For some time I had in my acceptall, ::ffff:x.x.x.x, where x.x.x.x is a specific IP address of mine. It seems that ASSP has a potential bug in how it matches that address. It seems to match via wildcard vs the actual address.
This ended up causing a gaping hole, and made my mail server an open relay, bypassing smtp auth, SPF, etc. Hundreds of spam emails... It did not stop till I removed the entry from my accept all. After which I noticed something quite interesting that I think shows the problem.

assp.pl[2670]: [Worker_1] [SSL-in] [TLS-out] ::ffff:87.100.250.136 info: PB-IP-Score for '0:0:0:0:0:0:0:0' is 600, added 60 in this session
assp.pl[2670]: [Worker_1] [SSL-in] ::ffff:79.100.72.131 info: PB-IP-Score for '0:0:0:0:0:0:0:0' is 675, added 60 in this session
assp.pl[2670]: [Worker_1] [SSL-in] [TLS-out] [MaxAUTHErrors] ::ffff:159.148.200.200 too many (5) AUTH errors from 0:0:0:0:0:0:0:0

For some reason it turns ::ffff:x.x.x.x into 0:0:0:0:0:0:0:0. Which explains why email from any ::ffff: address was being allowed. It was not matching my entry, but instead considered my entry to be a wildcard. This was making the penalty box go crazy. As any ::ffff: address was triggering that and increasing the score for 0:0:0:0:0:0:0:0

Now this is not the case in all places. The first below is rejected per the IPv4 address being in denySMTPConnectionsFromAlways.

::ffff:77.70.127.148 <[email protected]> to: [email protected] blocked by denySMTPConnectionsFromAlways strict: 77.70.0.0/17

http://dpaste.com/3N6X04G ( will remain for 1 yr )

However the next comes through. So in some places it is matching the IPv4 portion. In other places it becomes a wildcard.

http://dpaste.com/3BJPRQN ( will remain for 1 yr )

I have closed my hole by removing the one ::ffff:x.x.x.x entry I had in my acceptall. I think I should be able to have that address there and it should match the IPv4 portion. Which presently it does not seem to. If you need further information to look into this let me know.

I cannot replicate how the spam was sent. That alone is quite interesting and still looking into how it reached my servers that way. I have ASSP listening on both IPv4 and IPv6. Seems like the connection came as IPv6 mapped IPv4. But that should not be routable or seen. Other software that listens on only IPv6, never has the ::ffff: portion. Pretty odd!

-- 
William L. Thomson Jr.
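
An added example, not part of the original message and not ASSP code: one way to match IPv4-mapped peers (::ffff:a.b.c.d) against an allow list so that an entry matches only its own IPv4 address, and an entry or peer that collapses to 0:0:0:0:0:0:0:0 fails closed instead of acting as a wildcard. The function names and the documentation address 192.0.2.10 (standing in for x.x.x.x) are assumptions made for illustration.

```python
import ipaddress

def canonical(addr):
    """Parse a peer address and strip the IPv4-mapped (::ffff:a.b.c.d) wrapper."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip

def parse_entry(entry):
    """Parse one allow-list entry; refuse anything that would match everything."""
    net = ipaddress.ip_network(entry, strict=False)
    if net.version == 6 and net.prefixlen >= 96:
        mapped = net.network_address.ipv4_mapped
        if mapped is not None:
            # ::ffff:a.b.c.d/N is the IPv4 network a.b.c.d/(N-96)
            net = ipaddress.ip_network(f"{mapped}/{net.prefixlen - 96}", strict=False)
    if net.prefixlen == 0 or net.network_address.is_unspecified:
        raise ValueError(f"entry {entry!r} would act as a wildcard ({net})")
    return net

def load_acl(raw_entries):
    """Return (accepted networks, rejected entries with the reason)."""
    accepted, rejected = [], []
    for raw in raw_entries:
        try:
            accepted.append(parse_entry(raw))
        except ValueError as exc:
            rejected.append((raw, str(exc)))
    return accepted, rejected

def is_allowed(peer, acl):
    """True only if the canonical peer address falls inside an accepted entry."""
    ip = canonical(peer)
    if ip.is_unspecified:  # a peer that normalizes to all zeros never matches
        return False
    return any(ip.version == net.version and ip in net for net in acl)

if __name__ == "__main__":
    # Constructed allow list: one real entry plus two wildcard-like entries.
    acl, rejected = load_acl(["::ffff:192.0.2.10", "0:0:0:0:0:0:0:0", "::ffff:0.0.0.0/96"])
    for raw, reason in rejected:
        print("rejected:", reason)
    # Peers: the listed address in both notations, then addresses seen in the log lines.
    for peer in ["::ffff:192.0.2.10", "192.0.2.10", "::ffff:87.100.250.136",
                 "::ffff:79.100.72.131", "::ffff:159.148.200.200"]:
        print(peer, "->", canonical(peer), "allowed" if is_allowed(peer, acl) else "not allowed")
```
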
