Missing Connecting IP / DoReversed blocking

Missing Connecting IP / DoReversed blocking

Raynaud Alexandre
Hi list,
For a long time I have noticed that for some incoming mails there is no information on the "Connecting IP", so even if I use "block" for DoReversed, this kind of mail passes through.

Here is an example of an email that has no information about the "Connecting IP" in the ASSP "Mail Analyzer":

General Hints:

text processing uses unicode normalization
ASSP-ID: ASSP.nospam m1-09027-06745
ASSP-Session: 7F35D1174AA0 (mail 1)
removed all local X-ASSP- header lines for analysis

sender and reply addresses:
MAIL FROM: [hidden email]

recipient addresses:
RCPT TO: [hidden email]
using enhanced Originated IP detection
*detected IP's on the mail routing way: 178.248.x.x(mtaxx.xx.eu)
*detected source IP: 178.248.x.x

Feature Matching:

* DKIM-check returned OK verified-OK
* URIBL check: 'OK'
* RBLCheck returned OK for 178.248.x.x:
* domain domain.fr (in Reply-To) has a valid MX record: x.l.x.com
* domainMX aspmx.l.google.com has a valid A record: 66.102.x.x
* domain news.x.fr (in Mail From: , Errors-to , From , Return-Path) has a valid MX record: bounce.x.eu
* domainMX bounce.x.eu has a valid A record: 62.27.x.x
* PTR record via DNS: status=no PTR
* RWLcheck returned OK for : status=unknown



But in the ASSP mail log, the first log entry for the email concerned shows the connecting IP: 178.248.x.x. Strangely, in the ASSP "Mail Analyzer" this IP address is in the section "using enhanced Originated IP detection" and there is no information at the "Connecting IP" level.
Every time that kind of email arrives, DoReversed is never applied.


Another question is (at the moment we are receiving an incredible amount of Cryptowall): while ASSP is running, if I activate RBLWL (Whitelisted DNSBL Validation), do I need to restart ASSP or wait? I ask this because I did this, but even though the addresses were blacklisted, mails with this Cryptowall were continuing to pass through ASSP.

If anybody has any explanation I would appreciate it. Thank you.

Regards,

Alexandre RAYNAUD
MAIRIE DE SALLANCHES



------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
_______________________________________________
Assp-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-user
Re: Missing Connecting IP / DoReversed blocking

Thomas Eckardt/eck
> and there is no information at the "Connecting IP" level

The analyzer uses the "Received:" header line to detect the connected IP -
show the one for this mail.

> RBLWL (Whitelisted DNSBL Validation)

What does RBLWL have to do with virus detection? ClamAV or even the ASSP_AFC
plugin with UserAttach will block such mails 100%.

> mails with this Cryptowall were continuing to pass through ASSP

What was the reason for the pass through?

>do i need to restart ASSP or wait?

After all workers have reread the config, your changes will take effect.

Thomas



From:    "Raynaud Alexandre" <[hidden email]>
To:      <[hidden email]>
Date:    25.02.2016 16:26
Subject: [Assp-user] Missing Connecting IP / DoReversed blocking



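The following is an added example, not ASSP code and not from either poster. It models what Thomas describes: the connecting IP is taken from the topmost "Received:" header line, the IPs on the routing way are collected from all of them (the "enhanced Originated IP detection" section), and a reverse-DNS (PTR) check in the spirit of DoReversed=block is run on the connecting IP. It shows why a mail from which no connecting IP can be derived gets no verdict from such a check at all, which is the pass-through Alexandre describes, and contrasts that with a fail-closed variant. The header layout, the addresses (RFC 5737 documentation ranges), the PTR lookup table and every function name are constructed for illustration.

```python
"""Added example (not ASSP's own code): a connecting-IP check keyed off the
"Received:" header line, and how it behaves when that line is missing.
All messages, addresses and the PTR table below are constructed."""
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional, Tuple

# Matches the IPv4 literal an MTA writes in brackets after the HELO/PTR name,
# e.g. "(mta01.example.net [198.51.100.7])".  IPv6 literals are not handled.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: two hops, the topmost line written by our own MTA.
MSG_WITH_RECEIVED = """\
Received: from mta01.example.net (mta01.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id 1aBcDe for <user@example.org>;
\tThu, 25 Feb 2016 16:20:00 +0100
Received: from app.example.net (unknown [192.0.2.44])
\tby mta01.example.net with ESMTP id 2XyZ;
\tThu, 25 Feb 2016 16:19:55 +0100
From: news@example.net
To: user@example.org
Subject: constructed sample

body
"""

# Constructed sample: the same mail with no "Received:" line at all.
MSG_WITHOUT_RECEIVED = """\
From: news@example.net
To: user@example.org
Subject: constructed sample without Received header

body
"""

# Stand-in for the resolver so the example runs offline (constructed data).
PTR_TABLE = {"198.51.100.7": "mta01.example.net"}


def parse(raw: str) -> Message:
    """Parse a raw RFC 5322 message."""
    return message_from_string(raw)


def connecting_ip(msg: Message) -> Optional[str]:
    """IP of the host that connected to our MTA, read from the topmost
    "Received:" line.  None when that line is missing or has no IP literal."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = IPV4_IN_BRACKETS.search(str(received[0]))
    return match.group(1) if match else None


def routing_ips(msg: Message) -> List[str]:
    """Every IPv4 literal on the routing way, nearest hop first; this is the
    kind of list the analyzer's 'enhanced Originated IP detection' prints."""
    ips: List[str] = []
    for header in msg.get_all("Received") or []:
        ips.extend(IPV4_IN_BRACKETS.findall(str(header)))
    return ips


def ptr_lookup(ip: str, table: dict = PTR_TABLE) -> Optional[str]:
    """Reverse-DNS stub; a real implementation would query DNS here."""
    return table.get(ip)


def do_reversed(msg: Message, fail_closed: bool = False,
                table: dict = PTR_TABLE) -> Tuple[str, str]:
    """Reverse-DNS policy on the connecting IP, modelled on DoReversed=block.
    Returns (verdict, reason) with verdict in {"pass", "block", "skipped"}."""
    ip = connecting_ip(msg)
    if ip is None:
        # Nothing to look up: a check keyed off the connecting IP cannot run.
        if fail_closed:
            return "block", "no connecting IP; reverse-DNS check could not run"
        return "skipped", "no connecting IP; reverse-DNS check not applied"
    name = ptr_lookup(ip, table)
    if name is None:
        return "block", f"{ip}: status=no PTR"
    return "pass", f"{ip}: PTR {name}"


if __name__ == "__main__":
    for label, raw in (("with Received", MSG_WITH_RECEIVED),
                       ("without Received", MSG_WITHOUT_RECEIVED)):
        msg = parse(raw)
        print(label, "connecting IP:", connecting_ip(msg),
              "routing IPs:", routing_ips(msg))
        print("  default    :", do_reversed(msg))
        print("  fail-closed:", do_reversed(msg, fail_closed=True))
```

The point to take from the second sample is that "skipped" is not a verdict: a filter that only blocks on a failed lookup lets through every mail for which the lookup never ran. Whether to fail closed is a policy decision, since a missing or unparseable "Received:" line can also be the result of a local misconfiguration rather than of a hostile sender.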