Anti-Spam SMTP Proxy Server

Collecting =>Max Bytes (MaxBytes) is set to 32000

The entire source of the spam is attached (only mydomain name was 
modified). Unziped it is only 9k


At 16:25 2009-07-29, you wrote:
>Are you sure that whyza.net is in the first ( maxbytes  ) part of the
>mail? How big is maxbytes?
>Please show me the part of the mail, where whyza.net should be catched.

> Received: from mout3.freenet.de (localhost [127.0.0.1])
> 	by mymxserver.com (Postfix) with ESMTP id 9868FB16D96
> 	for <user@...>; Tue, 28 Jul 2009 14:32:46 -0400 (EDT)

I am beginning to suspect that it's possible to spoof localhost to get  
around assp. Anyone have any thoughts? I'm sure that incoming port  
10024 and 1025 are blocked from the outside, so perhaps one can  
successfully spoof the sending server's IP to be localhost (as above,  
perhaps), so that assp simply passes the mail to the SMTP server or  
amavisd.

Anyone have any thoughts?

T.

As requested, the example is bellow:

Jul-29-09 03:00:51 Connected: 
111.222.333.13:55106 -> 1.2.3.4:25 -> 127.0.0.1:125
Jul-29-09 03:00:51 recipient@... 
matches recipient@... in LocalAddresses_Flat
Jul-29-09 03:00:51 id-47251-00739 111.222.333.13 
<spammer@...> accepting triplet: 
(111.222.333.0,spammer@...) waited: 21m 50s
Jul-29-09 03:00:51 id-47251-00739 111.222.333.13 
<spammer@...> to: 
recipient@... recipient accepted: recipient@...
Jul-29-09 03:00:52 id-47251-00739 [BombHeader] 
111.222.333.13 <spammer@...> to: 
recipient@... [scoring] (BombHeader Subject 'Receive SMS From');
Jul-29-09 03:00:52 id-47251-00739 111.222.333.13 
<spammer@...> to: 
recipient@... added 10 (BombHeader 
Subject 'Receive SMS From'), total score for this message is now 10
Jul-29-09 03:00:52 id-47251-00739 111.222.333.13 
<spammer@...> to: 
recipient@... deleting spamming 
safelisted tuplet: (111.222.333.0,mail.wnetrj.com.br) age: 1s
Jul-29-09 03:00:52 id-47251-00739 111.222.333.13 
<spammer@...> to: 
recipient@... added 10 (BombHeader 
Subject 'Receive SMS From'), total score for IP '111.222.333.13' is now 10
Jul-29-09 03:00:52 id-47251-00739 111.222.333.13 
<spammer@...> to: 
recipient@... SenderBase(Cache) -- 
country:BR orgname:Wireless Internet S.A. domain:wnetrj.com.br
Jul-29-09 03:00:56 id-47251-00739 111.222.333.13 
<spammer@...> to: 
recipient@... added 6 (DNSBL: neutral, 
111.222.333.13 listed in l2.apews.org), total score for this message is now 16
Jul-29-09 03:00:56 id-47251-00739 111.222.333.13 
<spammer@...> to: 
recipient@... added 6 (DNSBL: neutral, 
111.222.333.13 listed in l2.apews.org), total 
score for IP '111.222.333.13' is now 16
Jul-29-09 03:00:56 id-47251-00739 [DNSBL] 
111.222.333.13 <spammer@...> to: 
recipient@... [scoring] (DNSBL: 
neutral, 111.222.333.13 listed in (l2.apews.org<-127.0.0.2; ))
Jul-29-09 03:00:56 id-47251-00739 111.222.333.13 
<spammer@...> to: 
recipient@... ClamAV: scanned 5021 bytes in  message - OK
Jul-29-09 03:00:58 id-47251-00739 111.222.333.13 
<spammer@...> to: 
recipient@... [scoring] Bayesian Check - Prob: 1.00000 => spam
Jul-29-09 03:00:58 id-47251-00739 111.222.333.13 
<spammer@...> to: 
recipient@... added 31 (Bayesian 
Probability: 1.0000), total score for this message is now 47
Jul-29-09 03:00:58 id-47251-00739 111.222.333.13 
<spammer@...> to: 
recipient@... added 31 (Bayesian 
Probability: 1.0000), total score for IP '111.222.333.13' is now 47
Jul-29-09 03:00:58 id-47251-00739 
[MessageScore][lowlimit] 111.222.333.13 
<spammer@...> to: 
recipient@... [spam found] and passing 
because messagescore 44 < 47 < 50 [Receive SMS 
 From 81319366] -> /usr/local/assp/discarded/4143.eml
Jul-29-09 03:00:58 Disconnected: 111.222.333.13

 From the log above, we see that it did not catch 
the offending mail with the BlackRegex and thus 
Bayes had its chance. This is a bit different of 
what I understood at first moment.
But the Problem is still there:

I have the phrase whyza.net in BombRaw as well as 
BlackRe and scriptRe Regular Expressions files.

Here is the output of ASSP Mail Analyzer:
• BombRaw RE: 'whyza.net'
• Black RE: 'whyza.net'
• Script RE: 'whyza.net'

As far as I can tell the regex files are OK, they 
detect the matches when I use the ASSP analyze 
function, but they do not work on real mails.

Is there anything I can do to help catch/log this 
failure? Is it possible that something is timing out?

Thanks,

Hilário

ASSP development mailing list <assp-test@...>
schreibt:
>Anyone got version RC 0.19 - i lost my backup and with the problem in
>line 
>8414  of ver RC 0.20 its real pain to get it work again

try RC 0.3.21

same error in line 34027 now (division by 0)


-- 
Serdecznie pozdrawiam,
Konrad Olszewski

Etop Sp. z o.o.
Al. Jerozolimskie 200, 02-222 Warszawa
telefon 022-5780 100
telefaks 022-5780 101 http://www.etop.pl
Regon 016310320   NIP 522-25-50-755   KRS 0000029426
Sad Rejonowy dla m. st. Warszawy, XIII Wydzial Gospodarczy KRS
Kapital zakladowy 75000 PLN
Raiffeisen Bank Polska S.A., konto nr 31 1750 0009 0000 0000 0697 4031

----- Original Message ----- 
From: "Fritz Borgstedt" <fb@...>
To: "ASSP development mailing list" <assp-test@...>
Sent: Wednesday, July 29, 2009 4:31 PM
Subject: Re: [Assp-test] (no subject)


> ASSP development mailing list <assp-test@...>
> schreibt:
>>Anyone got version RC 0.19 - i lost my backup and with the problem in
>>line
>>8414  of ver RC 0.20 its real pain to get it work again
>
> try RC 0.3.21
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus 
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Assp-test mailing list
> Assp-test@...
> https://lists.sourceforge.net/lists/listinfo/assp-test
>

ASSP development mailing list <assp-test@...>
schreibt:
>same error in line 34027 now (division by 0)

sorry, 22 should do it.

Thank you, no errors found in the log any more.

regards
Marco


-----Original Message-----
From: Fritz Borgstedt [mailto:fb@...] 
Sent: Mittwoch, 29. Juli 2009 17:00
To: ASSP development mailing list
Subject: Re: [Assp-test] (no subject)

ASSP development mailing list <assp-test@...>
schreibt:
>same error in line 34027 now (division by 0)

sorry, 22 should do it.


------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Assp-test mailing list
Assp-test@...
https://lists.sourceforge.net/lists/listinfo/assp-test

sorry - it seems that I was not realy woken up this morning, when I sent 
this 3.20 to Fritz

Thomas




"Konrad Olszewski" <k@...> 
29.07.2009 16:49
Bitte antworten an
ASSP development mailing list <assp-test@...>


An
"ASSP development mailing list" <assp-test@...>
Kopie

Thema
Re: [Assp-test] (no subject)






same error in line 34027 now (division by 0)


-- 
Serdecznie pozdrawiam,
Konrad Olszewski

Etop Sp. z o.o.
Al. Jerozolimskie 200, 02-222 Warszawa
telefon 022-5780 100
telefaks 022-5780 101 http://www.etop.pl
Regon 016310320   NIP 522-25-50-755   KRS 0000029426
Sad Rejonowy dla m. st. Warszawy, XIII Wydzial Gospodarczy KRS
Kapital zakladowy 75000 PLN
Raiffeisen Bank Polska S.A., konto nr 31 1750 0009 0000 0000 0697 4031

----- Original Message ----- 
From: "Fritz Borgstedt" <fb@...>
To: "ASSP development mailing list" <assp-test@...>
Sent: Wednesday, July 29, 2009 4:31 PM
Subject: Re: [Assp-test] (no subject)


> ASSP development mailing list <assp-test@...>
> schreibt:
>>Anyone got version RC 0.19 - i lost my backup and with the problem in
>>line
>>8414  of ver RC 0.20 its real pain to get it work again
>
> try RC 0.3.21
>
>
> 
------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 
> 30-Day
> trial. Simplify your report design, integration and deployment - and 
focus 
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Assp-test mailing list
> Assp-test@...
> https://lists.sourceforge.net/lists/listinfo/assp-test
> 


------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 
30-Day 
trial. Simplify your report design, integration and deployment - and focus 
on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Assp-test mailing list
Assp-test@...
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************

What about file with these fields:
FileName
DateCreated
DateModified - if needed
OtherFlags - if needed too
AndAnotherFlags...
And so on, and so forth.

This file can be converted into DB table, if needed.

Best regards,
Alexander Shabalin



-----Original Message-----
From: Charles Marcus [mailto:CMarcus@...] 
Sent: 29 июля 2009 г. 15:47
To: ASSP development mailing list
Subject: Re: [Assp-test] Antwort: filedates in Spam folder suddenly wrong

On 7/29/2009, Fritz Borgstedt (fb@...) wrote:
>> I very strongly agree... it would be much better to 'adjust' 
>> accordingly the date being evaluated *against*, rather than change 
>> the date/time stamp of every email.

> How would that work? We need to mark files not to be deleted the next 
> month or so. The marking cannot change the filenames (because the log 
> already points to them).
> Happy to get a superior proposal.

Hmmm... well, if a simple 'delete all messages older than x + 30 days', and each message must have its own custom calculation, then how about just adding a custom header... ?

-- 

Best regards,

Charles

Hi all,

Would just like peoples opinions on what catch rate they would expect (realistically – no system will be 100%) on their spam filters, and what they’re actually getting....

(Making reports for my boss)

To make a start....I would have expected around 95%...but on a quick examination today, we’re on about 99.6% catch rate.....



Cheers


Steve

> Would just like peoples opinions on what catch rate they would expect

It has changed a lot in the past year, especially since mid-March. On  
one server I was getting ~2,100 connexions a day in mid-March. That  
server now gets about ~6,700 a day and it's still rising.... The rate  
a year or so ago was about 72%, then about 82% in mid-March, and has  
risen to about 98%, now. Five main users, ~ fifteen domains, one of  
those domains being hammered by spammers.

On the other server, I don't have the long-term numbers, but it is  
currently at about 78.9% spam. It has also experienced an increase in  
connexions since March, but it's not as large, say about 30% increase  
since March. It used to be at about 65% spam around a year ago. About  
100 users, about five domains (one is responsible for most e-mail),  
spam to mainly one domain.

HTH.

T.

ASSP development mailing list <assp-test@...>
schreibt:
>Seeing that the filenames should be unique (either by number, or by
>subject+number), surely a separate DB with deletion date?


The entries in the logs are already pointing to the folder/filename.
Changing that would make the whole process off finding them and
process them much more complicated.

We are talkiing catch % not spam %.
In my installations, the catch % percentage is >99,999 %.

Fritz,

Surely that makes it easier....

log: spam/imaspam—43.eml (then write to DeleteDB)
logged: 29/07/09 (then write to DeleteDB + x days)

Therefore, DeleteDB would reflect

Filename: spam/imaspam—43.eml
DeleteOn: 29/10/09

If someone manually deletes the files, then when the Daily DeleteFile schedule runs, checks if the file is still there....if it is....delete it, if it isn’t....who cares...was manually deleted...


Steve


On 29/07/2009 17:29, "Fritz Borgstedt" <fb@...> wrote:

ASSP development mailing list <assp-test@...>
schreibt:
>Seeing that the filenames should be unique (either by number, or by
>subject+number), surely a separate DB with deletion date?


The entries in the logs are already pointing to the folder/filename.
Changing that would make the whole process off finding them and
process them much more complicated.


------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Assp-test mailing list
Assp-test@...
https://lists.sourceforge.net/lists/listinfo/assp-test

ASSP development mailing list <assp-test@...>
schreibt:
>Fritz,
>
>Surely that makes it easier....

No, it does not make it easier.

I stand corrected :-)

Steve

Sent from my iPhone

On 29.07.2009, at 18:41, "Fritz Borgstedt" <fb@...> wrote:

> ASSP development mailing list <assp-test@...>
> schreibt:
>> Fritz,
>>
>> Surely that makes it easier....
>
> No, it does not make it easier.
>
>
> ---
> ---
> ---
> ---------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008  
> 30-Day
> trial. Simplify your report design, integration and deployment - and  
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Assp-test mailing list
> Assp-test@...
> https://lists.sourceforge.net/lists/listinfo/assp-test

Trevor,

My bad....

Losf –i | grep urd

Lsof shows the ports as services.....not as port numbers...

Steve


On 29/07/2009 17:03, "Trevor Jacques" <Trevor@...> wrote:

> Do lsof –i | grep 465  This will tell you which program is listening
> on port 465 ;-)

This returns nothing at all, despite netstat -na | grep LIST still
showing more than one occurrence of port 465.... :-/

T.
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Assp-test mailing list
Assp-test@...
https://lists.sourceforge.net/lists/listinfo/assp-test

Maybe you just see mails passing by because they are proxied as SSL  
message through ASSP. Look into the assp logfile for STARTTLS messages.


Op 29 jul 2009, om 15:10 heeft Маллиндайн Стивен (Steve Mallindine)  
het volgende geschreven:

> Trevor,
>
> My bad....
>
> Losf –i | grep urd
>
> Lsof shows the ports as services.....not as port numbers...
>
> Steve
>
>
> On 29/07/2009 17:03, "Trevor Jacques" <Trevor@...> wrote:
>
>> Do lsof –i | grep 465  This will tell you which program is listening
>> on port 465 ;-)
>
> This returns nothing at all, despite netstat -na | grep LIST still
> showing more than one occurrence of port 465.... :-/
>
> T.
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008  
> 30-Day
> trial. Simplify your report design, integration and deployment - and  
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Assp-test mailing list
> Assp-test@...
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008  
> 30-Day
> trial. Simplify your report design, integration and deployment - and  
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Assp-test mailing list
> Assp-test@...
> https://lists.sourceforge.net/lists/listinfo/assp-test

Met vriendelijke groet / Best regards,

Pascal Dreissen

Virus
Inside
Switch
To
Apple