Any additional insight on this from anyone? I'd appreciate it.
-A
On Friday, October 3, 2014 8:19 AM, Andy Bradford
<[email protected]> wrote:
One thing that I find peculiar, even when ASSP is building up its database of
spam to "learn", is that mail from legitimate sources that are not on a blacklist
is getting blocked. For example:
====
Received: from mta.panerabreadnews.com ([68.232.195.37]
helo=mta.panerabreadnews.com) by ASSP.nospam with ESMTP (ASSP 1.9.9); 3 Oct
2014 06:07:48 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608;
d=panerabreadnews.com;
h=From:To:Subject:Date:List-Unsubscribe:MIME-Version:Reply-To:Message-ID:Content-Type;
[email protected];
bh=7mzmNrKwtF7nRoj4DGReSNstRt8=;
b=G0VLv67Dpmv8TS6c+r3c0EfumCXl2QVuaL3OTSEuImbbMjOb4a0mJCGrRHoIdFL/cz7PmUtmPCd2
Apv3iWEuSV/9gJBqzSeKRtoXIp7gVvUnu2j1Qb9SYmVn3FcnwjwuGyua9wfhrNsHZXsusA1o+9Yw
jdALTpI5IJfVMI+TqKE=
Received: by mta.panerabreadnews.com id h5pqo6163hs0 for
<>; Fri, 3 Oct 2014 04:07:55 -0600 (envelope-from
<bounce-96_html-26893704-2251261-1064718-...@bounce.panerabreadnews.com>)
From: Panera Bread <[email protected]>
To: <>
Subject: You can earn a free You Pick Two.
Date: Fri, 3 Oct 2014 04:07:54 -0600
List-Unsubscribe:
<mailto:leave-fd7c1d761a3c402029-fe5816767d6d077a7510-fe9c16727065067b74-fe9415707360037c7d-ff6a177...@leave.panerabreadnews.com>
MIME-Version: 1.0
Reply-To: Panera Bread
<reply-fe9c16727065067b74-96_html-26893704-1064718-...@panerabreadnews.com>
x-job: 1064718_2251261
Message-ID: <[email protected]>
Content-Type: multipart/alternative; boundary="HQcldVHl67lB=_?:"
X-Assp-Version: 1.9.9(13227) on ASSP.nospam
X-Assp-Score: -12 (bombSenderRe: 'news. (-12)')
X-Assp-Score: 19 (bombSubjectRe: 'free (12)' , 'earn (7)')
X-Assp-Score: 25 (bombHeaderRe: '3 oct 2014 06:07:48 -0400 (25)')
X-Original-Authentication-Results: ASSP.nospam; spf=pass (SPF: pass
record='v=spf1 include:cust-spf.exacttarget.com -all' ip=68.232.195.37
mailfrom=bounce-96_html-26893704-2251261-1064718-...@bounce.panerabreadnews.com
helo=mta.panerabreadnews.com)
X-Assp-Score: 11 (Low Reputation for 68.232.195.37)
X-Assp-Score: -10 (bombSuspiciousRe: 'list-unsubscribe: (-10)')
X-Assp-Score: 55 (URIBL failed: 'panerabreadnews.com'(black.uribl.com ))
X-Assp-Envelope-From:
bounce-96_html-26893704-2251261-1064718-...@bounce.panerabreadnews.com
X-Assp-Intended-For:
X-Assp-ID: ASSP.nospam m-41233-00099
X-Assp-Spam: YES
X-Assp-Block: NO (alltestmode)
X-Assp-Spam-Found: URIBL failed: 'panerabreadnews.com'(black.uribl.com )
X-Assp-Message-Totalscore: 88
Return-Path:
bounce-96_html-26893704-2251261-1064718-...@bounce.panerabreadnews.com
====
I'm confused as to why "panerabreadnews.com" was reported as being on the
URIBL, considering that when I check with them directly by manually
performing a lookup on their site, it's not listed. Could this be because Cox
has port 25 blocked for me (non-business account), and I smarthost out
through a different provider? I'm wondering whether, if what I suspect is
true, ASSP is trying to query out over port 25 to perform the URIBL lookup,
not getting a response, and just assuming it to be bad.
-A
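Added example (my code, not ASSP's and not from anyone in the thread) showing how a mail filter actually consults an IP-based DNSBL and URIBL: it builds the query name (reversed octets for IP lists, the registered domain for URIBL), asks for A records over DNS, and decodes the 127.0.0.x answer. Both lookups are ordinary DNS queries to port 53, so they depend on a working resolver rather than on outbound port 25. The resolver is a parameter; the `constructed_resolver` answers below are made up for an offline run and are not a record of what uribl.com or barracudacentral.org returned in October 2014. The one documented fact the example leans on is that a URIBL answer of 127.0.0.1 means "query refused" (typically because the queries arrive through a shared or public resolver), and a checker that treats any answer as a listing will report a clean domain as listed.

```python
"""DNSBL / URIBL lookups done the way a mail filter does them: build the query
name, fetch A records over DNS, decode the 127.0.0.x answer.

The resolver is a parameter so the decoding logic can be exercised offline
with constructed answers; pass system_resolver (or run with --live) for real
checks. Added example for this thread, not ASSP code.
"""
import ipaddress
import socket

# URIBL answer bits as documented at uribl.com. 127.0.0.1 is NOT a listing:
# it means the query was refused (typically too much traffic from a shared or
# public resolver). Treating every 127.0.0.x answer as "listed" turns a
# refused query into a false positive for whatever domain was asked about.
URIBL_BITS = {1: "refused", 2: "black", 4: "grey", 8: "red"}


def dnsbl_query_name(ip, zone):
    """IP lists are keyed by reversed octets: 87.106.211.104 -> 104.211.106.87.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def uribl_query_name(domain, zone="black.uribl.com"):
    """Domain lists are keyed by the registered domain, as ASSP logged it."""
    return domain.strip().rstrip(".").lower() + "." + zone


def system_resolver(name):
    """A records for name via the system resolver; [] on NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def decode_uribl(answers):
    """Map 127.0.0.x answers to list names; e.g. 127.0.0.14 = black+grey+red."""
    flags = set()
    for a in answers:
        last = int(a.rsplit(".", 1)[1])
        flags.update(label for bit, label in URIBL_BITS.items() if last & bit)
    return sorted(flags)


def check_ip(ip, zone, resolve=system_resolver):
    """Any A record from an IP-based DNSBL means the address is listed."""
    name = dnsbl_query_name(ip, zone)
    answers = resolve(name)
    return {"query": name, "answers": answers, "listed": bool(answers)}


def check_uribl(domain, zone="black.uribl.com", resolve=system_resolver):
    """Listed only if a real list bit is set; a refused query is not a hit."""
    name = uribl_query_name(domain, zone)
    answers = resolve(name)
    flags = decode_uribl(answers)
    return {
        "query": name,
        "answers": answers,
        "flags": flags,
        "refused": "refused" in flags,
        "listed": any(f != "refused" for f in flags),
    }


def constructed_resolver(name):
    """Constructed answers for an offline run; not real listing data."""
    table = {
        "104.211.106.87.b.barracudacentral.org": ["127.0.0.2"],  # listed
        "panerabreadnews.com.black.uribl.com": ["127.0.0.1"],    # query refused
        "dimensiondata.com.black.uribl.com": [],                  # NXDOMAIN: clean
    }
    return table.get(name, [])


if __name__ == "__main__":
    import sys
    resolve = system_resolver if "--live" in sys.argv else constructed_resolver
    print(check_ip("87.106.211.104", "b.barracudacentral.org", resolve))
    print(check_uribl("panerabreadnews.com", resolve=resolve))
    print(check_uribl("dimensiondata.com", resolve=resolve))
```

Run it as-is for the constructed answers, or with `--live` to query the real zones from the host's resolver; comparing the `answers` field from a live run against the flags is the quickest way to tell a refused query from a genuine listing.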
On Thursday, October 2, 2014 3:59 PM, Jay Tarbox <[email protected]>
wrote:
Is this list really this dead???
-----Original Message-----
From: Jay Tarbox [mailto:[email protected]]
Sent: October 02, 2014 07:58
To: Andy Bradford; For Users of ASSP
Subject: Re: [Assp-user] New to ASSP - some questions and issues with getting
started
I ran ASSP for a long time in “testmode” with subject line [Spam?] added.
I then had users setup a rule to kick emails with that subject to their junk
folders if they wanted.
After several years actually, I gained the confidence to start blocking.
(we’re a services company so an incorrectly discarded email could cost us money
eg a sale) It still tags possible spam messages for the junk folder and the
most egregiously scored are blocked.
From: Andy Bradford [mailto:[email protected]]
Sent: October 01, 2014 21:26
To: Jay Tarbox; For Users of ASSP
Subject: Re: [Assp-user] New to ASSP - some questions and issues with getting
started
Jay,
Happy to see a fellow New Englander on the list! Thanks for the tip. I was
considering doing this, but wasn't sure how it managed to "learn", I guess I
should say. Will it eventually work out the O365 blocking over time if I threw
it in testmode? Is there anything else I should consider doing before that,
considering it's going to tag messages in the subject with "possiblespam", etc?
Thanks,
Andy
On Wednesday, October 1, 2014 7:33 PM, Jay Tarbox
<[email protected]> wrote:
You should probably let it run in testmode for a while to build up a database
of spam and ham first, before blocking anything.
-----Original Message-----
From: Andy Bradford [mailto:[email protected]]
Sent: October 01, 2014 18:02
To: [email protected]
Subject: [Assp-user] New to ASSP - some questions and issues with getting
started
Hey guys,
Stumbled across ASSP being recommended as a pretty good spam fighting solution
to put in front of a mail server via a thread on Reddit, and thought I'd give
it a shot to replace my now unsupported (and quite frankly, just bad) solution
of Forefront for Exchange. I'm running a small Exchange 2010 box for about 20
mailboxes, some that get hammered with spam more than others. I stood up a VM
with a FreeBSD 10 install, opted to install Postfix, and threw up ASSP to dive
in.
Install went smoothly, and I redirected my firewall rule for ports 25 and 465
to flow mail through my mail filtering VM, configured to pass the mail to
Exchange. I started seeing some issues though, even after messing with some of
the values:
Here's a legit email from an Office 365 mail user:
====
Sep-29-14 00:49:13 m-41196-00013 157.56.110.132 <sender-redacted@office365> to: recipient-redacted@exchange Message-Score: added 25 for bombSubjectRe: 'subject-redacted (25)', total score for this message is now 25;
Sep-29-14 00:49:13 m-41196-00013 [BombSubject] 157.56.110.132 <sender-redacted@office365> to: recipient-redacted@exchange [scoring:25] -- bombSubjectRe: 'subject-redacted (25)' -- [subject-redacted];
Sep-29-14 00:49:13 m-41196-00013 157.56.110.132 <sender-redacted@office365> to: recipient-redacted@exchange Message-Score: added 25 for bombHeaderRe: '9 sep 2014 00:49:03 -0400 (25)', total score for this message is now 50;
Sep-29-14 00:49:13 m-41196-00013 [BombHeader] 157.56.110.132 <sender-redacted@office365> to: recipient-redacted@exchange [scoring:25] -- bombHeaderRe: '9 sep 2014 00:49:03 -0400 (25)' -- [subject-redacted];
Sep-29-14 00:49:13 m-41196-00013 157.56.110.132 <sender-redacted@office365> to: recipient-redacted@exchange Message-Score: added 17 for Bad Reputation for 157.56.110.132, total score for this message is now 67;
Sep-29-14 00:49:13 m-41196-00013 157.56.110.132 <sender-redacted@office365> to: recipient-redacted@exchange Bayesian Check [scoring:-10] - Prob: 0.00750 / Confidence: 0.00210 => confident.ham;
Sep-29-14 00:49:13 m-41196-00013 157.56.110.132 <sender-redacted@office365> to: recipient-redacted@exchange Message-Score: added -10 for Bayesian Confidence: 0.00210, total score for this message is now 57;
Sep-29-14 00:49:13 m-41196-00013 [MessageScore][PossibleSpam] 157.56.110.132 <sender-redacted@office365> to: recipient-redacted@exchange [spam found] and passing because messagescore(57) is in warning range ( 47 - 75) -- [subject-redacted] -> /var/db/assp/discarded/subject-redacted__7.eml;
====
Unfortunately, ASSP categorized this as spam when it really isn't. It did a
lookup on the O365 IP and, for some reason, heightened the marking of thinking
it was spam.
Legit spam, which was blocked (great!):
====
Sep-29-14 00:45:16 m-41196-00011 87.106.211.104 <[email protected]> to: recipient-redacted@exchange Message-Score: added 25 for bombHeaderRe: '9 sep 2014 00:45:05 -0400 (25)', total score for this message is now 25;
Sep-29-14 00:45:16 m-41196-00011 [BombHeader] 87.106.211.104 <[email protected]> to: recipient-redacted@exchange [scoring:25] -- bombHeaderRe: '9 sep 2014 00:45:05 -0400 (25)' -- [Hi Quality Medical Online Products];
Sep-29-14 00:45:16 m-41196-00011 87.106.211.104 <[email protected]> to: recipient-redacted@exchange Message-Score: added 15 for 87.106.211 in griplist (1.00), total score for this message is now 40;
Sep-29-14 00:45:16 m-41196-00011 87.106.211.104 <[email protected]> to: recipient-redacted@exchange Message-Score: added 100 for DNSBL: failed, 87.106.211.104 listed in b.barracudacentral.org, total score for this message is now 140;
Sep-29-14 00:45:16 m-41196-00011 [DNSBL] 87.106.211.104 <[email protected]> to: recipient-redacted@exchange [spam found][blocked] -- DNSBL, 87.106.211.104 listed in b.barracudacentral.org -- [Hi Quality Medical Online Products] -> /var/db/assp/spam/Hi_Quality_Medical_Online_Prod__6.eml;
====
Another non-legitimate spam email that was falsely identified:
====
Sep-29-14 00:38:53 m-41196-00005 146.101.78.152 <reputable-redacted@sender> to: recipient-redacted@exchange Message-Score: added 25 for bombHeaderRe: '9 sep 2014 00:38:42 -0400 (25)', total score for this message is now 25;
Sep-29-14 00:38:53 m-41196-00005 [BombHeader] 146.101.78.152 <reputable-redacted@sender> to: recipient-redacted@exchange [scoring:25] -- bombHeaderRe: '9 sep 2014 00:38:42 -0400 (25)' -- [Work];
Sep-29-14 00:38:54 m-41196-00005 146.101.78.152 <reputable-redacted@sender> to: recipient-redacted@exchange Message-Score: added 55 for URIBL failed: 'dimensiondata.com'(black.uribl.com ), total score for this message is now 80;
Sep-29-14 00:38:54 m-41196-00005 [URIBL] 146.101.78.152 <reputable-redacted@sender> to: recipient-redacted@exchange [spam found][blocked] -- URIBL failed: 'dimensiondata.com'(black.uribl.com ) -- [Work] -> /var/db/assp/spam/Work__3.eml;
====
There's some tweaking that some people recommend, especially modifying the low
and high values of the weighting. Since 50 is high by default, I then set it to
75 with continued issues. I saw that I could put all marked messages in
training/demo mode for it to just mark the messages, put a "possiblespam"
inclusion in the subject, and then pass the mail on. However, that might be
annoying to my end users, so I'm trying to avoid that.
Any further tweaking ideas? Can't seem to find a happy medium right now, so I
had to temporarily put ASSP in time out and re-route my mail back to Exchange
directly. The inconvenience of Yahoo and O365 emails being marked as spam with
normal content didn't go over well in my testing, even though I verified they
were at the default whitelisted value (for Yahoo, at least).
Thanks,
Andy
------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS
3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready
for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0
Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user