Ahh, then I went into far too much detail! You need to find out the credentials being used because it looks like someone has gotten hold of a password. Authenticated email bypasses a lot of checks that ASSP does.
On 11/12/2014 10:15, James Brown wrote: > Done some more looking at logs. > > One thing I didn’t mention is that we use stunnel to TLS SMTP. Looking at its > log at this time I see: > > 2014.12.11 10:23:51 LOG7[140735150184800]: Service [ssmtp] accepted (FD=10) > from 41.43.219.15:3693 > 2014.12.11 10:23:51 LOG7[4403986432]: Service [ssmtp] started > 2014.12.11 10:23:51 LOG5[4403986432]: Service [ssmtp] accepted connection > from 41.43.219.15:3693 > 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): before/accept > initialization > 2014.12.11 10:23:51 LOG7[4403986432]: SNI: no virtual services defined > 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 read client > hello A > 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write server > hello A > 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write > certificate A > 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write key > exchange A > 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write server > done A > 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 flush data > 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 read client > key exchange A > 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 read finished > A > 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write session > ticket A > 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write change > cipher spec A > 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write > finished A > 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 flush data > 2014.12.11 10:23:53 LOG7[4403986432]: 51 items in the session cache > 2014.12.11 10:23:53 LOG7[4403986432]: 0 client connects (SSL_connect()) > 2014.12.11 10:23:53 LOG7[4403986432]: 0 client connects that finished > 2014.12.11 10:23:53 LOG7[4403986432]: 0 client renegotiations requested > 2014.12.11 10:23:53 LOG7[4403986432]: 101 server connects (SSL_accept()) > 2014.12.11 10:23:53 LOG7[4403986432]: 98 server connects that finished > 2014.12.11 10:23:53 LOG7[4403986432]: 0 server renegotiations requested > 2014.12.11 10:23:53 LOG7[4403986432]: 14 session cache hits > 2014.12.11 10:23:53 LOG7[4403986432]: 0 external session cache hits > 2014.12.11 10:23:53 LOG7[4403986432]: 1 session cache misses > 2014.12.11 10:23:53 LOG7[4403986432]: 9 session cache timeouts > 2014.12.11 10:23:53 LOG6[4403986432]: No peer certificate received > 2014.12.11 10:23:53 LOG6[4403986432]: SSL accepted: new session negotiated > 2014.12.11 10:23:53 LOG6[4403986432]: Negotiated TLSv1.2 ciphersuite > ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption) > 2014.12.11 10:23:53 LOG6[4403986432]: Compression: null, expansion: null > 2014.12.11 10:23:53 LOG6[4403986432]: s_connect: connecting 127.0.0.1:25 > 2014.12.11 10:23:53 LOG7[4403986432]: s_connect: s_poll_wait 127.0.0.1:25: > waiting 10 seconds > 2014.12.11 10:23:53 LOG5[4403986432]: s_connect: connected 127.0.0.1:25 > 2014.12.11 10:23:53 LOG5[4403986432]: Service [ssmtp] connected remote server > from 127.0.0.1:51769 > 2014.12.11 10:23:53 LOG7[4403986432]: Remote socket (FD=11) initialized > 2014.12.11 10:24:12 LOG7[4403986432]: SSL_read returned WANT_READ: retrying > 2014.12.11 10:24:14 LOG7[4403908608]: SSL alert (read): warning: close notify > 2014.12.11 10:24:14 LOG6[4403908608]: SSL closed (SSL_read) > 2014.12.11 10:24:14 LOG7[4403908608]: Sent socket write shutdown > 2014.12.11 10:24:14 LOG6[4403908608]: Read socket closed (readsocket) > 2014.12.11 10:24:14 LOG7[4403908608]: Sending close_notify alert > 2014.12.11 10:24:14 LOG7[4403908608]: SSL alert (write): warning: close notify > 2014.12.11 10:24:14 LOG6[4403908608]: SSL_shutdown successfully sent > close_notify alert > 2014.12.11 10:24:14 LOG5[4403908608]: Connection closed: 296 byte(s) sent to > SSL, 17742 byte(s) sent to socket > 2014.12.11 10:24:14 LOG7[4403908608]: Remote socket (FD=9) closed > 2014.12.11 10:24:14 LOG7[4403908608]: Local socket (FD=3) closed > 2014.12.11 10:24:14 LOG7[4403908608]: Service [ssmtp] finished (1 left) > 2014.12.11 10:24:24 LOG7[4403986432]: SSL_read returned WANT_READ: retrying > 2014.12.11 10:24:26 LOG6[4403986432]: Read socket closed (readsocket) > 2014.12.11 10:24:26 LOG7[4403986432]: Sending close_notify alert > 2014.12.11 10:24:26 LOG7[4403986432]: SSL alert (write): warning: close notify > 2014.12.11 10:24:26 LOG6[4403986432]: SSL_shutdown successfully sent > close_notify alert > 2014.12.11 10:24:27 LOG7[4403986432]: SSL alert (read): warning: close notify > 2014.12.11 10:24:27 LOG6[4403986432]: SSL closed (SSL_read) > 2014.12.11 10:24:27 LOG7[4403986432]: Sent socket write shutdown > 2014.12.11 10:24:27 LOG5[4403986432]: Connection closed: 596 byte(s) sent to > SSL, 4446 byte(s) sent to socket > 2014.12.11 10:24:27 LOG7[4403986432]: Remote socket (FD=11) closed > 2014.12.11 10:24:27 LOG7[4403986432]: Local socket (FD=10) closed > 2014.12.11 10:24:27 LOG7[4403986432]: Service [ssmtp] finished (0 left) > > So looks like the remote IP is 41.43.219.15 in this case (not our IP). > > James. > >> On 11 Dec 2014, at 8:46 pm, Colin <[email protected]> wrote: >> >> Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is used >> >> This line gives me cause for concern for you. Something running on >> localhost sent or proxied this message AND used valid credentials to >> send the message. >> >> What do the collected emails show? Are they definitely junk messages? >> If so you need to turn up logging to find out which credentials have >> been used and change those. Next step would be to see what process on >> localhost is passing these messages to ASSP and lock it down. >> >> I did a little bit of poking around on your IP to see if anything >> obvious stood out, but didn't want to do anything intrusive without >> asking. The only thing I can see is it looks like you have two different >> MTAs running. Port 25 responds with a Symantec banner and port 587 >> responds with a Postfix banner. I'm not sure if one may be proxying and >> less secure but I didn't test. >> >> You could update OpenSSL that Apache is using from za to zc as there >> have been a lot of OpenSSL vulnerabilities this year. I don't know if >> that is likely to have any relevance though. >> >> On 11/12/2014 00:21, James Brown wrote: >>> I’m a bit puzzled by this. I’ve noticed in the logs emails coming from and >>> going to email addresses that have nothing to do with my domain. >>> >>> Eg: >>> >>> Dec-11-14 10:23:53 [Worker_2] Connected: session:7FAD1B6519F8 >>> 127.0.0.1:51769 > 127.0.0.1:25 > 127.0.0.1:10026 >>> Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is used >>> Dec-11-14 10:24:12 id-53842-01613 [Worker_2] [MessageOK] 127.0.0.1 >>> <[email protected]> to: [email protected] message ok [Re Josette et >>> Michel Basset] -> /Applications/assp/notspam/1613.eml >>> Dec-11-14 10:24:14 [Worker_1] Finished message - received DATA size: 17.27 >>> kByte - sent DATA size: 17.49 kByte >>> Dec-11-14 10:24:14 [Worker_1] Disconnected: session:7FACFD3C7970 127.0.0.1 >>> - processing time 62 seconds >>> Dec-11-14 10:24:25 id-53858-12500 [Worker_2] [MessageOK] 127.0.0.1 >>> <[email protected]> to: [email protected] message ok [To MJ Burgat] -> >>> /Applications/assp/notspam/12500.eml >>> Dec-11-14 10:24:26 [Worker_2] Finished message - received DATA size: 1.78 >>> kByte - sent DATA size: 2.18 kByte >>> Dec-11-14 10:24:26 [Worker_2] Disconnected: session:7FAD1B6519F8 127.0.0.1 >>> - processing time 33 seconds >>> >>> My domain is bordo.com.au <http://bordo.com.au/>, not yahoo.com or >>> orange.fr <http://orange.fr/>. >>> >>> I’ve done external tests and they all show that I’m not an open relay. >>> >>> I think I need to remove 127.0.0.1 from acceptAllMail, and turn on >>> DoLocalSenderDomain. >>> >>> Does this sound right? >>> >>> Anything else I should look at? >>> >>> ASSP version 2.4.4(14343) >>> >>> Thanks, >>> >>> James. >>> >>> ------------------------------------------------------------------------------ >>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server >>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards >>> with Interactivity, Sharing, Native Excel Exports, App Integration & more >>> Get technology previously reserved for billion-dollar corporations, FREE >>> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk >>> _______________________________________________ >>> Assp-test mailing list >>> [email protected] >>> https://lists.sourceforge.net/lists/listinfo/assp-test >> >> ------------------------------------------------------------------------------ >> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server >> from Actuate! Instantly Supercharge Your Business Reports and Dashboards >> with Interactivity, Sharing, Native Excel Exports, App Integration & more >> Get technology previously reserved for billion-dollar corporations, FREE >> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk >> _______________________________________________ >> Assp-test mailing list >> [email protected] >> https://lists.sourceforge.net/lists/listinfo/assp-test > > ------------------------------------------------------------------------------ > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server > from Actuate! Instantly Supercharge Your Business Reports and Dashboards > with Interactivity, Sharing, Native Excel Exports, App Integration & more > Get technology previously reserved for billion-dollar corporations, FREE > http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk > _______________________________________________ > Assp-test mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/assp-test ------------------------------------------------------------------------------ Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk _______________________________________________ Assp-test mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/assp-test
