Are you sure you want to redlist Windows-1251? That's Cyrillic/Russian: http://www.espinola.net/wiki/Filtering_character_sets#Windows_.28ANSI.29_Code_Pages_.28prefix:_ms.2C_windows.29
There may be a logic flaw in ASSP's processing in this set of circumstances. I recommend that you secure your mail server to also prevent external relaying. I would recommend that anyone do that in addition to the protection that ASSP should be providing - because things can always go wrong.

Is there a possibility that something in the headers is what got the message whitelisted? Have you tried feeding the message into the analyzer? Anything relevant in the ASSP message headers?

Amy Stinson wrote:
> I started receiving SCOMP abuse reports yesterday and they weren't my normal list subscriber that just happens to not like what's being posted to the list crap, but indicated that one of my server's security had been breached and I was being relayed off of.
>
> Here's a sample of the log:
>
> Jun-28-07 15:55:42 id-30605354 204.16.143.218 <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] Regex:Red 'Windows-1251'
> Jun-28-07 15:55:42 id-30605354 204.16.143.218 <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] local or whitelisted - (no bad attachments) Resolution_Center_ -> nocollect:red
> Jun-28-07 15:55:47 id-30605456 204.16.143.218 <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] Regex:Red 'Windows-1251'
> Jun-28-07 15:55:48 id-30605456 204.16.143.218 <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] local or whitelisted - (no bad attachments) Resolution_Center_ -> nocollect:red
> Jun-28-07 15:55:55 id-30605518 204.16.143.218 <[EMAIL PROTECTED]> to: [EMAIL PROTECTED] Regex:Red 'Windows-1251'
>
> I have NO idea how that address was considered "local" or whitelisted (which it's not), and even so, how could a non-local sender relay off my server like that?
>
> Here's my config...
>
> AddConfidenceHeader:=
> AddCustomHeader:=X-Spam-Flag: YES
> AddIntendedForHeader:=1
> AddRBLHeader:=1
> AddRWLHeader:=1
> AddRegexHeader:=
> AddSPFHeader:=1
> AddScoringHeader:=1
> AddSpamHeader:=1
> AddSpamProbHeader:=1
> AddSpamReasonHeader:=1
> AddURIBLHeader:=1
> AsADaemon:=
> AsAService:=1
> AttachmentError:=550 These attachments are not allowed -- Compress before
> mailing.
> AvClamdPort:=/tmp/clamd
> AvError:=554 5.7.1 Mail appears infected with '$infection'.
> BadAttachL1:=exe|scr|pif|vb[es]|js|jse|ws[fh]|sh[sb]|lnk|bat|cmd|com|ht[ab]
> BadAttachL2:=
> BadAttachL3:=
> BayesianLog:=
> BlockExes:=4
> BlockNPExes:=0
> BlockUuencoded:=1
> BlockWLExes:=0
> BounceSenders:=postmaster|mailer-daemon
> ChangeRoot:=
> ClamAVBytes:=100000
> CleanDelayDBInterval:=3600
> ConnectionLog:=
> DEBUG:=
> DebugSPF:=
> DelayAddHeader:=1
> DelayEmbargoTime:=5
> DelayError:=451 4.7.1 Please try again later
> DelayExpireOnSpam:=1
> DelayExpiryTime:=36
> DelayLog:=
> DelayNormalizeVERPs:=1
> DelaySL:=
> DelayUseNetblocks:=1
> DelayWL:=
> DelayWaitTime:=28
> DoBayesian:=1
> DoBombHeaderRe:=0
> DoBombRe:=0
> DoBombSenderRe:=0
> DoDomainCheck:=1
> DoExtremeNP:=
> DoExtremeWL:=
> DoFakedLocalHelo:=1
> DoFakedNP:=
> DoFakedWL:=
> DoInvalidFormatHelo:=1
> DoInvalidPTR:=1
> DoLDAP:=
> DoLocalSender:=
> DoNoSpoofing:=1
> DoNoValidLocalSender:=1
> DoNotCollectBounces:=1
> DoNotCollectRed:=1
> DoNotPenalizeBounces:=1
> DoNotPenalizeRed:=
> DoPenalty:=2
> DoPenaltyMessage:=
> DoRBLCache:=1
> DoRFC822:=1
> DoReversed:=1
> DoScriptRe:=0
> DoTestRe:=
> DoURIBLCache:=1
> DoValidFormatHelo:=1
> EmailAdminReportsTo:=
> EmailErrorsModifyWhite:=1
> EmailErrorsReply:=1
> EmailErrorsTo:=
> EmailFrom:=<[EMAIL PROTECTED]>
> EmailHam:=asspnotspam
> EmailHelp:=assphelp
> EmailInterfaceOk:=1
> EmailNoNPRemove:=1
> EmailNoWhiteToRed:=
> EmailRedlistAdd:=asspred
> EmailRedlistRemove:=asspnotred
> EmailRedlistReply:=1
> EmailRedlistTo:=
> EmailSenderOK:=
> EmailSpam:=asspspam
> EmailVirusReportsTo:=
> EmailWhitelistAdd:=asspwhite
> EmailWhitelistRemove:=asspnotwhite
> EmailWhitelistReply:=1
> EmailWhitelistTo:=
> EnableDelaying:=1
> EnableFloatingMenu:=
> EnableHTTPCompression:=1
> EnableInternalNamesInDesc:=1
> EnableSRS:=
> EnforceAuth:=
> ErrorMaxBytes:=40000
> ExtremeExpiration:=7
> ForceRBLCache:=1
> GoodAttach:=ai|asc|bhx|doc|dat|eps|gif|htm|html|ics|jpg|jpeg|hqx|pdf|ppt|rar|rpt|rtf|snp|txt|xls|zi
> p
> HeaderMaxLength:=100000
> HeaderMaxLocal:=1
> InternalAddresses:=
> LDAPFail:=
> LDAPFilter:=
> LDAPHost:=localhost
> LDAPLog:=
> LDAPLogin:=
> LDAPPassword:=
> LDAPRoot:=
> LocalAddressesValid:=
> LocalAddresses_Flat:=root|abuse|admin|postmaster|astinson|a_stinson|classifieds|php|info|
> machknit|pay.pal|spam|thagerty|webmaster|webserver|www
> LocalPolicySPF:=v=spf1 a/24 mx/24 ptr ~all
> LogRollDays:=7
> MaillogTailBytes:=50000
> MaillogTailJump:=1
> MaillogTailWrapColumn:=80
> MaintenanceLog:=
> MaxBytes:=4000
> MaxErrors:=10
> MaxFiles:=18009
> MaxWhitelistDays:=90
> NoAutoWhite:=
> NoExternalSpamProb:=1
> NoHaiku:=
> NoMaillog:=
> NoRelaying:=530 Relaying not allowed
> NoScanRe:=
> NoTagInTestmode:=
> NoValidRecipient:=550 5.1.1 User unknown: EMAILADDRESS
> NonSpamLog:=2
> NotGreedyWhitelist:=
> OrderedTieHashSize:=5000
> OutgoingBufSize:=102400
> PenaltyDuration:=60
> PenaltyError:=
> PenaltyExpiration:=360
> PenaltyExtreme:=150
> PenaltyLimit:=50
> PenaltyLog:=1
> PenaltyMessageLimit:=50
> PenaltyMessageLow:=40
> PenaltyUseNetblocks:=
> PopB4SMTPFile:=
> PopB4SMTPMerak:=
> RBLCacheRefresh:=24
> RBLError:=554 5.7.1 DNS Blacklisted by RBLLISTED
> RBLFailLog:=3
> RBLLog:=
> RBLServiceProvider:=zen.spamhaus.org|list.dsbl.org|dul.dnsbl.sorbs.net
> RBLWL:=1
> RBLmaxhits:=1
> RBLmaxreplies:=3
> RBLmaxtime:=10
> RBLsocktime:=1
> RWLLog:=
> RWLServiceProvider:=query.bondedsender.org|exemptions.ahbl.org|iadb.isipp.com|hul.habe
> as.com
> RWLmaxreplies:=3
> RWLmaxtime:=10
> RWLminhits:=1
> RegExLength:=32
> RestartEvery:=3600
> SPFError:=554 5.7.1 failed SPF: SPFRESULT
> SPFFailLog:=3
> SPFLog:=1
> SPFNP:=
> SPFWL:=
> SPFneutral:=
> SPFsoftfail:=
> SRSAliasDomain:=thisdomain.com
> SRSFailLog:=3
> SRSHashLength:=4
> SRSSecretKey:=
> SRSTimestampMaxAge:=21
> SRSValidateBounce:=1
> SaveStatsEvery:=5
> ScanLocal:=
> ScanLog:=
> ScanNP:=
> ScanWL:=1
> SenderInvalidError:=554 5.7.1 REASON .
> SepChar:=
> SessionLog:=
> Showmaxreplies:=
> SpamError:=554 5.7.1 Mail appears to be unsolicited -- send error reports to
> [EMAIL PROTECTED]
> SpamVirusLog:=5
> SysLogFac:=mail
> URIBLCCTLDS:=file:files/URIBLCCTLDS.txt
> URIBLCacheRefresh:=240
> URIBLError:=554 5.7.1 Blacklisted by URIBLNAME Contact the postmaster of this
> domain for
> resolution. This attempt has been logged.
> URIBLFailLog:=3
> URIBLLog:=
> URIBLNoObfuscated:=1
> URIBLPolicyError:=554 5.7.1 Message rejected by domain policy. Contact the
> postmaster of
> this domain for resolution. This attempt has been logged.
> URIBLServiceProvider:=multi.surbl.org
> URIBLmaxdomains:=15
> URIBLmaxhits:=1
> URIBLmaxreplies:=1
> URIBLmaxtime:=10
> URIBLmaxuris:=25
> URIBLsocktime:=1
> URIBLwhitelist:=doubleclick.net
> UpdateWhitelist:=3600
> UseAvClamd:=1
> UseLocalTime:=1
> UseSubjectsAsMaillogNames:=
> UuencodedError:=554 5.7.1 This mail is uuencoded and will be blocked.
> ValidateMaxURI:=1
> ValidateRBL:=1
> ValidateRWL:=
> ValidateSPF:=0
> ValidateSenderLog:=
> ValidateURIBL:=1
> ValidateUserLog:=1
> WhiteExpiration:=30
> WhitelistLocalFromOnly:=1
> WhitelistLocalOnly:=
> WhitelistOnly:=
> acceptAllMail:=206.53.239|192.168.12
> allowAdminConnectionsFrom:=
> asspLog:=1
> base:=d:\\internet\\assp
> baysConfidence:=
> baysNonSpamLog:=6
> baysSpamLog:=3
> baysSpamLovers:=
> baysSpamLoversRed:=
> baysTestMode:=1
> baysValencePB:=0
> blDomainLog:=3
> blSpamLovers:=
> blTestMode:=
> blValencePB:=5
> blackListedDomains:=ebay.com
> blackRe:=http://[\w\.]+@|\w<[a-z0-9]+[abcdfghjklmnpqrstuvwxyz0-9]{4}[a-z0-9]*>|subject:
>
> [^\n]* \S
> blackValencePB:=5
> bombCharSets:=BIG5|CHINESEBIG|GB2312|KS_C_5601|KOI8-R|EUC-KR|ISO-2022-
> JP|ISO-2022-KR|ISO-2022-CN|WINDOWS-1251|WINDOWS-1250|CP1251
> bombError:=554 5.7.1 Delivery not authorized, message refused -- .
> bombErrorReason:=1
> bombHeaderRe:=\d\s+(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d\d\d\d\s+\d\d
> :\d\d(:\d\d)?\s+[+\-]\d\d[6-9]\d
> bombRe:=file:files/bombre.txt
> bombReLocal:=
> bombReNP:=
> bombReWL:=
> bombSenderRe:[EMAIL PROTECTED]
> bombSpamLovers:=
> bombTestMode:=
> bombValencePB:=0
> ccHamFilter:=
> ccSpamAlways:=
> ccSpamFilter:=
> contentOnlyRe:=
> correctednotspam:=mail/errors/notspam
> correctedspam:=mail/errors/spam
> defaultLocalHost:=
> delaySpamLovers:=
> delaydb:=delaydb
> denySMTPConnectionsFrom:=
> denySMTPnoLog:=
> erValencePB:=5
> exportExtremeFile:=
> extAttachLog:=5
> fhTestMode:=
> fhValencePB:=200
> fileLogging:=1
> flValencePB:=10
> flsTestMode:=
> forgedHeloLog:=6
> freqNonSpam:=1
> freqSpam:=1
> griplist:=griplist
> heloBlacklistIgnore:=
> hlSpamLovers:=
> hlTestMode:=
> hlValencePB:=5
> iaValencePB:=25
> idValencePB:=150
> ifValencePB:=150
> ihTestMode:=
> ihValencePB:=15
> ilValencePB:=10
> incomingOkMail:=mail/okmail
> invalidFormatHeloRe:=^\d+\.\d+\.\d+\.\d+$|^[^\.]+\.?$
> invalidPTRRe:=file:files/invalidptr.txt
> irValencePB:=5
> isSpamLovers:=
> ispgreyvalue:=0.5
> ispip:=
> ldLDAP:=
> ldLDAPFilter:=
> listenPort:=25
> listenPort2:=
> localDomains:=MACHINE-KNIT.COM|MAIL.MACHINE-
> KNIT.COM|Fibercrafter.com|LIST.LISTHOST.COM|LISTHOST.COM
> localDomainsFile:=
> logfile:=logs/maillog.txt
> maillogExt:=.txt
> malformedLog:=6
> maxSMTPSessions:=32
> maxSMTPdomainIP:=3
> maxSMTPdomainIPExpiration:=7200
> maxSMTPipConnects:=0
> maxSMTPipDuration:=60
> maxSMTPipExpiration:=3600
> maxSMTPipSessions:=5
> meValencePB:=15
> msTestMode:=
> mxValencePB:=10
> mxaSpamLovers:=
> mxaTestMode:=
> myName:=MACHINE-KNIT.COM
> myServerRe:=
> mydb:=
> myhost:=
> mypassword:=
> myuser:=
> noBayesian:=
> noBombScript:=
> noDelay:=file:files/nodelay.txt
> noGriplistDownload:=
> noGriplistUpload:=
> noLog:=
> noPB:=
> noProcessing:=
> noProcessingIPs:=
> noRBL:=
> noRWL:=
> noSPFRe:=
> noSRS:=
> noURIBL:=
> nolocalDomains:=
> notspamlog:=mail/notspam
> npAttachLog:=5
> npRe:=
> npSize:=500000
> pbSpamLovers:=
> pbTestMode:=
> pbdb:=pb/pbdb
> pidfile:=pid
> poTestMode:=
> processOnlyAddresses:=
> proxyserver:=
> ptValencePB:=10
> ptrSpamLovers:=
> ptrTestMode:=
> rblSpamLovers:=
> rblTestMode:=
> rblValencePB:=100
> rblnValencePB:=25
> redRe:=file:files/redre.txt
> redlistdb:=redlist
> regexLogging:=1
> relayHost:=
> relayHostFile:=
> relayPort:=
> rlValencePB:=15
> runAsGroup:=
> runAsUser:=
> saValencePB:=25
> sbTestMode:=
> scriptError:=554 5.7.1 Your email contains html scripting code -- please
> resend as plain text.
> scriptLog:=3
> scriptRe:=
> scriptTestMode:=
> scriptValencePB:=0
> sendAllAbuse:[EMAIL PROTECTED]
> sendAllCollect:=
> sendAllDestination:=
> sendAllPostmaster:[EMAIL PROTECTED]
> sendAllSpam:=
> sendAllTraps:=
> sendHamInbound:=
> sendHamOutbound:=
> sendNoopInfo:=
> silent:=
> smtpAuthServer:=
> smtpDestination:=125
> smtpDestinationRT:=
> smtpIdleTimeout:=120
> smtpReportServer:=
> spamBombLog:=6
> spamBucketLog:=3
> spamHeloLog:=6
> spamISLog:=6
> spamLovers:=postmaster|abuse
> spamMSLog:=3
> spamMXALog:=3
> spamPBLog:=6
> spamPTRLog:=3
> spamSubject:=
> spamSubjectCC:=
> spamSubjectSL:=
> spamTag:=
> spamTagCC:=
> spamaddresses:=put|[EMAIL PROTECTED]|addresses|@here.org
> spamdb:=spamdb
> spamlog:=mail/spam
> spamtrapaddresses:=put|[EMAIL PROTECTED]|addresses|@here.org
> spfSpamLovers:=
> spfTestMode:=
> spfValencePB:=10
> spfnValencePB:=5
> spfsValencePB:=5
> srsSpamLovers:=
> srsTestMode:=
> stValencePB:=25
> strictSPFRe:=
> subjectLogging:=1
> sysLog:=
> sysLogIp:=127.0.0.1
> sysLogPort:=514
> testRe:=
> totalizeSpamStats:=1
> uniqeIDLogging:=1
> uniqueIDPrefix:=id-
> uriblSpamLovers:=
> uriblTestMode:=
> uriblValencePB:=20
> uriblnValencePB:=10
> urimaxValencePB:=10
> useHeloBlacklist:=1
> validFormatHeloRe:=^(([a-z\d][a-z\d\-]*)?[a-z\d]\.)+[a-z]{2,6}$
> vdValencePB:=15
> viruslog:=mail/quarantine
> webAdminPassword:=**************
> webAdminPort:=55555
> whiteListedDomains:=sourceforge.net
> whiteListedIPs:=206.53.239.114|206.53.239.113|192.168.12
> whiteRe:=
> whitelistdb:=whitelist
> wlAttachLog:=5
>
>
> Can someone give me some insight
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Assp-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/assp-user
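
A log triage for the symptom discussed in this thread, as an added example that is not part of the original messages and is not ASSP code: it lists messages that were passed as "local or whitelisted" although the connecting IP is not in acceptAllMail and the recipient is not in localDomains. The sample log is constructed in the quoted format with placeholder addresses, the function names are hypothetical, and matching acceptAllMail entries as dotted prefixes on octet boundaries is an assumption about how ASSP reads them.

```python
import re

# Values copied from the config quoted in the thread (the wrapped
# MAIL.MACHINE-KNIT.COM entry is rejoined here).
ACCEPT_ALL_MAIL = "206.53.239|192.168.12"
LOCAL_DOMAINS = ("MACHINE-KNIT.COM|MAIL.MACHINE-KNIT.COM|Fibercrafter.com|"
                 "LIST.LISTHOST.COM|LISTHOST.COM")

# Constructed sample in the log format quoted in the thread; addresses are placeholders.
SAMPLE_LOG = """\
Jun-28-07 15:55:42 id-30605354 204.16.143.218 <a@example.net> to: b@example.org Regex:Red 'Windows-1251'
Jun-28-07 15:55:42 id-30605354 204.16.143.218 <a@example.net> to: b@example.org local or whitelisted - (no bad attachments) Resolution_Center_ -> nocollect:red
Jun-28-07 15:56:10 id-30605600 192.168.12.7 <astinson@machine-knit.com> to: c@example.org local or whitelisted - (no bad attachments) Hello
Jun-28-07 15:57:01 id-30605700 198.51.100.9 <d@example.com> to: astinson@machine-knit.com local or whitelisted - (no bad attachments) Order
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>id-\d+) (?P<ip>\d+(?:\.\d+){3}) "
    r"<(?P<sender>[^>]*)> to: (?P<rcpt>\S+) (?P<rest>.*)$"
)

def ip_in_prefixes(ip, prefixes):
    """Assumed rule: an entry matches the whole IP or a prefix ending on an octet boundary."""
    return any(ip == p or ip.startswith(p.rstrip(".") + ".")
               for p in prefixes.split("|") if p)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def find_suspect_relays(log_text, relay_prefixes=ACCEPT_ALL_MAIL, local_domains=LOCAL_DOMAINS):
    """One record per message id passed as 'local or whitelisted' although the
    client IP is not a permitted relay and the recipient domain is not local."""
    local = {d.lower() for d in local_domains.split("|") if d}
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or "local or whitelisted" not in m["rest"]:
            continue
        if ip_in_prefixes(m["ip"], relay_prefixes):
            continue  # host is allowed to relay
        if domain_of(m["rcpt"]) in local:
            continue  # inbound mail for a local domain, not a relay
        hits.setdefault(m["id"], {k: m[k] for k in ("id", "ts", "ip", "sender", "rcpt")})
    return list(hits.values())

if __name__ == "__main__":
    for hit in find_suspect_relays(SAMPLE_LOG):
        print(hit)
```

Each hit is a message id to feed into the analyzer the reply mentions, together with its full headers.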
