> 22-Dec-2011 14:37:43 m3-82663-01738 187.14.220.166
> <red...@somelocaldomain.ca> to: valid...@yahoo.com.br recipient accepted:
> valid...@yahoo.com.br
Anywhere before this line, there must be a log line that shows the reason
why 'valid...@yahoo.com.br' is a valid local address/local domain or
(187.14.220.166) is in acceptAllMail.
The command sequence 'EHLO,RSET,MAIL FROM,.....' could not be the reason,
because the first action of ASSP on 'MAIL FROM' is an internal 'RSET'.
Thomas
From: Administrateur des Sytèmes <sysad...@satelcom.qc.ca>
To: assp-test@lists.sourceforge.net
Date: 23.12.2011 20:58
Subject: [Assp-test] ASSP 2.1.1 / HELO followed by RSET = openrelay?
Hi All,
I'm currently running ASSP 2.1.1 (11355) on five Linux boxes and I'm
currently observing a strange behavior from ASSP. Well, a few
days back, my MTA queue got filled by spam messages from spoofed sender
that are usually blocked by ASSP. After some hours spent
investigating this issue (and cleaning the notspam corpus), I've found
that the spammers were able to bypass most (if not all)
IP/sender/content validation tests by sending an RSET command right after
the HELO command, thus turning my five ASSP boxes into
open relays. I was running version 11354 when I saw this for the first
time. I upgraded to 11355 and the issue is still there.
Example:
22-Dec-2011 14:37:43 m3-82663-01738 187.14.220.166
<red...@somelocaldomain.ca> to: valid...@yahoo.com.br recipient accepted:
valid...@yahoo.com.br
22-Dec-2011 14:37:44 m3-82663-01738 [MessageOK] 187.14.220.166
<red...@somelocaldomain.ca> to: valid...@yahoo.com.br message ok
[smtp.somelocaldomain.ca:587] ->
/opt/assp/notspam/smtp_somelocaldomain_ca_587--151296.eml
22-Dec-2011 14:37:44 m3-82663-01738 187.14.220.166
<red...@somelocaldomain.ca> to: valid...@yahoo.com.br info: no (more) data
readable from 187.14.220.166 (connection closed by peer) - last command
was 'QUIT'
22-Dec-2011 14:37:44 m3-82663-01738 187.14.220.166
<red...@somelocaldomain.ca> to: valid...@yahoo.com.br finished message -
received
DATA size: 0 Byte - sent DATA size: 465 Byte
22-Dec-2011 14:37:44 Disconnected: 187.14.220.166 - command list was
'EHLO,RSET,MAIL FROM,RCPT TO,DATA,QUIT' - used 9 SocketCalls
Am I the only one with this issue?
Thanks
Eric
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
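
Added example (not part of the thread and not ASSP code): a log check for the situation discussed above. It lists every "recipient accepted" entry whose recipient domain is not local and notes whether the same client sent RSET before MAIL FROM. LOCAL_DOMAINS, the sample addresses and the IPs are assumptions; each finding is a prompt to look for the earlier log line that explains the acceptance.

```python
import re
from collections import defaultdict

# Assumption: the domains this ASSP instance accepts mail for (hypothetical).
LOCAL_DOMAINS = {"somelocaldomain.example"}

# Constructed sample modelled on the log format quoted in the thread
# (one entry per line; addresses and IPs are placeholders).
SAMPLE_LOG = """\
22-Dec-2011 14:37:43 m3-00001-00001 203.0.113.7 <a@somelocaldomain.example> to: victim@remote.example recipient accepted: victim@remote.example
22-Dec-2011 14:37:44 m3-00001-00001 [MessageOK] 203.0.113.7 <a@somelocaldomain.example> to: victim@remote.example message ok
22-Dec-2011 14:37:44 Disconnected: 203.0.113.7 - command list was 'EHLO,RSET,MAIL FROM,RCPT TO,DATA,QUIT' - used 9 SocketCalls
22-Dec-2011 14:40:10 m3-00002-00002 198.51.100.9 <b@remote.example> to: user@somelocaldomain.example recipient accepted: user@somelocaldomain.example
22-Dec-2011 14:40:11 Disconnected: 198.51.100.9 - command list was 'EHLO,MAIL FROM,RCPT TO,DATA,QUIT' - used 8 SocketCalls
"""

ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<sid>m\d-\d+-\d+) (?:\[\w+\] )?"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) "
    r".*recipient accepted: (?P<rcpt>\S+@(?P<dom>\S+))$")
DISC_RE = re.compile(
    r"Disconnected: (?P<ip>\d+\.\d+\.\d+\.\d+) - "
    r"command list was '(?P<cmds>[^']*)'")

def find_relayed(log_text, local_domains=LOCAL_DOMAINS):
    """Return one finding per accepted recipient outside local_domains."""
    cmds_by_ip = defaultdict(list)   # client IP -> command lists seen
    accepted = []                    # parsed 'recipient accepted' entries
    for line in log_text.splitlines():
        if (m := DISC_RE.search(line)):
            cmds_by_ip[m["ip"]].append(m["cmds"].split(","))
        elif (m := ACCEPT_RE.match(line)):
            accepted.append(m.groupdict())
    findings = []
    for a in accepted:
        if a["dom"].lower() in local_domains:
            continue                 # normal inbound delivery
        # Did any session from this IP send RSET before MAIL FROM?
        rset_first = any(
            "RSET" in c and "MAIL FROM" in c
            and c.index("RSET") < c.index("MAIL FROM")
            for c in cmds_by_ip[a["ip"]])
        findings.append({"session": a["sid"], "ip": a["ip"],
                         "rcpt": a["rcpt"], "rset_before_mail": rset_first})
    return findings

if __name__ == "__main__":
    for finding in find_relayed(SAMPLE_LOG):
        print(finding)
```

The check knows nothing about acceptAllMail or other relay settings, so a finding for an IP listed there is expected rather than a fault.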