bitwiseworks / InJoy

Issue tracker for InJoy

injoy 4.1 not filtering randomly spammers on port 25 #30

Open ecomstation opened 11 years ago

ecomstation commented 11 years ago

injoy 4.1 with fxwrap v 3.0 (2) by David A.

e.g.

a rule from firerule.cnf:

CHIUSURA_SMTP_125_60_128-255 Comment = "chiude smtp ip smart broad inc wireless filippine", Destination-Port = "25", Source = "125.60.128.0", Source-Netmask = 255.255.128.0, Rule-Action = Deny, Log-Control = Enabled, Log-Mask = "date time severity message source prot", Log-File = "r:/fw_antispam.log", Log-Size = 9990, Direction = Incoming

but.... the spam passed through the firewall and arrived at the content filter of the incoming smtp server (when spam is high the mail server slows down too much, so I'd need injoy to filter completely the spam closed by the acl rules, not randomly)

Invoked: Mon Oct 21 08:18:28 2013 Sending IP Address: [125.60.250.137] [125.60.250.137] From: unoffensivebcg98@ctrip.com To: info@mydomain.it Score: 100, List S, match ?windows-1252?b?qwl1dgf0zsbpig1hbgf0asblihjpy2v2 Total Score 100 Reject as: 550 unknown user

(for privacy reasons I changed the domain into "mydomain.it")

massimo

ecomstation commented 10 years ago

this problem seems to show only in moments when there is a heavy load of concurrent (e.g. spam) connections; it's difficult to reproduce it

anyway I'm searching through my old logs (hundreds of MB..)

ecomstation commented 10 years ago

ok, i got it

CHIUSURA_SMTP_91_121_249_168 Comment = "chiude smtp ip spammer m1-demsemplice-it 04-09-13", Destination-Port = "25", Source = "91.121.249.168", Rule-Action = Deny, Log-Control = Enabled, Log-Mask = "date time severity message source prot", Log-File = "r:/fw_antispam.log", Log-Size = 9990, Direction = Incoming

spam passed through the fw reaching the weasel spam content filter:

Invoked: Thu Nov 21 01:10:19 2013 Sending IP Address: [91.121.249.168] evirit.serverlet.com From: news@mailing1.demsemplice.it To: myemail@my.... Score: 100, List F, match demsemplice.it Total Score 100 Reject as: 550 unknown user

regularly logged in injoy connect.log:

[2013/11/21][01:10:17][Incoming][SRC:evirit.serverlet.com][DST:mail.quasarbbs.net][S-PORT:58248][D-PORT:smtp (25)][MSG:11:Connection opened]

note: no high load on the server or huge spam waves in that moment

massimo
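The check the reporter does by hand above (a Deny rule in firerule.cnf, then a Weasel "Invoked:" line showing the same sender reaching the content filter) can be automated. This is an added example, not code from the issue thread or the InJoy project; it assumes the rule and log formats quoted in this issue, that every "Invoked:" line concerns port 25, and uses constructed sample data built from those formats.

```python
import ipaddress
import re

# Constructed samples in the firerule.cnf and Weasel "Invoked:" formats quoted in this issue.
FIRERULE_CNF = """
CHIUSURA_SMTP_125_60_128-255 Comment = "chiude smtp ip smart broad", Destination-Port = "25", Source = "125.60.128.0", Source-Netmask = 255.255.128.0, Rule-Action = Deny, Log-Control = Enabled, Direction = Incoming
CHIUSURA_SMTP_91_121_249_168 Comment = "chiude smtp ip spammer", Destination-Port = "25", Source = "91.121.249.168", Rule-Action = Deny, Log-Control = Enabled, Direction = Incoming
"""
WEASEL_LOG = """
Invoked: Thu Nov 21 01:10:19 2013 Sending IP Address: [91.121.249.168] evirit.serverlet.com From: news@example.it To: me@example.it Score: 100, List F Total Score 100 Reject as: 550 unknown user
Invoked: Thu Nov 21 02:00:00 2013 Sending IP Address: [198.51.100.7] mx.example.org From: a@example.org To: me@example.it Score: 0 Total Score 0
Invoked: Mon Oct 21 08:18:28 2013 Sending IP Address: [125.60.250.137] [125.60.250.137] From: x@example.com To: me@example.it Score: 100, List S Total Score 100 Reject as: 550 unknown user
"""

# key = value pairs; quoted values may contain spaces (Comment, Log-Mask), unquoted ones end at a comma
KV_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|[^,]+)')
IP_RE = re.compile(r'Sending IP Address: \[(\d+\.\d+\.\d+\.\d+)\]')


def parse_rules(text):
    """Return [(name, network, port)] for every incoming Deny rule in firerule.cnf text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, body = line.partition(" ")  # rule name is the first token
        kv = {k: v.strip().strip('"') for k, v in KV_RE.findall(body)}
        if kv.get("Rule-Action") != "Deny" or kv.get("Direction") != "Incoming":
            continue
        mask = kv.get("Source-Netmask", "255.255.255.255")  # no netmask means a single host
        net = ipaddress.ip_network(f'{kv["Source"]}/{mask}', strict=False)
        rules.append((name, net, int(kv.get("Destination-Port", "0"))))
    return rules


def parse_weasel(text):
    """Return the sending IP of every content-filter 'Invoked:' line, in log order."""
    return [ipaddress.ip_address(m.group(1)) for m in IP_RE.finditer(text)]


def find_leaks(rules, ips, port=25):
    """Senders that reached the SMTP content filter although a Deny rule for that port covers them."""
    return [(name, str(ip)) for ip in ips
            for name, net, rule_port in rules if rule_port == port and ip in net]


if __name__ == "__main__":
    for name, ip in find_leaks(parse_rules(FIRERULE_CNF), parse_weasel(WEASEL_LOG)):
        print(f"leak: {ip} reached the content filter despite rule {name}")
```

Run it over the real r:/fw_antispam.log rules and the Weasel log to get the list of rule/sender pairs the firewall let through; each hit is one occurrence of the bug described here.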

SilvanScherrer commented 10 years ago

2 questions:

ecomstation commented 10 years ago

question 1) of course not, that's a copy and paste. question 2) of course, and it is full of filtered spam connections (luckily the most) e.g.:

[2013/11/19][03:33:11][00:Info][MSG:][SRC:038.096.175.120][tcp]
[2013/11/19][03:33:15][00:Info][MSG:][SRC:038.096.175.120][tcp]
[2013/11/19][03:33:23][00:Info][MSG:][SRC:038.096.175.120][tcp]
[2013/11/19][03:33:38][00:Info][MSG:][SRC:038.096.175.120][tcp]
[2013/11/19][03:47:33][00:Info][MSG:][SRC:038.096.175.120][tcp]
[2013/11/19][03:47:34][00:Info][MSG:][SRC:038.096.175.120][tcp]
[2013/11/19][03:47:36][00:Info][MSG:][SRC:038.096.175.120][tcp]
[2013/11/19][03:47:40][00:Info][MSG:][SRC:038.096.175.120][tcp]

massimo

SilvanScherrer commented 10 years ago

but did you ever see a log entry for the above rule?

ecomstation commented 10 years ago

of course

[2013/11/20][17:58:46][00:Info][MSG:][SRC:091.121.249.168][tcp]
[2013/11/20][17:58:50][00:Info][MSG:][SRC:091.121.249.168][tcp]
[2013/11/20][17:58:56][00:Info][MSG:][SRC:091.121.249.168][tcp]

as said before the problem occurs randomly

massimo

ecomstation commented 10 years ago

I add another example:

rule:

CHIUSURA_SMTP_78_46_171_68 Comment = "chiude smtp ip spammer tumbarello 11-09-13", Destination-Port = "25", Source = "78.46.171.68", Rule-Action = Deny, Log-Control = Enabled, Log-Mask = "date time severity message source prot", Log-File = "r:/fw_antispam.log", Log-Size = 9990, Direction = Incoming

reached the internal weasel content filter 2 times:

Invoked: Thu Nov 28 09:53:01 2013 Sending IP Address: [78.46.171.68] smtpdem.giannitumbarello.com From: mailing@giannitumbarello.com To: Score: 100, List F, match @giannitumbarello.com Total Score 100 Reject as: 550 unknown user

Invoked: Thu Nov 28 10:01:50 2013 Sending IP Address: [78.46.171.68] smtpdem.giannitumbarello.com From: mailing@giannitumbarello.com To: Score: 100, List F, match @giannitumbarello.com Total Score 100 Reject as: 550 unknown user

ecomstation commented 10 years ago

any news?

ecomstation commented 10 years ago

Silvan, after about 4 months I still don't have a solution. You know that I've a number of installations of injoy; this is a big concern for me. Do you suggest that I wait for the next version? Maybe the next version will fix this problem

let me know thanks

regards

ecomstation commented 10 years ago

after about 8 months still no answer, very very good

SilvanScherrer commented 10 years ago

we can't reproduce your bug, so how should we fix it? And this I told you already several times by mail. Did you try 4.2.2 GA btw?

ecomstation commented 10 years ago

this situation, I've verified, happens with bursts of tcp/ip (smtp) connections. It's not so difficult to reproduce: it happens with >5 connections per second, some pass through the fw and reach the smtp incoming queue. Anyway many thanks for the hint, I will upgrade to 4.2.2 (didn't know about the upgrade, sorry) and I will let you know

thanks

massimo

SilvanScherrer commented 6 years ago

is this still the case with all updates in place?

ecomstation commented 6 years ago

this evening I will install the 27 sep. 2019 build of fxwrap, and in the next days I will watch my server(1)

I will let you know if the issue still exists or not