Possible bug in handling IPv6 mapped IPv4

Possible bug in handling IPv6 mapped IPv4

William L. Thomson Jr.-4
For some time I had in my acceptall, ::ffff:x.x.x.x, where x.x.x.x is a
specific IP address of mine. It seems that ASSP has a potential bug in how it
matches that address. It seems to match via wildcard vs the actual address.

This ended up causing a gaping hole, and made my mail server an open relay,
bypassing smtp auth, SPF, etc. Hundreds of spam emails... It did not stop till
I removed the entry from my accept all.

After which I noticed something quite interesting that I think shows the
problem.

assp.pl[2670]: [Worker_1] [SSL-in] [TLS-out] ::ffff:87.100.250.136 info: PB-IP-Score for '0:0:0:0:0:0:0:0' is 600, added 60 in this session
assp.pl[2670]: [Worker_1] [SSL-in] ::ffff:79.100.72.131 info: PB-IP-Score for '0:0:0:0:0:0:0:0' is 675, added 60 in this session
assp.pl[2670]: [Worker_1] [SSL-in] [TLS-out] [MaxAUTHErrors] ::ffff:159.148.200.200 too many (5) AUTH errors from 0:0:0:0:0:0:0:0

For some reason it turns ::ffff:x.x.x.x into 0:0:0:0:0:0:0:0. Which explains
why email from any ::ffff: address was being allowed. It was not matching my
entry, but instead considered my entry to be a wildcard. This was making the
penalty box go crazy. As any ::ffff: address was triggering that and
increasing the score for 0:0:0:0:0:0:0:0.
 
Now this is not the case in all places. The first below is rejected per the
IPv4 address being in denySMTPConnectionsFromAlways.

::ffff:77.70.127.148 <[hidden email]> to: [hidden email] blocked by denySMTPConnectionsFromAlways strict: 77.70.0.0/17

http://dpaste.com/3N6X04G ( will remain for 1 yr )

However the next comes through. So in some places it is matching the IPv4
portion. In other places it becomes a wildcard.

http://dpaste.com/3BJPRQN ( will remain for 1 yr )

I have closed my hole by removing the one ::ffff:x.x.x.x entry I had in my
acceptall. I think I should be able to have that address there and it should
match the IPv4 portion. Which presently it does not seem to.

If you need further information to look into this let me know. I cannot
replicate how the spam was sent. That alone is quite interesting and I am still
looking into how it reached my servers that way. I have ASSP listening on both
IPv4 and IPv6. Seems like the connection came as IPv6 mapped IPv4. But that
should not be routable or seen. Other software that listens on only IPv6,
never has the ::ffff: portion.

Pretty odd!

--
William L. Thomson Jr.


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Assp-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-user
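
The failure mode reported above, as an added example that is not ASSP's code and not part of the original posts: allow-list entries and peer addresses are both unwrapped from ::ffff:a.b.c.d to plain IPv4 before comparison, any entry that would match every peer is refused, and log lines are scanned for mapped peers attributed to 0:0:0:0:0:0:0:0. The names canonical_net, allowed, collapsed_peers, ACL and SAMPLE_LOG are hypothetical, and the sample log lines are constructed in the format quoted in the post.

```python
import ipaddress
import re

def canonical_net(entry):
    """Parse an allow-list entry, unwrapping ::ffff:a.b.c.d[/N] to IPv4."""
    net = ipaddress.ip_network(entry, strict=False)
    mapped = net.network_address.ipv4_mapped if net.version == 6 else None
    if mapped is not None and net.prefixlen >= 96:
        net = ipaddress.ip_network(f"{mapped}/{net.prefixlen - 96}", strict=False)
    # An entry that ends up as the unspecified address or a /0 would match
    # every peer: fail closed instead of loading it.
    if net.prefixlen == 0 or net.network_address.is_unspecified:
        raise ValueError(f"refusing match-all allow-list entry: {entry!r}")
    return net

def allowed(peer, acl):
    """True only if the peer's canonical address lies inside an ACL network."""
    ip = ipaddress.ip_address(peer)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == n.version and ip in n for n in acl)

# Peer logged as mapped IPv4, but scored or counted under the all-zero key.
COLLAPSED = re.compile(
    r"(::ffff:\d{1,3}(?:\.\d{1,3}){3}).*?(?:for '|from )0:0:0:0:0:0:0:0\b")

def collapsed_peers(log_lines):
    """Return mapped peers whose log line attributes them to 0:0:0:0:0:0:0:0."""
    return [m.group(1) for line in log_lines if (m := COLLAPSED.search(line))]

# Constructed sample data (documentation address ranges, RFC 5737).
ACL = [canonical_net("::ffff:192.0.2.10"), canonical_net("198.51.100.0/24")]
SAMPLE_LOG = [
    "assp.pl[1]: [Worker_1] ::ffff:203.0.113.7 info: PB-IP-Score for "
    "'0:0:0:0:0:0:0:0' is 600, added 60 in this session",
    "assp.pl[1]: [Worker_1] ::ffff:203.0.113.9 too many (5) AUTH errors "
    "from 0:0:0:0:0:0:0:0",
    "assp.pl[1]: [Worker_1] ::ffff:192.0.2.10 info: PB-IP-Score for "
    "'192.0.2.10' is 10, added 10 in this session",
]

if __name__ == "__main__":
    for peer in ("::ffff:192.0.2.10", "192.0.2.10", "::ffff:203.0.113.7"):
        print(peer, "->", "allow" if allowed(peer, ACL) else "deny")
    print("collapsed:", collapsed_peers(SAMPLE_LOG))
```
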
Re: Possible bug in handling IPv6 mapped IPv4

Thomas Eckardt/eck
This is fixed in the current development release.

Thomas





From:        "William L. Thomson Jr." <[hidden email]>
To:        [hidden email]
Date:        10.02.2017 17:34
Subject:        [Assp-user] Possible bug in handling IPv6 mapped IPv4




Re: Possible bug in handling IPv6 mapped IPv4

William L. Thomson Jr.-4
On Saturday, February 11, 2017 6:47:23 AM EST Thomas Eckardt wrote:
> This is fixed in the current development release.

Excellent, thank you!

--
William L. Thomson Jr.

