This is fixed in the current development release.
Thomas
From: "William L. Thomson Jr." <[email protected]>
To: [email protected]
Date: 10.02.2017 17:34
Subject: [Assp-user] Possible bug in handling IPv6 mapped IPv4
For some time I had in my acceptall, ::ffff:x.x.x.x, where x.x.x.x is a
specific IP address of mine. It seems that ASSP has a potential bug in how it
matches that address. It seems to match via wildcard vs the actual address.
This ended up causing a gaping hole, and made my mail server an open relay,
bypassing SMTP auth, SPF, etc. Hundreds of spam emails... It did not stop till
I removed the entry from my accept all.
After which I noticed something quite interesting that I think shows the
problem.
assp.pl[2670]: [Worker_1] [SSL-in] [TLS-out] ::ffff:87.100.250.136 info: PB-IP-Score for '0:0:0:0:0:0:0:0' is 600, added 60 in this session
assp.pl[2670]: [Worker_1] [SSL-in] ::ffff:79.100.72.131 info: PB-IP-Score for '0:0:0:0:0:0:0:0' is 675, added 60 in this session
assp.pl[2670]: [Worker_1] [SSL-in] [TLS-out] [MaxAUTHErrors] ::ffff:159.148.200.200 too many (5) AUTH errors from 0:0:0:0:0:0:0:0
For some reason it turns ::ffff:x.x.x.x into 0:0:0:0:0:0:0:0. Which explains
why email from any ::ffff: address was being allowed. It was not matching my
entry, but instead considered my entry to be a wildcard. This was making the
penalty box go crazy. As any ::ffff: address was triggering that and
increasing the score for 0:0:0:0:0:0:0:0.
Now this is not the case in all places. The first below is rejected per the
IPv4 address being in denySMTPConnectionsFromAlways.
::ffff:77.70.127.148 <[email protected]> to: [email protected] blocked by denySMTPConnectionsFromAlways strict: 77.70.0.0/17
http://dpaste.com/3N6X04G ( will remain for 1 yr )
However the next comes through. So in some places it is matching the IPv4
portion. In other places it becomes a wildcard.
http://dpaste.com/3BJPRQN ( will remain for 1 yr )
I have closed my hole by removing the one ::ffff:x.x.x.x entry I had in my
acceptall. I think I should be able to have that address there and it should
match the IPv4 portion. Which presently it does not seem to.
If you need further information to look into this let me know. I cannot
replicate how the spam was sent. That alone is quite interesting and still
looking into how it reached my servers that way. I have ASSP listening on both
IPv4 and IPv6. Seems like the connection came as IPv6 mapped IPv4. But that
should not be routable or seen. Other software that listens on only IPv6,
never has the ::ffff: portion.
Pretty odd!
--
William L. Thomson Jr.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user
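Added example, not part of the original thread and not ASSP code: a Python sketch of the matching behaviour the report asks for, where a ::ffff:a.b.c.d peer or entry is reduced to its IPv4 portion before comparison and an entry that collapses to 0:0:0:0:0:0:0:0 or a /0 is refused instead of acting as a wildcard. The function names are hypothetical and 192.0.2.10 is a constructed stand-in for the poster's x.x.x.x.

```python
import ipaddress

def canonical_ip(text):
    """Parse an address; an IPv4-mapped IPv6 address becomes its IPv4 part."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def parse_entry(entry):
    """Turn one allow-list entry (address or CIDR) into a network object.

    An entry that ends up as the unspecified address or a /0 is rejected,
    so a normalization failure can never become a match-everything rule.
    """
    entry = entry.strip()
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
    else:
        addr = canonical_ip(entry)
        net = ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")
    if net.prefixlen == 0 or net.network_address.is_unspecified:
        raise ValueError(f"refusing catch-all entry: {entry!r}")
    return net

def is_allowed(peer, entries):
    """True only when the canonical peer lies inside an entry of its own family."""
    addr = canonical_ip(peer)
    nets = [parse_entry(e) for e in entries]
    return any(addr.version == n.version and addr in n for n in nets)

if __name__ == "__main__":
    # Constructed data: 192.0.2.10 stands in for the poster's x.x.x.x entry.
    allow = ["::ffff:192.0.2.10"]
    for peer in ("::ffff:192.0.2.10", "192.0.2.10", "::ffff:198.51.100.7"):
        verdict = "allowed" if is_allowed(peer, allow) else "denied"
        print(peer, "->", canonical_ip(peer), verdict)
```

The same canonical form can serve as the per-address key for scoring, so two different ::ffff: peers never share one counter.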