[Assp-test] fixes in assp 2.2.2 build 12228

2012-08-15 Thread Thomas Eckardt
Hi all,

fixed in assp 2.2.2 build 12228:

changed:

- If the receive of mail data takes longer than 'smtpIdleTimeOut' (or 180 seconds if not set)
  and all the data are queued for the final Plugin-, charset conversion- or DKIM- processing -
  assp sends a simple header line

X-ASSP-KEEP:[CR][LF]

  to the server and resets this special internal timer. So your MTA should get every 180 seconds
  this line in the DATA part of the mail as long as ASSP receives the slow large DATA, to keep
  the connection alive.
  This is done to prevent SMTP-timeouts for the MTA connection.


added:

- The GUI now has a 'Print Config/Screen' link at the very bottom of all pages.
  In the Main-Config view it will expand all topics, print the config like a manual and
  collapse all topics.
  In all other pages, the screen will be printed.

 
Thomas

DISCLAIMER:
***
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
***


--
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test


[Assp-test] ASSP not trapping obvious forged signatures

2012-08-15 Thread Michelle Dupuis
A month ago I upgraded ASSP 2.2.1(12137)  (and also moved to a new partition).  
Since then, my volume of spam getting through ASSP has increased considerably.  
Attached below is an example - clearly forged sender.  Why isn't ASSP trapping 
this?

I attached the analysis of the header below.  Strangely the probability is 
showing as 0.5 for a bunch of messages I tested...

I'm not sure how to fix this.  Help...

Thanks!

-

• ISP/Secondary Header: 'Received: from [95.56.197.53] ([95.56.197.53]) by smtp2.netdorm.com'
• Switched to ISP/Secondary IP: '95.56.197.53'

using enhanced Originated IP detection
• detected IP's on the mail routing way: 199.101.162.39 (no PTR)
• detected source IP: 199.101.162.39

sender and reply addresses:
MAIL FROM: angelabrund...@manzoniconsulting.it
Sender: messages-nore...@bounce.linkedin.com
From: passw...@linkedin.com


recipient addresses:
RCPT TO: myacco...@mydomain.com
To: myacco...@mydomain.com


Feature Matching:

• SPF-check returned OK for 95.56.197.53 - angelabrund...@manzoniconsulting.it, [95.56.197.53]
• URIBL check (ValidateURIBL): 'OK'
• Not a Valid Format of HELO (DoValidFormatHelo): '[95.56.197.53]'
• Invalid Format of HELO (invalidFormatHeloRe): 'highest match: 95.56.197 with valence: 5 - PB value = 5'
 • matching invalidFormatHeloRe (file:files/invalidhelo.txt [line 4]): '\d{1,3}[-x.]\d{1,3}[-x.]\d{1,3}'
• IP in Helo check (DoIPinHelo): 'OK'
• 199.101.162.39 is in RBLCache: inserted as ok at 2012-08-15 11:40:51
• 95.56.197.53 is in RBLCache: inserted as not ok at 2012-08-15 11:40:51 , listed by l2.apews.org{127.0.0.2} zen.spamhaus.org{127.0.0.11}
• domain manzoniconsulting.it has valid MXA record: mx1.interac.it 212.183.164.48
• 95.56.197.0 has a Griplist value of 0.8


Bayesian Analysis:

Bad Words   Bad Prob   Good Words   Good Prob



Bayesian Spam Probability:

combined probability:   0.5000 - got 0 - used 60 most significant results






Received: from smtp2.netdorm.com (172.31.254.35) by mail.mydomain.com
 (172.31.254.35) with Microsoft SMTP Server id 8.1.436.0; Wed, 15 Aug 2012
 11:40:50 -0400
Received: from smtp2.netdorm.com ([67.214.161.138] helo=smtp2.netdorm.com) by
 spamfilter.mydomain.com with SMTP (2.2.1); 15 Aug 2012 11:40:49 -0400
Received: from [95.56.197.53] ([95.56.197.53]) by smtp2.netdorm.com
 (8.13.8/8.13.8) with ESMTP id q7FFf9fd022957 for
 myacco...@mydomain.com; Wed, 15 Aug
 2012 11:41:11 -0400
Received: from mailb-ea.linkedin.com ([199.101.162.39]) by mx1.interac.it;
  Wed, 15 Aug 2012 04:40:41 +0600
Sender: messages-nore...@bounce.linkedin.com
Date: Wed, 15 Aug 2012 04:40:41 +0600
From: LinkedIn Password passw...@linkedin.com
To: myaccount myacco...@mydomain.com
Message-ID: 430288651.0623442.3275882383774.javamail@ela2-app1439.prod
Subject: Re: Fwd: Better Business Bureau Complaint
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary==_Part_4847258_8686314084.0929890424051
X-LinkedIn-Template: password_reset
X-LinkedIn-Class: ACCT-ADMIN
X-LinkedIn-fbl: s-N5P69E8AHU3GMGEJT75CSRO431MBXDC8K3EG6S-K40V2PDRHOKH9R7
X-OriginalArrivalTime: Wed, 15 Aug 2012 04:40:41 +0600
 FILETIME=[7D3A5495:E1B208E1]
X-Assp-Version: 2.2.1(12137) on spamfilter.mydomain.com
X-Assp-Received-SPF: none ip=67.214.161.138
 mailfrom=angelabrund...@manzoniconsulting.it
 helo=smtp2.netdorm.com
X-Assp-Message-Score: 10 (SPF none)
X-Assp-IP-Score: 10 (SPF none)
X-Assp-Message-Score: 17 (DNSBL: neutral, 95.56.197.53 listed in
 l2.apews.org zen.spamhaus.org)
X-Assp-IP-Score: 17 (DNSBL: neutral, 95.56.197.53 listed in l2.apews.org
 zen.spamhaus.org)
X-Assp-DNSBL: neutral, 95.56.197.53 listed in (l2.apews.org-127.0.0.2;
 zen.spamhaus.org-127.0.0.11; )
X-Assp-ID: spamfilter.mydomain.com m1-45249-76011
X-Assp-Detected-RIP: 199.101.162.39, 95.56.197.53
X-Assp-Source-IP: 199.101.162.39
X-Assp-Envelope-From: angelabrund...@manzoniconsulting.it
X-Assp-Intended-For: myacco...@mydomain.com
Return-Path: angelabrund...@manzoniconsulting.it
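The headers quoted in the post above carry two signals worth checking by hand: From and Sender sit at linkedin.com while the envelope sender is at manzoniconsulting.it, and one relay hop is an IP the DNSBL header already names. As an added example (not part of the original post and not ASSP's own logic), this Python code pulls both out of an abridged copy of those headers; the function names and the two-label domain heuristic are assumptions.

```python
import re
from email import message_from_string

# Constructed sample: abridged from the headers quoted in the post above.
# Elided local parts ("...") are kept exactly as the archive shows them.
SAMPLE = """\
Received: from smtp2.netdorm.com ([67.214.161.138] helo=smtp2.netdorm.com) by
 spamfilter.mydomain.com with SMTP (2.2.1); 15 Aug 2012 11:40:49 -0400
Received: from [95.56.197.53] ([95.56.197.53]) by smtp2.netdorm.com
 (8.13.8/8.13.8) with ESMTP id q7FFf9fd022957; Wed, 15 Aug 2012 11:41:11 -0400
Received: from mailb-ea.linkedin.com ([199.101.162.39]) by mx1.interac.it;
 Wed, 15 Aug 2012 04:40:41 +0600
Sender: messages-nore...@bounce.linkedin.com
From: LinkedIn Password passw...@linkedin.com
X-Assp-DNSBL: neutral, 95.56.197.53 listed in (l2.apews.org-127.0.0.2;
 zen.spamhaus.org-127.0.0.11; )
X-Assp-Envelope-From: angelabrund...@manzoniconsulting.it

(body omitted)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def org_domain(value):
    """Domain after '@', reduced to its last two labels.
    Assumption: a naive stand-in for a Public Suffix List lookup."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value or "")
    return ".".join(m.group(1).lower().strip(".").split(".")[-2:]) if m else None

def analyze(raw):
    """Return envelope domain, misaligned header fields and DNSBL-listed hops."""
    msg = message_from_string(raw)
    envelope = org_domain(msg["X-Assp-Envelope-From"])
    # Header addresses whose domain differs from the envelope sender's domain.
    misaligned = [h for h in ("From", "Sender")
                  if org_domain(msg[h]) not in (None, envelope)]
    # IPs the filter already recorded as blocklisted (the part before "listed in").
    listed = set(re.findall(rf"({IPV4}) listed in", msg.get("X-Assp-DNSBL", "")))
    # First bracketed IP of each Received line = the peer that hop saw.
    hops = [m.group(1) for r in msg.get_all("Received", [])
            if (m := re.search(rf"\[({IPV4})\]", r))]
    return {"envelope": envelope, "misaligned": misaligned, "hops": hops,
            "listed_hops": [ip for ip in hops if ip in listed]}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Only the topmost Received line was written by the local filter; lower lines are supplied by upstream hosts and can be forged, so treat the hop list as a lead for review rather than proof of origin.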

Re: [Assp-test] Reply: Re: too old installed dev versions

2012-08-15 Thread Daniel L. Miller
On 8/14/2012 1:25 AM, Thomas Eckardt wrote:
> Or what about changing the color of the GUI to a 'nice' yellow after
> some time of no update and later to a dazzlingly 'deafening :)' red.
> Or another way would be to popup in the GUI - 'man - do an upgrade' -
> more often than later the time (mean older the version).

There is absolutely nothing wrong with a - discreet - message that the 
current version is out of date, unsupported, potentially with 
bugs-I-mean-undocumented-features  - and a nice shiny new one is 
available for immediate update.

In fact, having a manual update button could be a good thing.  If you 
wanted to go all the way and have the changelog available prior to the 
update, so an admin knows what to look for immediately in the way of new 
configuration, features, or likely, um..., breakages - that would be a 
nice bit of polish.
-- 
Daniel



[Assp-test] Reply: Re: Reply: Re: too old installed dev versions

2012-08-15 Thread Thomas Eckardt
> In fact, having a manual update button could be a good thing.

Here it is (I can't remember how long):

(AutoUpdateASSP)

If this value is changed to 'download and install', the autoupdate
procedure will be scheduled immediately.
...


> changelog available prior to the update

It is available at the same time.


> nothing wrong with a - discreet - message

This discreet message is already shown in the GUI.

Thomas






Re: [Assp-test] Reply: Re: Reply: Re: too old installed dev versions

2012-08-15 Thread Daniel L. Miller
On 8/15/2012 11:00 AM, Thomas Eckardt wrote:
>> In fact, having a manual update button could be a good thing.
> Here it is (I can't remember how long):
>
> (AutoUpdateASSP)
>
> If this value is changed to 'download and install', the autoupdate
> procedure will be scheduled immediately.
> ...

I see that - that's documented.


>> changelog available prior to the update
> It is available at the same time.

Where is that seen?  Without either going to the download site, or
performing an upgrade?  The existing manual download option (by setting
AutoUpdateASSP to download and install) also forces installation - so
admins can't read the changelog BEFORE installing.


>> nothing wrong with a - discreet - message
> This discreet message is already shown in the GUI.

It may have been a while since my auto-update was working correctly, but 
where is this shown outside of logs?

-- 
Daniel



[Assp-test] Reply: Re: Reply: Re: Reply: Re: too old installed dev versions

2012-08-15 Thread Thomas Eckardt
> so admins can't read the changelog BEFORE installing

Oh ... admins who expect to find information at the 'Info and Stats'
screen would be able to read the current installed and the last available
change log  :):):)
(Server Information)

> but where is this shown outside of logs

GUI - TopMenu - a LINK in GREEN letters 'new available ASSP version 
$availversion'
AutoUpdateASSP must not be disabled to see this link - because if admins 
don't care about new versions - I don't have any reason to do that.

Daniel -  EVERY new feature , EVERY bug fix and EVERY new link or change 
in the GUI is documented in the changelog - RTFM first!

Thomas





Re: [Assp-test] Reply: Re: Reply: Re: Reply: Re: too old installed dev versions

2012-08-15 Thread Daniel L. Miller
On 8/15/2012 12:22 PM, Thomas Eckardt wrote:
>> so admins can't read the changelog BEFORE installing
> Oh ... admins who expect to find information at the 'Info and Stats'
> screen would be able to read the current installed and the last available
> change log  :):):)
> (Server Information)

Every day I learn something new :)

>> but where is this shown outside of logs
> GUI - TopMenu - a LINK in GREEN letters 'new available ASSP version
> $availversion'
> AutoUpdateASSP must not be disabled to see this link - because if admins
> don't care about new versions - I don't have any reason to do that.


Well - then my feature requests have already been fulfilled.  That was 
fast work!  :)

This started because you had a concern about deployments of outdated 
versions.  My questions/suggestions were intended to help:

1.  Alert/educate ASSP users about their current status.
2.  Provide a means for a controlled update.

Now - solutions for these already exist as you have shown me.  The 
remaining question is one of presentation - do you feel strongly enough 
about the need for ASSP users to keep current to make a GUI change that 
will bring some of these items more to the front?

-- 
Daniel
