What is running on ports 2500 and 2600? Could that be your sneak path?
Any possibility that you have an IRC client running on the server?  
(freenet is home of IRC)

It looks like your server is a BSD machine so try:
sudo lsof -i tcp | grep LIST
to find out what processes are listening on tcp.

On Aug 3, 2009, at 7:01 AM, Trevor Jacques wrote:

>> Ok; we had to be sure there wasn't something listening on 25/tcp
>
> True.
>
>> yet I can't understand why, as you reported
>
> Which is why I made the original post. :-)
>
>> seems to indicate that there must be something else running on the
>> system and allowing to reach the SMTP server
>> using the loopback address; such a program has to be listening on a
>> public IP and "tunnelling" the connection toward 127.0.0.1
>
> For the life of me, I can't guess what it might be. It might be
> obvious if it were a hack that sent many e-mails. All I can see is the
> occasional single e-mail (unless I just happen to get one of
> thousands). My first thought was that amavisd was the culprit, since
> it was present in the header, but it seems to be there only because
> Postfix calls it. Also, the chain is from the outside directly to
> Postfix. I'd be surprised that there was anything missing in the
> chain. Here it is again, so you can see what I mean:
>
> Return-Path: <paym...@cenbank.org>
> Received: from mymxserver.com ([unix socket])
>        by mymxserver.com (Cyrus v2.3.8-OS X Server 10.5:      9G69) with 
> LMTPA;
>        Tue, 28 Jul 2009 14:32:48 -0400
> X-Sieve: CMU Sieve 2.3
> Received: from localhost (localhost [127.0.0.1])
>       by mymxserver.com (Postfix) with ESMTP id 8AB13B16DA2
>       for <u...@myvirtualdomain.com>; Tue, 28 Jul 2009 14:32:48 -0400 (EDT)
> X-Quarantine-ID: <7pa9PF6Mj5nV>
> X-Virus-Scanned: amavisd-new at myserver.com
> Received: from mymxserver.com ([127.0.0.1])
>       by localhost (mymxserver.com [127.0.0.1]) (amavisd-new, port 10024)
>       with ESMTP id 7pa9PF6Mj5nV for <u...@myvirtualdomain.com>;
>       Tue, 28 Jul 2009 14:32:46 -0400 (EDT)
> Received: from mout3.freenet.de (localhost [127.0.0.1])
>       by mymxserver.com (Postfix) with ESMTP id 9868FB16D96
>       for <u...@myvirtualdomain.com>; Tue, 28 Jul 2009 14:32:46 -0400 (EDT)
> Received: from [195.4.92.15] (helo=5.mx.freenet.de)
>       by mout3.freenet.de with esmtpa (ID ngt5...@justmail.de) (port 25)
> (Exim 4.69 #92)
>       id 1MVTzj-0002vQ-JV; Mon, 27 Jul 2009 19:28:15 +0200
> Received: from ml82.128.2.28.multilinks.com ([82.128.2.28]:3927
> helo=User)
>       by 5.mx.freenet.de with esmtpa (ID ngt5...@justmail.de) (port 25)
> (Exim 4.69 #93)
>       id 1MVTzg-0004nD-SO; Mon, 27 Jul 2009 19:28:15 +0200
>
> The mail is sent by a user at multilinks.com to 5.mx.freenet.de, which
> ships it to mout3.freenet.de, which, in turn, talks (apparently)
> directly to my server's Postfix. If the structure of your suggestion
> is the cause of the problem, I'm surprised that there's no
> intermediary process at 127.0.0.1 between mout3.freenet.de and
> Postfix. I'd have expected one more "Received:" (if that phantom
> process is acting as a mail server; unless, of course, someone hacked
> my machine that skillfully that the hack masked its presence by faking
> a direct conversation between mout3.freenet.de and my Postfix).
>
>> the public IP listening port may even not be 25;
>
> True, but I'd have expected some evidence of another process at
> 127.0.0.1.
>
>> so, the next step may be running nmap against the listening ports
>> and grabbing the "banner" to see if one of those ports returns the
>> SMTP server banner;
>
> I'm not a CLI guru. Could you help a little with the right command?
> Thanks.
>
>> I'd check if the server is running any kind of web service;
>
> It is.
>
>> in such a case the "assp bypass" may come from some page or cgi
>> allowing to directly send emails
>
> True. But, again, I'd expect in the header some evidence of where the
> mail came from. I'm not seeing that. It would surely have required
> that whatever came through the web server would have masked itself as
> 5.mx.freenet.de and mout3.freenet.de, which I'm not seeing. I suppose
> it could be lying about the port 25, too.... :-/
>
> Thoughts?
>
> T.
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008  
> 30-Day
> trial. Simplify your report design, integration and deployment - and  
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
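The question in this thread is which hop in the quoted header chain handed the message to Postfix over the loopback address without passing through the expected front end. The script below is an added example, not code from either poster or from the ASSP project: it parses the Received: headers quoted above (embedded here as constructed sample input, with the archive's redacted addresses left as they appear), records for each hop what the sender called itself versus the address the receiving MTA actually saw, and lists hops where a non-local name arrived over 127.0.0.0/8. The set of names allowed to inject over loopback (LOCAL_NAMES) is an assumption for this host; a transparent proxy in front of Postfix can produce the same picture, so a flagged hop is the one to compare against the relays you know about (ASSP, amavisd), not proof of a bypass by itself.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List, Optional

# Constructed sample: the header chain quoted in the thread, continuation
# lines indented so the parser unfolds them correctly.
SAMPLE_HEADERS = """\
Return-Path: <paym...@cenbank.org>
Received: from mymxserver.com ([unix socket])
    by mymxserver.com (Cyrus v2.3.8-OS X Server 10.5: 9G69) with LMTPA;
    Tue, 28 Jul 2009 14:32:48 -0400
X-Sieve: CMU Sieve 2.3
Received: from localhost (localhost [127.0.0.1])
    by mymxserver.com (Postfix) with ESMTP id 8AB13B16DA2
    for <u...@myvirtualdomain.com>; Tue, 28 Jul 2009 14:32:48 -0400 (EDT)
X-Quarantine-ID: <7pa9PF6Mj5nV>
X-Virus-Scanned: amavisd-new at myserver.com
Received: from mymxserver.com ([127.0.0.1])
    by localhost (mymxserver.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 7pa9PF6Mj5nV for <u...@myvirtualdomain.com>;
    Tue, 28 Jul 2009 14:32:46 -0400 (EDT)
Received: from mout3.freenet.de (localhost [127.0.0.1])
    by mymxserver.com (Postfix) with ESMTP id 9868FB16D96
    for <u...@myvirtualdomain.com>; Tue, 28 Jul 2009 14:32:46 -0400 (EDT)
Received: from [195.4.92.15] (helo=5.mx.freenet.de)
    by mout3.freenet.de with esmtpa (ID ngt5...@justmail.de) (port 25)
    (Exim 4.69 #92)
    id 1MVTzj-0002vQ-JV; Mon, 27 Jul 2009 19:28:15 +0200
Received: from ml82.128.2.28.multilinks.com ([82.128.2.28]:3927
    helo=User)
    by 5.mx.freenet.de with esmtpa (ID ngt5...@justmail.de) (port 25)
    (Exim 4.69 #93)
    id 1MVTzg-0004nD-SO; Mon, 27 Jul 2009 19:28:15 +0200

"""

# Assumption for this example: names that may legitimately hand mail to the
# local MTA over loopback (the host itself and the amavisd re-injection).
LOCAL_NAMES = {"localhost", "mymxserver.com"}

HOP_RE = re.compile(r"from\s+(\S+)\s*(.*?)\s+by\s+(\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    from_name: str          # what the sending side called itself (HELO / name)
    from_ip: Optional[str]  # address the receiving MTA actually saw, if any
    by_host: str            # MTA that wrote this Received: header
    raw: str                # unfolded header text, for reporting


def parse_received(raw_headers: str) -> List[Hop]:
    """Parse every Received: header and return the hops oldest-first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue  # e.g. a header with no "from ... by ..." clause
        from_name, middle, by_host = m.groups()
        ip = IPV4_RE.search(from_name + " " + middle)
        hops.append(Hop(from_name, ip.group(1) if ip else None, by_host, text))
    # Headers are prepended, so the top one is the newest; flip to delivery order.
    return list(reversed(hops))


def loopback_injections(hops: List[Hop]) -> List[Hop]:
    """Hops where a name outside LOCAL_NAMES delivered over 127.0.0.0/8.

    Such a hop reached the local MTA without a public-facing source address,
    so it is the one to reconcile against the known front-end proxy/filters.
    """
    return [
        h for h in hops
        if h.from_ip and h.from_ip.startswith("127.")
        and h.from_name.lower() not in LOCAL_NAMES
    ]


if __name__ == "__main__":
    chain = parse_received(SAMPLE_HEADERS)
    for n, h in enumerate(chain, 1):
        print(f"{n}. {h.from_name} [{h.from_ip or 'no IP'}] -> {h.by_host}")
    for h in loopback_injections(chain):
        print("VERIFY: loopback delivery claiming", h.from_name, "->", h.by_host)
```

Run against a real message, feed the full raw header block instead of SAMPLE_HEADERS and adjust LOCAL_NAMES to your own hostnames; on the chain above the only hop it singles out is mout3.freenet.de handing the message to Postfix from 127.0.0.1, which is exactly the hop the thread is debating.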

