Done some more looking at logs. One thing I didn’t mention is that we use stunnel to TLS SMTP. Looking at its log at this time I see:
2014.12.11 10:23:51 LOG7[140735150184800]: Service [ssmtp] accepted (FD=10) from 41.43.219.15:3693 2014.12.11 10:23:51 LOG7[4403986432]: Service [ssmtp] started 2014.12.11 10:23:51 LOG5[4403986432]: Service [ssmtp] accepted connection from 41.43.219.15:3693 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): before/accept initialization 2014.12.11 10:23:51 LOG7[4403986432]: SNI: no virtual services defined 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 read client hello A 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write server hello A 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write certificate A 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write key exchange A 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write server done A 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 flush data 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 read client key exchange A 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 read finished A 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write session ticket A 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write change cipher spec A 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write finished A 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 flush data 2014.12.11 10:23:53 LOG7[4403986432]: 51 items in the session cache 2014.12.11 10:23:53 LOG7[4403986432]: 0 client connects (SSL_connect()) 2014.12.11 10:23:53 LOG7[4403986432]: 0 client connects that finished 2014.12.11 10:23:53 LOG7[4403986432]: 0 client renegotiations requested 2014.12.11 10:23:53 LOG7[4403986432]: 101 server connects (SSL_accept()) 2014.12.11 10:23:53 LOG7[4403986432]: 98 server connects that finished 2014.12.11 10:23:53 LOG7[4403986432]: 0 server renegotiations requested 2014.12.11 10:23:53 LOG7[4403986432]: 14 session cache hits 2014.12.11 10:23:53 LOG7[4403986432]: 0 external session cache hits 2014.12.11 10:23:53 LOG7[4403986432]: 1 session cache misses 2014.12.11 10:23:53 LOG7[4403986432]: 9 session cache timeouts 2014.12.11 10:23:53 LOG6[4403986432]: No peer certificate received 2014.12.11 10:23:53 LOG6[4403986432]: SSL accepted: new session negotiated 2014.12.11 10:23:53 LOG6[4403986432]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption) 2014.12.11 10:23:53 LOG6[4403986432]: Compression: null, expansion: null 2014.12.11 10:23:53 LOG6[4403986432]: s_connect: connecting 127.0.0.1:25 2014.12.11 10:23:53 LOG7[4403986432]: s_connect: s_poll_wait 127.0.0.1:25: waiting 10 seconds 2014.12.11 10:23:53 LOG5[4403986432]: s_connect: connected 127.0.0.1:25 2014.12.11 10:23:53 LOG5[4403986432]: Service [ssmtp] connected remote server from 127.0.0.1:51769 2014.12.11 10:23:53 LOG7[4403986432]: Remote socket (FD=11) initialized 2014.12.11 10:24:12 LOG7[4403986432]: SSL_read returned WANT_READ: retrying 2014.12.11 10:24:14 LOG7[4403908608]: SSL alert (read): warning: close notify 2014.12.11 10:24:14 LOG6[4403908608]: SSL closed (SSL_read) 2014.12.11 10:24:14 LOG7[4403908608]: Sent socket write shutdown 2014.12.11 10:24:14 LOG6[4403908608]: Read socket closed (readsocket) 2014.12.11 10:24:14 LOG7[4403908608]: Sending close_notify alert 2014.12.11 10:24:14 LOG7[4403908608]: SSL alert (write): warning: close notify 2014.12.11 10:24:14 LOG6[4403908608]: SSL_shutdown successfully sent close_notify alert 2014.12.11 10:24:14 LOG5[4403908608]: Connection closed: 296 byte(s) sent to SSL, 17742 byte(s) sent to socket 2014.12.11 10:24:14 LOG7[4403908608]: Remote socket (FD=9) closed 2014.12.11 10:24:14 LOG7[4403908608]: Local socket (FD=3) closed 2014.12.11 10:24:14 LOG7[4403908608]: Service [ssmtp] finished (1 left) 2014.12.11 10:24:24 LOG7[4403986432]: SSL_read returned WANT_READ: retrying 2014.12.11 10:24:26 LOG6[4403986432]: Read socket closed (readsocket) 2014.12.11 10:24:26 LOG7[4403986432]: Sending close_notify alert 2014.12.11 10:24:26 LOG7[4403986432]: SSL alert (write): warning: close notify 2014.12.11 10:24:26 LOG6[4403986432]: SSL_shutdown successfully sent close_notify alert 2014.12.11 10:24:27 LOG7[4403986432]: SSL alert (read): warning: close notify 2014.12.11 10:24:27 LOG6[4403986432]: SSL closed (SSL_read) 2014.12.11 10:24:27 LOG7[4403986432]: Sent socket write shutdown 2014.12.11 10:24:27 LOG5[4403986432]: Connection closed: 596 byte(s) sent to SSL, 4446 byte(s) sent to socket 2014.12.11 10:24:27 LOG7[4403986432]: Remote socket (FD=11) closed 2014.12.11 10:24:27 LOG7[4403986432]: Local socket (FD=10) closed 2014.12.11 10:24:27 LOG7[4403986432]: Service [ssmtp] finished (0 left) So looks like the remote IP is 41.43.219.15 in this case (not our IP). James. > On 11 Dec 2014, at 8:46 pm, Colin <[email protected]> wrote: > > Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is used > > This line gives me cause for concern for you. Something running on > localhost sent or proxied this message AND used valid credentials to > send the message. > > What do the collected emails show? Are they definitely junk messages? > If so you need to turn up logging to find out which credentials have > been used and change those. Next step would be to see what process on > localhost is passing these messages to ASSP and lock it down. > > I did a little bit of poking around on your IP to see if anything > obvious stood out, but didn't want to do anything intrusive without > asking. The only thing I can see is it looks like you have two different > MTAs running. Port 25 responds with a Symantec banner and port 587 > responds with a Postfix banner. I'm not sure if one may be proxying and > less secure but I didn't test. > > You could update OpenSSL that Apache is using from za to zc as there > have been a lot of OpenSSL vulnerabilities this year. I don't know if > that is likely to have any relevance though. > > On 11/12/2014 00:21, James Brown wrote: >> I’m a bit puzzled by this. I’ve noticed in the logs emails coming from and >> going to email addresses that have nothing to do with my domain. >> >> Eg: >> >> Dec-11-14 10:23:53 [Worker_2] Connected: session:7FAD1B6519F8 >> 127.0.0.1:51769 > 127.0.0.1:25 > 127.0.0.1:10026 >> Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is used >> Dec-11-14 10:24:12 id-53842-01613 [Worker_2] [MessageOK] 127.0.0.1 >> <[email protected]> to: [email protected] message ok [Re Josette et >> Michel Basset] -> /Applications/assp/notspam/1613.eml >> Dec-11-14 10:24:14 [Worker_1] Finished message - received DATA size: 17.27 >> kByte - sent DATA size: 17.49 kByte >> Dec-11-14 10:24:14 [Worker_1] Disconnected: session:7FACFD3C7970 127.0.0.1 - >> processing time 62 seconds >> Dec-11-14 10:24:25 id-53858-12500 [Worker_2] [MessageOK] 127.0.0.1 >> <[email protected]> to: [email protected] message ok [To MJ Burgat] -> >> /Applications/assp/notspam/12500.eml >> Dec-11-14 10:24:26 [Worker_2] Finished message - received DATA size: 1.78 >> kByte - sent DATA size: 2.18 kByte >> Dec-11-14 10:24:26 [Worker_2] Disconnected: session:7FAD1B6519F8 127.0.0.1 - >> processing time 33 seconds >> >> My domain is bordo.com.au <http://bordo.com.au/>, not yahoo.com or orange.fr >> <http://orange.fr/>. >> >> I’ve done external tests and they all show that I’m not an open relay. >> >> I think I need to remove 127.0.0.1 from acceptAllMail, and turn on >> DoLocalSenderDomain. >> >> Does this sound right? >> >> Anything else I should look at? >> >> ASSP version 2.4.4(14343) >> >> Thanks, >> >> James. >> >> ------------------------------------------------------------------------------ >> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server >> from Actuate! Instantly Supercharge Your Business Reports and Dashboards >> with Interactivity, Sharing, Native Excel Exports, App Integration & more >> Get technology previously reserved for billion-dollar corporations, FREE >> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk >> _______________________________________________ >> Assp-test mailing list >> [email protected] >> https://lists.sourceforge.net/lists/listinfo/assp-test > > > ------------------------------------------------------------------------------ > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server > from Actuate! Instantly Supercharge Your Business Reports and Dashboards > with Interactivity, Sharing, Native Excel Exports, App Integration & more > Get technology previously reserved for billion-dollar corporations, FREE > http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk > _______________________________________________ > Assp-test mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/assp-test ------------------------------------------------------------------------------ Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk _______________________________________________ Assp-test mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/assp-test
