Hi all,

 

I just tracked some IPs through my logfiles just to see how they build up
their score. Something strange is happening:

 

Case 1: between 09:51:13 and 12:49:10 PB-IP-Score drops from 600 to 0
without any visible reason

 

2016-10-02 06:13:54 [Worker_1] Connected: session:7F11F4A35FA0
118.71.251.67:53467 > 192.168.12.242:25 > 127.0.0.1:125

2016-10-02 06:13:54 [Worker_1] 118.71.251.67 Disabled SMTP AUTH for External
IPs

2016-10-02 06:13:55 [Worker_1] [unsupported_AUTH] 118.71.251.67 AUTH not
allowed

2016-10-02 06:13:55 [Worker_1] 118.71.251.67 Message-Score: added 60
(autValencePB) for too many AUTH errors from 118.71.251.0, total score for
this message is now 60

2016-10-02 06:13:55 [Worker_1] 118.71.251.67 PB-IP-Score for '118.71.251.67'
is 540, added 60 for AUTHErrors

2016-10-02 06:13:55 [Worker_1] 118.71.251.67 [SMTP Error] 502 AUTH not
supported

2016-10-02 06:13:55 [Worker_1] 118.71.251.67 info: start damping (12 s)

2016-10-02 06:14:07 [Worker_1] 118.71.251.67 info: PB-IP-Score for
'118.71.251.67' is 540, added 60 in this session

2016-10-02 06:14:07 [Worker_1] 118.71.251.67 disconnected:
session:7F11F4A35FA0 118.71.251.67 - processing time 13 seconds

2016-10-02 06:22:56 [Worker_1] Delayed ip 118.71.251.67, because
PBBlack(540) is higher than DelayIP(500)- last penalty reason was:
AUTHErrors

2016-10-02 07:07:29 [Worker_1] Connected: session:7F11F4C41160
118.71.251.67:54518 > 192.168.12.242:25 > 127.0.0.1:125

2016-10-02 07:07:29 [Worker_1] 118.71.251.67 Disabled SMTP AUTH for External
IPs

2016-10-02 07:07:29 [Worker_1] [unsupported_AUTH] 118.71.251.67 AUTH not
allowed

2016-10-02 07:07:29 [Worker_1] 118.71.251.67 Message-Score: added 60
(autValencePB) for too many AUTH errors from 118.71.251.0, total score for
this message is now 60

2016-10-02 07:07:29 [Worker_1] 118.71.251.67 PB-IP-Score for '118.71.251.67'
is 600, added 60 for AUTHErrors

2016-10-02 07:07:29 [Worker_1] 118.71.251.67 [SMTP Error] 502 AUTH not
supported

2016-10-02 07:07:29 [Worker_1] 118.71.251.67 info: start damping (12 s)

2016-10-02 07:07:53 [Worker_1] 118.71.251.67 info: PB-IP-Score for
'118.71.251.67' is 600, added 60 in this session

2016-10-02 07:07:53 [Worker_1] 118.71.251.67 disconnected:
session:7F11F4C41160 118.71.251.67 - processing time 24 seconds

2016-10-02 09:51:13 [Worker_1] Delayed ip 118.71.251.67, because
PBBlack(600) is higher than DelayIP(500)- last penalty reason was:
AUTHErrors

2016-10-02 12:49:10 [Worker_1] Connected: session:7F11F573EEF0
118.71.251.67:2425 > 192.168.12.242:25 > 127.0.0.1:125

2016-10-02 12:49:10 [Worker_1] 118.71.251.67 Disabled SMTP AUTH for External
IPs

2016-10-02 12:49:10 [Worker_1] [unsupported_AUTH] 118.71.251.67 AUTH not
allowed

2016-10-02 12:49:10 [Worker_1] 118.71.251.67 Message-Score: added 60
(autValencePB) for too many AUTH errors from 118.71.251.0, total score for
this message is now 60

2016-10-02 12:49:10 [Worker_1] 118.71.251.67 PB-IP-Score for '118.71.251.67'
is 60, added 60 for AUTHErrors

2016-10-02 12:49:10 [Worker_1] 118.71.251.67 [SMTP Error] 502 AUTH not
supported

2016-10-02 12:49:11 [Worker_1] 118.71.251.67 info: start damping (12 s)

2016-10-02 12:49:34 [Worker_1] 118.71.251.67 info: PB-IP-Score for
'118.71.251.67' is 60, added 60 in this session

2016-10-02 12:49:34 [Worker_1] 118.71.251.67 disconnected:
session:7F11F573EEF0 118.71.251.67 - processing time 24 seconds

 

Case 2: between 15:02:57 and 15:41:09 PB-IP-Score drops from 600 to 0
without any visible reason

 

2016-10-02 11:49:40 [Worker_1] Connected: session:7F11F65EC988
46.32.239.160:64727 > 192.168.12.242:25 > 127.0.0.1:125

2016-10-02 11:49:40 [Worker_1] 46.32.239.160 Disabled SMTP AUTH for External
IPs

2016-10-02 11:49:41 [Worker_1] [unsupported_AUTH] 46.32.239.160 AUTH not
allowed

2016-10-02 11:49:41 [Worker_1] 46.32.239.160 Message-Score: added 60
(autValencePB) for too many AUTH errors from 46.32.239.0, total score for
this message is now 60

2016-10-02 11:49:41 [Worker_1] 46.32.239.160 PB-IP-Score for '46.32.239.160'
is 540, added 60 for AUTHErrors

2016-10-02 11:49:41 [Worker_1] 46.32.239.160 [SMTP Error] 502 AUTH not
supported

2016-10-02 11:49:41 [Worker_1] 46.32.239.160 info: start damping (12 s)

2016-10-02 11:50:05 [Worker_1] 46.32.239.160 info: PB-IP-Score for
'46.32.239.160' is 540, added 60 in this session

2016-10-02 11:50:05 [Worker_1] 46.32.239.160 disconnected:
session:7F11F65EC988 46.32.239.160 - processing time 25 seconds

2016-10-02 14:43:24 [Worker_1] Delayed ip 46.32.239.160, because
PBBlack(540) is higher than DelayIP(500)- last penalty reason was:
AUTHErrors

2016-10-02 15:02:32 [Worker_1] Connected: session:7F11F6667F10
46.32.239.160:64548 > 192.168.12.242:25 > 127.0.0.1:125

2016-10-02 15:02:32 [Worker_1] 46.32.239.160 Disabled SMTP AUTH for External
IPs

2016-10-02 15:02:33 [Worker_1] [unsupported_AUTH] 46.32.239.160 AUTH not
allowed

2016-10-02 15:02:33 [Worker_1] 46.32.239.160 Message-Score: added 60
(autValencePB) for too many AUTH errors from 46.32.239.0, total score for
this message is now 60

2016-10-02 15:02:33 [Worker_1] 46.32.239.160 PB-IP-Score for '46.32.239.160'
is 600, added 60 for AUTHErrors

2016-10-02 15:02:33 [Worker_1] 46.32.239.160 [SMTP Error] 502 AUTH not
supported

2016-10-02 15:02:33 [Worker_1] 46.32.239.160 info: start damping (12 s)

2016-10-02 15:02:57 [Worker_1] 46.32.239.160 info: PB-IP-Score for
'46.32.239.160' is 600, added 60 in this session

2016-10-02 15:02:57 [Worker_1] 46.32.239.160 disconnected:
session:7F11F6667F10 46.32.239.160 - processing time 25 seconds

2016-10-02 15:41:08 [Worker_1] Connected: session:7F11F70B3378
46.32.239.160:56422 > 192.168.12.242:25 > 127.0.0.1:125

2016-10-02 15:41:08 [Worker_1] 46.32.239.160 Disabled SMTP AUTH for External
IPs

2016-10-02 15:41:09 [Worker_1] [unsupported_AUTH] 46.32.239.160 AUTH not
allowed

2016-10-02 15:41:09 [Worker_1] 46.32.239.160 Message-Score: added 60
(autValencePB) for too many AUTH errors from 46.32.239.0, total score for
this message is now 60

2016-10-02 15:41:09 [Worker_1] 46.32.239.160 PB-IP-Score for '46.32.239.160'
is 60, added 60 for AUTHErrors

2016-10-02 15:41:09 [Worker_1] 46.32.239.160 [SMTP Error] 502 AUTH not
supported

2016-10-02 15:41:09 [Worker_1] 46.32.239.160 info: start damping (12 s)

2016-10-02 15:41:33 [Worker_1] 46.32.239.160 info: PB-IP-Score for
'46.32.239.160' is 60, added 60 in this session

2016-10-02 15:41:33 [Worker_1] 46.32.239.160 disconnected:
session:7F11F70B3378 46.32.239.160 - processing time 25 seconds

 


I'm currently running ASSP version 2.5.2(16270) on Debian with perl 5.22.
There have been no restarts or resets of ASSP for 6 days.

Any ideas what has happened here?

Best regards

Dirk
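
An added example, not part of the message above and not ASSP code: a small Python script that replays the score-bearing log lines and reports every point where an IP's PB-IP-Score, before a new penalty is added, is lower than the last total the log showed. It assumes the raw log file with one entry per line (the entries above are wrapped by the mail client); the sample is constructed from entries quoted in the post.

```python
import re

TS = r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
# "PB-IP-Score for '<ip>' is <total>, added <n> for <reason>"    (penalty applied)
# "PB-IP-Score for '<ip>' is <total>, added <n> in this session" (session summary)
SCORE_RE = re.compile(TS + r".*PB-IP-Score for '([^']+)' is (\d+), added (\d+) (for|in) ")
# "Delayed ip <ip>, because PBBlack(<total>) is higher than DelayIP(...)"
DELAY_RE = re.compile(TS + r".*Delayed ip ([^,\s]+), because PBBlack\((\d+)\)")

# Constructed sample: a subset of the entries quoted in the post, unwrapped.
SAMPLE_LOG = """\
2016-10-02 07:07:29 [Worker_1] 118.71.251.67 PB-IP-Score for '118.71.251.67' is 600, added 60 for AUTHErrors
2016-10-02 07:07:53 [Worker_1] 118.71.251.67 info: PB-IP-Score for '118.71.251.67' is 600, added 60 in this session
2016-10-02 09:51:13 [Worker_1] Delayed ip 118.71.251.67, because PBBlack(600) is higher than DelayIP(500)- last penalty reason was: AUTHErrors
2016-10-02 12:49:10 [Worker_1] 118.71.251.67 PB-IP-Score for '118.71.251.67' is 60, added 60 for AUTHErrors
2016-10-02 12:49:34 [Worker_1] 118.71.251.67 info: PB-IP-Score for '118.71.251.67' is 60, added 60 in this session
2016-10-02 15:02:33 [Worker_1] 46.32.239.160 PB-IP-Score for '46.32.239.160' is 600, added 60 for AUTHErrors
2016-10-02 15:02:57 [Worker_1] 46.32.239.160 info: PB-IP-Score for '46.32.239.160' is 600, added 60 in this session
2016-10-02 15:41:09 [Worker_1] 46.32.239.160 PB-IP-Score for '46.32.239.160' is 60, added 60 for AUTHErrors
"""

def find_score_drops(log_text):
    """Return (ip, last_seen, last_score, seen, score_before_penalty) for each
    entry whose pre-penalty score is below the last total logged for that IP."""
    last, drops = {}, []
    for line in log_text.splitlines():
        m, d = SCORE_RE.match(line), DELAY_RE.match(line)
        if m:
            ip, total = m.group(2), int(m.group(3))
            # Only a penalty line reveals the score held before this penalty.
            before = total - int(m.group(4)) if m.group(5) == "for" else total
        elif d:
            ip, total = d.group(2), int(d.group(3))
            before = total
        else:
            continue  # connection, SMTP error, damping lines carry no score
        ts = (m or d).group(1)
        if ip in last and before < last[ip][1]:
            drops.append((ip, last[ip][0], last[ip][1], ts, before))
        last[ip] = (ts, total)
    return drops

if __name__ == "__main__":
    for ip, t0, s0, t1, s1 in find_score_drops(SAMPLE_LOG):
        print(f"{ip}: score {s0} at {t0} -> {s1} by {t1}")
```

Each reported window is bounded by the last line that still showed the old score and the first penalty line that started from the lower one, which narrows where in the log (or in ASSP's maintenance activity) to look for the cause.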
