Re: [Assp-test] PB-IP-Score suddenly dropping

Thomas Eckardt Mon, 03 Oct 2016 00:13:03 -0700

There are dozend of reasons why this can happen.
Most common is 'PenaltyExpiration'.
If there is a good mail transfered by an IP, the IP score is deleted to 
prevent false positives. Where good means - no doubed, like 'contentOnly', 
RWL, SPF, DKIM ....


Thomas.






Von:    "Dirk Kulmsee" <d.kulm...@netgroup.de>
An:     "'ASSP development mailing list'" 
<assp-test@lists.sourceforge.net>
Datum:  02.10.2016 20:04
Betreff:        [Assp-test] PB-IP-Score suddenly dropping



Hi all,

 

I just tracked some IPs through my logfiles just to see how they build up
their score. Something strange is happening:

 

Case 1: between 09:51:13 and 12:49:10 PB-IP-Score drops from 600 to 0
without any visible reason

 

2016-10-02 06:13:54 [Worker_1] Connected: session:7F11F4A35FA0
118.71.251.67:53467 > 192.168.12.242:25 > 127.0.0.1:125

2016-10-02 06:13:54 [Worker_1] 118.71.251.67 Disabled SMTP AUTH for 
External
IPs

2016-10-02 06:13:55 [Worker_1] [unsupported_AUTH] 118.71.251.67 AUTH not
allowed

2016-10-02 06:13:55 [Worker_1] 118.71.251.67 Message-Score: added 60
(autValencePB) for too many AUTH errors from 118.71.251.0, total score for
this message is now 60

2016-10-02 06:13:55 [Worker_1] 118.71.251.67 PB-IP-Score for 
'118.71.251.67'
is 540, added 60 for AUTHErrors

2016-10-02 06:13:55 [Worker_1] 118.71.251.67 [SMTP Error] 502 AUTH not
supported

2016-10-02 06:13:55 [Worker_1] 118.71.251.67 info: start damping (12 s)

2016-10-02 06:14:07 [Worker_1] 118.71.251.67 info: PB-IP-Score for
'118.71.251.67' is 540, added 60 in this session

2016-10-02 06:14:07 [Worker_1] 118.71.251.67 disconnected:
session:7F11F4A35FA0 118.71.251.67 - processing time 13 seconds

2016-10-02 06:22:56 [Worker_1] Delayed ip 118.71.251.67, because
PBBlack(540) is higher than DelayIP(500)- last penalty reason was:
AUTHErrors

2016-10-02 07:07:29 [Worker_1] Connected: session:7F11F4C41160
118.71.251.67:54518 > 192.168.12.242:25 > 127.0.0.1:125

2016-10-02 07:07:29 [Worker_1] 118.71.251.67 Disabled SMTP AUTH for 
External
IPs

2016-10-02 07:07:29 [Worker_1] [unsupported_AUTH] 118.71.251.67 AUTH not
allowed

2016-10-02 07:07:29 [Worker_1] 118.71.251.67 Message-Score: added 60
(autValencePB) for too many AUTH errors from 118.71.251.0, total score for
this message is now 60

2016-10-02 07:07:29 [Worker_1] 118.71.251.67 PB-IP-Score for 
'118.71.251.67'
is 600, added 60 for AUTHErrors

2016-10-02 07:07:29 [Worker_1] 118.71.251.67 [SMTP Error] 502 AUTH not
supported

2016-10-02 07:07:29 [Worker_1] 118.71.251.67 info: start damping (12 s)

2016-10-02 07:07:53 [Worker_1] 118.71.251.67 info: PB-IP-Score for
'118.71.251.67' is 600, added 60 in this session

2016-10-02 07:07:53 [Worker_1] 118.71.251.67 disconnected:
session:7F11F4C41160 118.71.251.67 - processing time 24 seconds

2016-10-02 09:51:13 [Worker_1] Delayed ip 118.71.251.67, because
PBBlack(600) is higher than DelayIP(500)- last penalty reason was:
AUTHErrors

2016-10-02 12:49:10 [Worker_1] Connected: session:7F11F573EEF0
118.71.251.67:2425 > 192.168.12.242:25 > 127.0.0.1:125

2016-10-02 12:49:10 [Worker_1] 118.71.251.67 Disabled SMTP AUTH for 
External
IPs

2016-10-02 12:49:10 [Worker_1] [unsupported_AUTH] 118.71.251.67 AUTH not
allowed

2016-10-02 12:49:10 [Worker_1] 118.71.251.67 Message-Score: added 60
(autValencePB) for too many AUTH errors from 118.71.251.0, total score for
this message is now 60

2016-10-02 12:49:10 [Worker_1] 118.71.251.67 PB-IP-Score for 
'118.71.251.67'
is 60, added 60 for AUTHErrors

2016-10-02 12:49:10 [Worker_1] 118.71.251.67 [SMTP Error] 502 AUTH not
supported

2016-10-02 12:49:11 [Worker_1] 118.71.251.67 info: start damping (12 s)

2016-10-02 12:49:34 [Worker_1] 118.71.251.67 info: PB-IP-Score for
'118.71.251.67' is 60, added 60 in this session

2016-10-02 12:49:34 [Worker_1] 118.71.251.67 disconnected:
session:7F11F573EEF0 118.71.251.67 - processing time 24 seconds

 

Case 2: between 15:02:57 and 15:41:09 PB-IP-Score drops from 600 to 0
without any visible reason

 

2016-10-02 11:49:40 [Worker_1] Connected: session:7F11F65EC988
46.32.239.160:64727 > 192.168.12.242:25 > 127.0.0.1:125

2016-10-02 11:49:40 [Worker_1] 46.32.239.160 Disabled SMTP AUTH for 
External
IPs

2016-10-02 11:49:41 [Worker_1] [unsupported_AUTH] 46.32.239.160 AUTH not
allowed

2016-10-02 11:49:41 [Worker_1] 46.32.239.160 Message-Score: added 60
(autValencePB) for too many AUTH errors from 46.32.239.0, total score for
this message is now 60

2016-10-02 11:49:41 [Worker_1] 46.32.239.160 PB-IP-Score for 
'46.32.239.160'
is 540, added 60 for AUTHErrors

2016-10-02 11:49:41 [Worker_1] 46.32.239.160 [SMTP Error] 502 AUTH not
supported

2016-10-02 11:49:41 [Worker_1] 46.32.239.160 info: start damping (12 s)

2016-10-02 11:50:05 [Worker_1] 46.32.239.160 info: PB-IP-Score for
'46.32.239.160' is 540, added 60 in this session

2016-10-02 11:50:05 [Worker_1] 46.32.239.160 disconnected:
session:7F11F65EC988 46.32.239.160 - processing time 25 seconds

2016-10-02 14:43:24 [Worker_1] Delayed ip 46.32.239.160, because
PBBlack(540) is higher than DelayIP(500)- last penalty reason was:
AUTHErrors

2016-10-02 15:02:32 [Worker_1] Connected: session:7F11F6667F10
46.32.239.160:64548 > 192.168.12.242:25 > 127.0.0.1:125

2016-10-02 15:02:32 [Worker_1] 46.32.239.160 Disabled SMTP AUTH for 
External
IPs

2016-10-02 15:02:33 [Worker_1] [unsupported_AUTH] 46.32.239.160 AUTH not
allowed

2016-10-02 15:02:33 [Worker_1] 46.32.239.160 Message-Score: added 60
(autValencePB) for too many AUTH errors from 46.32.239.0, total score for
this message is now 60

2016-10-02 15:02:33 [Worker_1] 46.32.239.160 PB-IP-Score for 
'46.32.239.160'
is 600, added 60 for AUTHErrors

2016-10-02 15:02:33 [Worker_1] 46.32.239.160 [SMTP Error] 502 AUTH not
supported

2016-10-02 15:02:33 [Worker_1] 46.32.239.160 info: start damping (12 s)

2016-10-02 15:02:57 [Worker_1] 46.32.239.160 info: PB-IP-Score for
'46.32.239.160' is 600, added 60 in this session

2016-10-02 15:02:57 [Worker_1] 46.32.239.160 disconnected:
session:7F11F6667F10 46.32.239.160 - processing time 25 seconds

2016-10-02 15:41:08 [Worker_1] Connected: session:7F11F70B3378
46.32.239.160:56422 > 192.168.12.242:25 > 127.0.0.1:125

2016-10-02 15:41:08 [Worker_1] 46.32.239.160 Disabled SMTP AUTH for 
External
IPs

2016-10-02 15:41:09 [Worker_1] [unsupported_AUTH] 46.32.239.160 AUTH not
allowed

2016-10-02 15:41:09 [Worker_1] 46.32.239.160 Message-Score: added 60
(autValencePB) for too many AUTH errors from 46.32.239.0, total score for
this message is now 60

2016-10-02 15:41:09 [Worker_1] 46.32.239.160 PB-IP-Score for 
'46.32.239.160'
is 60, added 60 for AUTHErrors

2016-10-02 15:41:09 [Worker_1] 46.32.239.160 [SMTP Error] 502 AUTH not
supported

2016-10-02 15:41:09 [Worker_1] 46.32.239.160 info: start damping (12 s)

2016-10-02 15:41:33 [Worker_1] 46.32.239.160 info: PB-IP-Score for
'46.32.239.160' is 60, added 60 in this session

2016-10-02 15:41:33 [Worker_1] 46.32.239.160 disconnected:
session:7F11F70B3378 46.32.239.160 - processing time 25 seconds

 


I'm currently running  ASSP version 2.5.2(16270) on Debian with perl 5.22.
There have been no restarts or resets of ASSP for 6 days.

 

Any ideas what has happened here?

 

 

Best regards

Dirk

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test

Re: [Assp-test] PB-IP-Score suddenly dropping

Reply via email to