Anti-Spam SMTP Proxy Server

please try .12

> please try .12

no way; I'm using VRFY (not ldap) still ASSP .12 rejects
valids recipients, rolling back to .08 fixed the issue, so,
I think there must be a bug into the validation code for
both VRFY and LDAP (since I'm using VRFY while the
other poster is using LDAP)

GrayHat <grayhat@...> schreibt:
>no way; I'm using VRFY (not ldap) still ASSP .12 rejects
>valids recipients, rolling back to .08 fixed the issue, so,
>I think there must be a bug into the validation code for
>both VRFY and LDAP (since I'm using VRFY while the
>other poster is using LDAP)


the verify code corrupted the ldap code.

so I fixed first the old situation. I think, .12 will work with ldap
and flat and not with verify.

> the verify code corrupted the ldap code.
>
> so I fixed first the old situation. I think, .12 will 
> work with ldap and flat and not with verify.

ok, so I'll stay with .08 until VRFY won't be back

>> please try .12 <<

OK, it was .14 by the time I got to it, and yes - on first look it does
appear to have fixed the issue. However, .14 is really unstable - it
crashes here every few minutes, making it unusable. I get the same from
.11 and .14. I have therefore reverted to .8, which is stable. If
there's any troubleshooting I can perform that might help, please
advise. Normal logging shows no clues - ASSP logging just ends as the
service stops. SBS event log shows nothing either (suggesting the ASSP
service exits 'normally').

Specs: SBS 2003, running ASSP as a service.

> OK, it was .14 by the time I got to it, and yes - on first look it
does
> appear to have fixed the issue. However, .14 is really unstable - it
> crashes here every few minutes, making it unusable.

are you using LDAP or VRFY for the recipient validation ?

ASSP development mailing list <assp-test@...>
schreibt:
>Normal logging shows no clues - ASSP logging just ends as the
>service stops. SBS event log shows nothing either (suggesting the ASSP
>service exits 'normally').

In such cases it would be very helpful to start ASSP from the
commandline.

fritz

I'm using LDAP - you can see this from the log extract I provided ;-)


-----Original Message-----
From: GrayHat [mailto:grayhat@...] 
Sent: Friday, January 30, 2009 4:27 PM
To: ASSP development mailing list
Subject: Re: [Assp-test] Recipient Validation Not Working in ASSP
1.5.0.x

> OK, it was .14 by the time I got to it, and yes - on first look it
does
> appear to have fixed the issue. However, .14 is really unstable - it
> crashes here every few minutes, making it unusable.

are you using LDAP or VRFY for the recipient validation ?

----- Original Message ----- 
From: "Sony" <sony@...>
To: "assp-test" <assp-test@...>
Sent: Friday, January 30, 2009 9:33 AM
Subject: [Assp-test] 1.5.1 rc 01 log issue


> Please see below where the first time the IP address was scored for a trap
> address, there's no reason inside the parentheses following "after adding
> 200".  A few seconds later, the score is increased again, and this time
> there's the reason inside the parentheses.  This probably started in the
> first 1.5.0 code.
>
> Jan-30-09 09:04:44 Connected: 83.11.233.161:4780 -> 192.168.0.5:25 ->
> 192.168.0.5:2525
> Jan-30-09 09:04:45 PB: trap address eth0rubin.bennett@... found
> Jan-30-09 09:04:45 ID-35085-06893 [Trap] 83.11.233.161
> <eth0wbqaygxqdd@...> penalty trap address:
> eth0rubin.bennett@...
> Jan-30-09 09:04:45 ID-35085-06893 83.11.233.161 <eth0wbqaygxqdd@...>
> IP-Score for '83.11.233.0' is now 200, after adding 200 ()
> Jan-30-09 09:04:45 Disconnected: 83.11.233.161
> Jan-30-09 09:04:47 Connected: 83.11.233.161:4873 -> 192.168.0.5:25 ->
> 192.168.0.5:2525
> Jan-30-09 09:04:48 PB: trap address eth0tom.eastep@... found
> Jan-30-09 09:04:48 ID-35088-08084 [Trap] 83.11.233.161
> <eth109@...> penalty trap address: eth0tom.eastep@...
> Jan-30-09 09:04:48 ID-35088-08084 83.11.233.161 <eth109@...>
> IP-Score for '83.11.233.0' is now 400, after adding 200
> (penaltytrap:eth0tom.eastep@...)
> Jan-30-09 09:04:48 Disconnected: 83.11.233.161
>

Similar logging is happening for another IP scoring reason as well:

Jan-30-09 09:45:22 Connected: 76.76.100.237:38320 -> 192.168.0.5:25 ->
192.168.0.5:2525
Jan-30-09 09:45:22 Cremory@... matches cremory@... in
LocalAddresses_Flat
Jan-30-09 09:45:22 ID-37522-00099 76.76.100.237
<25-20829261-chewtoy.com?cremory@...> accepting triplet:
(76.76.100.0,#-#-chewtoy.com?cremory@...
.com) waited: 9m 3s
Jan-30-09 09:45:22 ID-37522-00099 76.76.100.237
<25-20829261-chewtoy.com?cremory@...> to:
cremory@... recipient accepted: cremory@...
Jan-30-09 09:45:23 ID-37522-00099 76.76.100.237
<25-20829261-chewtoy.com?cremory@...> to:
cremory@... MessageScore is now 40, after adding 40 (Blocked Country
CA - Interweb Media)
Jan-30-09 09:45:23 ID-37522-00099 76.76.100.237
<25-20829261-chewtoy.com?cremory@...> to:
cremory@... IP-Score for '76.76.100.0' is now 40, after adding 40 ()
Jan-30-09 09:45:23 ID-37522-00099 76.76.100.237
<25-20829261-chewtoy.com?cremory@...> to:
cremory@... [scoring] Blocked Country CA - Interweb Media
Jan-30-09 09:45:23 ID-37522-00099 76.76.100.237
<25-20829261-chewtoy.com?cremory@...> to:
cremory@... ClamAV: scanned 7532 bytes in message - OK
Jan-30-09 09:45:24 ID-37522-00099 76.76.100.237
<25-20829261-chewtoy.com?cremory@...> to:
cremory@... Bayesian Check - Prob: 1.00000 => spam
Jan-30-09 09:45:24 ID-37522-00099 76.76.100.237
<25-20829261-chewtoy.com?cremory@...> to:
cremory@... MessageScore is now 90, after adding 50 (Bayesian
Probability: 1.0000)
Jan-30-09 09:45:24 ID-37522-00099 76.76.100.237
<25-20829261-chewtoy.com?cremory@...> to:
cremory@... IP-Score for '76.76.100.0' is now 90, after adding 50
(Bayesian Probability: 1.0000)
Jan-30-09 09:45:24 ID-37522-00099 [Bayesian] 76.76.100.237
<25-20829261-chewtoy.com?cremory@...> to:
cremory@... [spam found] (Bayesian) -> d:\assp/discarded/37522.eml;
Jan-30-09 09:45:24 ID-37522-00099 76.76.100.237
<25-20829261-chewtoy.com?cremory@...> to:
cremory@... deleting spamming safelisted tuplet:
(76.76.100.0,vzifbu.moogoocrunch.com) age: 2s
Jan-30-09 09:45:24 ID-37522-00099 76.76.100.237
<25-20829261-chewtoy.com?cremory@...> to:
cremory@... [SMTP Error] 554 Mail appears to be unsolicited -- send
error reports to postmaster@...
Jan-30-09 09:45:24 Disconnected: 76.76.100.237

> I've also experienced this, but with version 2. An email will come  
> in and crash Perl. Have to restart ASSP. Everything works fine for a  
> while until the sender of the problem email tries to send it again.  
> The only way around the problem is to enter the sender's IP into  
> denySMTPConnectionsFrom.

I've also noticed a new form of spam, coming from hotmail. It seems to  
try to break the MTA with a bad header:

Jan-29-09 23:01:19 [Worker_1] Worker_1 wakes up
Jan-29-09 23:01:19 [Worker_1] Info: Worker_1 got connection from  
MainThread
Jan-29-09 23:01:19 [Worker_1] Connected: 65.54.246.234:40722 ->  
my.quad.ip.num:25 -> 127.0.0.
                    1:125
Jan-29-09 23:01:19 [Main_Thread] Info: Main_Thread freed by idle  
Worker_1 in 0.009 seconds
Jan-29-09 23:01:19 id-88079-28332 [Worker_1] 65.54.246.234 <carbonell_115@... 
 > to:
                    mail@... Message-Score: total for this  
message is 25, added 25 for Extreme
                    Bad History
Jan-29-09 23:01:19 id-88079-28332 [Worker_1] 65.54.246.234 <carbonell_115@... 
 > to:
                    mail@... Regex:SPFstrict '@hotmail.com'
Jan-29-09 23:01:19 id-88079-28332 [Worker_1] [SPF] 65.54.246.234 <carbonell_115@... 
 > to:
                    mail@...  SPF: pass (cache)  
ip=65.54.246.234 mailfrom=carbonell_115@....
                    com helo=bay0-omc3-s34.bay0.hotmail.com
Jan-29-09 23:01:26 id-88079-28332 [Worker_1] 65.54.246.234 <carbonell_115@... 
 > to:
                    mail@... ClamAV: scanned 75014 bytes in   
message - OK
Jan-29-09 23:01:26 id-88079-28332 [Worker_1] 65.54.246.234 <carbonell_115@... 
 > to:
                    mail@... Message-Score: total for this  
message is 35, added 10 for URIBL:
                    neutral,  listed in livecomuriblswinogch
Jan-29-09 23:01:28 id-88079-28332 [Worker_1] 65.54.246.234 <carbonell_115@... 
 > to:
                    mail@... Bayesian Check  - Prob:  
1.00000 / Confidence: 0.00000 =>
                    doubtful.spam
Jan-29-09 23:01:28 id-88079-28332 [Worker_1] [Penalty][lowconfidence]  
65.54.246.234 <carbonell_115@....
                    com> to: mail@... [spam found] and  
passing because of low confidence,
                    otherwise blocked (totalscore for 65.54.246.234 is  
1430, last penalty was
                    'URIBLneutral') [Enrique Carbonell MAdrid Pedido] - 
 > ./discarded/88079.eml
Jan-29-09 23:01:37 id-88079-28332 [Worker_1] [OversizedHeader]  
65.54.246.234 <carbonell_115@....
                    com> to: mail@... Possible Mailloop:  
Headerlength (100066) >
                    100000
Jan-29-09 23:01:37 id-88079-28332 [Worker_1] 65.54.246.234 <carbonell_115@... 
 > to:
                    mail@... [SMTP Error] 554 5.7.1 possible  
mailloop - oversized header
                    (100066)
Jan-29-09 23:01:37 [Worker_1] Disconnected: 65.54.246.234
Jan-29-09 23:01:37 [Worker_1] Worker_1 will sleep now

It's the first time )=I've seen this in my logs. It ends up chewing up  
the processor for a few seconds, but it does it every four minutes  
(possibly hotmail's retry period?). If many mails came in this way, I  
suspect I'd experience a DDoS.

I've also noticed other attacks two days ago, but I've not been able  
to narrow them down.

There's no doubt in my mind, however, that http://www.spamcop.net/spamgraph.shtml?spamyear 
  accurately portrays what I've experienced on my server. N.b.,  
sometimes, of late, the link does not have a chart in it. Not sure why.

BTW, Thomas, I will get back to you soon about the new version. I've  
been too busy on other project for the past week. Sorry.

T.

You should kick them out - if

>otherwise blocked (totalscore for 65.54.246.234 is  1430, last penalty 
was

Thomas



Trevor Jacques <Trevor@...> 
30.01.2009 15:56
Bitte antworten an
ASSP development mailing list <assp-test@...>


An
ASSP development mailing list <assp-test@...>
Kopie

Thema
Re: [Assp-test] ASSP 2.0.0(9.04) has started to hang SMTP






> I've also experienced this, but with version 2. An email will come 
> in and crash Perl. Have to restart ASSP. Everything works fine for a 
> while until the sender of the problem email tries to send it again. 
> The only way around the problem is to enter the sender's IP into 
> denySMTPConnectionsFrom.

I've also noticed a new form of spam, coming from hotmail. It seems to 
try to break the MTA with a bad header:

Jan-29-09 23:01:19 [Worker_1] Worker_1 wakes up
Jan-29-09 23:01:19 [Worker_1] Info: Worker_1 got connection from 
MainThread
Jan-29-09 23:01:19 [Worker_1] Connected: 65.54.246.234:40722 -> 
my.quad.ip.num:25 -> 127.0.0.
                    1:125
Jan-29-09 23:01:19 [Main_Thread] Info: Main_Thread freed by idle 
Worker_1 in 0.009 seconds
Jan-29-09 23:01:19 id-88079-28332 [Worker_1] 65.54.246.234 
<carbonell_115@... 
 > to:
                    mail@... Message-Score: total for this 
message is 25, added 25 for Extreme
                    Bad History
Jan-29-09 23:01:19 id-88079-28332 [Worker_1] 65.54.246.234 
<carbonell_115@... 
 > to:
                    mail@... Regex:SPFstrict '@hotmail.com'
Jan-29-09 23:01:19 id-88079-28332 [Worker_1] [SPF] 65.54.246.234 
<carbonell_115@... 
 > to:
                    mail@...  SPF: pass (cache) 
ip=65.54.246.234 mailfrom=carbonell_115@....
                    com helo=bay0-omc3-s34.bay0.hotmail.com
Jan-29-09 23:01:26 id-88079-28332 [Worker_1] 65.54.246.234 
<carbonell_115@... 
 > to:
                    mail@... ClamAV: scanned 75014 bytes in 
message - OK
Jan-29-09 23:01:26 id-88079-28332 [Worker_1] 65.54.246.234 
<carbonell_115@... 
 > to:
                    mail@... Message-Score: total for this 
message is 35, added 10 for URIBL:
                    neutral,  listed in livecomuriblswinogch
Jan-29-09 23:01:28 id-88079-28332 [Worker_1] 65.54.246.234 
<carbonell_115@... 
 > to:
                    mail@... Bayesian Check  - Prob: 
1.00000 / Confidence: 0.00000 =>
                    doubtful.spam
Jan-29-09 23:01:28 id-88079-28332 [Worker_1] [Penalty][lowconfidence] 
65.54.246.234 <carbonell_115@....
                    com> to: mail@... [spam found] and 
passing because of low confidence,
                    otherwise blocked (totalscore for 65.54.246.234 is 
1430, last penalty was
                    'URIBLneutral') [Enrique Carbonell MAdrid Pedido] - 
 > ./discarded/88079.eml
Jan-29-09 23:01:37 id-88079-28332 [Worker_1] [OversizedHeader] 
65.54.246.234 <carbonell_115@....
                    com> to: mail@... Possible Mailloop: 
Headerlength (100066) >
                    100000
Jan-29-09 23:01:37 id-88079-28332 [Worker_1] 65.54.246.234 
<carbonell_115@... 
 > to:
                    mail@... [SMTP Error] 554 5.7.1 possible 
mailloop - oversized header
                    (100066)
Jan-29-09 23:01:37 [Worker_1] Disconnected: 65.54.246.234
Jan-29-09 23:01:37 [Worker_1] Worker_1 will sleep now

It's the first time )=I've seen this in my logs. It ends up chewing up 
the processor for a few seconds, but it does it every four minutes 
(possibly hotmail's retry period?). If many mails came in this way, I 
suspect I'd experience a DDoS.

I've also noticed other attacks two days ago, but I've not been able 
to narrow them down.

There's no doubt in my mind, however, that 
http://www.spamcop.net/spamgraph.shtml?spamyear 
  accurately portrays what I've experienced on my server. N.b., 
sometimes, of late, the link does not have a chart in it. Not sure why.

BTW, Thomas, I will get back to you soon about the new version. I've 
been too busy on other project for the past week. Sorry.

T.

------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Assp-test mailing list
Assp-test@...
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************

> You should kick them out - if
> >otherwise blocked (totalscore for 65.54.246.234 is  1430, last  
> penalty was

I had thought that it was on, but I had set DoPenalty to block, but  
the DoPenaltyMessage was disabled. I've now changed that, so let's see  
what happens. :-)

T.

> My servers got 200% more spam the last days, personally it is
> something like 300%. Anybody else with that experience?

did you see this ?

http://www.theregister.co.uk/2009/01/26/spam_trends/

maybe that's what you're observing ;-) also, and since we're
at it, are you, by chance, using URIBL on "high traffic" servers ?

In such a case, I think you'd better have a look at this

http://www.nabble.com/-Bug-6048--New:-URIBL.com-tests-should-be-removed-from-the-default-SpamAssassin-rulesets-td21594662.html

in short, if you query URIBL "too much" (don't ask me how
much is it) their DNS will start returning a 127.0.0.255 for
ANY host, and this may cause a whole LOT of false hits
for innocent machines/uris

> in short, if you query URIBL "too much" (don't ask me how
> much is it) their DNS will start returning a 127.0.0.255 for
> ANY host, and this may cause a whole LOT of false hits
> for innocent machines/uris

for further details, please see

http://www.uribl.com/faq.shtml#q4

Never mind, removed it already!

Op 29 jan 2009, om 20:52 heeft Micheal Espinola Jr het volgende  
geschreven:

> Please remove the "snake coiled around email' logo. That logo is of  
> my own personal creation, specifically for the wiki.  It was never  
> adopted as an official logo of the ASSP project.
>
> Thank you.
> --
> ME2
>
>
> On Thu, Jan 29, 2009 at 2:28 PM, Fritz Borgstedt <fb@...> wrote:
> ASSP development mailing list <assp-test@...>
> schreibt:
> >Im am running 2(11.17) next to LDAP Setup the blue i icon has a link
> >to: http://apps.sourceforge.net/mediawiki/assp/LDAPthat's not correct
>
>
> [Bild:290109_203007_0.png]
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> Assp-test mailing list
> Assp-test@...
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword_______________________________________________
> Assp-test mailing list
> Assp-test@...
> https://lists.sourceforge.net/lists/listinfo/assp-test

Met vriendelijke groet / Best regards,

Pascal Dreissen

Virus
Inside
Switch
To
Apple

Thank you.
--
ME2


On Thu, Jan 29, 2009 at 3:33 PM, Pascal Dreissen <pascal@...> wrote:

> Never mind, removed it already!
>  Op 29 jan 2009, om 20:52 heeft Micheal Espinola Jr het volgende
> geschreven:
>
>   Please remove the "snake coiled around email' logo. That logo is of my
> own personal creation, specifically for the wiki.  It was never adopted as
> an official logo of the ASSP project.
>
> Thank you.
> --
> ME2
>
>
> On Thu, Jan 29, 2009 at 2:28 PM, Fritz Borgstedt <fb@...> wrote:
>
>> ASSP development mailing list <assp-test@...>
>> schreibt:
>> >Im am running 2(11.17) next to LDAP Setup the blue i icon has a link
>> >to: http://apps.sourceforge.net/mediawiki/assp/LDAPthat's not correct
>>
>>
>> [Bild:290109_203007_0.png]
>>
>>
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by:
>> SourcForge Community
>> SourceForge wants to tell your story.
>> http://p.sf.net/sfu/sf-spreadtheword
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@...
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>>
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
>
> http://p.sf.net/sfu/sf-spreadtheword_______________________________________________
> Assp-test mailing list
> Assp-test@...
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
>    Met vriendelijke groet / Best regards,
>
> Pascal Dreissen
>
> *V*irus
> *I*nside
> *S*witch
> *T*o
> *A*pple
>
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> Assp-test mailing list
> Assp-test@...
> https://lists.sourceforge.net/lists/listinfo/assp-test
>

I didnt contribute it anywhere, and when I brought it up for discussing
before, it was rebuked.  The graphic, as I created it, only existed on the
wiki - for which as with most everything else has been in an unofficial
context due to the nature and management of the project.

If you want to use it - ask me.  Dont just do it.
--
ME2


On Thu, Jan 29, 2009 at 3:13 PM, Pascal Dreissen <pascal@...> wrote:

>  Michael,
>
> You contributed this to the community didn't you ? Is it copyright
> protected then ?  I really appreciate what you did the last couple of
> years, but is it nescassary to fire off on everything we are using, which
> was part of the 'old'  community ?
>
> Thanks!
>
>  Op 29 jan 2009, om 20:52 heeft Micheal Espinola Jr het volgende
> geschreven:
>
>  Please remove the "snake coiled around email' logo. That logo is of my
> own personal creation, specifically for the wiki.  It was never adopted as
> an official logo of the ASSP project.
>
> Thank you.
> --
> ME2
>
>
> On Thu, Jan 29, 2009 at 2:28 PM, Fritz Borgstedt <fb@...> wrote:
>
>> ASSP development mailing list <assp-test@...>
>> schreibt:
>> >Im am running 2(11.17) next to LDAP Setup the blue i icon has a link
>> >to: http://apps.sourceforge.net/mediawiki/assp/LDAPthat's not correct
>>
>>
>> [Bild:290109_203007_0.png]
>>
>>
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by:
>> SourcForge Community
>> SourceForge wants to tell your story.
>> http://p.sf.net/sfu/sf-spreadtheword
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@...
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>>
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
>
> http://p.sf.net/sfu/sf-spreadtheword_______________________________________________
> Assp-test mailing list
> Assp-test@...
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
>    Met vriendelijke groet / Best regards,
>
> Pascal Dreissen
>
> *V*irus
> *I*nside
> *S*witch
> *T*o
> *A*pple
>
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> Assp-test mailing list
> Assp-test@...
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>