Subj : RE: sap/smtp interaction - wcsmtp build 451.7
To : All
From : DAVE GOURD
Date : Thu Jan 31 2019 19:18:36

Date: Sat, 29 Apr 2006 11:19:55 -0400
From: DAVE GOURD
To: all
Subject: RE: sap/smtp interaction - wcsmtp build 451.7
Newsgroups: win.server.smtp.&.avs
Message-ID: <1146323995.46.1146322326@winserver.com>
References: <1146322326.46.0@winserver.com>
X-Mailer: Wildcat! Interactive Net Server v7.0.454.5
Lines: 257

Have 'logfile spam' 3 more times now since this original post. The latest 3 were the same spam from the same IP/HOST, (not same same in original report) and all 4 incidents have different return path.

-- D

On 4/29/06 10:52 AM, DAVE GOURD wrote to all:

-> When wcsap rejects a msg, does smtp/WINS close the connection with the
-> client, or can/is the cip/cdn/hdn allowed to continue to send data to smtp in
-> the same connection/transaction session? Should that session end at the
-> time it is rejected?
->
-> The message was rejected for [I think] spoofing our domain (CIP/CDN
-> mismatch - spoofed our domain) although the sap log result showed reject
-> (0) but not reason 'HELO/EHLO mismatch' as set in the filter file, smtp code
-> was 554.
->
-> I had what essentially is 'logfile spam' in my smtptrace log, wherein a given
-> message/session had been rejected by wcsap, but the sender/caller started
-> sending data anyway (the message w/headers).
->
-> wcsmtp indicated "503 Need MAIL command." then caller evidently started
-> sending the data stream anyway.
->
-> wcsmtp sent back echos of the data '500 (data here) : command not
-> understood' followed by the caller sending the next line of data/line of the
-> message.
->
-> This continued until the caller 'quit' the session, then WINS closed the
-> connection '211 closing connection, **Completed.
->
-> Is this normal? Never seen the log files get 'spammed' in 10 years running WC,
-> figured I should ask. Am I missing something in the SAP ini or filter files?
->
-> Caller IP is now firewalled, is listed with CBL (http://cbl.abuseat.org/), and
-> reported to abuse at rr.com
->
-> wcsmtp here is latest AUP (451.7).
->
->
-> **wcsap log snippet (local user munged)**
-> 20060428 18:28:11 00000446 -------------------------------------
-> 20060428 18:28:11 00000446 version : 2.06 / 1.62
-> 20060428 18:28:11 00000446 calltype : SMTP
-> 20060428 18:28:11 00000446 state : rcpt
-> 20060428 18:28:11 00000446 cip : 71.75.124.244
-> 20060428 18:28:11 00000446 cdn : foxriver.net
-> 20060428 18:28:11 00000446 from : conrad0xsierra@rr.com
-> 20060428 18:28:11 00000446 hdn : cpe-071-075-124-244.carolina.res.rr.com
-> 20060428 18:28:11 00000446 rcpt : john.doe@foxriver.net
-> 20060428 18:28:11 00000446 ruid : 60
-> 20060428 18:28:12 00000446 sapfilter : reject (time:687)
-> 20060428 18:28:12 00000446 result : reject (0)
-> 20060428 18:28:12 00000446 smtp code : 554
-> 20060428 18:28:12 00000446 wcsap finish (797 msecs)
->
->
-> **wcsmtp log snippet**
-> 20060428 18:28:11 (0A88) HELO: Incoming connection: foxriver.net [71.75.124.244]
-> 20060428 18:28:11 (0A88) Note: DNS says IP 71.75.124.244 belongs to host: cpe-071-075-124-244.carolina.res.rr.com
-> 20060428 18:28:11 (0A88) MAIL FROM: ... Sender validation pending. Continue.
-> 20060428 18:28:12 (0A88) RCPT: Return Path not verifiable: (Rejected by WCSAP Filter)!
->
->
-> **wcsmtptrace snippet (local user munged)**
-> **************************************************************************
-> Wildcat! SMTP Server v6.1.451.7
-> SMTP log started at Fri, 28 Apr 2006 18:28:11
-> Connection Time: 20060428 18:28:11 cid: 00000446
-> SSL Enabled: NO
-> Client IP: 71.75.124.244 (cpe-071-075-124-244.carolina.res.rr.com)
-> 18:28:11 S: 220-foxriver.net Wildcat! ESMTP Server v6.1.451.7 ready
-> 18:28:11 S: 220-************** WARNING: FOR AUTHORIZED USE ONLY! **********************
-> 18:28:11 S: 220-* THIS SYSTEM DO NOT AUTHORIZE THE USE OF ITS PROPRIETARY COMPUTERS *
-> 18:28:11 S: 220-* AND COMPUTER NETWORKS TO ACCEPT, TRANSMIT, OR DISTRIBUTE UNSOLICITED *
-> 18:28:11 S: 220-* BULK E-MAIL SENT FROM THE INTERNET. THIS SYSTEM WILL RESTRICT ACCESS *
-> 18:28:11 S: 220-* TO CAN-SPAM (US S. 877) COMPLIANT CLIENTS ONLY. *
-> 18:28:11 S: 220 ************************************************************************
-> 18:28:11 C: HELO foxriver.net
-> 18:28:11 S: 250 foxriver.net, Hello cpe-071-075-124-244.carolina.res.rr.com, why do you call yourself foxriver.net?
-> 18:28:11 C: MAIL FROM:
-> 18:28:11 S: 250 ... Sender validation pending. Continue.
-> 18:28:11 C: RCPT TO:
-> 18:28:12 ** WCX Process: wcsap ret: 554 (Rejected by WCSAP Filter)
-> 18:28:12 S: 550 Return Path not verifiable.
-> 18:28:12 C: DATA
-> 18:28:12 S: 503 Need MAIL command.
-> 18:28:12 C: Received: (qmail 18448 invoked by uid 53853);
-> 18:28:12 S: 500 'Received: (qmail 18448 invoked by uid 53853);': command not understood.
-> 18:28:12 C: Message-Id: <0764736_26563_38280.fodvnbkr@rr.com>
-> 18:28:12 S: 500 'Message-Id: <0764736_26563_38280.fodvnbkr@rr.com>': command not understood.
-> 18:28:12 C: Date: Fri, 29 Jul 2005 22:23:34 -0100
-> 18:28:12 S: 500 'Date: Fri, 29 Jul 2005 22:23:34 -0100': command not understood.
-> 18:28:12 C: Content-Type: text/plain;
-> 18:28:12 S: 500 'Content-Type: text/plain;': command not understood.
-> 18:28:12 C: charset="us-ascii"
-> 18:28:12 S: 500 ' charset="us-ascii"': command not understood.
-> 18:28:12 C: Content-Transfer-Encoding: 7bit
-> 18:28:12 S: 500 'Content-Transfer-Encoding: 7bit': command not understood.
-> 18:28:12 C: To: john.doe@foxriver.net
-> 18:28:12 S: 500 'To: john.doe@foxriver.net': command not understood.
-> 18:28:12 C: From: "Conrad Sierra"
-> 18:28:12 S: 500 'From: "Conrad Sierra" ': command not understood.
-> 18:28:12 C: Subject: Reduce your monthly payments
-> 18:28:12 S: 500 'Subject: Reduce your monthly payments': command not understood.
-> 18:28:12 C:
-> 18:28:12 C: Hello,
-> 18:28:12 S: 500 'Hello,': command not understood.
-> 18:28:12 C:
-> 18:28:12 C: You have been chosen to participate in an invitation only limited time event!
-> 18:28:12 S: 500 'You have been chosen to participate in an invitation only limited time event!': command not understood.
-> 18:28:12 C: Are you currently paying over three percent for your mortgage? stop right now!
-> 18:28:12 S: 500 'Are you currently paying over three percent for your mortgage? stop right now!': command not understood.
-> 18:28:12 C: We can help you lower that today!
-> 18:28:12 S: 500 'We can help you lower that today!': command not understood.
-> 18:28:12 C: Answer only a few questions and we can give you an approval in under thirty seconds.It really is that simple!
-> 18:28:12 S: 500 'Answer only a few questions and we can give you an approval in under thirty seconds.It really is that simple!': command not understood.
-> 18:28:12 C:
-> 18:28:12 C: http://oa.r66j-fr.com/
-> 18:28:12 S: 500 'http://oa.r66j-fr.com/': command not understood.
-> 18:28:12 C:
-> 18:28:12 C: And stop fighting for lenders let them fight for you! Make them work for your business by giving you the lowest rates around! You deserve it.
-> 18:28:12 S: 500 'And stop fighting for lenders let them fight for you! Make them work for your business by giving you the lowest rates around! You deserve it.': command not understood.
-> 18:28:12 C:
-> 18:28:12 C: Think your credit is too bad to get a deal like this? Think Again! We will have you saving your money in no time flat!
-> 18:28:12 S: 500 'Think your credit is too bad to get a deal like this? Think Again! We will have you saving your money in no time flat!': command not understood.
-> 18:28:12 C:
-> 18:28:12 C: Are you ready to save your money?
-> 18:28:12 S: 500 'Are you ready to save your money?': command not understood.
-> 18:28:12 C:
-> 18:28:12 C: http://ymv.r66j-fr.com/
-> 18:28:12 S: 500 'http://ymv.r66j-fr.com/': command not understood.
-> 18:28:12 C:
-> 18:28:12 C: Regards,
-> 18:28:12 S: 500 'Regards,': command not understood.
-> 18:28:12 C: Conrad Sierra
-> 18:28:12 S: 500 'Conrad Sierra': command not understood.
-> 18:28:12 C:
-> 18:28:12 C:
-> 18:28:12 C:
-> 18:28:12 C: The woman had cut off his foot with an axe and his thumb with an electric knife, and here she was with a pile of caviar big enough to choke a warthog."Misery tried to scream, but could no longer even breathe.
-> 18:28:12 S: 500 'The woman had cut off his foot with an axe and his thumb with an electric knife, and here she was with a pile of caviar big enough to choke a warthog."Misery tried to scream, but could no longer even breathe.': command not understood.
-> 18:28:12 C: The champagne bottle hadnt been in the scenario, but that was minor compared with the womans hideous vitality and his current painful uncertainty.I have spared him, so you may shew him the way he must go.The open garbage can overflowed onto the floor and emitted the warm reek of spoiling food, but that wasnt the only thing wrong, or the worst smell..pictorial
-> 18:28:12 S: 500 'The champagne bottle hadnt been in the scenario, but that was minor compared with the womans hideous vitality and his current painful uncertainty.I have spared him, so you may shew him the way he must go.The open garbage can overflowed onto the floor and emitted the warm reek of spoiling food, but that wasnt the only thing wrong, or the worst smell..pictorial': command not understood.
-> 18:28:12 C: He thought her illness might have been short indeed   a thunderclap coronary, say, followed by a trip to Saint Joes, followed by."s.It was only after midnight, an hour after Geoffrey had ridden into the gathering storm to try and fetch the doctor, that the midwife had grown alarmed.She approached the mattress, turned around, and squatted..
-> 18:28:12 S: 500 'He thought her illness might have been short indeed   a thunderclap coronary, say, followed by a trip to Saint Joes, followed by."s.It was only after midnight, an hour after Geoffrey had ridden into the gathering storm to try and fetch the doctor, that the midwife had grown alarmed.She approached the mattress, turned around, and squatted..': command not understood.
-> 18:28:12 C: There were perhaps seventy acres of open ground between the house and the edge of the forest   the snow-cover over it was a perfect and blazing white.This was not the soothing sand of sleep but poisoned sand.
-> 18:28:12 S: 500 'There were perhaps seventy acres of open ground between the house and the edge of the forest   the snow-cover over it was a perfect and blazing white.This was not the soothing sand of sleep but poisoned sand.': command not understood.
-> 18:28:12 C:
-> 18:28:12 C: .
-> 18:28:12 S: 500 '.': command not understood.
-> 18:28:12 C: QUIT
-> 18:28:12 S: 221 closing connection
-> 18:28:13 ** Completed

--- Platinum Xpress/Win/WINServer v3.1
 * Origin: Prison Board BBS Mesquite Tx //telnet.RDFIG.NET www. (1:124/5013)
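
Added example (not part of the original post, and not Wildcat! code): a Python check that reads a trace in the "HH:MM:SS C:/S:" layout quoted above and flags a session in which the client keeps sending message lines after the server refused DATA, the pattern that filled the log here. The sample trace, its addresses, the function name and the threshold are constructed for illustration; it assumes one log entry per line.

```python
import re

# Constructed sample in the "HH:MM:SS C:/S:" layout of the trace above;
# hosts and addresses are placeholders, not values from the post.
SAMPLE_TRACE = """\
18:28:11 C: MAIL FROM: <sender@example.org>
18:28:11 S: 250 Sender validation pending. Continue.
18:28:11 C: RCPT TO: <user@example.net>
18:28:12 S: 550 Return Path not verifiable.
18:28:12 C: DATA
18:28:12 S: 503 Need MAIL command.
18:28:12 C: Subject: constructed header line
18:28:12 S: 500 'Subject: constructed header line': command not understood.
18:28:12 C: constructed body line
18:28:12 S: 500 'constructed body line': command not understood.
18:28:12 C: .
18:28:12 S: 500 '.': command not understood.
18:28:12 C: QUIT
18:28:12 S: 221 closing connection
"""

LINE = re.compile(r"^\d\d:\d\d:\d\d ([CS]): ?(.*)$")
VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "VRFY", "QUIT"}

def analyze_session(trace, threshold=3):
    """Flag a session whose client streams message lines after DATA was refused."""
    in_data = data_refused = False
    last_verb, stray, replies_500 = "", 0, 0
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # banner, "** WCX Process", etc.
        side, text = m.groups()
        if side == "C" and in_data:       # body of an accepted DATA: not commands
            if text == ".":
                in_data, last_verb = False, ""
        elif side == "C":
            last_verb = text.split(" ", 1)[0].upper()
            # Undercounts stray lines that happen to begin with an SMTP verb.
            if data_refused and text and last_verb not in VERBS:
                stray += 1
        elif last_verb == "DATA":         # the server's answer to DATA
            in_data = text.startswith("354")
            data_refused = data_refused or text[:1] in ("4", "5")
        elif data_refused and text.startswith("500"):
            replies_500 += 1
    return {"data_refused": data_refused, "stray_lines": stray,
            "replies_500": replies_500, "flag": stray >= threshold}
```

The `replies_500` count is the number of log entries the stray data cost the server. The server-side counterpart is to drop the connection after a small number of consecutive 500 replies; whether wcsmtp offers such a limit is not stated in the post.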