> Ok; we had to be sure there wasn't something listening on 25/tcp

True.

> yet I can't understand why, as you reported

Which is why I made the original post. :-)

> seems to indicate that there must be something else running on the
> system and allowing to reach the SMTP server
> using the loopback address; such a program has to be listening on a
> public IP and "tunnelling" the connection toward 127.0.0.1

For the life of me, I can't guess what it might be. It might be obvious if it were a hack that sent many e-mails. All I can see is the occasional single e-mail (unless I just happen to get one of thousands).

My first thought was that amavisd was the culprit, since it was present in the header, but it seems to be there only because Postfix calls it. Also, the chain is from the outside directly to Postfix. I'd be surprised that there was anything missing in the chain. Here it is again, so you can see what I mean:

Return-Path: <paym...@cenbank.org>
Received: from mymxserver.com ([unix socket])
    by mymxserver.com (Cyrus v2.3.8-OS X Server 10.5: 9G69) with LMTPA;
    Tue, 28 Jul 2009 14:32:48 -0400
X-Sieve: CMU Sieve 2.3
Received: from localhost (localhost [127.0.0.1])
    by mymxserver.com (Postfix) with ESMTP id 8AB13B16DA2
    for <u...@myvirtualdomain.com>; Tue, 28 Jul 2009 14:32:48 -0400 (EDT)
X-Quarantine-ID: <7pa9PF6Mj5nV>
X-Virus-Scanned: amavisd-new at myserver.com
Received: from mymxserver.com ([127.0.0.1])
    by localhost (mymxserver.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 7pa9PF6Mj5nV
    for <u...@myvirtualdomain.com>; Tue, 28 Jul 2009 14:32:46 -0400 (EDT)
Received: from mout3.freenet.de (localhost [127.0.0.1])
    by mymxserver.com (Postfix) with ESMTP id 9868FB16D96
    for <u...@myvirtualdomain.com>; Tue, 28 Jul 2009 14:32:46 -0400 (EDT)
Received: from [195.4.92.15] (helo=5.mx.freenet.de)
    by mout3.freenet.de with esmtpa (ID ngt5...@justmail.de) (port 25)
    (Exim 4.69 #92) id 1MVTzj-0002vQ-JV; Mon, 27 Jul 2009 19:28:15 +0200
Received: from ml82.128.2.28.multilinks.com ([82.128.2.28]:3927 helo=User)
    by 5.mx.freenet.de with esmtpa (ID ngt5...@justmail.de) (port 25)
    (Exim 4.69 #93) id 1MVTzg-0004nD-SO; Mon, 27 Jul 2009 19:28:15 +0200

The mail is sent by a user at multilinks.com to 5.mx.freenet.de, which ships it to mout3.freenet.de, which, in turn, talks (apparently) directly to my server's Postfix.

If the structure of your suggestion is the cause of the problem, I'm surprised that there's no intermediary process at 127.0.0.1 between mout3.freenet.de and Postfix. I'd have expected one more "Received:" (if that phantom process is acting as a mail server; unless, of course, someone hacked my machine that skillfully that the hack masked its presence by faking a direct conversation between mout3.freenet.de and my Postfix).

> the public IP listening port may even not be 25;

True, but I'd have expected some evidence of another process at 127.0.0.1.

> so, the next step may be running nmap against the listening ports
> and grabbing the "banner" to see if one of those ports returns the
> SMTP server banner;

I'm not a CLI guru. Could you help a little with the right command? Thanks.

> I'd check if the server is running any kind of web service;

It is.

> in such a case the "assp bypass" may come from some page or cgi
> allowing to directly send emails

True. But, again, I'd expect in the header some evidence of where the mail came from. I'm not seeing that. It would surely have required that whatever came through the web server would have masked itself as 5.mx.freenet.de and mout3.freenet.de, which I'm not seeing. I suppose it could be lying about the port 25, too.... :-/

Thoughts?

T.

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
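
Added example, not part of the original post: a Python sketch that walks the Received chain quoted above and reports every hop whose connecting peer is a loopback address while the name it announced is not one of the server's own. The function names and the `LOCAL_NAMES` set are assumptions made for this illustration.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Received chain copied from the post, newest hop first; "for" and "ID" clauses
# dropped for width. Constructed sample input, not live data.
RAW = """\
Received: from mymxserver.com ([unix socket])
 by mymxserver.com (Cyrus v2.3.8-OS X Server 10.5: 9G69) with LMTPA; Tue, 28 Jul 2009 14:32:48 -0400
Received: from localhost (localhost [127.0.0.1])
 by mymxserver.com (Postfix) with ESMTP id 8AB13B16DA2; Tue, 28 Jul 2009 14:32:48 -0400 (EDT)
Received: from mymxserver.com ([127.0.0.1])
 by localhost (mymxserver.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7pa9PF6Mj5nV
Received: from mout3.freenet.de (localhost [127.0.0.1])
 by mymxserver.com (Postfix) with ESMTP id 9868FB16D96; Tue, 28 Jul 2009 14:32:46 -0400 (EDT)
Received: from [195.4.92.15] (helo=5.mx.freenet.de)
 by mout3.freenet.de with esmtpa (port 25) (Exim 4.69 #92) id 1MVTzj-0002vQ-JV
Received: from ml82.128.2.28.multilinks.com ([82.128.2.28]:3927 helo=User)
 by 5.mx.freenet.de with esmtpa (port 25) (Exim 4.69 #93) id 1MVTzg-0004nD-SO
"""

# Assumption: the names this server uses for itself.
LOCAL_NAMES = {"localhost", "mymxserver.com"}
FROM_RE = re.compile(r"^from\s+(\S+)\s*(.*?)\s+by\s+(\S+)", re.I | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(raw):
    """Return (announced_name, peer_ip_or_None, receiving_host) per hop."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = FROM_RE.match(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        name, rest, by_host = m.groups()
        # Postfix writes "from HELO (rdns [ip])": the first token is only claimed.
        ip = IP_RE.search(name + " " + rest)
        hops.append((name, ip_address(ip.group(1)) if ip else None, by_host))
    return hops

def loopback_with_foreign_name(raw, local_names=LOCAL_NAMES):
    """Hops received from loopback under a name that is not one of ours."""
    return [(n, str(ip), by) for n, ip, by in parse_hops(raw)
            if ip is not None and ip.is_loopback and n.lower() not in local_names]

if __name__ == "__main__":
    for name, ip, by in loopback_with_foreign_name(RAW):
        print(f"{by} accepted mail from {ip} announcing itself as {name}")
```

On the chain above it reports one hop: Postfix on mymxserver.com took the message from 127.0.0.1 under the name mout3.freenet.de, so the two Exim lines below that hop are data the local sender supplied, not hops Postfix observed.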