Missing Connecting IP / no blocking


Missing Connecting IP / no blocking

Raynaud Alexandre
Hi Thomas Eckardt,
I agree I haven't been clear enough.

>The analyzer uses the "Received:" headerline to detect the connected IP -
>show the one for this mail.

Here are 2 mail headers:
Case 1: no "Connecting IP" information in ASSP Mail Analyzer
Microsoft Mail Internet Headers Version 2.0
Received: from smtp.ourdomain.fr ([10.2.x.x]) by mailhost.local with Microsoft SMTPSVC(6.0.3790.1830);
         Thu, 25 Feb 2016 15:03:51 +0100
Received: from mta184030.ems01.eu (localhost [127.0.0.1])
        by smtp.ourdomain.fr (Postfix) with ESMTP id 89132C052D
        for <[hidden email]>; Thu, 25 Feb 2016 15:03:48 +0100 (CET)
Received: from mta184030.ems01.eu ([178.248.184.30] helo=mta184030.ems01.eu)
        by ASSP.nospam with SMTP (2.4.7); 25 Feb 2016 15:03:47 +0100
==> We use "Block" for DoReversed and DoInvalidPTR. In this case 1, where there is no "Connecting IP" information in ASSP Mail Analyzer, the connected IP appears like this: detected IP's on the mail routing way: 178.248.184.30(mta184030.ems01.eu)
But even though this IP has no PTR (PTR record via DNS: status=no PTR), ASSP won't block the email.

Case 2 : "Connecting IP" information is present in ASSP Mail Analyzer
Microsoft Mail Internet Headers Version 2.0
Received: from smtp.ourdomain.fr ([10.2.x.x]) by mailhost.local with Microsoft SMTPSVC(6.0.3790.1830);
         Thu, 25 Feb 2016 15:04:17 +0100
Received: from abts-kk-dynamic-024.51.172.122.airtelbroadband.in (localhost [127.0.0.1])
        by smtp.ourdomain.fr (Postfix) with ESMTP id 48166C052D
        for <[hidden email]>; Thu, 25 Feb 2016 15:04:14 +0100 (CET)
Received: from abts-kk-dynamic-024.51.172.122.airtelbroadband.in
        ([122.172.51.24] helo=abts-kk-dynamic-024.51.172.122.airtelbroadband.in) by
        ASSP.nospam with SMTP (2.4.7); 25 Feb 2016 15:04:14 +0100
==> In this case, if the connected IP has no valid PTR, it is blocked as expected.

When we compare these 2 headers, nothing distinguishes them, but as I said, in certain situations there is no "Connecting IP" information in ASSP Mail Analyzer, and in this case DoReversed=Block, DoInvalidPTR=block won't be applied even though ASSP Mail Analyzer shows something like: PTR record via DNS: status=no PTR

This is the situation I wanted to describe, Thomas, and I hope I have been clear enough this time.

>>Do I need to restart ASSP or wait?

>After all workers have reread the config, your changes will take place.

OK, when are the workers supposed to reread the config? I ask this because yesterday, 15 minutes after I activated Do Reversed Lookup for Whitelisted (DoReversedWL), the parameter was not yet effective and junk mail from whitelisted domains was continuing to pass through even though the connected IP addresses were DNS-blacklisted.

Thank you for your analysis.

Regards,
Alexandre



From:    "Raynaud Alexandre" <alexandre.raynaud@...>
To:      <assp-user@...>
Date:    25.02.2016 16:26
Subject: [Assp-user] Missing Connecting IP / DoReversed blocking



Hi list,
For a long time I have noticed that for some incoming mails there is no information on the "Connecting IP"; then even if I use "block" for DoReversed, this kind of mail passes through.

Here is an example of an email that has no information about the "Connecting IP" in the ASSP "Mail Analyzer":

General Hints:

text processing uses unicode normalization
ASSP-ID: ASSP.nospam m1-09027-06745
ASSP-Session: 7F35D1174AA0 (mail 1)
removed all local X-ASSP- header lines for analysis

sender and reply addresses:
MAIL FROM: xxx@...

recipient addresses:
RCPT TO: some.addresse@...
using enhanced Originated IP detection
*detected IP's on the mail routing way: 178.248.x.x(mtaxx.xx.eu)
*detected source IP: 178.248.x.x

Feature Matching:

* DKIM-check returned OK verified-OK
* URIBL check: 'OK'
* RBLCheck returned OK for 178.248.x.x:
* domain domain.fr (in Reply-To) has a valid MX record: x.l.x.com
* domainMX aspmx.l.google.com has a valid A record: 66.102.x.x
* domain news.x.fr (in Mail From: , Errors-to , From , Return-Path) has a
valid MX record: bounce.x.eu
* domainMX bounce.x.eu has a valid A record: 62.27.x.x
* PTR record via DNS: status=no PTR
* RWLcheck returned OK for : status=unknown



But in the ASSP mail log, in the first log entry for the email concerned, I can see the connecting IP: 178.248.x.x. Strangely, in ASSP "Mail Analyzer" this IP address is in the section "using enhanced Originated IP detection" and there is no information at "Connecting IP" level. Every time that kind of email arrives, DoReversed is never applied.


Another question is (actually we are receiving an incredible amount of CryptoWall): while ASSP is running, if I activate RBLWL (Whitelisted DNSBL Validation), do I need to restart ASSP or wait? I ask this because I did this, but even though the addresses were blacklisted, mails with this CryptoWall were continuing to pass through ASSP.

If anybody has any explanation, I would appreciate it. Thank you.

Regards,

Alexandre RAYNAUD
MAIRIE DE SALLANCHES

 


_______________________________________________
Assp-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-user

Re: Missing Connecting IP / no blocking

Thomas Eckardt/eck
>Received: from mta184030.ems01.eu ([178.248.184.30] helo=mta184030.ems01.eu)
>        by ASSP.nospam with SMTP (2.4.7); 25 Feb 2016 15:03:47 +0100

and

>Received: from abts-kk-dynamic-024.51.172.122.airtelbroadband.in
>        ([122.172.51.24] helo=abts-kk-dynamic-024.51.172.122.airtelbroadband.in) by
>        ASSP.nospam with SMTP (2.4.7); 25 Feb 2016 15:04:14 +0100


The 'by' is on a new line in variant 1 - possibly this is the reason - I'll check this.

Thomas



DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no
known virus in this email!
*******************************************************
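The failure mode Thomas points at (the "by" clause of the ASSP Received: line landing on a folded continuation line) is easy to reproduce with a small parser. The Python below is an added example written for this page, not ASSP's code: it unfolds RFC 5322 header folding before matching, so the connecting IP is found no matter where the fold falls, and puts a deliberately line-at-a-time matcher beside it to show how case 1 loses the IP while case 2 keeps it. The two header samples are reconstructed from the cases posted in the thread (the redacted 10.2.x.x and the hidden recipient are kept as placeholders), the proxy name ASSP.nospam comes from the thread, and the PTR table is constructed from the Mail Analyzer output rather than from real DNS.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples reconstructed from the two header sets in the thread.
# LF line endings are used here; splitlines() also accepts CRLF.
# 10.2.x.x and the recipient address are placeholders, as in the post.
CASE1 = (
    "Received: from smtp.ourdomain.fr ([10.2.x.x]) by mailhost.local with Microsoft SMTPSVC(6.0.3790.1830);\n"
    "         Thu, 25 Feb 2016 15:03:51 +0100\n"
    "Received: from mta184030.ems01.eu (localhost [127.0.0.1])\n"
    "        by smtp.ourdomain.fr (Postfix) with ESMTP id 89132C052D\n"
    "        for <recipient@example.invalid>; Thu, 25 Feb 2016 15:03:48 +0100 (CET)\n"
    "Received: from mta184030.ems01.eu ([178.248.184.30] helo=mta184030.ems01.eu)\n"
    "        by ASSP.nospam with SMTP (2.4.7); 25 Feb 2016 15:03:47 +0100\n"
    "\n"
    "body\n"
)
CASE2 = (
    "Received: from smtp.ourdomain.fr ([10.2.x.x]) by mailhost.local with Microsoft SMTPSVC(6.0.3790.1830);\n"
    "         Thu, 25 Feb 2016 15:04:17 +0100\n"
    "Received: from abts-kk-dynamic-024.51.172.122.airtelbroadband.in (localhost [127.0.0.1])\n"
    "        by smtp.ourdomain.fr (Postfix) with ESMTP id 48166C052D\n"
    "        for <recipient@example.invalid>; Thu, 25 Feb 2016 15:04:14 +0100 (CET)\n"
    "Received: from abts-kk-dynamic-024.51.172.122.airtelbroadband.in\n"
    "        ([122.172.51.24] helo=abts-kk-dynamic-024.51.172.122.airtelbroadband.in) by\n"
    "        ASSP.nospam with SMTP (2.4.7); 25 Feb 2016 15:04:14 +0100\n"
    "\n"
    "body\n"
)

# The 'by' name ASSP writes into its own Received: line (taken from the thread).
PROXY_HOST = "ASSP.nospam"

# Constructed PTR table standing in for DNS: the analyzer reported "no PTR"
# for both connecting IPs, so both map to None.
PTR_TABLE: Dict[str, Optional[str]] = {"178.248.184.30": None, "122.172.51.24": None}

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"^from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs for the header block, joining RFC 5322
    folded continuation lines (lines starting with SP or HTAB) onto the
    field they belong to."""
    header_block = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    fields: List[Tuple[str, str]] = []
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def received_hops(raw: str) -> List[Dict[str, Optional[str]]]:
    """Parse every Received: field (newest first, as in the message) into
    helo / bracketed IP / receiving host. Hops without a literal IPv4 in
    brackets (e.g. the redacted 10.2.x.x) get ip=None."""
    hops: List[Dict[str, Optional[str]]] = []
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        m = HOP_RE.match(value)
        if not m:
            continue
        ip_m = IPV4_RE.search(m.group("paren") or "")
        hops.append({"helo": m.group("helo"),
                     "ip": ip_m.group(1) if ip_m else None,
                     "by": m.group("by")})
    return hops


def connecting_ip(raw: str, proxy_host: str = PROXY_HOST) -> Optional[str]:
    """The IP that connected to the proxy: the hop whose 'by' is the proxy."""
    for hop in received_hops(raw):
        if hop["by"] and hop["by"].lower() == proxy_host.lower():
            return hop["ip"]
    return None


NAIVE_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\][^\r\n]*\bby\b")


def naive_connecting_ip(raw: str) -> Optional[str]:
    """Hypothetical line-at-a-time matcher (not ASSP's code): it only sees
    an IP when the bracketed address and the word 'by' share one physical
    line, which is exactly what the fold in case 1 breaks."""
    for line in raw.splitlines():
        m = NAIVE_RE.search(line)
        if m:
            return m.group(1)
    return None


def ptr_policy(ip: Optional[str], ptr_table: Dict[str, Optional[str]]) -> str:
    """DoInvalidPTR=block style decision. A missing connecting IP is
    reported as its own outcome so the gap shows up in logs instead of
    the check being skipped silently."""
    if ip is None:
        return "no-connecting-ip"
    return "pass" if ptr_table.get(ip) else "block"


if __name__ == "__main__":
    for label, raw in (("case 1", CASE1), ("case 2", CASE2)):
        good, naive = connecting_ip(raw), naive_connecting_ip(raw)
        print(label, "unfolded:", good, "->", ptr_policy(good, PTR_TABLE),
              "| line-at-a-time:", naive, "->", ptr_policy(naive, PTR_TABLE))
```

Run as a script it prints, for case 1, the IP and "block" from the unfolding parser but None and "no-connecting-ip" from the line-at-a-time one, and the same IP from both for case 2. The defender's takeaway is the last function: whatever the parser, a hop where the connecting IP cannot be determined should produce a visible outcome of its own, because a PTR or DNSBL policy that simply has nothing to evaluate fails open.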



Re: Missing Connecting IP / no blocking

Thomas Eckardt/eck
In reply to this post by Raynaud Alexandre
Raynaud, please try 2.4.8 16060 and tell me if this is fixed.

http://assp.cvs.sourceforge.net/viewvc/assp/assp2/

Thomas

TR: Missing Connecting IP / no blocking

Raynaud Alexandre
In reply to this post by Raynaud Alexandre

Hi Thomas,
I have just installed version 2.4.8 16060.
To confirm that, when the Connecting IP is missing in "ASSP mail Analyzer", mail passes through even with DoReversed=Block, DoInvalidPTR=block, I have to wait for some bad mails with no PTR to be sent to our domains.

On the other hand, what I can say is that I have just done a new analysis using "ASSP mail Analyzer" of the header case 1 I sent in my previous post, but there is still no information about the Connecting IP. I don't know if this matters.

Regards,

Alexandre RAYNAUD
 

Re: TR: Missing Connecting IP / no blocking

Thomas Eckardt/eck
>but still no information about Connecting IP. I don't know if this matters....

ZIP such an eml file and send it to my private email address.

Thomas