Re: [Assp-test] Senderbase Matching Substring

2021-05-03 Thread K Post
Loud and clear Thomas.  No need to reply unless I'm wrong or offbase here:
I prefixed *everything* in whitesenderBase to start with ^ instead of just
\b since \b seems to match hyphens.  I'm assuming that the ^ prefix instead
of \b will not cause any sort of performance or other problem.  I haven't
seen one, but if it's not advisable, please let me know?

So my original \bwalmart\.com to ^walmart\.com$ so that fake-walmart.com
doesn't match.

I feel like the ^name$ syntax ensures that I'm matching complete domain or
network name as listed in senderbase vs "just" a word boundary to the end
of one with \bdomain$  Bad idea?

Your explanation of whiteSenderBase being a RE vs dkimWLAddresses being
just a list was very helpful and an important point for me to remember.

While I can hack the very basics of perl, there's no way I could implement
new functionality.  That's why I ask the "wouldn't it be nice" questions.
That sometimes gets good ideas out there, like my suggestion for the dkimWL
and dkimNP which has been a game changer here.  Often it gets a, "no, that's
a bad idea" or "that's not necessary, you could instead..." reply which is
fine.  I feel like that's why we have this discussion list, the free
exchange of ideas, with one goal, blocking spammers and scammers.  We're on
the same team, even if I might make you feel like I'm an adversary
sometimes with my questions.




On Sun, May 2, 2021 at 7:14 AM Thomas Eckardt 
wrote:

> My final comment to this thread.
>
> -  whiteSenderBase is a regular expression, while dkimAddresses and
> dkimNPAddresses are address- and domain lists
> - if you've added '\bwalmart\.com' to whiteSenderBase, change it to
> '\bwalmart\.com$'
> - do not change anything else in whiteSenderBase as long as you don't get
> a wrong (or not the expected) detection for this feature
> - trust ARIN, RIPE and all the other registrars - they will not register
> suspicious company names
>
> In terms of assp - 'assumes' and 'believes' are most times bad. The
> feature descriptions in the GUI and the manual should be informative enough
> for IT professionals - if you think, there is anything missing, post your
> suggestions for changes here or in the forum - BUT RTMF!
> Features should always work like described. If this is not the case, post
> this here or in the sourceforge ticket system (
> https://sourceforge.net/p/assp/tickets/)
> If assp will remove, add or change anything in your configuration values
> 'automatically', this should be stated in the GUI (if not, please report
> this)
> As long as it is not exceptionally stated in the GUI, assp features should
> work RFC conform.
> Any RFC related information will not be added to the GUI - RFC's, drafts
> and their substitutes can be read in the IANA web. Things like 'what is
> SPF, SRS, DKIM ?' will not become part of the assp manual - there are
> very good explanations and examples in the web.
>
> Suggestions for new features or changes are welcome. However: I prefer
> to see something like 'I saw, changed, tested and got very good results
> ...' - than something like 'wouldn't it be nice to have'
>
>
> Thomas
>
>
>
>
>
>
> From: "K Post"
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 29.04.2021 22:29
> Subject: Re: [Assp-test] Senderbase Matching Substring
> --
>
>
>
> and I'll add that I believe it's a good idea to start whiteSenderBase
> lines with ^ instead of \b
>
> For example:
> \bapple\.com$
> would allow bad-apple.com, whereas
> ^apple\.com$
> won't.
>
> I suppose it should be obvious, it's just a regex, but the example file
> for all those years ago, threw me off.
>
>
> On Thu, Apr 29, 2021 at 10:20 AM K Post <*nntp.p...@gmail.com*
> > wrote:
> also, fyi, the sample file files/whiteorg.txt doesn't have $ to force it
> only to match the line ending, which I believe is what I used to come up
> with my incorrect assumption.  Putting in at least 1 example in that file
> with a $ might help others not make the same mistake that I have.  My
> money's on well more than half of the admins using ASSP haven't made the
> same mistake.
>
> In the sample file, everything starts with \b, clearly telling us that it
> needs to be the start of a word, but no lines end with $ or even \b   For
> example:
> \bbank of america
> When I see that, I think "we have the \b so that some scammer can't get
> senderbase 
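
The anchoring behaviour discussed in this thread, as an added example that is not part of any post and is not ASSP code: a Perl script that tests whiteSenderBase-style entries against the value they are meant to whitelist and against look-alikes. The sample values are constructed, the helper names are hypothetical, and it assumes each SenderBase field (ORG, DOM, HN) is matched on its own as a complete string.

```perl
#!/usr/bin/perl
# Added example, not ASSP code: audit whiteSenderBase-style entries for
# missing anchors. Assumption: each SenderBase field is matched separately.
use strict;
use warnings;

# Split an optional "=>score" suffix (as in '\bsparkpostmail\.com=>-20') off
# an entry and return (regex_source, score_or_undef).
sub split_entry {
    my ($line) = @_;
    my ($src, $score) = $line =~ /^(.*?)(?:=>(-?\d+))?$/;
    return ($src, $score);
}

# Test one entry against the value it is meant to whitelist and against
# look-alike values. Returns a list of findings; an empty list means the
# entry matched the intended value and none of the look-alikes.
sub audit_entry {
    my ($line, $intended, @lookalikes) = @_;
    my ($src) = split_entry($line);

    # Compile inside eval so a broken entry is reported instead of dying.
    my $re = eval { qr/$src/ };
    return ("does not compile: $@") unless defined $re;

    my @findings;
    push @findings, "misses intended value '$intended'"
        unless $intended =~ $re;
    for my $value (@lookalikes) {
        push @findings, "over-matches '$value'" if $value =~ $re;
    }
    return @findings;
}

# Constructed test data built from the names mentioned in the thread.
my @cases = (
    {
        intended   => 'walmart.com',
        lookalikes => [ 'walmart.com.mx', 'fake-walmart.com', 'notwalmart.com' ],
        entries    => [
            '\bwalmart\.com',      # no end anchor
            '\bwalmart\.com\b',    # word boundary at the end
            '\bwalmart\.com$',     # end anchored, start only at a word boundary
            '^walmart\.com$',      # anchored at both ends
        ],
    },
    {
        intended   => 'bank of america',
        lookalikes => [ 'bank of americascammer network', 'badbank of america' ],
        entries    => [
            '\bbank of america',
            '\bbank of america$',
            '^bank of america$',
        ],
    },
    {
        intended   => 'sparkpostmail.com',
        lookalikes => [ 'sparkpostmail.com.example', 'x-sparkpostmail.com' ],
        entries    => [ '\bsparkpostmail\.com=>-20' ],
    },
);

for my $case (@cases) {
    print "intended: $case->{intended}\n";
    for my $line (@{ $case->{entries} }) {
        my @findings = audit_entry($line, $case->{intended},
                                   @{ $case->{lookalikes} });
        printf "  %-28s %s\n", $line,
            @findings ? join('; ', @findings) : 'ok';
    }
}
```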

Re: [Assp-test] Senderbase Matching Substring

2021-05-02 Thread Thomas Eckardt
My final comment to this thread.

-  whiteSenderBase is a regular expression, while dkimAddresses and
dkimNPAddresses are address- and domain lists
- if you've added '\bwalmart\.com' to whiteSenderBase, change it to
'\bwalmart\.com$'
- do not change anything else in whiteSenderBase as long as you don't get
a wrong (or not the expected) detection for this feature
- trust ARIN, RIPE and all the other registrars - they will not register
suspicious company names

In terms of assp - 'assumes' and 'believes' are most times bad. The
feature descriptions in the GUI and the manual should be informative enough
for IT professionals - if you think, there is anything missing, post your
suggestions for changes here or in the forum - BUT RTMF!
Features should always work like described. If this is not the case, post
this here or in the sourceforge ticket system (
https://sourceforge.net/p/assp/tickets/)
If assp will remove, add or change anything in your configuration values
'automatically', this should be stated in the GUI (if not, please report
this)
As long as it is not exceptionally stated in the GUI, assp features should
work RFC conform.
Any RFC related information will not be added to the GUI - RFC's, drafts
and their substitutes can be read in the IANA web. Things like 'what is
SPF, SRS, DKIM ?' will not become part of the assp manual - there are
very good explanations and examples in the web.

Suggestions for new features or changes are welcome. However: I prefer
to see something like 'I saw, changed, tested and got very good results
...' - than something like 'wouldn't it be nice to have'


Thomas


 



From: "K Post"
To: "ASSP development mailing list"
Date: 29.04.2021 22:29
Subject: Re: [Assp-test] Senderbase Matching Substring



and I'll add that I believe it's a good idea to start whiteSenderBase 
lines with ^ instead of \b

For example:
\bapple\.com$
would allow bad-apple.com, whereas
^apple\.com$ 
won't.

I suppose it should be obvious, it's just a regex, but the example file 
for all those years ago, threw me off.


On Thu, Apr 29, 2021 at 10:20 AM K Post  wrote:
also, fyi, the sample file files/whiteorg.txt doesn't have $ to force it 
only to match the line ending, which I believe is what I used to come up 
with my incorrect assumption.  Putting in at least 1 example in that file 
with a $ might help others not make the same mistake that I have.  My 
money's on well more than half of the admins using ASSP haven't made the 
same mistake.

In the sample file, everything starts with \b, clearly telling us that it 
needs to be the start of a word, but no lines end with $ or even \b   For 
example:
\bbank of america
When I see that, I think "we have the \b so that some scammer can't get 
senderbase to have their network as 'BADbank of america' and get through 
our filters."  That's logical, but I also assumed that because there isn't 
a trailing \b (or actually $) that it's going to the end of the line.  Why 
would someone put a \b at the beginning, but not care about "bank of 
americascammer network" also being a match? 

Maybe edit the sample whiteorg or put a note at the top to help others?

On Thu, Apr 29, 2021 at 10:05 AM K Post  wrote:
My assumption was wrong for as long as senderbase has been in ASSP then!
I'll be adding the $ end of line requirement to everything in senderbase 
shortly.

Is this also true of dkimAddresses and dkimNPAddresses?

On Mon, Apr 26, 2021 at 2:50 AM Thomas Eckardt  wrote:
>I (maybe incorrectly) assumed that the word boundary was automatically 
added on the end. 

Hmm  what is causing this assumption reading the description of
whiteSenderBase? 

Whitelisted Organizations, Domains and Hosts in SenderBase** 
(whiteSenderBase) 
If the organization, domain or hostname in the SenderBase IP description 
matches this Perl regular expression, the message will be considered 
non-spam. For example file:files/whiteorg.txt 
NOTICE: If only the hostname matches an entry and DoOrgWhiting is set to 
"whiting", the domain+organization pair will not be added to the white 
organizations! 


walmart.com.mx 

\bwalmart\.com - match 
\bwalmart\.com\b - match 
\bwalmart\.com$ - no match 

Thomas 






From: "K Post"
To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Date: 25.04.2021 12:25
Subject: [Assp-test] Senderbase Matching Substring



For a long time, I've had  
\bwalmart\.com 
in my whiteSenderBase configuration.  Some of our staff shops at walmart 
and anything from Walmart's ip space should be considered white.  All good 
there. 

However, I had a bunch of spam slip through because of this overnight.  
When I did an analyze, I

Re: [Assp-test] Senderbase Matching Substring

2021-04-29 Thread K Post
and I'll add that I believe it's a good idea to start whiteSenderBase lines
with ^ instead of \b

For example:

\bapple\.com$

would allow bad-apple.com, whereas

^apple\.com$

won't.

I suppose it should be obvious, it's just a regex, but the example file for
all those years ago, threw me off.


On Thu, Apr 29, 2021 at 10:20 AM K Post  wrote:

> also, fyi, the sample file files/whiteorg.txt doesn't have $ to force it
> only to match the line ending, which I believe is what I used to come up
> with my incorrect assumption.  Putting in at least 1 example in that file
> with a $ might help others not make the same mistake that I have.  My
> money's on well more than half of the admins using ASSP haven't made the
> same mistake.
>
> In the sample file, everything starts with \b, clearly telling us that it
> needs to be the start of a word, but no lines end with $ or even \b   For
> example:
>
> \bbank of america
>
> When I see that, I think "we have the \b so that some scammer can't get
> senderbase to have their network as 'BADbank of america' and get through
> our filters."  That's logical, but I also assumed that because there isn't
> a trailing \b (or actually $) that it's going to the end of the line.  Why
> would someone put a \b at the beginning, but not care about "bank of
> americascammer network" also being a match?
>
> Maybe edit the sample whiteorg or put a note at the top to help others?
>
> On Thu, Apr 29, 2021 at 10:05 AM K Post  wrote:
>
>> My assumption was wrong for as long as senderbase has been in ASSP then!
>> I'll be adding the $ end of line requirement to everything in senderbase
>> shortly.
>>
>> Is this also true of dkimAddresses and dkimNPAddresses?
>>
>> On Mon, Apr 26, 2021 at 2:50 AM Thomas Eckardt <
>> thomas.ecka...@thockar.com> wrote:
>>
>>> >I (maybe incorrectly) assumed that the *word boundary* was *automatically
>>> added* on the end.
>>>
>>> Hmm  what is causing this assumption reading the description of
>>> whiteSenderBase?
>>>
>>> *Whitelisted Organizations, Domains and Hosts in SenderBase**
>>> (whiteSenderBase)*
>>> If the organization, domain or hostname in the SenderBase IP description
>>> matches this Perl regular expression, the message will be considered
>>> non-spam. For example file:files/whiteorg.txt
>>> NOTICE: If only the hostname matches an entry and DoOrgWhiting is set to
>>> "whiting", the domain+organization pair will not be added to the white
>>> organizations!
>>>
>>>
>>> walmart.com.mx
>>>
>>> \bwalmart\.com - match
>>> \bwalmart\.com\b - match
>>> \bwalmart\.com$ - no match
>>>
>>> Thomas
>>>
>>>
>>>
>>>
>>>
>>>
>>> From: "K Post"
>>> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
>>> Date: 25.04.2021 12:25
>>> Subject: [Assp-test] Senderbase Matching Substring
>>> --
>>>
>>>
>>>
>>> For a long time, I've had
>>> \bwalmart\.com
>>> in my whiteSenderBase configuration.  Some of our staff shops at walmart
>>> and anything from Walmart's ip space should be considered white.  All good
>>> there.
>>>
>>> However, I had a bunch of spam slip through because of this overnight.
>>> When I did an analyze, I saw:
>>> 129.41.173.75 SenderBase: status=white SenderBase, data=[CN=US,
>>> ORG=ACOUSTIC-ATL-01, DOM=walmart.com.mx,
>>> BLS=, HNM=Y, CIDR=23, HN=mail9320.hayhouse.mkt9919.com]
>>>
>>> WhiteDomain Regex: whiteSenderBaseRE 'walmart.com'
>>> [scoring] SenderBase -- White Domain 'walmart.com'
>>> It's matching walmart.com.MX
>>>
>>> I've never put a \b at the end of config lines in whiteSenderBase, I
>>> (maybe incorrectly) assumed that the word boundary was automatically added
>>> on the end.
>>>
>>> Is the \b on the end necessary, if I don't want to match
>>> walmart.com.mx and only want to match
>>> walmart.com?   Is there another way, coding
>>> err

Re: [Assp-test] Senderbase Matching Substring

2021-04-29 Thread K Post
also, fyi, the sample file files/whiteorg.txt doesn't have $ to force it
only to match the line ending, which I believe is what I used to come up
with my incorrect assumption.  Putting in at least 1 example in that file
with a $ might help others not make the same mistake that I have.  My
money's on well more than half of the admins using ASSP haven't made the
same mistake.

In the sample file, everything starts with \b, clearly telling us that it
needs to be the start of a word, but no lines end with $ or even \b   For
example:

\bbank of america

When I see that, I think "we have the \b so that some scammer can't get
senderbase to have their network as 'BADbank of america' and get through
our filters."  That's logical, but I also assumed that because there isn't
a trailing \b (or actually $) that it's going to the end of the line.  Why
would someone put a \b at the beginning, but not care about "bank of
americascammer network" also being a match?

Maybe edit the sample whiteorg or put a note at the top to help others?

On Thu, Apr 29, 2021 at 10:05 AM K Post  wrote:

> My assumption was wrong for as long as senderbase has been in ASSP then!
> I'll be adding the $ end of line requirement to everything in senderbase
> shortly.
>
> Is this also true of dkimAddresses and dkimNPAddresses?
>
> On Mon, Apr 26, 2021 at 2:50 AM Thomas Eckardt 
> wrote:
>
>> >I (maybe incorrectly) assumed that the *word boundary* was *automatically
>> added* on the end.
>>
>> Hmm  what is causing this assumption reading the description of
>> whiteSenderBase?
>>
>> *Whitelisted Organizations, Domains and Hosts in SenderBase**
>> (whiteSenderBase)*
>> If the organization, domain or hostname in the SenderBase IP description
>> matches this Perl regular expression, the message will be considered
>> non-spam. For example file:files/whiteorg.txt
>> NOTICE: If only the hostname matches an entry and DoOrgWhiting is set to
>> "whiting", the domain+organization pair will not be added to the white
>> organizations!
>>
>>
>> walmart.com.mx
>>
>> \bwalmart\.com - match
>> \bwalmart\.com\b - match
>> \bwalmart\.com$ - no match
>>
>> Thomas
>>
>>
>>
>>
>>
>>
>> From: "K Post"
>> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
>> Date: 25.04.2021 12:25
>> Subject: [Assp-test] Senderbase Matching Substring
>> --
>>
>>
>>
>> For a long time, I've had
>> \bwalmart\.com
>> in my whiteSenderBase configuration.  Some of our staff shops at walmart
>> and anything from Walmart's ip space should be considered white.  All good
>> there.
>>
>> However, I had a bunch of spam slip through because of this overnight.
>> When I did an analyze, I saw:
>> 129.41.173.75 SenderBase: status=white SenderBase, data=[CN=US,
>> ORG=ACOUSTIC-ATL-01, DOM=walmart.com.mx, BLS=,
>> HNM=Y, CIDR=23, HN=mail9320.hayhouse.mkt9919.com]
>>
>> WhiteDomain Regex: whiteSenderBaseRE 'walmart.com'
>> [scoring] SenderBase -- White Domain 'walmart.com'
>> It's matching walmart.com.MX
>>
>> I've never put a \b at the end of config lines in whiteSenderBase, I
>> (maybe incorrectly) assumed that the word boundary was automatically added
>> on the end.
>>
>> Is the \b on the end necessary, if I don't want to match walmart.com.mx
>> and only want to match walmart.com?   Is there another way, coding error, config
>> mistake, etc?
>>
>> Thanks!
>> ___
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>>
>>
>>
>>
>> DISCLAIMER:
>> ***
>> This email and any files transmitted with it may be confidential, legally
>> privileged and protected in law and are intended solely for the use of the
>> individual to whom it is addressed.
>> This email was multiple times scanned for viruses. There should be no
>> known virus in this email!
>> ***
>>


Re: [Assp-test] Senderbase Matching Substring

2021-04-29 Thread K Post
My assumption was wrong for as long as senderbase has been in ASSP then!
I'll be adding the $ end of line requirement to everything in senderbase
shortly.

Is this also true of dkimAddresses and dkimNPAddresses?

On Mon, Apr 26, 2021 at 2:50 AM Thomas Eckardt 
wrote:

> >I (maybe incorrectly) assumed that the *word boundary* was *automatically
> added* on the end.
>
> Hmm  what is causing this assumption reading the description of
> whiteSenderBase?
>
> *Whitelisted Organizations, Domains and Hosts in SenderBase**
> (whiteSenderBase)*
> If the organization, domain or hostname in the SenderBase IP description
> matches this Perl regular expression, the message will be considered
> non-spam. For example file:files/whiteorg.txt
> NOTICE: If only the hostname matches an entry and DoOrgWhiting is set to
> "whiting", the domain+organization pair will not be added to the white
> organizations!
>
>
> walmart.com.mx
>
> \bwalmart\.com - match
> \bwalmart\.com\b - match
> \bwalmart\.com$ - no match
>
> Thomas
>
>
>
>
>
>
> From: "K Post"
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 25.04.2021 12:25
> Subject: [Assp-test] Senderbase Matching Substring
> --
>
>
>
> For a long time, I've had
> \bwalmart\.com
> in my whiteSenderBase configuration.  Some of our staff shops at walmart
> and anything from Walmart's ip space should be considered white.  All good
> there.
>
> However, I had a bunch of spam slip through because of this overnight.
> When I did an analyze, I saw:
> 129.41.173.75 SenderBase: status=white SenderBase, data=[CN=US,
> ORG=ACOUSTIC-ATL-01, DOM=walmart.com.mx, BLS=,
> HNM=Y, CIDR=23, HN=mail9320.hayhouse.mkt9919.com]
>
> WhiteDomain Regex: whiteSenderBaseRE 'walmart.com'
> [scoring] SenderBase -- White Domain 'walmart.com'
> It's matching walmart.com.MX
>
> I've never put a \b at the end of config lines in whiteSenderBase, I
> (maybe incorrectly) assumed that the word boundary was automatically added
> on the end.
>
> Is the \b on the end necessary, if I don't want to match walmart.com.mx
> and only want to match walmart.com?   Is there another way, coding error, config
> mistake, etc?
>
> Thanks!


Re: [Assp-test] Senderbase Matching Substring

2021-04-25 Thread Thomas Eckardt
>I (maybe incorrectly) assumed that the word boundary was automatically 
added on the end.

Hmm  what is causing this assumption reading the description of
whiteSenderBase?

Whitelisted Organizations, Domains and Hosts in SenderBase** 
(whiteSenderBase)
If the organization, domain or hostname in the SenderBase IP description 
matches this Perl regular expression, the message will be considered 
non-spam. For example file:files/whiteorg.txt
NOTICE: If only the hostname matches an entry and DoOrgWhiting is set to 
"whiting", the domain+organization pair will not be added to the white 
organizations!


walmart.com.mx

\bwalmart\.com - match
\bwalmart\.com\b - match
\bwalmart\.com$ - no match

Thomas






From: "K Post"
To: "ASSP development mailing list"
Date: 25.04.2021 12:25
Subject: [Assp-test] Senderbase Matching Substring



For a long time, I've had 
\bwalmart\.com
in my whiteSenderBase configuration.  Some of our staff shops at walmart 
and anything from Walmart's ip space should be considered white.  All good 
there.

However, I had a bunch of spam slip through because of this overnight.  
When I did an analyze, I saw:
129.41.173.75 SenderBase: status=white SenderBase, data=[CN=US, 
ORG=ACOUSTIC-ATL-01, DOM=walmart.com.mx, BLS=, HNM=Y, CIDR=23, HN=
mail9320.hayhouse.mkt9919.com]

WhiteDomain Regex: whiteSenderBaseRE 'walmart.com'
[scoring] SenderBase -- White Domain 'walmart.com'
It's matching walmart.com.MX

I've never put a \b at the end of config lines in whiteSenderBase, I 
(maybe incorrectly) assumed that the word boundary was automatically added 
on the end.   

Is the \b on the end necessary, if I don't want to match walmart.com.mx 
and only want to match walmart.com?   Is there another way, coding error, 
config mistake, etc?

Thanks!


[Assp-test] Senderbase Matching Substring

2021-04-25 Thread K Post
For a long time, I've had
\bwalmart\.com
in my whiteSenderBase configuration.  Some of our staff shops at walmart
and anything from Walmart's ip space should be considered white.  All good
there.

However, I had a bunch of spam slip through because of this overnight.
When I did an analyze, I saw:

129.41.173.75 SenderBase: status=white SenderBase, data=[CN=US,
ORG=ACOUSTIC-ATL-01, DOM=walmart.com*.mx*, BLS=, HNM=Y, CIDR=23, HN=
mail9320.hayhouse.mkt9919.com]

WhiteDomain Regex: whiteSenderBaseRE 'walmart.com'
[scoring] SenderBase -- White Domain 'walmart.com'

It's matching walmart.com*.MX*

I've never put a \b at the end of config lines in whiteSenderBase, I (maybe
incorrectly) assumed that the word boundary was automatically added on the
end.

Is the \b on the end necessary, if I don't want to match walmart.com.mx and
only want to match walmart.com?   Is there another way, coding error,
config mistake, etc?

Thanks!


Re: [Assp-test] SenderBase still working?

2020-03-20 Thread Thomas Eckardt
I don't see any issue for Senderbase.
Notice - ironport is limiting the queries for a single connecting IP per 
day. I recommend to set 'enableWhois' to 'SenderBase first'.

Thomas




From: "Mr. Courtney Creighton"
To: assp-test@lists.sourceforge.net
Date: 20.03.2020 03:24
Subject: [Assp-test] SenderBase still working?



Hi,
Is anyone else currently seeing good SenderBase answers? That it's all 
working properly?

I am not seeing anything regarding SB for about the last week or so. I 
turned on debug logging, and get all answers - apparently for all ip 
addresses - as "warning: SenderBase: No SenderBase DNS answer received for 
x.x.x.x".

This issue does somewhat closely coincide with a server migration, and an 
upgrade to Perl 5.30.1, so I'm trying to find out if there are 
pre-requisites or dependencies that I'm missing. Network-wise, DNS seems 
to be working for everything else, and I'm using the same firewall config.

thanks,
-C


[Assp-test] SenderBase still working?

2020-03-19 Thread Mr. Courtney Creighton

Hi,
Is anyone else currently seeing good SenderBase answers? That it's all 
working properly?


I am not seeing anything regarding SB for about the last week or so. I 
turned on debug logging, and get all answers - apparently for all ip 
addresses - as "warning: SenderBase: No SenderBase DNS answer received 
for x.x.x.x".


This issue does somewhat closely coincide with a server migration, and 
an upgrade to Perl 5.30.1, so I'm trying to find out if there are 
pre-requisites or dependencies that I'm missing. Network-wise, DNS seems 
to be working for everything else, and I'm using the same firewall config.


thanks,
-C


Re: [Assp-test] Senderbase domains

2018-01-12 Thread K Post
I can't believe I did that.  Thanks!

On Fri, Jan 12, 2018 at 1:59 AM, Thomas Eckardt 
wrote:

> >\bsparkpostmail\.com->-20
>
>
> \bsparkpostmail\.com=>-20
>
> should work
>
>
>
>
> From: "K Post"
> To: "ASSP development mailing list"  net>
> Date: 09.01.2018 15:39
> Subject: [Assp-test] Senderbase domains
> --
>
>
>
> In my whiteSenderBase file, I have this line:
>
> \bsparkpostmail\.com->-20
>
> I would expect this to add a negative 20 score (subtract 20 from the
> running score) of a message if senderbase detects that a message matches
> SparkPostMail.com in either the hostname, the domain or the network name.
>
> I recently saw a message go to spam because it had a score of 50.  Now
> granted, the content was pretty spammy in my opinion, but I would think
> that the total score would have been 30 after the 20 point deduction due to
> senderbase matching.
>
> Received: from mta289c.sparkpostmail.com ([52.10.151.25] helo=
> mta289c.sparkpostmail.com)
>
> X-ASSP-Message-Score: 50 (HMM Probability: 1.0)
> X-ASSP-IP-Score: 50 (HMM Probability: 1.0)
> X-ASSP-HMM-Spam-Prob: 1.0
> X-ASSP-HMM-Confidence: 0.07696
> X-ASSP-Tag: MessageLimit
> X-ASSP-Spam-Reason: MessageScore 50, limit 50
> X-ASSP-Message-Totalscore: 50
>
> If I look up 52.10.151.25 in senderbase, I get:
> OWNER DETAILS
> IP ADDRESS 52.10.151.25
> FWD/REV DNS MATCH Yes
> HOSTNAME mta289c.sparkpostmail.com
> DOMAIN sparkpostmail.com
> NETWORK OWNER Amazon.com
>
> shouldn't this match my \bsparkpostmail\.com->-20 line based on the DOMAIN
> entry in senderbase?
>
>
> 


Re: [Assp-test] Senderbase domains

2018-01-11 Thread Thomas Eckardt
>\bsparkpostmail\.com->-20


\bsparkpostmail\.com=>-20

should work




From: "K Post"
To: "ASSP development mailing list"
Date: 09.01.2018 15:39
Subject: [Assp-test] Senderbase domains



In my whiteSenderBase file, I have this line:

\bsparkpostmail\.com->-20

I would expect this to add a negative 20 score (subtract 20 from the 
running score) of a message if senderbase detects that a message matches 
SparkPostMail.com in either the hostname, the domain or the network 
name.  

I recently saw a message go to spam because it had a score of 50.  Now 
granted, the content was pretty spammy in my opinion, but I would think 
that the total score would have been 30 after the 20 point deduction due 
to senderbase matching.

Received: from mta289c.sparkpostmail.com ([52.10.151.25] helo=
mta289c.sparkpostmail.com)

X-ASSP-Message-Score: 50 (HMM Probability: 1.0)
X-ASSP-IP-Score: 50 (HMM Probability: 1.0)
X-ASSP-HMM-Spam-Prob: 1.0
X-ASSP-HMM-Confidence: 0.07696
X-ASSP-Tag: MessageLimit
X-ASSP-Spam-Reason: MessageScore 50, limit 50
X-ASSP-Message-Totalscore: 50

If I look up 52.10.151.25 in senderbase, I get:
OWNER DETAILS
IP ADDRESS 52.10.151.25
FWD/REV DNS MATCH Yes
HOSTNAME mta289c.sparkpostmail.com
DOMAIN sparkpostmail.com
NETWORK OWNER Amazon.com

shouldn't this match my \bsparkpostmail\.com->-20 line based on the DOMAIN 
entry in senderbase?




Re: [Assp-test] Senderbase domains

2018-01-11 Thread K Post
I don't know if something changed with senderbase results (maybe after the
Cisco Talos integration), but it doesn't seem like domain matches are
triggering a match anymore.  Did I miss something along the way where we
need to configure something differently to match not just hostname and
network, but also trigger a hit if the domain matches?

On Tue, Jan 9, 2018 at 9:38 AM, K Post  wrote:

> In my whiteSenderBase file, I have this line:
>
> \bsparkpostmail\.com->-20
>
> I would expect this to add a negative 20 score (subtract 20 from the
> running score) of a message if senderbase detects that a message matches
> SparkPostMail.com in either the hostname, the domain or the network name.
>
> I recently saw a message go to spam because it had a score of 50.  Now
> granted, the content was pretty spammy in my opinion, but I would think
> that the total score would have been 30 after the 20 point deduction due to
> senderbase matching.
>
> Received: from mta289c.sparkpostmail.com ([52.10.151.25] helo=
> mta289c.sparkpostmail.com)
>
> X-ASSP-Message-Score: 50 (HMM Probability: 1.0)
> X-ASSP-IP-Score: 50 (HMM Probability: 1.0)
> X-ASSP-HMM-Spam-Prob: 1.0
> X-ASSP-HMM-Confidence: 0.07696
> X-ASSP-Tag: MessageLimit
> X-ASSP-Spam-Reason: MessageScore 50, limit 50
> X-ASSP-Message-Totalscore: 50
>
> If I look up 52.10.151.25 in senderbase, I get:
> OWNER DETAILS
> IP ADDRESS 52.10.151.25
> FWD/REV DNS MATCH Yes
> HOSTNAME mta289c.sparkpostmail.com
> DOMAIN sparkpostmail.com
> NETWORK OWNER Amazon.com
>
> shouldn't this match my \bsparkpostmail\.com->-20 line based on the DOMAIN
> entry in senderbase?
>
>
>


[Assp-test] Senderbase domains

2018-01-09 Thread K Post
In my whiteSenderBase file, I have this line:

\bsparkpostmail\.com->-20

I would expect this to add a negative 20 score (subtract 20 from the
running score) of a message if senderbase detects that a message matches
SparkPostMail.com in either the hostname, the domain or the network name.

I recently saw a message go to spam because it had a score of 50.  Now
granted, the content was pretty spammy in my opinion, but I would think
that the total score would have been 30 after the 20 point deduction due to
senderbase matching.

Received: from mta289c.sparkpostmail.com ([52.10.151.25] helo=
mta289c.sparkpostmail.com)

X-ASSP-Message-Score: 50 (HMM Probability: 1.0)
X-ASSP-IP-Score: 50 (HMM Probability: 1.0)
X-ASSP-HMM-Spam-Prob: 1.0
X-ASSP-HMM-Confidence: 0.07696
X-ASSP-Tag: MessageLimit
X-ASSP-Spam-Reason: MessageScore 50, limit 50
X-ASSP-Message-Totalscore: 50

If I look up 52.10.151.25 in senderbase, I get:
OWNER DETAILS
IP ADDRESS 52.10.151.25
FWD/REV DNS MATCH Yes
HOSTNAME mta289c.sparkpostmail.com
DOMAIN sparkpostmail.com
NETWORK OWNER Amazon.com

shouldn't this match my \bsparkpostmail\.com->-20 line based on the DOMAIN
entry in senderbase?


Re: [Assp-test] Senderbase Top Senders by IP useful info to ASSP?

2016-10-19 Thread Thomas Eckardt
Ironport is close to zen.spamhaus.org .
use dnsbl to score on reputation
use senderbase to detect orgs and countries by IP

Notice: senderbase is not free for everyone - it can be used as long as 
CISCO allows it. The fallback for senderbase in assp is WHOIS-IP - and 
this one has no reputation information!

Thomas




From:    K Post
To:      ASSP development mailing list
Date:    18.10.2016 16:05
Subject: [Assp-test] Senderbase Top Senders by IP useful info to ASSP?



Any value in using Senderbase's top senders by IP (assuming there's an API
or other method to access this info)?

http://www.senderbase.org/static/email/#tab=1

I've been thinking about looking at the top 100 senders for the day, only
considering the POOR reputation ones and having ASSP score that.

Senderbase in general is a great resource, but when you have shared
providers like Amazon AWS, who anyone can send from, it would be nice to
have Senderbase's opinion of the IP itself.  We could score the   Sure, we
already have DNSBL, but this would be another score to consider.

Or maybe I'm really just getting at using a senderbase poor reputation as a
scoring factor for ASSP vs only looking at the top senders:
http://www.senderbase.org/lookup/ip/?search_string=52.38.45.34
shows this specific IP as poor, really poor considering the increase in
volume, but AFAIK ASSP won't use that info unless that IP or AmazonAWS is
in BlackSenderbase right??

All of this of course is a moot point if ASSP can't access this info via a
DNS query or some other method.


[Assp-test] Senderbase Top Senders by IP useful info to ASSP?

2016-10-18 Thread K Post
Any value in using Senderbase's top senders by IP (assuming there's an API
or other method to access this info)?

http://www.senderbase.org/static/email/#tab=1

I've been thinking about looking at the top 100 senders for the day, only
considering the POOR reputation ones and having ASSP score that.

Senderbase in general is a great resource, but when you have shared
providers like Amazon AWS, who anyone can send from, it would be nice to
have Senderbase's opinion of the IP itself.  We could score the   Sure, we
already have DNSBL, but this would be another score to consider.

Or maybe I'm really just getting at using a senderbase poor reputation as a
scoring factor for ASSP vs only looking at the top senders:
http://www.senderbase.org/lookup/ip/?search_string=52.38.45.34
shows this specific IP as poor, really poor considering the increase in
volume, but AFAIK ASSP won't use that info unless that IP or AmazonAWS is
in BlackSenderbase right??

All of this of course is a moot point if ASSP can't access this info via a
DNS query or some other method.


Re: [Assp-test] Senderbase not always matching domain

2015-05-10 Thread K Post
Here's another:
195.129.79.64.query.senderbase.org  text =

"0-0=1|1=SWITCH COMMUNICATIONS GROUP LLC|2=6.1|3=6.1|6=0|7=17|8=102080|9=828|20=smtp6.boydgaming.net|21=switchnap.com|22=Y|23=6.1|24=6.1|25=1204898656|40=4.8|41=4.4|43=4.6|44=7.8|45=N|46=21|48=24|50=Las Vegas|51=NV|52=89101|53=US|54=-115.137|55=36.175"

I've got boydgaming\.net in white org, but analyze doesn't show a hit.

On Fri, May 8, 2015 at 12:02 PM, K Post  wrote:

> Thanks for sticking with this!  I'm sorry, but I don't quite follow.
>
> 153.69.214.203 shows a hostname when I query Senderbase
> 0-0=1|1=NCR CORPORATION|2=6.2|3=6.2|6=0|7=2|8=3410716|9=4530|20=csmail03.ncrwebhost.com|22=Y|40=4.6|41=4.5|43=4.4|44=12.2|45=N|46=11|48=24|50=Duluth|51=GA|52=30096|53=US|54=-84.1494|55=33.9791
>
>
> However, in the analyze GUI, it shows:
> 153.69.214.203 SenderBase: status=not classified, data=US, NCR
> CORPORATION, , , Y, 11
>
> I don't understand why the gui wouldn't show the hostname.
>
>
> On Fri, May 8, 2015 at 11:58 AM, Thomas Eckardt <
> thomas.ecka...@thockar.com> wrote:
>
>> It shows the same that is stored in the cache - more is not used by assp.
>>
>>
>>
>>
>>
>> From:    K Post
>> To:      ASSP development mailing list
>> Date:    08.05.2015 17:52
>> Subject: Re: [Assp-test] Senderbase not always matching domain
>>
>>
>>
>> I hear ya...
>>
>> What about the senderbase result as it appears in the analyze gui?  Why
>> isn't this showing the hostname?
>>
>>
>> On Fri, May 8, 2015 at 11:46 AM, Thomas Eckardt
>> 
>> wrote:
>>
>> > >1) Is there a way to have Senderbase return the DOMAIN that it's guessing?
>> >
>> > ASSP has to take what it gets - DNS is used - return values are the same
>> > like in nslookup or other DNS tools.
>> >
>> > 2) Is there a way to specify in the White Org file that ASSP uses to only
>> >
>> > the 'White Org file' (regex) is checked against the SB-org and the domain -
>> > no other way.
>> >
>> > Thomas
>> >
>> >
>> >
>> >
>> > From:    K Post
>> > To:      ASSP development mailing list
>> > Date:    08.05.2015 16:31
>> > Subject: Re: [Assp-test] Senderbase not always matching domain
>> >
>> >
>> >
>> > Thank you both for sticking with this.
>> >
>> > Greyhat, my name's Ken :)  Seriously though, the Force has taught me
>> that
>> > you need to reverse the IP, which makes much more sense.  Thanks.
>> >
>> > Thomas, I know ASSP uses DNS, I just didn't know if it was querying
>> > differently than I was testing - and it is, the RIGHT way - reversing
>> the
>> > IP.
>> >
>> > I now see the hostname being returned, and I can match on that through a
>> > regex.  Doesn't that open up vulnerability though if a spammer has their
>> > SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely,
>> probably
>> > not, but it's what I would do if I were trying to send spam appearing to
>> > be
>> > from Delta - or worse, one of the banks.
>> >
>> > My language was also incorrect in my original post.  I talked about
>> > hostname, but what I'd really like to do is match on the "guess" DOMAIN
>> > name that the senderbase website shows, in this case e.delta.com.  So:
>> > 1) Is there a way to have Senderbase return the DOMAIN that it's
>> guessing?
>> > 2) Is there a way to specify in the White Org file that ASSP uses to
>> only
>> > match against network name, hostname, or domain name?
>> >
>> >
>> >
>> >
>> > On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt
>> > 
>> > wrote:
>> >
>> > > ASSP uses DNS queries for Senderbase.
>> > >
>> > > Thomas
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > From:    K Post
>> > > To:      ASSP development mailing list
>> > > Date:    07.05.2015 20:36
>> > > Subject: Re: [Assp-test] Senderbase not always matching domain
>> > >
>> > >
>> > >
>> > > It doesn't seem like the domain is being returned, just the network name,
>> > > so a lot of domains that should result in a white org score, ar

Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread K Post
Thanks for sticking with this!  I'm sorry, but I don't quite follow.

153.69.214.203 shows a hostname when I query Senderbase
0-0=1|1=NCR CORPORATION|2=6.2|3=6.2|6=0|7=2|8=3410716|9=4530|20=csmail03.ncrwebhost.com|22=Y|40=4.6|41=4.5|43=4.4|44=12.2|45=N|46=11|48=24|50=Duluth|51=GA|52=30096|53=US|54=-84.1494|55=33.9791


However, in the analyze GUI, it shows:
153.69.214.203 SenderBase: status=not classified, data=US, NCR CORPORATION,
, , Y, 11

I don't understand why the gui wouldn't show the hostname.


On Fri, May 8, 2015 at 11:58 AM, Thomas Eckardt 
wrote:

> It shows the same that is stored in the cache - more is not used by assp.
>
>
>
>
>
> From:    K Post
> To:      ASSP development mailing list
> Date:    08.05.2015 17:52
> Subject: Re: [Assp-test] Senderbase not always matching domain
>
>
>
> I hear ya...
>
> What about the senderbase result as it appears in the analyze gui?  Why
> isn't this showing the hostname?
>
>
> On Fri, May 8, 2015 at 11:46 AM, Thomas Eckardt
> 
> wrote:
>
> > >1) Is there a way to have Senderbase return the DOMAIN that it's guessing?
> >
> > ASSP has to take what it gets - DNS is used - return values are the same
> > like in nslookup or other DNS tools.
> >
> > 2) Is there a way to specify in the White Org file that ASSP uses to only
> >
> > the 'White Org file' (regex) is checked against the SB-org and the domain -
> > no other way.
> >
> > Thomas
> >
> >
> >
> >
> > From:    K Post
> > To:      ASSP development mailing list
> > Date:    08.05.2015 16:31
> > Subject: Re: [Assp-test] Senderbase not always matching domain
> >
> >
> >
> > Thank you both for sticking with this.
> >
> > Greyhat, my name's Ken :)  Seriously though, the Force has taught me
> that
> > you need to reverse the IP, which makes much more sense.  Thanks.
> >
> > Thomas, I know ASSP uses DNS, I just didn't know if it was querying
> > differently than I was testing - and it is, the RIGHT way - reversing
> the
> > IP.
> >
> > I now see the hostname being returned, and I can match on that through a
> > regex.  Doesn't that open up vulnerability though if a spammer has their
> > SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely,
> probably
> > not, but it's what I would do if I were trying to send spam appearing to
> > be
> > from Delta - or worse, one of the banks.
> >
> > My language was also incorrect in my original post.  I talked about
> > hostname, but what I'd really like to do is match on the "guess" DOMAIN
> > name that the senderbase website shows, in this case e.delta.com.  So:
> > 1) Is there a way to have Senderbase return the DOMAIN that it's
> guessing?
> > 2) Is there a way to specify in the White Org file that ASSP uses to
> only
> > match against network name, hostname, or domain name?
> >
> >
> >
> >
> > On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt
> > 
> > wrote:
> >
> > > ASSP uses DNS queries for Senderbase.
> > >
> > > Thomas
> > >
> > >
> > >
> > >
> > >
> > > From:    K Post
> > > To:      ASSP development mailing list
> > > Date:    07.05.2015 20:36
> > > Subject: Re: [Assp-test] Senderbase not always matching domain
> > >
> > >
> > >
> > > It doesn't seem like the domain is being returned, just the network name,
> > > so a lot of domains that should result in a white org score, aren't hitting.
> > > This doesn't appear to be an ASSP problem
> > >
> > > I just did a lookup for the ip 38.100.169.66
> > > At the senderbase website, it shows a domain of e.delta.com, which I
> > have
> > > whitelisted (Delta Airlines)
> > >
> > > However, a nslookup for the txt record only shows
> > > 38.100.169.66.query.senderbase.org  text =
> > >
> > > "0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|53=US|54=-97.3972|55=32.7807"
> > >
> > > Nowhere do I see e.delta.com which explains why ASSP isn't matching. Is
> > > this the same way that ASSP queries senderbase?  Is there a way to have
> > > ASSP ask senderbase to return th
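
The matching this thread is trying to debug, as an added example (Python, not ASSP's own Perl code and not part of the original posts): it parses the SenderBase TXT answers quoted in the thread and applies whiteSenderBase-style `regex->score` lines to the organisation and domain fields, which is what Thomas's reply says is checked. Assumptions: field 21 is the domain and 22 the forward/reverse DNS flag (read off the quoted answers), matching is case-insensitive, and the function names and the two sparkpostmail records are constructed for illustration.

```python
import re

# Field numbers in a SenderBase TXT answer. 20 = hostname is stated in the
# thread; 1, 21, 22 and 53 are read off the quoted answers (assumptions).
ORG, HOSTNAME, DOMAIN, FWD_REV_MATCH, COUNTRY = "1", "20", "21", "22", "53"

# TXT answers quoted in the thread, with the mail line-wrapping undone.
NCR_TXT = ('"0-0=1|1=NCR CORPORATION|2=6.2|3=6.2|6=0|7=2|8=3410716|9=4530|'
           '20=csmail03.ncrwebhost.com|22=Y|40=4.6|41=4.5|43=4.4|44=12.2|'
           '45=N|46=11|48=24|50=Duluth|51=GA|52=30096|53=US|54=-84.1494|'
           '55=33.9791"')
BOYD_TXT = ('"0-0=1|1=SWITCH COMMUNICATIONS GROUP LLC|2=6.1|3=6.1|6=0|7=17|'
            '8=102080|9=828|20=smtp6.boydgaming.net|21=switchnap.com|22=Y|'
            '23=6.1|24=6.1|25=1204898656|40=4.8|41=4.4|43=4.6|44=7.8|45=N|'
            '46=21|48=24|50=Las Vegas|51=NV|52=89101|53=US|54=-115.137|'
            '55=36.175"')
# Constructed records (not from the thread): a genuine and a look-alike domain.
GENUINE_TXT = ('"0-0=1|1=EXAMPLE CLOUD|20=mta1.sparkpostmail.com|'
               '21=sparkpostmail.com|22=Y|53=US"')
LOOKALIKE_TXT = ('"0-0=1|1=EXAMPLE HOSTING|20=mx.not-sparkpostmail.com|'
                 '21=not-sparkpostmail.com|22=Y|53=US"')


def query_name(ip):
    """DNS name to query: the IPv4 octets reversed, as noted in the thread."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + ".query.senderbase.org"


def parse_txt(txt):
    """Turn 'key=value|key=value|...' into a dict keyed by field number."""
    fields = {}
    for part in txt.strip().strip('"').split("|"):
        key, sep, value = part.partition("=")
        if sep:  # ignore fragments without '='
            fields[key.strip()] = value.strip()
    return fields


def parse_rule(line):
    """Split a 'regex->score' line such as \\bsparkpostmail\\.com->-20."""
    pattern, sep, points = line.strip().rpartition("->")
    if not sep:
        raise ValueError("rule has no '->score' part: %r" % line)
    return re.compile(pattern, re.IGNORECASE), int(points)


def score(fields, rules, checked=(ORG, DOMAIN)):
    """Sum the score of every rule matching one of the checked fields.

    The hostname (20) is only considered when a caller adds it to 'checked'
    and the record says forward and reverse DNS agree (22=Y), because reverse
    DNS alone is set by whoever controls the IP block.
    """
    total, hits = 0, []
    for line in rules:
        regex, points = parse_rule(line)
        for key in checked:
            if key == HOSTNAME and fields.get(FWD_REV_MATCH) != "Y":
                continue
            value = fields.get(key, "")
            if value and regex.search(value):
                total += points
                hits.append((line, key, value))
                break  # one hit per rule is enough
    return total, hits


if __name__ == "__main__":
    boyd = parse_txt(BOYD_TXT)
    rule = [r"boydgaming\.net->-20"]
    print(query_name("64.79.129.195"))
    print("org + domain only:", score(boyd, rule))
    print("hostname included:", score(boyd, rule, checked=(ORG, DOMAIN, HOSTNAME)))
    lookalike = parse_txt(LOOKALIKE_TXT)
    for line in (r"\bsparkpostmail\.com->-20", r"^sparkpostmail\.com$->-20"):
        print(line, "on look-alike domain:", score(lookalike, [line])[0])
```

Run against the boydgaming answer, the rule only hits once the hostname field is included, which is consistent with the missing hit reported in the thread; the last two lines show why a `\b` prefix still scores a hyphenated look-alike domain while `^...$` does not.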

Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread Thomas Eckardt
It shows the same that is stored in the cache - more is not used by assp.





From:    K Post
To:      ASSP development mailing list
Date:    08.05.2015 17:52
Subject: Re: [Assp-test] Senderbase not always matching domain



I hear ya...

What about the senderbase result as it appears in the analyze gui?  Why
isn't this showing the hostname?


On Fri, May 8, 2015 at 11:46 AM, Thomas Eckardt 

wrote:

> >1) Is there a way to have Senderbase return the DOMAIN that it's guessing?
>
> ASSP has to take what it gets - DNS is used - return values are the same
> like in nslookup or other DNS tools.
>
> 2) Is there a way to specify in the White Org file that ASSP uses to only
>
> the 'White Org file' (regex) is checked against the SB-org and the domain -
> no other way.
>
> Thomas
>
>
>
>
> From:    K Post
> To:      ASSP development mailing list
> Date:    08.05.2015 16:31
> Subject: Re: [Assp-test] Senderbase not always matching domain
>
>
>
> Thank you both for sticking with this.
>
> Greyhat, my name's Ken :)  Seriously though, the Force has taught me 
that
> you need to reverse the IP, which makes much more sense.  Thanks.
>
> Thomas, I know ASSP uses DNS, I just didn't know if it was querying
> differently than I was testing - and it is, the RIGHT way - reversing 
the
> IP.
>
> I now see the hostname being returned, and I can match on that through a
> regex.  Doesn't that open up vulnerability though if a spammer has their
> SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely, 
probably
> not, but it's what I would do if I were trying to send spam appearing to
> be
> from Delta - or worse, one of the banks.
>
> My language was also incorrect in my original post.  I talked about
> hostname, but what I'd really like to do is match on the "guess" DOMAIN
> name that the senderbase website shows, in this case e.delta.com.  So:
> 1) Is there a way to have Senderbase return the DOMAIN that it's 
guessing?
> 2) Is there a way to specify in the White Org file that ASSP uses to 
only
> match against network name, hostname, or domain name?
>
>
>
>
> On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt
> 
> wrote:
>
> > ASSP uses DNS queries for Senderbase.
> >
> > Thomas
> >
> >
> >
> >
> >
> > From:    K Post
> > To:      ASSP development mailing list
> > Date:    07.05.2015 20:36
> > Subject: Re: [Assp-test] Senderbase not always matching domain
> >
> >
> >
> > It doesn't seem like the domain is being returned, just the network name,
> > so a lot of domains that should result in a white org score, aren't hitting.
> > This doesn't appear to be an ASSP problem
> >
> > I just did a lookup for the ip 38.100.169.66
> > At the senderbase website, it shows a domain of e.delta.com, which I
> have
> > whitelisted (Delta Airlines)
> >
> > However, a nslookup for the txt record only shows
> > 38.100.169.66.query.senderbase.org  text =
> >
> > "0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|53=US|54=-97.3972|55=32.7807"
> >
> > Nowhere do I see e.delta.com which explains why ASSP isn't matching. Is
> > this the same way that ASSP queries senderbase?  Is there a way to have
> > ASSP ask senderbase to return the best guess domain name just like
> > SenderBase does on its website?  That would solve the problem where the
> > netblock is a major carrier, that carrier can't be whitelisted, but the
> > domain that's returned (or hostname) is whitelisted.
> >
> >
> >
> >
> >
> >
> > On Tue, May 5, 2015 at 5:34 PM, K Post  wrote:
> >
> > > SenderBaseLog was set to standard before.  Set it to diagnostic.
> > >
> > > On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <
> > > thomas.ecka...@thockar.com> wrote:
> > >
> > >> > > but where's the senderbase line in the log?
> > >>
> > >> check SenderBaseLog
> > >>
> > >> Thomas
> > >>
> > >>
> > >>
> > >>
> > >> From:    K Post
> > >> To:      ASSP development mailing list
> > >> Date:    05.05.2015 18:21
> > >> Subject: Re: [Assp-test] Senderbase not always matching domain
> > >>
> > >>
> > >>
> > >> >good point but I've no ans

Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread K Post
OH - so senderbase is only looking at the network name?  If that's the
case, the sample whiteorg.txt file at
http://assp.cvs.sourceforge.net/viewvc/assp/assp2/files/whiteorg.txt threw
me off based on its listings.

Does this mean that for something like Delta Airlines, who doesn't
generally send from a network that Senderbase identifies as theirs, that
we'd have to match against a giant network like Cogent instead of the
hostname or better domain name that senderbase sees?




On Fri, May 8, 2015 at 11:50 AM, Thomas Eckardt 
wrote:

> >Shouldn't it?
>
> No - it is not used.
>
> >, , Y, 11
>
> the Y shows that the hostname matches the IP
>
> Thomas
>
>
>
> From:    K Post
> To:      ASSP development mailing list
> Date:    08.05.2015 17:11
> Subject: Re: [Assp-test] Senderbase not always matching domain
>
>
>
> And here's another, also from a delta.com address, this time them sending
> (legitimate) boarding passes.
>
> Came from IP 153.69.214.203
>
> querying
> 203.214.69.153.query.senderbase.org (yes I reversed it)
> returns
> 0-0=1|1=NCR CORPORATION|2=6.2|3=6.2|6=0|7=2|8=3410716|9=4530|20=csmail03.ncrwebhost.com|22=Y|40=4.6|41=4.5|43=4.4|44=12.2|45=N|46=11|48=24|50=Duluth|51=GA|52=30096|53=US|54=-84.1494|55=33.9791
>
> parameter 20 shows the hostname
>
> However, in the analyze GUI, it shows:
> 153.69.214.203 SenderBase: status=not classified, data=US, NCR
> CORPORATION,
> , , Y, 11
> The hostname doesn't appear.  Shouldn't it?
>
>
>
> On Fri, May 8, 2015 at 10:28 AM, K Post  wrote:
>
> > Thank you both for sticking with this.
> >
> > Greyhat, my name's Ken :)  Seriously though, the Force has taught me
> that
> > you need to reverse the IP, which makes much more sense.  Thanks.
> >
> > Thomas, I know ASSP uses DNS, I just didn't know if it was querying
> > differently than I was testing - and it is, the RIGHT way - reversing
> the
> > IP.
> >
> > I now see the hostname being returned, and I can match on that through a
> > regex.  Doesn't that open up vulnerability though if a spammer has their
> > SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely,
> > probably not, but it's what I would do if I were trying to send spam
> > appearing to be from Delta - or worse, one of the banks.
> >
> > My language was also incorrect in my original post.  I talked about
> > hostname, but what I'd really like to do is match on the "guess" DOMAIN
> > name that the senderbase website shows, in this case e.delta.com.  So:
> > 1) Is there a way to have Senderbase return the DOMAIN that it's
> guessing?
> > 2) Is there a way to specify in the White Org file that ASSP uses to
> only
> > match against network name, hostname, or domain name?
> >
> >
> >
> >
> > On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt
>  > > wrote:
> >
> >> ASSP uses DNS queries for Senderbase.
> >>
> >> Thomas
> >>
> >>
> >>
> >>
> >>
> >> From:    K Post
> >> To:      ASSP development mailing list
> >> Date:    07.05.2015 20:36
> >> Subject: Re: [Assp-test] Senderbase not always matching domain
> >>
> >>
> >>
> >> It doesn't seem like the domain is being returned, just the network name,
> >> so a lot of domains that should result in a white org score, aren't hitting.
> >> This doesn't appear to be an ASSP problem
> >>
> >> I just did a lookup for the ip 38.100.169.66
> >> At the senderbase website, it shows a domain of e.delta.com, which I
> have
> >> whitelisted (Delta Airlines)
> >>
> >> However, a nslookup for the txt record only shows
> >> 38.100.169.66.query.senderbase.org  text =
> >>
> >> "0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|53=US|54=-97.3972|55=32.7807"
> >>
> >> Nowhere do I see e.delta.com which explains why ASSP isn't matching. Is
> >> this the same way that ASSP queries senderbase?  Is there a way to have
> >> ASSP ask senderbase to return the best guess domain name just like
> >> SenderBase does on its website?  That would solve the problem where the
> >> netblock is a major carrier, that carrier can't be whitelisted, but the
> >> domain that's returned (or hostname) is whitelist

Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread Thomas Eckardt
>Shouldn't it?

No - it is not used.

>, , Y, 11

the Y shows that the hostname matches the IP

Thomas



From:    K Post
To:      ASSP development mailing list
Date:    08.05.2015 17:11
Subject: Re: [Assp-test] Senderbase not always matching domain



And here's another, also from a delta.com address, this time them sending
(legitimate) boarding passes.

Came from IP 153.69.214.203

querying
203.214.69.153.query.senderbase.org (yes I reversed it)
returns
0-0=1|1=NCR CORPORATION|2=6.2|3=6.2|6=0|7=2|8=3410716|9=4530|20=csmail03.ncrwebhost.com|22=Y|40=4.6|41=4.5|43=4.4|44=12.2|45=N|46=11|48=24|50=Duluth|51=GA|52=30096|53=US|54=-84.1494|55=33.9791

parameter 20 shows the hostname

However, in the analyze GUI, it shows:
153.69.214.203 SenderBase: status=not classified, data=US, NCR 
CORPORATION,
, , Y, 11
The hostname doesn't appear.  Shouldn't it?



On Fri, May 8, 2015 at 10:28 AM, K Post  wrote:

> Thank you both for sticking with this.
>
> Greyhat, my name's Ken :)  Seriously though, the Force has taught me 
that
> you need to reverse the IP, which makes much more sense.  Thanks.
>
> Thomas, I know ASSP uses DNS, I just didn't know if it was querying
> differently than I was testing - and it is, the RIGHT way - reversing 
the
> IP.
>
> I now see the hostname being returned, and I can match on that through a
> regex.  Doesn't that open up vulnerability though if a spammer has their
> SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely,
> probably not, but it's what I would do if I were trying to send spam
> appearing to be from Delta - or worse, one of the banks.
>
> My language was also incorrect in my original post.  I talked about
> hostname, but what I'd really like to do is match on the "guess" DOMAIN
> name that the senderbase website shows, in this case e.delta.com.  So:
> 1) Is there a way to have Senderbase return the DOMAIN that it's 
guessing?
> 2) Is there a way to specify in the White Org file that ASSP uses to 
only
> match against network name, hostname, or domain name?
>
>
>
>
> On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt 
 > wrote:
>
>> ASSP uses DNS queries for Senderbase.
>>
>> Thomas
>>
>>
>>
>>
>>
>> From:    K Post
>> To:      ASSP development mailing list
>> Date:    07.05.2015 20:36
>> Subject: Re: [Assp-test] Senderbase not always matching domain
>>
>>
>>
>> It doesn't seem like the domain is being returned, just the network name,
>> so a lot of domains that should result in a white org score, aren't hitting.
>> This doesn't appear to be an ASSP problem
>>
>> I just did a lookup for the ip 38.100.169.66
>> At the senderbase website, it shows a domain of e.delta.com, which I 
have
>> whitelisted (Delta Airlines)
>>
>> However, a nslookup for the txt record only shows
>> 38.100.169.66.query.senderbase.org  text =
>>
>> "0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|53=US|54=-97.3972|55=32.7807"
>>
>> Nowhere do I see e.delta.com which explains why ASSP isn't matching. Is
>> this the same way that ASSP queries senderbase?  Is there a way to have
>> ASSP ask senderbase to return the best guess domain name just like
>> SenderBase does on its website?  That would solve the problem where the
>> netblock is a major carrier, that carrier can't be whitelisted, but the
>> domain that's returned (or hostname) is whitelisted.
>>
>>
>>
>>
>>
>>
>> On Tue, May 5, 2015 at 5:34 PM, K Post  wrote:
>>
>> > SenderBaseLog was set to standard before.  Set it to diagnostic.
>> >
>> > On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <
>> > thomas.ecka...@thockar.com> wrote:
>> >
>> >> > > but where's the senderbase line in the log?
>> >>
>> >> check SenderBaseLog
>> >>
>> >> Thomas
>> >>
>> >>
>> >>
>> >>
>> >> From:    K Post
>> >> To:      ASSP development mailing list
>> >> Date:    05.05.2015 18:21
>> >> Subject: Re: [Assp-test] Senderbase not always matching domain
>> >>
>> >>
>> >>
>> >> >good point but I've no answer, sounds like you found a bug
>> >> Hopefully Thomas will have some time to look into this.
>> >>
>> >> Thanks again.
>> >>
>> >> On Tu

Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread K Post
I hear ya...

What about the senderbase result as it appears in the analyze gui?  Why
isn't this showing the hostname?


On Fri, May 8, 2015 at 11:46 AM, Thomas Eckardt 
wrote:

> >1) Is there a way to have Senderbase return the DOMAIN that it's
> guessing?
>
> ASSP has to take what it gets - DNS is used - return values are the same
> like in nslookup or other DNS tools.
>
> 2) Is there a way to specify in the White Org file that ASSP uses to only
>
> the 'White Org file' (regex) is checked against the SB-org and the domain -
> no other way.
>
> Thomas
>
>
>
>
> From:    K Post
> To:      ASSP development mailing list
> Date:    08.05.2015 16:31
> Subject: Re: [Assp-test] Senderbase not always matching domain
>
>
>
> Thank you both for sticking with this.
>
> Greyhat, my name's Ken :)  Seriously though, the Force has taught me that
> you need to reverse the IP, which makes much more sense.  Thanks.
>
> Thomas, I know ASSP uses DNS, I just didn't know if it was querying
> differently than I was testing - and it is, the RIGHT way - reversing the
> IP.
>
> I now see the hostname being returned, and I can match on that through a
> regex.  Doesn't that open up vulnerability though if a spammer has their
> SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely, probably
> not, but it's what I would do if I were trying to send spam appearing to
> be
> from Delta - or worse, one of the banks.
>
> My language was also incorrect in my original post.  I talked about
> hostname, but what I'd really like to do is match on the "guess" DOMAIN
> name that the senderbase website shows, in this case e.delta.com.  So:
> 1) Is there a way to have Senderbase return the DOMAIN that it's guessing?
> 2) Is there a way to specify in the White Org file that ASSP uses to only
> match against network name, hostname, or domain name?
>
>
>
>
> On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt
> 
> wrote:
>
> > ASSP uses DNS queries for Senderbase.
> >
> > Thomas
> >
> >
> >
> >
> >
> > From:    K Post
> > To:      ASSP development mailing list
> > Date:    07.05.2015 20:36
> > Subject: Re: [Assp-test] Senderbase not always matching domain
> >
> >
> >
> > It doesn't seem like the domain is being returned, just the network name,
> > so a lot of domains that should result in a white org score, aren't hitting.
> > This doesn't appear to be an ASSP problem
> >
> > I just did a lookup for the ip 38.100.169.66
> > At the senderbase website, it shows a domain of e.delta.com, which I
> have
> > whitelisted (Delta Airlines)
> >
> > However, a nslookup for the txt record only shows
> > 38.100.169.66.query.senderbase.org  text =
> >
> > "0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|52=76114|53=US|54=-97.3972|55=32.7807"
> >
> > Nowhere do I see e.delta.com which explains why ASSP isn't matching. Is
> > this the same way that ASSP queries senderbase?  Is there a way to have
> > ASSP ask senderbase to return the best guess domain name just like
> > SenderBase does on its website?  That would solve the problem where the
> > netblock is a major carrier, that carrier can't be whitelisted, but the
> > domain that's returned (or hostname) is whitelisted.
> >
> >
> >
> >
> >
> >
> > On Tue, May 5, 2015 at 5:34 PM, K Post  wrote:
> >
> > > SenderBaseLog was set to standard before.  Set it to diagnostic.
> > >
> > > On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <
> > > thomas.ecka...@thockar.com> wrote:
> > >
> > >> > > but where's the senderbase line in the log?
> > >>
> > >> check SenderBaseLog
> > >>
> > >> Thomas
> > >>
> > >>
> > >>
> > >>
> > >> From:    K Post
> > >> To:      ASSP development mailing list
> > >> Date:    05.05.2015 18:21
> > >> Subject: Re: [Assp-test] Senderbase not always matching domain
> > >>
> > >>
> > >>
> > >> >good point but I've no answer, sounds like you found a bug
> > >> Hopefully Thomas will have some time to look into this.
> > >>
> > >> Thanks again.
> > >>
> > >> On Tue, May 5, 2015 at 

Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread Thomas Eckardt
>1) Is there a way to have Senderbase return the DOMAIN that it's guessing?

ASSP has to take what it gets - DNS is used - return values are the same
like in nslookup or other DNS tools.

2) Is there a way to specify in the White Org file that ASSP uses to only

the 'White Org file' (regex) is checked against the SB-org and the domain -
no other way.

Thomas




From: K Post
To: ASSP development mailing list
Date:  08.05.2015 16:31
Subject: Re: [Assp-test] Senderbase not always matching domain



Thank you both for sticking with this.

Greyhat, my name's Ken :)  Seriously though, the Force has taught me that
you need to reverse the IP, which makes much more sense.  Thanks.

Thomas, I know ASSP uses DNS, I just didn't know if it was querying
differently than I was testing - and it is, the RIGHT way - reversing the
IP.

I now see the hostname being returned, and I can match on that through a
regex.  Doesn't that open up vulnerability though if a spammer has their
SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely, probably
not, but it's what I would do if I were trying to send spam appearing to be
from Delta - or worse, one of the banks.

My language was also incorrect in my original post.  I talked about
hostname, but what I'd really like to do is match on the "guess" DOMAIN
name that the senderbase website shows, in this case e.delta.com.  So:
1) Is there a way to have Senderbase return the DOMAIN that it's guessing?
2) Is there a way to specify in the White Org file that ASSP uses to only
match against network name, hostname, or domain name?




On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt 

wrote:

> ASSP uses DNS queries for Senderbase.
>
> Thomas
>
>
>
>
>
> From: K Post
> To: ASSP development mailing list
> Date:  07.05.2015 20:36
> Subject: Re: [Assp-test] Senderbase not always matching domain
>
>
>
> It doesn't seem like the domain is being returned, just the network name,
> so a lot of domains that should result in a white org score, aren't hitting.
> This doesn't appear to be an ASSP problem
>
> I just did a lookup for the ip 38.100.169.66
> At the senderbase website, it shows a domain of e.delta.com, which I have
> whitelisted (Delta Airlines)
>
> However, a nslookup for the txt record only shows
> 38.100.169.66.query.senderbase.org  text =
>
> "0-0=1|1=CHARTER
> COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort
> Worth|5
> 1=TX|52=76114|53=US|54=-97.3972|55=32.7807"
>
> Nowhere do I see e.delta.com which explains why ASSP isn't matching. Is
> this the same way that ASSP queries senderbase?  Is there a way to have
> ASSP ask senderbase to return the best guess domain name just like
> SenderBase does on its website?  That would solve the problem where the
> netblock is a major carrier, that carrier can't be whitelisted, but the
> domain that's returned (or hostname) is whitelisted.
>
>
>
>
>
>
> On Tue, May 5, 2015 at 5:34 PM, K Post  wrote:
>
> > SenderBaseLog was set to standard before.  Set it to diagnostic.
> >
> > On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <
> > thomas.ecka...@thockar.com> wrote:
> >
> >> > > but where's the senderbase line in the log?
> >>
> >> check SenderBaseLog
> >>
> >> Thomas
> >>
> >>
> >>
> >>
> >> From: K Post
> >> To: ASSP development mailing list
> >> Date:  05.05.2015 18:21
> >> Subject: Re: [Assp-test] Senderbase not always matching domain
> >>
> >>
> >>
> >> >good point but I've no answer, sounds like you found a bug
> >> Hopefully Thomas will have some time to look into this.
> >>
> >> Thanks again.
> >>
> >> On Tue, May 5, 2015 at 11:42 AM, Grayhat  wrote:
> >>
> >> > :: On Tue, 5 May 2015 11:22:07 -0400
> >> > ::
> 
> >> > :: K Post  wrote:
> >> >
> >> > > > Sorry Greyhat, you lost me.  What does this show different from
> >> > > > what I was
> >> > > saying?   Maybe I wasn't clear.
> >> > > When I pull up the analyze interface in assp it shows only Cogent,
> >> > > doesn't show e.delta.com, so it's not a match to my regex, and
> >> > > thereby doesn't get the whitesenderorg bonus.
> >> >
> >> > yeah, you're right, it's a strange behavior; I wonder if ASSP is using
> >> > the /24 instead of the IP (didn't check the code) .

Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread K Post
And here's another, also from a delta.com address, this time them sending
(legitimate) boarding passes.

Came from IP 153.69.214.203

querying
203.214.69.153.query.senderbase.org (yes I reversed it)
returns
0-0=1|1=NCR CORPORATION|2=6.2|3=6.2|6=0|7=2|8=3410716|9=4530|20=csmail03.ncrwebhost.com|22=Y|40=4.6|41=4.5|43=4.4|44=12.2|45=N|46=11|48=24|50=Duluth|51=GA|52=30096|53=US|54=-84.1494|55=33.9791

parameter 20 shows the hostname

However, in the analyze GUI, it shows:
153.69.214.203 SenderBase: status=not classified, data=US, NCR CORPORATION,
, , Y, 11
The hostname doesn't appear.  Shouldn't it?



On Fri, May 8, 2015 at 10:28 AM, K Post  wrote:

> Thank you both for sticking with this.
>
> Greyhat, my name's Ken :)  Seriously though, the Force has taught me that
> you need to reverse the IP, which makes much more sense.  Thanks.
>
> Thomas, I know ASSP uses DNS, I just didn't know if it was querying
> differently than I was testing - and it is, the RIGHT way - reversing the
> IP.
>
> I now see the hostname being returned, and I can match on that through a
> regex.  Doesn't that open up vulnerability though if a spammer has their
> SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely,
> probably not, but it's what I would do if I were trying to send spam
> appearing to be from Delta - or worse, one of the banks.
>
> My language was also incorrect in my original post.  I talked about
> hostname, but what I'd really like to do is match on the "guess" DOMAIN
> name that the senderbase website shows, in this case e.delta.com.  So:
> 1) Is there a way to have Senderbase return the DOMAIN that it's guessing?
> 2) Is there a way to specify in the White Org file that ASSP uses to only
> match against network name, hostname, or domain name?
>
>
>
>
> On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt  > wrote:
>
>> ASSP uses DNS queries for Senderbase.
>>
>> Thomas
>>
>>
>>
>>
>>
>> From: K Post
>> To: ASSP development mailing list
>> Date:  07.05.2015 20:36
>> Subject: Re: [Assp-test] Senderbase not always matching domain
>>
>>
>>
>> It doesn't seem like the domain is being returned, just the network name,
>> so a lot of domains that should result in a white org score, aren't hitting.
>> This doesn't appear to be an ASSP problem
>>
>> I just did a lookup for the ip 38.100.169.66
>> At the senderbase website, it shows a domain of e.delta.com, which I have
>> whitelisted (Delta Airlines)
>>
>> However, a nslookup for the txt record only shows
>> 38.100.169.66.query.senderbase.org  text =
>>
>> "0-0=1|1=CHARTER
>>
>> COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort
>> Worth|5
>> 1=TX|52=76114|53=US|54=-97.3972|55=32.7807"
>>
>> Nowhere do I see e.delta.com which explains why ASSP isn't matching.   Is
>> this the same way that ASSP queries senderbase?  Is there a way to have
>> ASSP ask senderbase to return the best guess domain name just like
>> SenderBase does on its website?  That would solve the problem where the
>> netblock is a major carrier, that carrier can't be whitelisted, but the
>> domain that's returned (or hostname) is whitelisted.
>>
>>
>>
>>
>>
>>
>> On Tue, May 5, 2015 at 5:34 PM, K Post  wrote:
>>
>> > SenderBaseLog was set to standard before.  Set it to diagnostic.
>> >
>> > On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <
>> > thomas.ecka...@thockar.com> wrote:
>> >
>> >> > > but where's the senderbase line in the log?
>> >>
>> >> check SenderBaseLog
>> >>
>> >> Thomas
>> >>
>> >>
>> >>
>> >>
>> >> From: K Post
>> >> To: ASSP development mailing list
>> >> Date:  05.05.2015 18:21
>> >> Subject: Re: [Assp-test] Senderbase not always matching domain
>> >>
>> >>
>> >>
>> >> >good point but I've no answer, sounds like you found a bug
>> >> Hopefully Thomas will have some time to look into this.
>> >>
>> >> Thanks again.
>> >>
>> >> On Tue, May 5, 2015 at 11:42 AM, Grayhat  wrote:
>> >>
>> >> > :: On Tue, 5 May 2015 11:22:07 -0400
>> >> > ::
>> 
>> >> > :: K Post  wrote:
>> >> >
>> >> > > > Sorry Greyhat, you lost

Re: [Assp-test] Senderbase not always matching domain

2015-05-08 Thread K Post
Thank you both for sticking with this.

Greyhat, my name's Ken :)  Seriously though, the Force has taught me that
you need to reverse the IP, which makes much more sense.  Thanks.

Thomas, I know ASSP uses DNS, I just didn't know if it was querying
differently than I was testing - and it is, the RIGHT way - reversing the
IP.

I now see the hostname being returned, and I can match on that through a
regex.  Doesn't that open up vulnerability though if a spammer has their
SMTP server's IP address reverse to mtaxxx.e.delta.com?   Likely, probably
not, but it's what I would do if I were trying to send spam appearing to be
from Delta - or worse, one of the banks.

My language was also incorrect in my original post.  I talked about
hostname, but what I'd really like to do is match on the "guess" DOMAIN
name that the senderbase website shows, in this case e.delta.com.  So:
1) Is there a way to have Senderbase return the DOMAIN that it's guessing?
2) Is there a way to specify in the White Org file that ASSP uses to only
match against network name, hostname, or domain name?




On Fri, May 8, 2015 at 2:55 AM, Thomas Eckardt 
wrote:

> ASSP uses DNS queries for Senderbase.
>
> Thomas
>
>
>
>
>
> From: K Post
> To: ASSP development mailing list
> Date:  07.05.2015 20:36
> Subject: Re: [Assp-test] Senderbase not always matching domain
>
>
>
> It doesn't seem like the domain is being returned, just the network name,
> so a lot of domains that should result in a white org score, aren't hitting.
> This doesn't appear to be an ASSP problem
>
> I just did a lookup for the ip 38.100.169.66
> At the senderbase website, it shows a domain of e.delta.com, which I have
> whitelisted (Delta Airlines)
>
> However, a nslookup for the txt record only shows
> 38.100.169.66.query.senderbase.org  text =
>
> "0-0=1|1=CHARTER
>
> COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort
> Worth|5
> 1=TX|52=76114|53=US|54=-97.3972|55=32.7807"
>
> Nowhere do I see e.delta.com which explains why ASSP isn't matching.   Is
> this the same way that ASSP queries senderbase?  Is there a way to have
> ASSP ask senderbase to return the best guess domain name just like
> SenderBase does on its website?  That would solve the problem where the
> netblock is a major carrier, that carrier can't be whitelisted, but the
> domain that's returned (or hostname) is whitelisted.
>
>
>
>
>
>
> On Tue, May 5, 2015 at 5:34 PM, K Post  wrote:
>
> > SenderBaseLog was set to standard before.  Set it to diagnostic.
> >
> > On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <
> > thomas.ecka...@thockar.com> wrote:
> >
> >> > > but where's the senderbase line in the log?
> >>
> >> check SenderBaseLog
> >>
> >> Thomas
> >>
> >>
> >>
> >>
> >> From: K Post
> >> To: ASSP development mailing list
> >> Date:  05.05.2015 18:21
> >> Subject: Re: [Assp-test] Senderbase not always matching domain
> >>
> >>
> >>
> >> >good point but I've no answer, sounds like you found a bug
> >> Hopefully Thomas will have some time to look into this.
> >>
> >> Thanks again.
> >>
> >> On Tue, May 5, 2015 at 11:42 AM, Grayhat  wrote:
> >>
> >> > :: On Tue, 5 May 2015 11:22:07 -0400
> >> > ::
> 
> >> > :: K Post  wrote:
> >> >
> >> > > > Sorry Greyhat, you lost me.  What does this show different from
> >> > > > what I was
> >> > > saying?   Maybe I wasn't clear.
> >> > > When I pull up the analyze interface in assp it shows only Cogent,
> >> > > doesn't show e.delta.com, so it's not a match to my regex, and
> >> > > thereby doesn't get the whitesenderorg bonus.
> >> >
> >> > yeah, you're right, it's a strange behavior; I wonder if ASSP is using
> >> > the /24 instead of the IP (didn't check the code) ...
> >> >
> >> > > And here's another issue I'm seeing with Senderbase:
> >> > >
> >> > > 12.130.137.89  to:
> >> u...@ourcharity.org
> >> > > DKIM-Signature found
> >> >
> >> > and here ASSP says that the message contains a DKIM signature
> >> >
> >> > > 12.130.137.89  to:
> >> u...@ourcharity.org
> >> > > info: domain emails.snapfish.com has published a DMARC record
>

Re: [Assp-test] Senderbase not always matching domain

2015-05-07 Thread Thomas Eckardt
ASSP uses DNS queries for Senderbase.

Thomas





From: K Post
To: ASSP development mailing list
Date:  07.05.2015 20:36
Subject: Re: [Assp-test] Senderbase not always matching domain



It doesn't seem like the domain is being returned, just the network name,
so a lot of domains that should result in a white org score, aren't hitting.
This doesn't appear to be an ASSP problem

I just did a lookup for the ip 38.100.169.66
At the senderbase website, it shows a domain of e.delta.com, which I have
whitelisted (Delta Airlines)

However, a nslookup for the txt record only shows
38.100.169.66.query.senderbase.org  text =

"0-0=1|1=CHARTER
COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort
Worth|5
1=TX|52=76114|53=US|54=-97.3972|55=32.7807"

Nowhere do I see e.delta.com which explains why ASSP isn't matching.   Is
this the same way that ASSP queries senderbase?  Is there a way to have
ASSP ask senderbase to return the best guess domain name just like
SenderBase does on its website?  That would solve the problem where the
netblock is a major carrier, that carrier can't be whitelisted, but the
domain that's returned (or hostname) is whitelisted.






On Tue, May 5, 2015 at 5:34 PM, K Post  wrote:

> SenderBaseLog was set to standard before.  Set it to diagnostic.
>
> On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <
> thomas.ecka...@thockar.com> wrote:
>
>> > > but where's the senderbase line in the log?
>>
>> check SenderBaseLog
>>
>> Thomas
>>
>>
>>
>>
>> From: K Post
>> To: ASSP development mailing list
>> Date:  05.05.2015 18:21
>> Subject: Re: [Assp-test] Senderbase not always matching domain
>>
>>
>>
>> >good point but I've no answer, sounds like you found a bug
>> Hopefully Thomas will have some time to look into this.
>>
>> Thanks again.
>>
>> On Tue, May 5, 2015 at 11:42 AM, Grayhat  wrote:
>>
>> > :: On Tue, 5 May 2015 11:22:07 -0400
>> > :: 

>> > :: K Post  wrote:
>> >
>> > > > Sorry Greyhat, you lost me.  What does this show different from
>> > > > what I was
>> > > saying?   Maybe I wasn't clear.
>> > > When I pull up the analyze interface in assp it shows only Cogent,
>> > > doesn't show e.delta.com, so it's not a match to my regex, and
>> > > thereby doesn't get the whitesenderorg bonus.
>> >
>> > yeah, you're right, it's a strange behavior; I wonder if ASSP is using
>> > the /24 instead of the IP (didn't check the code) ...
>> >
>> > > And here's another issue I'm seeing with Senderbase:
>> > >
>> > > 12.130.137.89  to:
>> u...@ourcharity.org
>> > > DKIM-Signature found
>> >
>> > and here ASSP says that the message contains a DKIM signature
>> >
>> > > 12.130.137.89  to:
>> u...@ourcharity.org
>> > > info: domain emails.snapfish.com has published a DMARC record
>> >
>> > and that the sending MTA domain (emails...) publishes a DMARC record
>> >
>> > http://www.senderbase.org/lookup/?search_string=12.130.137.89
>> >
>> > > [MissingMX] 12.130.137.89  to:
>> > > u...@ourcharity.org [scoring] MX missing: emails.snapfish.com
>> > > 12.130.137.89  to:
>> u...@ourcharity.org
>> > > Message-Score: added 10 (mxValencePB) for MX missing:
>> > > emails.snapfish.com, total score for this message is now 10
>> >
>> > wrong, the domain has two MX records, that is
>> >
>> > MX 10 imh.rsys2.net.
>> > MX 20 imh2.rsys2.net.
>> >
>> > > 12.130.137.89  to:
>> > > u...@ourcharity.org HMM Check [scoring] - Prob: 1.0 => spam
>> > > 12.130.137.89  to:
>> u...@ourcharity.org
>> > > Message-Score: added 49 for HMM Probability: 1., total score for
>> > > this message is now 59
>> >
>> > ok sounds like HMM isn't properly trained, let's skip this one for the
>> > moment ...
>> >
>> > > The from IP in the Responsys network, and I've got that network
>> > > whitelisted in my senderbasewhite org config.  I've got senderbase
>> > > set to score. Senderbase logging is set to normal.
>> >
>> > here's what senderbase replies when queried (over DNS) for that IP
>> >
>> > IP address   : 12.130.137.89
>> > version  : 1

Re: [Assp-test] Senderbase not always matching domain

2015-05-07 Thread Grayhat
:: On Thu, 7 May 2015 14:35:35 -0400
:: 
:: K Post  wrote:

> However, a nslookup for the txt record only shows
> 38.100.169.66.query.senderbase.org  text =
> 
> "0-0=1|1=CHARTER
> COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort
> Worth|5
> 1=TX|52=76114|53=US|54=-97.3972|55=32.7807"

reverse the IP, luke

dig +short 66.169.100.38.query.senderbase.org. TXT

"0-0=1|1=COGENT COMMUNICATIONS|2=7.7|3=7.7|6=0|7=317|8=24457518|9=49497|20=mta602.e.delta.com|22=Y|40=4.9|41=4.7|43=4.7|44=9.7|45=N|46=21|48=24|53=US|54=-97.0|55=38.0"

or, using nslookup

nslookup -type=TXT 66.169.100.38.query.senderbase.org.

but the result will be the same; the org_name (1) will be COGENT and
the hostname (20) mta602.e.delta.com while the country (53) is US; for
further details about the results, see here

http://cpansearch.perl.org/src/JOENIO/Net-SenderBase-1.02/lib/Net/SenderBase/Results.pm
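
The lookup and field decoding described in this message, together with an anchored whitelist check, as an added example that is not part of the original post and is not ASSP's code. The function names, the two whitelist patterns, the reading of the leading "0-" as a chunk index, and the use of field 22 to gate hostname matches are assumptions of this sketch; the sample records are the thread's own outputs with the mail line wraps rejoined.

```python
import ipaddress
import re

ZONE = "query.senderbase.org"  # zone queried in the thread


def query_name(ip):
    """Build the TXT query name: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + ZONE


def parse_txt(chunks):
    """Join TXT strings and split them into {field number: value}.

    Assumption: the leading "<n>-" on each string is a chunk index, so the
    strings are ordered by it before being concatenated.
    """
    indexed = []
    for chunk in chunks:
        m = re.match(r"(\d+)-(.*)\Z", chunk, re.S)
        if not m:
            raise ValueError("unexpected TXT string: %r" % chunk)
        indexed.append((int(m.group(1)), m.group(2)))
    payload = "".join(text for _, text in sorted(indexed))
    record = {}
    for item in payload.split("|"):
        key, sep, value = item.partition("=")
        if sep and key.isdigit():
            record[key] = value.strip()
    return record


def white_match(record, org_re, host_re):
    """Return "org", "hostname" or None for one decoded record.

    Field 1 is org_name and field 20 is hostname (both named in the thread).
    Assumption: a hostname only counts when field 22 (hostname_matches_ip in
    the decoded listing quoted in the thread) is "Y".
    """
    if org_re.search(record.get("1", "")):
        return "org"
    host = record.get("20", "").rstrip(".").lower()
    if record.get("22") == "Y" and host_re.search(host):
        return "hostname"
    return None


# Hypothetical whitelist entries for this sketch, anchored at both ends.
ORG_RE = re.compile(r"^RESPONSYS$")
HOST_RE = re.compile(r"(?:^|\.)e\.delta\.com$")
# Unanchored form, kept only to show what it lets through.
LOOSE_RE = re.compile(r"\be\.delta\.com")

# Answer for the correctly reversed name (from the thread, wraps rejoined).
REVERSED = ["0-0=1|1=COGENT COMMUNICATIONS|2=7.7|3=7.7|6=0|7=317|8=24457518|"
            "9=49497|20=mta602.e.delta.com|22=Y|40=4.9|41=4.7|43=4.7|44=9.7|"
            "45=N|46=21|48=24|53=US|54=-97.0|55=38.0"]
# Answer for the unreversed name: a record for a different address entirely.
UNREVERSED = ["0-0=1|1=CHARTER COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|"
              "8=9404927|9=157351|45=N|46=16|48=24|50=Fort Worth|51=TX|"
              "52=76114|53=US|54=-97.3972|55=32.7807"]

if __name__ == "__main__":
    print(query_name("38.100.169.66"))
    for label, chunks in (("reversed", REVERSED), ("unreversed", UNREVERSED)):
        rec = parse_txt(chunks)
        print(label, rec.get("1"), rec.get("20"), rec.get("53"),
              white_match(rec, ORG_RE, HOST_RE))
```
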





Re: [Assp-test] Senderbase not always matching domain

2015-05-07 Thread K Post
It doesn't seem like the domain is being returned, just the network name,
so a lot of domains that should result in a white org score, aren't hitting.
This doesn't appear to be an ASSP problem

I just did a lookup for the ip 38.100.169.66
At the senderbase website, it shows a domain of e.delta.com, which I have
whitelisted (Delta Airlines)

However, a nslookup for the txt record only shows
38.100.169.66.query.senderbase.org  text =

"0-0=1|1=CHARTER
COMMUNICATIONS|2=7.2|3=7.3|4=62870|6=0|7=47|8=9404927|9=157351|45=N|46=16|48=24|50=Fort
Worth|5
1=TX|52=76114|53=US|54=-97.3972|55=32.7807"

Nowhere do I see e.delta.com which explains why ASSP isn't matching.   Is
this the same way that ASSP queries senderbase?  Is there a way to have
ASSP ask senderbase to return the best guess domain name just like
SenderBase does on its website?  That would solve the problem where the
netblock is a major carrier, that carrier can't be whitelisted, but the
domain that's returned (or hostname) is whitelisted.






On Tue, May 5, 2015 at 5:34 PM, K Post  wrote:

> SenderBaseLog was set to standard before.  Set it to diagnostic.
>
> On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt <
> thomas.ecka...@thockar.com> wrote:
>
>> > > but where's the senderbase line in the log?
>>
>> check SenderBaseLog
>>
>> Thomas
>>
>>
>>
>>
>> From: K Post
>> To: ASSP development mailing list
>> Date:  05.05.2015 18:21
>> Subject: Re: [Assp-test] Senderbase not always matching domain
>>
>>
>>
>> >good point but I've no answer, sounds like you found a bug
>> Hopefully Thomas will have some time to look into this.
>>
>> Thanks again.
>>
>> On Tue, May 5, 2015 at 11:42 AM, Grayhat  wrote:
>>
>> > :: On Tue, 5 May 2015 11:22:07 -0400
>> > :: 
>> > :: K Post  wrote:
>> >
>> > > > Sorry Greyhat, you lost me.  What does this show different from
>> > > > what I was
>> > > saying?   Maybe I wasn't clear.
>> > > When I pull up the analyze interface in assp it shows only Cogent,
>> > > doesn't show e.delta.com, so it's not a match to my regex, and
>> > > thereby doesn't get the whitesenderorg bonus.
>> >
>> > yeah, you're right, it's a strange behavior; I wonder if ASSP is using
>> > the /24 instead of the IP (didn't check the code) ...
>> >
>> > > And here's another issue I'm seeing with Senderbase:
>> > >
>> > > 12.130.137.89  to:
>> u...@ourcharity.org
>> > > DKIM-Signature found
>> >
>> > and here ASSP says that the message contains a DKIM signature
>> >
>> > > 12.130.137.89  to:
>> u...@ourcharity.org
>> > > info: domain emails.snapfish.com has published a DMARC record
>> >
>> > and that the sending MTA domain (emails...) publishes a DMARC record
>> >
>> > http://www.senderbase.org/lookup/?search_string=12.130.137.89
>> >
>> > > [MissingMX] 12.130.137.89  to:
>> > > u...@ourcharity.org [scoring] MX missing: emails.snapfish.com
>> > > 12.130.137.89  to:
>> u...@ourcharity.org
>> > > Message-Score: added 10 (mxValencePB) for MX missing:
>> > > emails.snapfish.com, total score for this message is now 10
>> >
>> > wrong, the domain has two MX records, that is
>> >
>> > MX 10 imh.rsys2.net.
>> > MX 20 imh2.rsys2.net.
>> >
>> > > 12.130.137.89  to:
>> > > u...@ourcharity.org HMM Check [scoring] - Prob: 1.0 => spam
>> > > 12.130.137.89  to:
>> u...@ourcharity.org
>> > > Message-Score: added 49 for HMM Probability: 1., total score for
>> > > this message is now 59
>> >
>> > ok sounds like HMM isn't properly trained, let's skip this one for the
>> > moment ...
>> >
>> > > The from IP in the Responsys network, and I've got that network
>> > > whitelisted in my senderbasewhite org config.  I've got senderbase
>> > > set to score. Senderbase logging is set to normal.
>> >
>> > here's what senderbase replies when queried (over DNS) for that IP
>> >
>> > IP address   : 12.130.137.89
>> > version  : 1
>> > org_name : RESPONSYS
>> > org_daily_magnitude  : 7.3
>> > org_monthly_magnitude: 7.2
>> > org_first_message

Re: [Assp-test] Senderbase not always matching domain

2015-05-05 Thread K Post
SenderBaseLog was set to standard before.  Set it to diagnostic.

On Tue, May 5, 2015 at 12:25 PM, Thomas Eckardt 
wrote:

> > > but where's the senderbase line in the log?
>
> check SenderBaseLog
>
> Thomas
>
>
>
>
> From: K Post
> To: ASSP development mailing list
> Date:  05.05.2015 18:21
> Subject: Re: [Assp-test] Senderbase not always matching domain
>
>
>
> >good point but I've no answer, sounds like you found a bug
> Hopefully Thomas will have some time to look into this.
>
> Thanks again.
>
> On Tue, May 5, 2015 at 11:42 AM, Grayhat  wrote:
>
> > :: On Tue, 5 May 2015 11:22:07 -0400
> > :: 
> > :: K Post  wrote:
> >
> > > > Sorry Greyhat, you lost me.  What does this show different from
> > > > what I was
> > > saying?   Maybe I wasn't clear.
> > > When I pull up the analyze interface in assp it shows only Cogent,
> > > doesn't show e.delta.com, so it's not a match to my regex, and
> > > thereby doesn't get the whitesenderorg bonus.
> >
> > yeah, you're right, it's a strange behavior; I wonder if ASSP is using
> > the /24 instead of the IP (didn't check the code) ...
> >
> > > And here's another issue I'm seeing with Senderbase:
> > >
> > > 12.130.137.89  to: u...@ourcharity.org
> > > DKIM-Signature found
> >
> > and here ASSP says that the message contains a DKIM signature
> >
> > > 12.130.137.89  to: u...@ourcharity.org
> > > info: domain emails.snapfish.com has published a DMARC record
> >
> > and that the sending MTA domain (emails...) publishes a DMARC record
> >
> > http://www.senderbase.org/lookup/?search_string=12.130.137.89
> >
> > > [MissingMX] 12.130.137.89  to:
> > > u...@ourcharity.org [scoring] MX missing: emails.snapfish.com
> > > 12.130.137.89  to: u...@ourcharity.org
> > > Message-Score: added 10 (mxValencePB) for MX missing:
> > > emails.snapfish.com, total score for this message is now 10
> >
> > wrong, the domain has two MX records, that is
> >
> > MX 10 imh.rsys2.net.
> > MX 20 imh2.rsys2.net.
> >
> > > 12.130.137.89  to:
> > > u...@ourcharity.org HMM Check [scoring] - Prob: 1.0 => spam
> > > 12.130.137.89  to: u...@ourcharity.org
> > > Message-Score: added 49 for HMM Probability: 1., total score for
> > > this message is now 59
> >
> > ok sounds like HMM isn't properly trained, let's skip this one for the
> > moment ...
> >
> > > The from IP in the Responsys network, and I've got that network
> > > whitelisted in my senderbasewhite org config.  I've got senderbase
> > > set to score. Senderbase logging is set to normal.
> >
> > here's what senderbase replies when queried (over DNS) for that IP
> >
> > IP address   : 12.130.137.89
> > version  : 1
> > org_name : RESPONSYS
> > org_daily_magnitude  : 7.3
> > org_monthly_magnitude: 7.2
> > org_first_message: 0
> > org_domains_count: 3
> > org_ip_controlled_count  : 5640
> > org_ip_used_count: 2889
> > hostname : omp.emails.snapfish.com
> > hostname_matches_ip  : Y
> > ip_daily_magnitude   : 4.1
> > ip_monthly_magnitude : 4.7
> > ip_average_magnitude : 4.8
> > ip_30_day_volume_percent : 7.8
> > ip_in_bonded_sender  : N
> > ip_cidr_range: 12.130.136.0/22
> > undocumented #48 : 24
> > ip_country   : US
> > ip_longitude : -97.0
> > ip_latitude  : 38.0
> >
> > so, yes, the ASSP org check should match that "RESPONSYS" if you placed
> > it in whiteorg
> >
> >
> > > In the ASSP analyze interface, it shows a WHITE match (as it should)
> > > 12.130.137.89 SenderBase: status=white SenderBase,
> > > data=US, RESPONSYS, , , Y, 22
> > > but where's the senderbase line in the log?
> >
> > good point but I've no answer, sounds like you found a bug
> >
> >
> >
> >
>

Re: [Assp-test] Senderbase not always matching domain

2015-05-05 Thread Thomas Eckardt
> > but where's the senderbase line in the log?

check SenderBaseLog

Thomas




From: K Post
To: ASSP development mailing list
Date:  05.05.2015 18:21
Subject: Re: [Assp-test] Senderbase not always matching domain



>good point but I've no answer, sounds like you found a bug
Hopefully Thomas will have some time to look into this.

Thanks again.

On Tue, May 5, 2015 at 11:42 AM, Grayhat  wrote:

> :: On Tue, 5 May 2015 11:22:07 -0400
> :: 
> :: K Post  wrote:
>
> > > Sorry Greyhat, you lost me.  What does this show different from
> > > what I was
> > saying?   Maybe I wasn't clear.
> > When I pull up the analyze interface in assp it shows only Cogent,
> > doesn't show e.delta.com, so it's not a match to my regex, and
> > thereby doesn't get the whitesenderorg bonus.
>
> yeah, you're right, it's a strange behavior; I wonder if ASSP is using
> the /24 instead of the IP (didn't check the code) ...
>
> > And here's another issue I'm seeing with Senderbase:
> >
> > 12.130.137.89  to: u...@ourcharity.org
> > DKIM-Signature found
>
> and here ASSP says that the message contains a DKIM signature
>
> > 12.130.137.89  to: u...@ourcharity.org
> > info: domain emails.snapfish.com has published a DMARC record
>
> and that the sending MTA domain (emails...) publishes a DMARC record
>
> http://www.senderbase.org/lookup/?search_string=12.130.137.89
>
> > [MissingMX] 12.130.137.89  to:
> > u...@ourcharity.org [scoring] MX missing: emails.snapfish.com
> > 12.130.137.89  to: u...@ourcharity.org
> > Message-Score: added 10 (mxValencePB) for MX missing:
> > emails.snapfish.com, total score for this message is now 10
>
> wrong, the domain has two MX records, that is
>
> MX 10 imh.rsys2.net.
> MX 20 imh2.rsys2.net.
>
> > 12.130.137.89  to:
> > u...@ourcharity.org HMM Check [scoring] - Prob: 1.0 => spam
> > 12.130.137.89  to: u...@ourcharity.org
> > Message-Score: added 49 for HMM Probability: 1., total score for
> > this message is now 59
>
> ok sounds like HMM isn't properly trained, let's skip this one for the
> moment ...
>
> > The from IP in the Responsys network, and I've got that network
> > whitelisted in my senderbasewhite org config.  I've got senderbase
> > set to score. Senderbase logging is set to normal.
>
> here's what senderbase replies when queried (over DNS) for that IP
>
> IP address   : 12.130.137.89
> version  : 1
> org_name : RESPONSYS
> org_daily_magnitude  : 7.3
> org_monthly_magnitude: 7.2
> org_first_message: 0
> org_domains_count: 3
> org_ip_controlled_count  : 5640
> org_ip_used_count: 2889
> hostname : omp.emails.snapfish.com
> hostname_matches_ip  : Y
> ip_daily_magnitude   : 4.1
> ip_monthly_magnitude : 4.7
> ip_average_magnitude : 4.8
> ip_30_day_volume_percent : 7.8
> ip_in_bonded_sender  : N
> ip_cidr_range: 12.130.136.0/22
> undocumented #48 : 24
> ip_country   : US
> ip_longitude : -97.0
> ip_latitude  : 38.0
>
> so, yes, the ASSP org check should match that "RESPONSYS" if you placed
> it in whiteorg
>
>
> > In the ASSP analyze interface, it shows a WHITE match (as it should)
> > 12.130.137.89 SenderBase: status=white SenderBase,
> > data=US, RESPONSYS, , , Y, 22
> > but where's the senderbase line in the log?
>
> good point but I've no answer, sounds like you found a bug
>
>
>
> 

Re: [Assp-test] Senderbase not always matching domain

2015-05-05 Thread K Post
>good point but I've no answer, sounds like you found a bug
Hopefully Thomas will have some time to look into this.

Thanks again.

On Tue, May 5, 2015 at 11:42 AM, Grayhat  wrote:

> :: On Tue, 5 May 2015 11:22:07 -0400
> :: 
> :: K Post  wrote:
>
> > > Sorry Greyhat, you lost me.  What does this show different from
> > > what I was
> > saying?   Maybe I wasn't clear.
> > When I pull up the analyze interface in assp it shows only Cogent,
> > doesn't show e.delta.com, so it's not a match to my regex, and
> > thereby doesn't get the whitesenderorg bonus.
>
> yeah, you're right, it's a strange behavior; I wonder if ASSP is using
> the /24 instead of the IP (didn't check the code) ...
>
> > And here's another issue I'm seeing with Senderbase:
> >
> > 12.130.137.89  to: u...@ourcharity.org
> > DKIM-Signature found
>
> and here ASSP says that the message contains a DKIM signature
>
> > 12.130.137.89  to: u...@ourcharity.org
> > info: domain emails.snapfish.com has published a DMARC record
>
> and that the sending MTA domain (emails...) publishes a DMARC record
>
> http://www.senderbase.org/lookup/?search_string=12.130.137.89
>
> > [MissingMX] 12.130.137.89  to:
> > u...@ourcharity.org [scoring] MX missing: emails.snapfish.com
> > 12.130.137.89  to: u...@ourcharity.org
> > Message-Score: added 10 (mxValencePB) for MX missing:
> > emails.snapfish.com, total score for this message is now 10
>
> wrong, the domain has two MX records, that is
>
> MX 10 imh.rsys2.net.
> MX 20 imh2.rsys2.net.
>
> > 12.130.137.89  to:
> > u...@ourcharity.org HMM Check [scoring] - Prob: 1.0 => spam
> > 12.130.137.89  to: u...@ourcharity.org
> > Message-Score: added 49 for HMM Probability: 1., total score for
> > this message is now 59
>
> ok sounds like HMM isn't properly trained, let's skip this one for the
> moment ...
>
> > The from IP in the Responsys network, and I've got that network
> > whitelisted in my senderbasewhite org config.  I've got senderbase
> > set to score. Senderbase logging is set to normal.
>
> here's what senderbase replies when queried (over DNS) for that IP
>
> IP address   : 12.130.137.89
> version  : 1
> org_name : RESPONSYS
> org_daily_magnitude  : 7.3
> org_monthly_magnitude: 7.2
> org_first_message: 0
> org_domains_count: 3
> org_ip_controlled_count  : 5640
> org_ip_used_count: 2889
> hostname : omp.emails.snapfish.com
> hostname_matches_ip  : Y
> ip_daily_magnitude   : 4.1
> ip_monthly_magnitude : 4.7
> ip_average_magnitude : 4.8
> ip_30_day_volume_percent : 7.8
> ip_in_bonded_sender  : N
> ip_cidr_range: 12.130.136.0/22
> undocumented #48 : 24
> ip_country   : US
> ip_longitude : -97.0
> ip_latitude  : 38.0
>
> so, yes, the ASSP org check should match that "RESPONSYS" if you placed
> it in whiteorg
>
>
> > In the ASSP analyze interface, it shows a WHITE match (as it should)
> > 12.130.137.89 SenderBase: status=white SenderBase,
> > data=US, RESPONSYS, , , Y, 22
> > but where's the senderbase line in the log?
>
> good point but I've no answer, sounds like you found a bug
>
>
>


Re: [Assp-test] Senderbase not always matching domain

2015-05-05 Thread Grayhat
:: On Tue, 5 May 2015 11:22:07 -0400
:: 
:: K Post  wrote:

> Sorry Greyhat, you lost me.  What does this show different from
> what I was saying?   Maybe I wasn't clear.
> When I pull up the analyze interface in assp it shows only Cogent,
> doesn't show e.delta.com, so it's not a match to my regex, and
> thereby doesn't get the whitesenderorg bonus.

yeah, you're right, it's a strange behavior; I wonder if ASSP is using
the /24 instead of the IP (didn't check the code) ...

> And here's another issue I'm seeing with Senderbase:
> 
> 12.130.137.89  to: u...@ourcharity.org
> DKIM-Signature found

and here ASSP says that the message contains a DKIM signature

> 12.130.137.89  to: u...@ourcharity.org
> info: domain emails.snapfish.com has published a DMARC record

and that the sending MTA domain (emails...) publishes a DMARC record

http://www.senderbase.org/lookup/?search_string=12.130.137.89

> [MissingMX] 12.130.137.89  to:
> u...@ourcharity.org [scoring] MX missing: emails.snapfish.com
> 12.130.137.89  to: u...@ourcharity.org
> Message-Score: added 10 (mxValencePB) for MX missing:
> emails.snapfish.com, total score for this message is now 10

wrong, the domain has two MX records, that is

MX 10 imh.rsys2.net.
MX 20 imh2.rsys2.net.

> 12.130.137.89  to:
> u...@ourcharity.org HMM Check [scoring] - Prob: 1.0 => spam
> 12.130.137.89  to: u...@ourcharity.org
> Message-Score: added 49 for HMM Probability: 1., total score for
> this message is now 59

ok sounds like HMM isn't properly trained, let's skip this one for the
moment ...

> The from IP is in the Responsys network, and I've got that network
> whitelisted in my senderbasewhite org config.  I've got senderbase
> set to score. Senderbase logging is set to normal.

here's what senderbase replies when queried (over DNS) for that IP

IP address   : 12.130.137.89
version  : 1
org_name : RESPONSYS
org_daily_magnitude  : 7.3
org_monthly_magnitude: 7.2
org_first_message: 0
org_domains_count: 3
org_ip_controlled_count  : 5640
org_ip_used_count: 2889
hostname : omp.emails.snapfish.com
hostname_matches_ip  : Y
ip_daily_magnitude   : 4.1
ip_monthly_magnitude : 4.7
ip_average_magnitude : 4.8
ip_30_day_volume_percent : 7.8
ip_in_bonded_sender  : N
ip_cidr_range: 12.130.136.0/22
undocumented #48 : 24
ip_country   : US
ip_longitude : -97.0
ip_latitude  : 38.0

so, yes, the ASSP org check should match that "RESPONSYS" if you placed
it in whiteorg

 
> In the ASSP analyze interface, it shows a WHITE match (as it should)
> 12.130.137.89 SenderBase: status=white SenderBase,
> data=US, RESPONSYS, , , Y, 22
> but where's the senderbase line in the log?

good point but I've no answer, sounds like you found a bug




Re: [Assp-test] Senderbase not always matching domain

2015-05-05 Thread K Post
>
> http://www.senderbase.org/lookup/ip/?search_string=38.100.169.66
>
> :)
>
Sorry Greyhat, you lost me.  What does this show different from what I was
saying?   Maybe I wasn't clear.
When I pull up the analyze interface in assp it shows only Cogent, doesn't
show e.delta.com, so it's not a match to my regex, and thereby doesn't get
the whitesenderorg bonus.


And here's another issue I'm seeing with Senderbase:

12.130.137.89  to: u...@ourcharity.org
DKIM-Signature found
12.130.137.89  to: u...@ourcharity.org
info: domain emails.snapfish.com has published a DMARC record
[MissingMX] 12.130.137.89  to:
u...@ourcharity.org [scoring] MX missing: emails.snapfish.com
12.130.137.89  to: u...@ourcharity.org
Message-Score: added 10 (mxValencePB) for MX missing: emails.snapfish.com,
total score for this message is now 10
12.130.137.89  to: u...@ourcharity.org HMM
Check [scoring] - Prob: 1.0 => spam
12.130.137.89  to: u...@ourcharity.org
Message-Score: added 49 for HMM Probability: 1., total score for this
message is now 59
12.130.137.89  to: u...@ourcharity.org
deleting spamming safelisted tuplet: (12.130.137.0,envfrm.rsys2.com) age: 2s
[MessageLimit] 12.130.137.89  to:
u...@ourcharity.org [spam found] (MessageScore 59, limit 50) [Hours left
Get your gifts in time for Mother s Day with free overnight shipping] ->
messages/spam/Hours_left_Get_your_gifts_in_time_for_Mother_s_Day_with_free--2903.txt;


The from IP is in the Responsys network, and I've got that network whitelisted
in my senderbasewhite org config.  I've got senderbase set to score.
Senderbase logging is set to normal.

In the ASSP analyze interface, it shows a WHITE match (as it should)
12.130.137.89 SenderBase: status=white SenderBase, data=US,
RESPONSYS, , , Y, 22
but where's the senderbase line in the log?

The message still got a score of 59 (10 for no MX record, 49 for HMM
fail).  Yes HMM is totally wrong and clearly needs to be trained better,
but the -35 white sworgValencePB doesn't seem to get applied.  I would have
expected a score of 24, which would have let this pass instead of being
blocked.


Re: [Assp-test] Senderbase not always matching domain

2015-05-05 Thread Grayhat
:: On Tue, 5 May 2015 10:42:12 -0400
:: 
:: K Post  wrote:

> Take Delta Airlines for example.  They send a message from
> 38.100.169.66
> 
> Looking at senderbase:
> http://www.senderbase.org/lookup/?search_string=38.100.169.66
> I get
> Hostname mta602.e.delta.com
> Domain  Help e.delta.com
> Network Owner  Help Cogent Communications

http://www.senderbase.org/lookup/ip/?search_string=38.100.169.66

:)



[Assp-test] Senderbase not always matching domain

2015-05-05 Thread K Post
Take Delta Airlines for example.  They send a message from  38.100.169.66

Looking at senderbase:
http://www.senderbase.org/lookup/?search_string=38.100.169.66
I get
Hostname mta602.e.delta.com
Domain  Help e.delta.com
Network Owner  Help Cogent Communications

I can't sender whitelist Cogent Communications, as they are a big ISP.
I already had be\.delta\.com in the whitelist.

However, it doesn't appear to match.  When I look at analyze I see:

  38.100.169.66 SenderBase: status=not classified, data=US, COGENT
COMMUNICATIONS, , , Y, 21

e.delta.com isn't in the results.

Now, I know that the senderbase web results indicate that the hostname is
just a sampling from the /24 for that netblock.  However, is there a way to
have the ASSP query to senderbase return that guess?

I'm seeing this quite a bit.

Thanks


Re: [Assp-test] Senderbase white list formatting

2015-05-01 Thread Thomas Eckardt
>Is a \b (or $) assumed at the end of each line?

No.

Thomas





From: K Post
To: ASSP development mailing list
Date: 30.04.2015 15:43
Subject: Re: [Assp-test] Senderbase white list formatting



Thanks.

I've reviewed those sites (and those similar to them) many times.  I'm
comfortable with regex, and use them frequently elsewhere.  What I don't
know is specifically how ASSP uses regex with senderbase.

 Looking at the files folder that comes with the distribution, it appears
that whiteorgs.txt is the only file that starts each line with \b.  I
understand what this does, but why is there a \b at the beginning of every
line, but not the end?  Is a \b (or $) assumed at the end of each line?
For example, you've got:
\b3com corporation
will that also match
3com corporations global
3com corporation hate group




On Thu, Apr 30, 2015 at 4:31 AM, Thomas Eckardt wrote:

> The following links will help to answer your question.
>
> assp/docs/Regular Expression Tutorial.htm   # the basics
> http://perldoc.perl.org/perlretut.html#  the complete documentation
> http://www.rexegg.com/   #  the best tutorial with many very nice step
> by step examples
>
> Thomas
>
>
>
>
>
> From: K Post
> To: ASSP development mailing list
> Date: 29.04.2015 20:01
> Subject: [Assp-test] Senderbase white list formatting
>
>
>
> What is the best practice for formatting lines in the whiteSenderBase
> file?
>
> For example I want to match:
>
> Ebay as the network owner (is that what we're calling the "organization),
> but I do not want to match *Ebay* so not "Ebayshore" "Ebay Concepts"
> "Bebayless" etc
>
> ebay.com as the domain but not *ebay.com*
>
>
> Does
> \bEbay
> \bEbay\.com
> accomplish this?  Will a period match any 1 character (does it need to be
> escaped)?
>
> Are line beginning and endings assumed by assp?  If so, why have the \b?
>
> thanks.  Sorry for the newbie question for a non-newbie.
>

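The answer above ("No", nothing is assumed at the end of a line) can be checked by running the entries from this thread against lookalike names. The Perl script below is an added example, not ASSP code and not something posted to the list; it assumes entries are applied as case-insensitive, unanchored Perl regexes to the org name or domain string, and the sample values are constructed (partly from the names mentioned in the thread).

```perl
#!/usr/bin/perl
# Added example (not ASSP code): test whiteSenderBase-style regex entries
# against lookalike org names and domains.
use strict;
use warnings;

# Entries discussed in the thread, each beside a variant with an explicit end.
my @entries = (
    '\bEbay',              # as asked about in the thread
    '^Ebay$',              # whole-string match
    '\bEbay\.com',         # escaped dot, no end anchor
    '\bEbay.com',          # unescaped dot: matches any one character
    '^Ebay\.com$',
    '\b3com corporation',  # line quoted from whiteorgs.txt
    '^3com corporation$',
);

# Constructed sample values standing in for SenderBase org names and domains.
my @samples = (
    'Ebay', 'Ebayshore', 'Ebay Concepts', 'Bebayless',
    'ebay.com', 'fake-ebay.com', 'ebay.com.example', 'ebayXcom',
    '3com corporation', '3com corporations global',
    '3com corporation hate group',
);

# Assumption: each entry is used as a case-insensitive Perl regex with no
# implicit anchors, which is what the "No" answer in the thread implies.
sub entry_matches {
    my ($entry, $value) = @_;
    my $re = eval { qr/$entry/i };
    die "bad regex '$entry': $@" unless defined $re;
    return $value =~ $re ? 1 : 0;
}

# Simple static hints for one entry (heuristics, not a full regex parser):
# an entry that does not end in $ or \b, and a dot without a backslash.
sub lint_entry {
    my ($entry) = @_;
    my @hints;
    push @hints, 'no end anchor' unless $entry =~ /(?:\$|\\b)\z/;
    push @hints, 'unescaped dot' if $entry =~ /(?<!\\)\./;
    return @hints;
}

# Report, per entry, the hints and every sample value it would whitelist.
for my $entry (@entries) {
    my @hits  = grep { entry_matches($entry, $_) } @samples;
    my @hints = lint_entry($entry);
    printf "%-22s %s\n", $entry, @hints ? '[' . join(', ', @hints) . ']' : '';
    print  "    matches: $_\n" for @hits;
}
```

Only the `^...$` entries limit the match to the exact string; `\bEbay` still matches `Ebayshore`, `Ebay Concepts` and `fake-ebay.com`, because `\b` also sees a word boundary after a hyphen. In Perl, `$` tolerates one trailing newline, while `\z` matches only at the very end of the string.
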
Re: [Assp-test] Senderbase white list formatting

2015-04-30 Thread K Post
Thanks.

I've reviewed those sites (and those similar to them) many times.  I'm
comfortable with regex, and use them frequently elsewhere.  What I don't
know is specifically how ASSP uses regex with senderbase.

 Looking at the files folder that comes with the distribution, it appears
that whiteorgs.txt is the only file that starts each line with \b.  I
understand what this does, but why is there a \b at the beginning of every
line, but not the end?  Is a \b (or $) assumed at the end of each line?
For example, you've got:
\b3com corporation
will that also match
3com corporations global
3com corporation hate group




On Thu, Apr 30, 2015 at 4:31 AM, Thomas Eckardt 
wrote:

> The following links will help to answer your question.
>
> assp/docs/Regular Expression Tutorial.htm   # the basics
> http://perldoc.perl.org/perlretut.html#  the complete documentation
> http://www.rexegg.com/   #  the best tutorial with many very nice step
> by step examples
>
> Thomas
>
>
>
>
>
> From: K Post
> To: ASSP development mailing list
> Date: 29.04.2015 20:01
> Subject: [Assp-test] Senderbase white list formatting
>
>
>
> What is the best practice for formatting lines in the whiteSenderBase
> file?
>
> For example I want to match:
>
> Ebay as the network owner (is that what we're calling the "organization),
> but I do not want to match *Ebay* so not "Ebayshore" "Ebay Concepts"
> "Bebayless" etc
>
> ebay.com as the domain but not *ebay.com*
>
>
> Does
> \bEbay
> \bEbay\.com
> accomplish this?  Will a period match any 1 character (does it need to be
> escaped)?
>
> Are line beginning and endings assumed by assp?  If so, why have the \b?
>
> thanks.  Sorry for the newbie question for a non-newbie.
>


Re: [Assp-test] Senderbase white list formatting

2015-04-30 Thread Thomas Eckardt
The following links will help to answer your question.

assp/docs/Regular Expression Tutorial.htm   # the basics
http://perldoc.perl.org/perlretut.html#  the complete documentation
http://www.rexegg.com/   #  the best tutorial with many very nice step 
by step examples

Thomas





From: K Post
To: ASSP development mailing list
Date: 29.04.2015 20:01
Subject: [Assp-test] Senderbase white list formatting



What is the best practice for formatting lines in the whiteSenderBase 
file?

For example I want to match:

Ebay as the network owner (is that what we're calling the "organization),
but I do not want to match *Ebay* so not "Ebayshore" "Ebay Concepts"
"Bebayless" etc

ebay.com as the domain but not *ebay.com*


Does
\bEbay
\bEbay\.com
accomplish this?  Will a period match any 1 character (does it need to be
escaped)?

Are line beginning and endings assumed by assp?  If so, why have the \b?

thanks.  Sorry for the newbie question for a non-newbie.


[Assp-test] Senderbase white list formatting

2015-04-29 Thread K Post
What is the best practice for formatting lines in the whiteSenderBase file?

For example I want to match:

Ebay as the network owner (is that what we're calling the "organization),
but I do not want to match *Ebay* so not "Ebayshore" "Ebay Concepts"
"Bebayless" etc

ebay.com as the domain but not *ebay.com*


Does
\bEbay
\bEbay\.com
accomplish this?  Will a period match any 1 character (does it need to be
escaped)?

Are line beginning and endings assumed by assp?  If so, why have the \b?

thanks.  Sorry for the newbie question for a non-newbie.


Re: [Assp-test] Senderbase

2014-01-30 Thread Grayhat

> On my way to a new version - this is the nudge that I needed.
> (pending some more answers to my other thread on general windows
> recommendations and the requirements of hmm)

Well, as for the HMM, start vanilla, that is, install your new ASSP,
configure it, migrate your files, upgrade to DB and then once it will
be working, you may experiment by enabling HMM but, as Thomas wrote,
just one step at a time :)



Re: [Assp-test] Senderbase

2014-01-30 Thread K Post
On my way to a new version - this is the nudge that I needed.  (pending
some more answers to my other thread on general windows recommendations and
the requirements of hmm)

cheers.


On Thu, Jan 30, 2014 at 2:09 AM, Thomas Eckardt
wrote:

> Since some time V2 does not use Net::Senderbase, it has its own SenderBase
> code included. For this reason Net::Senderbase is no longer shown in the
> module list (Info & Stats)
> Use the latest version.
>
> Thomas
>
>
>
>
> From: K Post
> To: ASSP development mailing list
> Date: 29.01.2014 20:35
> Subject: Re: [Assp-test] Senderbase
>
>
>
> tried 1.02 (not 1.2 as I type-o'ed above).  No difference.  Still timing
> out at line 45 of dns.pm.  dns.pm is the same in 1.01 and 1.02.
>
>
>
> On Wed, Jan 29, 2014 at 2:04 PM, K Post  wrote:
>
> > temporarily changing dns.pm to use query.senderbase.org instead of
> > test.senderbase.org doesn't do anything.  Still times out.
> >
> > If from the assp machine I use nslookup and do:
> > set type=txt
> > 8.8.8.8.query.senderbase.org
> >
> > it gives me the txt record.
> >
> > doing the same thing with test.senderbase.org times out.
> >
> > So based on my crude test, I'd say that this machine can query senderbase
> > using DNS.  The question now is what is this test.senderbase.org and how
> > is it queried?  Port 53 tcp and udp is wide open on the firewall.
> >
> > I've got Net-Senderbase 1.01 installed, which ppm indicates is the newest.
> >  BUT, there's 1.2 over at cpan.  Should I be using that?
> >
> >
> >
> >
> >
> >
> > On Wed, Jan 29, 2014 at 1:32 PM, K Post  wrote:
> >
> >> Scratch that.  The one that I saw go through was cached
> >>
> >> The error is on line 45
> >> Timeout occurred getting results at C:/Perl/site/lib/Net/SenderBas
> >> e/Query/DNS.pm
> >>
> >> It's like dns.pm is potentially querying .test.senderbase.org
>  is that right or should it be .
> >> query.senderbase.org??
> >>
> >>
> >>
> >> On Wed, Jan 29, 2014 at 10:22 AM, K Post  wrote:
> >>
> >>> And now it's working.  Must have been something DNS related, but I
> >>> didn't change anything  Thanks for the guidance.
> >>>
> >>>
> >>>
> >>>
> >>> On Wed, Jan 29, 2014 at 5:30 AM, Thomas Eckardt <
> >>> thomas.ecka...@thockar.com> wrote:
> >>>
> >>>> SenderBase is working like expected (using 14025)
> >>>>
> >>>> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
> >>>> u...@domain.com SenderBase -- country:AR orgname:TELEFONICA DE
> >>>> ARGENTINA
> >>>> domain:speedy.com.ar
> >>>> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
> >>>> u...@domain.com Message-Score: added 10 for Foreign Country AR
> >>>> (TELEFONICA
> >>>> DE ARGENTINA), total score for this message is now 10
> >>>> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
> >>>> u...@domain.com [scoring] SenderBase -- Foreign Country AR
> (TELEFONICA
> >>>> DE
> >>>> ARGENTINA)
> >>>>
> >>>> >Should senderbase test showup in the mail analyzer?
> >>>>
> >>>> Yes
> >>>>
> >>>> after adding '\bTELEFONICA DE ARGENTINA' to 'blackSenderBase' and having
> >>>> it in the SenderBaseCache
> >>>>
> >>>> * 186.39.19.146 is in CountryCache: status=changed to black country,
> >>>> data=AR, TELEFONICA DE ARGENTINA, speedy.com.ar, , N, 15
> >>>>
> >>>> or after removing the SBCache entry
> >>>>
> >>>> * 186.39.19.146 SenderBase: status=black country, data=AR, TELEFONICA
> DE
> >>>> ARGENTINA, speedy.com.ar, , N, 15
> >>>>
> >>>>
> >>>> Thomas
> >>>>
> >>>>
> >>>> From: K Post
> >>>> To: ASSP development mailing list
> >>>> Date: 28.01.2014 14:14
> >>>> Subject: [Assp-test] Senderbase
> >>>>
> >>>>
> >>>>
> >>>> Any suggestions for debugging SenderBase on 2.x?
> >>>>
> >>>> Sometimes it works, but ASSP doesn't appea

Re: [Assp-test] Senderbase

2014-01-29 Thread Thomas Eckardt
Since some time V2 does not use Net::Senderbase, it has its own SenderBase 
code included. For this reason Net::Senderbase is no longer shown in the 
module list (Info & Stats)
Use the latest version.

Thomas




From: K Post
To: ASSP development mailing list
Date: 29.01.2014 20:35
Subject: Re: [Assp-test] Senderbase



tried 1.02 (not 1.2 as I type-o'ed above).  No difference.  Still timing
out at line 45 of dns.pm.  dns.pm is the same in 1.01 and 1.02.



On Wed, Jan 29, 2014 at 2:04 PM, K Post  wrote:

> temporarily changing dns.pm to use query.senderbase.org instead of
> test.senderbase.org doesn't do anything.  Still times out.
>
> If from the assp machine I use nslookup and do:
> set type=txt
> 8.8.8.8.query.senderbase.org
>
> it gives me the txt record.
>
> doing the same thing with test.senderbase.org times out.
>
> So based on my crude test, I'd say that this machine can query senderbase
> using DNS.  The question now is what is this test.senderbase.org and how
> is it queried?  Port 53 tcp and udp is wide open on the firewall.
>
> I've got Net-Senderbase 1.01 installed, which ppm indicates is the newest.
>  BUT, there's 1.2 over at cpan.  Should I be using that?
>
>
>
>
>
>
> On Wed, Jan 29, 2014 at 1:32 PM, K Post  wrote:
>
>> Scratch that.  The one that I saw go through was cached
>>
>> The error is on line 45
>> Timeout occurred getting results at C:/Perl/site/lib/Net/SenderBas
>> e/Query/DNS.pm
>>
>> It's like dns.pm is potentially querying .test.senderbase.org 
 is that right or should it be .
>> query.senderbase.org??
>>
>>
>>
>> On Wed, Jan 29, 2014 at 10:22 AM, K Post  wrote:
>>
>>> And now it's working.  Must have been something DNS related, but I
>>> didn't change anything  Thanks for the guidance.
>>>
>>>
>>>
>>>
>>> On Wed, Jan 29, 2014 at 5:30 AM, Thomas Eckardt <
>>> thomas.ecka...@thockar.com> wrote:
>>>
>>>> SenderBase is working like expected (using 14025)
>>>>
>>>> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
>>>> u...@domain.com SenderBase -- country:AR orgname:TELEFONICA DE
>>>> ARGENTINA
>>>> domain:speedy.com.ar
>>>> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
>>>> u...@domain.com Message-Score: added 10 for Foreign Country AR
>>>> (TELEFONICA
>>>> DE ARGENTINA), total score for this message is now 10
>>>> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
>>>> u...@domain.com [scoring] SenderBase -- Foreign Country AR 
(TELEFONICA
>>>> DE
>>>> ARGENTINA)
>>>>
>>>> >Should senderbase test showup in the mail analyzer?
>>>>
>>>> Yes
>>>>
>>>> after adding '\bTELEFONICA DE ARGENTINA' to 'blackSenderBase' and having
>>>> it in the SenderBaseCache
>>>>
>>>> * 186.39.19.146 is in CountryCache: status=changed to black country,
>>>> data=AR, TELEFONICA DE ARGENTINA, speedy.com.ar, , N, 15
>>>>
>>>> or after removing the SBCache entry
>>>>
>>>> * 186.39.19.146 SenderBase: status=black country, data=AR, TELEFONICA 
DE
>>>> ARGENTINA, speedy.com.ar, , N, 15
>>>>
>>>>
>>>> Thomas
>>>>
>>>>
>>>> From: K Post
>>>> To: ASSP development mailing list
>>>> Date: 28.01.2014 14:14
>>>> Subject: [Assp-test] Senderbase
>>>>
>>>>
>>>>
>>>> Any suggestions for debugging SenderBase on 2.x?
>>>>
>>>> Sometimes it works, but ASSP doesn't appear to be checking senderbase at
>>>> all.  I'm wondering if it's only looking at the cache and not attempting
>>>> to make new queries.  Looking at the log, I don't see white senderbase for
>>>> messages that I'd expect.  I see nothing on senderbase, not a failure,
>>>> good or bad.
>>>>
>>>> Should senderbase test showup in the mail analyzer?
>>>>
>>>> 

Re: [Assp-test] Senderbase

2014-01-29 Thread K Post
tried 1.02 (not 1.2 as I type-o'ed above).  No difference.  Still timing
out at line 45 of dns.pm.  dns.pm is the same in 1.01 and 1.02.



On Wed, Jan 29, 2014 at 2:04 PM, K Post  wrote:

> temporarily changing dns.pm to use query.senderbase.org instead of
> test.senderbase.org doesn't do anything.  Still times out.
>
> If from the assp machine I use nslookup and do:
> set type=txt
> 8.8.8.8.query.senderbase.org
>
> it gives me the txt record.
>
> doing the same thing with test.senderbase.org times out.
>
> So based on my crude test, I'd say that this machine can query senderbase
> using DNS.  The question now is what is this test.senderbase.org and how
> is it queried?  Port 53 tcp and udp is wide open on the firewall.
>
> I've got Net-Senderbase 1.01 installed, which ppm indicates is the newest.
>  BUT, there's 1.2 over at cpan.  Should I be using that?
>
>
>
>
>
>
> On Wed, Jan 29, 2014 at 1:32 PM, K Post  wrote:
>
>> Scratch that.  The one that I saw go through was cached
>>
>> The error is on line 45
>> Timeout occurred getting results at C:/Perl/site/lib/Net/SenderBas
>> e/Query/DNS.pm
>>
>> It's like dns.pm is potentially querying .test.senderbase.org  is 
>> that right or should it be .
>> query.senderbase.org??
>>
>>
>>
>> On Wed, Jan 29, 2014 at 10:22 AM, K Post  wrote:
>>
>>> And now it's working.  Must have been something DNS related, but I
>>> didn't change anything  Thanks for the guidance.
>>>
>>>
>>>
>>>
>>> On Wed, Jan 29, 2014 at 5:30 AM, Thomas Eckardt <
>>> thomas.ecka...@thockar.com> wrote:
>>>
>>>> SenderBase is working like expected (using 14025)
>>>>
>>>> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
>>>> u...@domain.com SenderBase -- country:AR orgname:TELEFONICA DE
>>>> ARGENTINA
>>>> domain:speedy.com.ar
>>>> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
>>>> u...@domain.com Message-Score: added 10 for Foreign Country AR
>>>> (TELEFONICA
>>>> DE ARGENTINA), total score for this message is now 10
>>>> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
>>>> u...@domain.com [scoring] SenderBase -- Foreign Country AR (TELEFONICA
>>>> DE
>>>> ARGENTINA)
>>>>
>>>> >Should senderbase test showup in the mail analyzer?
>>>>
>>>> Yes
>>>>
>>>> after adding '\bTELEFONICA DE ARGENTINA' to 'blackSenderBase' and having
>>>> it in the SenderBaseCache
>>>>
>>>> * 186.39.19.146 is in CountryCache: status=changed to black country,
>>>> data=AR, TELEFONICA DE ARGENTINA, speedy.com.ar, , N, 15
>>>>
>>>> or after removing the SBCache entry
>>>>
>>>> * 186.39.19.146 SenderBase: status=black country, data=AR, TELEFONICA DE
>>>> ARGENTINA, speedy.com.ar, , N, 15
>>>>
>>>>
>>>> Thomas
>>>>
>>>>
>>>> From: K Post
>>>> To: ASSP development mailing list
>>>> Date: 28.01.2014 14:14
>>>> Subject: [Assp-test] Senderbase
>>>>
>>>>
>>>>
>>>> Any suggestions for debugging SenderBase on 2.x?
>>>>
>>>> Sometimes it works, but ASSP doesn't appear to be checking senderbase at
>>>> all.  I'm wondering if it's only looking at the cache and not attempting
>>>> to
>>>> make new queries.  Looking at the log, I don't see white senderbase for
>>>> messages that I'd expect.  I see nothing on senderbase, not a failure,
>>>> good
>>>> or bad.
>>>>
>>>> Should senderbase test showup in the mail analyzer?
>>>>

Re: [Assp-test] Senderbase

2014-01-29 Thread K Post
Temporarily changing dns.pm to use query.senderbase.org instead of
test.senderbase.org doesn't do anything.  Still times out.

If from the assp machine I use nslookup and do:
set type=txt
8.8.8.8.query.senderbase.org

it gives me the txt record.

Doing the same thing with test.senderbase.org times out.

So based on my crude test, I'd say that this machine can query senderbase
using DNS.  The question now is what is this test.senderbase.org and how is
it queried?  Port 53 tcp and udp is wide open on the firewall.

I've got Net-Senderbase 1.01 installed, which ppm indicates is the newest.
 BUT, there's 1.2 over at cpan.  Should I be using that?






On Wed, Jan 29, 2014 at 1:32 PM, K Post  wrote:

> Scratch that.  The one that I saw go through was cached
>
> The error is on line 45
> Timeout occurred getting results at C:/Perl/site/lib/Net/SenderBase/Query/DNS.pm
>
> It's like dns.pm is potentially querying .test.senderbase.org
> is that right or should it be .query.senderbase.org??
>
>
>
> On Wed, Jan 29, 2014 at 10:22 AM, K Post  wrote:
>
>> And now it's working.  Must have been something DNS related, but I didn't
>> change anything  Thanks for the guidance.
>>
>>
>>
>>
>> On Wed, Jan 29, 2014 at 5:30 AM, Thomas Eckardt <
>> thomas.ecka...@thockar.com> wrote:
>>
>>> SenderBase is working like expected (using 14025)
>>>
>>> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
>>> u...@domain.com SenderBase -- country:AR orgname:TELEFONICA DE ARGENTINA
>>> domain:speedy.com.ar
>>> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
>>> u...@domain.com Message-Score: added 10 for Foreign Country AR
>>> (TELEFONICA
>>> DE ARGENTINA), total score for this message is now 10
>>> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
>>> u...@domain.com [scoring] SenderBase -- Foreign Country AR (TELEFONICA
>>> DE
>>> ARGENTINA)
>>>
>>> >Should senderbase test showup in the mail analyzer?
>>>
>>> Yes
>>>
>>> after adding '\bTELEFONICA DE ARGENTINA' to 'blackSenderBase' and having
>>> it in the SenderBaseCache
>>>
>>> * 186.39.19.146 is in CountryCache: status=changed to black country,
>>> data=AR, TELEFONICA DE ARGENTINA, speedy.com.ar, , N, 15
>>>
>>> or after removing the SBCache entry
>>>
>>> * 186.39.19.146 SenderBase: status=black country, data=AR, TELEFONICA DE
>>> ARGENTINA, speedy.com.ar, , N, 15
>>>
>>>
>>> Thomas
>>>
>>>
>>> From: K Post
>>> To: ASSP development mailing list
>>> Date: 28.01.2014 14:14
>>> Subject: [Assp-test] Senderbase
>>>
>>>
>>>
>>> Any suggestions for debugging SenderBase on 2.x?
>>>
>>> Sometimes it works, but ASSP doesn't appear to be checking senderbase at
>>> all.  I'm wondering if it's only looking at the cache and not attempting
>>> to
>>> make new queries.  Looking at the log, I don't see white senderbase for
>>> messages that I'd expect.  I see nothing on senderbase, not a failure,
>>> good
>>> or bad.
>>>
>>> Should senderbase test showup in the mail analyzer?
>>>

Re: [Assp-test] Senderbase

2014-01-29 Thread K Post
Scratch that.  The one that I saw go through was cached

The error is on line 45
Timeout occurred getting results at C:/Perl/site/lib/Net/SenderBase/Query/DNS.pm

It's like dns.pm is potentially querying .test.senderbase.org
is that right or should it be .query.senderbase.org??



On Wed, Jan 29, 2014 at 10:22 AM, K Post  wrote:

> And now it's working.  Must have been something DNS related, but I didn't
> change anything  Thanks for the guidance.
>
>
>
>
> On Wed, Jan 29, 2014 at 5:30 AM, Thomas Eckardt <
> thomas.ecka...@thockar.com> wrote:
>
>> SenderBase is working like expected (using 14025)
>>
>> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
>> u...@domain.com SenderBase -- country:AR orgname:TELEFONICA DE ARGENTINA
>> domain:speedy.com.ar
>> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
>> u...@domain.com Message-Score: added 10 for Foreign Country AR
>> (TELEFONICA
>> DE ARGENTINA), total score for this message is now 10
>> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
>> u...@domain.com [scoring] SenderBase -- Foreign Country AR (TELEFONICA DE
>> ARGENTINA)
>>
>> >Should senderbase test showup in the mail analyzer?
>>
>> Yes
>>
>> after adding '\bTELEFONICA DE ARGENTINA' to 'blackSenderBase' and having
>> it in the SenderBaseCache
>>
>> * 186.39.19.146 is in CountryCache: status=changed to black country,
>> data=AR, TELEFONICA DE ARGENTINA, speedy.com.ar, , N, 15
>>
>> or after removing the SBCache entry
>>
>> * 186.39.19.146 SenderBase: status=black country, data=AR, TELEFONICA DE
>> ARGENTINA, speedy.com.ar, , N, 15
>>
>>
>> Thomas
>>
>>
>> From: K Post
>> To: ASSP development mailing list
>> Date: 28.01.2014 14:14
>> Subject: [Assp-test] Senderbase
>>
>>
>>
>> Any suggestions for debugging SenderBase on 2.x?
>>
>> Sometimes it works, but ASSP doesn't appear to be checking senderbase at
>> all.  I'm wondering if it's only looking at the cache and not attempting
>> to
>> make new queries.  Looking at the log, I don't see white senderbase for
>> messages that I'd expect.  I see nothing on senderbase, not a failure,
>> good
>> or bad.
>>
>> Should senderbase test showup in the mail analyzer?
>>


Re: [Assp-test] Senderbase

2014-01-29 Thread K Post
And now it's working.  Must have been something DNS related, but I didn't
change anything.  Thanks for the guidance.




On Wed, Jan 29, 2014 at 5:30 AM, Thomas Eckardt
wrote:

> SenderBase is working like expected (using 14025)
>
> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
> u...@domain.com SenderBase -- country:AR orgname:TELEFONICA DE ARGENTINA
> domain:speedy.com.ar
> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
> u...@domain.com Message-Score: added 10 for Foreign Country AR (TELEFONICA
> DE ARGENTINA), total score for this message is now 10
> Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to:
> u...@domain.com [scoring] SenderBase -- Foreign Country AR (TELEFONICA DE
> ARGENTINA)
>
> >Should senderbase test showup in the mail analyzer?
>
> Yes
>
> after adding '\bTELEFONICA DE ARGENTINA' to 'blackSenderBase' and having
> it in the SenderBaseCache
>
> * 186.39.19.146 is in CountryCache: status=changed to black country,
> data=AR, TELEFONICA DE ARGENTINA, speedy.com.ar, , N, 15
>
> or after removing the SBCache entry
>
> * 186.39.19.146 SenderBase: status=black country, data=AR, TELEFONICA DE
> ARGENTINA, speedy.com.ar, , N, 15
>
>
> Thomas
>
>
> From: K Post
> To: ASSP development mailing list
> Date: 28.01.2014 14:14
> Subject: [Assp-test] Senderbase
>
>
>
> Any suggestions for debugging SenderBase on 2.x?
>
> Sometimes it works, but ASSP doesn't appear to be checking senderbase at
> all.  I'm wondering if it's only looking at the cache and not attempting
> to
> make new queries.  Looking at the log, I don't see white senderbase for
> messages that I'd expect.  I see nothing on senderbase, not a failure,
> good
> or bad.
>
> Should senderbase test showup in the mail analyzer?
>


Re: [Assp-test] Senderbase

2014-01-29 Thread Thomas Eckardt
SenderBase is working like expected (using 14025)

Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to: u...@domain.com SenderBase -- country:AR orgname:TELEFONICA DE ARGENTINA domain:speedy.com.ar
Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to: u...@domain.com Message-Score: added 10 for Foreign Country AR (TELEFONICA DE ARGENTINA), total score for this message is now 10
Jan-29-14 01:29:44 M1-55380-06017 [Worker_1] 186.39.19.146 to: u...@domain.com [scoring] SenderBase -- Foreign Country AR (TELEFONICA DE ARGENTINA)

>Should senderbase test showup in the mail analyzer?

Yes

after adding '\bTELEFONICA DE ARGENTINA' to 'blackSenderBase' and having 
it in the SenderBaseCache

• 186.39.19.146 is in CountryCache: status=changed to black country, 
data=AR, TELEFONICA DE ARGENTINA, speedy.com.ar, , N, 15 

or after removing the SBCache entry

• 186.39.19.146 SenderBase: status=black country, data=AR, TELEFONICA DE 
ARGENTINA, speedy.com.ar, , N, 15 


Thomas


From: K Post
To: ASSP development mailing list
Date: 28.01.2014 14:14
Subject: [Assp-test] Senderbase



Any suggestions for debugging SenderBase on 2.x?

Sometimes it works, but ASSP doesn't appear to be checking senderbase at
all.  I'm wondering if it's only looking at the cache and not attempting 
to
make new queries.  Looking at the log, I don't see white senderbase for
messages that I'd expect.  I see nothing on senderbase, not a failure, 
good
or bad.

Should senderbase test showup in the mail analyzer?


Re: [Assp-test] Senderbase

2014-01-29 Thread Grayhat
:: On Tue, 28 Jan 2014 13:56:42 -0500
:: 
:: K Post  wrote:

> Hey, would you look at that!  There's a setting for senderbase log
> verbosity!  Changing it to verbose, gives me:
> Timeout occurred getting results at C:/Perl/site/lib/Net/SenderBase/Query/DNS.pm
> 
> DNSTimeout was 5 seconds.  Changed to 10, no difference.
> 
> Any suggestions?  DNS settings on the server seem fine and are
> responsive.

ensure that you're able to run DNS queries over TCP not just over UDP;
if your firewall is blocking queries to 53/TCP then you're in trouble;
on windows, fire up "nslookup" without parameters, next enter

server 8.8.8.8
set vc

and done that enter some hostnames to see if resolution is ok; on
Linux, use "dig +tcp host.name @8.8.8.8" where "host.name" will be a
valid hostname; in both cases the queries will be sent to the google
DNS resolver over TCP and if they fail...





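Added example (not part of the thread, and not ASSP or Net::SenderBase code): a Python probe that sends the same TXT lookup over UDP and over TCP, so the nslookup comparison of query.senderbase.org with test.senderbase.org and the 53/TCP check suggested above can be run in one pass. The function names are illustrative; the resolver 8.8.8.8 and the two zone names are the ones mentioned in the thread, and the response used for the offline check is constructed.

```python
import secrets
import socket
import struct

TXT = 16  # DNS record type TXT


def build_query(name, txid=None):
    """DNS query message (RFC 1035) asking for the TXT records of `name`."""
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", TXT, 1)  # class IN


def frame_tcp(message):
    """DNS over TCP puts a 2-byte length in front of every message."""
    return struct.pack("!H", len(message)) + message


def _skip_name(msg, pos):
    """Return the offset just past the (possibly compressed) name at `pos`."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_txt(msg):
    """Return (rcode, truncated, [TXT strings]) from a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4  # QTYPE + QCLASS
    texts = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == TXT:
            p, chunks = pos, []
            while p < pos + rdlen:  # RDATA is a run of length-prefixed strings
                chunks.append(msg[p + 1:p + 1 + msg[p]])
                p += 1 + msg[p]
            texts.append(b"".join(chunks).decode("ascii", "replace"))
        pos += rdlen
    # The TC flag means the UDP answer was cut short and must be re-asked over
    # TCP, which is why a blocked 53/TCP can surface as lookup timeouts.
    return flags & 0x000F, bool(flags & 0x0200), texts


def constructed_response(query, text):
    """Constructed test data: a reply to `query` carrying one TXT record."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rdata = bytes([len(text)]) + text.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TXT, 1, 60, len(rdata)) + rdata
    return header + query[12:] + answer


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def probe(name, server, transport, timeout=5.0):
    """Send one TXT query over 'udp' or 'tcp'; return a one-line verdict."""
    query = build_query(name)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                reply, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(frame_tcp(query))
                (length,) = struct.unpack("!H", _recv_exact(s, 2))
                reply = _recv_exact(s, length)
        if reply[:2] != query[:2]:
            return "reply with wrong transaction id"
        rcode, truncated, texts = parse_txt(reply)
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return f"error: {exc}"
    except (struct.error, IndexError):
        return "malformed reply"
    return f"rcode={rcode} truncated={truncated} txt={texts}"


if __name__ == "__main__":
    # Names and resolver as used in the thread; needs outbound port 53.
    for zone in ("query.senderbase.org", "test.senderbase.org"):
        for transport in ("udp", "tcp"):
            print(zone, transport, probe(f"8.8.8.8.{zone}", "8.8.8.8", transport))
```

A "timeout" on tcp with an answer on udp points at the firewall; a timeout on both transports for one zone only points at that zone rather than at the local setup.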


Re: [Assp-test] Senderbase

2014-01-28 Thread K Post
Hey, would you look at that!  There's a setting for senderbase log
verbosity!  Changing it to verbose, gives me:
Timeout occurred getting results at C:/Perl/site/lib/Net/SenderBase/Query/DNS.pm

DNSTimeout was 5 seconds.  Changed to 10, no difference.

Any suggestions?  DNS settings on the server seem fine and are responsive.


On Tue, Jan 28, 2014 at 11:48 AM, Grayhat  wrote:

>
> > Hey Grayhat- been a while...  Thanks for your followup.
>
> Hi there, yes, been (and being ) busy
>
> > I'm using our internal dns servers, without forwarders.  I see DNSBL
> > messages, RWL, etc as expected.
>
> ok, one thing less to check (I hope) :)
>
> > Could a format error in the whiteSenderBase be the culprit?  I don't
> > see an error when it's loaded.  There's 1000+ entries, hard to check
>
> well, maybe, sure or may be due to some check kicking in *before* the
> senderbase one; carefully checking the logs and/or increasing logging
> would be a good idea imVHo
>
>


Re: [Assp-test] Senderbase

2014-01-28 Thread Grayhat

> Hey Grayhat- been a while...  Thanks for your followup.

Hi there, yes, been (and being ) busy
 
> I'm using our internal dns servers, without forwarders.  I see DNSBL
> messages, RWL, etc as expected.

ok, one thing less to check (I hope) :)
 
> Could a format error in the whiteSenderBase be the culprit?  I don't
> see an error when it's loaded.  There's 1000+ entries, hard to check

well, maybe, sure or may be due to some check kicking in *before* the
senderbase one; carefully checking the logs and/or increasing logging
would be a good idea imVHo



Re: [Assp-test] Senderbase

2014-01-28 Thread K Post
Hey Grayhat- been a while...  Thanks for your followup.

I'm using our internal dns servers, without forwarders.  I see DNSBL
messages, RWL, etc as expected.

Could a format error in the whiteSenderBase be the culprit?  I don't see an
error when it's loaded.  There's 1000+ entries, hard to check manually.  I
suppose I could try just a shorter list, but it'll be hard to test - would
need a domain that should be senderbase ok, but isn't in the cache to send
an email

The code should be querying senderbase.org each time if the entry isn't in
cache right?  If so, maybe I'll dive into the code and start logging.


On Tue, Jan 28, 2014 at 10:06 AM, Grayhat  wrote:

> :: On Tue, 28 Jan 2014 09:02:50 -0500
> :: 
> :: K Post  wrote:
>
> > Confirmed that it seems like only the cached entries are working.
> > Every one of the 300+ senderbase matches from today, are from the
> > cache. For example:
> > 199.101.162.46
>
> couple questions:
>
> 1: are there any DNS-related messages in your logs ?
>
> 2: are you using your own (no forwarders) DNS resolvers or are you
>    using public resolvers like OpenDNS, Google or whatever else ?
>
>
>


Re: [Assp-test] Senderbase

2014-01-28 Thread Grayhat
:: On Tue, 28 Jan 2014 09:02:50 -0500
:: 
:: K Post  wrote:

> Confirmed that it seems like only the cached entries are working.
> Every one of the 300+ senderbase matches from today, are from the
> cache. For example:
> 199.101.162.46

couple questions:

1: are there any DNS-related messages in your logs ?

2: are you using your own (no forwarders) DNS resolvers or are you
   using public resolvers like OpenDNS, Google or whatever else ?




Re: [Assp-test] Senderbase White Org regex

2014-01-28 Thread K Post
Thanks for the reply Thomas.   I appreciate the - clarification.

Might you consider changing senderbase functionality such that it looks for
an exact match?  I worry about allowing anything from Hosting Service (just
an example) but consider it a network name that we know only sends good,
erroneously matching Bob's Bad Hosting Service too in senderbase...

FYI - I was wondering why so many of my questions have gone unanswered
recently.  Totally not typical for you - I should have known better.  Turns
out the gmail servers were filtering your message to spam!  Irony in its
truest form


On Sun, Jan 26, 2014 at 2:29 AM, Thomas Eckardt
wrote:

> 1) \bacer-euro\.com is listed.  Doesn't the - need to be escaped?  (if
> not,
> why not?)
>
> No need to escape the - here. It is required in a character class like
> [fth\-kl] - but not if the - is the last character in a character class
> like [a-z0-9-] see
> http://perldoc.perl.org/perlretut.html#Using-character-classes
> It does not matter to escape the - everywhere in a regex. like
> \bacer\-euro\.com
>
>
> >2) Should we use ^ to indicate beginning of line and $ to indicate end so
> that something like:
> Would ^Hosting Service$ work?
>
> No - assp processes all regexes against the complete target string
> (header, body, mail), there is no line processing!
>
> btw: \bHosting Service
> matches both: "Bob's Hosting Service" and "Hosting Service Inc."
>
> Thomas
>
>
>
>
>
>
>
> From: K Post
> To: ASSP development mailing list
> Date: 25.01.2014 18:16
> Subject: [Assp-test] Senderbase White Org regex
>
>
>
> I just downloaded 2.3.3 and am reviewing the whiteorg.txt sample file for
> SenderBase.
>
> I understand that that \b is necessary to indicate the word boundary.  I
> get that the . needs to be escaped with \ so they don't match any
> character.
>
> Questions:
> 1) \bacer-euro\.com is listed.  Doesn't the - need to be escaped?  (if
> not,
> why not?)
> 2) Should we use ^ to indicate beginning of line and $ to indicate end so
> that something like:
> \bHosting Service  (to match any host in the "Hosting Service" network
> doesn't match "Bob's Hosting Service" or "Hosting Service Inc."
> Would ^Hosting Service$ work?
>
> Thanks all!
> ken
>


Re: [Assp-test] Senderbase

2014-01-28 Thread K Post
Also, I was able to confirm that I can directly query
query.senderbase.org from the machine


On Tue, Jan 28, 2014 at 9:02 AM, K Post  wrote:

> Confirmed that it seems like only the cached entries are working.  Every
> one of the 300+ senderbase matches from today, are from the cache.
> For example:
> 199.101.162.46 
> to: ouru...@.org [whiting] SenderBase -- White Organization/Domain
> 'LinkedIn Corporation' in cache
> That works great.  Any way to debug why new hits don't seem to be
> happening even though there's emails that should match entries in the
> whiteSenderBase file?  That certainly wasn't the case before.  I don't
> think it's the code, I think it's my setup.
>
>
> On Tue, Jan 28, 2014 at 8:12 AM, K Post  wrote:
>
>> Any suggestions for debugging SenderBase on 2.x?
>>
>> Sometimes it works, but ASSP doesn't appear to be checking senderbase at
>> all.  I'm wondering if it's only looking at the cache and not attempting to
>> make new queries.  Looking at the log, I don't see white senderbase for
>> messages that I'd expect.  I see nothing on senderbase, not a failure, good
>> or bad.
>>
>> Should senderbase test showup in the mail analyzer?
>>
>>
>>
>


Re: [Assp-test] Senderbase

2014-01-28 Thread K Post
Confirmed that it seems like only the cached entries are working.  Every
one of the 300+ senderbase matches from today, are from the cache.
For example:
199.101.162.46 
to: ouru...@.org [whiting] SenderBase -- White Organization/Domain
'LinkedIn Corporation' in cache
That works great.  Any way to debug why new hits don't seem to be happening
even though there's emails that should match entries in the whiteSenderBase
file?  That certainly wasn't the case before.  I don't think it's the code,
I think it's my setup.


On Tue, Jan 28, 2014 at 8:12 AM, K Post  wrote:

> Any suggestions for debugging SenderBase on 2.x?
>
> Sometimes it works, but ASSP doesn't appear to be checking senderbase at
> all.  I'm wondering if it's only looking at the cache and not attempting to
> make new queries.  Looking at the log, I don't see white senderbase for
> messages that I'd expect.  I see nothing on senderbase, not a failure, good
> or bad.
>
> Should senderbase test showup in the mail analyzer?
>
>
>


[Assp-test] Senderbase

2014-01-28 Thread K Post
Any suggestions for debugging SenderBase on 2.x?

Sometimes it works, but ASSP doesn't appear to be checking senderbase at
all.  I'm wondering if it's only looking at the cache and not attempting to
make new queries.  Looking at the log, I don't see white senderbase for
messages that I'd expect.  I see nothing on senderbase, not a failure, good
or bad.

Should senderbase test show up in the mail analyzer?


Re: [Assp-test] Senderbase White Org regex

2014-01-25 Thread Thomas Eckardt
> 1) \bacer-euro\.com is listed.  Doesn't the - need to be escaped?  (if not,
> why not?)

No need to escape the - here. It is required in a character class like 
[fth\-kl] - but not if the - is the last character in a character class 
like [a-z0-9-] see 
http://perldoc.perl.org/perlretut.html#Using-character-classes
It does not matter to escape the - everywhere in a regex. like 
\bacer\-euro\.com


> 2) Should we use ^ to indicate beginning of line and $ to indicate end so
> that something like:
> Would ^Hosting Service$ work?

No - assp processes all regexes against the complete target string 
(header, body, mail), there is no line processing!

btw: \bHosting Service
matches both: "Bob's Hosting Service" and "Hosting Service Inc."

Thomas


From: K Post
To: ASSP development mailing list
Date: 25.01.2014 18:16
Subject: [Assp-test] Senderbase White Org regex

I just downloaded 2.3.3 and am reviewing the whiteorg.txt sample file for
SenderBase.

I understand that that \b is necessary to indicate the word boundary.  I
get that the . needs to be escaped with \ so they don't match any character.

Questions:
1) \bacer-euro\.com is listed.  Doesn't the - need to be escaped?  (if not,
why not?)
2) Should we use ^ to indicate beginning of line and $ to indicate end so
that something like:
\bHosting Service  (to match any host in the "Hosting Service" network
doesn't match "Bob's Hosting Service" or "Hosting Service Inc."
Would ^Hosting Service$ work?

Thanks all!
ken
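
The matching behaviour discussed in this message, as an added Perl example that is not part of the thread and is not ASSP code. It audits the quoted patterns against constructed organisation and domain strings using a plain match on one value at a time, which is an assumption and not necessarily how ASSP applies whiteorg.txt entries; the sample strings and the `audit` helper are hypothetical.

```perl
#!/usr/bin/perl
# Added example: audit whitelist regex entries against lookalike values.
use strict;
use warnings;

# Constructed organisation/domain strings; not real SenderBase output.
my @samples = (
    'Hosting Service',
    "Bob's Hosting Service",
    'Hosting Service Inc.',
    'acer-euro.com',
    'fake-acer-euro.com',      # hyphen before the name: \b still matches here
    'acer-euro.com.example',   # trailing label: only an end anchor rejects it
    'acer-euroXcom',           # rejected only when the dot is escaped
);

# Each entry: the pattern as written in a list file, and the single value
# the administrator actually intends to whitelist.
my @entries = (
    { re => '\bHosting Service', want => 'Hosting Service' },
    { re => '^Hosting Service$', want => 'Hosting Service' },
    { re => '\bacer-euro\.com',  want => 'acer-euro.com'   },
    { re => '\bacer\-euro\.com', want => 'acer-euro.com'   },  # same as above
    { re => '\bacer-euro.com',   want => 'acer-euro.com'   },  # unescaped dot
    { re => '\bacer-euro\.com$', want => 'acer-euro.com'   },
    { re => '^acer-euro\.com$',  want => 'acer-euro.com'   },
);

# Return the samples a pattern matches, split into intended and unintended.
sub audit {
    my ($pattern, $want, @values) = @_;
    my $re = qr/$pattern/;     # plain match: no /m, /i or /x flags
    my (@ok, @extra);
    for my $v (@values) {
        next unless $v =~ $re;
        if ($v eq $want) { push @ok, $v } else { push @extra, $v }
    }
    return (\@ok, \@extra);
}

for my $e (@entries) {
    my ($ok, $extra) = audit($e->{re}, $e->{want}, @samples);
    printf "%-20s intended=%-3s also matches: %s\n",
        $e->{re},
        (@$ok    ? 'yes' : 'NO'),
        (@$extra ? join(' | ', @$extra) : '(nothing)');
}

# ^ and $ without /m anchor to the whole target string, not to a line in it.
# If the target is a larger multi-line string, ^name$ no longer matches.
my $multi = "Some Network\nHosting Service\nAnother Org";   # constructed
print "\nmulti-line target, no /m:   ",
    ($multi =~ /^Hosting Service$/  ? 'match' : 'no match'), "\n";
print "multi-line target, with /m: ",
    ($multi =~ /^Hosting Service$/m ? 'match' : 'no match'), "\n";
```

Any entry that lists values under "also matches" accepts more than the intended name, so it is worth running new list entries through a check like this before deploying them.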


[Assp-test] Senderbase White Org regex

2014-01-25 Thread K Post
I just downloaded 2.3.3 and am reviewing the whiteorg.txt sample file for
SenderBase.

I understand that that \b is necessary to indicate the word boundary.  I
get that the . needs to be escaped with \ so they don't match any character.

Questions:
1) \bacer-euro\.com is listed.  Doesn't the - need to be escaped?  (if not,
why not?)
2) Should we use ^ to indicate beginning of line and $ to indicate end so
that something like:
\bHosting Service  (to match any host in the "Hosting Service" network
doesn't match "Bob's Hosting Service" or "Hosting Service Inc."
Would ^Hosting Service$ work?

Thanks all!
ken


[Assp-test] senderbase bug

2013-11-14 Thread Adrian Stoica
Hello

The last version that works ok for me is assp version 2.3.3 13217
After that, every new version of the program gets stuck after a few minutes.
In the latest version 2.3.3 13276 I see this after ~ 500s:

ASSP Worker/DB/Regex Status - not healthy
Worker    loop age  current action
*1*       480 s     ASSP::Senderbase::Query::results -> 62.134.45.45 (stuck)
*2*       321 s     ASSP::Senderbase::Query::results -> 212.100.252.14 (stuck)
*3*       10 s      ASSP::Senderbase::Query::results -> 193.33.200.148
*4*       205 s     ASSP::Senderbase::Query::results -> 178.120.6.197 (stuck)
*5*       3 s       ASSP::Senderbase::Query::results -> 217.156.36.43
*1*       0 s       idle loop (5 s)
*10001*   2 s       idle loop (6 s)


I have disabled everything on senderbase: DoOrgWhiting, DoOrgWhiting,
DoOrgWhiting, DoOrgWhiting.
The same result, all assp threads get stuck one after one, and after
that the assp dies:
14-Noi-13 14:03:33 [Main_Thread] Info: unable to detect any running worker for a new connection - wait (max 30 seconds)
14-Noi-13 14:03:33 [Main_Thread] Info: ConnectionTransferTimeOut (30 seconds) is now reached
14-Noi-13 14:03:33 [Main_Thread] Warning: Main_Thread is unable to transfer connection to any worker - try again!

I have tried DBCacheMaxAge = 5, but no luck.

Perl version is 5.010001, running on linux (latest centos)


-- 
Otopeni - ROMÂNIA, Jud. Ilfov
Str. Ardealului nr.9F

Stoica Adrian
Network Administrator

Tel.: (004) 021 350 67 57
Fax: (004) 021 350 67 59
Mobile: 0725.722.717

E-mail: adrian.sto...@dacris.net
www.dacris.net




Re: [Assp-test] Senderbase

2012-07-18 Thread Daniel L. Miller
On 7/18/2012 6:33 AM, Daniel L. Miller wrote:
> Watching the Worker/DB/Regex Status screen, I will occasionally see 
> entries such as, "ASSP::Senderbase::Query::results -> 79.234.165.81 
> (stuck)".
>
> These can take an extended period of time to resolve.

Found these log entries:
Jul-18-12 07:21:44 [Main_Thread] Info: Loop in Worker_1 was not active for 245 seconds
Jul-18-12 07:21:44 [Main_Thread] Info: Worker_1 : last sigoff in main, sub main::SenderBaseOK, 4, main::SenderBaseOK_Run, 1, , ,  at 12-18-6 7:1742 1342621062.02035 - 39
Jul-18-12 07:21:44 [Main_Thread] Info: Worker_1 : last sigon in main, sub main::SenderBaseOK, 4, main::SenderBaseOK_Run, 1, , ,  at 12-18-6 7:1742 1342621062.1589 - 52
Jul-18-12 07:21:44 [Main_Thread] Info: Worker_1 : last action was : ASSP::Senderbase::Query::
Jul-18-12 07:21:44 [Main_Thread] Warning: try to terminate inactive/stucking Worker_1
Jul-18-12 07:21:44 [Main_Thread] Info: Loop in Worker_2 was not active for 324 seconds
Jul-18-12 07:21:44 [Main_Thread] Info: Worker_2 : last sigoff in main, sub main::SenderBaseOK, 4, main::SenderBaseOK_Run, 1, , ,  at 12-18-6 7:1629 1342620989.68008 - 39
Jul-18-12 07:21:44 [Main_Thread] Info: Worker_2 : last sigon in main, sub main::SenderBaseOK, 4, main::SenderBaseOK_Run, 1, , ,  at 12-18-6 7:1629 1342620989.7239 - 52
Jul-18-12 07:21:44 [Main_Thread] Info: Worker_2 : last action was : ASSP::Senderbase::Query::
Jul-18-12 07:21:44 [Main_Thread] Warning: try to terminate inactive/stucking Worker_2



-- 
Daniel


[Assp-test] Senderbase

2012-07-18 Thread Daniel L. Miller
Watching the Worker/DB/Regex Status screen, I will occasionally see 
entries such as, "ASSP::Senderbase::Query::results -> 79.234.165.81 
(stuck)".

These can take an extended period of time to resolve.
-- 
Daniel


Re: [Assp-test] senderbase not working

2011-11-02 Thread marrco
> 1. RWL was disabled: Fixed->
> http://downloads.sourceforge.net/project/assp/ASSP%20Installation/AutoUpdate/ASSP1x/assp.pl.gz


Confirmed, works fine now with 1.9.1.8(1.1.02) 

Thx again




Re: [Assp-test] senderbase not working

2011-11-02 Thread marrco
> 1.01 is available.

Update. Working fine now. 

Issue solved. Thx fritz




Re: [Assp-test] senderbase not working

2011-11-02 Thread marrco
>>Oct-29-11 12:54:53 Net::SenderBase module version 1.00 installed -
> 1.01 is available.

I did a clean install using updated  assp.mod.zip and then I run ppm upgrade
--install

But I see there's a new version (1.01) available, testing now, will report
later

Thx again




Re: [Assp-test] senderbase not working

2011-11-02 Thread marrco
> 1. RWL was disabled: Fixed->
> http://downloads.sourceforge.net/project/assp/ASSP%20Installation/AutoUpdate/ASSP1x/assp.pl.gz

Thx testing now the new version. Will report later




Re: [Assp-test] senderbase not working

2011-11-02 Thread Fritz Borgstedt
ASSP development mailing list writes:
>Oct-29-11 12:54:53 Net::SenderBase module version 1.00 installed -

1.01 is available.




Re: [Assp-test] senderbase not working

2011-11-02 Thread Fritz Borgstedt
1. RWL was disabled: Fixed->
http://downloads.sourceforge.net/project/assp/ASSP%20Installation/AutoUpdate/ASSP1x/assp.pl.gz

2. Senderbase: Not reproducible




[Assp-test] senderbase not working

2011-11-01 Thread marrco
I just reinstalled my assp box using

1.9.1.8(1.1.01) on windows server and a few things are not working as
expected:

Senderbase is not working, if I enable verbose logging I find the following
error:

Nov-01-11 12:19:06 id-32014-86466 187.45.217.104 to: m...@customer.com warning: SenderBase: Unknown key: 48 at C:/Perl/site/lib/Net/SenderBase/Results.pm line 65.;

(in cleanup) No such method: DESTROY at C:/Perl/site/lib/Net/SenderBase/Results.pm line 74.

I have senderbase perl module installed:

Oct-29-11 12:54:53 Net::SenderBase module version 1.00 installed - SenderBase Queries available;

Oct-30-11 02:02:20 Option list file: 'c:/assp/files/sbwhite.txt' reloaded (whiteSenderBase) with 109 records;

Oct-31-11 04:01:05 SenderBaseCache: cleaning up cache finished: IP's before=1, deleted=0;

Nov-01-11 04:01:53 SenderBaseCache: cleaning up cache finished: IP's before=3, deleted=0;

And I'm not sure about RWL:

I have Enable Realtime Whitelist Validation set to ON, in my RWL service
providers I set swl.spamhaus.org|list.dnswl.org  but nothing in the logs,
set MWLmaxreplies=2 and RWLminhits=1 but whenever I hit "show cache" I get a
message that c:/assp/pb/pbdb.rwl.db and even if I set logging to verbose I
never see an entry about RWL

Any hint?


Re: [Assp-test] SenderBase finding 'AMAZON.COM' but message came from ifixit.com

2011-08-16 Thread Fritz Borgstedt


#
# The following results may also be obtained via:
#
http://whois.arin.net/rest/nets;q=75.101.159.182?showDetails=true&showARIN=true
#

Amazon.com, Inc. AMAZON-EC2-4 (NET-75-101-128-0-1) 75.101.128.0 - 75.101.255.255
American Registry for Internet Numbers NET75 (NET-75-0-0-0-0) 75.0.0.0 - 75.255.255.255




[Assp-test] SenderBase finding 'AMAZON.COM' but message came from ifixit.com

2011-08-16 Thread James Brown
For some reason ASSP found 'AMAZON.COM' in this message:

From: iFixit
Subject: iFixit: Order #280035 Placed
Date: 17 August 2011 11:25:01 AM AEST
To: James Brown
Return-Path:
X-Original-To: m...@bordo.com.au
Delivered-To: m...@bordo.com.au
Received: from astaro1.bordo.com.au (localhost [127.0.0.1]) by
    mail.bordo.com.au (Postfix) with ESMTP id 7CEA1151C55 for ;
    Wed, 17 Aug 2011 11:25:21 +1000 (EST)
Received: from astaro1.bordo.com.au ([192.168.1.2]
    helo=astaro1.bordo.com.au) by ASSP.nospam with ESMTP (2.0.2); 17 Aug 2011
    11:25:20 +1000
Received: from mailer.ifixit.com ([75.101.159.182]:37636) by
    astaro1.bordo.com.au with esmtp (Exim 4.69) (envelope-from
    ) id 1QtUsY-0005Zd-1j for m...@bordo.com.au; Wed, 17 Aug
    2011 11:25:12 +1000
Received: from www.ifixit.com (ip-10-250-222-176.ec2.internal
    [10.250.222.176]) by mailer.ifixit.com (Postfix) with ESMTP id A7A681DC117 for
    ; Tue, 16 Aug 2011 18:25:02 -0700 (MST)
Received: from ip-10-250-222-176.ec2.internal (localhost
    [127.0.0.1]) by www.ifixit.com (Postfix) with ESMTP id C259A120284 for
    ; Tue, 16 Aug 2011 18:25:02 -0700 (MST)
Received: (from apache@localhost) by
    ip-10-250-222-176.ec2.internal (8.13.8/8.13.8/Submit) id p7H1P1mr031821; Tue,
    16 Aug 2011 18:25:01 -0700
X-Ctch-Refid: str=0001.0A150202.4E4B1878.0061:SCFSTAT12979188,ss=1,fgs=0
X-Authentication-Warning: ip-10-250-222-176.ec2.internal: apache
    set sender to supp...@ifixit.com using -f
Message-Id: <8f24a2f3a17e4fada563ae31f0eac...@www.ifixit.com>
X-Priority: 3
X-Mailer: iMailer
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Assp-Version: 2.0.2(3.2.16) on ASSP.nospam
X-Assp-Message/Ip-Score: -10 (SPF pass)
X-Assp-Message/Ip-Score: -25 (White Organization/Domain 'AMAZON.COM')
X-Assp-Whitelisted: Yes
X-Assp-Envelope-From: supp...@ifixit.com
X-Assp-Intended-For: m...@bordo.com.au
X-Assp-Id: ASSP.nospam id-44321-01393

Dear James,

Thank you for ordering from iFixit.

We have received and are processing your credit card payment. 

After verifying your payment, we will ship your order within one
business day.

You will receive an e-mail notification when your order is shipped.

Order id: #280035
Order date: 08/16/2011

Contact info:
James Brown
61232327212 | m...@bordo.com.au

Billing Address:
James Brown
Bordo International Pty Ltd
3 Kingston Park Court
Scoresby, VIC 3179 
Australia

Shipping Address:
James Brown
Bordo International Pty Ltd
3 Kingston Park Court
Scoresby, VIC 3179 
Australia

Products ordered:
Mac Mini Dual Hard Drive Kit
Quantity: 1
Price: $69.95

Payment via Credit Card.
Ship with FedEx International Priority.

Subtotal: $69.95
Tax: $0.00
Shipping: $35.00

Order Total: $104.95

--

iFixit
sa...@ifixit.com
http://www.iFixit.com
866.61.FIXIT | 805.464.0573




Here are the logs:

Aug-17-11 11:25:21 [Worker_1] VRFY - found m...@bordo.com.au in LDAPlist
Aug-17-11 11:25:21 id-44321-01393 [Worker_1] 192.168.1.2 [OIP: 75.101.159.182] to: m...@bordo.com.au Originating IP/HELO: 75.101.159.182 / astaro1.bordo.com.au
Aug-17-11 11:25:23 id-44321-01393 [Worker_1] 192.168.1.2 [OIP: 75.101.159.182] to: m...@bordo.com.au Message-Score: added -10 for SPF pass, total score for this message is now -10
Aug-17-11 11:25:24 id-44321-01393 [Worker_1] 192.168.1.2 [OIP: 75.101.159.182] to: m...@bordo.com.au Message-Score: added -25 for White Organization/Domain 'AMAZON.COM', total score for this message is now -35
Aug-17-11 11:25:24 id-44321-01393 [Worker_1] 192.168.1.2 [OIP: 75.101.159.182] to: m...@bordo.com.au [whiting] SenderBase -- White Organization/Domain 'AMAZON.COM'
Aug-17-11 11:25:25 id-44321-01393 [Worker_1] [MessageOK] 192.168.1.2 [OIP: 75.101.159.182] to: m...@bordo.com.au message ok - (senderbase: AMAZON.COM) - [iFixit Order 280035 Placed] -> /Applications/assp/okmail/--188567.eml


Running ASSP 2.0.2(3.2.16) on Mac OS X 10.5.8

James.


[Assp-test] SenderBase error -> 2.0.1_RC0.6.01

2009-11-22 Thread Thomas Eckardt/eck
Hi all,

if assp has not got an answer from the DNS-Server for the SenderBase query 
- the worker died with

Nov-11-09 04:51:21 Error: Worker_1: Can't call method "ip_in_bonded_sender" on an undefined value at /usr/local/assp/assp.pl line 15924.

This is fixed in 2.0.1_RC0.6.01 .

Thomas




[Assp-test] SenderBase settings missing option?

2009-07-26 Thread Dave Watkins
Hi

In the SenderBase section of the config DoOrgBlocking has the following text

"If activated, each sending IP address has it's assigned organization looked up.
If no data for country and organisation are available and "allowNoOrgAndCountry"
is not set, the message is consider spam. This requires an installed
Net::SenderBase module in PERL."

But allowNoOrgAndCountry isn't an option anywhere that can be set. Looking
through assp.pl there is only a single occurrence of allowNoOrgAndCountry and
it's to display this page.

Version 2.0.1(RC 0.3.17)

Dave

Re: [Assp-test] SenderBase question

2009-05-14 Thread Charles Marcus
On 5/14/2009, Hill, Brett (hil...@nlbusa.com) wrote:
> Mitch Shanley wrote:
>> Sent: Thursday, May 14, 2009 11:52 AM
>> To: ASSP development mailing list
>> Subject: Re: [Assp-test] SenderBase question
>> 
>> you guys must not care about new users or new installs..  
>> i am unsubscribing i will use another product.
>> 
>> Sincerely,
>> Mitch Shanley
>> Microsoft MCP, MCSE+I, Novell CNA, CNE, Compaq ASE

> Where did that come from?

Probably a troll... or best case, major language barrier problems...

-- 

Best regards,

Charles



Re: [Assp-test] SenderBase question

2009-05-14 Thread Hill, Brett
Mitch Shanley wrote:
> Sent: Thursday, May 14, 2009 11:52 AM
> To: ASSP development mailing list
> Subject: Re: [Assp-test] SenderBase question
> 
> you guys must not care about new users or new installs..  
> i am unsubscribing i will use another product.
> 
> Sincerely,
> Mitch Shanley
> Microsoft MCP, MCSE+I, Novell CNA, CNE, Compaq ASE

Where did that come from?  Fritz answered your question as best as he
could with the information provided.  If you want me to guess, I'd say
that something's screwed up on your Win2003 server install with regard
to your proxy settings.  It was but only a couple of months ago that I
did a fresh install of Windows 2003 server R2 with Perl 5.10 and used
the Module Installation Script.  I did not have any problems with the
install.  The only problem that I've noticed when doing a "first-time"
install is that the Module Installation Script depends on the assp.cfg
file and without it, it won't run.  By default there is no assp.cfg
file, but you can fix that by simply renaming the assp.default file to
assp.cfg.  Then, run the module installation script.  After that, you
can rename the assp.cfg file back to assp.default and run assp.pl to
create a new assp.cfg file with all the defaults (not sure if that's
even needed, but I do it).

Kind Regards,
Brett




Re: [Assp-test] SenderBase question

2009-05-14 Thread Fritz Borgstedt
mshan...@coloradoonly.com writes:
>you guys must not care about new users or new installs..  
>i am unsubscribing i will use another product.


This is a development and testing list. Certainly not the best choice
for new users.
The standard mailing list is much better for such users:

https://lists.sourceforge.net/lists/listinfo/assp-user




Re: [Assp-test] SenderBase question

2009-05-14 Thread Mitch Shanley
you guys must not care about new users or new installs..  
i am unsubscribing i will use another product.

Sincerely,
Mitch Shanley
Microsoft MCP, MCSE+I, Novell CNA, CNE, Compaq ASE

If you want to know your past - look into your present conditions. If you want
to know your future - look into your present actions.
--Chinese Proverb


From: "Fritz Borgstedt"
Sent: Thursday, May 14, 2009 7:44 AM
To: "ASSP development mailing list"
Subject: Re: [Assp-test] SenderBase question

ASSP development mailing list writes:
>The problem with delayed and never repeated message still exists and
>I stay with my suggestion that there should be a config option
>preventing "whiteorged" IPs from delaying.

Delaying is the first step in the process, I see it as unwise to do
a dsn - based query in this early step.
Please show a log, where I can see the match. And please show the
senderbase cache where it should be also shown.

Put 207.46.0.0/16 into
No Processing IPs (noProcessingIPs)



Re: [Assp-test] SenderBase question

2009-05-14 Thread Fritz Borgstedt
ASSP development mailing list writes:
>This raises a question: There are well configured
>servers that will always pass the greylist. There is no point
>delaying them.
>One specific dnswhite list query could solve
>this. I wonder also if this list could b downloaded to make local
>queries.
>reference: http://www.dnswl.org/

My experience with
>http://www.dnswl.org/
is not as good as yours. In fact I shut it off in my installations.
(I disabled DNSWL in all my installations - not worth the hassle).
Currently you have quite many possibilities to prevent delaying.




Re: [Assp-test] SenderBase question

2009-05-14 Thread Hilario Fochi Silveira
This raises a question: There are well configured
servers that will always pass the greylist. There is no point delaying them.
One specific dnswhite list query could solve
this. I wonder also if this list could be downloaded to make local queries.
reference: http://www.dnswl.org/  see home page: recommended usage.
Of course we still have to decide what comes first, the delay or the dns query.


At 10:03 2009-05-14, Fritz Borgstedt wrote:
>ASSP development mailing list writes:
> >The problem with delayed and never repeated message still exists and
> >I stay with my suggestion that there should be a config option
> >preventing "whiteorged" IPs from delaying.
>
>Delaying is the first step in the process, I see it as unwise to do
>a dsn - based query in this early step.
>Please show a log, where I can see the match. And please show the
>senderbase cache where it should be also shown.
>
>Put 207.46.0.0/16 into
>No Processing IPs  (noProcessingIPs)

Sincerely,

Hilário Fochi Silveira
Soliton Controles Industriais Ltda.
02017-002 Rua Alfredo Pujol, 1010 - São Paulo - SP - Brasil
Tel: +55 11 2950-1834  Fax: +55 11 2979-8980  e-mail: hila...@soliton.com.br
Distributor of SSD Drives (formerly Eurotherm Drives), Eurotherm Controls,
Action Instruments, Montalvo, Koyo, Sharp
www.soliton.com.br
www.eurotherm.com.br
www.actionio.com.br www.montalvo.com.br



Re: [Assp-test] SenderBase question

2009-05-14 Thread Thilo.Klein
>Delaying is the first step in the process, I see it as unwise to do a dsn -
>based query in this early step.

Yes, if I think that over, you are right, because of performance reasons.
Albeit that check would help from losing not repeated messages. Delaying is a
good thing, so I don't want to disable it.

>Please show a log, where I can see the match. And please show the senderbase
>cache where it should be also shown.

SenderBase logging is set to "Standard". I'll set it to "verbose" now. The sb
cache expiration is 72 hours. It was just cleared, so microsoft.com is not
there and I cannot prove if it ever has been there or not. I would have to
check this from backup tape, but don't have the time right now. Maybe tomorrow
or next week.

>Put 207.46.0.0/16 into
>No Processing IPs  (noProcessingIPs)

I already have done that yesterday.

Thanks
tk


-----Original Message-----
From: Fritz Borgstedt [mailto:f...@iworld.de]
Sent: Thursday, 14 May 2009 15:03
To: ASSP development mailing list
Subject: Re: [Assp-test] SenderBase question

ASSP development mailing list writes:
>The problem with delayed and never repeated message still exists and I
>stay with my suggestion that there should be a config option preventing
>"whiteorged" IPs from delaying.

Delaying is the first step in the process, I see it as unwise to do a dsn -
based query in this early step.
Please show a log, where I can see the match. And please show the senderbase
cache where it should be also shown.

Put 207.46.0.0/16 into
No Processing IPs  (noProcessingIPs)




Re: [Assp-test] SenderBase question

2009-05-14 Thread Fritz Borgstedt
ASSP development mailing list writes:
>The problem with delayed and never repeated message still exists and
>I stay with my suggestion that there should be a config option
>preventing "whiteorged" IPs from delaying.

Delaying is the first step in the process, I see it as unwise to do
a dsn - based query in this early step.
Please show a log, where I can see the match. And please show the
senderbase cache where it should be also shown.

Put 207.46.0.0/16 into 
No Processing IPs  (noProcessingIPs)




Re: [Assp-test] SenderBase question

2009-05-14 Thread Thilo.Klein
Then I just wonder why 207.46.22.98 is not there 

May-12-09 14:05:24 id-29923-10050 207.46.22.98  to: m...@mydomain.com recipient delayed: m...@mydomain.com

PBWhiteBox:

206.165.243.135 1240384982 1240384982 2
207.46.248.40 1219239376 1240410488 2
207.46.248.41 1224690120 1241614997 2
207.46.248.42 1206581106 1241620696 2
207.46.248.43 1225899245 1236783758 2
207.46.248.64 1226597922 1239730125 2
207.46.248.65 1241085407 1241085407 2
207.46.248.66 1221735027 1236714920 2
207.46.248.67 1240499318 1240499318 2
207.46.248.68 1228855617 1241026579 2
207.46.248.69 1235076218 1242169483 2
212.121.159.109 1231862299 1239181200 2

microsoft.com is in whiteorg.txt and should match. SenderBase.org gives 
microsoft.com for 207.46.0.0/16

Have I made any config mistake?

The problem with delayed and never repeated message still exists and I stay 
with my suggestion that there should be a config option preventing "whiteorged" 
IPs from delaying.

tk

-Original Message-
From: Fritz Borgstedt [mailto:f...@iworld.de]
Sent: Wednesday, 13 May 2009 16:19
To: ASSP development mailing list
Subject: Re: [Assp-test] SenderBase question

ASSP development mailing list writes:
>Correct me if I'm wrong, but "orgwhited" IPs are put in the PBWhiteBox 
>only if the mail finally passes through.

No. They are put in the whitebox when the regex match.


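The delay decision argued over in this thread, as an added model (not ASSP's code): exempt networks are checked first, then the PBWhiteBox, then whether this IP has already been delayed once. The whitebox lines come from the excerpt quoted above; the column meanings (first seen, last seen, status), the per-IP greylist key, the UTC reading of the log time and the two neighbouring pool addresses used in the demo are assumptions.

```python
import ipaddress

# Three lines from the PBWhiteBox excerpt in the thread.
# Assumed columns: IP, first-seen epoch, last-seen epoch, status.
WHITEBOX_DUMP = """\
207.46.248.40 1219239376 1240410488 2
207.46.248.41 1224690120 1241614997 2
212.121.159.109 1231862299 1239181200 2
"""

# "May-12-09 14:05:24" from the log line, read as UTC (assumption).
LOG_TIME = 1242137124


def parse_whitebox(dump):
    """Return {ip_address: (first_seen, last_seen, status)}."""
    box = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ip, first, last, status = parts
        box[ipaddress.ip_address(ip)] = (int(first), int(last), int(status))
    return box


def in_whitebox(ip, box, now, expiration_days):
    """True if the exact IP is listed and not older than WhiteExpiration."""
    entry = box.get(ipaddress.ip_address(ip))
    if entry is None:
        return False
    return now - entry[1] <= expiration_days * 86400


def exempt(ip, cidrs):
    """True if the IP falls in any exempt network (noProcessingIPs style)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def simulate(attempts, box, no_processing, now=LOG_TIME, expiration_days=90):
    """Decide each delivery attempt in order; returns one verdict per attempt."""
    delayed_once = set()
    verdicts = []
    for ip in attempts:
        if exempt(ip, no_processing):
            verdicts.append("pass:noProcessingIPs")
        elif in_whitebox(ip, box, now, expiration_days):
            verdicts.append("pass:whitebox")
        elif ip in delayed_once:
            verdicts.append("pass:retry")
        else:
            delayed_once.add(ip)
            verdicts.append("delay")
    return verdicts


if __name__ == "__main__":
    box = parse_whitebox(WHITEBOX_DUMP)
    # Constructed sender pool: the logged IP plus two neighbours.
    pool = ["207.46.22.98", "207.46.22.99", "207.46.22.100"]
    print("rotating pool, no exemption:", simulate(pool, box, []))
    print("same pool, /16 exempt:      ", simulate(pool, box, ["207.46.0.0/16"]))
    print("whiteboxed sibling:         ", simulate(["207.46.248.40"], box, []))
```

A sender that rotates through addresses never reaches the retry branch, which is why a per-IP whitebox entry does not help and a network-wide exemption does.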


Re: [Assp-test] SenderBase question

2009-05-13 Thread Fritz Borgstedt
ASSP development mailing list writes:
>Correct me if I'm wrong, but "orgwhited" IPs are put in the
>PBWhiteBox only if the mail finally passes through.

No. They are put in the whitebox when the regex match.




Re: [Assp-test] SenderBase question

2009-05-13 Thread Thilo.Klein
Correct me if I'm wrong, but "orgwhited" IPs are put in the PBWhiteBox only if 
the mail finally passes through. If it is delayed and not repeated by the 
sending MTA, nothing will ever go to the PBWhiteBox. 

My WhiteExpiration is set to 90 and for example microsoft.com is in 
whiteorg.txt (whiteSenderBase is set to file:files/whiteorg.txt)

Excerpt from my current whiteorg.txt:

...
microchip.com
microsoft european internet data centres
microsoft.com 
morningstar.com
motogp.com
.

The following line of the log file shows a delayed and NEVER repeated entry 
from Microsoft (still within WhiteExpiration time, so it definitely could not 
have been cleared from PBWhiteBox):

May-12-09 14:05:24 id-29923-10050 207.46.22.98  to: m...@mydomain.com recipient delayed: m...@mydomain.com

Excerpt from my current PBWhiteBox:

206.165.243.135 1240384982 1240384982 2
207.46.248.40 1219239376 1240410488 2
207.46.248.41 1224690120 1241614997 2
207.46.248.42 1206581106 1241620696 2
207.46.248.43 1225899245 1236783758 2
207.46.248.64 1226597922 1239730125 2
207.46.248.65 1241085407 1241085407 2
207.46.248.66 1221735027 1236714920 2
207.46.248.67 1240499318 1240499318 2
207.46.248.68 1228855617 1241026579 2
207.46.248.69 1235076218 1242169483 2
212.121.159.109 1231862299 1239181200 2

207.46.22.98 clearly is not there! The mail is lost (it was important) and 
there is no next time.

I would suggest a config option which prevents "orgwhited" IPs from delaying 
for the next version of ASSP.
tk


-Original Message-
From: Fritz Borgstedt [mailto:f...@iworld.de]
Sent: Wednesday, 13 May 2009 10:49
To: ASSP development mailing list
Subject: Re: [Assp-test] SenderBase question

If found "orgwhitelisted", the IP is put into PBwhitebox. IPs in WhiteBox are 
not delayed. So this takes effect not for the first time when orgwhitelisted 
but the next time...




Re: [Assp-test] SenderBase question

2009-05-13 Thread Fritz Borgstedt
If found "orgwhitelisted", the IP is put into PBwhitebox. IPs in
WhiteBox are not delayed. So this takes effect not for the first time
when orgwhitelisted but the next time...




[Assp-test] SenderBase question

2009-05-13 Thread Thilo.Klein
I'm currently running the latest ASSP V1 (1.5.1.2(3.1.02))

I have set EnableDelaying to "on" and DoOrgWhiting to "whiting". 

Although the sender IP's domain/organization is in whiteSenderBase, it will be
delayed. Is that wanted? There is no option similar to DelayWL for whitelisted
sender/domains to prevent delaying for DoOrgWhiting.

The problem is that some organizations' MTAs don't repeat delayed mails and
noDelay IPs is sometimes no workaround.

For example nslookup (querytype=MX) for power-one.com gives:

power-one.com   MX preference = 10, mail exchanger = mx1.power-one.com.gslb.pphosted.com
power-one.com   MX preference = 10, mail exchanger = mx2.power-one.com.gslb.pphosted.com

mx2.power-one.com.gslb.pphosted.com internet address = 208.84.65.8
mx1.power-one.com.gslb.pphosted.com internet address = 208.86.201.8


My maillog shows the following (real sender substituted with "sender", 
recipient with u...@mydomain.com)

Apr-30-09 14:44:14 id-95454-25535 63.163.226.6  found u...@mydomain.com in LDAP-cache
Apr-30-09 14:44:15 id-95454-25535 63.163.226.6  to: u...@mydomain.com recipient delayed: u...@mydomain.com

In this case the sending MTA didn't repeat the message and, as the log clearly
shows, even has a different IP compared to the nslookup above. Maybe the next
time it sends from smtp1/2/3/4. Therefore it would be helpful to have an
option to prevent whiteSenderBase domains/organization from delaying.

Maybe this could be done in the next version of ASSP, as 1.5.1.2 should be 
feature complete.

Comments are welcome
tk




[Assp-test] Senderbase scoring 1.5.1.2(2.0.04)

2009-05-04 Thread Juergen Stoll
Hi,

it seems to me that scoring for Suspicious Countries is done
with Foreign Country Code Score (instead of Suspicious Country Code Score).

Thanks
Juergen



  


Re: [Assp-test] Senderbase Cache Scores question

2009-04-20 Thread GrayHat
> 0 = neutral
> 1 = used for blocking
> 2 = used for whiting
> 3 = spam detected from this IP

Fritz... what about adding the above infos near the
"show cache" button on the ASSP GUI ?




Re: [Assp-test] senderbase bug

2009-04-20 Thread GrayHat

> Delete the cache. The cache is organized completely
> differently in 1.5.1.2

did that and it got repopulated with correct format entries
I just wonder... I only deleted the pbdb.sb.db; do I need
to also delete other cache files due to format changes ?




Re: [Assp-test] Senderbase Cache Scores question

2009-04-20 Thread Fritz Borgstedt
ASSP development mailing list writes:
>Ok, then what is the status significance of 0, 1, 2, and 3?
>
>I guess what I'm getting at is, if I wanted to share my Senderbase
>database with others, which one would I use?  0?

0 = neutral
1 = used for blocking
2 = used for whiting
3 = spam detected from this IP




Re: [Assp-test] Senderbase Cache Scores question

2009-04-20 Thread Hill, Brett
Fritz Borgstedt wrote:
> >Looking at the Senderbase cache, I see that there is a possibility of 4
> >scores (0, 1, 2, and 3).  What do they mean?
> 
> 
> It is not a score and it is a "status". 

Ok, then what is the status significance of 0, 1, 2, and 3?

I guess what I'm getting at is, if I wanted to share my Senderbase
database with others, which one would I use?  0?

Kind Regards,
Brett




Re: [Assp-test] senderbase bug

2009-04-20 Thread Fritz Borgstedt

Delete the cache. The cache is organized completely differently in
1.5.1.2





Re: [Assp-test] Senderbase Cache Scores question

2009-04-20 Thread Fritz Borgstedt
ASSP development mailing list writes:
>Looking at the Senderbase cache, I see that there is a possibility of 4
>scores (0, 1, 2, and 3).  What do they mean?


It is not a score and it is a "status". 




[Assp-test] Senderbase Cache Scores question

2009-04-20 Thread Hill, Brett
Looking at the Senderbase cache, I see that there is a possibility of 4
scores (0, 1, 2, and 3).  What do they mean?
 
Kind Regards,
Brett


[Assp-test] senderbase bug

2009-04-20 Thread GrayHat
Looking at the senderbase cache I found entries like

12.10.219.43 1240239639 2 US|AMERICAN
12.10.219.44 1240240231 2 US|AMERICAN
12.10.219.61 1240232500 2 US|AMERICAN

now; if you query the above IPs against senderbase
you'll obtain

0=1|1=AMERICAN EXPRESS|2=4.6|3=4.9|4=5062|6=1089301675|8=265871|9=19|20=lppiu550.|21=aexp.com|22=Y|23=4.9|24=5.2|25=1049184000|40=3.7|41=4.0|43=4.5|44=0.04|45=N|46=24|48=24|49=1.00|50=Phoenix|51=AZ|52=85027|53=US|54=-112.089|55=33.7248

so it sounds like ASSP is truncating the orgname at the first
space char it meets; this isn't a good idea at all since it may
(and probably will) allow "spoofing" and also since it would
cause problems with the "" the only way to use the senderbase
org is to cache the full orgname including spaces and other
chars; also, the cache looks somewhat strange, for example
there are entries like

124.83.200.49 1239388228 0 JP|Internet Content Provider|yahoo.co.jp
124.83.200.57 1239631190 0 JP|Internet Content Provider|yahoo.co.jp
124.83.200.68 1239311402 0 JP|Internet Content Provider|yahoo.co.jp
124.83.200.70 1240072565 3 JP|Internet_Content_Provider|yahoo.co.jp
124.83.212.23 1240215367 3 JP|Internet_Content_Provider|yahoo.co.jp
124.83.212.25 1239868738 3 JP|Internet_Content_Provider|yahoo.co.jp
124.83.212.87 1240238692 3 JP|Internet_Content_Provider|yahoo.co.jp
124.83.212.91 1239892751 3 JP|Internet_Content_Provider|yahoo.co.jp

which are using two different formats, one of which includes spaces.
At this point I think there's something strange inside the code which
handles the senderbase entries and cache






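To illustrate the concern raised in the post above, the following added example (not ASSP's code and not from the original post) parses the SenderBase response quoted there, re-joined from its wrapped lines, and compares caching the organisation name cut at the first space with caching it with spaces replaced by `_`. The second organisation name and the whitelist entries are constructed; reading field 1 as organisation, 21 as domain and 53 as country is inferred from the sample.

```python
import re

# SenderBase response from the post, re-joined from its wrapped lines.
SAMPLE = (
    "0=1|1=AMERICAN EXPRESS|2=4.6|3=4.9|4=5062|6=1089301675|8=265871|9=19|"
    "20=lppiu550.|21=aexp.com|22=Y|23=4.9|24=5.2|25=1049184000|40=3.7|41=4.0|"
    "43=4.5|44=0.04|45=N|46=24|48=24|49=1.00|50=Phoenix|51=AZ|52=85027|53=US|"
    "54=-112.089|55=33.7248"
)

# Constructed organisation name sharing only its first word with the real one.
LOOKALIKE = "AMERICAN DISCOUNT MAILERS"


def parse_response(txt):
    """Split 'key=value|key=value|...' into {int_key: value}."""
    fields = {}
    for part in txt.split("|"):
        key, sep, value = part.partition("=")
        if sep and key.strip().isdigit():
            fields[int(key)] = value.strip()
    return fields


def org_truncated(org):
    """Behaviour reported in the post: keep only text before the first space."""
    return org.strip().split(" ", 1)[0]


def org_underscored(org):
    """Alternative: keep the whole name, whitespace runs replaced by '_'."""
    return re.sub(r"\s+", "_", org.strip())


def cache_collisions(orgs, normalise):
    """Group names by cached form; return only groups with more than one name."""
    groups = {}
    for org in orgs:
        groups.setdefault(normalise(org).lower(), []).append(org)
    return {key: names for key, names in groups.items() if len(names) > 1}


def build_whitelist(entries, normalise):
    """One case-insensitive alternation over the normalised entries."""
    alternatives = "|".join(re.escape(normalise(e)) for e in entries)
    return re.compile("(?:%s)" % alternatives, re.IGNORECASE)


def whitelisted(org, whitelist, normalise):
    """Whole-string match only, so a substring or prefix never qualifies."""
    return whitelist.fullmatch(normalise(org)) is not None


if __name__ == "__main__":
    real = parse_response(SAMPLE)[1]
    for name, norm in (("truncated", org_truncated), ("underscored", org_underscored)):
        print(name, "cache forms:", norm(real), "/", norm(LOOKALIKE))
        print(name, "collisions:", cache_collisions([real, LOOKALIKE], norm))
    # With truncation the only entry that can match the cache is "american".
    loose = build_whitelist(["american"], org_truncated)
    strict = build_whitelist(["american express"], org_underscored)
    print("loose lets lookalike in:", whitelisted(LOOKALIKE, loose, org_truncated))
    print("strict lets lookalike in:", whitelisted(LOOKALIKE, strict, org_underscored))
```

The same normalisation also makes the two cache spellings shown in the post, `Internet Content Provider` and `Internet_Content_Provider`, compare equal.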


Re: [Assp-test] Senderbase whiteorg

2009-04-20 Thread GrayHat
> If you don't mind sending to me in rar format, I'd appreciate it.

You've new mail, and btw if you feel like you may "integrate"
it with some more entries and "pass it back" it would be cool




Re: [Assp-test] Senderbase whiteorg

2009-04-20 Thread Hill, Brett
GrayHat wrote:
> 
> Uh... bad wraps or buggy email client :) ?
> 
> Set aside kidding, I may either send the list to Fritz or to 
> whatever else address if you feel it appropriate, just tell 
> me where, no problems in packing up the list (zip, rar, 7z,  
> tgz ...) and emailing it

I suppose bad wraps (Sourceforge seems to do it quite a bit, but
anywho).  I'm using Outlook 2003 which I don't consider to be a "buggy"
client.  

If you don't mind sending to me in rar format, I'd appreciate it.

Kind Regards,
Brett




Re: [Assp-test] Senderbase whiteorg

2009-04-20 Thread GrayHat
> In the email that I received, there's a section in the middle that looks
> like the above.  In an email after this, you mentioned how some of
> these have spaces in their names.  Well, with it bunched up like that,
> it is a little difficult to determine what belongs to what.  Is there
> a chance you could either post it to another location or have Fritz
> update the whiteorg.txt file?

Uh... bad wraps or buggy email client :) ?

Set aside kidding, I may either send the list to Fritz or to whatever
else address if you feel it appropriate, just tell me where, no problems
in packing up the list (zip, rar, 7z,  tgz ...) and emailing it




Re: [Assp-test] Senderbase whiteorg

2009-04-20 Thread Hill, Brett
Grayhat wrote:
> A somewhat more comprehensive list
> 
> HTH
> 
> 3com corporation
> acer-euro.com
> activedir.org
> activepdf.com
> addt.com
> >
> microsoft european internet data centres microsoft.com 
> morningstar.com motogp.com myusairways.com nai.com national 
> aeronautics and space association navy.mil network of emea 
> iga ibm network support network of ign arch. and design gb 
> networkworld.info newegg.com newsguy.com nokia.com nortel.com 
> nranews.org nytimes.com ochsner.org officeliveemail.com 
> opendns.com oracle corporation oracleeblast.com oxy.edu 
> pandasecurity.com paypal.com pcworld.com pgdp.net 
> planetrecruit.net presidenza del consiglio dei ministri pspinc.com
> pt010801 virusbuster kft.
> <
> wilderssecurity.com
> wiley.com
> windowsitpro.com
> winzip.com
> wordpress.com
> workwithus.org
> worldcommunitygrid.org
> wt air cargo ltd

In the email that I received, there's a section in the middle that looks
like the above.  In an email after this, you mentioned how some of these
have spaces in their names.  Well, with it bunched up like that, it is a
little difficult to determine what belongs to what.  Is there a chance
you could either post it to another location or have Fritz update the
whiteorg.txt file?

Kind Regards,
Brett




Re: [Assp-test] Senderbase whiteorg

2009-04-20 Thread GrayHat

> Nice list, Grayhat, but I would shy away from the following

> This microsoft address block as phish/fraud haven based
> upon our log history:

> live.com
> officeliveemail.com

Hmmm... good finding, sounds like when I "pruned" the list
I left out the above two; removed them and re-checked the
list just to be sure; the other entries seem to be ok (at least
I think so)

> I don't trust .edu's as they get infected too often:
> oxy.edu

Well... it was a request from some folks, and that edu didn't
send any spam (till now), so I left it in; btw feel free to remove
it if you think it isn't appropriate, but before doing so, have a
look here

http://www.senderbase.org/senderbase_queries/detaildomain?search_string=oxy.edu

> Is this their entire IP block or just corp?
> In general large ISPs are not a good bet:

> quest.com

The list contains name of entities owning given IP blocks and
no, it doesn't contain "generic" entries (like ISPs) and quest.com
isn't an ISP, maybe you're confusing it with "kwest" or "qwest"
but it isn't the same; quest is a different company

That said, I would be interested in building up a "good entities"
list, so, if someone here has further entries to submit I'd be
interested in them; the idea isn't to "allow" them, just to ensure
that mails from those entities won't be blocked





Re: [Assp-test] Senderbase whiteorg

2009-04-19 Thread Grayhat
> Whiteorg cannot contain spaces.
> Please replace spaces with "_" or "."

When did that start ? And in any case, why didn't you
put somewhere a note about it ? Also, senderbase org
strings contain spaces, so such a thing doesn't make so
much sense to me




Re: [Assp-test] Senderbase whiteorg

2009-04-19 Thread Fritz Borgstedt
ASSP development mailing list writes:
>Whiteorg cannot contain spaces.


Ok. Now they can contain spaces. They are internally changed to "_".



