Print Page | Close Window

Security problems?

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5342
Printed Date: 16 September 2025 at 1:42am


Topic: Security problems?
Posted By: fischer
Subject: Security problems?
Date Posted: 24 September 2005 at 9:45pm

I've got some curious entries in my Spam filter logs. After testing this program for nearly 2 months, I decided to switch all of my client mx records today so that Spam Filter ISP is protecting their email. I did this switch early this morning, and more and more emails are coming through.

At 2:20p, 4:03p, and 7:20p today, I've had 3 sets of 49 entries, with the beginning of each log entry in a particular group 30 seconds apart from the others in that group, that look like this:

09/24/05 14:20:28:885 -- (104284) Connection from: <my SF IP>  -  Originating country : United States
09/24/05 14:20:28:978 -- (104284) Resolving <my SF IP> - Not found
09/24/05 14:20:28:978 -- (104284) Bypassed all rules for: <valid_ client_address> from <unknown_3rd_party_address> ( We Are Sender)
09/24/05 14:20:29:056 -- (104284) EMail from <unknown_3rd_party_address> to <valid_ client_address> was queued. Size: 1 KB, 1024 bytes
09/24/05 14:20:29:056 -- (107472) (107472) Sending email from <unknown_3rd_party_address> to <valid_ client_address>
09/24/05 14:20:29:088 -- (110004) Time to add Msg to Bayes corpus:0
09/24/05 14:20:29:119 -- (104284) Disconnect
09/24/05 14:20:29:306 -- (107472) (107472) EMail from <unknown_3rd_party_address> to <valid_ client_address> was forwarded to <my.mail.server>:25

What I distinguish as a group is different to and from addresses and an actual break in the time sequence.

I've done open relay tests, and I've tried using a pop client to send through SF without success. The only thing that has come close is using SF as the sending server from a pop client actually on the mail server itself. That test produced a log entry very similar to that above. However, I have no indication that I've had a server security breach, and a virus scan turns up nothing out of the ordinary.

Does anyone have anything similar? Do a search on your log files for the phrase "We are sender". That's how I found mine. The reason I thought to look for this was that I watched one come in on the activity log.

This is most puzzling. The fact that's been exactly 49 messages each time and that each message is 30 seconds apart from the last leads me to believe that its some sort of program doing this, but I can't seem to find any indication of that. Any help would be most appreciated.


Replies:
Posted By: LogSat
Date Posted: 24 September 2005 at 10:37pm
fischer,

SpamFilter by default "trusts" the server it's installed on, and will allow any emails it generates to relay. When an event like this occurs, it's logged with the notation "We Are Sender".

From the log entries you posted, it seems as if though your incoming connections do not indicate the original IP of the sender, but rather they show SpamFilter's IP address as the source. This would fall in the category above described, and the email is thus bypassing all rules.

Please note that in order to take full advantage of its filtering abilities, SpamFilter needs to see the original IP address of the sender. Without the original IP address, all DNS/IP based filters, like the MAPS RBL test, the reverse DNS, the SPF filter, the country filter for example, will not work.
 
To solve your immediate problem however, there is an option in the SpamFilter.ini file that changes the default relay behavior. In the SpamFilter.ini file, look for the following entry:
 
;by default SpamFilter will not allow any IP to relay thru it. Change DoNotTrustSelfByDefault to 1 if you want localhost to be able to relay
DoNotTrustSelfByDefault=0

and change the value from 0 to 1. That should prevent all of the "Bypassed all rules" behavior.



-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP

Posted By: fischer
Date Posted: 25 September 2005 at 10:46pm

Actually, I figured out what this was... SF was trying to resend an email that was being rejected as an invalid address by the mail server. I though the client had email setup but did not. So SF saw it as a valid to address while the mail server didn't.

How do I tell SF to give up before 49 attempts?


Print Page | Close Window