Anti-Spam SMTP Proxy Server

Hello all,

long time, no write.

I am at a pretty desperate situation at the moment where,
somehow, on an installation of mine, they managed to get hold
of the boss address (of all addresses) and they send spam
to the outside world.

I tried most tricks, including changing the users' password
(didn't work), veryfying the local subnets should send mail
only and not foreign ones etc.

However, assp kept spewing spam.
I was forced to shut it down and operate the mail
server directly on port 25.

This is a CentOS 5.3 i386 server with assp v1.7.5.7 (1.0.07).

What can I do ?
Should I scrap the existing assp installation and start from scratch ?

Any help would be nice.

Thank you in advance,

Spyros

Re: [Assp-test] Version change problems From: Nicole Hähnel <ml@ni...> - 2012-12-14 10:03 I changed listenPort to 25, without the public ip. Now I see Connected: 75.260.171.165:44645 > xx.xx.xx.xx:25 > 127.0.0.1:33090 > 127.0.0.1:1025 , 16-17 instead of Connected: 75.260.171.165:44644 > xx.xx.xx.xx:25 > 127.0.0.1:26031 > 127.0.0.1:125 , 18-19 So it should be, but this conflicts with our relay port 127.0.0.2:25. According the example, I can write the ip address in front of the port, but this results in changing the mailrouting. Kind regards, Nicole Am 13.12.2012 23:12, schrieb Fritz Borgstedt: > ASSP development mailing list <assp-test@...> > schreibt: >> Listening for additional SMTP connections on listenPort2 >> >> Listening for additional SMTP connections > > is missing for example in the log of V2 > > What is in your listenPort and listenport2 > > ------------------------------------------------------------------------------ > LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial > Remotely access PCs and mobile devices and provide instant support > Improve your efficiency, and focus on delivering more value-add services > Discover what IT Professionals Know. Rescue delivers > http://p.sf.net/sfu/logmein_12329d2d > _______________________________________________ > Assp-test mailing list > Assp-test@... > https://lists.sourceforge.net/lists/listinfo/assp-test >

Re: [Assp-test] Version change problems From: Nicole Hähnel <ml@ni...> - 2012-12-14 11:09 I wrote it xx.xx.xx.xx:25, but this caused the mailrouting problem. Am 14.12.2012 11:54, schrieb Fritz Borgstedt: > ASSP development mailing list <assp-test@...> > schreibt: >> So it should be, but this conflicts with our relay port 127.0.0.2:25. >> According the example, I can write the ip address in front of the >> port, >> but this results in changing the mailrouting. > You can write an interface, so write 127.0.0.1:25 > > ------------------------------------------------------------------------------ > LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial > Remotely access PCs and mobile devices and provide instant support > Improve your efficiency, and focus on delivering more value-add services > Discover what IT Professionals Know. Rescue delivers > http://p.sf.net/sfu/logmein_12329d2d > _______________________________________________ > Assp-test mailing list > Assp-test@... > https://lists.sourceforge.net/lists/listinfo/assp-test >

Re: [Assp-test] Version change problems From: Nicole Hähnel <ml@ni...> - 2013-01-13 15:03 Am 14.12.2012 12:24, schrieb Fritz Borgstedt: > ASSP development mailing list <assp-test@...> > schreibt: >> I wrote it xx.xx.xx.xx:25, but this caused the mailrouting problem. > > But you wrote your public ip. did you try 127.0.0.1:25 > Yes, assp hast to listen on the public ip. There is obviously a bug in 2.2.2(12343) concerning mail routing and smtp listen port. When I have only the port 25 in there, I get the right routing: 209.85.212.171:54541 > public-IP:25 > 127.0.0.1:44602 > 127.0.0.1:1025 When I have my public-IP:25 in smtp listening port assp proxies to the relay host not the internal mail server: 209.85.212.171:43826 > public-IP:25 > 127.0.0.1:37552 > 127.0.0.1:125 127.0.0.1:125 is my relay host configured in assp and this is wrong. Regards, Nicole

Re: [Assp-test] Version change problems From: Fritz Borgstedt <fb@iw...> - 2013-01-13 17:07 ASSP development mailing list <assp-test@...> schreibt: >When I have only the port 25 in there, I get the right routing: If you have 25 only in listenPort, it will cover all interfaces with port 25: it will receive all connections to port 25 regardless of IP.

Re: [Assp-test] Antwort: Re: Antwort: Re: Version change problems From: Nicole Hähnel <ml@ni...> - 2013-01-14 17:26 I used this config with 127.0.0.x already the last two years with version 1.x. Why should I change this now? I have only one public ip on this server. Adding private ip addresses makes the firewall concept obsolete. Am 14.01.2013 17:22, schrieb Fritz Borgstedt: > ASSP development mailing list <assp-test@...> > schreibt: >> listenPort=publicIP:25 >> smtpDestination=127.0.01:1025 >> relayHost=127.0.0.1:125 >> relayPort=127.0.0.2:25 >> localDomains=ourLocalDomain > Please use: > listenPort=publicIP:25 > smtpDestination=privateIP:1025 > relayHost=privateIP:125 > relayPort=privateIP:25 > > Do not use 127.0.0.x > > ------------------------------------------------------------------------------ > Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, > MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current > with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft > MVPs and experts. SALE $99.99 this month only -- learn more at: > http://p.sf.net/sfu/learnmore_122412 > _______________________________________________ > Assp-test mailing list > Assp-test@... > https://lists.sourceforge.net/lists/listinfo/assp-test >

Re: [Assp-test] Antwort: Re: Antwort: Re: Version change problems From: Fritz Borgstedt <fb@iw...> - 2013-01-14 17:45 ASSP development mailing list <assp-test@...> schreibt: >Adding private ip addresses makes the firewall concept obsolete. Why that?

Re: [Assp-test] Antwort: Re: Antwort: Re: Version change problems From: Fritz Borgstedt <fb@iw...> - 2013-01-14 17:47 ASSP development mailing list <assp-test@...> schreibt: >Adding private ip addresses makes the firewall concept obsolete. Adding one private address makes your firewall obsolete? Ok, then I am out.

Re: [Assp-test] Antwort: Re: Antwort: Re: Version change problems From: Nicole Hähnel <ml@ni...> - 2013-01-14 18:41 Confusing... I had no problems the last two years with version 1.x - 1.8 and relayHost=127.0.0.2:25. The problems appeared with version 1.9.x and 2.2.x. While I changed only the version, not the config. The server is a VM in a DMZ with one public ip and only one interface. How should I use private ip addresses? Adding two more interfaces without connecting to the lan? If I connect an interface to the internal lan, it is if I connect the DMZ to the lan without a firewall in between. This is not desired. Am 14.01.2013 18:53, schrieb Fritz Borgstedt: > ASSP development mailing list <assp-test@...> > schreibt: >> I used this config with 127.0.0.x already the last two years with >> version 1.x. >> Why should I change this now? > In V1 127.0.0.2 will not work. Because 127.0.0.1-127.0.0.8 are all the > same address. > > RFC 3330 - Special-Use IPv4 Addresses > 127.0.0.0/8 - This block is assigned for use as the Internet host > loopback address. A datagram sent by a higher level protocol to an > address anywhere within this block should loop back inside the host. > This is ordinarily implemented using only 127.0.0.1/32 for loopback, > but no addresses within this block should ever appear on any network > anywhere [RFC1700, page 5]. > > > > ------------------------------------------------------------------------------ > Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, > MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current > with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft > MVPs and experts. SALE $99.99 this month only -- learn more at: > http://p.sf.net/sfu/learnmore_122412 > _______________________________________________ > Assp-test mailing list > Assp-test@... > https://lists.sourceforge.net/lists/listinfo/assp-test >

Re: [Assp-test] Antwort: Re: Antwort: Re: Version change problems From: Fritz Borgstedt <fb@iw...> - 2013-01-14 20:09 I do not understand your config, please send me an old working assp.config fb at iworld.de

Re: [Assp-test] assp spawning spam From: Fritz Borgstedt <fb@iw...> - 2013-05-21 16:30 Spyros Mailinglists <mlspyros@...> schreibt: >Should I scrap the existing assp installation and start from scratch ? May be you should update to 1.99 ?

Re: [Assp-test] assp spawning spam From: Spyros Mailinglists <mlspyros@ya...> - 2013-05-21 18:11 > ----- Original Message ----- > From: Fritz Borgstedt <fb@...> > To: assp-test <assp-test@...> > Cc: > Sent: Tuesday, 21 May 2013, 19:26 > Subject: Re: [Assp-test] assp spawning spam >  > Spyros Mailinglists <mlspyros@...> schreibt: > >Should I scrap the existing assp installation and start from scratch ? >  >  > May be you should update to 1.99 ? Hi Fritz, so you suggest that if I upgrade to the latest and greatest version of assp, the issue will go away ? Is that all ? Is there a rough guide on how to do this on a live system ? Something like a "quick-start" guide ? Or do I just drop the assp v1.9 files on the same folder and upgrade ? It's been years since I've last done this. And always used to do installs not upgrades. Regards, s.

[Assp-test] assp spawning spam From: Spyros Mailinglists <mlspyros@ya...> - 2013-05-22 09:30 I would like to thank all the kind people who helped on this. Especially Fritz. I don't know if this is on the same issue. However, I noticed that sending e-mail, even on the local domain is painfully slow since the troubles began. Can I do something to remedy this ? Thank you again, spyros

Re: [Assp-test] assp spawning spam From: Fritz Borgstedt <fb@iw...> - 2013-05-22 10:12 Spyros Mailinglists <mlspyros@...> schreibt: >Can I do something to remedy this ? You have to find the intruder. Look into the header of such a mail: you will see many Received headers. It goes multiple times through your servers.

Re: [Assp-test] Need guide on how to do upgrade to the latest version of assp Re: assp spawning spam From: Victor Miasnikov <vvm@tu...> - 2013-05-22 10:16 Hi! > upgrade to the latest and greatest version of assp > Is there a rough guide on how to do this ( VVM:upgade ) on a live system ? 0) Stop ASSP service/daemon 1) Do backup assp.cfg ( best -- all assp folders) 2a) Copy aspp.cfg to aspp.cfg-0 2) Rename aspp.pl to assp.pl-0 3) Upgrade assp.pl ( and *.pl from plugins and lib ) 4) Start ASSP service/daemon X) Look on "diff -u aspp.cfg-0 aspp.cfg | more" Y) RTFM news about changed parametrs, if need -- change it Z) Optional: Look on "diff -u aspp.pl-0 aspp.pl | more" ZZ) Start ASSP service/daemon > Subj: assp spawning spam > on an installation of mine >they managed to get hold of the boss address (of all addresses) >and they send spam to the outside world. "they" -- is who? Computer with antispam? Or computers of internal users? "managed to get hold of all addresses" -- list of all local e-mail addresses leak to who? Or? > that sending e-mail, even on the local domain is painfully slow > since the troubles began. > This is a CentOS 5.3 i386 server with assp ( VVM: on today v1.99 ) v1.7.5.7 (1.0.07). > What can I do ? > Should I scrap the existing assp installation and start from scratch ? a) You can use LAN sniffer? Best on _different_ comp what possible compromissed by hacker server? b) CentOS 5.3 -- is _very_ old, and 99.99% has security holes Are you shue, what real owner of Yors server is not external hacker? May be can sence: "scrap the existing OS installation and start from scratch" ? Best regards, Victor Miasnikov Blog: http://vvm.blog.tut.by/ P.S. Are You see this e-mail msg. ? ----- Original Message ----- From: "Victor Miasnikov" To: "Spyros Mailinglists" Sent: Tuesday, May 21, 2013 5:11 PM Subject: Re: [-A-s-s-p- t-e-st] assp spawning spam > Hi! > >> Any help would be nice. > > Actual? > > > Best regards, Victor Miasnikov ----- Original Message ----- From: "Spyros Mailinglists" To: "assp-test" Sent: Wednesday, May 22, 2013 12:30 PM Subject: [Assp-test] assp spawning spam >I would like to thank all the kind people who helped on this. > Especially Fritz. > > I don't know if this is on the same issue. > However, I noticed > that sending e-mail, even on the local domain is painfully slow > since the troubles began. > > Can I do something to remedy this ? > > Thank you again, > > spyros

Re: [Assp-test] Need guide on how to do upgrade to the latest version of assp From: Fritz Borgstedt <fb@iw...> - 2013-05-22 10:38 ASSP development mailing list <assp-test@...> schreibt: >0) Stop ASSP service/daemon >1) Do backup assp.cfg ( best -- all assp folders) >2a) Copy aspp.cfg to aspp.cfg-0 >2) Rename aspp.pl to assp.pl-0 >3) Upgrade assp.pl ( and *.pl from plugins and lib ) >4) Start ASSP service/daemon >X) Look on "diff -u aspp.cfg-0 aspp.cfg | more" >Y) RTFM news about changed parametrs, if need -- change it >Z) Optional: Look on "diff -u aspp.pl-0 aspp.pl | more" > >ZZ) Start ASSP service/daemon Or use AutoUpdate and AutoUpdateNow.

Re: [Assp-test] Need guide on how to do upgrade to the latest version of assp Re: assp spawning spam From: Grayhat <grayhat@gm...> - 2013-05-22 11:02 > > Subj: assp spawning spam > > on an installation of mine > >they managed to get hold of the boss address (of all addresses) > >and they send spam to the outside world. > > "they" -- is who? > Computer with antispam? > Or computers of internal users? I suspect that someone "bruteforced" or either obtained by other means (a virus, phishing...) the email credentials and is now using them to authenticate and spit out junk; there are a couple settings in ASSPv2 which I'd recommend to avoid such issues; first of all, the "rate limiter" which allows you to configure the max number of messages per time interval which a given account can send; start by setting up it this way LocalFrequencyInt:=1800 LocalFrequencyNumRcpt:=120 LocalFrequencyOnly:= NoLocalFrequency:=file:files/nolocalfrequency.txt and configure the "files/nolocalfrequency.txt" file to contain just the local assp address (used to send reports and so on); also, ensure that the "notification email to" (Notify) under "logging" contains a valid address since ASSP will then send infos about senders tripping over the rate limiter to such an address; next, edit "lib\CorrectASSPcfg.pm" and add it (or uncomment) the following $main::AUTHLogUser = 1; save the file and restart ASSP, the above tells ASSP to log a line to the maillog containing a given authenticated user "name", this way, you'll be able to check "who" is logging (or trying to log) into your box... then, sit back and monitor your ASSP for a while

Re: [Assp-test] assp spawning spam From: Spyros Mailinglists <mlspyros@ya...> - 2013-05-22 11:20 Hi again Fritz, Thanks for this : > >Can I do something to remedy this ? >  > You have to find the intruder. >  > Look into the header of such a mail: you will see many Received headers.  It goes multiple times through your servers. This is a header from an e-mail initiated in the internal domain to the internal domain : ------------------------------------------------ X-Assp-Version: 1.7.5.7(1.0.07) on mailgate.domain.gr X-Assp-ID: mailgate.domain.gr 17742-01546 X-Assp-Intended-For: userA@... X-Assp-Envelope-From: userB@... received: from [10.0.10.29] ([10.0.10.29] helo=[10.0.10.29]) with IPv4:25 by mailgate.domain.gr; 22 May 2013 13:15:42 +0300 Message-ID: <519C9ACB.2060500@...> Date: Wed, 22 May 2013 13:15:39 +0300 From: User B <userB@...> User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130509 Thunderbird/17.0.6 MIME-Version: 1.0 To: user A <userA@...> Subject: Fwd: special offer for june References: <9C9D3732512F4779A8D680C19B839BD4@...> In-Reply-To: <9C9D3732512F4779A8D680C19B839BD4@...> X-Forwarded-Message-Id: <9C9D3732512F4779A8D680C19B839BD4@...> Content-Type: multipart/alternative;  boundary="------------050707000807000400000208" This is a multi-part message in MIME format. --------------050707000807000400000208 Content-Type: text/plain; charset=ISO-8859-7; format=flowed Content-Transfer-Encoding: 7bit -------- Original Message -------- Subject: special offer for june Date: Wed, 22 May 2013 11:29:08 +0300 From: Someone outside - Front Office <reservations@...> To: user B <userB@...> Dear Partners, We would like to give you a special offer -15% valid from today  for all  new reservations, non cumulative with any other offer, for arrivals  until 24/6. We hope that this offer will push your sales and we count on your  support for an increase on your bookings. Best Regards ------------------------------------------------ (and so on) This is a message that got forwarded from user B to user A inside the same domain/subnet. I, for one, don't see anything suspicious in the mail headers. Regards and thank you, spyros

Re: [Assp-test] Need guide on how to do upgrade to the latest version of assp From: Spyros Mailinglists <mlspyros@ya...> - 2013-05-22 11:29 > ASSP development mailing list <assp-test@...> > schreibt: > >0) Stop ASSP service/daemon > >1) Do backup assp.cfg ( best -- all assp folders) > >2a) Copy aspp.cfg to aspp.cfg-0 > >2) Rename aspp.pl to assp.pl-0 > >3) Upgrade assp.pl ( and *.pl from plugins and lib ) > >4) Start ASSP service/daemon > >X) Look on "diff -u aspp.cfg-0 aspp.cfg | more" > >Y) RTFM news about changed parametrs, if need -- change it > >Z) Optional:  Look on "diff -u aspp.pl-0 aspp.pl | more" > > > >ZZ) Start ASSP service/daemon >  >  > Or use AutoUpdate and AutoUpdateNow. I am willing to do this , however I suspect trickery and anxiety  when it will come to the perl modules. We'll see. Thanks, s.

Re: [Assp-test] Need guide on how to do upgrade to the latest version of assp Re: assp spawning spam From: Spyros Mailinglists <mlspyros@ya...> - 2013-05-22 11:40 Hello, > ----- Original Message ----- > From: Grayhat <grayhat@...> > To: assp-test@... > Cc: > Sent: Wednesday, 22 May 2013, 14:02 > Subject: Re: [Assp-test] Need guide on how to do upgrade to the latest version of assp Re: assp spawning spam >  >  > > > Subj: assp spawning spam > > > on an installation of mine > > >they managed to get hold of the boss address (of all addresses) > > >and they send spam to the outside world. > > > > "they"  -- is who?   The "bad" guys :-) > > Computer with antispam?   Computers with no anti-spam since I am using assp on the "gateway". > > Or computers of internal users? Computers of internal users if I can understand the question correctly. > I suspect that someone "bruteforced" or either obtained by other means > (a virus, phishing...) the email credentials and is now using them to > authenticate and spit out junk; there are a couple settings in ASSPv2 That's what I though at the beginning and swiftly changed the boss'  password with a very complicated one. ASSP kept sending spam. After a lot of hunting and with fritzs' help, I realised I had 127.0.0.1  able to send smtp to the outside world, so I took it out of the config. I put the old password back and it doesn't send spam anymore (since I took away 127.0.0.1 from being able to send mail). > which I'd recommend to avoid such issues; first of all, the "rate > limiter" which allows you to configure the max number of messages per > time interval which a given account can send; start by setting up it > this way >  > LocalFrequencyInt:=1800 > LocalFrequencyNumRcpt:=120 > LocalFrequencyOnly:= > NoLocalFrequency:=file:files/nolocalfrequency.txt >  > and configure the "files/nolocalfrequency.txt" file to contain just the > local assp address (used to send reports and so on); also, ensure that > the "notification email to" (Notify) under "logging" contains a valid > address since ASSP will then send infos about senders tripping over the > rate limiter to such an address; next, edit "lib\CorrectASSPcfg.pm" and > add it (or uncomment) the following >  > $main::AUTHLogUser = 1; >  In regards to ASSPs' version . Which one should I use if I upgrade ? Should I use v1.98 as Fritz suggests or should I go straight for v2.2.x which, I think, is the latest ? > save the file and restart ASSP, the above tells ASSP to log a line to > the maillog containing a given authenticated user "name", this way, > you'll be able to check "who" is logging (or trying to log) into your > box... then, sit back and monitor your ASSP for a while Thank you very much, spyros

[Assp-test] Yes, but how about: RTFM news about changed parameters Re:Or use AutoUpdate and AutoUpdateNow. Re: Need guide on how to do upgrade to the latest version of assp From: Victor Miasnikov <vvm@tu...> - 2013-05-22 11:53 Hi! > Or use AutoUpdate and AutoUpdateNow. Yes, but how about: >>X) Look on "diff -u aspp.cfg-0 aspp.cfg | more" >>Y) RTFM news about changed parameters, if need -- change it Best regards, Victor Miasnikov Blog: http://vvm.blog.tut.by/

Re: [Assp-test] Need guide on how to do upgrade to the latest version of as From: Fritz Borgstedt <fb@iw...> - 2013-05-22 12:06 Spyros Mailinglists <mlspyros@...> schreibt: > >I am willing to do this , however I suspect trickery and anxiety >when it will come to the perl modules. There are no new modules necessary from 1.75 to 1.99.

Re: [Assp-test] Yes, but how about: RTFM news about changed parameters Re:Or use From: Fritz Borgstedt <fb@iw...> - 2013-05-22 12:15 ASSP development mailing list <assp-test@...> schreibt: >>>Y) RTFM news about changed parameters, if need -- change it We are talking here about autoupdate from from V1 1.75 to v1 1.99. It is not like V1 to V2. If there are new options, they have a reasonable default. Big changes are listed in changelog.txt

Re: [Assp-test] Need guide on how to do upgrade to the latest version of assp From: Fritz Borgstedt <fb@iw...> - 2013-05-22 12:31 >> address since ASSP will then send infos about senders tripping over the >> rate limiter to such an address; next, edit "lib\CorrectASSPcfg.pm" and >> add it (or uncomment) the following >> >> $main::AUTHLogUser = 1; This is valid for V2 only. In V1 it is simple to activate the checkbox before Control Outgoing:AUTHLogUser

Re: [Assp-test]  From: Spyros Mailinglists <mlspyros@ya...> - 2013-05-22 13:42 ok, Thanks for this. That's why you suggest i should go 1.99 and not 2.x s. ----- Original Message ----- From: Fritz Borgstedt <fb@...> To: ASSP development mailing list <assp-test@...> Cc: Sent: Wednesday, 22 May 2013, 15:02 Subject: Re: [Assp-test] Need guide on how to do upgrade to the latest version of as Spyros Mailinglists <mlspyros@...> schreibt: > >I am willing to do this , however I suspect trickery and anxiety >when it will come to the perl modules. There are no new modules necessary from 1.75 to 1.99. ------------------------------------------------------------------------------ Try New Relic Now & We'll Send You this Cool Shirt New Relic is the only SaaS-based application performance monitoring service that delivers powerful full stack analytics. Optimize and monitor your browser, app, & servers with just a few lines of code. Try New Relic and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may _______________________________________________ Assp-test mailing list Assp-test@... https://lists.sourceforge.net/lists/listinfo/assp-test

14 messages have been excluded from this view by a project administrator.

Next Messages