What is the point of the "default" lines, as opposed to the assp.cfg 
parameters bombReWL, bombRENP, bombReLocal, bombReISPIP?  If I have them 
all unchecked - shouldn't my regexes be ignored for no-processing & 
whitelisted?

Daniel

On 1/11/2015 1:00 AM, Thomas Eckardt wrote:
> > For all "bomb*" regular expressions and 
> > "invalidFormatHeloRe", "invalidPTRRe" and "invalidMsgIDRe" 
> > it is possible to define a third parameter.....
>
> now check the config parameter name 'preHeaderRe' in your mind against 
> this statement !!!????
>
> preHeaderRe is for emergency blocking - if this matches, every mail 
> will be blocked - regardless of any setting
>
> Thomas
>
>
>
>
> From: Daniel Miller <dmil...@amfes.com>
> To: Thomas Eckardt <thomas.ecka...@thockar.com>
> Date: 11.01.2015 09:44
> Subject: Re: [Assp-test] BombHeaderRe/BombSuspiciousRe matching 
> against Noprocessing & Whitelist
> ------------------------------------------------------------------------
>
>
>
> It's gone from bad to worse - now sourceforge is getting rejected on 
> both bomb & helo!
> --
> Daniel
>
>
> On 1/11/2015 12:35 AM, Daniel Miller wrote:
> Perhaps I did something wrong.  The list posting of this email just 
> got rejected:
> Jan-11-15 00:30:19 65019-12249 [Worker_1] [NoProcessing] 
> 216.34.181.88 <assp-test-bounces@lists.sourceforge.net> to: 
> dmiller@amfes.com message proxied without processing (except checks 
> enabled for noprocessingmails) 
>
> Jan-11-15 00:30:19 65019-12249 [Worker_1] 
> 216.34.181.88 <assp-test-bounces@lists.sourceforge.net> to: 
> dmiller@amfes.com Whitelisted sender Domain: sourceforge.net
> Jan-11-15 00:30:19 65019-12249 [Worker_1] 
> 216.34.181.88 <assp-test-bounces@lists.sourceforge.net> to: 
> dmiller@amfes.com Whitelisted sender Domain: sourceforge.net
> Jan-11-15 00:30:19 65019-12249 [Worker_1] 
> 216.34.181.88 <assp-test-bounces@lists.sourceforge.net> to: 
> dmiller@amfes.com Regex:BombHeaderRe 'PB 70: for 1 Jan 2015 08:29:40 
> +' 
>
> Jan-11-15 00:30:19 65019-12249 [Worker_1] [BombHeaderRe] 
> 216.34.181.88 <assp-test-bounces@lists.sourceforge.net> to: 
> dmiller@amfes.com [scoring] (BombHeaderRe '1 Jan 2015 08:29:40 
> +0000') 
>
> Jan-11-15 00:30:19 65019-12249 [Worker_1] 
> 216.34.181.88 <assp-test-bounces@lists.sourceforge.net> to: 
> dmiller@amfes.com Message-Score: added 70 for BombHeaderRe '1 Jan 
> 2015 08:29:40 +0000', total score for this message is now 70 
>
> Jan-11-15 00:30:19 65019-12249 [Worker_1] 
> 216.34.181.88 <assp-test-bounces@lists.sourceforge.net> to: 
> dmiller@amfes.com Regex:BombSuspiciousRe 'PB 25: for news'
> Jan-11-15 00:30:19 65019-12249 [Worker_1] 
> 216.34.181.88 <assp-test-bounces@lists.sourceforge.net> to: 
> dmiller@amfes.com Message-Score: added 25 for BombSuspicious: 
> 'news', total score for this message is now 95 
>
> Jan-11-15 00:30:20 65019-12249 [Worker_1] [MessageLimit] 216.34.181.88 
> <assp-test-boun...@lists.sourceforge.net> to: 
> dmiller@amfes.com [spam found] (MessageScore 95, limit 50) [Re Assp 
> test BombHeaderReBombSuspiciousRe matching againstNoprocessing Whitelist] -> 
> discarded/12249--95620.eml;
>
> Analysis shows:
> Analyzed file is /opt/assp/discarded/12249--95620.eml text processing 
> uses unicode normalization
> ASSP-ID: mail.amfes.com 65019-12249
> ASSP-Session: C4AE218 (mail 1)
> removed all local X-ASSP- header lines for analysis
> Connecting IP: '72.193.138.177'
> Connecting HELO: [192.168.5.5]
>
> host and sender authentications:
> host 'ip72-193-138-177.lv.lv.cox.net (72.193.138.177)' authenticated 
> to 'mail.amfes.com' using 'SMTPSA'
>
> sender and reply addresses:
> From: dmil...@amfes.com
> Reply-To: assp-test@lists.sourceforge.net
> Errors-To: assp-test-boun...@lists.sourceforge.net
>
> recipient addresses:
> To: assp-test@lists.sourceforge.net
> using enhanced Originated IP detection
> • detected IP's on the mail routing way: 24.120.114.53 (mail.amfes.com.) 
>   216.34.181.88 (lists.sourceforge.net.)
> • detected source IP: 24.120.114.53
>
> Feature Matching:
> • NoProcessing Domain: 'sourceforge.net'
> • Whitelisted Domains: 'sourceforge.net'
> • Whitelisted Domains: 'sourceforge.net'
> • NoProcessing Domain: 'sourceforge.net'
> • Whitelisted Domains: 'sourceforge.net'
> • Whitelisted Domains: 'sourceforge.net'
> • On Global Whitelist: 'assp-test@lists.sourceforge.net'
> • Whitelisted Domains: 'sourceforge.net'
> • preHeaderRe: '!!!N-W-LI-!!!'
> • SPF-check returned OK for 72.193.138.177 -> dmil...@amfes.com, 
>   [192.168.5.5]
> • BombHeader RE: 'highest match: "1 Jan 2015 00:29:30 -0800" with 
>   valence: 30 - PB value = 70'
>   • matching bombHeaderRe(): '0'
> • BombSuspiciousRe RE: 'highest match: "news" with valence: 10 - PB 
>   value = 10'
>   • matching bombSuspiciousRe(file:files/suspiciousre.txt[line 2]): 'news'
> • URIBL check: 'OK'
> • Known Good HELO: '[192.168.5.5]'
> • Not a Valid Format of HELO: '[192.168.5.5]'
> • Invalid Format of HELO: 'highest match: "192.168.5" with valence: 20 - 
>   PB value = 20'
>   • matching invalidFormatHeloRe(file:files/invalidhelo.txt[line 5]): 
>     '\d{1,3}[-x.]\d{1,3}[-x.]\d{1,3}'
> • IP in Helo check: 'failed'
>   • IP in Helo result: 'Suspicious HELO - contains IP: '[192.168.5.5]' 
>     - and IP in HELO '[192.168.5.5]' does not match IP in connection 
>     '72.193.138.177' '
> • RBLCheck returned OK for 24.120.114.53: 
> • RBLCheck returned OK for 216.34.181.88: 
> • RBLCheck returned OK for 72.193.138.177: DNSBL: neutral, 
>   72.193.138.177 listed in safe.dnsbl.sorbs.net - message score: 45
>   • RBLScore: safe.dnsbl.sorbs.net -> 127.0.0.10 -> 45
> • 72.193.138.177 is in PTRCache: status=PTR NOTOK - 
>   ip72-193-138-177.lv.lv.cox.net.
>
> Complete suspiciousre.txt:
> !!!N-W-LI-!!!
> news=>0.4
> no-?reply=>-0.5
> passwor=>-0.7
> hotmail=>0.2
> gmail=>0.2
>
>
> --
> Daniel
>
> On 1/11/2015 12:26 AM, Daniel Miller wrote:
> Thank you - I never read that section before.  I've added
>
> !!!N-W-LI-!!!
>
> To the top of all my regex files.  Hopefully this gives me the results 
> I want.
>
> --
> Daniel
>
> On 1/11/2015 12:07 AM, Thomas Eckardt wrote:
> Hi Daniel,
>
> >files/suspiciousre.txt[line 1]):
>
> What is the content of line 1 of this file?
>
> Notice: BombSuspiciousRe is processed per default regardless of 
> noprocessing and whitelisting
>
> If you want to fine-tune this setting, you must use the enhanced 
> regular expression syntax.
>
> The description of this syntax can be found at the bottom of the GUI.
>
> For all "bomb*" regular expressions and "invalidFormatHeloRe", 
> "invalidPTRRe" and "invalidMsgIDRe" it is possible to define a third 
> parameter (to overwrite the default options) after the weight, like: 
> Phishing\.=>1.45|~Heuristics|Email~=>50:>N[+-]W[+-]L[+-]I[+-]. The 
> characters and the optional + and - have the following functions:
> use this regex (+ = only)(- = never) for: N = noprocessing, W = 
> whitelisted, L = local, I = ISP mails. So the line 
> ~Heuristics|Email~=>50:>N-W-LI could be read as: take the regex with a 
> weight of 50, never scan noprocessing mails, never scan whitelisted 
> mails, scan local mails and mails from ISPs (and all others). The 
> line ~Heuristics|Email~=>3.2:>N-W+I could be read as: take the regex 
> with a weight of 3.2 as a factor, never scan noprocessing mails, scan 
> only whitelisted mails even if they are received from an ISP.
> If the third parameter is not set or any of the N, W, L, I is not set, 
> the default configuration for the option will be used unless a default 
> option string is defined anywhere in a single line in the file in the 
> form !!!NWLI!!! (with + or - possible).
>
>
> Thomas
>
>
>
>
>
>

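To make the N/W/L/I rules Thomas describes concrete, here is an added example (not ASSP's own code, and not from anyone in this thread) that models the enhanced regex-file syntax: `regex=>weight`, `regex=>weight:>N[+-]W[+-]L[+-]I[+-]`, and a `!!!NWLI!!!` default line anywhere in the file. It assumes the precedence the text gives (per-rule option, then the file's default line, then the assp.cfg checkboxes, which are stood in for by a constructed CFG_DEFAULTS table), and the reading "+ = only, - = never, no sign = scan". The `supports_options` switch is an assumption drawn from Thomas's remark that the third parameter exists only for the bomb* and invalid*Re files: a file without it compiles the `!!!...!!!` line as a literal pattern, which is why the analysis above lists preHeaderRe with '!!!N-W-LI-!!!' after the line was copied into every regex file. Weights are carried through unchanged; ASSP's conversion of weight into a PB score is not reproduced. The rules file reuses Daniel's suspiciousre.txt plus two constructed lines with the third parameter (the ~...~ delimiters from the GUI text omitted), and the mail fragments are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Letters of the third parameter and the mail class each refers to.
CLASSES = {"N": "noprocessing", "W": "whitelisted", "L": "local", "I": "isp"}

# Constructed stand-in for the assp.cfg checkboxes (bombReNP, bombReWL,
# bombReLocal, bombReISPIP): True = scan mails of that class, False = skip.
CFG_DEFAULTS = {"N": False, "W": False, "L": True, "I": True}

_DEFAULT_LINE = re.compile(r"^!!!((?:[NWLI][+-]?)*)!!!$")
_OPTS = re.compile(r"([NWLI])([+-]?)")


@dataclass
class Rule:
    pattern: re.Pattern
    weight: float
    opts: Dict[str, str]  # letter -> '+' (only), '-' (never), '' (scan)


def parse_opts(s: str) -> Dict[str, str]:
    return {letter: sign for letter, sign in _OPTS.findall(s)}


def parse_file(text: str, supports_options: bool = True) -> Tuple[List[Rule], Dict[str, str]]:
    """Parse a regex file. With supports_options=False (assumed for files such
    as preHeaderRe) every line, including a !!!...!!! line, is a plain pattern."""
    rules: List[Rule] = []
    file_default: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if supports_options:
            m = _DEFAULT_LINE.match(line)
            if m:  # the default line may sit anywhere in the file
                file_default = parse_opts(m.group(1))
                continue
        regex, weight, opts = line, 1.0, {}
        if supports_options and "=>" in line:
            regex, rest = line.rsplit("=>", 1)
            if ":>" in rest:
                rest, opt_str = rest.split(":>", 1)
                opts = parse_opts(opt_str)
            weight = float(rest)
        rules.append(Rule(re.compile(regex, re.IGNORECASE), weight, opts))
    return rules, file_default


def applies(rule: Rule, file_default: Dict[str, str], mail_classes: Set[str]) -> bool:
    """Per letter: rule option, else file default, else assp.cfg default.
    '-' skips the rule if the mail IS in that class, '+' skips it if the
    mail is NOT, '' leaves the decision to the other letters."""
    for letter, cls in CLASSES.items():
        if letter in rule.opts:
            sign = rule.opts[letter]
        elif letter in file_default:
            sign = file_default[letter]
        else:
            sign = "" if CFG_DEFAULTS[letter] else "-"
        member = cls in mail_classes
        if (sign == "-" and member) or (sign == "+" and not member):
            return False
    return True


def score(rules: List[Rule], file_default: Dict[str, str], text: str,
          mail_classes: Set[str]) -> List[Tuple[str, float]]:
    """(matched text, weight) for every rule that applies to the mail and matches."""
    hits = []
    for rule in rules:
        if applies(rule, file_default, mail_classes):
            m = rule.pattern.search(text)
            if m:
                hits.append((m.group(0), rule.weight))
    return hits


# Constructed rules file: Daniel's suspiciousre.txt plus two lines that
# carry the per-rule third parameter.
RULES_TXT = """!!!N-W-LI-!!!
news=>0.4
no-?reply=>-0.5
passwor=>-0.7
hotmail=>0.2
gmail=>0.2
Heuristics|Email=>50:>N-W-LI
Phishing\\.=>1.45:>N-W+I
"""

# Constructed mail fragments.
LIST_MAIL = "Subject: Re: [Assp-test] news about the list\n"
PHISH_MAIL = "Subject: Phishing. report from the security team\n"
ECHO_MAIL = "I've added\n!!!N-W-LI-!!!\nTo the top of all my regex files.\n"


def demo():
    rules, default = parse_file(RULES_TXT)
    list_hits = score(rules, default, LIST_MAIL, {"noprocessing", "whitelisted"})
    plain_hits = score(rules, default, LIST_MAIL, set())
    wl_phish = score(rules, default, PHISH_MAIL, {"whitelisted"})
    # A file without option support reads the default line as a pattern,
    # so a mail quoting that line matches it.
    pre_rules, _ = parse_file("!!!N-W-LI-!!!\n", supports_options=False)
    literal = [r.pattern.pattern for r in pre_rules if r.pattern.search(ECHO_MAIL)]
    return list_hits, plain_hits, wl_phish, literal


if __name__ == "__main__":
    for name, value in zip(("list mail", "unclassified", "whitelisted phish", "literal"), demo()):
        print(f"{name}: {value}")
```

With the `!!!N-W-LI-!!!` default line in place, the list mail (noprocessing and whitelisted) produces no hits at all, which is the outcome Daniel was after, while the same text from an unclassified sender still scores on `news`; the `W+` rule fires only for whitelisted mail. The last case is the trap the thread turns on: a file that does not understand the third parameter turns the default line into something to match, and a mail that happens to quote it (such as a list post discussing the syntax) hits that pattern.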
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
