Thank you Colin - I've found the bug.

Thomas




From:    Colin <a...@lanternhosting.co.uk>
To:      assp-test@lists.sourceforge.net,
Date:    20.09.2012 18:58
Subject: Re: [Assp-test] Antwort: Re: Antwort: Re: Antwort: Backscatter problem



Hi Thomas,

Setting it to verbose seems to have changed nothing. As per the log 
below the system is detecting the message as a bounce but does not 
appear to be logging any MSIG validation attempt.

2012-09-20 14:40:58 [Worker_6] Connected: 82.198.189.153:58621 > 195.88.101.110:25 > 127.0.0.1:125
2012-09-20 14:40:58 [Worker_6] 82.198.189.153 [SMTP Reply] 220 mail.smtphost.co.uk ESMTP Exim 4.76 Thu, 20 Sep 2012 14:40:58 +0100
2012-09-20 14:40:58 [Worker_6] 82.198.189.153 [SMTP Reply] 250 HELP
2012-09-20 14:40:58 [Worker_6] 82.198.189.153 info: got STARTTLS request from 82.198.189.153
2012-09-20 14:40:58 [Worker_6] 82.198.189.153 [SMTP Reply] 220 TLS go ahead
2012-09-20 14:40:59 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 [SMTP Reply] 250 HELP
2012-09-20 14:40:59 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 info: found message size announcement: 7.85 kByte
2012-09-20 14:40:59 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] [isbounce] 82.198.189.153 bounce message detected
2012-09-20 14:40:59 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 Message-Score: added -10 (tlsValencePB) for SSL-TLS-connection-OK, total score for this message is now -10
2012-09-20 14:40:59 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 [SMTP Reply] 250 OK
2012-09-20 14:40:59 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld [SMTP Reply] 250 Accepted
2012-09-20 14:40:59 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld [SMTP Reply] 354 Enter message, ending with "." on a line by itself
2012-09-20 14:41:00 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld [scoring] SPF: none ip=82.198.189.153 helo=mail.rosreestr.ru
2012-09-20 14:41:00 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld Regex:BombRe 'PB 20: for Undeliverable:'
2012-09-20 14:41:00 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] [bombRe] 82.198.189.153 to: vida.melnik...@domain.tld [scoring] (bombRe 'Undeliverable:')
2012-09-20 14:41:00 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld Message-Score: added 20 for Regex:BombRe 'PB 20: for Undeliverable:'  bombRe: 'Undeliverable:', total score for this message is now 10
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld HMM Check [scoring] - Prob: 1.00000 => spam
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld Message-Score: added 22 for HMM Probability: 1.0000, total score for this message is now 32
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld Bayesian Check [scoring] - Prob: 0.00000 => ham
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld [Plugin] calling plugin ASSP_AFC
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld [Plugin] calling plugin ASSP_DCC
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] [MessageOK] 82.198.189.153 to: vida.melnik...@domain.tld message ok [Undeliverable]
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld [SMTP Reply] 250 OK id=1TEgzz-0007xX-Ve
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld [SMTP Reply] 221 mail.smtphost.co.uk closing connection
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [SSL-out] 82.198.189.153 to: vida.melnik...@domain.tld finished message - received DATA size: 0 Byte - sent DATA size: 8.06 kByte
2012-09-20 14:41:01 [Worker_6] Disconnected: 82.198.189.153 - processing time 3 seconds


On 18/09/2012 16:43, Thomas Eckardt wrote:
> What is your setting for 'MSGIDsigLog' ?
>
> Thomas
>
>
>
>
> From:    Colin <a...@lanternhosting.co.uk>
> To:      assp-test@lists.sourceforge.net,
> Date:    18.09.2012 17:21
> Subject: Re: [Assp-test] Antwort: Re:  Antwort:  Backscatter problem
>
>
>
> I have just checked some outbound emails and they all bear a Message-ID:
> header so it looks like MSGID is working.
>
> In the case of this one domain it would seem that ASSP is failing to
> block the messages even though they do not bear an MSGID header.
>
> All the best,
> Colin
>
> On 18/09/2012 15:19, Thomas Eckardt wrote:
>> Colin, if you use the MSGID-signature, all mails sent for your domain(s)
>> should be tagged - otherwise this does not make sense to me.
>> If any webserver sends out messages without the tag and a bounce comes in
>> because of such a mail, assp should block it.
>>
>> So, if I understand it right, the MSGID-signature check is not working?
>>
>> Thomas
>>
>>
>>
>>
>> From:    Colin <a...@lanternhosting.co.uk>
>> To:      assp-test@lists.sourceforge.net,
>> Date:    18.09.2012 16:04
>> Subject: Re: [Assp-test] Antwort:  Backscatter problem
>>
>>
>>
>> The junk emails are nothing to do with our servers.
>>
>> The website I believe to be generating the original junk is hosted
>> elsewhere and deals with emails however it wants. The bounce messages
>> are coming from various Russian servers that have been hit by the spam.
>> As such ratelimiting and frequency won't do anything.
>>
>> The only reason I am seeing these messages in the queues is because they
>> are sent to invalid recipients - if recipient validation was to occur on
>> received bounce messages as per my original message then the whole issue
>> would go away as far as I am concerned. If the client wants us to argue
>> the compromised website with the web developer then that is another issue.
>> All the best,
>> Colin Waring.
>>
>>
>>
>> On 18/09/2012 08:03, Grayhat wrote:
>>>> have you set 'MSGIDpreTag' and 'MSGIDSec'?
>>>>
>>>> Both have to be set! The default value is NOT valid for 'MSGIDSec'!
>>> good point; also, if the customer is also *sending* out emails through
>>> ASSP, it may be a good idea to enable the outbound rate limiter, that is
>>> setting appropriate values for LocalFrequencyInt/LocalFrequencyNumRcpt
>>> (and possibly for NoLocalFrequency *or* LocalFrequencyOnly, not both);
>>> in my experience the limiter greatly helps finding sudden "outbound
>>> email flurries" which are often caused by compromised boxes (or
>>> by regular users thinking that mass-mailing is cool :P)
>>>
>>> For a starter, you may try setting up the following
>>>
>>> LocalFrequencyInt := 1800
>>>
>>> LocalFrequencyNumRcpt := 120
>>>
>>> then populate EITHER the NoLocalFrequency or LocalFrequencyOnly with
>>> something like file:files/nolocalfreq.txt or file:files/localfreq.txt
>>> and edit the file populating it with the desired recipients; I use the
>>> first one and populated the file with addresses belonging to mailing
>>> lists or newsletters, but if you prefer you may use the second one and
>>> just insert into it the sender addresses which you want to "monitor";
>>> in either case, you'll then get back an alert in case someone sends out
>>> more than 120 messages in 1800 seconds (you may fine tune those values,
>>> but they are usually a good starting point)
>>>
>>>
>>> _______________________________________________
>>> Assp-test mailing list
>>> Assp-test@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/assp-test
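Added example, not from the thread: a small checker over ASSP maillog lines that flags a detected bounce which was accepted ([MessageOK]) although no line of that message refers to a signature check, which is exactly the pattern in Colin's log above. The first three sample lines are taken from that log; the last three are constructed, and the wording "MSGID" for the validation line is an assumption, so adjust the marker to what your ASSP version actually logs.

```python
import re
from collections import defaultdict

# Sample ASSP maillog lines: the first three come from Colin's log above
# (message m1-48459-06817); the last three are CONSTRUCTED to show a bounce
# that did log a signature check. The wording of that line is assumed here,
# not taken from the page.
LOG_LINES = """\
2012-09-20 14:40:59 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] [isbounce] 82.198.189.153 bounce message detected
2012-09-20 14:41:00 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] 82.198.189.153 to: vida.melnik...@domain.tld [scoring] SPF: none ip=82.198.189.153 helo=mail.rosreestr.ru
2012-09-20 14:41:01 m1-48459-06817 [Worker_6] [TLS-in] [TLS-out] [MessageOK] 82.198.189.153 to: vida.melnik...@domain.tld message ok [Undeliverable]
2012-09-20 15:02:10 m1-48460-00001 [Worker_2] [isbounce] 203.0.113.7 bounce message detected
2012-09-20 15:02:10 m1-48460-00001 [Worker_2] 203.0.113.7 MSGID signature check: valid
2012-09-20 15:02:11 m1-48460-00001 [Worker_2] [MessageOK] 203.0.113.7 to: someone@domain.tld message ok
""".splitlines()

# ASSP prefixes each per-message line with a message tag such as m1-48459-06817;
# connection-level lines (Connected/Disconnected) carry no tag and are skipped.
MSG_TAG = re.compile(r"^\S+ \S+ (m\d+-\d+-\d+) ")

def find_unvalidated_bounces(lines, validation_marker="MSGID"):
    """Return the tags of messages that were detected as bounces and accepted
    ([MessageOK]) while no line of the message mentions the validation marker."""
    by_msg = defaultdict(list)
    for line in lines:
        m = MSG_TAG.match(line)
        if m:
            by_msg[m.group(1)].append(line)
    flagged = []
    for tag, msg_lines in by_msg.items():
        is_bounce = any("[isbounce]" in l for l in msg_lines)
        accepted = any("[MessageOK]" in l for l in msg_lines)
        validated = any(validation_marker.lower() in l.lower() for l in msg_lines)
        if is_bounce and accepted and not validated:
            flagged.append(tag)
    return flagged

if __name__ == "__main__":
    for tag in find_unvalidated_bounces(LOG_LINES):
        print(f"{tag}: bounce accepted without any signature validation logged")
```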
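The MSGID-signature idea the thread keeps returning to (tag every outbound Message-ID so a bounce can be checked against it), as an added example written for this page rather than ASSP's own code: the Message-ID layout, the tag prefix and secret standing in for 'MSGIDpreTag' and 'MSGIDSec', the week-long validity window and the domain are all this example's assumptions, not ASSP's real format.

```python
import hashlib
import hmac
import re
import secrets
import time

# Constructed stand-ins for ASSP's 'MSGIDpreTag' and 'MSGIDSec' settings.
PRE_TAG = "asspsig"
SECRET = b"replace-with-a-long-random-secret"   # placeholder key
MAX_AGE = 7 * 24 * 3600   # assumed: bounces for week-old mail are not accepted

def _mac(ts, rand):
    # Truncated HMAC-SHA256 over timestamp and nonce; only the key holder can forge it.
    return hmac.new(SECRET, f"{ts}.{rand}".encode(), hashlib.sha256).hexdigest()[:16]

def sign_message_id(domain, now=None, rand=None):
    """Outbound Message-ID of the (example) form <PRE_TAG.ts.nonce.mac@domain>."""
    ts = int(now if now is not None else time.time())
    rand = rand or secrets.token_hex(6)
    return f"<{PRE_TAG}.{ts}.{rand}.{_mac(ts, rand)}@{domain}>"

ID_RE = re.compile(
    r"<" + re.escape(PRE_TAG) + r"\.(\d+)\.([0-9a-f]+)\.([0-9a-f]{16})@[^>]+>"
)

def bounce_is_genuine(bounce_body, now=None):
    """True only if the bounced content quotes a Message-ID whose MAC verifies
    and whose timestamp lies within MAX_AGE; anything else is backscatter."""
    now = now if now is not None else time.time()
    for ts, rand, mac in ID_RE.findall(bounce_body):
        fresh = 0 <= now - int(ts) <= MAX_AGE
        if hmac.compare_digest(mac, _mac(int(ts), rand)) and fresh:
            return True
    return False
```

A bounce that carries no tagged Message-ID at all, like the Russian-server bounces in the thread, fails the check outright; one that quotes a tag with a wrong MAC or an expired timestamp fails as well.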

