
ASSP 1.8.1.0 Released

assp.pl 1.8.1.0
new rebuildspamdb.pl 2.8.1.0 (1.0.01)
new files/preheaderre.txt

Regular Expression to Identify Spam Early in Handshake and Header Part* (preHeaderRe)

Until the complete mail header is received, assp processes the handshake and header content line by line, but the first mail content check is done only after the complete mail header has been received.
It is possible that some content (malformed headers, forbidden characters or character combinations) could cause assp to die or to run into an unrecoverable exception.
Use this regular expression to identify such incoming mails with a line-by-line check, at the moment a single line is received.
This setting does not affect and is not affected by any other configuration setting, except that this check is only done for incoming mails.
If a match is found, assp will immediately send a '421 terminate connection' reply to the client and terminate the connection.
Default setting is file:files/preheaderre.txt

URIBL Service Providers* (URIBLServiceProvider)

Domain names of URIBLs to use, separated by "|". You may set a weight for every provider, like multi.surbl.org=>50|black.uribl.com=>25.
The weight can be set directly, like =>45, or as a divisor of URIBLmaxweight: low numbers < 6 are divisors. So if URIBLmaxweight = 50 (default), multi.surbl.org=>50 would be the same as multi.surbl.org=>1, and multi.surbl.org=>2 would be the same as multi.surbl.org=>25.
If the sum of weights of all found URIs surpasses URIBLmaxweight, the URIBL check fails. If not, the URIBL check is scored as "neutral". URIBLmaxhits is ignored when weights are used.
Default is: multi.surbl.org=>1|black.uribl.com=>1|uribl.swinog.ch=>2

URIBL Maximum Weight (URIBLmaxweight)

A weight is a number representing the trust we put into a URIBL.
The URIBL module will check all of the URIBLs listed under URIBLServiceProvider for every URI found in an email. If the total of weights for all URIs is greater than or equal to this Maximum Weight, the email is flagged Failed.
If the total of weights is greater than 0 and less than Maximum Weight, the email is flagged Neutral. If not defined or set to zero, only URIBLmaxhit will be used to detect a fail or neutral state.

RBL Service Providers* (RBLServiceProvider)

Names of DNSBLs to use, separated by "|", or the name of a list: 'file:files/dnsbls.txt'. Defaults are:
zen.spamhaus.org=>1|bl.spamcop.net=>1|bb.barracudacentral.org=>1|combined.njabl.org=>1|safe.dnsbl.sorbs.net=>1|psbl.surriel.com=>2|ix.dnsbl.manitu.net=>2|dnsbl-1.uceprotect.net=>2|dnsbl-2.uceprotect.net=>4.
DNSBL providers can be classified like bl.spamcop.net=>1. '1' is the most trustworthy class, '6' the least trustworthy class. Numbers above 6 will be used as score directly. The value of the class acts as a divisor of RBLmaxweight. So if RBLmaxweight = 50, bl.spamcop.net=>1 would be the same as bl.spamcop.net=>50, and bl.spamcop.net=>2 would be the same as bl.spamcop.net=>25. If the sum of scores surpasses RBLmaxweight, the DNSBL check fails. If not, the DNSBL check is scored as "neutral" even with RBLmaxhits reached. Setting Showmaxreplies will allow ALL replies to contribute to the total weight regardless of RBLmaxhits.
Some RBL service providers, like blackholes.five-ten-sg.com, provide different return codes in a single DNS zone, like 127.a.b.c, where a, b, c identify a weight or type (or whatever) of the returned entry. If you want to care about special return codes, or if you want to use different weights for different return codes, use the following enhanced entry syntax:

RBL-Service-Provider=>result-to-watch=>weight (like:)
blackholes.five-ten-sg.com=>127.0.0.2=>3
blackholes.five-ten-sg.com=>127.0.0.5=>4
blackholes.five-ten-sg.com=>127.0.?.*=>5

As you can see, the wildcards * (multiple characters) and ? (single character) can be used in the second parameter. Never mix the three possible syntax types for the same RBL service provider. A search for a match inside such a definition is done in reverse ASCII order, so the wildcards are used last.
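As an added example (not ASSP's own code), the following Python resolves the class/weight entries of RBLServiceProvider (classes 1..6 as divisors of RBLmaxweight, larger numbers as direct score, the same scheme URIBLServiceProvider describes) and the enhanced host=>result=>weight syntax with * and ? wildcards, then scores a constructed set of DNSBL answers. The host names and answers are constructed, the "reverse ASCII order" is assumed to apply to the wildcard-translated patterns, and "fail" is taken as total >= RBLmaxweight, following the URIBLmaxweight wording.

```python
import re
from typing import Dict, List, Optional, Tuple

RBL_MAX_WEIGHT = 50  # RBLmaxweight default named on the page
Rule = Tuple[Optional[str], float]  # (regex for the return code, or None for plain entries; weight)


def resolve_weight(value: str, max_weight: int = RBL_MAX_WEIGHT) -> float:
    """Classes 1..6 are divisors of RBLmaxweight; numbers above 6 are used as score directly."""
    n = float(value)
    if n <= 0:
        raise ValueError(f"class/weight must be positive, got {value!r}")
    return max_weight / n if n <= 6 else n


def wildcard_to_regex(result: str) -> str:
    """'*' matches multiple characters, '?' exactly one; everything else is literal."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in result)


def parse_providers(spec: str, max_weight: int = RBL_MAX_WEIGHT) -> Dict[str, List[Rule]]:
    """Parse 'host', 'host=>class' and 'host=>result=>class' entries separated by '|'."""
    providers: Dict[str, List[Rule]] = {}
    for entry in filter(None, (e.strip() for e in spec.split("|"))):
        parts = entry.split("=>")
        if len(parts) > 3:
            raise ValueError(f"bad DNSBL entry: {entry!r}")
        host, cls = parts[0], parts[-1] if len(parts) > 1 else "1"
        result = wildcard_to_regex(parts[1]) if len(parts) == 3 else None
        providers.setdefault(host, []).append((result, resolve_weight(cls, max_weight)))
    # Assumption: the "reverse ASCII order" search sorts the translated patterns descending,
    # so literal digits ('0'..'9') are tried before the '.' / '.*' wildcard translations.
    for rules in providers.values():
        rules.sort(key=lambda r: r[0] or "", reverse=True)
    return providers


def score_replies(providers: Dict[str, List[Rule]], replies: Dict[str, List[str]],
                  max_weight: int = RBL_MAX_WEIGHT) -> Tuple[float, str]:
    """Sum the weights of the DNSBL answers; 'fail' at or above RBLmaxweight (assumed >=), else 'neutral'."""
    total = 0.0
    for host, answers in replies.items():
        for answer in answers:
            for result, weight in providers.get(host, []):
                if result is None or re.fullmatch(result, answer):
                    total += weight
                    break  # first (most specific) definition for this host wins
    if total == 0:
        return total, "pass"
    return total, "fail" if total >= max_weight else "neutral"


# Constructed sample: plain class entries plus the enhanced five-ten-sg syntax from the page.
SAMPLE_SPEC = ("zen.spamhaus.org=>1|bl.spamcop.net=>2|blackholes.five-ten-sg.com=>127.0.0.2=>3|"
               "blackholes.five-ten-sg.com=>127.0.0.5=>4|blackholes.five-ten-sg.com=>127.0.?.*=>5")
# Constructed DNSBL answers for one client IP (no real lookups are made).
SAMPLE_REPLIES = {"bl.spamcop.net": ["127.0.0.2"], "blackholes.five-ten-sg.com": ["127.0.0.5", "127.0.3.7"]}
```

With the sample, bl.spamcop.net contributes 25, the two five-ten-sg answers 12.5 and 10 (the wildcard rule), giving 47.5 and a neutral result.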

Switch Testmode to Message Scoring (switchTestToScoring)

Put the filter automatically in "Message Scoring Mode" when DoPenaltyMessage is set (instead of stopping spam processing altogether).

Switch Spam-Lover to Message Scoring (switchSpamLoverToScoring)

Put the filter automatically in "Message Scoring Mode" when DoPenaltyMessage is set (instead of stopping spam processing altogether).

Enable Configuration Sharing (enableCFGShare, default=off)

Read all options in this section carefully (multiple times is recommended!!!)! A wrong configuration sequence or wrong configuration values can lead to a destroyed ASSP configuration!
If set, the synchronization of configuration values and option files will be enabled. This synchronization applies to the configuration values, to the file that is possibly defined in a value, and to the include files that are possibly defined in the configured file.
If the configuration of all values in this section is valid, the synchronization status will be shown in the GUI for each config value that is, or could be, shared. There are several configuration values that cannot be shared. The list of all shareable values can be found in the distributed file assp_sync.cfg

For an initial synchronization setup, set the following config values in this order: syncServer, syncConfigFile, syncTestMode and, as last, syncCFGPass (leave isShareSlave and isShareMaster off). Use the default (distributed) syncConfigFile assp_sync.cfg and configure all values to your needs. Do this on all peers, by removing lines or setting the general sync flag to 0 or 1 (see the description of syncConfigFile).
When you have finished this initial setup, enable isShareMaster or isShareSlave. Now assp will set up all entries in the configuration file for all sync peers to the configured default values (to 1 if isShareMaster or to 3 if isShareSlave is selected). Do this on all peers. Now you can configure the synchronization behavior of each single configuration value for each peer, if it should differ from the default setup.
For the initial synchronization, configure only one ASSP installation as master (all others as slave). When the initial synchronization has finished, which will take up to one hour, you can configure all or some assp installations as master and slave. On the initial master simply switch on isShareSlave. On the initial slaves, switch on isShareMaster and change all values in the sync config file that should be shared bidirectionally from 3 to 1. As last action, enable enableCFGShare on the SyncSlaves first and then on the SyncMaster.
After such an initial setup, any changes of the peers (syncServer) will have no effect on the configuration file (syncConfigFile)! To add or remove a sync peer after an initial setup, you have to configure syncServer and you have to edit the sync config file manually.

This option can only be enabled if isShareMaster and/or isShareSlave, syncServer, syncConfigFile and syncCFGPass are configured!
Because the synchronization is done using a special SMTP protocol (without "mail from" and "rcpt to"), this option requires an installed Net::SMTP module in Perl. For security reasons this special SMTP protocol is not usable by any MTA, so the "sync mails" cannot be forwarded via any MTA.
For this reason all sync peers must have a direct or routed TCP connection to each other peer.

This is a Share Master (isShareMaster, default=off)
If selected, ASSP will send configured configuration changes to sync peers.

This is a Share Slave (isShareSlave)

If selected, ASSP will receive configured configuration changes from sync peers. To accept a sync request, every sending peer has to be defined in syncServer, even if there are manually made entries in the sync config file for that peer.

Default Sync Peers (syncServer)

Define all configuration sync peers here (to send changes to or to receive changes from). Separate multiple values by "|". Each value must be a pair of hostname or IP address and :port, like 10.10.10.10:25 or mypeerhost:125 or mypeerhost.mydomain.com:225. The :port must be defined!
The target port can be the listenPort, listenPort2 or relayPort of the peer.

Test Mode for Config Sync (syncTestMode)
If selected, a master (isShareMaster) will process all steps to send configuration changes, but will not really send the request to the peers. A slave (isShareSlave) will receive all sync requests, but will not change the configuration values; configuration files that are possibly sent will be stored at the original location with an additional extension of ".synctest".

Configuration File for Config Sync* (syncConfigFile)

Define the synchronization configuration file here (default is file:assp_sync.cfg).
This file holds the configuration and the current status of all synchronized assp configuration values.
The format of an initial value is: "varname:=syncflag", where syncflag can be 0 (not shared) or 1 (is shared), for example: HeaderMaxLength:=1. The syncflag is a general sign: a value of 0 disables the synchronization of the config value for all peers; a value of 1 enables the peer configuration that possibly follows.
The format after an initial setup is: "varname:=syncflag,syncServer1=status,syncServer2=status,...". The "status" can be one of the following:

0 - no sync - changes of this value will not be sent to this syncServer - I will ignore all change requests for this value from there
1 - I am a SyncMaster, the value is still out of sync to this peer and should be synchronized as soon as possible
2 - I am a SyncMaster, the value is still in sync to this peer
3 - I am not a SyncMaster but a SyncSlave - only this SyncMaster (peer) knows the current sync status to me
4 - I am a SyncMaster and a SyncSlave (bidirectional sync) - a change of this value was received from this syncServer (peer) and should not be sent back to this syncServer - this flag will be automatically set back to 2 at the next synchronization check

Config Sync Password (syncCFGPass)

The password that is used and required (in addition to the sending IP address) to identify a valid sync request. This password has to be set identically in all ASSP installations from where and/or to where the configuration should be synchronized.
The password must be at least six characters long.
If you want or need to change this password, first disable enableCFGShare here and on all peers, change the password on all peers, enable enableCFGShare on the SyncSlaves, then enable enableCFGShare on the SyncMasters.

Show Detail Sync Information in GUI (syncShowGUIDetails, default=off)

If selected, the detailed synchronization status is shown at the top of each configuration parameter, like:

nothing shown - there is no entry defined for this parameter in the syncConfigFile or it is an unsharable parameter
"(shareable)" - the parameter is shareable but the general sync sign in the syncConfigFile is zero
"(shared: ...)" - the detailed sync status for each sync peer

If not selected, only differently colored bulls are shown at the top of each configuration parameter, like:

nothing shown - no entry in the syncConfigFile or it is an unsharable parameter
"black bull •" - the parameter is shareable but the general sync sign in the syncConfigFile is zero
"green bull •" - the parameter is shared and in sync to each peer
"red bull •" - the parameter is shared but it is currently out of sync to at least one peer

If you move the mouse over the bull, a hint box will show the detailed synchronization status.
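As an added example (not part of this release or of ASSP's own code), this Python parses the syncConfigFile format described under syncConfigFile above and derives the text and bull colour that syncShowGUIDetails would show for a parameter. The assp_sync.cfg content is constructed, and treating only status 1 (master, still out of sync) as "out of sync" for the red bull is an assumption.

```python
import re
from typing import Dict, Tuple

# Constructed sample of an assp_sync.cfg after the initial setup (not the distributed file).
SAMPLE_SYNC_CFG = """\
# varname:=syncflag[,peer=status,...]   ; '#' and ';' start comments
HeaderMaxLength:=1,10.10.10.10:25=2,mypeerhost:125=2
preHeaderRe:=1,10.10.10.10:25=1,mypeerhost:125=4
URIBLmaxweight:=0
RBLServiceProvider:=1
"""

STATUS_TEXT = {0: "no sync", 1: "master, out of sync", 2: "master, in sync",
               3: "slave, status known to the master", 4: "bidirectional, received, not sent back"}

LINE_RE = re.compile(r"^([A-Za-z0-9_]+):=([01])((?:,[^,=\s]+=[0-4])*)$")

Entries = Dict[str, Tuple[int, Dict[str, int]]]  # varname -> (syncflag, {peer: status})


def parse_sync_cfg(text: str) -> Entries:
    """Parse 'varname:=syncflag,peer=status,...' lines; comments and blank lines are skipped."""
    entries: Entries = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed sync config line: {raw!r}")
        peers = {}
        for item in filter(None, m.group(3).split(",")):
            peer, status = item.rsplit("=", 1)  # peer may itself contain ':' (host:port)
            peers[peer] = int(status)
        entries[m.group(1)] = (int(m.group(2)), peers)
    return entries


def sync_detail(entries: Entries, varname: str, shareable: bool = True) -> str:
    """Text shown with syncShowGUIDetails on: '', '(shareable)' or '(shared: ...)'."""
    if not shareable or varname not in entries:
        return ""
    flag, peers = entries[varname]
    if flag == 0:
        return "(shareable)"
    return "(shared: " + ", ".join(f"{p}={STATUS_TEXT[s]}" for p, s in peers.items()) + ")"


def bull_colour(entries: Entries, varname: str, shareable: bool = True) -> str:
    """Colour of the bull shown with syncShowGUIDetails off ('' = nothing shown)."""
    if not shareable or varname not in entries:
        return ""
    flag, peers = entries[varname]
    if flag == 0:
        return "black"
    # Assumption: only status 1 (master, still out of sync) turns the bull red.
    return "red" if 1 in peers.values() else "green"
```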

Max Number of AUTHentication Errors (MaxAUTHErrors)
If an IP exceeds this number of authentication errors (535), the transmission of the current message will be canceled and any new connection from that IP will be blocked for 5-10 minutes.
Every 5 minutes the 'AUTHError' counter of the IP will be decreased by one. autValencePB is used for the penalty box.
No limit is imposed by ASSP if the field is left blank or set to 0. This option allows admins to prevent external brute-force or dictionary attacks via the AUTH command. Whitelisted and NoProcessing IPs and IPs in npPB are ignored, like any relayed connection.

Bad SMTP Authentication (autValencePB)

Simple IP Greylisting (DelayIP)
Enable simple delaying for IPs in the black penalty box with a total score above this value.

DNSBL Cache Refresh Interval for Misses (RBLCacheExpMiss)
Domains in the cache with status=2 (miss) will be removed after this interval in hours. Empty or 0 will prevent caching of non-hits.

Do DNS-Backscatter Detection (DoBackSctr)

If activated, the IP address of each message received for a null sender, bounced or postmaster will be checked against the list below. DNS based checks require an installed Net::DNS module in Perl.
For more information about backscatter detection please read http://www.backscatterer.org/?target=usage.

Enable DNS-Backscatter detection logging (BacksctrLog)

Backscatter-DNS Cache Refresh Interval (BackDNSInterval)

IPs in the cache will be removed after this interval in days. 0 will disable the cache and the usage of downloadBackDNSFile and localBackDNSFile.

ServiceProvider for Backscatterer Detection* (BackSctrServiceProvider)

Service provider for the DNS check on Backscatterer. Possible value is ips.backscatterer.org for the DNS check.

Download the Backscatterer DNS-IP-List (downloadBackDNSFile)
If selected, the complete IP list is downloaded to a local file. IPs are checked against this file first; if the IP is not found in this list, a DNS query is done. It is recommended to use this option for ISPs and users with more than 1000 bounced mails a day. See wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz

Local File for the Backscatterer DNS-IP-List (localBackDNSFile)

The name of the local file that is used for this IP list. The content of this file is filled into the 'Backscatter-DNS Cache' (BackDNSInterval). IPs from this list will be removed from the cache after one day.

---------------

Fields marked with at least one asterisk (*) accept a list separated by '|' (for example: abc|def|ghi) or a file designated as follows (path relative to the ASSP directory): 'file:files/filename.txt'. Putting in the file: will prompt ASSP to put up a button to edit that file. files is the subdirectory for files. The file does not need to exist; you can create it from the editor by saving it. The file must have one entry per line; anything on a line following a number sign or a semicolon ( # ; ) is ignored (a comment).
It is possible to include custom-designed files at any line of such a file, using the following directive:
# include filename
where filename is the relative path (from /Applications/assp) to the included file, like files/inc1.txt or inc1.txt (one file per line). The line will be internally replaced by the contents of the included file!

Fields marked with two asterisks (**) contain regular expressions (regex) and accept a second weight value. Every weighted regex that contains at least one '|' has to begin and end with a '~'; inside such regexes it is not allowed to use a '~', even if it is escaped - for example: ~abc\~|def~=>23 or ~abc~|def~=>23. Every weighted regex has to be followed by '=>' and the weight value. For example: Phishing\.=>1.45|~Heuristics|Email~=>50 or ~(Email|HTML|Sanesecurity)\.(Phishing|Spear|(Spam|Scam)[a-z0-9]?)\.~=>4.6|Spam=>1.1|~Spear|Scam~=>2.1 . The product of the weight and the penalty box valence value will be used for scoring if the absolute value of the weight is less than or equal to 6. Otherwise the value of the weight is used for scoring directly. It is possible to define negative values to reduce the resulting message score.
For all "bomb*" regexes and "invalidFormatHeloRe", "invalidPTRRe" and "invalidMsgIDRe" it is possible to define a third parameter (to override the default options) after the weight, like: Phishing\.=>1.45|~Heuristics|Email~=>50:>N[+-]W[+-]L[+-]I[+-], where the characters and the optional + and - have the following functions:
use this regex (+ = only, - = never) for: N = noprocessing, W = whitelisted, L = local, I = ISP mails. So the line ~Heuristics|Email~=>50:>N-W-LI could be read as: take the regex with a weight of 50, never scan noprocessing mails, never scan whitelisted mails, scan local mails and mails from ISPs (and all others). The line ~Heuristics|Email~=>3.2:>N-W+I could be read as: take the regex with a weight of 3.2 as a factor, never scan noprocessing mails, scan only whitelisted mails even if they are received from an ISP.
If the third parameter is not set, or any of N, W, L, I is not set, the default configuration for the option will be used, unless a default option string is defined anywhere in a single line in the file in the form !!!NWLI!!! (with + or - as well).
If any parameter that allows the usage of weighted regular expressions is set to "block", but the sum of the resulting weighted penalty values is less than the corresponding "Penalty Box Valence Value" (because of lower weights), only scoring will be done!
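As an added example (not ASSP's own code), this Python parses a '**' field value in the weighted-regex syntax described above, including the '~...~' wrapping, the ':>' option string and a '!!!NWLI!!!' default line, and scores a string with the valence rule (|weight| <= 6 is a factor on the penalty box valence). The field value and the penalty box valence of 20 are constructed; the mail kinds N/W/L/I are passed in as flags, and requiring every '+' key of a rule to be set is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple


def split_entries(field: str) -> List[str]:
    """Split on '|' but keep '~...~' wrapped regexes, which may contain '|', whole."""
    entries, i = [], 0
    while i < len(field):
        end = field.index("~", i + 1) if field[i] == "~" else i  # jump past the closing tilde
        stop = field.find("|", end)
        stop = len(field) if stop == -1 else stop
        entries.append(field[i:stop])
        i = stop + 1
    return entries


def parse_options(spec: str) -> Dict[str, str]:
    """'N-W+LI' -> {'N': '-', 'W': '+', 'L': '', 'I': ''} ('' = scan, '+' = only, '-' = never)."""
    return {m.group(1): m.group(2) for m in re.finditer(r"([NWLI])([+-]?)", spec)}


def parse_field(field: str):
    """Return (rules, default options); a rule is (compiled regex, weight, options or None)."""
    rules, default_opts = [], {}
    for entry in split_entries(field):
        if entry.startswith("!!!") and entry.endswith("!!!"):  # '!!!NWLI!!!' default option line
            default_opts = parse_options(entry[3:-3])
            continue
        body, _, rest = entry.rpartition("=>")
        weight, _, opts = rest.partition(":>")
        body = body[1:-1] if body.startswith("~") and body.endswith("~") else body
        rules.append((re.compile(body), float(weight), parse_options(opts) if opts else None))
    return rules, default_opts


def applies(rule_opts: Optional[Dict[str, str]], default_opts: Dict[str, str], mail: Dict[str, bool]) -> bool:
    """Keys missing from the rule's options fall back to the default option string."""
    opts = {**default_opts, **(rule_opts or {})}
    for key, sign in opts.items():
        if sign == "-" and mail.get(key, False):      # never scan this kind of mail
            return False
        if sign == "+" and not mail.get(key, False):  # scan only this kind of mail
            return False
    return True


def score(field: str, text: str, valence: float, mail: Dict[str, bool]) -> float:
    """|weight| <= 6 multiplies the penalty box valence; larger weights score directly."""
    rules, default_opts = parse_field(field)
    total = 0.0
    for regex, weight, opts in rules:
        if applies(opts, default_opts, mail) and regex.search(text):
            total += weight * valence if abs(weight) <= 6 else weight
    return total


# Constructed field value built from the page's examples (the valence of 20 below is assumed).
FIELD = r"Phishing\.=>1.45|~Heuristics|Email~=>50:>N-W-LI|~Spear|Scam~=>2.1:>W+"
```

For a whitelisted mail, score(FIELD, "Email.Spear.Bank", 20, {"W": True}) skips the 'Heuristics|Email' rule (W-) and scores only 2.1 * 20 from the 'Spear|Scam' rule.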

- The literal 'SESSIONID' will be replaced by the unique message logging ID in every SMTP error reply.
- The alpha index in the GUI now has a 'select' field (regex is possible) to reduce the listed values as wanted; this makes it possible to quickly find a config value by parts of its name.

- If a file is resent, the non-local sender (from:) will be added to the whitelist if 'autoAddResendToWhite' is set to 'admins only' or 'admins and users'.
- If a file is copied (GUI) to the correctednotspam folder, the non-local sender (from:) of that file will be added to the whitelist if 'EmailErrorsModifyWhite' is set.
- If a file is copied (GUI) to the correctedspam folder, the non-local sender (from:) of that file will be removed from the whitelist if 'EmailErrorsModifyWhite' is set.

Posted by Anonymous 2010-10-03
