Re: [Assp-test] Don't to DNSBL for a from domain
Thank you both for that info. Turning off the force early option now.

On Fri, Oct 9, 2015 at 4:19 AM, Thomas Eckardt wrote:
> 'ForceRBLCache' is a bad option - it forces false positives by its logic
> [...]

--
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
Re: [Assp-test] Don't to DNSBL for a from domain
'ForceRBLCache' is a bad option - it forces false positives by its logic.

GUI description:
'ForceRBLCache': If set, ASSP will use cached DNSBL hits to block messages before other tests.

Assume an IP is DNSBL/RBL listed and many domains/orgs are sending mails via this IP.
You've configured SPF and/or Senderbase in a way that ignores DNSBL for such a single domain/org (dom1) - BUT.
After some time any other domain causes an RBLCache addition for this IP.
The next time dom1 sends a mail from this IP, the 'ForceRBLCache' matches in the SMTP handshake and will block regardless of your nice SPF/Senderbase setting.
The IP will get penalty points and if this happens often, the IP will possibly become extreme black over time.

The default for 'ForceRBLCache' is OFF - if you set it to ON, you should know what you do!

The documentation gives you an overview of the regular check order.

http://sourceforge.net/projects/assp/files/ASSP%20V2%20multithreading/assp_check_order.txt/download

Most '..early...' and '..force..' checks are processed before the first header line is received and the required and checked information is available.

IP - connect
HELO - HELO was sent
sender - MAIL FROM was sent
single recipient - RCPT TO was sent
all recipients - DATA was sent

Assume you force an IP check and there is an option to skip this check based on the HELO or sending domain - no luck at the 'connect' state.

Thomas

**
FOR ALL USERS !!!
**

NOTICE - and keep in mind:

Most '..early...' and '..force..' checks will increase the count of false positives after some time (except the early HELO check), because they are not regular checks!
These options can be used to prevent system overloads in case of a spam attack over a short time. They should be disabled as soon as possible, followed by a cache cleaning for this option.

From: K Post
To: ASSP development mailing list
Date: 08.10.2015 22:28
Subject: Re: [Assp-test] Don't to DNSBL for a from domain

> Thanks Greyhat. I'm already doing that.
> [...]
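The mechanism Thomas describes (a cached DNSBL hit seeded by one tenant of a shared IP, then matched at the 'connect' state before any sender-based exemption can be consulted) is easy to see in a small model of the check order. The following is an added illustration written for this page, not ASSP's code: the state names, the shared cache, the exemption set and the penalty counter are assumptions chosen to mirror the thread's description, and the IP and domains are constructed sample data.

```python
"""Why an early, forced RBL-cache check blocks a sender that a regular,
sender-aware DNSBL check would let through.

Illustrative model written for this page; it is not ASSP's code. The state
names (connect, mail_from), the shared cache, the exemption set and the
penalty counter are assumptions that mirror the check order described in the
thread. The IP and domains are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed data: one DNSBL-listed IP (TEST-NET-3) shared by several sending
# domains, and one domain for which DNSBL results are to be ignored.
DNSBL_LISTED = {"203.0.113.10"}
SKIP_DNSBL_FOR_SENDER_DOMAINS = {"dom1.example"}


@dataclass
class Session:
    ip: str
    helo: str
    sender: str


@dataclass
class Filter:
    force_rbl_cache: bool
    rbl_cache: set = field(default_factory=set)   # IPs with a cached DNSBL hit
    penalty: dict = field(default_factory=dict)   # penalty points per IP

    def dnsbl_lookup(self, ip: str) -> bool:
        """Stand-in for a live DNSBL query; every hit, whichever domain
        triggered it, lands in the cache that is shared by all senders."""
        hit = ip in DNSBL_LISTED
        if hit:
            self.rbl_cache.add(ip)
        return hit

    def check_connect(self, s: Session):
        # At 'connect' only the IP is known: HELO and MAIL FROM have not been
        # sent yet, so no HELO- or sender-based exemption can be consulted.
        if self.force_rbl_cache and s.ip in self.rbl_cache:
            return "blocked:ForceRBLCache@connect"
        return None

    def check_mail_from(self, s: Session):
        # Regular DNSBL check: the sender domain is known, so the exemption
        # is honoured before any lookup happens.
        domain = s.sender.rsplit("@", 1)[-1].lower()
        if domain in SKIP_DNSBL_FOR_SENDER_DOMAINS:
            return None
        if self.dnsbl_lookup(s.ip):
            return "blocked:DNSBL@mail_from"
        return None

    def handle(self, s: Session) -> str:
        for check in (self.check_connect, self.check_mail_from):
            verdict = check(s)
            if verdict:
                self.penalty[s.ip] = self.penalty.get(s.ip, 0) + 1
                return verdict
        return "accepted"


def run_scenario(force_rbl_cache: bool, clean_cache_before_last: bool = False):
    """Replay the sequence from the thread and return (verdicts, penalty)."""
    f = Filter(force_rbl_cache=force_rbl_cache)
    ip = "203.0.113.10"
    dom1 = Session(ip, "mx.dom1.example", "alice@dom1.example")
    other = Session(ip, "mx.other.example", "bob@other.example")
    verdicts = [
        f.handle(dom1),    # exempt, nothing cached yet
        f.handle(other),   # not exempt: the DNSBL hit seeds the shared cache
    ]
    if clean_cache_before_last:
        f.rbl_cache.clear()   # the cache cleaning recommended after disabling the option
    verdicts.append(f.handle(dom1))   # the case the thread is about
    return verdicts, f.penalty.get(ip, 0)


if __name__ == "__main__":
    for force in (False, True):
        print(f"ForceRBLCache={'ON' if force else 'OFF'}:", run_scenario(force))
    print("ForceRBLCache=ON, cache cleaned:",
          run_scenario(True, clean_cache_before_last=True))
```

With the option off, dom1's third message is accepted because the sender domain is known by the time the regular DNSBL check runs. With it on, the same message is rejected at 'connect', where only the IP is available, and the IP collects a second penalty point; clearing the cache after turning the option off is what stops that accumulation.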
Re: [Assp-test] Don't to DNSBL for a from domain
Thanks Greyhat.

I'm already doing that. The domain that's listed in senderbase is in the white sender file, preceded with a \b, with the dots escaped \.

I do have ForceRBL enabled for early DNSBL checks. Is >THAT< the problem?
ValidateRBL is set to score with 50 as a threshold (the same score that rejects for us). I don't even see that senderbase is running for these.

(this isn't urgent, it's just an annoyance)

On Thu, Oct 8, 2015 at 11:32 AM, Grayhat wrote:
> you may use the senderbase/whois query to retrieve the IP owner and
> then whitelist it using the name (or a matching regexp)
> [...]
Re: [Assp-test] Don't to DNSBL for a from domain
:: On Thu, 8 Oct 2015 11:23:49 -0400
:: K Post wrote:
> [...]

you may use the senderbase/whois query to retrieve the IP owner and then whitelist it using the name (or a matching regexp)
Re: [Assp-test] Don't to DNSBL for a from domain
and for clarification, it looks like the organization sends from something like 98 different IPs that I know about - I'm sure there are others - and some of them are blacklisted.

If I could skip dnsbl either using a wildcard reverse dns match for the server, say *.thesenderdomain.com, or matching the domain of the from line, that would allow me to easily let these through without constantly updating norbl.

thanks

On Thu, Oct 8, 2015 at 11:15 AM, K Post wrote:
> I feel like this has to have been discussed before, but I can't find any
> reference to it.
>
> Is there a way to skip DNSBL checking based on the envelope from / from
> line? I want the message to contribute to the corpus, just not be scored
> based on DNSBL.
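The three matchers discussed across this thread (a white-sender entry written with a \b and escaped dots, a wildcard reverse-DNS match such as *.thesenderdomain.com, and Grayhat's suggestion of whitelisting the IP owner's name from a senderbase/whois lookup) can be put side by side in one small decision function. The code below is an added example written for this page, not ASSP's code or its configuration syntax: the forward-DNS table, the whois text, the IPs and the names are constructed sample data, and the forward-confirmed reverse DNS check is a safeguard added here rather than something the thread describes.

```python
"""Matchers for skipping a DNSBL check based on who the sender is rather
than on the connecting IP: sender domain, reverse-DNS wildcard, IP owner name.

Illustrative Python written for this page; it is not ASSP's code or its
configuration syntax. The forward-DNS table, the whois text, the IPs and the
names are constructed sample data; the FCrDNS check is an added safeguard,
not something the thread describes.
"""
import re

# Constructed forward-DNS answers, used to confirm that a PTR name really
# resolves back to the connecting IP (forward-confirmed reverse DNS). Without
# this, whoever controls the PTR for an IP can give it a whitelisted name.
FORWARD_DNS = {
    "mail1.thesenderdomain.com": {"203.0.113.10", "203.0.113.11"},
    "mx.other.example": {"198.51.100.7"},
}

# Constructed whois/Senderbase-style answer for 203.0.113.10.
WHOIS_203_0_113_10 = """\
NetRange:   203.0.113.0 - 203.0.113.255
OrgName:    The Sender Corp
OrgId:      TSC-EXAMPLE
"""


def sender_domain_regex(domain: str) -> re.Pattern:
    """Entry in the spirit of '\\bdom1\\.example' from the thread: dots escaped
    so '.' is literal, anchored to the part after '@' and to the end of the
    address so 'dom1.example.attacker' and 'notdom1.example' do not match."""
    return re.compile(r"(?<=@)" + re.escape(domain) + r"$", re.IGNORECASE)


def unescaped_sender_regex(domain: str) -> re.Pattern:
    """The same entry with the dots left unescaped: '.' matches any character."""
    return re.compile(r"\b" + domain, re.IGNORECASE)


def rdns_glob_regex(glob: str) -> re.Pattern:
    """Turn a wildcard such as '*.thesenderdomain.com' into an anchored regex.
    '*' may span several labels here; narrow it if a single label is meant."""
    body = re.escape(glob).replace(r"\*", r"[a-z0-9.-]+")
    return re.compile("^" + body + "$", re.IGNORECASE)


def fcrdns_ok(ip: str, rdns: str) -> bool:
    """True only if the PTR name resolves forward to the connecting IP."""
    return ip in FORWARD_DNS.get(rdns.lower(), set())


def whois_org_name(whois_text: str):
    """Pull the OrgName line out of a whois-style record."""
    m = re.search(r"^OrgName:\s*(.+?)\s*$", whois_text, re.MULTILINE)
    return m.group(1) if m else None


def dnsbl_exempt(ip: str, sender: str, rdns, whois_text,
                 sender_domains=("dom1.example",),
                 rdns_globs=("*.thesenderdomain.com",),
                 owner_regex=r"^The Sender Corp$"):
    """Return the reason the DNSBL check may be skipped, or None."""
    for d in sender_domains:
        if sender_domain_regex(d).search(sender):
            return "sender-domain"
    if rdns and fcrdns_ok(ip, rdns):
        for g in rdns_globs:
            if rdns_glob_regex(g).match(rdns):
                return "rdns"
    org = whois_org_name(whois_text or "")
    if org and re.search(owner_regex, org, re.IGNORECASE):
        return "owner"
    return None


if __name__ == "__main__":
    print(dnsbl_exempt("203.0.113.10", "alice@dom1.example", None, None))
    print(dnsbl_exempt("203.0.113.10", "bob@other.example",
                       "mail1.thesenderdomain.com", None))
    print(dnsbl_exempt("203.0.113.10", "bob@other.example",
                       "mx.other.example", WHOIS_203_0_113_10))
```

Two things the example makes visible. First, the escaping K Post mentions matters: `unescaped_sender_regex` accepts `alice@dom1Xexample`, and a `\b` alone does not stop `alice@dom1.example.attacker`, so the domain part needs an end anchor as well. Second, a reverse-DNS wildcard is only as trustworthy as the PTR record, which the sending side controls; requiring the name to resolve forward to the connecting IP closes that. Whitelisting by owner name, as Grayhat suggests, covers all of an organization's ranges at once (the 98 IPs in the question), at the cost of also exempting any compromised host inside those ranges.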