> Have you tried looking in the assp log using the timestamp?

Yes, but until just now, it had not proven useful. I suspect that I may have found the problem, although I'll need confirmation from Fritz and Thomas. Just as your e-mail came in, another rogue came in:
Return-Path: <b...@secure.bmtmicro.com>
Received: from mini.thj.ca ([unix socket]) by mini.thj.ca (Cyrus v2.3.8-OS X Server 10.5: 9G69) with LMTPA; Sat, 08 Aug 2009 13:03:45 -0400
X-Sieve: CMU Sieve 2.3
Received: from localhost (localhost [127.0.0.1]) by mini.thj.ca (Postfix) with ESMTP id ABE2FB7174F for <edi...@alternate.com>; Sat, 8 Aug 2009 13:03:44 -0400 (EDT)
X-Virus-Scanned: amavisd-new at thj.ca
Received: from mini.thj.ca ([127.0.0.1]) by localhost (mini.thj.ca [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RnXFDASjWA-2 for <edi...@alternate.com>; Sat, 8 Aug 2009 13:03:43 -0400 (EDT)
Received: from mout0.freenet.de (localhost [127.0.0.1]) by mini.thj.ca (Postfix) with ESMTP id 1BEE9B71743 for <edi...@alternate.com>; Sat, 8 Aug 2009 13:03:43 -0400 (EDT)
Received: from [195.4.92.25] (helo=15.mx.freenet.de) by mout0.freenet.de with esmtpa (ID zxsgsgd9...@bossmail.de) (port 25) (Exim 4.69 #92) id 1MZpJq-0004Ux-UN; Sat, 08 Aug 2009 19:02:58 +0200
Received: from [82.128.0.85] (port=3808 helo=User) by 15.mx.freenet.de with esmtpa (ID zxsgsgd9...@bossmail.de) (port 25) (Exim 4.69 #93) id 1MZpJp-0002GR-3T; Sat, 08 Aug 2009 19:02:58 +0200
Reply-To: <ccgo...@gmail.com>
From: "Federal Reserve System"<b...@secure.bmtmicro.com>
Subject: From The Desk of: Dr. Ben S. Bernanke(VIEW ATTACHMENT AND GET BACK TO ME)
Date: Sat, 8 Aug 2009 13:02:18 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_00EA_01C2A9A6.30362AA4"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-purgate-ID: 149285::1249750978-00000B35-1E05ABCD/0-0/0-0
Message-Id: <20090808170343.1bee9b71...@mini.thj.ca>
To: undisclosed-recipients:;

It was again from mout0.freenet.de. On a hunch, I looked up the IP for this subdomain.
It turns out that an SMTP request came in to assp from that IP at that time:

Aug-8-09 13:03:41 [Worker_2] Worker_2 wakes up
Aug-8-09 13:03:41 [Worker_2] Info: Worker_2 got connection from MainThread
Aug-8-09 13:03:41 [Main_Thread] Info: Main_Thread freed by idle Worker_2 in 0.021 seconds
Aug-8-09 13:03:41 [Worker_2] Connected: 195.4.92.90:46593 -> 66.96.20.5:25 -> 127.0.0.1:125
Aug-8-09 13:03:42 [Worker_2] 195.4.92.90 info: got STARTTLS request from 195.4.92.90
Aug-8-09 13:03:45 [Worker_2] Info: closed TLS connection for 127.0.0.1:125 and 195.4.92.90:46593
Aug-8-09 13:03:45 [Worker_2] Info: closed Proxy connection for and
Aug-8-09 13:03:45 [Worker_2] Worker_2 will sleep now

This tells me we have a potential problem with TLS. If a spammer sends mail from an MTA that uses TLS to my MTA, then it gets through without assp processing the contents. We might as well not have assp on the machine at all for these connexions. An unauthenticated SMTP mail came in to the server through TLS. This suggests to me that we should only be doing TLS for authenticated users, otherwise anyone can get around assp with TLS, but assp does not seem to be doing that.

> Note that if they are ingenious haxors they would inject into
> 127.0.0.1:10025 because it is the example post spam filter port.

This port is denied to external IPs by the firewall.

> I would also take a look at my webaccess logs for the timestamp. See
> if there is a PUT or POST in that minute, check the link is legal.

I think that the TLS example from just now points to the culprit. I have it set to TLS by Proxy. If Do TLS does not prevent further e-mail getting through, then we do have a problem with TLS. Perhaps TLS should be separated into incoming and outgoing connexions. I've had other problems with TLS, in that, with Do TLS, I do get proper assp review of messages but many clients have problems with this assp mode.
I gave up and went back to TLS by Proxy, not realising that unauthenticated users could subvert assp with this setting. Thomas, any suggestions?

> If you have other external services which could be misused by
> spammers, check those logs in that 2 minute time-frame.

None that appear to be available to external users.

> You should find a link via timestamps unless your server is
> completely compromised.

I believe it's as secure as I can make it.

> I've been there - due to the secretary believing she didn't need to
> update anti-virus. Her PC was taken over and the hacker watched all
> the traffic in the ISP LAN where he got both sides of SSH
> conversations.

Yet another reason why I use Macs for everything. :-)

T.

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
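The correlation the poster did by hand above (pull the hop where the local Postfix accepted the message, find the assp connection open at that second, check whether it negotiated STARTTLS and whether assp logged anything else about it) can be scripted. The following is an added example written for this page; it is not code from the thread or from the assp project. It assumes the assp log is stamped in the server's local time (-0400, the same zone the Postfix Received stamps carry), treats a proxied connection that requested STARTTLS and for which assp logged nothing between "Connected:" and "closed Proxy connection" as having carried the message past the filter unscanned (a heuristic, not an assp log semantic), hard-codes the mout0.freenet.de -> 195.4.92.90 mapping the poster obtained by hand so the script runs offline, and goes beyond the post by adding one constructed, unrelated connection (Worker_1, peer 203.0.113.7) to show that connections outside the time window are ignored. The Received chain is the poster's; other headers are trimmed.

```python
"""Correlate a message's Received chain with assp proxy log lines.

Assumptions (not from the page): assp log timezone is -0400; a STARTTLS
connection with no other assp lines is treated as unscanned; Worker_1 /
203.0.113.7 below is a constructed negative case; RESOLVED mirrors the
poster's manual DNS lookup.
"""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

ASSP_LOG_TZ = timezone(timedelta(hours=-4))  # assumed: log stamped in EDT
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ASSP_LINE = re.compile(r"^(?P<stamp>[A-Z][a-z]{2}-\d{1,2}-\d{2} \d{2}:\d{2}:\d{2}) "
                       r"\[(?P<worker>[^\]]+)\] (?P<msg>.*)$")
CONNECTED = re.compile(rf"Connected: (?P<peer>{IP}):(?P<port>\d+) -> ")
STARTTLS = re.compile(r"got STARTTLS request from " + IP)
CLOSED_PROXY = re.compile(r"closed Proxy connection")
# Connection-lifecycle chatter that says nothing about the message itself.
LIFECYCLE = re.compile(r"wakes up|got connection from MainThread|closed TLS connection|will sleep now")
POSTFIX_HOP = re.compile(r"from (?P<helo>\S+) \((?P<rdns>[^)]*)\) by (?P<by>\S+) \(Postfix\)")


def parse_assp_log(text, tz=ASSP_LOG_TZ):
    """Group assp log lines into per-worker records, 'Connected:' to 'closed Proxy connection'."""
    records, open_conns = [], {}
    for raw in text.splitlines():
        m = ASSP_LINE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(m["stamp"], "%b-%d-%y %H:%M:%S").replace(tzinfo=tz)
        worker, msg = m["worker"], m["msg"]
        c = CONNECTED.search(msg)
        if c:
            open_conns[worker] = {"peer": c["peer"], "start": when, "end": None,
                                  "starttls": False, "other_lines": []}
            continue
        rec = open_conns.get(worker)
        if rec is None:
            continue
        if STARTTLS.search(msg):
            rec["starttls"] = True
        elif CLOSED_PROXY.search(msg):
            rec["end"] = when
            records.append(open_conns.pop(worker))
        elif not LIFECYCLE.search(msg):
            rec["other_lines"].append(msg)  # anything assp said about the message
    return records


def local_delivery_hop(raw_headers, local_mta):
    """Earliest 'by <local_mta> (Postfix)' hop, i.e. acceptance from the proxy: (helo, rdns, when)."""
    msg = message_from_string(raw_headers)
    for hop in reversed(msg.get_all("Received", [])):
        hop = " ".join(hop.split())
        m = POSTFIX_HOP.match(hop)
        if m and m["by"] == local_mta:
            return m["helo"], m["rdns"], parsedate_to_datetime(hop.rsplit(";", 1)[1].strip())
    return None


def correlate(raw_headers, assp_log, local_mta, window=timedelta(seconds=60), resolved=None):
    """assp connections that were open within `window` of the local MTA accepting the message."""
    hop = local_delivery_hop(raw_headers, local_mta)
    if hop is None:
        return []
    helo, _rdns, accepted = hop
    hits = []
    for rec in parse_assp_log(assp_log):
        if rec["end"] is None or not (rec["start"] - window <= accepted <= rec["end"] + window):
            continue
        hits.append({
            "peer": rec["peer"], "helo": helo, "connected": rec["start"], "accepted": accepted,
            "starttls": rec["starttls"],
            "opaque_to_assp": rec["starttls"] and not rec["other_lines"],  # heuristic, see docstring
            "peer_matches_helo": (rec["peer"] in resolved.get(helo, set())) if resolved else None,
        })
    return hits


# Received chain from the post; remaining headers trimmed.
SAMPLE_HEADERS = """Return-Path: <b...@secure.bmtmicro.com>
Received: from mini.thj.ca ([unix socket]) by mini.thj.ca (Cyrus v2.3.8-OS X Server 10.5: 9G69) with LMTPA; Sat, 08 Aug 2009 13:03:45 -0400
Received: from localhost (localhost [127.0.0.1]) by mini.thj.ca (Postfix) with ESMTP id ABE2FB7174F for <edi...@alternate.com>; Sat, 8 Aug 2009 13:03:44 -0400 (EDT)
Received: from mini.thj.ca ([127.0.0.1]) by localhost (mini.thj.ca [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RnXFDASjWA-2 for <edi...@alternate.com>; Sat, 8 Aug 2009 13:03:43 -0400 (EDT)
Received: from mout0.freenet.de (localhost [127.0.0.1]) by mini.thj.ca (Postfix) with ESMTP id 1BEE9B71743 for <edi...@alternate.com>; Sat, 8 Aug 2009 13:03:43 -0400 (EDT)
Received: from [195.4.92.25] (helo=15.mx.freenet.de) by mout0.freenet.de with esmtpa (ID zxsgsgd9...@bossmail.de) (port 25) (Exim 4.69 #92) id 1MZpJq-0004Ux-UN; Sat, 08 Aug 2009 19:02:58 +0200
Received: from [82.128.0.85] (port=3808 helo=User) by 15.mx.freenet.de with esmtpa (ID zxsgsgd9...@bossmail.de) (port 25) (Exim 4.69 #93) id 1MZpJp-0002GR-3T; Sat, 08 Aug 2009 19:02:58 +0200
From: "Federal Reserve System"<b...@secure.bmtmicro.com>
Subject: From The Desk of: Dr. Ben S. Bernanke(VIEW ATTACHMENT AND GET BACK TO ME)
"""
# assp lines from the post plus one constructed unrelated connection (Worker_1) outside the window.
SAMPLE_ASSP_LOG = """Aug-8-09 13:02:05 [Worker_1] Connected: 203.0.113.7:51000 -> 66.96.20.5:25 -> 127.0.0.1:125
Aug-8-09 13:02:06 [Worker_1] Info: closed Proxy connection for and
Aug-8-09 13:03:41 [Worker_2] Worker_2 wakes up
Aug-8-09 13:03:41 [Worker_2] Info: Worker_2 got connection from MainThread
Aug-8-09 13:03:41 [Main_Thread] Info: Main_Thread freed by idle Worker_2 in 0.021 seconds
Aug-8-09 13:03:41 [Worker_2] Connected: 195.4.92.90:46593 -> 66.96.20.5:25 -> 127.0.0.1:125
Aug-8-09 13:03:42 [Worker_2] 195.4.92.90 info: got STARTTLS request from 195.4.92.90
Aug-8-09 13:03:45 [Worker_2] Info: closed TLS connection for 127.0.0.1:125 and 195.4.92.90:46593
Aug-8-09 13:03:45 [Worker_2] Info: closed Proxy connection for and
Aug-8-09 13:03:45 [Worker_2] Worker_2 will sleep now
"""
RESOLVED = {"mout0.freenet.de": {"195.4.92.90"}}  # the poster's manual lookup, hard-coded

if __name__ == "__main__":
    for h in correlate(SAMPLE_HEADERS, SAMPLE_ASSP_LOG, "mini.thj.ca", resolved=RESOLVED):
        print(f"{h['peer']} (helo {h['helo']}, matches={h['peer_matches_helo']}) connected "
              f"{h['connected']:%H:%M:%S}, accepted {h['accepted']:%H:%M:%S}, "
              f"STARTTLS={h['starttls']}, opaque_to_assp={h['opaque_to_assp']}")
```

Run against the post's data it reports one hit, 195.4.92.90, connected 13:03:41 and accepted by Postfix at 13:03:43, with STARTTLS requested and nothing else logged by assp, which is the evidence the poster is relying on. The acceptance time is taken from the bottom-most `by mini.thj.ca (Postfix)` hop rather than the Cyrus or amavisd hops because that is the hand-off from the proxy; comparing in timezone-aware datetimes keeps the -0400 Postfix stamps and the +0200 Exim stamps consistent. Replace `RESOLVED` with a real forward lookup of the HELO name when running online.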