Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is used
This line gives me cause for concern for you. Something running on localhost sent or proxied this message AND used valid credentials to send the message.

What do the collected emails show? Are they definitely junk messages? If so, you need to turn up logging to find out which credentials have been used and change those. Next step would be to see what process on localhost is passing these messages to ASSP and lock it down.

I did a little bit of poking around on your IP to see if anything obvious stood out, but didn't want to do anything intrusive without asking. The only thing I can see is it looks like you have two different MTAs running. Port 25 responds with a Symantec banner and port 587 responds with a Postfix banner. I'm not sure if one may be proxying and less secure but I didn't test.

You could update OpenSSL that Apache is using from za to zc as there have been a lot of OpenSSL vulnerabilities this year. I don't know if that is likely to have any relevance though.

On 11/12/2014 00:21, James Brown wrote:
> I’m a bit puzzled by this. I’ve noticed in the logs emails coming from and
> going to email addresses that have nothing to do with my domain.
>
> Eg:
>
> Dec-11-14 10:23:53 [Worker_2] Connected: session:7FAD1B6519F8 127.0.0.1:51769 > 127.0.0.1:25 > 127.0.0.1:10026
> Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is used
> Dec-11-14 10:24:12 id-53842-01613 [Worker_2] [MessageOK] 127.0.0.1 <[email protected]> to: [email protected] message ok [Re Josette et Michel Basset] -> /Applications/assp/notspam/1613.eml
> Dec-11-14 10:24:14 [Worker_1] Finished message - received DATA size: 17.27 kByte - sent DATA size: 17.49 kByte
> Dec-11-14 10:24:14 [Worker_1] Disconnected: session:7FACFD3C7970 127.0.0.1 - processing time 62 seconds
> Dec-11-14 10:24:25 id-53858-12500 [Worker_2] [MessageOK] 127.0.0.1 <[email protected]> to: [email protected] message ok [To MJ Burgat] -> /Applications/assp/notspam/12500.eml
> Dec-11-14 10:24:26 [Worker_2] Finished message - received DATA size: 1.78 kByte - sent DATA size: 2.18 kByte
> Dec-11-14 10:24:26 [Worker_2] Disconnected: session:7FAD1B6519F8 127.0.0.1 - processing time 33 seconds
>
> My domain is bordo.com.au <http://bordo.com.au/>, not yahoo.com or orange.fr <http://orange.fr/>.
>
> I’ve done external tests and they all show that I’m not an open relay.
>
> I think I need to remove 127.0.0.1 from acceptAllMail, and turn on DoLocalSenderDomain.
>
> Does this sound right?
>
> Anything else I should look at?
>
> ASSP version 2.4.4(14343)
>
> Thanks,
>
> James.
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate!
> Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
> _______________________________________________
> Assp-test mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/assp-test
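Added example (not part of the thread and not ASSP code): one way to sweep a maillog for what the reply describes, i.e. messages accepted from loopback where neither sender nor recipient belongs to the local domain, together with the AUTH mechanism logged on that connection. It assumes lines from one connection share a [Worker_N] tag between Connected and Disconnected; the function names and the sample lines (example.* addresses, session ids) are constructed.

```python
import re

LOCAL_DOMAINS = {"bordo.com.au"}   # the poster's domain, as stated in the thread
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample in the layout of the quoted log; not values from the thread.
SAMPLE_LOG = """\
Dec-11-14 10:23:53 [Worker_2] Connected: session:AAAA0001 127.0.0.1:51769 > 127.0.0.1:25 > 127.0.0.1:10026
Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is used
Dec-11-14 10:24:12 id-00001-00001 [Worker_2] [MessageOK] 127.0.0.1 <alice@example.org> to: bob@example.net message ok [Hello] -> /Applications/assp/notspam/1.eml
Dec-11-14 10:24:26 [Worker_2] Disconnected: session:AAAA0001 127.0.0.1 - processing time 33 seconds
Dec-11-14 10:25:01 [Worker_1] Connected: session:BBBB0002 127.0.0.1:51800 > 127.0.0.1:25 > 127.0.0.1:10026
Dec-11-14 10:25:09 id-00002-00002 [Worker_1] [MessageOK] 127.0.0.1 <james@bordo.com.au> to: carol@example.com message ok [Invoice] -> /Applications/assp/notspam/2.eml
Dec-11-14 10:25:10 [Worker_1] Disconnected: session:BBBB0002 127.0.0.1 - processing time 9 seconds
"""

LINE = re.compile(r"^(\S+ \S+) (?:id-\S+ )?\[(Worker_\d+)\] (.*)$")
CONNECTED = re.compile(r"^Connected: session:(\S+)")
AUTH = re.compile(r"info: authentication - (\S+) is used")
MSG_OK = re.compile(r"^\[MessageOK\] (\S+) <([^>]*)> to: (\S+)")

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def find_foreign_relays(log_text, local_domains=LOCAL_DOMAINS):
    """Return MessageOK events from loopback with no local-domain party."""
    state = {}      # worker tag -> {"session": id, "auth": mechanism or None}
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, worker, rest = m.groups()
        if c := CONNECTED.match(rest):
            state[worker] = {"session": c.group(1), "auth": None}
        elif a := AUTH.search(rest):
            state.setdefault(worker, {"session": None, "auth": None})["auth"] = a.group(1)
        elif rest.startswith("Disconnected:"):
            state.pop(worker, None)
        elif ok := MSG_OK.match(rest):
            ip, sender, rcpt = ok.groups()
            foreign = {domain(sender), domain(rcpt)}.isdisjoint(local_domains)
            if ip in LOOPBACK and foreign:
                s = state.get(worker, {})
                findings.append({"time": stamp, "session": s.get("session"),
                                 "auth": s.get("auth"), "from": sender, "to": rcpt})
    return findings

if __name__ == "__main__":
    for f in find_foreign_relays(SAMPLE_LOG):
        print(f)
```

A hit only shows that AUTH was used on the connection; identifying the account still needs the more verbose logging the reply recommends.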
