Re: [Assp-test] Senderbase
On my way to a new version - this is the nudge that I needed. (pending some more answers to my other thread on general windows recommendations and the requirements of hmm)

cheers.

On Thu, Jan 30, 2014 at 2:09 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> Since some time V2 does not use Net::Senderbase, it has its own SenderBase code included. For this reason Net::Senderbase is no longer shown in the module list (Info Stats).
>
> Use the latest version.
>
> Thomas
>
> From: K Post <nntp.p...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 29.01.2014 20:35
> Subject: Re: [Assp-test] Senderbase
>
>> tried 1.02 (not 1.2 as I typo'd above). No difference. Still timing out at line 45 of dns.pm. dns.pm is the same in 1.01 and 1.02.
>>
>> On Wed, Jan 29, 2014 at 2:04 PM, K Post <nntp.p...@gmail.com> wrote:
>>
>>> temporarily changing dns.pm to use query.senderbase.org instead of test.senderbase.org doesn't do anything. Still times out.
>>>
>>> If from the assp machine I use nslookup and do:
>>>
>>>     set type=txt
>>>     8.8.8.8.query.senderbase.org
>>>
>>> it gives me the txt record. Doing the same thing with test.senderbase.org times out. So based on my crude test, I'd say that this machine can query senderbase using DNS. The question now is what is this test.senderbase.org and how is it queried? Port 53 tcp and udp is wide open on the firewall.
>>>
>>> I've got Net-Senderbase 1.01 installed, which ppm indicates is the newest. BUT, there's 1.2 over at cpan. Should I be using that?
>>>
>>> On Wed, Jan 29, 2014 at 1:32 PM, K Post <nntp.p...@gmail.com> wrote:
>>>
>>>> Scratch that. The one that I saw go through was cached. The error is on line 45:
>>>>
>>>>     Timeout occurred getting results at C:/Perl/site/lib/Net/SenderBase/Query/DNS.pm
>>>>
>>>> It's like dns.pm is potentially querying reversip.test.senderbase.org - is that right, or should it be reversedip.query.senderbase.org??
>>>>
>>>> On Wed, Jan 29, 2014 at 10:22 AM, K Post <nntp.p...@gmail.com> wrote:
>>>>
>>>>> And now it's working. Must have been something DNS related, but I didn't change anything. Thanks for the guidance.
>>>>>
>>>>> On Wed, Jan 29, 2014 at 5:30 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>>>>>
>>>>>> SenderBase is working like expected (using 14025)
>>>>>>
>>>>>>     Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to: u...@domain.com SenderBase -- country:AR orgname:TELEFONICA DE ARGENTINA domain:speedy.com.ar
>>>>>>     Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to: u...@domain.com Message-Score: added 10 for Foreign Country AR (TELEFONICA DE ARGENTINA), total score for this message is now 10
>>>>>>     Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to: u...@domain.com [scoring] SenderBase -- Foreign Country AR (TELEFONICA DE ARGENTINA)
>>>>>>
>>>>>>> Should senderbase test show up in the mail analyzer?
>>>>>>
>>>>>> Yes, after adding '\bTELEFONICA DE ARGENTINA' to 'blackSenderBase' and having it in the SenderBaseCache:
>>>>>>
>>>>>>     * 186.39.19.146 is in CountryCache: status=changed to black country, data=AR, TELEFONICA DE ARGENTINA, speedy.com.ar, , N, 15
>>>>>>
>>>>>> or after removing the SBCache entry:
>>>>>>
>>>>>>     * 186.39.19.146 SenderBase: status=black country, data=AR, TELEFONICA DE ARGENTINA, speedy.com.ar, , N, 15
>>>>>>
>>>>>> Thomas
>>>>>>
>>>>>> From: K Post <nntp.p...@gmail.com>
>>>>>> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>>>>>> Date: 28.01.2014 14:14
>>>>>> Subject: [Assp-test] Senderbase
>>>>>>
>>>>>>> Any suggestions for debugging SenderBase on 2.x? Sometimes it works, but ASSP doesn't appear to be checking senderbase at all. I'm wondering if it's only looking at the cache and not attempting to make new queries. Looking at the log, I don't see white senderbase for messages that I'd expect. I see nothing on senderbase, not a failure, good or bad. Should senderbase test show up in the mail analyzer?

___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
Re: [Assp-test] Senderbase
> On my way to a new version - this is the nudge that I needed. (pending some more answers to my other thread on general windows recommendations and the requirements of hmm)

Well, as for the hMM, start vanilla, that is, install your new ASSP, configure it, migrate your files, upgrade to DB and then, once it is working, you may experiment by enabling HMM but, as Thomas wrote, just one step at a time :)
[Assp-test] Bayes mistake
Hi there,

I'm wondering what's the best way to troubleshoot a Bayes mistake. We get tonnes of fake bank security alert emails and nearly all of them got blocked. Imagine my surprise to see one in my own inbox this morning from barcl...@email.barclays.co.uk

So I checked the logs. What I found was more surprising. The exact same message with the exact same content (I compared the .eml files and only the headers were different) hit my server later on and was blocked by Bayes. I hadn't reported the previous one as a false negative yet.

Is there any way to figure out why Bayes made a boob on the first one?

Cheers,
Colin.

    2014-01-30 09:41:52 m1-74904-00342 [Worker_4] [TLS-in] [TLS-out] 212.227.137.50 barcl...@email.barclays.co.uk to: m...@mydomain.tld HMM Check [scoring] - Prob: 1.0 = spam
    2014-01-30 09:41:52 m1-74904-00342 [Worker_4] [TLS-in] [TLS-out] 212.227.137.50 barcl...@email.barclays.co.uk to: m...@mydomain.tld Message-Score: added 20 for HMM Probability: 1., total score for this message is now 35
    2014-01-30 09:41:53 m1-74904-00342 [Worker_4] [TLS-in] [TLS-out] 212.227.137.50 barcl...@email.barclays.co.uk to: m...@mydomain.tld Bayesian Check [scoring] - Prob: 0.10750 = ham

    2014-01-30 12:40:56 m1-85654-02281 [Worker_7] [TLS-out] 85.94.77.22 barcl...@email.barclays.co.uk to: m...@mydomain.tld HMM Check [scoring] - Prob: 1.0 = spam
    2014-01-30 12:40:56 m1-85654-02281 [Worker_7] [TLS-out] 85.94.77.22 barcl...@email.barclays.co.uk to: m...@mydomain.tld Message-Score: added 20 for HMM Probability: 1., total score for this message is now 40
    2014-01-30 12:40:56 m1-85654-02281 [Worker_7] [TLS-out] 85.94.77.22 barcl...@email.barclays.co.uk to: m...@mydomain.tld Bayesian Check [scoring] - Prob: 0.99597 = spam
    2014-01-30 12:40:56 m1-85654-02281 [Worker_7] [TLS-out] 85.94.77.22 barcl...@email.barclays.co.uk to: m...@mydomain.tld Message-Score: added 30 for Bayesian Probability: 0.99597, total score for this message is now 70
Re: [Assp-test] Links in log
I think part of it may have to do with highlighting. I just did a search for a domain, and the log search brought up the relevant lines. Many of the lines had clickable links - but there were some that appeared to have identical information that did not have full links.

To try to be clearer - most log lines have an IP, a remote address, and a local address. If I search for the remote domain, the IP and local address remain clickable - the remote addresses are not. However - the remote addresses PRIOR to the highlighted results, or if there is no highlighting - remain clickable. Also, if I search for the complete remote address - not just the domain - the links remain clickable.

--
Daniel

On 1/22/2014 3:21 AM, Thomas Eckardt wrote:

>> What determines if a link is supposed to be generated vs just text?
>
> This depends on your configuration, the actions selected at the top of the web page and the content of the line.
>
> IPs are no links if:
> - they are private
> - they are local
> - a file name is made a link in the same line
> - IPs are followed by a port definition
>
> email addresses are no links if:
> - a file name is made a link in the same line
>
> Thomas
>
> From: Daniel Miller <dmil...@amfes.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 21.01.2014 21:28
> Subject: [Assp-test] Links in log
>
>> I notice that sometimes in my log the IPs and email addresses are clickable links - and sometimes they are not. What determines if a link is supposed to be generated vs just text?
Re: [Assp-test] ASSP 1.9.9 denySMTPConnectionsFromAlways behavior changed
On 2014-01-20 17:55, Rusty Nejdl wrote:

> On 2014-01-20 09:46, Fritz Borgstedt wrote:
>
>> rnejdl@ringofsaturn.com writes:
>>
>>> I know that there is another field that can be used (denySMTPConnectionsFrom) but using it is not nearly as easy, as I have to copy the IP, scroll down to the configuration item and paste it on the end, vs the other where I can just click on the IP and add it to the block list file.
>>
>> The handling is the same if files are used for both. If you do not use a file, it will not appear on the pull down menu.
>>
>> I am running 1.9.9(14031): the code is the same as in 13359.
>
> Fritz, I'm not quite sure how to troubleshoot this then. This is an example of a connection from a bot trying to harvest valid logins:
>
>     Jan-20-14 17:48:39 85.214.85.40 disconnected (2 seconds);
>     Jan-20-14 17:48:39 85.214.85.40 warning: SMTP authentication failed;
>     Jan-20-14 17:48:39 85.214.85.40 info: authentication (LOGIN) realms - user:besadmin;
>     Jan-20-14 17:48:38 85.214.85.40 info: authentication - login is used;
>
> Clicking on the IP gives me:
>
>     RESULTS FOR ACTION - GENERAL IP-MATCHES FOR 85.214.85.40 : matches in DENYSMTPCONNECTIONSFROMALWAYS with 85.214.85.40/32
>
> (DoDenySMTPstrict) is set to Block. Any ideas?

Still troubleshooting this. I have spam lovers that get spam protection and I have denied IPs that are allowed to try to authenticate:

    Jan-30-14 14:45:25 200.93.84.77 disconnected (3 seconds);
    Jan-30-14 14:45:24 200.93.84.77 warning: SMTP authentication failed;
    Jan-30-14 14:45:24 [DenyIPStrict] 200.93.84.77 info: authentication (PLAIN) realms - foruser:, user:a...@x.com;
    Jan-30-14 14:45:24 [DenyIPStrict] 200.93.84.77 info: authentication - plain is used;

I am on the latest ASSP now and haven't noticed an improvement here. It's not in a test mode, because it is definitely doing spam protection, but it is ignoring a number of configuration items even when it sees that.

Rusty
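The condition being chased in this thread is "an IP that matches the deny list still got far enough to attempt SMTP AUTH". The following is an added example, not ASSP's own code, that audits a maillog excerpt for exactly that: it parses IP-prefixed log lines of the shape quoted above, matches each IP against a CIDR deny list standing in for the file behind denySMTPConnectionsFromAlways, and reports denied IPs that nonetheless reached the authentication stage. The log lines and the deny list are constructed from the lines quoted in this thread; the regex and field names are assumptions fitted to those lines, not a specification of ASSP's log format.

```python
"""Added example (not ASSP's own code): audit an ASSP maillog excerpt for
SMTP AUTH attempts by IPs that a denySMTPConnectionsFromAlways-style list
should have blocked at connect time.

The log lines below are constructed from the ones quoted in this thread; the
deny list is a constructed stand-in for the file behind
denySMTPConnectionsFromAlways. The line layout is an assumption based on
those quoted lines, not a spec of ASSP's log format.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample, in the shape of the lines quoted in the thread.
SAMPLE_LOG = """\
Jan-20-14 17:48:38 85.214.85.40 info: authentication - login is used;
Jan-20-14 17:48:39 85.214.85.40 info: authentication (LOGIN) realms - user:besadmin;
Jan-20-14 17:48:39 85.214.85.40 warning: SMTP authentication failed;
Jan-20-14 17:48:39 85.214.85.40 disconnected (2 seconds);
Jan-30-14 14:45:24 [DenyIPStrict] 200.93.84.77 info: authentication - plain is used;
Jan-30-14 14:45:24 [DenyIPStrict] 200.93.84.77 info: authentication (PLAIN) realms - foruser:, user:a...@x.com;
Jan-30-14 14:45:24 200.93.84.77 warning: SMTP authentication failed;
Jan-30-14 14:45:25 200.93.84.77 disconnected (3 seconds);
Jan-30-14 15:01:02 192.0.2.10 info: authentication (PLAIN) realms - user:alice;
Jan-30-14 15:01:03 192.0.2.10 disconnected (1 seconds);
"""

# Constructed stand-in for the denySMTPConnectionsFromAlways file (one entry per line).
DENY_LIST = """\
85.214.85.40/32
200.93.84.0/24
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) "                    # date and time
    r"(?:\[(?P<tag>[^\]]+)\] )?"            # optional tag such as [DenyIPStrict]
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "     # connecting IP
    r"(?P<msg>.*?);?$"                      # rest of the line, trailing ';' dropped
)


def parse_log(text):
    """Yield one dict per line that matches the IP-prefixed maillog shape."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def load_deny_list(text):
    """Parse CIDR/host entries; blank lines and '#' comments are skipped."""
    nets = []
    for entry in text.splitlines():
        entry = entry.strip()
        if entry and not entry.startswith("#"):
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def matching_net(ip, nets):
    """Return the first deny-list network containing ip, as a string, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return str(net)
    return None


def audit(log_text, deny_text):
    """Return {ip: summary} for every IP seen in the log.

    'denied' is the deny-list entry that matched (or None). An IP with a
    'denied' value and auth_attempts > 0 got past the connect-time block,
    which is the condition this thread is troubleshooting.
    """
    nets = load_deny_list(deny_text)
    per_ip = defaultdict(lambda: {"auth_attempts": 0, "auth_failures": 0,
                                  "tags": set(), "users": set(), "denied": None})
    for rec in parse_log(log_text):
        s = per_ip[rec["ip"]]
        s["denied"] = matching_net(rec["ip"], nets)
        if rec["tag"]:
            s["tags"].add(rec["tag"])
        msg = rec["msg"]
        if "realms -" in msg:                       # an AUTH attempt with its claimed user
            s["auth_attempts"] += 1
            for user in re.findall(r"\buser:([^,;\s]+)", msg):
                s["users"].add(user)
        elif "SMTP authentication failed" in msg:
            s["auth_failures"] += 1
    return dict(per_ip)


def leaked_denied_ips(summary):
    """IPs that matched the deny list yet still reached the AUTH stage."""
    return sorted(ip for ip, s in summary.items()
                  if s["denied"] and s["auth_attempts"] > 0)


if __name__ == "__main__":
    result = audit(SAMPLE_LOG, DENY_LIST)
    for ip in leaked_denied_ips(result):
        s = result[ip]
        print(f"{ip}: denied by {s['denied']} but attempted AUTH "
              f"{s['auth_attempts']}x (failed {s['auth_failures']}x), "
              f"users={sorted(s['users'])}, tags={sorted(s['tags'])}")
```

Run against the constructed sample, both 85.214.85.40 and 200.93.84.77 are reported, while 192.0.2.10 (not on the list) is not; the [DenyIPStrict] tag on the second IP's lines is preserved in the summary so that a "tagged as denied but still authenticating" case is visible at a glance. Pointing the same functions at a real maillog and the real deny file gives a quick answer to whether the block is being bypassed for many IPs or only a few.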
Re: [Assp-test] Bayes mistake
Two reasons:

> I hadn't reported the previous one as a false negative yet.

1) Another one has reported the same or similar mail. ASSP V2 recalculates the Bayes and HMM database on the fly if a mail is reported.
2) A rebuild was done.

> Is there any way to figure out why Bayes made a boob on the first one?

No - all checks are done on the current DBs - no chance to go back in the past. But I think, after eliminating pairs of very low (ham) and very high (spam) values, there was at least one very low value left.

If you use both HMM and Bayes - set the scoring so that your trust in HMM is higher. Bayes is fine but less exact - for this reason HMM was implemented.

Thomas

From: Colin Waring <co...@lanternhosting.co.uk>
To: 'ASSP development mailing list' <assp-test@lists.sourceforge.net>
Date: 30.01.2014 21:15
Subject: [Assp-test] Bayes mistake
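Colin's log excerpt and Thomas's advice to weight HMM above Bayes both come down to the same question: for which messages did the two classifiers disagree, and what would the total score have been under different weights? The following is an added example, not ASSP's own code, that parses the scoring lines quoted in this thread, groups them per message ID, lists the messages where HMM and Bayes reached opposite verdicts, and recomputes the logged total with alternative HMM/Bayes weights. The log lines are constructed from the ones quoted above; the regexes are fitted to those lines and are not a specification of ASSP's log format, and the block threshold used in the what-if printout is an assumed value.

```python
"""Added example (not ASSP's own code): extract HMM and Bayes verdicts from an
ASSP maillog excerpt, find messages where the two classifiers disagree, and
show what the total score would have been under a different weighting.

The log lines below are constructed from the ones quoted in this thread; the
regexes are assumptions fitted to those lines, not a spec of ASSP's log format.
ASSUMED_BLOCK_THRESHOLD is an assumed value, not a setting read from ASSP.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2014-01-30 09:41:52 m1-74904-00342 [Worker_4] [TLS-in] [TLS-out] 212.227.137.50 barcl...@email.barclays.co.uk to: m...@mydomain.tld HMM Check [scoring] - Prob: 1.0 = spam
2014-01-30 09:41:52 m1-74904-00342 [Worker_4] [TLS-in] [TLS-out] 212.227.137.50 barcl...@email.barclays.co.uk to: m...@mydomain.tld Message-Score: added 20 for HMM Probability: 1., total score for this message is now 35
2014-01-30 09:41:53 m1-74904-00342 [Worker_4] [TLS-in] [TLS-out] 212.227.137.50 barcl...@email.barclays.co.uk to: m...@mydomain.tld Bayesian Check [scoring] - Prob: 0.10750 = ham
2014-01-30 12:40:56 m1-85654-02281 [Worker_7] [TLS-out] 85.94.77.22 barcl...@email.barclays.co.uk to: m...@mydomain.tld HMM Check [scoring] - Prob: 1.0 = spam
2014-01-30 12:40:56 m1-85654-02281 [Worker_7] [TLS-out] 85.94.77.22 barcl...@email.barclays.co.uk to: m...@mydomain.tld Message-Score: added 20 for HMM Probability: 1., total score for this message is now 40
2014-01-30 12:40:56 m1-85654-02281 [Worker_7] [TLS-out] 85.94.77.22 barcl...@email.barclays.co.uk to: m...@mydomain.tld Bayesian Check [scoring] - Prob: 0.99597 = spam
2014-01-30 12:40:56 m1-85654-02281 [Worker_7] [TLS-out] 85.94.77.22 barcl...@email.barclays.co.uk to: m...@mydomain.tld Message-Score: added 30 for Bayesian Probability: 0.99597, total score for this message is now 70
"""

ASSUMED_BLOCK_THRESHOLD = 50   # assumed for the what-if printout only

# Common prefix: timestamp, message id, worker/TLS tags, IP, sender, recipient, then the event text.
HEAD_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<mid>m\d+-\d+-\d+) .*?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<sender>\S+) to: (?P<rcpt>\S+) (?P<rest>.*)$"
)
# Classifier verdict line; accepts '=' (as quoted in the thread) or '=>'.
CHECK_RE = re.compile(
    r"^(?P<clf>HMM|Bayesian) Check \[scoring\] - Prob: (?P<prob>[\d.]+) =>? (?P<verdict>spam|ham)$"
)
# Score contribution line for a classifier.
SCORE_RE = re.compile(
    r"^Message-Score: added (?P<added>\d+) for (?P<clf>HMM|Bayesian) Probability: [\d.]+, "
    r"total score for this message is now (?P<total>\d+)$"
)


def parse(log_text):
    """Group classifier verdicts and score contributions per message id."""
    msgs = defaultdict(lambda: {"ip": None, "sender": None,
                                "checks": {}, "added": {}, "total": 0})
    for line in log_text.splitlines():
        h = HEAD_RE.match(line)
        if not h:
            continue
        m = msgs[h["mid"]]
        m["ip"], m["sender"] = h["ip"], h["sender"]
        c = CHECK_RE.match(h["rest"])
        if c:
            m["checks"][c["clf"]] = (float(c["prob"]), c["verdict"])
            continue
        s = SCORE_RE.match(h["rest"])
        if s:
            m["added"][s["clf"]] = int(s["added"])
            m["total"] = max(m["total"], int(s["total"]))   # last logged running total
    return dict(msgs)


def disagreements(msgs):
    """Message ids where HMM and Bayes reached opposite verdicts."""
    return sorted(mid for mid, m in msgs.items()
                  if "HMM" in m["checks"] and "Bayesian" in m["checks"]
                  and m["checks"]["HMM"][1] != m["checks"]["Bayesian"][1])


def rescore(m, hmm_weight, bayes_weight):
    """What-if: strip the logged HMM/Bayes contributions from the total and
    re-add them with the given weights (each only when that classifier said spam)."""
    score = m["total"] - sum(m["added"].values())       # score before the classifiers ran
    if m["checks"].get("HMM", (0.0, "ham"))[1] == "spam":
        score += hmm_weight
    if m["checks"].get("Bayesian", (0.0, "ham"))[1] == "spam":
        score += bayes_weight
    return score


if __name__ == "__main__":
    msgs = parse(SAMPLE_LOG)
    for mid in disagreements(msgs):
        m = msgs[mid]
        logged = rescore(m, 20, 30)        # weights as seen in the quoted log
        hmm_first = rescore(m, 40, 20)     # HMM trusted more, as Thomas suggests
        print(f"{mid} from {m['ip']}: HMM={m['checks']['HMM']} Bayes={m['checks']['Bayesian']}")
        print(f"  logged weighting (HMM 20 / Bayes 30): {logged}, "
              f"HMM-first weighting (HMM 40 / Bayes 20): {hmm_first}, "
              f"assumed block threshold {ASSUMED_BLOCK_THRESHOLD}")
```

On the constructed sample only the 09:41 message (m1-74904-00342) is a disagreement: HMM at probability 1.0 said spam while Bayes at 0.1075 said ham, and its total stayed at 35 because only HMM added points. Reweighting so that HMM contributes 40 and Bayes 20 lifts that message to 55 without changing the verdict on the 12:40 copy, which is the effect of "set the scoring so that your trust in HMM is higher" made concrete. The threshold is a placeholder; substitute the real block score before drawing conclusions from the printout.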