I’ll start changing everyone’s email passwords tomorrow. Have also turned on outbound checking of mail on the Sophos UTM, which is stopping these emails leaving. So at least I won’t get on an RBL.
Will also have a look at other examples in logs. Thanks everyone for your help.

James.

> On 11 Dec 2014, at 9:32 pm, Colin <[email protected]> wrote:
>
> Ahh, then I went into far too much detail! You need to find out the
> credentials being used because it looks like someone has gotten hold of
> a password. Authenticated email bypasses a lot of checks that ASSP does.
>
> On 11/12/2014 10:15, James Brown wrote:
>> Done some more looking at logs.
>>
>> One thing I didn’t mention is that we use stunnel to TLS SMTP. Looking at
>> its log at this time I see:
>>
>> 2014.12.11 10:23:51 LOG7[140735150184800]: Service [ssmtp] accepted (FD=10) from 41.43.219.15:3693
>> 2014.12.11 10:23:51 LOG7[4403986432]: Service [ssmtp] started
>> 2014.12.11 10:23:51 LOG5[4403986432]: Service [ssmtp] accepted connection from 41.43.219.15:3693
>> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): before/accept initialization
>> 2014.12.11 10:23:51 LOG7[4403986432]: SNI: no virtual services defined
>> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 read client hello A
>> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write server hello A
>> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write certificate A
>> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write key exchange A
>> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 write server done A
>> 2014.12.11 10:23:51 LOG7[4403986432]: SSL state (accept): SSLv3 flush data
>> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 read client key exchange A
>> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 read finished A
>> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write session ticket A
>> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write change cipher spec A
>> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 write finished A
>> 2014.12.11 10:23:53 LOG7[4403986432]: SSL state (accept): SSLv3 flush data
>> 2014.12.11 10:23:53 LOG7[4403986432]: 51 items in the session cache
>> 2014.12.11 10:23:53 LOG7[4403986432]: 0 client connects (SSL_connect())
>> 2014.12.11 10:23:53 LOG7[4403986432]: 0 client connects that finished
>> 2014.12.11 10:23:53 LOG7[4403986432]: 0 client renegotiations requested
>> 2014.12.11 10:23:53 LOG7[4403986432]: 101 server connects (SSL_accept())
>> 2014.12.11 10:23:53 LOG7[4403986432]: 98 server connects that finished
>> 2014.12.11 10:23:53 LOG7[4403986432]: 0 server renegotiations requested
>> 2014.12.11 10:23:53 LOG7[4403986432]: 14 session cache hits
>> 2014.12.11 10:23:53 LOG7[4403986432]: 0 external session cache hits
>> 2014.12.11 10:23:53 LOG7[4403986432]: 1 session cache misses
>> 2014.12.11 10:23:53 LOG7[4403986432]: 9 session cache timeouts
>> 2014.12.11 10:23:53 LOG6[4403986432]: No peer certificate received
>> 2014.12.11 10:23:53 LOG6[4403986432]: SSL accepted: new session negotiated
>> 2014.12.11 10:23:53 LOG6[4403986432]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
>> 2014.12.11 10:23:53 LOG6[4403986432]: Compression: null, expansion: null
>> 2014.12.11 10:23:53 LOG6[4403986432]: s_connect: connecting 127.0.0.1:25
>> 2014.12.11 10:23:53 LOG7[4403986432]: s_connect: s_poll_wait 127.0.0.1:25: waiting 10 seconds
>> 2014.12.11 10:23:53 LOG5[4403986432]: s_connect: connected 127.0.0.1:25
>> 2014.12.11 10:23:53 LOG5[4403986432]: Service [ssmtp] connected remote server from 127.0.0.1:51769
>> 2014.12.11 10:23:53 LOG7[4403986432]: Remote socket (FD=11) initialized
>> 2014.12.11 10:24:12 LOG7[4403986432]: SSL_read returned WANT_READ: retrying
>> 2014.12.11 10:24:14 LOG7[4403908608]: SSL alert (read): warning: close notify
>> 2014.12.11 10:24:14 LOG6[4403908608]: SSL closed (SSL_read)
>> 2014.12.11 10:24:14 LOG7[4403908608]: Sent socket write shutdown
>> 2014.12.11 10:24:14 LOG6[4403908608]: Read socket closed (readsocket)
>> 2014.12.11 10:24:14 LOG7[4403908608]: Sending close_notify alert
>> 2014.12.11 10:24:14 LOG7[4403908608]: SSL alert (write): warning: close notify
>> 2014.12.11 10:24:14 LOG6[4403908608]: SSL_shutdown successfully sent close_notify alert
>> 2014.12.11 10:24:14 LOG5[4403908608]: Connection closed: 296 byte(s) sent to SSL, 17742 byte(s) sent to socket
>> 2014.12.11 10:24:14 LOG7[4403908608]: Remote socket (FD=9) closed
>> 2014.12.11 10:24:14 LOG7[4403908608]: Local socket (FD=3) closed
>> 2014.12.11 10:24:14 LOG7[4403908608]: Service [ssmtp] finished (1 left)
>> 2014.12.11 10:24:24 LOG7[4403986432]: SSL_read returned WANT_READ: retrying
>> 2014.12.11 10:24:26 LOG6[4403986432]: Read socket closed (readsocket)
>> 2014.12.11 10:24:26 LOG7[4403986432]: Sending close_notify alert
>> 2014.12.11 10:24:26 LOG7[4403986432]: SSL alert (write): warning: close notify
>> 2014.12.11 10:24:26 LOG6[4403986432]: SSL_shutdown successfully sent close_notify alert
>> 2014.12.11 10:24:27 LOG7[4403986432]: SSL alert (read): warning: close notify
>> 2014.12.11 10:24:27 LOG6[4403986432]: SSL closed (SSL_read)
>> 2014.12.11 10:24:27 LOG7[4403986432]: Sent socket write shutdown
>> 2014.12.11 10:24:27 LOG5[4403986432]: Connection closed: 596 byte(s) sent to SSL, 4446 byte(s) sent to socket
>> 2014.12.11 10:24:27 LOG7[4403986432]: Remote socket (FD=11) closed
>> 2014.12.11 10:24:27 LOG7[4403986432]: Local socket (FD=10) closed
>> 2014.12.11 10:24:27 LOG7[4403986432]: Service [ssmtp] finished (0 left)
>>
>> So looks like the remote IP is 41.43.219.15 in this case (not our IP).
>>
>> James.
>>
>>> On 11 Dec 2014, at 8:46 pm, Colin <[email protected]> wrote:
>>>
>>> Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is used
>>>
>>> This line gives me cause for concern for you. Something running on
>>> localhost sent or proxied this message AND used valid credentials to
>>> send the message.
>>>
>>> What do the collected emails show? Are they definitely junk messages?
>>> If so you need to turn up logging to find out which credentials have
>>> been used and change those. Next step would be to see what process on
>>> localhost is passing these messages to ASSP and lock it down.
>>>
>>> I did a little bit of poking around on your IP to see if anything
>>> obvious stood out, but didn't want to do anything intrusive without
>>> asking. The only thing I can see is it looks like you have two different
>>> MTAs running. Port 25 responds with a Symantec banner and port 587
>>> responds with a Postfix banner. I'm not sure if one may be proxying and
>>> less secure but I didn't test.
>>>
>>> You could update OpenSSL that Apache is using from za to zc as there
>>> have been a lot of OpenSSL vulnerabilities this year. I don't know if
>>> that is likely to have any relevance though.
>>>
>>> On 11/12/2014 00:21, James Brown wrote:
>>>> I’m a bit puzzled by this. I’ve noticed in the logs emails coming from and
>>>> going to email addresses that have nothing to do with my domain.
>>>>
>>>> Eg:
>>>>
>>>> Dec-11-14 10:23:53 [Worker_2] Connected: session:7FAD1B6519F8 127.0.0.1:51769 > 127.0.0.1:25 > 127.0.0.1:10026
>>>> Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is used
>>>> Dec-11-14 10:24:12 id-53842-01613 [Worker_2] [MessageOK] 127.0.0.1 <[email protected]> to: [email protected] message ok [Re Josette et Michel Basset] -> /Applications/assp/notspam/1613.eml
>>>> Dec-11-14 10:24:14 [Worker_1] Finished message - received DATA size: 17.27 kByte - sent DATA size: 17.49 kByte
>>>> Dec-11-14 10:24:14 [Worker_1] Disconnected: session:7FACFD3C7970 127.0.0.1 - processing time 62 seconds
>>>> Dec-11-14 10:24:25 id-53858-12500 [Worker_2] [MessageOK] 127.0.0.1 <[email protected]> to: [email protected] message ok [To MJ Burgat] -> /Applications/assp/notspam/12500.eml
>>>> Dec-11-14 10:24:26 [Worker_2] Finished message - received DATA size: 1.78 kByte - sent DATA size: 2.18 kByte
>>>> Dec-11-14 10:24:26 [Worker_2] Disconnected: session:7FAD1B6519F8 127.0.0.1 - processing time 33 seconds
>>>>
>>>> My domain is bordo.com.au, not yahoo.com or orange.fr.
>>>>
>>>> I’ve done external tests and they all show that I’m not an open relay.
>>>>
>>>> I think I need to remove 127.0.0.1 from acceptAllMail, and turn on
>>>> DoLocalSenderDomain.
>>>>
>>>> Does this sound right?
>>>>
>>>> Anything else I should look at?
>>>>
>>>> ASSP version 2.4.4(14343)
>>>>
>>>> Thanks,
>>>>
>>>> James.
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
>>>> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
>>>> with Interactivity, Sharing, Native Excel Exports, App Integration & more
>>>> Get technology previously reserved for billion-dollar corporations, FREE
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
>>>> _______________________________________________
>>>> Assp-test mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/assp-test
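The correlation James does by hand in the thread (matching stunnel's `connected remote server from 127.0.0.1:51769` to ASSP's `Connected: session:... 127.0.0.1:51769`) can be scripted, and doing so turns Colin's point into a repeatable check: because stunnel terminates TLS on the same host, ASSP only ever sees 127.0.0.1, so the local source port is the only link back to the real client. The following Python is an added example, not code from the thread or from the ASSP or stunnel projects. It parses constructed log lines shaped like the ones quoted above, maps each ASSP session back to the real remote address through the port stunnel used, and reports authenticated sessions whose envelope sender is not in a local domain, which is exactly the "valid credentials used via localhost to send foreign mail" pattern discussed. It assumes each ASSP worker handles one session at a time between its `Connected:` and `Disconnected:` lines, that `bordo.com.au` is the only local domain, and the sample addresses, session ids and remote IPs other than 41.43.219.15 are made up.

```python
"""Attribute ASSP-logged authenticated sessions to their real remote IP
via stunnel's log (added example; sample log lines are constructed)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: the only domain this gateway relays for (taken from the thread).
LOCAL_DOMAINS = {"bordo.com.au"}

# stunnel lines: the thread id inside LOGn[<id>] ties "accepted" to "connected".
STUNNEL_ACCEPT = re.compile(
    r"LOG\d\[(\d+)\]: Service \[\w+\] accepted connection from ([\d.]+):(\d+)")
STUNNEL_CONNECT = re.compile(
    r"LOG\d\[(\d+)\]: Service \[\w+\] connected remote server from 127\.0\.0\.1:(\d+)")

# ASSP lines: the worker name is the only key shared by every line of a session.
ASSP_CONNECTED = re.compile(r"\[(Worker_\d+)\] Connected: session:(\w+) 127\.0\.0\.1:(\d+) >")
ASSP_AUTH = re.compile(r"\[(Worker_\d+)\] 127\.0\.0\.1 info: authentication - (\w+) is used")
ASSP_MSG = re.compile(r"\[(Worker_\d+)\] \[MessageOK\] 127\.0\.0\.1 <([^>]+)> to: (\S+)")
ASSP_DISCONNECTED = re.compile(r"\[(Worker_\d+)\] Disconnected: session:(\w+)")

# Constructed sample logs in the same shape as the thread's stunnel and ASSP output.
STUNNEL_LOG = """\
2014.12.11 10:23:51 LOG5[4403986432]: Service [ssmtp] accepted connection from 41.43.219.15:3693
2014.12.11 10:23:53 LOG5[4403986432]: Service [ssmtp] connected remote server from 127.0.0.1:51769
2014.12.11 10:30:00 LOG5[4403987001]: Service [ssmtp] accepted connection from 203.0.113.7:44120
2014.12.11 10:30:01 LOG5[4403987001]: Service [ssmtp] connected remote server from 127.0.0.1:51800
2014.12.11 10:35:00 LOG5[4403987002]: Service [ssmtp] accepted connection from 198.51.100.9:50222
2014.12.11 10:35:01 LOG5[4403987002]: Service [ssmtp] connected remote server from 127.0.0.1:51822
"""
ASSP_LOG = """\
Dec-11-14 10:23:53 [Worker_2] Connected: session:7FAD1B6519F8 127.0.0.1:51769 > 127.0.0.1:25 > 127.0.0.1:10026
Dec-11-14 10:23:56 [Worker_2] 127.0.0.1 info: authentication - plain is used
Dec-11-14 10:24:12 id-53842-01613 [Worker_2] [MessageOK] 127.0.0.1 <user@yahoo.com> to: someone@orange.fr message ok [Re Josette et Michel Basset] -> /Applications/assp/notspam/1613.eml
Dec-11-14 10:24:26 [Worker_2] Disconnected: session:7FAD1B6519F8 127.0.0.1 - processing time 33 seconds
Dec-11-14 10:30:01 [Worker_1] Connected: session:7FAD1B651A00 127.0.0.1:51800 > 127.0.0.1:25 > 127.0.0.1:10026
Dec-11-14 10:30:03 [Worker_1] 127.0.0.1 info: authentication - plain is used
Dec-11-14 10:30:05 id-53900-00001 [Worker_1] [MessageOK] 127.0.0.1 <staff@bordo.com.au> to: client@example.com message ok [Invoice] -> /Applications/assp/notspam/9001.eml
Dec-11-14 10:30:06 [Worker_1] Disconnected: session:7FAD1B651A00 127.0.0.1 - processing time 5 seconds
Dec-11-14 10:35:01 [Worker_2] Connected: session:7FAD1B651B10 127.0.0.1:51822 > 127.0.0.1:25 > 127.0.0.1:10026
Dec-11-14 10:35:04 id-53901-00002 [Worker_2] [MessageOK] 127.0.0.1 <news@example.net> to: staff@bordo.com.au message ok [Newsletter] -> /Applications/assp/notspam/9002.eml
Dec-11-14 10:35:05 [Worker_2] Disconnected: session:7FAD1B651B10 127.0.0.1 - processing time 4 seconds
"""


def stunnel_port_map(log: str) -> Dict[str, str]:
    """Map the local port stunnel opened towards ASSP to the real remote ip:port."""
    remote_by_thread: Dict[str, str] = {}
    port_to_remote: Dict[str, str] = {}
    for line in log.splitlines():
        if m := STUNNEL_ACCEPT.search(line):
            remote_by_thread[m.group(1)] = f"{m.group(2)}:{m.group(3)}"
        elif (m := STUNNEL_CONNECT.search(line)) and m.group(1) in remote_by_thread:
            port_to_remote[m.group(2)] = remote_by_thread[m.group(1)]
    return port_to_remote


@dataclass
class Session:
    session_id: str
    local_port: str
    auth: Optional[str] = None                      # e.g. "plain" when SMTP AUTH was used
    messages: List[Tuple[str, str]] = field(default_factory=list)  # (sender, recipient)


def assp_sessions(log: str) -> List[Session]:
    """Rebuild sessions from ASSP's log; assumes one session per worker at a time."""
    active: Dict[str, Session] = {}
    finished: List[Session] = []
    for line in log.splitlines():
        if m := ASSP_CONNECTED.search(line):
            active[m.group(1)] = Session(m.group(2), m.group(3))
        elif m := ASSP_AUTH.search(line):
            if s := active.get(m.group(1)):
                s.auth = m.group(2)
        elif m := ASSP_MSG.search(line):
            if s := active.get(m.group(1)):
                s.messages.append((m.group(2), m.group(3)))
        elif m := ASSP_DISCONNECTED.search(line):
            # A Disconnected without a seen Connected (log cut off) still counts,
            # but its port, and hence its remote address, is unknown.
            finished.append(active.pop(m.group(1), Session(m.group(2), "?")))
    finished.extend(active.values())
    return finished


def suspicious_auth_relays(stunnel_log: str, assp_log: str,
                           local_domains=LOCAL_DOMAINS) -> List[dict]:
    """Authenticated sessions that relayed mail for a non-local sender domain."""
    ports = stunnel_port_map(stunnel_log)
    findings = []
    for s in assp_sessions(assp_log):
        if s.auth is None:
            continue  # unauthenticated inbound mail from foreign domains is normal
        for sender, rcpt in s.messages:
            if sender.rsplit("@", 1)[-1].lower() not in local_domains:
                findings.append({"session": s.session_id, "auth": s.auth,
                                 "remote": ports.get(s.local_port, "unknown"),
                                 "sender": sender, "rcpt": rcpt})
    return findings


if __name__ == "__main__":
    for f in suspicious_auth_relays(STUNNEL_LOG, ASSP_LOG):
        print(f"session {f['session']} from {f['remote']} used AUTH {f['auth']} "
              f"to send <{f['sender']}> -> {f['rcpt']}")
```

Run against the sample data this reports only the first session: authenticated, relaying a yahoo.com sender, and traceable through port 51769 to 41.43.219.15. The second session is authenticated but sends for the local domain, and the third is ordinary unauthenticated inbound mail, so neither is flagged. On a real gateway the next step is the one Colin names: turn up ASSP logging far enough to see which account authenticated in the flagged sessions, and change those credentials.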
