I started receiving SCOMP abuse reports yesterday, and they weren't my normal "list subscriber that just happens to not like what's being posted to the list" crap, but indicated that one of my servers' security had been breached and I was being relayed off of. Here's a sample of the log:
Jun-28-07 15:55:42 id-30605354 204.16.143.218 <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] Regex:Red 'Windows-1251'
Jun-28-07 15:55:42 id-30605354 204.16.143.218 <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] local or whitelisted - (no bad attachments) Resolution_Center_ -> nocollect:red
Jun-28-07 15:55:47 id-30605456 204.16.143.218 <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] Regex:Red 'Windows-1251'
Jun-28-07 15:55:48 id-30605456 204.16.143.218 <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] local or whitelisted - (no bad attachments) Resolution_Center_ -> nocollect:red
Jun-28-07 15:55:55 id-30605518 204.16.143.218 <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] Regex:Red 'Windows-1251'
I have NO idea how that address was considered "local" or whitelisted (which it's not), and even so, how could a non-local sender relay off my server like that? Here's my config...
AddConfidenceHeader:=
AddCustomHeader:=X-Spam-Flag: YES
AddIntendedForHeader:=1
AddRBLHeader:=1
AddRWLHeader:=1
AddRegexHeader:=
AddSPFHeader:=1
AddScoringHeader:=1
AddSpamHeader:=1
AddSpamProbHeader:=1
AddSpamReasonHeader:=1
AddURIBLHeader:=1
AsADaemon:=
AsAService:=1
AttachmentError:=550 These attachments are not allowed -- Compress before mailing.
AvClamdPort:=/tmp/clamd
AvError:=554 5.7.1 Mail appears infected with '$infection'.
BadAttachL1:=exe|scr|pif|vb[es]|js|jse|ws[fh]|sh[sb]|lnk|bat|cmd|com|ht[ab]
BadAttachL2:=
BadAttachL3:=
BayesianLog:=
BlockExes:=4
BlockNPExes:=0
BlockUuencoded:=1
BlockWLExes:=0
BounceSenders:=postmaster|mailer-daemon
ChangeRoot:=
ClamAVBytes:=100000
CleanDelayDBInterval:=3600
ConnectionLog:=
DEBUG:=
DebugSPF:=
DelayAddHeader:=1
DelayEmbargoTime:=5
DelayError:=451 4.7.1 Please try again later
DelayExpireOnSpam:=1
DelayExpiryTime:=36
DelayLog:=
DelayNormalizeVERPs:=1
DelaySL:=
DelayUseNetblocks:=1
DelayWL:=
DelayWaitTime:=28
DoBayesian:=1
DoBombHeaderRe:=0
DoBombRe:=0
DoBombSenderRe:=0
DoDomainCheck:=1
DoExtremeNP:=
DoExtremeWL:=
DoFakedLocalHelo:=1
DoFakedNP:=
DoFakedWL:=
DoInvalidFormatHelo:=1
DoInvalidPTR:=1
DoLDAP:=
DoLocalSender:=
DoNoSpoofing:=1
DoNoValidLocalSender:=1
DoNotCollectBounces:=1
DoNotCollectRed:=1
DoNotPenalizeBounces:=1
DoNotPenalizeRed:=
DoPenalty:=2
DoPenaltyMessage:=
DoRBLCache:=1
DoRFC822:=1
DoReversed:=1
DoScriptRe:=0
DoTestRe:=
DoURIBLCache:=1
DoValidFormatHelo:=1
EmailAdminReportsTo:=
EmailErrorsModifyWhite:=1
EmailErrorsReply:=1
EmailErrorsTo:=
EmailFrom:=<[EMAIL PROTECTED]>
EmailHam:=asspnotspam
EmailHelp:=assphelp
EmailInterfaceOk:=1
EmailNoNPRemove:=1
EmailNoWhiteToRed:=
EmailRedlistAdd:=asspred
EmailRedlistRemove:=asspnotred
EmailRedlistReply:=1
EmailRedlistTo:=
EmailSenderOK:=
EmailSpam:=asspspam
EmailVirusReportsTo:=
EmailWhitelistAdd:=asspwhite
EmailWhitelistRemove:=asspnotwhite
EmailWhitelistReply:=1
EmailWhitelistTo:=
EnableDelaying:=1
EnableFloatingMenu:=
EnableHTTPCompression:=1
EnableInternalNamesInDesc:=1
EnableSRS:=
EnforceAuth:=
ErrorMaxBytes:=40000
ExtremeExpiration:=7
ForceRBLCache:=1
GoodAttach:=ai|asc|bhx|doc|dat|eps|gif|htm|html|ics|jpg|jpeg|hqx|pdf|ppt|rar|rpt|rtf|snp|txt|xls|zip
HeaderMaxLength:=100000
HeaderMaxLocal:=1
InternalAddresses:=
LDAPFail:=
LDAPFilter:=
LDAPHost:=localhost
LDAPLog:=
LDAPLogin:=
LDAPPassword:=
LDAPRoot:=
LocalAddressesValid:=
LocalAddresses_Flat:=root|abuse|admin|postmaster|astinson|a_stinson|classifieds|php|info|machknit|pay.pal|spam|thagerty|webmaster|webserver|www
LocalPolicySPF:=v=spf1 a/24 mx/24 ptr ~all
LogRollDays:=7
MaillogTailBytes:=50000
MaillogTailJump:=1
MaillogTailWrapColumn:=80
MaintenanceLog:=
MaxBytes:=4000
MaxErrors:=10
MaxFiles:=18009
MaxWhitelistDays:=90
NoAutoWhite:=
NoExternalSpamProb:=1
NoHaiku:=
NoMaillog:=
NoRelaying:=530 Relaying not allowed
NoScanRe:=
NoTagInTestmode:=
NoValidRecipient:=550 5.1.1 User unknown: EMAILADDRESS
NonSpamLog:=2
NotGreedyWhitelist:=
OrderedTieHashSize:=5000
OutgoingBufSize:=102400
PenaltyDuration:=60
PenaltyError:=
PenaltyExpiration:=360
PenaltyExtreme:=150
PenaltyLimit:=50
PenaltyLog:=1
PenaltyMessageLimit:=50
PenaltyMessageLow:=40
PenaltyUseNetblocks:=
PopB4SMTPFile:=
PopB4SMTPMerak:=
RBLCacheRefresh:=24
RBLError:=554 5.7.1 DNS Blacklisted by RBLLISTED
RBLFailLog:=3
RBLLog:=
RBLServiceProvider:=zen.spamhaus.org|list.dsbl.org|dul.dnsbl.sorbs.net
RBLWL:=1
RBLmaxhits:=1
RBLmaxreplies:=3
RBLmaxtime:=10
RBLsocktime:=1
RWLLog:=
RWLServiceProvider:=query.bondedsender.org|exemptions.ahbl.org|iadb.isipp.com|hul.habeas.com
RWLmaxreplies:=3
RWLmaxtime:=10
RWLminhits:=1
RegExLength:=32
RestartEvery:=3600
SPFError:=554 5.7.1 failed SPF: SPFRESULT
SPFFailLog:=3
SPFLog:=1
SPFNP:=
SPFWL:=
SPFneutral:=
SPFsoftfail:=
SRSAliasDomain:=thisdomain.com
SRSFailLog:=3
SRSHashLength:=4
SRSSecretKey:=
SRSTimestampMaxAge:=21
SRSValidateBounce:=1
SaveStatsEvery:=5
ScanLocal:=
ScanLog:=
ScanNP:=
ScanWL:=1
SenderInvalidError:=554 5.7.1 REASON .
SepChar:=
SessionLog:=
Showmaxreplies:=
SpamError:=554 5.7.1 Mail appears to be unsolicited -- send error reports to [EMAIL PROTECTED]
SpamVirusLog:=5
SysLogFac:=mail
URIBLCCTLDS:=file:files/URIBLCCTLDS.txt
URIBLCacheRefresh:=240
URIBLError:=554 5.7.1 Blacklisted by URIBLNAME Contact the postmaster of this domain for resolution. This attempt has been logged.
URIBLFailLog:=3
URIBLLog:=
URIBLNoObfuscated:=1
URIBLPolicyError:=554 5.7.1 Message rejected by domain policy. Contact the postmaster of this domain for resolution. This attempt has been logged.
URIBLServiceProvider:=multi.surbl.org
URIBLmaxdomains:=15
URIBLmaxhits:=1
URIBLmaxreplies:=1
URIBLmaxtime:=10
URIBLmaxuris:=25
URIBLsocktime:=1
URIBLwhitelist:=doubleclick.net
UpdateWhitelist:=3600
UseAvClamd:=1
UseLocalTime:=1
UseSubjectsAsMaillogNames:=
UuencodedError:=554 5.7.1 This mail is uuencoded and will be blocked.
ValidateMaxURI:=1
ValidateRBL:=1
ValidateRWL:=
ValidateSPF:=0
ValidateSenderLog:=
ValidateURIBL:=1
ValidateUserLog:=1
WhiteExpiration:=30
WhitelistLocalFromOnly:=1
WhitelistLocalOnly:=
WhitelistOnly:=
acceptAllMail:=206.53.239|192.168.12
allowAdminConnectionsFrom:=
asspLog:=1
base:=d:\\internet\\assp
baysConfidence:=
baysNonSpamLog:=6
baysSpamLog:=3
baysSpamLovers:=
baysSpamLoversRed:=
baysTestMode:=1
baysValencePB:=0
blDomainLog:=3
blSpamLovers:=
blTestMode:=
blValencePB:=5
blackListedDomains:=ebay.com
blackRe:=http://[\w\.]+@|\w<[a-z0-9]+[abcdfghjklmnpqrstuvwxyz0-9]{4}[a-z0-9]*>|subject:[^\n]* \S
blackValencePB:=5
bombCharSets:=BIG5|CHINESEBIG|GB2312|KS_C_5601|KOI8-R|EUC-KR|ISO-2022-JP|ISO-2022-KR|ISO-2022-CN|WINDOWS-1251|WINDOWS-1250|CP1251
bombError:=554 5.7.1 Delivery not authorized, message refused -- .
bombErrorReason:=1
bombHeaderRe:=\d\s+(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d\d\d\d\s+\d\d:\d\d(:\d\d)?\s+[+\-]\d\d[6-9]\d
bombRe:=file:files/bombre.txt
bombReLocal:=
bombReNP:=
bombReWL:=
bombSenderRe:[EMAIL PROTECTED]
bombSpamLovers:=
bombTestMode:=
bombValencePB:=0
ccHamFilter:=
ccSpamAlways:=
ccSpamFilter:=
contentOnlyRe:=
correctednotspam:=mail/errors/notspam
correctedspam:=mail/errors/spam
defaultLocalHost:=
delaySpamLovers:=
delaydb:=delaydb
denySMTPConnectionsFrom:=
denySMTPnoLog:=
erValencePB:=5
exportExtremeFile:=
extAttachLog:=5
fhTestMode:=
fhValencePB:=200
fileLogging:=1
flValencePB:=10
flsTestMode:=
forgedHeloLog:=6
freqNonSpam:=1
freqSpam:=1
griplist:=griplist
heloBlacklistIgnore:=
hlSpamLovers:=
hlTestMode:=
hlValencePB:=5
iaValencePB:=25
idValencePB:=150
ifValencePB:=150
ihTestMode:=
ihValencePB:=15
ilValencePB:=10
incomingOkMail:=mail/okmail
invalidFormatHeloRe:=^\d+\.\d+\.\d+\.\d+$|^[^\.]+\.?$
invalidPTRRe:=file:files/invalidptr.txt
irValencePB:=5
isSpamLovers:=
ispgreyvalue:=0.5
ispip:=
ldLDAP:=
ldLDAPFilter:=
listenPort:=25
listenPort2:=
localDomains:=MACHINE-KNIT.COM|MAIL.MACHINE-KNIT.COM|Fibercrafter.com|LIST.LISTHOST.COM|LISTHOST.COM
localDomainsFile:=
logfile:=logs/maillog.txt
maillogExt:=.txt
malformedLog:=6
maxSMTPSessions:=32
maxSMTPdomainIP:=3
maxSMTPdomainIPExpiration:=7200
maxSMTPipConnects:=0
maxSMTPipDuration:=60
maxSMTPipExpiration:=3600
maxSMTPipSessions:=5
meValencePB:=15
msTestMode:=
mxValencePB:=10
mxaSpamLovers:=
mxaTestMode:=
myName:=MACHINE-KNIT.COM
myServerRe:=
mydb:=
myhost:=
mypassword:=
myuser:=
noBayesian:=
noBombScript:=
noDelay:=file:files/nodelay.txt
noGriplistDownload:=
noGriplistUpload:=
noLog:=
noPB:=
noProcessing:=
noProcessingIPs:=
noRBL:=
noRWL:=
noSPFRe:=
noSRS:=
noURIBL:=
nolocalDomains:=
notspamlog:=mail/notspam
npAttachLog:=5
npRe:=
npSize:=500000
pbSpamLovers:=
pbTestMode:=
pbdb:=pb/pbdb
pidfile:=pid
poTestMode:=
processOnlyAddresses:=
proxyserver:=
ptValencePB:=10
ptrSpamLovers:=
ptrTestMode:=
rblSpamLovers:=
rblTestMode:=
rblValencePB:=100
rblnValencePB:=25
redRe:=file:files/redre.txt
redlistdb:=redlist
regexLogging:=1
relayHost:=
relayHostFile:=
relayPort:=
rlValencePB:=15
runAsGroup:=
runAsUser:=
saValencePB:=25
sbTestMode:=
scriptError:=554 5.7.1 Your email contains html scripting code -- please resend as plain text.
scriptLog:=3
scriptRe:=
scriptTestMode:=
scriptValencePB:=0
sendAllAbuse:[EMAIL PROTECTED]
sendAllCollect:=
sendAllDestination:=
sendAllPostmaster:[EMAIL PROTECTED]
sendAllSpam:=
sendAllTraps:=
sendHamInbound:=
sendHamOutbound:=
sendNoopInfo:=
silent:=
smtpAuthServer:=
smtpDestination:=125
smtpDestinationRT:=
smtpIdleTimeout:=120
smtpReportServer:=
spamBombLog:=6
spamBucketLog:=3
spamHeloLog:=6
spamISLog:=6
spamLovers:=postmaster|abuse
spamMSLog:=3
spamMXALog:=3
spamPBLog:=6
spamPTRLog:=3
spamSubject:=
spamSubjectCC:=
spamSubjectSL:=
spamTag:=
spamTagCC:=
spamaddresses:=put|[EMAIL PROTECTED]|addresses|@here.org
spamdb:=spamdb
spamlog:=mail/spam
spamtrapaddresses:=put|[EMAIL PROTECTED]|addresses|@here.org
spfSpamLovers:=
spfTestMode:=
spfValencePB:=10
spfnValencePB:=5
spfsValencePB:=5
srsSpamLovers:=
srsTestMode:=
stValencePB:=25
strictSPFRe:=
subjectLogging:=1
sysLog:=
sysLogIp:=127.0.0.1
sysLogPort:=514
testRe:=
totalizeSpamStats:=1
uniqeIDLogging:=1
uniqueIDPrefix:=id-
uriblSpamLovers:=
uriblTestMode:=
uriblValencePB:=20
uriblnValencePB:=10
urimaxValencePB:=10
useHeloBlacklist:=1
validFormatHeloRe:=^(([a-z\d][a-z\d\-]*)?[a-z\d]\.)+[a-z]{2,6}$
vdValencePB:=15
viruslog:=mail/quarantine
webAdminPassword:=**************
webAdminPort:=55555
whiteListedDomains:=sourceforge.net
whiteListedIPs:=206.53.239.114|206.53.239.113|192.168.12
whiteRe:=
whitelistdb:=whitelist
wlAttachLog:=5
Can someone give me some insight?
_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user