James,

> because it contains a forged received header

Let's look at the header lines:

line 1
> Received: from astaro1.bordo.com.au (localhost [127.0.0.1]) by mail.bordo.com.au (Postfix) with SMTP id 9EB14566F50 for <m...@bordo.com.au>; Wed, 26 Aug 2009 09:03:20 +1000 (EST)

line 2
> Received: from astaro1.bordo.com.au ([192.168.1.2] helo=astaro1.bordo.com.au) by ASSP-nospam; 26 Aug 2009 09:03:20 +1000

line 3
> Received: from gold.dnsstuff.com ([75.125.82.251]:59117 helo=main) by astaro1.bordo.com.au with esmtp (Exim 4.69) (envelope-from <emailavt...@dnsstuff.com>) id 1Mg52q-0004vU-1K for m...@bordo.com.au; Wed, 26 Aug 2009 09:03:17 +1000

line 4
> Received: from forgedsnd.example.com ([127.0.0.2]) by forgedrcv.example.com with fakesvc; Wed, 12 Aug 2009 23:24:02

Which 'Received' line should be the forged one? I think it is line 3. But there is nothing forged in this line, except the 'helo=main', which is not used by ASSP, because it is only an option to have it there.

It looks like your assp 'ASSP-nospam' is not directly connected to a public IP - there is another mail server in front that receives the message - right? You have defined the name of that server as 'ispHostnames' - in your case 'astaro1.bordo.com.au' (line 3). And ASSP has correctly detected the IP and hostname in that line:

Aug-26-09 09:03:20 id-41400-16761 [Worker_3] 192.168.1.2 <emailavt...@dnsstuff.com> to: m...@bordo.com.au Originating IP/HELO: 75.125.82.251 / gold.dnsstuff.com

Line 2
> Received: from astaro1.bordo.com.au ([192.168.1.2] helo=astaro1.bordo.com.au) by ASSP-nospam; 26 Aug 2009 09:03:20 +1000

This line is written by ASSP.

Line 3
> Received: from gold.dnsstuff.com ([75.125.82.251]:59117 helo=main) by astaro1.bordo.com.au with esmtp (Exim 4.69) (envelope-from <emailavt...@dnsstuff.com>) id 1Mg52q-0004vU-1K for m...@bordo.com.au; Wed, 26 Aug 2009 09:03:17 +1000

This line is the first one (Received: line) that ASSP has got.

ASSP has correctly used the IP '75.125.82.251' as connected IP (cip) to make all IP-based checks (SPF, PTR, MX, DNSBL, GRIP, IP-Blocking .....) - if configured.

The line 4
> Received: from forgedsnd.example.com ([127.0.0.2]) by forgedrcv.example.com with fakesvc; Wed, 12 Aug 2009 23:24:02

contains some words (forged... and fake...) which could be detected by 'bombHeaderRe' if you want - but there is no RFC that disallows the usage of such words as host or service name.

I'm unable to see from where we could detect that this is a forged mail!

Thomas

James Brown <jlbr...@bordo.com.au>
26.08.2009 01:21
Please reply to: ASSP development mailing list <assp-test@lists.sourceforge.net>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Cc:
Subject: [Assp-test] Spam getting through from DNSstuff spam test

DNSstuff have a beta of a new anti-spam test tool which I ran. Unfortunately the email got through. What settings should I use to stop this in future?

The message states that it should be caught because it contains a forged received header, but it looks like ASSP is not picking this up. I've increased the rblnValencePB to the default of 35 (from 5).

Running 2.0, 4.02.

Any suggestions about the forged received header?

Thanks,
James.
Log was:

Aug-26-09 09:03:20 id-41400-16761 [Worker_3] 192.168.1.2 <emailavt...@dnsstuff.com> to: m...@bordo.com.au Originating IP/HELO: 75.125.82.251 / gold.dnsstuff.com
Aug-26-09 09:03:20 id-41400-16761 [Worker_3] 192.168.1.2 <emailavt...@dnsstuff.com> to: m...@bordo.com.au Message-Score: added 5 for DNSBLcache: neutral, 75.125.82.251 listed in combined-HIB.dnsiplists.completewhois.com, total score for this message is now 5
Aug-26-09 09:03:20 id-41400-16761 [Worker_3] 192.168.1.2 <emailavt...@dnsstuff.com> to: m...@bordo.com.au Message-Score: added -10 for SPF pass, total score for this message is now -5
Aug-26-09 09:03:20 id-41400-16761 [Worker_3] 192.168.1.2 <emailavt...@dnsstuff.com> to: m...@bordo.com.au info: queued first data in sendqueue
Aug-26-09 09:03:20 id-41400-16761 [Worker_3] 192.168.1.2 <emailavt...@dnsstuff.com> to: m...@bordo.com.au Bayesian Check - Prob: 0.00000 => ham
Aug-26-09 09:03:20 id-41400-16761 [Worker_3] 192.168.1.2 <emailavt...@dnsstuff.com> to: m...@bordo.com.au convert and send data from sendqueue
Aug-26-09 09:03:20 id-41400-16761 [Worker_3] [MessageOK] 192.168.1.2 <emailavt...@dnsstuff.com> to: m...@bordo.com.au message ok [DNSstuff Mail Server Test Center Anti Spam Test Message] -> /Applications/assp//okmail/DNSstuff_Mail_Server_Test_Center_Anti_Spam_Test_Me--4964.eml
Aug-26-09 09:03:20 id-41400-16761 [Worker_3] 192.168.1.2 <emailavt...@dnsstuff.com> to: m...@bordo.com.au info: no MIME/TNEF conversion done

The email that got through, including header, was:

From: sa...@dnsstuff.com
Subject: DNSstuff Mail Server Test Center - Anti-Spam Test Message
Date: 26 August 2009 9:03:14 AM
To: m...@bordo.com.au
Return-Path: <emailavt...@dnsstuff.com>
X-Original-To: m...@bordo.com.au
Delivered-To: m...@bordo.com.au
Received: from astaro1.bordo.com.au (localhost [127.0.0.1]) by mail.bordo.com.au (Postfix) with SMTP id 9EB14566F50 for <m...@bordo.com.au>; Wed, 26 Aug 2009 09:03:20 +1000 (EST)
Received: from astaro1.bordo.com.au ([192.168.1.2] helo=astaro1.bordo.com.au) by ASSP-nospam; 26 Aug 2009 09:03:20 +1000
Received: from gold.dnsstuff.com ([75.125.82.251]:59117 helo=main) by astaro1.bordo.com.au with esmtp (Exim 4.69) (envelope-from <emailavt...@dnsstuff.com>) id 1Mg52q-0004vU-1K for m...@bordo.com.au; Wed, 26 Aug 2009 09:03:17 +1000
Received: from forgedsnd.example.com ([127.0.0.2]) by forgedrcv.example.com with fakesvc; Wed, 12 Aug 2009 23:24:02
X-Ctch-Refid: str=0001.0A150203.4A946DB5.0037:SCFSTAT4073896,ss=1,fgs=0
Mime-Version: 1.0
Content-Type: text/html; charset="US-ASCII"
Content-Disposition: inline
X-Assp-Message/Ip-Score: 5 (DNSBLcache: neutral, 75.125.82.251 listed in combined-HIB.dnsiplists.completewhois.com)
X-Assp-Message/Ip-Score: -10 (SPF pass)
X-Assp-Dnsblcache: neutral, 75.125.82.251 listed in combined-HIB.dnsiplists.completewhois.com
X-Assp-Received-Spf: pass (cache) ip=75.125.82.251 mailfrom=emailavt...@dnsstuff.com helo=astaro1.bordo.com.au
X-Assp-Bayes-Confidence: 0.00000
X-Assp-Envelope-From: emailavt...@dnsstuff.com
X-Assp-Intended-For: m...@bordo.com.au
Message-Id: <20090825230320.9eb14566...@mail.bordo.com.au>

DNSstuff Mail Server Test Center - Anti-Spam Test
Sent by "me" at Tue Aug 25 23:03:14 2009

This is a test message that was sent to you because you or someone you know visited the DNSstuff Mail Server Test Center and ran an anti-spam test against this email address. This email message contains a forged received header with a blacklisted IP Address. If you received this message without a spam warning or notification, we recommend you perform the following steps: Contact your email administrator. If you are the email administrator, review your current anti-spam settings, and ensure that the latest updates are applied and that your spam filtering software is enabled. If the issue is still not resolved or you need additional assistance, please reply to this email and a DNSstuff sales team member will contact you.
If you received this message in error or if you require assistance, please reply to this email.

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
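Thomas's explanation of how ASSP picks the connected IP from the first Received: line stamped by an ispHostname, worked through on the headers quoted in this thread. This is an added example, not ASSP's code or anything posted to the list: the regex and the trust-boundary rule are my simplification of what ASSP does, and ISP_HOSTNAMES is James's setting as described above.

```python
import re

# Received: lines of the DNSstuff test message quoted in the thread, newest first.
RECEIVED = [
    "from astaro1.bordo.com.au (localhost [127.0.0.1]) by mail.bordo.com.au (Postfix) with SMTP "
    "id 9EB14566F50 for <m...@bordo.com.au>; Wed, 26 Aug 2009 09:03:20 +1000 (EST)",
    "from astaro1.bordo.com.au ([192.168.1.2] helo=astaro1.bordo.com.au) by ASSP-nospam; "
    "26 Aug 2009 09:03:20 +1000",
    "from gold.dnsstuff.com ([75.125.82.251]:59117 helo=main) by astaro1.bordo.com.au with esmtp "
    "(Exim 4.69) (envelope-from <emailavt...@dnsstuff.com>) id 1Mg52q-0004vU-1K "
    "for m...@bordo.com.au; Wed, 26 Aug 2009 09:03:17 +1000",
    "from forgedsnd.example.com ([127.0.0.2]) by forgedrcv.example.com with fakesvc; "
    "Wed, 12 Aug 2009 23:24:02",
]

# James's ispHostnames value as described in the thread (the MTA in front of ASSP).
ISP_HOSTNAMES = {"astaro1.bordo.com.au"}

# Simplified parser for the common "from NAME (... [IP]...) by HOST" shape; not ASSP's own regex.
HOP_RE = re.compile(
    r"^from\s+(?P<name>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?"
    r"(?:\s+helo=(?P<helo>[^\s)]+))?\)\s+by\s+(?P<by>[^\s;]+)"
)


def parse_hop(line):
    """Return (from_name, ip, helo, by) for one Received: line, or raise if it does not parse."""
    m = HOP_RE.match(line)
    if not m:
        raise ValueError(f"unparseable Received: line: {line!r}")
    return m.group("name"), m.group("ip"), m.group("helo"), m.group("by")


def originating_hop(received, isp_hostnames):
    """Model ASSP's ispHostnames rule: the first Received: line stamped by one of those hosts
    records the real TCP client, so its IP becomes the connected IP (cip) for SPF/PTR/DNSBL
    checks and its claimed name is what the log reports as HELO. Every line below that
    boundary was supplied by the sender itself and cannot be verified; return those IPs too."""
    hops = [parse_hop(line) for line in received]
    for i, (name, ip, _helo, by) in enumerate(hops):
        if by in isp_hostnames:
            unverifiable = [h[1] for h in hops[i + 1:]]
            return ip, name, unverifiable
    raise ValueError("no Received: line stamped by an ispHostname; cip cannot be determined")


if __name__ == "__main__":
    cip, helo, below = originating_hop(RECEIVED, ISP_HOSTNAMES)
    print(f"Originating IP/HELO: {cip} / {helo}")  # same values as the ASSP log line in the thread
    print(f"unverifiable hops below the trust boundary: {below}")  # ['127.0.0.2']
```

The forged line 4 ends up in the unverifiable list: ASSP never treats 127.0.0.2 as the connecting IP, which is why the IP-based checks ran against 75.125.82.251 and the test message passed.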