Re: [Assp-test] Whitelisting by sender domain/ip recipient
> Message: 6
> Date: Fri, 01 Mar 2013 12:52:11 +0100
> From: Fritz Borgstedt f...@iworld.de
> Subject: Re: [Assp-test] Whitelisting by sender domain/ip recipient
> To: ASSP development mailing list assp-test@lists.sourceforge.net
> Message-ID: assp.177270a658.fc.000f455507b2cd4b3b9aca00d8cdbd9a.7b2c...@iworld.de
> Content-Type: text/plain; charset=ISO-8859-1
>
> ASSP development mailing list assp-test@lists.sourceforge.net writes:
>
> > Is this possible? If so can someone point me in the right direction?
>
> see -wildcardUser

Can you please elaborate how this resolves my problem? As far as I know the whitelist mysql table can't be used for this. Secondly, it appears to whitelist an entire domain on the server level, unless I'm missing something. Also, it doesn't resolve the issue of whitelisting an IP of a sending mail server only for a recipient domain or recipient email address.

Just to summarize, I want to be able to whitelist a sender's domain on a per recipient domain or recipient email address basis, as well as a sender's IP on a per recipient domain or recipient email address basis. I also need to whitelist a sender email address for a recipient domain and a sender email address for a recipient email address, which I am already able to do using the whitelist table.

> --
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_feb
> ___
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
> End of Assp-test Digest, Vol 68, Issue 1

--
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester Wave(TM): Endpoint Security, Q1 2013 and remains a good choice in the endpoint security space. For insight on selecting the right partner to tackle endpoint security challenges, access the full report.
http://p.sf.net/sfu/symantec-dev2dev
___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
Re: [Assp-test] Resend errors - second issue
Further to this and the reply, I think the BCC thing is a complete red herring. We are simply seeing lots of emails coming through that are missing the headers. I've already spent nearly an hour processing manual resend requests today, so it is becoming quite a big issue, and people are starting to ask what is wrong and when it will be fixed. The only thing I can think of currently is dropping back a few versions to see if it is something that was introduced; however, that won't help if it is something introduced by an OS package being updated or something like that.

-----Original Message-----
From: Colin [mailto:a...@lanternhosting.co.uk]
Sent: 07 March 2013 10:43
To: ASSP development mailing list
Subject: [Assp-test] Resend errors - second issue

I am seeing several of these per day:

2013-03-07 07:59:21 [Worker_1] (re)send - /usr/local/assp/resendmail/Quarry_Product_Focus--1282365.eml - To: and X-Assp-Intended-For: headertag not found - skip file

They largely seem to be legitimate mailing lists, so my guess is the recipients are named as a BCC rather than To:. BCC isn't stored, and ASSP does not appear to be creating the X-Assp-Intended-For: tag based on the SMTP recipient. If I edit the file in resendmail to manually add an X-Assp-Intended-For: tag, then ASSP resends the mail as expected (I have to rename it from .eml.err.modified to .eml, which is expected).

Any suggestions?

All the best,
Colin Waring.
[Assp-test] Flood of ATT Fake Bills
I just started to get a flood of ATT Wireless bill emails this morning and see that there is no SPF record for their domain. Any suggestions on how to block this without blocking the real emails, which I have validated also come from the same source email address?

Headers for the bad email are below:

X-Assp-Version: 1.98(13056) on ASSP.nospam
X-Assp-Delay: postmas...@ringofsaturn.com was delayed for 6m 19s; 8 Mar 2013 08:50:54 -0600
X-Assp-SenderBase: country:US; organization:Winnebago Coop. Telephone Assn.; domain:wctatel.net
X-Assp-Score: -10 (Home Country US)
X-Assp-Whitelisted: Yes (whitelistdb 'ica...@amcustomercare.att-mail.com')
X-Assp-Envelope-From: ica...@amcustomercare.att-mail.com
X-Assp-Intended-For: XXX@X
X-Assp-ID: ASSP.nospam m-36275-21916
Received: from lm-static-207.32.3.173.wctatel.net ([207.32.3.173] helo=lm-static-207.32.3.173.wctatel.net) by ASSP.nospam with ESMTP (ASSP 1.98); 8 Mar 2013 08:50:52 -0600
Received: from (192.168.1.215) by tcsn.net (207.32.3.173) with Microsoft SMTP Server id 8.0.685.24; Fri, 8 Mar 2013 08:50:53 -0600
Message-ID: 5139f65c.204...@tcsn.net
Date: Fri, 8 Mar 2013 08:50:53 -0600
From: ATT Customer Care ica...@amcustomercare.att-mail.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20100921 Thunderbird/3.1.4
MIME-Version: 1.0
To: XXX@XX
Subject: Your ATT wireless bill is ready to view

Here are the headers for a good email:

X-Assp-Version: 1.98(13056) on ASSP.nospam
X-Assp-Delay: s...@emailhoster.com was delayed for 5h 48m 14s; 7 Mar 2013 10:53:29 -0600
X-Assp-SenderBase: country:US; organization:ATT SERVICES; domain:att.com
X-Assp-Score: -10 (Home Country US)
X-Assp-Whitelisted: Yes (whitelistdb 'ica...@amcustomercare.att-mail.com')
X-Assp-Envelope-From: ica...@amcustomercare.att-mail.com
X-Assp-Intended-For: XXX@XXX
X-Assp-ID: ASSP.nospam m-36267-19691
Received: from tlpi046.enaf.dadc.sbc.com ([144.160.112.12] helo=tlpi046.enaf.dadc.sbc.com) by ASSP.nospam with ESMTP (ASSP 1.98); 7 Mar 2013 10:53:27 -0600
Received: from uspedd06.edc.cingular.net (uspedd06.edc.cingular.net [135.214.228.40]) by tlpi046.enaf.dadc.sbc.com (8.14.4/8.14.4) with ESMTP id r27B5CwP013553 for s...@emailhoster.com; Thu, 7 Mar 2013 05:05:12 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=amcustomercare.att-mail.com; s=egs02; t=1362654312;
  bh=VY5V1vL1zVNAp3VpZXuBUQC5M4zLeyUdn7m7PC9cIMs=;
  h=Message-ID:Date:From:To:Subject:Mime-Version:Content-Type:Content-Transfer-Encoding;
  b=AYO8O0zwCRerZMTkNd21dlSG1mv4ahfMi5QRpZVPp2/wViKIn0+5/u0kAQhobI6EIkqbRuxOERZA4g4bfusCXklPNvWt8Laocuo2zbcr6tvluNqrU74AARWuXipm2xHgYwo10ZNuuajXkAINt1hHCGNaTksfbaz8ESjJ+IOv8ek=
Message-ID: 24734909.1362654312518.javamail.p7edd...@uspedd06.edc.cingular.net
Date: Thu, 7 Mar 2013 05:05:12 -0600 (CST)
From: ATT Customer Care ica...@amcustomercare.att-mail.com
To: XXX@XX
Subject: Your ATT wireless bill is ready to view
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit

ATT: OLAMBRN-790285545

Thanks in advance!
Rusty Nejdl
Re: [Assp-test] Flood of ATT Fake Bills
Remove ica...@amcustomercare.att-mail.com from whitelist
Add att.com to whiteorg.txt (whiteSenderBase)
Re: [Assp-test] Flood of ATT Fake Bills
Fritz,

Should I add att.com or att-mail.com or amcustomercare.att-mail.com to the whiteSenderBase? ATT.com doesn't seem related to the below email address, which is why I ask.

Rusty Nejdl

On 2013-03-08 13:02, Fritz Borgstedt wrote:

> Remove ica...@amcustomercare.att-mail.com from whitelist
> Add att.com to whiteorg.txt (whiteSenderBase)
Re: [Assp-test] Flood of ATT Fake Bills
rne...@ringofsaturn.com writes:

> Should I add att.com or att-mail.com or amcustomercare.att-mail.com to the whiteSenderBase? ATT.com doesn't seem related to the below email address, which is why I ask.

whiteSenderBase is using the sending IP to check organization/domain for whitelisted entries. The mail in question showed:

X-Assp-SenderBase: country:US; organization:ATT SERVICES; domain:att.com

So you can add ATT SERVICES or att.com.
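To make Fritz's point concrete, here is an added Python illustration (not ASSP code) that runs both whitelist styles over abbreviated copies of the two header sets Rusty quoted: an address whitelist keyed on X-Assp-Envelope-From accepts the fake bill as readily as the real one, while a SenderBase whitelist keyed on the organization/domain ASSP derived from the connecting IP accepts only the real one. Exact, case-insensitive matching on organization or domain is an assumption of the example, not ASSP's actual matching rule.

```python
# Constructed from the two header sets quoted earlier in the thread (abbreviated).
BAD_MAIL = """X-Assp-SenderBase: country:US; organization:Winnebago Coop. Telephone Assn.; domain:wctatel.net
X-Assp-Whitelisted: Yes (whitelistdb 'ica...@amcustomercare.att-mail.com')
X-Assp-Envelope-From: ica...@amcustomercare.att-mail.com
Received: from lm-static-207.32.3.173.wctatel.net ([207.32.3.173]) by ASSP.nospam with ESMTP (ASSP 1.98); 8 Mar 2013 08:50:52 -0600
From: ATT Customer Care ica...@amcustomercare.att-mail.com
"""

GOOD_MAIL = """X-Assp-SenderBase: country:US; organization:ATT SERVICES; domain:att.com
X-Assp-Whitelisted: Yes (whitelistdb 'ica...@amcustomercare.att-mail.com')
X-Assp-Envelope-From: ica...@amcustomercare.att-mail.com
Received: from tlpi046.enaf.dadc.sbc.com ([144.160.112.12]) by ASSP.nospam with ESMTP (ASSP 1.98); 7 Mar 2013 10:53:27 -0600
From: ATT Customer Care ica...@amcustomercare.att-mail.com
"""

def parse_headers(raw):
    """One header per line, no folding: enough for the quoted blocks. First value wins."""
    headers = {}
    for line in raw.splitlines():
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers

def parse_senderbase(value):
    """Split 'country:US; organization:X; domain:y' into a dict."""
    fields = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition(":")
        if key:
            fields[key.strip().lower()] = val.strip()
    return fields

def address_whitelisted(headers, whitelist):
    """Address whitelist: keyed on the envelope sender, which the sender chooses."""
    wanted = {w.lower() for w in whitelist}
    return headers.get("x-assp-envelope-from", "").lower() in wanted

def senderbase_whitelisted(headers, whiteorg):
    """SenderBase whitelist: keyed on the organization/domain ASSP derived from the
    connecting IP, which forging MAIL FROM does not change. Exact, case-insensitive
    matching on either field is this example's assumption, not ASSP's rule."""
    sb = parse_senderbase(headers.get("x-assp-senderbase", ""))
    wanted = {w.lower() for w in whiteorg}
    return sb.get("organization", "").lower() in wanted or sb.get("domain", "").lower() in wanted

def whitelist_decision(raw, whitelist, whiteorg):
    """Return which whitelist style would accept the message."""
    headers = parse_headers(raw)
    return {"address": address_whitelisted(headers, whitelist),
            "senderbase": senderbase_whitelisted(headers, whiteorg)}
```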
[Assp-test] Why is spam prob score 0
My ASSP uses test mode, causing the subject to be prefixed with [SPAM], which I catch downstream (in case that matters). The problem I'm having is that mail with a faked From address (different from MAIL FROM) is getting through unmarked. Below is an analysis of such a message. As you can see, ASSP is identifying From != MAIL FROM. I have DONOSPOOFING4FROM checked, and DONOSPOOFING set to score. Yet the message below was not tagged as SPAM, and scores 0. Can someone explain why? (I have linkedin.com in a whitelist, but that should not count for a spoofed From!?)

Thanks
Michelle

sender and reply addresses:
MAIL FROM: bryannaale...@sepag.ch
Sender: messages-nore...@bounce.linkedin.com
From: passw...@linkedin.com

recipient addresses:
RCPT TO: myn...@mydomain.ca
To: myn...@mydomain.ca

Feature Matching:
• Whitelist: 'messages-nore...@bounce.linkedin.com'
• 197.0.48.176 is in SPFCache: status=softfail with helo=[197.0.48.176]
• SPF-check returned OK for 197.0.48.176 - bryannaale...@sepag.ch, [197.0.48.176]
• SPF: softfail (cache) ip=197.0.48.176 mailfrom=bryannaale...@sepag.ch helo=[197.0.48.176]
• DMARC-check returned OK
• URIBL check: 'OK'
• Not a Valid Format of HELO: '[197.0.48.176]'
• Invalid Format of HELO: 'highest match: 197.0.48 with valence: 5 - PB value = 5'
• matching invalidFormatHeloRe(file:files/invalidhelo.txt[line 4]): '\d{1,3}[-x.]\d{1,3}[-x.]\d{1,3}'
• IP in Helo check: 'OK'
• 199.101.160.51 is in RBLCache: inserted as ok at 2013-03-08 18:07:58
• 64.182.103.22 is in RBLCache: inserted as ok at 2013-03-01 06:04:34
• RBLCheck returned OK for 197.0.48.176: DNSBL: neutral, 197.0.48.176 listed in l2.apews.org psbl.surriel.com
• domain sepag.ch has valid MXA record: all01.mx.genotec.ch 82.195.224.56
• 197.0.48.176 is in RWLCache: status=not listed
• 197.0.48.0 has a Griplist value of 0.8

Bayesian Analysis:
- word stemming engine is used

Bad Words / Bad Prob, Good Words / Good Prob:
[addr] sender 0.
sender [addr] 0.
sender [addr] 0.0002
[addr] sender 0.0501
rcpt [addr] 0.9275
ssub now 0.8742
ssub connecting 0.1345
connecting ssub 0.1546
ssub your 0.8228
your ssub 0.8225
[addr] sender 0.7839
now ssub 0.7759
of your 0.7701
of ssub 0.7677
ssub of 0.7676
now part 0.2405
network ssub 0.2610
ssub network 0.2835
part ssub 0.7057
ssub is 0.6992
is ssub 0.6990
ssub part 0.6983
helo smtprandnumberdnsexit.com 0.6426
smtprandnumberdnsexit.com rcpt 0.6293
keep ssub 0.6012

Bayesian Spam Probability: combined probability: 0. - got 25 - used 60 most significant results
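As an added illustration (not ASSP code, and not an explanation of ASSP's scoring), the following Python pulls the addresses out of the analysis Michelle posted, reports whether the From: domain disagrees with MAIL FROM, and identifies which address the whitelist entry actually matched, which in this case is the Sender: header rather than the spoofed-looking From:. Comparing on the last two DNS labels, so that bounce.linkedin.com and linkedin.com count as one domain, is an assumption of the example.

```python
import re

# Constructed from the address analysis in the message above.
ANALYSIS = """MAIL FROM: bryannaale...@sepag.ch
Sender: messages-nore...@bounce.linkedin.com
From: passw...@linkedin.com
RCPT TO: myn...@mydomain.ca
To: myn...@mydomain.ca
Whitelist: 'messages-nore...@bounce.linkedin.com'
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

def extract_addresses(text):
    """Map each label ('mail from', 'sender', 'from', ...) to the address on its line."""
    found = {}
    for line in text.splitlines():
        label, _, rest = line.partition(":")
        m = ADDR_RE.search(rest)
        if m:
            found[label.strip().lower()] = m.group(0).lower()
    return found

def registered_domain(addr):
    """Last two DNS labels, so bounce.linkedin.com and linkedin.com compare equal.
    Assumption of this example; real code would consult the public suffix list."""
    if not addr or "@" not in addr:
        return None
    return ".".join(addr.rsplit("@", 1)[1].split(".")[-2:])

def spoof_report(text):
    """Does From: disagree with MAIL FROM, and which address did the whitelist hit?"""
    a = extract_addresses(text)
    whitelisted = a.get("whitelist")
    hit_on = next((k for k, v in a.items() if k != "whitelist" and v == whitelisted), None)
    return {
        "from_mismatch": registered_domain(a.get("mail from")) != registered_domain(a.get("from")),
        "sender_matches_from": registered_domain(a.get("sender")) == registered_domain(a.get("from")),
        "whitelist_hit_on": hit_on,
    }
```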