38599

2016-02-21 Thread K Post
I've got WhiteRe in a file.

It's:

Google Alert - victim(?:s)(?:')? help
Google Alert - human trafficing
#
# from cnn to our cnn@ourdomain account
\nfrom:[^\r\n]+?\@cnn\.com.+?\nto:[^\r\n]+?c\@ourdomain
\nto:[^\r\n]+?cnn\@ourdomain.+?\nfrom:[^\r\n]+?\@cnn\.com
#
HelpDaily

That hasn't changed.  Looking back at logs, I see this happening with the
previous 16013 version, just not as frequently, so it's not a version
specific problem.  Some sort of corruption in my data???

Suggestion to fix?

On Sun, Feb 21, 2016 at 12:48 AM, Thomas Eckardt <thomas.ecka...@thockar.com
> wrote:

> line 38599 is checking the mail body against 'whiteRe' - so what is your
> config value for this?
>
> Thomas
>
>
>
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 21.02.2016 02:45
> Subject: [Assp-test] Unexpected SEGV - v16036, Line 38599
>
>
>
> My 16036 installation, windows, all modules up to date is throwing this
> warning over and over:
>
> Warning: got unexpected signal SEGV in Worker_2: package - main, file -
> c:\ASSP\assp.pl, line - 38599!
> (many of them)
>
> followed by a
>
> Warning: try to terminate inactive/stucking Worker_2
>
>
>
> [ fyi, "stucking" isn't a word.  Replace with "stuck" if you are so
> inclined ]
>
>


Re: [Assp-test] Unexpected SEGV - v16036, Line 38599

2016-02-20 Thread K Post
for clarification, when the SEGV error hits, I see more than 100 of them in
the same second in the log

On Sat, Feb 20, 2016 at 8:44 PM, K Post <nntp.p...@gmail.com> wrote:

> My 16036 installation, windows, all modules up to date is throwing this
> warning over and over:
>
> Warning: got unexpected signal SEGV in Worker_2: package - main, file -
> c:\ASSP\assp.pl, line - 38599!
> (many of them)
>
> followed by a
>
> Warning: try to terminate inactive/stucking Worker_2
>
>
>
> [ fyi, "stucking" isn't a word.  Replace with "stuck" if you are so
> inclined ]
>