Re: [Assp-test] Don't to DNSBL for a from domain

2015-10-14 Thread K Post
Thank you both for that info.  Turning off the force early option now.


On Fri, Oct 9, 2015 at 4:19 AM, Thomas Eckardt wrote:

> 'ForceRBLCache' is a bad option - it forces false positives by its logic
>
> GUI description:
> 'ForceRBLCache': If set, ASSP will use cached DNSBL hits to block
> messages before other tests.
>
> Assume an IP is DNSBL/RBL listed and many domains/orgs are sending mails
> via this IP.
> You've configured SPF and/or Senderbase in a way that ignores DNSBL for
> such a single domain/org (dom1) - BUT.
> After some time any other domain causes an RBLCache addition for this IP.
> The next time dom1 sends a mail from this IP, the 'ForceRBLCache' matches
> in the SMTP-handshake and will block regardless of your nice SPF/Senderbase
> setting.
> The IP will get penalty points and if this happens often, the IP will
> possibly become extreme black over the time.
>
> The default for 'ForceRBLCache' is OFF - if you set it to ON, you should
> know what you do!
>
> The documentation gives you an overview about the regular check order.
>
> http://sourceforge.net/projects/assp/files/ASSP%20V2%20multithreading/assp_check_order.txt/download
>
> Most '..early...' and '..force..' checks are processed before the first
> header line is received and the required and checked information is
> available.
>
> IP - connect
> HELO - HELO was sent
> sender - MAIL FROM was sent
> single recipient - RCPT To was sent
> all recipients - DATA was sent
>
> Assume you force an IP check and there is an option to skip this check
> based on the HELO or sending domain - no luck at the 'connect' state.
>
> Thomas
>
>
> **
> FOR ALL USERS !!!
> **
>
> NOTICE - and keep in mind:
>
> Most '..early...' and '..force..' checks will increase the count of false
> positives after some time (except the early HELO check), because they are
> not regular checks!
> These options can be used to prevent system overloads in case of a
> spam-attack over a short time. They should be disabled as soon as
> possible, followed by a cache cleaning for this option.
>
>
>
> From:    K Post
> To:      ASSP development mailing list
> Date:    08.10.2015 22:28
> Subject: Re: [Assp-test] Don't to DNSBL for a from domain
>
>
>
> Thanks Grayhat.
>
> I'm already doing that.  The domain that's listed in senderbase is in the
> white sender file, preceded with a \b  with the dots escaped \.
>
> I do have ForceRBL enabled for early DNSBL checks.  Is >THAT< the problem?
> ValidateRBL is set to score with 50 as a threshold (the same score that
> rejects for us).  I don't even see that senderbase is running for these.
>
> (this isn't urgent, it's just an annoyance)
>
>
> On Thu, Oct 8, 2015 at 11:32 AM, Grayhat  wrote:
>
> > :: On Thu, 8 Oct 2015 11:23:49 -0400
> > :: 
> > :: K Post  wrote:
> >
> > > and for clarification, it looks like the organization sends from
> > > something like 98 different IP's that I know about - I'm sure there
> > > are others - and some of them are blacklisted.
> > >
> > > If I could skip dnsbl either using a wildcard reverse dns match for
> > > the server, say *.thesenderdomain.com or matching the domain of the
> > > from line, that would allow me to easily let these through without
> > > constantly updating norbl.
> >
> > you may use the senderbase/whois query to retrieve the IP owner and
> > then whitelist it using the name (or a matching regexp)
> >
> >
> >
--
___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test


Re: [Assp-test] Don't to DNSBL for a from domain

2015-10-09 Thread Thomas Eckardt
'ForceRBLCache' is a bad option - it forces false positives by its logic

GUI description:
'ForceRBLCache': If set, ASSP will use cached DNSBL hits to block 
messages before other tests.

Assume an IP is DNSBL/RBL listed and many domains/orgs are sending mails 
via this IP.
You've configured SPF and/or Senderbase in a way that ignores DNSBL for
such a single domain/org (dom1) - BUT.
After some time any other domain causes an RBLCache addition for this IP.
The next time dom1 sends a mail from this IP, the 'ForceRBLCache' matches
in the SMTP-handshake and will block regardless of your nice SPF/Senderbase
setting.
The IP will get penalty points and if this happens often, the IP will 
possibly become extreme black over the time.

The default for 'ForceRBLCache' is OFF - if you set it to ON, you should 
know what you do!

The documentation gives you an overview about the regular check order.
http://sourceforge.net/projects/assp/files/ASSP%20V2%20multithreading/assp_check_order.txt/download

Most '..early...' and '..force..' checks are processed before the first 
header line is received and the required and checked information is
available.

IP - connect
HELO - HELO was sent
sender - MAIL FROM was sent
single recipient - RCPT To was sent
all recipients - DATA was sent

Assume you force an IP check and there is an option to skip this check
based on the HELO or sending domain - no luck at the 'connect' state.

Thomas


**
FOR ALL USERS !!!
**

NOTICE - and keep in mind:

Most '..early...' and '..force..' checks will increase the count of false 
positives after some time (except the early HELO check), because they are 
not regular checks!
These options can be used to prevent system overloads in case of a 
spam-attack over a short time. They should be disabled as soon as 
possible, followed by a cache cleaning for this option.



From:    K Post
To:      ASSP development mailing list
Date:    08.10.2015 22:28
Subject: Re: [Assp-test] Don't to DNSBL for a from domain



Thanks Grayhat.

I'm already doing that.  The domain that's listed in senderbase is in the
white sender file, preceded with a \b  with the dots escaped \.

I do have ForceRBL enabled for early DNSBL checks.  Is >THAT< the problem?
ValidateRBL is set to score with 50 as a threshold (the same score that
rejects for us).  I don't even see that senderbase is running for these.

(this isn't urgent, it's just an annoyance)


On Thu, Oct 8, 2015 at 11:32 AM, Grayhat  wrote:

> :: On Thu, 8 Oct 2015 11:23:49 -0400
> :: 
> :: K Post  wrote:
>
> > and for clarification, it looks like the organization sends from
> > something like 98 different IP's that I know about - I'm sure there
> > are others - and some of them are blacklisted.
> >
> > If I could skip dnsbl either using a wildcard reverse dns match for
> > the server, say *.thesenderdomain.com or matching the domain of the
> > from line, that would allow me to easily let these through without
> > constantly updating norbl.
>
> you may use the senderbase/whois query to retrieve the IP owner and
> then whitelist it using the name (or a matching regexp)
>
>
> 




DISCLAIMER:
***
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
***

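Added example, not part of the thread and not ASSP code: a simplified Python model of the sequence described in the message above, where a cached DNSBL hit forced at the 'connect' state blocks a sender whose DNSBL exemption can only be evaluated once MAIL FROM is known. The class, the function names, the IP address and the domains are all constructed for illustration, and counting one penalty point per block is an assumption of the model.

```python
# Simplified model of the check order, not ASSP code. All names and values are constructed.
from dataclasses import dataclass, field

LISTED_IPS = {"192.0.2.10"}        # constructed: shared relay that is DNSBL listed
DNSBL_EXEMPT = {"dom1.example"}    # constructed: domain configured to ignore DNSBL

@dataclass
class Filter:
    force_cache: bool                             # models the 'ForceRBLCache' switch
    cache: set = field(default_factory=set)       # IPs with a cached DNSBL hit
    penalty: dict = field(default_factory=dict)   # assumed: one point per block

    def _block(self, ip, stage):
        self.penalty[ip] = self.penalty.get(ip, 0) + 1
        return ("blocked", stage)

    def handle(self, ip, mail_from):
        # connect: only the IP is known, so no sender-based skip can apply yet
        if self.force_cache and ip in self.cache:
            return self._block(ip, "connect")
        # MAIL FROM: the sender domain is known, the regular check can honour it
        domain = mail_from.rsplit("@", 1)[-1].lower()
        if domain in DNSBL_EXEMPT:
            return ("accepted", "mail_from")
        if ip in LISTED_IPS:
            self.cache.add(ip)                    # any other domain fills the cache
            return self._block(ip, "mail_from")
        return ("accepted", "mail_from")

def replay(force_cache):
    """Replay the same three constructed sessions; return verdicts and penalties."""
    f = Filter(force_cache)
    sessions = [
        ("192.0.2.10", "news@dom1.example"),      # cache still empty
        ("192.0.2.10", "bulk@dom2.example"),      # adds the IP to the cache
        ("192.0.2.10", "news@dom1.example"),      # same exempt sender again
    ]
    return [f.handle(ip, sender) for ip, sender in sessions], f.penalty

if __name__ == "__main__":
    for setting in (False, True):
        print("force_cache =", setting, replay(setting))
```

With the switch off, the third session is accepted at MAIL FROM; with it on, the same session is blocked at connect and the shared IP collects a second penalty point.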


Re: [Assp-test] Don't to DNSBL for a from domain

2015-10-08 Thread K Post
Thanks Grayhat.

I'm already doing that.  The domain that's listed in senderbase is in the
white sender file, preceded with a \b  with the dots escaped \.

I do have ForceRBL enabled for early DNSBL checks.  Is >THAT< the problem?
ValidateRBL is set to score with 50 as a threshold (the same score that
rejects for us).  I don't even see that senderbase is running for these.

(this isn't urgent, it's just an annoyance)


On Thu, Oct 8, 2015 at 11:32 AM, Grayhat  wrote:

> :: On Thu, 8 Oct 2015 11:23:49 -0400
> :: 
> :: K Post  wrote:
>
> > and for clarification, it looks like the organization sends from
> > something like 98 different IP's that I know about - I'm sure there
> > are others - and some of them are blacklisted.
> >
> > If I could skip dnsbl either using a wildcard reverse dns match for
> > the server, say *.thesenderdomain.com or matching the domain of the
> > from line, that would allow me to easily let these through without
> > constantly updating norbl.
>
> you may use the senderbase/whois query to retrieve the IP owner and
> then whitelist it using the name (or a matching regexp)
>
>


Re: [Assp-test] Don't to DNSBL for a from domain

2015-10-08 Thread Grayhat
:: On Thu, 8 Oct 2015 11:23:49 -0400
:: 
:: K Post  wrote:

> and for clarification, it looks like the organization sends from
> something like 98 different IP's that I know about - I'm sure there
> are others - and some of them are blacklisted.
> 
> If I could skip dnsbl either using a wildcard reverse dns match for
> the server, say *.thesenderdomain.com or matching the domain of the
> from line, that would allow me to easily let these through without
> constantly updating norbl.

you may use the senderbase/whois query to retrieve the IP owner and
then whitelist it using the name (or a matching regexp)



Re: [Assp-test] Don't to DNSBL for a from domain

2015-10-08 Thread K Post
and for clarification, it looks like the organization sends from something
like 98 different IP's that I know about - I'm sure there are others - and
some of them are blacklisted.

If I could skip dnsbl either using a wildcard reverse dns match for the
server, say *.thesenderdomain.com or matching the domain of the from line,
that would allow me to easily let these through without constantly updating
norbl.

thanks

On Thu, Oct 8, 2015 at 11:15 AM, K Post  wrote:

> I feel like this has to have been discussed before, but I can't find any
> reference to it.
>
> Is there a way to skip DNSBL checking based on the envelope from / from
> line?  I want the message to contribute to the corpus, just not be scored
> based on DNSBL.
>