Re: [Assp-test] Senderbase
Hey, would you look at that! There's a setting for senderbase log verbosity! Changing it to verbose, gives me:

Timeout occurred getting results at C:/Perl/site/lib/Net/SenderBase/Query/DNS.pm

DNSTimeout was 5 seconds. Changed to 10, no difference.

Any suggestions? DNS settings on the server seem fine and are responsive.

On Tue, Jan 28, 2014 at 11:48 AM, Grayhat wrote:

> > Hey Grayhat- been a while... Thanks for your followup.
>
> Hi there, yes, been (and being ) busy
>
> > I'm using our internal dns servers, without forwarders. I see DNSBL
> > messages, RWL, etc as expected.
>
> ok, one thing less to check (I hope) :)
>
> > Could a format error in the whiteSenderBase be the culprit? I don't
> > see an error when it's loaded. There's 1000+ entries, hard to check
>
> well, maybe, sure or may be due to some check kicking in *before* the
> senderbase one; carefully checking the logs and/or increasing logging
> would be a good idea imVHo

___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
Re: [Assp-test] Senderbase
> Hey Grayhat- been a while... Thanks for your followup.

Hi there, yes, been (and being ) busy

> I'm using our internal dns servers, without forwarders. I see DNSBL
> messages, RWL, etc as expected.

ok, one thing less to check (I hope) :)

> Could a format error in the whiteSenderBase be the culprit? I don't
> see an error when it's loaded. There's 1000+ entries, hard to check

well, maybe, sure or may be due to some check kicking in *before* the senderbase one; carefully checking the logs and/or increasing logging would be a good idea imVHo
Re: [Assp-test] Senderbase
Hey Grayhat- been a while... Thanks for your followup.

I'm using our internal dns servers, without forwarders. I see DNSBL messages, RWL, etc as expected.

Could a format error in the whiteSenderBase be the culprit? I don't see an error when it's loaded. There's 1000+ entries, hard to check manually. I suppose I could try just a shorter list, but it'll be hard to test - would need a domain that should be senderbase ok, but isn't in the cache to send an email.

The code should be querying senderbase.org each time if the entry isn't in cache, right? If so, maybe I'll dive into the code and start logging.

On Tue, Jan 28, 2014 at 10:06 AM, Grayhat wrote:

> :: On Tue, 28 Jan 2014 09:02:50 -0500
> ::
> :: K Post wrote:
>
> > Confirmed that it seems like only the cached entries are working.
> > Every one of the 300+ senderbase matches from today, are from the
> > cache. For example:
> > 199.101.162.46
>
> couple questions:
>
> 1: are there any DNS-related messages in your logs ?
>
> 2: are you using your own (no forwarders) DNS resolvers or are you
>    using public resolvers like OpenDNS, Google or whatever else ?
Re: [Assp-test] Senderbase
:: On Tue, 28 Jan 2014 09:02:50 -0500
::
:: K Post wrote:

> Confirmed that it seems like only the cached entries are working.
> Every one of the 300+ senderbase matches from today, are from the
> cache. For example:
> 199.101.162.46

couple questions:

1: are there any DNS-related messages in your logs ?

2: are you using your own (no forwarders) DNS resolvers or are you using public resolvers like OpenDNS, Google or whatever else ?
Re: [Assp-test] module BerkeleyDB 0.54 + BDB engine 6.0.20
Thanks Thomas.

At some point in the near future, I'm going to be upgrading our small Win32 box. Currently we're running an old version of ASSP (I'm ashamed to say old enough that HMM isn't an option). No proper database in use, just flat files for everything.

What's your recommended database being that this will be a new OS install, but will be migrating over existing data? We need a db one for HMM right? I'm planning on using W2k12 r2. I could use W2k8 r2 instead. MySQL is an option. Berkeley DB too (though I have no experience there). 32 or 64 bit perl, etc. Just looking for some updated guidance.

Thanks as always. I figure ASSP and your work is saving me something like 2 hours a day, which I can devote to managing the IT needs of this charity. THANKS! THANKS THANKS!

On Sat, Jan 25, 2014 at 6:49 AM, Thomas Eckardt wrote:

> Hi all,
>
> after more than 8 weeks of testing, I've released the module BerkeleyDB
> version 0.54 with BDB engine 6.0.20 for Perl 5.16 and Perl 5.18 (both for
> windows only) at CVS and the default SF download.
>
> There are no longer any memory leaks related to this module.
>
> If you want to upgrade to this version:
>
> - download the archive file and uncompress it
> - stop assp (and any other Perl process on the system!)
> - use cmd and change in to directory with the extracted new BerkeleyDB.ppd
>   (and BerkeleyDB.tar.gz) file
> - run
>   ppm install BerkeleyDB.ppd
> - start assp one time from the commandline
> - (A) check if spamdb and HMMdb contains more than two record (only if
>   used and configured) - this is shown at the startup log lines
> - wait until (~3 min) the griplist is updated (only if used and
>   configured)
> - stop assp
> - start assp in your regular mode
> - run a rebuildspamdb, if (A) has shown not more than 2 records for any of
>   the DB's
>
> Thomas
Re: [Assp-test] Senderbase White Org regex
Thanks for the reply Thomas. I appreciate the - clarification.

Might you consider changing senderbase functionality such that it looks for an exact match? I worry about allowing anything from Hosting Service (just an example) but consider it a network name that we know only sends good, erroneously matching Bob's Bad Hosting Service too in senderbase...

FYI - I was wondering why so many of my questions have gone unanswered recently. Totally not typical for you - I should have known better. Turns out the gmail servers were filtering your message to spam! Irony in its truest form

On Sun, Jan 26, 2014 at 2:29 AM, Thomas Eckardt wrote:

> 1) \bacer-euro\.com is listed. Doesn't the - need to be escaped? (if not,
> why not?)
>
> No need to escape the - here. It is required in a character class like
> [fth\-kl] - but not if the - is the last character in a character class
> like [a-z0-9-] see
> http://perldoc.perl.org/perlretut.html#Using-character-classes
> It does not matter to escape the - everywhere in a regex. like
> \bacer\-euro\.com
>
> 2) Should we use ^ to indicate beginning of line and $ to indicate end so
> that something like:
> Would ^Hosting Service$ work?
>
> No - assp processes all regexes against the complete target string
> (header, body, mail), there is no line processing!
>
> btw: \bHosting Service
> matches both: "Bob's Hosting Service" and "Hosting Service Inc."
>
> Thomas
>
> From: K Post
> To: ASSP development mailing list ,
> Date: 25.01.2014 18:16
> Subject: [Assp-test] Senderbase White Org regex
>
> I just downloaded 2.3.3 and am reviewing the whiteorg.txt sample file for
> SenderBase.
>
> I understand that that \b is necessary to indicate the word boundary. I
> get that the . needs to be escaped with \ so they don't match any
> character.
>
> Questions:
> 1) \bacer-euro\.com is listed. Doesn't the - need to be escaped? (if not,
> why not?)
> 2) Should we use ^ to indicate beginning of line and $ to indicate end so
> that something like:
> \bHosting Service (to match any host in the "Hosting Service" network)
> doesn't match "Bob's Hosting Service" or "Hosting Service Inc."
> Would ^Hosting Service$ work?
>
> Thanks all!
> ken
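The matching behaviour described in Thomas's reply above, as an added Perl example that is not part of the original messages or of ASSP's code. The organization names, the multi-line target string and the helper `hit` are constructed for illustration.

```perl
use strict;
use warnings;

# Hypothetical helper: apply a pattern string to a target, compiled
# without /m, so ^ and $ anchor to the whole string, not to lines.
sub hit { my ($pat, $target) = @_; return $target =~ /$pat/ ? 'match' : 'no match' }

# Constructed organization names (not real SenderBase output).
my @orgs = ('Hosting Service', "Bob's Bad Hosting Service", 'Hosting Service Inc.');

# 1) \b only requires a word boundary in front of "Hosting", so a
#    whitelist entry written this way also covers the longer names.
# 2) ^...$ matches only when the target string is exactly the name.
for my $pat ('\bHosting Service', '^Hosting Service$') {
    printf "%-22s %-28s %s\n", $pat, "'$_'", hit($pat, $_) for @orgs;
}

# 3) The same anchored pattern against a constructed multi-line target:
#    with no line processing, ^ and $ ignore the inner line breaks.
my $blob = "X-Example-Org: unused\nHosting Service\nSubject: test\n";
print "anchored, whole-string target: ", hit('^Hosting Service$', $blob), "\n";
print "anchored, (?m) line mode:      ", hit('(?m)^Hosting Service$', $blob), "\n";

# 4) Outside a character class "-" is a literal, escaped or not.
for my $pat ('\bacer-euro\.com', '\bacer\-euro\.com') {
    printf "%-22s %s\n", $pat, hit($pat, 'mail.acer-euro.com');
}

# 5) Inside a class the position matters: [fth\-kl] holds a literal "-",
#    [fth-kl] turns h-k into a range, [a-z0-9-] ends with a literal "-".
for my $class ('[fth\-kl]', '[fth-kl]', '[a-z0-9-]') {
    my @matched = grep { hit("^$class\$", $_) eq 'match' } ('-', 'i', 'f');
    printf "%-12s matches: %s\n", $class, join(' ', @matched);
}
```

Running whitelist entries through a harness like this before loading them shows which names a prefix-style pattern would also admit.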
Re: [Assp-test] Senderbase
Also, I was able to confirm that I can directly query query.senderbase.org from the machine

On Tue, Jan 28, 2014 at 9:02 AM, K Post wrote:

> Confirmed that it seems like only the cached entries are working. Every
> one of the 300+ senderbase matches from today, are from the cache.
> For example:
> 199.101.162.46 to: ouru...@.org [whiting] SenderBase -- White Organization/Domain 'LinkedIn Corporation' in cache
> That works great. Any way to debug why new hits don't seem to be
> happening even though there's emails that should match entries in the
> whiteSenderBase file? That certainly wasn't the case before. I don't
> think it's the code, I think it's my setup.
>
> On Tue, Jan 28, 2014 at 8:12 AM, K Post wrote:
>
>> Any suggestions for debugging SenderBase on 2.x?
>>
>> Sometimes it works, but ASSP doesn't appear to be checking senderbase at
>> all. I'm wondering if it's only looking at the cache and not attempting to
>> make new queries. Looking at the log, I don't see white senderbase for
>> messages that I'd expect. I see nothing on senderbase, not a failure, good
>> or bad.
>>
>> Should senderbase test show up in the mail analyzer?
Re: [Assp-test] Senderbase
Confirmed that it seems like only the cached entries are working. Every one of the 300+ senderbase matches from today, are from the cache. For example:

199.101.162.46 to: ouru...@.org [whiting] SenderBase -- White Organization/Domain 'LinkedIn Corporation' in cache

That works great. Any way to debug why new hits don't seem to be happening even though there's emails that should match entries in the whiteSenderBase file? That certainly wasn't the case before. I don't think it's the code, I think it's my setup.

On Tue, Jan 28, 2014 at 8:12 AM, K Post wrote:

> Any suggestions for debugging SenderBase on 2.x?
>
> Sometimes it works, but ASSP doesn't appear to be checking senderbase at
> all. I'm wondering if it's only looking at the cache and not attempting to
> make new queries. Looking at the log, I don't see white senderbase for
> messages that I'd expect. I see nothing on senderbase, not a failure, good
> or bad.
>
> Should senderbase test show up in the mail analyzer?
[Assp-test] Senderbase
Any suggestions for debugging SenderBase on 2.x?

Sometimes it works, but ASSP doesn't appear to be checking senderbase at all. I'm wondering if it's only looking at the cache and not attempting to make new queries. Looking at the log, I don't see white senderbase for messages that I'd expect. I see nothing on senderbase, not a failure, good or bad.

Should senderbase test show up in the mail analyzer?
[Assp-test] BATV, DSN and Exchange backend
Hi all,

I'm having an issue dealing with BATV and DSN, not strictly related to ASSP but I thought it wouldn't harm posting here: whenever I send a mail to a non-existent external address, my postfix MTA hands the DSN message back to Exchange 2010, which doesn't know about the BATV tag, hence it doesn't understand the return path address in the form of "prvs=423424232...", thus dropping the DSN.

My scenario is:

Exchange --> ASSP --> Postfix (Outgoing)
ASSP --> Postfix --> Exchange (Incoming)

Whenever the DSN is generated, Postfix will route it directly to Exchange.

Has anyone managed to solve this issue with BATV and Exchange, or does anyone know how to instruct Postfix to mangle the BATV tag? Can anything be done/set on the ASSP side to avoid this issue?

As of now, I set BATV to 'disabled', keeping FBMTV on.

regards,

--
"Madness, like small fish, runs in hosts, in vast numbers of instances."
Nobody combs my hair as well as the wind.