> Have you tried looking in the assp log using the timestamp?

Yes, but until just now, it had not proven useful. I suspect that I may have found the problem, although I'll need confirmation from Fritz and Thomas. Just as your e-mail came in, another rogue came in:

Return-Path: <b...@secure.bmtmicro.com>
Received: from mini.thj.ca ([unix socket])
         by mini.thj.ca (Cyrus v2.3.8-OS X Server 10.5: 9G69) with LMTPA;
         Sat, 08 Aug 2009 13:03:45 -0400
X-Sieve: CMU Sieve 2.3
Received: from localhost (localhost [127.0.0.1])
        by mini.thj.ca (Postfix) with ESMTP id ABE2FB7174F
        for <edi...@alternate.com>; Sat,  8 Aug 2009 13:03:44 -0400 (EDT)
X-Virus-Scanned: amavisd-new at thj.ca
Received: from mini.thj.ca ([127.0.0.1])
        by localhost (mini.thj.ca [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id RnXFDASjWA-2 for <edi...@alternate.com>;
        Sat,  8 Aug 2009 13:03:43 -0400 (EDT)
Received: from mout0.freenet.de (localhost [127.0.0.1])
        by mini.thj.ca (Postfix) with ESMTP id 1BEE9B71743
        for <edi...@alternate.com>; Sat,  8 Aug 2009 13:03:43 -0400 (EDT)
Received: from [195.4.92.25] (helo=15.mx.freenet.de)
        by mout0.freenet.de with esmtpa (ID zxsgsgd9...@bossmail.de) (port 25) (Exim 4.69 #92)
        id 1MZpJq-0004Ux-UN; Sat, 08 Aug 2009 19:02:58 +0200
Received: from [82.128.0.85] (port=3808 helo=User)
        by 15.mx.freenet.de with esmtpa (ID zxsgsgd9...@bossmail.de) (port 25) (Exim 4.69 #93)
        id 1MZpJp-0002GR-3T; Sat, 08 Aug 2009 19:02:58 +0200
Reply-To: <ccgo...@gmail.com>
From: "Federal Reserve System"<b...@secure.bmtmicro.com>
Subject: From The Desk of: Dr. Ben S. Bernanke(VIEW ATTACHMENT AND GET BACK TO ME)
Date: Sat, 8 Aug 2009 13:02:18 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_00EA_01C2A9A6.30362AA4"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-purgate-ID: 149285::1249750978-00000B35-1E05ABCD/0-0/0-0
Message-Id: <20090808170343.1bee9b71...@mini.thj.ca>
To: undisclosed-recipients:;


It was again from mout0.freenet.de. On a hunch, I looked up the IP for this subdomain. It turns out that an SMTP request came in to assp from that IP at that time:

Aug-8-09 13:03:41 [Worker_2] Worker_2 wakes up
Aug-8-09 13:03:41 [Worker_2] Info: Worker_2 got connection from MainThread
Aug-8-09 13:03:41 [Main_Thread] Info: Main_Thread freed by idle Worker_2 in 0.021 seconds
Aug-8-09 13:03:41 [Worker_2] Connected: 195.4.92.90:46593 -> 66.96.20.5:25 -> 127.0.0.1:125
Aug-8-09 13:03:42 [Worker_2] 195.4.92.90 info: got STARTTLS request from 195.4.92.90
Aug-8-09 13:03:45 [Worker_2] Info: closed TLS connection for 127.0.0.1:125 and 195.4.92.90:46593
Aug-8-09 13:03:45 [Worker_2] Info: closed Proxy connection for  and
Aug-8-09 13:03:45 [Worker_2] Worker_2 will sleep now


This tells me we have a potential problem with TLS. If a spammer sends  
mail from an MTA that uses TLS to my MTA, then it gets through without  
assp processing the contents. We might as well not have assp on the  
machine at all from these connexions. An unauthenticated SMTP mail  
came in to the server through TLS. This suggests to me that we should  
only be doing TLS for authenticated users, otherwise anyone can get  
around assp with TLS, but assp does not seem to be doing that.

> Note that if they are ingenious haxors they would inject into  
> 127.0.0.1:10025 because it is the example post spam filter port.

This port is denied to external IPs by the firewall.

> I would also take a look at my webaccess logs for the timestamp. See  
> if there is a PUT or POST in that minute, check the link is legal.

I think that the TLS example from just now points to the culprit. I  
have it set to TLS by Proxy. If Do TLS does not prevent further e-mail  
getting through, then we do have a problem with TLS. Perhaps TLS  
should be separated into incoming and outgoing connexions.

I've had other problems with TLS, in that, with Do TLS, I do get  
proper assp review of messages but many clients have problems with  
this assp mode. I gave up and went back to TLS by Proxy, not realising  
that unauthenticated users could subvert assp with this setting.  
Thomas, any suggestions?

> If you have other external services which could be misused by  
> spammers, check those logs in that 2 minute time-frame.

None that appear to be available to external users.

> You should find a link via timestamps unless your server is  
> completely compromised.

I believe it's as secure as I can make it.

> I've been there - due to the secretary believing she didn't need to
> update anti-virus. Her PC was taken over and the hacker watched all
> the traffic in the ISP LAN where he got both sides of SSH
> conversations.

Yet another reason why I use Macs for everything. :-)

T.

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
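As an added illustration of the timestamp correlation done above (example code written for this page, not from the thread or from the ASSP project): it unfolds the Received headers, parses the assp "Connected:" lines, and pairs each hop with the assp session opened just before the hop's timestamp. It assumes the assp log is written in the server's local time (EDT, -0400).

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample input: the two relevant Received hops and the assp lines quoted above.
HEADERS = """\
Received: from mout0.freenet.de (localhost [127.0.0.1])
        by mini.thj.ca (Postfix) with ESMTP id 1BEE9B71743
        for <edi...@alternate.com>; Sat,  8 Aug 2009 13:03:43 -0400 (EDT)
Received: from [195.4.92.25] (helo=15.mx.freenet.de)
        by mout0.freenet.de with esmtpa (ID zxsgsgd9...@bossmail.de) (port 25) (Exim 4.69 #92)
        id 1MZpJq-0004Ux-UN; Sat, 08 Aug 2009 19:02:58 +0200
"""
ASSP_LOG = """\
Aug-8-09 13:03:41 [Worker_2] Connected: 195.4.92.90:46593 -> 66.96.20.5:25 -> 127.0.0.1:125
Aug-8-09 13:03:42 [Worker_2] 195.4.92.90 info: got STARTTLS request from 195.4.92.90
Aug-8-09 13:03:45 [Worker_2] Info: closed TLS connection for 127.0.0.1:125 and 195.4.92.90:46593
"""
LOG_TZ = timezone(timedelta(hours=-4))  # assumption: assp logs in the server's local time (EDT)

def received_hops(raw):
    """Unfold continuation lines; return (from, by, timestamp) per Received hop, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    hops = []
    for line in unfolded.splitlines():
        m = re.match(r"Received: from (\S+).*? by (\S+).*;\s*(.+)$", line)
        if m:
            hops.append((m.group(1), m.group(2), parsedate_to_datetime(m.group(3))))
    return hops

def assp_connections(raw):
    """Return (timestamp, source_ip) for every 'Connected:' line in the assp log."""
    conns = []
    for line in raw.splitlines():
        m = re.match(r"(\S+ \S+) \[\S+\] Connected: (\d+\.\d+\.\d+\.\d+):\d+ ->", line)
        if m:
            when = datetime.strptime(m.group(1), "%b-%d-%y %H:%M:%S").replace(tzinfo=LOG_TZ)
            conns.append((when, m.group(2)))
    return conns

def correlate(headers, log, window_s=10):
    """Pair each hop with assp connections opened up to window_s seconds before the hop's time."""
    # The local MTA only sees 127.0.0.1 once assp has proxied the session, so time, not IP, links them.
    matches = []
    for frm, by, when in received_hops(headers):
        for opened, ip in assp_connections(log):
            lag = (when - opened).total_seconds()
            if 0 <= lag <= window_s:
                matches.append({"hop": f"{frm} -> {by}", "log_ip": ip, "lag_s": lag})
    return matches
```

Only the mini.thj.ca hop lands inside the window; the freenet.de hop is 43 seconds earlier and stays unmatched, which is what lets the assp session for 195.4.92.90 be pinned to this message.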