Hello Martin Gregorie,

On 2011-04-26 23:59:23, you hacked the following down:
> Now I'm confused. AFAIK SA doesn't have any connection with AS112
> lookups as either client or server - unless there's a plugin that hasn't
> been mentioned on this list since I joined. If I'm wrong about this I
> expect somebody will speak up and correct me....
Hmm, there are some enterprises or such which are checking ALL Received:
headers using spamassassin instead of checking the most recent SMTP relay,
and they are bouncing my messages because I send my messages over my
intranet server to my SMTP relay:

  192.168.0.91   Workstation
  192.168.0.69   Intranet Server
  78.47.247.21   Mail-Relay
  x.y.z.n        some_other_destination_server

and if I send the mail like

  192.168.0.91   Workstation
  78.47.247.21   Mail-Relay
  x.y.z.n        some_other_destination_server

then it works. And it is definitively spamassassin which scores my mail
VERY high, which leads to rejecting my messages.

Since not all incoming messages (I use fetchmail) have this AS112 problem,
I see that the messages triggering the UDP flooding alert are sent, like
my messages, from a network with an internal mail server. So, the
UDP-Synflood is triggered by

  10.a.b.c       some_workstation
  10.d.e.f       some_other_sending_server
  w.x.y.z        PUBLIC_MAIL_RELAY
  78.47.247.21   mail.tamay-dogan.net
                 fetchmail
                 procmail
                 spamassassin
  192.168.0.69   Intranet Server

which means MY spamassassin is trying to resolve something which cannot
be resolved instead of resolving <w.x.y.z> only.

> If SA is involved I'd expect that means that your 'trusted_networks'
> list is missing an entry. Should 10.165.11.117 be included in the
> 'trusted_networks' list?

This does not work, because I get spam originating from private IPs like
the schematic above.

> Can you look at logs and/or run Wireshark to verify that (a) your system
> is generating AS112 messages and, if it is generating them,

I will check this...

> (b) see
> where they are coming from? If this traffic is due to SA doing UBL
> lookups, Wireshark should soon show that's the case.

Since the UDP-Synflood mail claims it comes from 192.168.0.69 requesting
port 53, it can only be spamassassin, because there are no other tools
making such requests. OK, courier-mta is installed too and sends
messages, but I suspect it is courier-mta.
> > Note 1: It was someone who told me it is "as112" flooding
>
> Does this mean that there may not be an AS112 server anywhere in your
> intranet?

No, because to install an AS112 server you need a BGP router like Quagga,
which I do not have on my GSM connection.

> I meant just to make sure that all IPs that you consider part of your
> intranet are in zone files on your internal DNS (192.168.0.74) and to

I have the full zone here, like:

[michelle.konzack@michelle1:~] dig ANY samba3.private.tamay-dogan.net @dns.private.tamay-dogan.net
;; Truncated, retrying in TCP mode.
samba3.private.tamay-dogan.net. 14400 IN A 192.168.0.69
samba3.private.tamay-dogan.net. 14400 IN RRSIG A 5 4 14400 20110517193357 20110417193357 47103 private.tamay-dogan.net. 232IGPI2+iY4EJxDZ510rClcIw6jJvyq7Bqs7Rf33PeayvcezVbiuRTY cZtJtykajeEj9tFYgnvYRu1gRhBPC7Gky8a5IEx2FbfpoZMdV72bMOoz RLYzghlmVv22PIR5PSZbUwwviktHj2YnDHYxebIYYzsxsK+0u7p2oK5a /EU=
samba3.private.tamay-dogan.net. 14400 IN TXT "Home\; 17 GByte left"
samba3.private.tamay-dogan.net. 14400 IN RRSIG TXT 5 4 14400 20110517193357 20110417193357 47103 private.tamay-dogan.net. hAp4yL08LVy9er1tzu1/FVvepclLBThvo7y77uANPRYj4qW6vn76vwAs relBx+T5abj1l/C/NGXaffZWUMResVRbCIHrnkcpUH4iT4pyDOJregW5 PM90TTxsctrh8gIMMuwYWR2zCcBzcYc41ju1f5cvGoc+XCadoCuNHOOo eMk=
samba3.private.tamay-dogan.net. 86400 IN NSEC syslog.private.tamay-dogan.net. A TXT RRSIG NSEC
samba3.private.tamay-dogan.net. 86400 IN RRSIG NSEC 5 4 86400 20110517193357 20110417193357 47103 private.tamay-dogan.net. QDngx6RhADo1rab2/7SSJR9wgdy+eHCZeEWGtbGufQrAI799o0xuxyFs gzcLw8zdTkhXR6n/ySollmXBnuGBkZtiyKMVIPU8WfaxFFDwKajZG/m8 f7gbZfG/XzuzpYQJEOIfvehHE2e9bCzuFfczKa9sws0plf9ZPurrSH9U 3pM=
private.tamay-dogan.net. 3600 IN NS dns.private.tamay-dogan.net.
dns.private.tamay-dogan.net. 14400 IN A 192.168.0.74

[michelle.konzack@michelle1:~] dig ANY -x 192.168.0.69
69.0.168.192.in-addr.arpa. 38400 IN PTR samba3.private.tamay-dogan.net.
0.168.192.in-addr.arpa. 38400 IN NS dns.private.tamay-dogan.net.
dns.private.tamay-dogan.net. 14400 IN A 192.168.0.74

as you can see, even DNSSEC is working properly.

> add any that are missing. I do exactly that because I find it easier to
> maintain one zone file on a local DNS than to fiddle with dynamic
> addressing or to maintain /etc/hosts files for the various boxes on my
> fairly small network, not to mention boxes that don't have accessible
> host files, e.g. my SB Touch.

I do this for exactly the same reason... OK, I have 12 servers and 3
workstations here, but /etc/hosts is no option.

> However, as changing SA's trusted_networks list is easier to do, I'd try
> that first.

I do not know whether I should do this, because the 10.x.y.z comes from
my ISP (Telefonica/O2) and from the view of my network, it is OUTSIDE.

> Martin

Thanks, Greetings and nice Day/Evening
    Michelle Konzack

-- 
##################### Debian GNU/Linux Consultant ######################
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsystems@tdnet France EURL          itsystems@tdnet UG (limited liability)
Owner Michelle Konzack               Owner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz                    Kinzigstraße 17
67100 Strasbourg/France              77694 Kehl/Germany
Tel: +33-6-61925193 mobil            Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

<http://www.itsystems.tamay-dogan.net/>  <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/>     <http://www.can4linux.org/>

Jabber linux4miche...@jabber.ccc.de
ICQ    #328449886
Linux-User #280138 with the Linux Counter, http://counter.li.org/
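A worked illustration of the trust walk this exchange is about, added here as an example; it is neither code from this e-mail nor SpamAssassin's own implementation. It models trusted_networks as a boundary walked from the most recent Received: header downward (a simplification, an assumption about SA's behaviour rather than its code), runs it over constructed headers that follow the relay chain sketched above (10.x workstation and sending MTA, a public relay, the recipient's relay, fetchmail into the intranet host), and reports which untrusted hops carry RFC 1918 addresses. Those are the reverse lookups that a resolver without locally served RFC 1918 reverse zones forwards toward the AS112 sink servers. The function names and the documentation-range addresses (203.0.113.21, 198.51.100.7) are mine.

```python
import ipaddress
import re

# Constructed sample headers (not from the original message), following the
# relay chain described in the thread: workstation and sending MTA on 10.x
# addresses, the sender's public relay, the recipient's relay, and finally
# fetchmail delivering into the intranet host that runs SpamAssassin.
SAMPLE_HEADERS = """\
Received: from mail.example.net (mail.example.net [203.0.113.21])
\tby intranet.example.net with POP3 (fetchmail); Tue, 26 Apr 2011 22:10:05 +0000
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
\tby mail.example.net with ESMTP; Tue, 26 Apr 2011 22:10:01 +0000
Received: from mta.sender.example (mta.sender.example [10.20.30.40])
\tby relay.sender.example with ESMTP; Tue, 26 Apr 2011 22:09:58 +0000
Received: from workstation (workstation [10.20.30.5])
\tby mta.sender.example with ESMTP; Tue, 26 Apr 2011 22:09:55 +0000
"""

# One Received: header including its folded continuation lines.
RECEIVED_RE = re.compile(r"^Received:(.*?)(?=^Received:|\Z)", re.M | re.S)
# The bracketed literal is the address the receiving MTA actually saw.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# RFC 1918 space only; ipaddress.is_private would also flag documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def received_ips(headers):
    """Relay addresses in header order, i.e. most recent hop first."""
    ips = []
    for block in RECEIVED_RE.finditer(headers):
        found = IP_RE.search(block.group(1))
        if found:
            ips.append(ipaddress.ip_address(found.group(1)))
    return ips


def parse_networks(spec):
    """Parse a space-separated trusted_networks value into network objects."""
    return [ipaddress.ip_network(n, strict=False) for n in spec.split()]


def relay_classification(headers, trusted_networks):
    """Simplified trust walk (an assumption about SA's behaviour, not its code):
    hops are trusted from the top down until the first address outside
    trusted_networks; every hop below that boundary stays untrusted, even if
    its address would match the list."""
    nets = parse_networks(trusted_networks)
    inside = True
    result = []
    for ip in received_ips(headers):
        if inside and not any(ip in net for net in nets):
            inside = False
        result.append((str(ip), inside))
    return result


def leaking_lookups(headers, trusted_networks):
    """Untrusted hops with RFC 1918 addresses: reverse lookups for these have
    no public answer and, unless the local resolver serves the in-addr.arpa
    zones itself, are forwarded toward the AS112 sink servers."""
    return [ip for ip, trusted in relay_classification(headers, trusted_networks)
            if not trusted and is_rfc1918(ipaddress.ip_address(ip))]


if __name__ == "__main__":
    for conf in ("203.0.113.21", "203.0.113.21 10.0.0.0/8"):
        print(f"trusted_networks {conf}")
        for ip, trusted in relay_classification(SAMPLE_HEADERS, conf):
            print(f"  {ip:<15} {'trusted' if trusted else 'untrusted'}")
        print("  private addresses that would be looked up:",
              leaking_lookups(SAMPLE_HEADERS, conf))
```

Running it shows the point made in the reply: adding 10.0.0.0/8 to trusted_networks changes nothing, because the trust boundary is already crossed at the sender's public relay and the 10.x hops below it stay untrusted. The mitigation on the resolver side is the one RFC 6303 recommends, serving the RFC 1918 reverse zones locally so that these queries are answered (with NXDOMAIN) inside the network instead of leaving it; the 0.168.192.in-addr.arpa zone shown above already does this for 192.168.0.0/24, while the 10.in-addr.arpa queries are the ones still escaping.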