Anti-Spam SMTP Proxy Server

> -----Original Message-----
> From: Fritz Borgstedt [mailto:fb@...]
> Sent: Wednesday, December 29, 2010 9:11 AM
> To: ASSP development mailing list
> Subject: Re: [Assp-test] Unknown Local Address - Error ASSP 1.8.x
> 
> What way of recipient validation are you using?
> The code was changed some time ago to collect local domains from
> recipient validation in ldaplist. By that (and by theory) it should be
> possible to configure ASSP without setting up localDomains.
> I must have overlooked something in your configuration. However I went
> through the code and cleaned all things up which handle the said case.
> There are new developer and stable versions available.

Hi Fritz,

I use DoLDAP for recipient validation (against my Active Directory
servers).  I do still have localDomains in use (however I only have 2
domains specified, my domain and the spam domain that I created for use
with ASSP).  I also use LocalAddresses_Flat for email addresses that may
have been hidden from LDAP search.  LocalAddresses_Flat_Strict is also
checked.

Kind Regards,
Brett

ASSP development mailing list <assp-test@...>
schreibt:
>
>I use DoLDAP for recipient validation (against my Active Directory
>servers).  I do still have localDomains in use (however I only have 2
>domains specified, my domain and the spam domain that I created for
>use
>with ASSP).  I also use LocalAddresses_Flat for email addresses that
>may
>have been hidden from LDAP search.  LocalAddresses_Flat_Strict is also
>checked.


Just to understand the needs, do you have more domains in
LocalAddresses_Flat/LDAP or just the two you have in localdomains?

The code now puts the domain of a successful hit in
LDAP/LocalAdresses_Flat into LDAPlist.

> -----Original Message-----
> From: Fritz Borgstedt [mailto:fb@...]
> Sent: Wednesday, December 29, 2010 12:01 PM
> To: ASSP development mailing list
> Subject: Re: [Assp-test] Unknown Local Address - Error ASSP 1.8.x
> 
> Just to understand the needs, do you have more domains in
> LocalAddresses_Flat/LDAP or just the two you have in localdomains?
> 
> The code now puts the domain of a successful hit in
> LDAP/LocalAdresses_Flat into LDAPlist.

All I have in LocalAddresses_Flat are local email addresses that can't
be looked up by LDAP and are part of my local domain.  I've been using
it like that for a long time.  Please let me know if I should be doing
this a different way.

I've only specified the two domains in localdomains and nowhere else.

Kind Regards,
Brett

ASSP development mailing list <assp-test@...>
schreibt:
>  Please let me know if I should be doing
>this a different way.



No, that is ok. Please have a look into LDAPlist regularly and tell me
when you you see strange items.

> I'm not sure what I should do with DNSBL's that return a 127.0.0.0/8
> address out of the 127.0.0.0/24 scope.
>
> Only 1 DNSBL did this.

which one ?

> The script works in combination with IPaudit that has a top 20
> of mailclients. It will take all the IP's from the last list and test
> all of the DNSBL's every hour. If someone makes it on a
> blacklist, we will be informed through Zabbix.

And what should the above be useful for ?

> Please try the script.

which script ?

> Please try the script.

Saw it ... if you're referring to this one

http://pastebin.com/raw.php?i=FLB3kkLs

but it sounds like http://wd.mirmana.com/dnsbl.txt
bombs with a 404 so there's no way to try the script 
nor to have a look at the lists you're checking

> but it sounds like http://wd.mirmana.com/dnsbl.txt 
[http://wd.mirmana.com/dnsbl.txt] 
bombs with a 404 so there's no way to try the script 

nor to have a look at the lists you're checking.



No, it doesn't. You didn't run the script, but just clicked with your 
browser on the hyperlink.

That domain will only work with wget (like the 404-page said: Browsers 
are not supported).

That link is giving the 46 DNSBL's that survived from the other 95 that 
were offered in that other link.



You're right about many DNSBL's, but it's only once every hour to see 
if the IP's that are mailing a lot are being listed. The script has already 
served its purpose many times.



Cheers

-----Original 
Message-----

From: "GrayHat" <grayhat@...>

To: "ASSP development mailing list" 
<assp-test@...>

Date: Tue, 28 Dec 2010 19:10:52 +0100

Subject: Re: [Assp-test] (no subject)




> Please try the 
script.



Saw it ... if you're referring to this one



http://pastebin.com/raw.php?i=FLB3kkLs 
[http://pastebin.com/raw.php?i=FLB3kkLs]



but it sounds like http://wd.mirmana.com/dnsbl.txt 
[http://wd.mirmana.com/dnsbl.txt]

bombs with a 404 so there's no way to try the script 

nor to have a look at the lists you're checking





------------------------------------------------------------------------------

Learn how Oracle Real Application Clusters (RAC) One Node allows 
customers

to consolidate database storage, standardize their database environment, 
and, 

should the need arise, upgrade to a full multi-node Oracle RAC database 

without downtime or disruption

http://p.sf.net/sfu/oracle-sfdevnl [http://p.sf.net/sfu/oracle-sfdevnl]

_______________________________________________

Assp-test mailing list

Assp-test@...

https://lists.sourceforge.net/lists/listinfo/assp-test 
[https://lists.sourceforge.net/lists/listinfo/assp-test]

> No, it doesn't. You didn't run the script, but just clicked with your
> browser on the hyperlink.
>
> That domain will only work with wget (like the 404-page said: Browsers
> are not supported).

And, in fact, I tried fetching the file using wget ... and it didn
reply with a 404 :P

> You're right about many DNSBL's, but it's only once every hour to
> see if the IP's that are mailing a lot are being listed.

Uh... so you are saying that you use some other script to extract the
IPs which send you most emails and check them against that bunch of
DNSBLs ?

It doesn't make any sense at all imHo but if you're happy with
such a thing... up to you

> And, in fact, I tried fetching the file using wget ... 
> and it didn reply with a 404 :P

Ok, found out the reason, apparently the webserver
hosting that file doesn't like "proxied connections"
tried it using wget w/o any proxy and it worked, yet
it's odd since that script won't work in case the box
running it sits behind a proxy
 
That said... that list contains some DNSBLs I'd 
never use for whatever production purpose and it also
has some duplicate, overlapping lists which means 
that the script is running some unneeded queries

I'd still like to see the list of the DNSBLs you're
reporting as dead and the name of the DNSBL
which returned a "strange" result - not so strange
nobody says a DNSBL should use 127/24 and in
effect the right mask for that subnet is 127/8 <g>

I'm the author of a set of scripts that will expand the DD-WRT router to 
become a full linux box (OTRW). People are constantly downloading scripts 
from my site and whenever there's a problem I immediately get mailed. No-one 
complained and my logs indicate a constant flow of good connections.
I have no idea why you get a 404 whilst others don't.

> Uh... so you are saying that you use some other script to extract the IPs 
which send you most emails and check them against that bunch of DNSBLs ? It 
doesn't make any sense at all imHo but if you're happy with such a thing... 
up to you

No, that would be silly, wouldn't it?  ;-)

I work for an ISP that allow their customers to send mail themselves. 
Sometimes there's an ill behaving client among them. We can already detect 
spammers that send large quantities, but if that check fails and people 
still get on a DNSBL we will know it before they do. Most ISP's have to 
react on people that complain about their mail not being delivered.
Of course I'm also using the script for my own connection and I like to 
share the fruits of my labour.

Above the line which holds my domain there's a hyperlink to another list. 
It's that list which holds 96 DNSBL's. Before the script will start on the 
bunch of domains/ip's it's given through a file or on the command-line, it 
will start to test the DNSBL's at least once a day.

Feel free to comment on the list, but the content of that list is not 
important for the moment. If you use that list you will see it will 
invalidate many DNSBL's that the author of that list is still using without 
knowing they don't work.
Eventually the list is very important.


-----Original Message-----

From: "GrayHat" <grayhat@...>

To: "ASSP development mailing list" <assp-test@...>

Date: Wed, 29 Dec 2010 08:47:19 +0100

Subject: Re: [Assp-test] (no subject)




> No, it doesn't. You didn't run the script, but just clicked with your

> browser on the hyperlink.

>

> That domain will only work with wget (like the 404-page said: Browsers

> are not supported).



And, in fact, I tried fetching the file using wget ... and it didn

reply with a 404 :P



> You're right about many DNSBL's, but it's only once every hour to

> see if the IP's that are mailing a lot are being listed.



Uh... so you are saying that you use some other script to extract the

IPs which send you most emails and check them against that bunch of

DNSBLs ?



It doesn't make any sense at all imHo but if you're happy with

such a thing... up to you







------------------------------------------------------------------------------

Learn how Oracle Real Application Clusters (RAC) One Node allows customers

to consolidate database storage, standardize their database environment, 
and, 

should the need arise, upgrade to a full multi-node Oracle RAC database 

without downtime or disruption

http://p.sf.net/sfu/oracle-sfdevnl [http://p.sf.net/sfu/oracle-sfdevnl]

_______________________________________________

Assp-test mailing list

Assp-test@...

https://lists.sourceforge.net/lists/listinfo/assp-test 
[https://lists.sourceforge.net/lists/listinfo/assp-test]

> I'm the author of a set of scripts that will expand the DD-WRT
>  router to become a full linux box (OTRW). People are constantly
> downloading scripts from my site and whenever there's a problem
> I immediately get mailed. No-one complained and my logs indicate
> a constant flow of good connections. I have no idea why you get a
> 404 whilst others don't.

All I can say is that I tried fetching that file from a box sitting
behind
a proxy and got a 404, retried it from another box with a direct
connection and it succeeded; in both cases I just used a

wget -nd ....

to fetch the file, so I suspect that the proxy may be the issue here
I've no infos about the real source of the problem but I'm wondering
if the script blocking the file-fetch from browsers may be somewhat
misbehaving when it sees the proxy header in the get request... at
any rate ...

> I work for an ISP that allow their customers to send mail themselves.

Hm... I hope you don't mean sending "direct-to-MX" that would in
most cases fail and, worse, cause the IP to get into some DNSBL

> Sometimes there's an ill behaving client among them.
> We can already detect spammers that send large quantities

Well... ASSP has a built-in "rate limiter" to deal with that, if you set
the LocalFrequencyInt, LocalFrequencyNumRcpt and the
NoLocalFrequency (for MLs and any authorized mass-sender)
along with a well crafted NotifyRe, ASSP will issue a tempfail
in case someone goes over the rate-limit and will also alert
you (ok... the admins) with an email this helps detecting mass
senders (and in most cases infected machines or people which
thinks that spamming is good :P) and quickly "remediate" :)

> Above the line which holds my domain there's a hyperlink to
> another list. It's that list which holds 96 DNSBL's.

Saw it but didn't try fetching that list, yet I think that a lot
of DNSBLs sitting inside that file are unneeded, either
because they're overlapping (e.g. "zen.spamhaus.org"
includes other spamhaus lists) or because they're either
unreliable or too aggressive to be used in real world so
if some IP gets listed by one of the latter I won't even
consider it an issue :)

As for detecting spamming/infected hosts sitting on your
network, I think you may give http://www.bothunter.net/ a
spin, if you never tried it, I think you'll be surprised at the
results and... no, it's not the same as running (say) a
vanilla snort, the critter uses a quite cool "correlation
engine" which allows it to play some ... magic :)

> unreliable or too aggressive to be used in real world so

or even dead, as an example, one of the entries of the file
is relays.osirusoft.com (which is also mispelled since it
lacks the initial "r") now, if you try querying that list using
whatever IP you'll get back a 127.0.0.2 - now, try running
the following query please

dig +short 2.0.0.127.relays.osirusoft.com. TXT

so you'll get a 3rd party opinion about the idea of checking
such lists and about the "good contents" of the list you are
using to run those checks

> dig +short 2.0.0.127.relays.osirusoft.com. TXT

;-)

> so you'll get a 3rd party opinion about the idea of checking such lists
and about the "good contents" of the list you are using to run those checks

I am not using that DNSBL at all.
You are totally not getting it. We have bots and viruses totally covered
although we give our clients a lot of freedom.

That list is deliberately bad (well, not the one who is using it). It's a
demonstration of the script. Exactly that reason (both requests giving a
127.0.0.2 in return) is why I'm tossing relays.osirusoft.com. in the bin.

There's nothing wrong with the script nor with using it. If you don't like
it, don't use it.

> That list is deliberately bad (well, not the one who is using it).
> It's a demonstration of the script. Exactly that reason (both 
> requests giving a 127.0.0.2 in return) is why I'm tossing 
> relays.osirusoft.com. in the bin.
 
> There's nothing wrong with the script nor with using it. 
> If you don't like it, don't use it.

It's not that I don't like it... I can't see a need for it, that's all
then, as for DNSBL lists

http://www.dnsbl.com/

http://stats.dnsbl.com/

http://rbls.org/

http://www.moensted.dk/spam/

On Dec 29, 2010, at 11:38 AM, JP wrote:

>> dig +short 2.0.0.127.relays.osirusoft.com. TXT
> 
> ;-)
> 
>> so you'll get a 3rd party opinion about the idea of checking such lists
> and about the "good contents" of the list you are using to run those checks
> 
> I am not using that DNSBL at all.
> You are totally not getting it. We have bots and viruses totally covered
> although we give our clients a lot of freedom.
> 
> That list is deliberately bad (well, not the one who is using it). It's a
> demonstration of the script. Exactly that reason (both requests giving a
> 127.0.0.2 in return) is why I'm tossing relays.osirusoft.com. in the bin.


Just off hand osirusoft.com was shutdown years ago.

Tom

> Just off hand osirusoft.com was shutdown years ago.

Yes, we know....
# dig +short 2.0.0.127.relays.osirusoft.com. TXT
"Please stop using relays.osirusoft.com"
"Relays.osirusoft.com has not had valid data in years"
"Anyone using relays.osirusoft.com to stop spam must be intellectually 
challenged"
# host -t txt 2.0.0.127.relays.osirusoft.com.
2.0.0.127.relays.osirusoft.com descriptive text "Please stop using 
relays.osirusoft.com"
2.0.0.127.relays.osirusoft.com descriptive text "Relays.osirusoft.com has 
not had valid data in years"
2.0.0.127.relays.osirusoft.com descriptive text "Anyone using 
relays.osirusoft.com to stop spam must be intellectually challenged"

> No. The issue was caused by a bug (some months ago) , where such
> spaces where written by assp. I've checked all tables - and all others
> are OK.

I see... what about a "run-once" simple piece of Perl to deal with that
and cleanup the table ? That would fix the issue once and forever :)

>simple piece of Perl to deal with

We are shooting with a very large piece of Perl (assp) - the cleanup is 
doing a   delete $SPFCache{'1.1.1.1 '} - but the internals of 
RDBM/DBI/driver (or what ever) is doing something wrong - and will do it 
also wrong in a 'run once'. The Bug was published for some days - so maybe 
noone else will have this issue? It should be possible to open the 
SPFCache in the GUI and to do the cleanup there.



Von:    "GrayHat" <grayhat@...>
An:     "ASSP development mailing list" <assp-test@...>
Datum:  28.12.2010 17:04
Betreff:        Re: [Assp-test] SPF-Cache issue





> No. The issue was caused by a bug (some months ago) , where such
> spaces where written by assp. I've checked all tables - and all others
> are OK.

I see... what about a "run-once" simple piece of Perl to deal with that
and cleanup the table ? That would fix the issue once and forever :)



------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, 
and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Assp-test mailing list
Assp-test@...
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************