Spam Filter ISP Support Forum


Security problems?

fischer (Newbie, Joined: 05 August 2005)
Posted: 24 September 2005 at 9:45pm

I've got some curious entries in my Spam filter logs. After testing this program for nearly 2 months, I decided to switch all of my client mx records today so that Spam Filter ISP is protecting their email. I did this switch early this morning, and more and more emails are coming through.

At 2:20p, 4:03p, and 7:20p today, I've had 3 sets of 49 entries, with the beginning of each log entry in a particular group 30 seconds apart from the others in that group, that look like this:

09/24/05 14:20:28:885 -- (104284) Connection from: <my SF IP>  -  Originating country : United States
09/24/05 14:20:28:978 -- (104284) Resolving <my SF IP> - Not found
09/24/05 14:20:28:978 -- (104284) Bypassed all rules for: <valid_ client_address> from <unknown_3rd_party_address> ( We Are Sender)
09/24/05 14:20:29:056 -- (104284) EMail from <unknown_3rd_party_address> to <valid_ client_address> was queued. Size: 1 KB, 1024 bytes
09/24/05 14:20:29:056 -- (107472) (107472) Sending email from <unknown_3rd_party_address> to <valid_ client_address>
09/24/05 14:20:29:088 -- (110004) Time to add Msg to Bayes corpus:0
09/24/05 14:20:29:119 -- (104284) Disconnect
09/24/05 14:20:29:306 -- (107472) (107472) EMail from <unknown_3rd_party_address> to <valid_ client_address> was forwarded to <my.mail.server>:25

What I distinguish as a group is different to and from addresses and an actual break in the time sequence.

I've done open relay tests, and I've tried using a pop client to send through SF without success. The only thing that has come close is using SF as the sending server from a pop client actually on the mail server itself. That test produced a log entry very similar to that above. However, I have no indication that I've had a server security breach, and a virus scan turns up nothing out of the ordinary.

Does anyone have anything similar? Do a search on your log files for the phrase "We are sender". That's how I found mine. The reason I thought to look for this was that I watched one come in on the activity log.

This is most puzzling. The fact that it's been exactly 49 messages each time and that each message is 30 seconds apart from the last leads me to believe that it's some sort of program doing this, but I can't seem to find any indication of that. Any help would be most appreciated.



Edited by fischer
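One way to automate the search described in the post above (find the "We Are Sender" bypasses whose connection came from the filter's own IP, then split them into groups by to/from pair and time gap and report each group's size and spacing), written as an added example that is not part of the original post and not SpamFilter's own code; the log lines, session ids, addresses and the 192.0.2.10 filter IP are constructed placeholders in the format the post shows:

```python
import re
from datetime import datetime
# Constructed sample in the post's log format; 192.0.2.10 stands in for "<my SF IP>", 203.0.113.5 is a remote sender.
SAMPLE_LOG = """\
09/24/05 14:20:28:885 -- (104284) Connection from: 192.0.2.10  -  Originating country : United States
09/24/05 14:20:28:978 -- (104284) Bypassed all rules for: user@client.example from other@third-party.example ( We Are Sender)
09/24/05 14:20:58:901 -- (104301) Connection from: 192.0.2.10  -  Originating country : United States
09/24/05 14:20:58:990 -- (104301) Bypassed all rules for: user@client.example from other@third-party.example ( We Are Sender)
09/24/05 14:21:28:900 -- (104330) Connection from: 192.0.2.10  -  Originating country : United States
09/24/05 14:21:28:995 -- (104330) Bypassed all rules for: user@client.example from other@third-party.example ( We Are Sender)
09/24/05 15:10:02:100 -- (104900) Connection from: 203.0.113.5  -  Originating country : United States
09/24/05 15:10:02:200 -- (104900) Bypassed all rules for: user@client.example from other@third-party.example ( We Are Sender)
09/24/05 16:03:11:400 -- (105500) Connection from: 192.0.2.10  -  Originating country : United States
09/24/05 16:03:11:500 -- (105500) Bypassed all rules for: other@client.example from x@third-party.example ( We Are Sender)
"""
LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d):\d{3} -- \((\d+)\) (.*)$")
BYPASS_RE = re.compile(r"Bypassed all rules for: (\S+) from (\S+) \( We Are Sender\)")

def self_relay_events(log_text, sf_ip):
    # (timestamp, recipient, sender) for each "We Are Sender" bypass whose session connected from sf_ip.
    source_by_session, events = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
        session, msg = m.group(2), m.group(3)
        if msg.startswith("Connection from: "):
            source_by_session[session] = msg.split()[2]   # remember the source IP per session id
        b = BYPASS_RE.search(msg)
        if b and source_by_session.get(session) == sf_ip:
            events.append((when, b.group(1), b.group(2)))
    return events

def group_bursts(events, max_gap=120):
    # New group after a silence longer than max_gap seconds or when the to/from pair changes (the post's rule).
    groups = []
    for ev in sorted(events):
        last = groups[-1][-1] if groups else None
        if last and ev[1:] == last[1:] and (ev[0] - last[0]).total_seconds() <= max_gap:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return [{"start": g[0][0], "count": len(g), "to": g[0][1], "from": g[0][2],
             "interval": (g[-1][0] - g[0][0]).total_seconds() / (len(g) - 1) if len(g) > 1 else 0.0}
            for g in groups]

if __name__ == "__main__":
    for g in group_bursts(self_relay_events(SAMPLE_LOG, "192.0.2.10")):
        print(f"{g['start']}: {g['count']} msg(s) every {g['interval']:.0f}s to {g['to']} from {g['from']}")
```

A group of many messages to one recipient at a fixed interval is the signature of a retry loop rather than of a third party relaying, which is what the later reply in this thread turned out to be.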
LogSat (Admin Group, Joined: 25 January 2005, Location: United States)
Posted: 24 September 2005 at 10:37pm
fischer,

SpamFilter by default "trusts" the server it's installed on, and will allow any emails it generates to relay. When an event like this occurs, it's logged with the notation "We Are Sender".

From the log entries you posted, it seems as though your incoming connections do not indicate the original IP of the sender, but rather they show SpamFilter's IP address as the source. This would fall in the category described above, and the email is thus bypassing all rules.

Please note that in order to take full advantage of its filtering abilities, SpamFilter needs to see the original IP address of the sender. Without the original IP address, all DNS/IP based filters, like the MAPS RBL test, the reverse DNS, the SPF filter, the country filter for example, will not work.
To solve your immediate problem however, there is an option in the SpamFilter.ini file that changes the default relay behavior. In the SpamFilter.ini file, look for the following entry:
;by default SpamFilter will not allow any IP to relay thru it. Change DoNotTrustSelfByDefault to 1 if you want localhost to be able to relay
DoNotTrustSelfByDefault=0

and change the value from 0 to 1. That should prevent all of the "Bypassed all rules" behavior.

Roberto Franceschetti

LogSat Software

Spam Filter ISP
fischer (Newbie)
Posted: 25 September 2005 at 10:46pm

Actually, I figured out what this was... SF was trying to resend an email that was being rejected as an invalid address by the mail server. I thought the client had email set up, but it did not. So SF saw it as a valid to address while the mail server didn't.

How do I tell SF to give up before 49 attempts?
