DoNoSpoofing4From


DoNoSpoofing4From

Brunner Markus-2

Hi,

Is there a way that assp recognizes a UTF8/b64 encoded “from” header for spoofing?

The header looks like:

From: =?UTF-8?B?U2NoZXJyZXIgS2V2aW4=?=

Freundliche Grüsse / Kind regards

Markus Brunner


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-user

Re: DoNoSpoofing4From

Thomas Eckardt/eck
This header is invalid - so there is nothing to recognize.

From: =?UTF-8?B?U2NoZXJyZXIgS2V2aW4=?= <[hidden email]>

would be the valid variant.

A from header has to contain a valid email address - if this is provided, it will be used by assp.

Thomas





From: Brunner Markus <[hidden email]>
To: "[hidden email]" <[hidden email]>
Date: 31.05.2017 13:11
Subject: [Assp-user] DoNoSpoofing4From





DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known virus in this email!
*******************************************************


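Thomas's rule above (a From header has to contain a real address; an encoded-word on its own gives ASSP nothing to check) can be turned into a small classifier. The following Python is an added example written for this page, not ASSP's own code: it looks for a structural addr-spec in the undecoded header, decodes the RFC 2047 encoded-words in the display phrase, and flags a header whose only "address" lives inside that decoded phrase. It goes one step beyond the thread by also warning when a valid address is paired with a decoded display name that looks like a different address. The sample headers are constructed, and the reason labels (`no-address`, `address-only-in-display-name`, `display-name-mismatch`) are this example's own names.

```python
"""Classify From: header values by the rule stated in the thread: a From header
has to contain a real email address. An RFC 2047 encoded-word on its own is
not an address, even when it decodes to text that looks like one.
Added example; not ASSP code. The sample headers below are constructed."""
import base64
import re
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# RFC 2047 encoded-word: =?charset?B|Q?payload?=
ENCODED_WORD = re.compile(r"=\?[^?\s]+\?[BbQq]\?[^?\s]*\?=")
# angle-addr containing a minimal addr-spec
ANGLE_ADDR = re.compile(r"<\s*([^<>@\s]+@[^<>@\s]+)\s*>")
# bare addr-spec (no display name, no brackets)
BARE_ADDR = re.compile(r"^[^<>@\s]+@[^<>@\s]+$")


def encoded_word(text: str) -> str:
    """Build a UTF-8/B encoded-word; only used to construct sample headers."""
    return "=?UTF-8?B?" + base64.b64encode(text.encode()).decode() + "?="


def decode_words(phrase: str) -> str:
    """Decode every encoded-word in a phrase; undecodable input is returned raw."""
    try:
        return str(make_header(decode_header(phrase)))
    except (HeaderParseError, UnicodeDecodeError, LookupError):
        return phrase


def split_from(value: str):
    """Return (raw display phrase, addr-spec or None) for a From: value.
    The addr-spec is searched in the undecoded header, so an '@' that only
    exists inside an encoded-word does not count as an address."""
    m = ANGLE_ADDR.search(value)
    if m:
        return value[: m.start()].strip(), m.group(1)
    plain = ENCODED_WORD.sub("", value).strip()
    if BARE_ADDR.match(plain):
        return "", plain
    return value.strip(), None


def check_from(value: str) -> dict:
    """Classify a From: value. 'reason' is one of:
    ok                           - a real address is present
    no-address                   - nothing but a display phrase (the thread's case)
    address-only-in-display-name - no address, but the decoded phrase looks like one
    'warning' is set when a valid address is accompanied by a decoded display
    name that itself looks like a different address (display-name spoofing)."""
    display_raw, addr = split_from(value)
    display = decode_words(display_raw) if display_raw else ""
    if addr is None:
        reason = "address-only-in-display-name" if "@" in display else "no-address"
        return {"valid": False, "address": None, "display": display,
                "reason": reason, "warning": None}
    warning = None
    if "@" in display and display.strip("<> ").lower() != addr.lower():
        warning = "display-name-mismatch"
    return {"valid": True, "address": addr, "display": display,
            "reason": "ok", "warning": warning}


if __name__ == "__main__":
    # constructed sample headers
    samples = [
        encoded_word("Alice Example") + " <alice@example.com>",    # valid
        encoded_word("Alice Example"),                              # no address at all
        encoded_word("billing@example.com"),                        # looks like an address, is not one
        encoded_word("ceo@example.com") + " <mailer@example.net>",  # display-name spoof
    ]
    for s in samples:
        print(f"{s!r:72} -> {check_from(s)}")
```

The important design point is that the address check runs on the raw header before any decoding: once an encoded-word is decoded, a string like `billing@example.com` is indistinguishable from a bare addr-spec, which is exactly how a mail client's display-name rendering fools the reader.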

Re: DoNoSpoofing4From

Brunner Markus-2

Hi,

This is the full header.

Received: from mail.starrag.com (10.152.1.40) by RO57anon.starrag.com
            (10.152.1.23) with Microsoft SMTP Server id 14.3.279.2; Wed, 10 May 2017
            21:27:36 +0200
Received: from alz51.rev.netart.pl (ro37.starrag.com [10.254.1.223]) by
            mail.starrag.com (Postfix) with ESMTPS id 53717E00CF for
            <[hidden email]>; Wed, 10 May 2017 21:27:54 +0200 (CEST)
X-Assp-ID: mail.starrag.com m1-44474-10908
X-Assp-Session: F283A48 (mail 1)
X-Assp-Intended-For: [hidden email]
X-Assp-Version: 2.5.5(16366) on mail.starrag.com
X-Assp-Server-TLS: yes
X-Assp-Delay: not delayed (gripvalue low: 0.29); 10 May 2017
            21:27:54 +0200
X-Assp-Received-SPF: none (cache) ip=85.128.182.51 [hidden email]
            helo=alz51.rev.netart.pl
X-Original-Authentication-Results: mail.starrag.com; spf=none
X-Assp-Message-Score: 17 (DNSBL: neutral, 85.128.182.51 listed in
            l2.apews.org)
X-Assp-IP-Score: 17 (DNSBL: neutral, 85.128.182.51 listed in
            l2.apews.org)
X-Assp-DNSBL: neutral, 85.128.182.51 listed in (l2.apews.org<-127.0.0.2; )
X-Assp-Spam-Level: ****
Received: from alz51.rev.netart.pl ([85.128.182.51] helo=alz51.rev.netart.pl)
            by mail.starrag.com with SMTP (2.5.5); 10 May 2017 21:27:54 +0200
X-Virus-Scanned: by amavisd-new using ClamAV (14)
X-Spam-Flag: NO
X-Spam-Score: 3.812
X-Spam-Level: ***
X-Spam-Status: No, score=3.812 tagged_above=-10
            tests=[FROM_EXCESS_BASE64=0.105, FROM_NO_USER=2.599,
            HELO_MISC_IP=0.001, HTML_MESSAGE=0.001, MIME_BASE64_TEXT=0.001,
            MIME_HTML_ONLY=1.105] autolearn=disabled
Received: from [10.0.0.38] (remote.dse-ltd.co.uk [81.133.147.22]) by
            goreckizory.nazwa.pl (Postfix) with ESMTP id E2A9737FEEB for
            <[hidden email]>; Wed, 10 May 2017 21:27:34 +0200 (CEST)
Date: Wed, 10 May 2017 20:27:30 +0000
From: =?UTF-8?B?Sm9obi5Sb2JiaW5zQHN0YXJyYWcuY29t?=
Message-ID: <[hidden email]>
To: <[hidden email]>
Subject: =?UTF-8?B?SW52b2ljZSA4MTY4NzYyNDE5NSBDcmlzdCBMZWFo?=
MIME-Version: 1.0
Content-Type: multipart/mixed;
            boundary="_c10740b4-96ca-4ccf-89ab-02bf68b8d5c3_"
Return-Path: <>
X-MS-Exchange-Organization-AuthSource: RO57.starrag.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 10

How can mails like this be blocked?

Best Regards

Markus

From: Thomas Eckardt [mailto:[hidden email]]
Sent: Wednesday, 31 May 2017 13:49
To: For Users of ASSP <[hidden email]>
Subject: Re: [Assp-user] DoNoSpoofing4From

 


Re: DoNoSpoofing4From

Thomas Eckardt/eck
'DoNoFrom' will detect this from header as invalid.

btw: not only assp detects this mistake (if configured):

X-Spam-Status: No, score=3.812 tagged_above=-10
            tests=[FROM_EXCESS_BASE64=0.105, FROM_NO_USER=2.599,
            HELO_MISC_IP=0.001, HTML_MESSAGE=0.001, MIME_BASE64_TEXT=0.001,
            MIME_HTML_ONLY=1.105] autolearn=disabled

spamassassin also.

Thomas





From: Brunner Markus <[hidden email]>
To: For Users of ASSP <[hidden email]>
Date: 31.05.2017 16:22
Subject: Re: [Assp-user] DoNoSpoofing4From





Re: DoNoSpoofing4From

Brunner Markus-2

Hi,

'DoNoFrom' is set to score and nofromValencePB is set to 50, but it was not added to the total score.

17-05-10.maillog.txt:May-10-17 21:27:54 m1-44474-10908 [Worker_1] [TLS-out] [isbounce] 85.128.182.51 bounce message detected
17-05-10.maillog.txt:May-10-17 21:27:54 m1-44474-10908 [Worker_1] [TLS-out] 85.128.182.51 to: [hidden email] [scoring] SPF: none (cache) ip=85.128.182.51 mailfrom=[hidden email] helo=alz51.rev.netart.pl
17-05-10.maillog.txt:May-10-17 21:27:54 m1-44474-10908 [Worker_1] [TLS-out] [DNSBL] 85.128.182.51 to: [hidden email] [scoring] DNSBL: neutral, 85.128.182.51 listed in l2.apews.org
17-05-10.maillog.txt:May-10-17 21:27:54 m1-44474-10908 [Worker_1] [TLS-out] 85.128.182.51 to: [hidden email] Message-Score: added 17 for DNSBL: neutral, 85.128.182.51 listed in l2.apews.org, total score for this message is now 17
17-05-10.maillog.txt:May-10-17 21:27:54 m1-44474-10908 [Worker_1] [TLS-out] 85.128.182.51 to: [hidden email] [monitoring] IP: 85.128.182.51 is listed by [CACHE] ips.backscatterer.org
17-05-10.maillog.txt:May-10-17 21:27:54 m1-44474-10908 [Worker_1] [TLS-out] 85.128.182.51 to: [hidden email] HMM-Check has given less than 6 results - using monitoring mode only
17-05-10.maillog.txt:May-10-17 21:27:54 m1-44474-10908 [Worker_1] [TLS-out] 85.128.182.51 to: [hidden email] HMM Check [monitoring] - Prob: 0.00000 => ham - answer/query relation: 6% of 46
17-05-10.maillog.txt:May-10-17 21:27:54 m1-44474-10908 [Worker_1] [TLS-out] 85.128.182.51 to: [hidden email] Bayesian Check [scoring] - Prob: 0.00000 => ham - answer/query relation: 54% of 48
17-05-10.maillog.txt:May-10-17 21:27:54 m1-44474-10908 [Worker_1] [TLS-out] 85.128.182.51 to: [hidden email] info: found bounced sender: <> and recipient: <[hidden email]> without valid MSGID-signature
17-05-10.maillog.txt:May-10-17 21:27:54 m1-44474-10908 [Worker_1] [TLS-out] [MSGID-sig] 85.128.182.51 to: [hidden email] [scoring] MSGID-sig check failed for bounce sender
17-05-10.maillog.txt:May-10-17 21:27:54 m1-44474-10908 [Worker_1] [TLS-out] 85.128.182.51 to: [hidden email] Message-Score: added 25 (fbmtvValencePB) for MSGID-sig check failed for bounce sender , total score for this message is now 42
17-05-10.maillog.txt:May-10-17 21:27:54 m1-44474-10908 [Worker_1] [TLS-out] 85.128.182.51 to: [hidden email] [Plugin] calling plugin ASSP_AFC
17-05-10.maillog.txt:May-10-17 21:27:55 m1-44474-10908 [Worker_1] [TLS-out] [MessageOK] 85.128.182.51 to: [hidden email] message ok [Invoice 81687624195 Crist Leah]
17-05-10.maillog.txt:May-10-17 21:27:55 m1-44474-10908 [Worker_1] [TLS-out] 85.128.182.51 to: [hidden email] info: PB-IP-Score for '85.128.182.0' is 0, added 17 in this session

Why?

Markus


From: Thomas Eckardt [mailto:[hidden email]]
Sent: Wednesday, 31 May 2017 16:44
To: For Users of ASSP <[hidden email]>
Subject: Re: [Assp-user] DoNoSpoofing4From

 


Re: DoNoSpoofing4From

Thomas Eckardt/eck
>info: found bounced sender: <>

If there is no envelope sender provided (it's a bounce mail) - the 'from' header check is skipped.

>[scoring] MSGID-sig check failed for bounce sender

If all your outgoing mails are msgid tagged by assp - block on this check.

At least:

is listed by [CACHE] ips.backscatterer.org + MSGID-sig check failed for bounce sender = should be blocked by the penalty box MessageScore

Thomas





From: Brunner Markus <[hidden email]>
To: For Users of ASSP <[hidden email]>
Date: 31.05.2017 17:03
Subject: Re: [Assp-user] DoNoSpoofing4From




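Thomas's two points above (a message with an empty envelope sender is a bounce, so the From-header check is skipped; a bounce should instead be judged on whether it carries a Message-ID that ASSP signed on the way out) as an added Python example, not ASSP's code. The page does not show ASSP's MSGID-signature format, so the tag used here, an HMAC-SHA256 over a timestamp and nonce embedded in the Message-ID, is an assumption; the key, domain and sample headers are constructed. `score_message` replays the scoring path visible in Markus's maillog with the valences named in the thread (nofromValencePB=50, fbmtvValencePB=25) and a DNSBL score of 17 already on the message.

```python
"""Bounce (backscatter) handling as described in the thread: with an empty
envelope sender the From-header check is skipped, so the defence is a signed
Message-ID on outgoing mail that a genuine bounce must carry back.
Added example, not ASSP code. ASSP's real MSGID-signature format is not on
the page; an HMAC-SHA256 tag inside the Message-ID is assumed here."""
import hashlib
import hmac
import re
import secrets
import time

# Does the (undecoded) From value carry a structural address at all?
HAS_ADDR = re.compile(r"<\s*[^<>@\s]+@[^<>@\s]+\s*>|^\s*[^<>@\s]+@[^<>@\s]+\s*$")
# Assumed layout of a signed Message-ID: <unixtime.nonce.tag@domain>
SIGNED_ID = re.compile(r"<(\d+)\.([0-9a-f]+)\.([0-9a-f]+)@([^>]+)>")
TAG_LEN = 20  # hex chars of the HMAC kept in the Message-ID (assumed)


def _tag(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def sign_message_id(domain: str, key: bytes, *, now=None, nonce=None) -> str:
    """Message-ID for outgoing mail: <unixtime.nonce.tag@domain>."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(4) if nonce is None else nonce
    body = f"{ts}.{nonce}"
    return f"<{body}.{_tag(key, body)}@{domain}>"


def verify_message_id(msgid: str, domain: str, key: bytes, *,
                      max_age=7 * 86400, now=None) -> bool:
    """True only for a Message-ID we issued: our domain, a matching tag, not expired."""
    m = SIGNED_ID.fullmatch(msgid.strip())
    if not m or m.group(4).lower() != domain.lower():
        return False
    ts, nonce, tag = m.group(1), m.group(2), m.group(3)
    if not hmac.compare_digest(tag, _tag(key, f"{ts}.{nonce}")):
        return False
    now = time.time() if now is None else now
    return 0 <= now - int(ts) <= max_age


def score_message(envelope_sender: str, from_header: str, msgids_in_bounce, score: int, *,
                  domain: str, key: bytes, nofrom_valence=50, fbmtv_valence=25, now=None):
    """Replay the decision flow visible in the thread's maillog.
    score is the running message score; msgids_in_bounce are the Message-IDs
    found in the returned message (In-Reply-To / the attached original)."""
    reasons = []
    if envelope_sender == "":
        # bounce message detected: the From-header check is skipped entirely,
        # which is why nofromValencePB never appeared in the log
        if not any(verify_message_id(m, domain, key, now=now) for m in msgids_in_bounce):
            score += fbmtv_valence
            reasons.append("MSGID-sig check failed for bounce sender")
    elif not HAS_ADDR.search(from_header):
        score += nofrom_valence
        reasons.append("invalid From header (no address)")
    return score, reasons


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed; use a long random secret in practice
    genuine = sign_message_id("example.com", KEY)
    bare_from = "=?UTF-8?B?QWxpY2U=?="  # constructed: encoded-word only, no address
    # forged bounce (Return-Path <>) that echoes no Message-ID of ours, 17 points so far
    print(score_message("", bare_from, [], 17, domain="example.com", key=KEY))
    # genuine bounce of a message we signed: nothing is added
    print(score_message("", bare_from, [genuine], 17, domain="example.com", key=KEY))
    # same From header on a non-bounce: the From check applies
    print(score_message("sender@example.net", bare_from, [], 0, domain="example.com", key=KEY))
```

The expiry window keeps a leaked Message-ID from being replayed indefinitely, and `hmac.compare_digest` avoids a timing side channel on the tag comparison; both are cheap to keep even though the thread only asks for the signature check itself.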