Any ASSP gurus out there?
Posted by ThatScriptGuy, 03-12-2008, 12:07 PM In a nutshell, here's what's happening. Every week or so, my whitelist in ASSP is getting filled up with @*.de email addresses. Coincidentally, at that same time, I start receiving massive amounts of spam because those addresses are whitelisted. Has anyone ever had this happen to them? The list of addresses is the same every time it happens, but it really worries me that somehow my whitelist is getting modified without my permission. The assp web interface is disabled (blocked at the firewall) because I update the configuration by just editing the files. SSH access is completely disabled, save for key authentication... So my thoughts are that somehow, an external address is able to modify my whitelist... somehow. Does anyone have any thoughts or troubleshooting ideas for me? Many thanks. Kevin
Posted by ~G9~, 03-12-2008, 02:52 PM Disable your Email Interface via the ASSP Admin Control panel. Hope it helps.
Posted by ThatScriptGuy, 03-12-2008, 02:54 PM We need the email interface. I've got a plethora of users here who need to report spam and notspam via forwarding to spam@domain and notspam@domain But I would think that ASSP would only allow domains local to the system to contribute to the whitelist...
Posted by whmcsguru, 03-12-2008, 02:58 PM The email interface won't allow that kind of an addition. It will only allow domain, or single email address additions. Take a look at your ASSP crons, make sure that it's not updating itself more than it should. If you're using any of the CP derivs, make sure that you don't have users' ability to whitelist things enabled. The email interface to ASSP is great, that's not a problem.
Posted by ThatScriptGuy, 03-13-2008, 01:29 AM Running ASSP-X here. Took a closer look, and there in fact was a setting that either allowed or disallowed assp-x to overwrite the white/black lists for domains. I've disabled overwriting, so hopefully that will take care of the problem. I didn't figure that assp would allow external domains to modify the lists, but I'm still puzzled as to how those domains were getting into the whitelist. Perhaps one of the external services that I've got ASSP subscribed to was updating that file? I know the blacklist was updated daily from an external site... Perhaps the same was true for the whitelist...
Posted by ThatScriptGuy, 03-13-2008, 02:02 AM The funniest (most disturbing) thing happened a few minutes after I posted my last message. My whitelist was overwritten yet again with whitelisted domains. So I opened up my now corrupt whitelist and added all of those addresses to the blacklist in the hopes that the blacklist overrides the whitelist. However, I also did a google search for the very first address in the list (list follows below) and the very first link was to http://www.alcorn.com/temp/assp/ASSP...itedomains.txt which is nearly a duplicate of my whitelist, which leads me to believe that someone else has experienced this issue as well. I googled that URL, but I couldn't find any posts where someone had linked to it before. Is there any way that I can monitor the whitelist file to see when it gets modified and what program modifies it? This is concerning me mainly because I can't figure out how the file is getting overwritten... Any ideas? Kevin
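The question above asks how to tell when the whitelist file is modified and what ends up in it. The following is an added example (not code from the thread, ASSP, ASSP X or ASSP Deluxe): a small snapshot-and-diff monitor meant to be scheduled from cron. Each run hashes the list file, compares it with the snapshot left by the previous run, and reports the added and removed entries together with the file's mtime. The file format it assumes (one entry per line, blank lines and '#' comments ignored) and the snapshot path are assumptions, not taken from ASSP documentation; the sample content in demo() is constructed.

```python
"""Snapshot-and-diff monitor for an ASSP list file such as whitedomains.txt.

Assumption (not from ASSP docs): one entry per line, blank lines and lines
starting with '#' are ignored. The snapshot is a small JSON file we keep
beside the monitored file (or anywhere the cron user can write).
"""
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path


def parse_entries(text):
    """Return the set of non-empty, non-comment entries in a list file."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith('#'):
            entries.add(line)
    return entries


def diff_entries(old, new):
    """Return (added, removed) as sorted lists."""
    return sorted(new - old), sorted(old - new)


def check_file(path, snapshot_path):
    """Compare the file against the stored snapshot, refresh the snapshot,
    and return a report dict describing what changed."""
    data = Path(path).read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    mtime = time.strftime('%Y-%m-%d %H:%M:%S',
                          time.localtime(os.path.getmtime(path)))
    current = parse_entries(data.decode('utf-8', 'replace'))

    report = {'path': path, 'sha256': digest, 'mtime': mtime,
              'baseline': False, 'changed': False, 'added': [], 'removed': []}

    snapshot = Path(snapshot_path)
    if snapshot.exists():
        previous = json.loads(snapshot.read_text())
        if previous.get('sha256') != digest:
            added, removed = diff_entries(set(previous.get('entries', [])),
                                          current)
            report.update(changed=True, added=added, removed=removed)
    else:
        report['baseline'] = True  # first run: nothing to compare against

    snapshot.write_text(json.dumps({'sha256': digest,
                                    'entries': sorted(current)}))
    return report


def demo():
    """Constructed scenario: record a baseline, then simulate the file being
    overwritten with an extra .de domain, then an unchanged run."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, 'whitedomains.txt')
        snap = os.path.join(tmp, 'whitedomains.snapshot.json')
        Path(target).write_text("# constructed sample\nexample.de\n")
        first = check_file(target, snap)
        Path(target).write_text("example.de\napotheke.de\n")
        second = check_file(target, snap)
        third = check_file(target, snap)
    return first, second, third


if __name__ == '__main__':
    for report in demo():
        if report['baseline']:
            print('baseline recorded for', report['path'])
        elif report['changed']:
            print('CHANGED at', report['mtime'], 'added:', report['added'],
                  'removed:', report['removed'])
        else:
            print('unchanged')
```

In production you would call check_file('/usr/local/assp/files/whitedomains.txt', '/var/lib/assp-monitor/whitedomains.json') (the snapshot location is an assumption) from a cron entry every few minutes and mail or log any report with changed set; that pins the overwrite to a time window and shows exactly which domains appeared, which is what is needed to match it against a cron job or an update script. It cannot tell you which process wrote the file; for that, a file watch in the Linux audit subsystem (auditctl -w on the file with -p wa) records the writing process in the audit log.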
Posted by SparkSupport, 03-13-2008, 02:18 AM Dear kcackler, an important note: it's always better NOT to give the entire list (here, the whitelist) in forum posts. That will adversely affect the readability and people will naturally bypass your thread. No offense please!
Posted by ThatScriptGuy, 03-13-2008, 04:09 AM It is there for those that wish to do something with it...Perhaps giving those domains a higher score in their anti-spam software. It's there for a reason.
Posted by Spaceh, 03-15-2008, 11:52 PM Disallow overwriting of the files you need in this dir... /usr/local/assp/files/ This will fix it
Posted by stratasite, 06-04-2008, 08:53 PM I am having this same issue. I had installed asspx first, but ended up going with assp deluxe since the user's control panel was so much better. I have the exact same whitelist as you. Something very strange is going on. Perhaps we need to get in touch with the author(s) of asspx and assp deluxe, though I am leaning toward asspx, since that seems to be the common thread between us. One thing of note, my problem is not showing up in my actual whitelist (usr/local/assp/whitelist), but in the whitedomains file (usr/local/assp/files/whitedomains.txt). Is it the same for you?
Posted by stratasite, 06-04-2008, 09:16 PM Wooooa... we have a large problem here. I think we may have found a major bug in assp, asspx or assp deluxe. Logs reveal the following:

May-20-08 06:42:25 Connected: 84.28.148.208:2413 -> IPHIDDEN -> 127.0.0.1:125
May-20-08 06:42:27 80147-10321 84.28.148.208 Regex:WhiteDomain 'apotheke.de'
May-20-08 06:42:30 80147-10321 84.28.148.208 to: EMAILHIDDEN Whitelisted Domain: apotheke.de
May-20-08 06:42:30 80147-10321 [SPF] 84.28.148.208 to: EMAILHIDDEN SPF: none ip=84.28.148.208 mailfrom=gaeac3@alte-stadtapotheke.de helo=cp183741-b.gelen1.lb.home.nl
May-20-08 06:42:30 80147-10321 [Whitelisted] 84.28.148.208 to: EMAILHIDDEN whitelisted (no bad attachments) [ROLEX at unbelievable costs] -> /usr/local/assp/notspam/10321.eml
May-20-08 06:42:31 Disconnected: 84.28.148.208

And a simple telnet SMTP test also reveals that by adding the regex line, they are somehow automatically getting added to the whitelist!? I'm going to get onto the cpanel forums and see if we can't get the authors involved here. If they can't solve it, we'll go straight to ASSP.
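The log excerpt above is what an operator has to spot: a message from an external IP was delivered as whitelisted because the sender matched a domain entry, while SPF returned none and the envelope sender's domain (alte-stadtapotheke.de) was not even the whitelisted domain itself (apotheke.de). The following is an added example, not code from the thread or from ASSP, of a scanner that groups ASSP log lines by session id and reports every whitelisted delivery from a non-local IP whose SPF result is not pass or whose mailfrom domain differs from the whitelisted domain. The line layout is inferred from the lines quoted above only; the second session in the sample log is constructed, as are the 192.0.2.10 address and the example.de domain.

```python
"""Flag deliveries that ASSP accepted on a whitelisted-domain match.

Log format is inferred from the lines quoted in the thread:
  <date> <time> <sid> [<tag>] <ip> <message>
Lines without a session id (Connected/Disconnected) are skipped.
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<sid>\d+-\d+) (?:\[(?P<tag>[^\]]+)\] )?'
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<rest>.*)$')
WHITE_RE = re.compile(r'Whitelisted Domain: (?P<domain>\S+)')
SPF_RE = re.compile(r'SPF: (?P<result>\S+).*?mailfrom=(?P<mailfrom>\S+)')
SUBJECT_RE = re.compile(r'\[(?P<subject>[^\]]*)\] -> ')

# Constructed sample: first session is the one quoted in the thread, the
# second is a made-up benign delivery used as a control.
SAMPLE_LOG = """\
May-20-08 06:42:25 Connected: 84.28.148.208:2413 -> IPHIDDEN -> 127.0.0.1:125
May-20-08 06:42:27 80147-10321 84.28.148.208 Regex:WhiteDomain 'apotheke.de'
May-20-08 06:42:30 80147-10321 84.28.148.208 to: EMAILHIDDEN Whitelisted Domain: apotheke.de
May-20-08 06:42:30 80147-10321 [SPF] 84.28.148.208 to: EMAILHIDDEN SPF: none ip=84.28.148.208 mailfrom=gaeac3@alte-stadtapotheke.de helo=cp183741-b.gelen1.lb.home.nl
May-20-08 06:42:30 80147-10321 [Whitelisted] 84.28.148.208 to: EMAILHIDDEN whitelisted (no bad attachments) [ROLEX at unbelievable costs] -> /usr/local/assp/notspam/10321.eml
May-20-08 06:42:31 Disconnected: 84.28.148.208
May-20-08 07:10:02 80147-10322 192.0.2.10 to: EMAILHIDDEN Whitelisted Domain: example.de
May-20-08 07:10:02 80147-10322 [SPF] 192.0.2.10 to: EMAILHIDDEN SPF: pass ip=192.0.2.10 mailfrom=info@example.de helo=mail.example.de
May-20-08 07:10:03 80147-10322 [Whitelisted] 192.0.2.10 to: EMAILHIDDEN whitelisted (no bad attachments) [Monthly invoice] -> /usr/local/assp/notspam/10322.eml
"""


def parse_sessions(lines):
    """Collect per-session facts: client IP, whitelisted domain, SPF result,
    envelope sender, subject and whether delivery happened as whitelisted."""
    sessions = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = sessions[m['sid']]
        s['ip'] = m['ip']
        s.setdefault('first_seen', m['ts'])
        rest = m['rest']
        w = WHITE_RE.search(rest)
        if w:
            s['white_domain'] = w['domain']
        p = SPF_RE.search(rest)
        if p:
            s['spf'] = p['result']
            s['mailfrom'] = p['mailfrom']
        if m['tag'] == 'Whitelisted':
            sub = SUBJECT_RE.search(rest)
            s['subject'] = sub['subject'] if sub else ''
            s['delivered_as_whitelisted'] = True
    return dict(sessions)


def suspicious_whitelist_hits(lines, local_nets=('127.0.0.0/8',)):
    """Return whitelisted deliveries from non-local IPs that lack SPF pass
    or whose mailfrom domain is not the whitelisted domain itself."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    hits = []
    for sid, s in parse_sessions(lines).items():
        if not s.get('delivered_as_whitelisted'):
            continue
        if any(ipaddress.ip_address(s['ip']) in n for n in nets):
            continue  # local submission, not what the whitelist check is about
        reasons = []
        if s.get('spf') != 'pass':
            reasons.append('spf=%s' % s.get('spf', 'missing'))
        mf_domain = s.get('mailfrom', '').rpartition('@')[2].lower()
        wd = s.get('white_domain', '').lower()
        if wd and mf_domain != wd:
            reasons.append('mailfrom domain %r != whitelisted %r' % (mf_domain, wd))
        if reasons:
            hits.append({'session': sid, 'ip': s['ip'], 'domain': wd,
                         'when': s.get('first_seen', ''),
                         'subject': s.get('subject', ''), 'reasons': reasons})
    return hits


if __name__ == '__main__':
    for hit in suspicious_whitelist_hits(SAMPLE_LOG.splitlines()):
        print(hit['when'], hit['ip'], hit['domain'], hit['subject'], hit['reasons'])
```

Run over the real maillog (pass the file's lines instead of SAMPLE_LOG) and add your own server's addresses to local_nets; a burst of hits for one whitelisted domain is the signal that an entry in whitedomains.txt is doing the work the thread describes, and the domain field tells you which entry to remove.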
Posted by stratasite, 06-04-2008, 09:30 PM I have messaged the author of asspx on the cPanel forums, and pointed him here, let's see what he says.
Posted by stratasite, 06-04-2008, 09:56 PM kcackler, just out of curiosity, do you have hidden .DS_Store files in those directories as well?
Posted by whmcsguru, 06-04-2008, 10:06 PM Not much of anything, I'm sure. Try to actually understand what these people do here. Both ASSP-deluxe and ASSP-X are merely configuration edits, that's all. They do not, in fact, modify the perl script (that which runs ASSP itself), only the configurations ASSP runs off of, and even then barely anything. However, based off of a few tests, this is a problem with your install, not the script itself: So, something else has to be authorizing this, because this isn't (at default, or in either install) allowed. Those are part of the distribution itself, remnants of the mac distribution stuff IIRC. There's nothing to worry about those at all.
Posted by ThatScriptGuy, 06-04-2008, 11:35 PM I haven't experienced this problem since March. I have moved to a new server, fresh install, and purchased ASSP Deluxe. I haven't experienced the problem since then. I don't know where the issue lies, but it is troubling to say the least.
Posted by SHTech, 06-05-2008, 01:59 AM Guys, calm down! It is NOT a bug. In the /usr/local/assp/files/whitedomains.txt you have an entry for domain apotheke.de (and many others). This file is contributed by the ASSP developer in the build. Check 1.3.3.8 on the official ASSP website - assp.sourceforge.net - and you would see these entries are there. You may easily get rid of this in ASSP X (NOT in ASSP Deluxe!):
1) Disable auto-updates for ASSP X "files" (via WHM);
2) Execute in the shell: cat /dev/null > /usr/local/assp/files/whitedomains.txt
3) Restart ASSP - /etc/init.d/assp restart
You are done. Feel free to contact us should you need further help.
Posted by stratasite, 06-05-2008, 02:02 AM Linux-tech, Good to know about the DS_Store files... However, you don't have a valid SMTP session there...here are my very scary results: And the mail goes through... I would be happy to find out that it's just a misconfiguration rather than a serious flaw in the system, so help me understand how the above session would be a misconfiguration.
Posted by SHTech, 06-05-2008, 02:15 AM P.S. At the same time we will consider removing this stock whitedomains.txt file from ASSP X releases. Expect it in the next ASSP X version.
Posted by SHTech, 06-05-2008, 02:21 AM Please, send me PM. I wish to confirm this issue.
Posted by SHTech, 06-05-2008, 02:25 AM Our session looks like this: So on our server it works like expected. Eager to hear what is wrong on your server. Have you added entries to /usr/local/assp/rules/assp_white.txt ?
Posted by stratasite, 06-05-2008, 02:39 AM SHTech, You are not following what I did (what I saw them doing in the log) either. Try pasting everything on the line below, exactly as posted: You will get a 501 error, then try: You will get 250 OK, which will then allow you to send to any address on the domain, as you are somehow temporarily added to the whitelist.
Posted by stratasite, 06-05-2008, 02:46 AM Sorry, I mixed something up in both of my above sessions. Should have pasted directly in from my session or one of the logs. Here is the problematic order: Which gives a 501, to which they try the rcpt command To which we get back a 503, sender not yet given...so it tries again, this time with no hack code... results in 250 OK, so they try the again, and it works this time...allowing them to send through. I have tried this on two different servers, one not configured by me. This does appear to be a bug in assp.
Posted by SHTech, 06-05-2008, 02:49 AM What ASSP version you run?
Posted by SHTech, 06-05-2008, 02:51 AM Gave it another set of tries. We run ASSP 1.3.5.15.13 at this time.
Posted by stratasite, 06-05-2008, 02:56 AM try it again, without the HELO localhost, with just
Posted by stratasite, 06-05-2008, 02:58 AM Version 1.3.5 - unsure of minor version numbers...
Posted by SHTech, 06-05-2008, 03:28 AM We did not receive error 503 like you said (sender not given). E.g. our install does not accept RegexWhite in sender. What changes have you made to assp.cfg? You may see all of them in /etc/asspx/assp.cfg.override (exclude password entries and attach here). Unless you run a buggy ASSP version (btw, do you use ASSP X or just manually installed ASSP?) there should not be such problems.
Posted by stratasite, 06-05-2008, 03:48 AM Restarted ASSP, and I get a delay message with the same settings as I tried above. Bizarre, this has happened twice now where a restart stops that behavior. So I'm not sure what is going on. I don't think it's my config, or a restart wouldn't help, would it? As I said in my post on the cPanel forum...I originally installed asspx, then uninstalled it and went with assp deluxe due to the lack of a log for clients in asspx.
Posted by SHTech, 06-05-2008, 04:05 AM Argh! Then I may not be of further help to you - we do not debug Deluxe's configs. Perhaps something wrong is enabled or an outdated/bugged version is used. Btw, interesting to know - what do your logs look like when you notice whiteregex spam attempts? I may search for similar patterns on our production servers.
Posted by ThatScriptGuy, 06-05-2008, 09:40 AM SHTech - This was MY thread, which I originally posted while running a completely UNMODIFIED version of ASSP X. I no longer have the problem, as I, too, switched to ASSP Deluxe. I don't know what caused the problem, but I don't think it's specific to ASSP X OR ASSP Deluxe.
Posted by SHTech, 06-05-2008, 05:20 PM We may have updated ASSP X then... Well, it doesn't matter now - it seems the bugs (if any) are gone, and in case new ones appear we will be happy to address them.
Posted by whmcsguru, 06-05-2008, 06:40 PM So, address the one you've been brushing under the carpet for months now. Oh yeah, you can't, rather you won't. You won't even acknowledge it exists, claiming I have no clue what I'm doing. My experience is quite the opposite there. Back on topic here: stratasite: IN a nutshell, this is supposed to happen. Yes, I know it sounds fishy, but it is. Here's what's what: Local connections are always accepted with Exim. Mail from "local" hosts (ie: 127.0.0.1) is going to be accepted.. An example (mind you, this is on a NON assp server, the same thing happens) Now, try it from another ip address (ie: telnet ip 25), and you get (and should get) this: See, things are handled just as they should be. No harm, no foul. Lesson to be learned? Be careful when you point out vulnerabilities, and make DAMN sure that they're actually vulnerabilities, not the way things are supposed to work. In this case, this isn't a flaw or vulnerability, merely the way that operations are supposed to be handled (at least with every cpanel / exim server I tried this afternoon). Last edited by whmcsguru; 06-05-2008 at 06:43 PM.
Posted by SHTech, 06-08-2008, 06:40 AM Don't worry, the thing you are talking about doesn't affect ASSP X until you modify it or do not follow the full installation route. Yes, you need the Exim configuration to be installed. Enjoy!
Posted by whmcsguru, 06-08-2008, 08:42 AM Not quite, but thanks for playing Of course, you want to , again, try to deny that your problem causes problems, but it does. How can YOUR CRON SCRIPTS causing an open relay be related to ANYTHING but YOUR CRON SCRIPTS? How many times do I have to say it here, your cron scripts have (repeatedly) caused open relays in default installations.
Posted by SHTech, 06-08-2008, 09:13 AM Stop complaining without proof that our scripts are causing your problems.
Posted by whmcsguru, 06-08-2008, 12:10 PM I've already GIVEN you proof, you just don't want to see it, or admit that it exists. I'm not COMPLAINING, I'm merely making individuals aware of the fact that your script CAN and WILL allow an open relay on systems, due to your own cron setup. I'm no first year newb here, I know exactly what I'm talking about, and have posted more than enough proof. On the other hand, you, as an inexperienced developer refuse to admit your script has problems, and claim anyone who says it does doesn't know what they're doing. Hey, that's fine, if that's how you want to play it, but the FACTS are that with 3 separate installs (on 2 separate servers), and a DEFAULT installation of YOUR SCRIPT, all it took was a simple run of the cron job to see mail being relayed. I'm not going to rehash this again with you, because you are ignorant enough to claim "it's not my script", even when I told you specifically how it was created, and HOW the relay was created in the first place, as a DIRECT result of YOUR CRONS running. Hrrrm, my problem? Well, let's let the logs decide: WITH your script installed: WITHOUT your script installed (which is what it SHOULD have been from the get go) Now, that's NOT due to a lack of trying: But due to a lack of proper configuration, NOT on my end by any means, but on yours. When a simple cron job causes THAT much of an insecurity, there's a problem, with the scripts run by said cron job, which are managed, created, and designed by yourself OH, and by the way, yes, they're STILL trying, thinking the system is still insecure: I know this, because I know what the pattern was to look for (what they were abusing to begin with). There is no doubt, whatsoever that they're being blocked now, and there is NO doubt that the problem was caused by YOUR OWN SCRIPTS.
If you want to continue to live with your head in the sand and claim "This doesn't exist", then feel free, but I know what I know, and I KNOW what I did to get this replicated, fixed, and even working again. Just because you want to be ignorant and pretend that it DOESN'T exist doesn't mean that it doesn't, just that you hope it'll be brushed under the carpet and go away quietly. I'm afraid THAT'S not going to happen, because I'm just not going to let it. When you respond professionally, stating you have FOUND and FIXED the problem, then we'll talk again, but you refuse to even investigate it, because to you, there is no problem, despite logs showing otherwise.
Posted by SHTech, 06-08-2008, 03:45 PM I won't quote your response, in fact I have no time to read your irrational logic. If you claim yourself to be a professional you should notice that there are numerous new revisions and unless you make up to date proof stop telling that something in the past had a bug *if it had one at all*. Hey, I know a lot of past bugs in various software and this doesn't mean I could say they are still there! Stop it.
Posted by whmcsguru, 06-08-2008, 05:18 PM Typical of you and your company -- Ignore the facts provided, which prove problems, pretend they don't exist. -- Don't acknowledge serious flaws just because you don't want to look into it -- Steal other people's code, trying to claim it as your own. You want me to "stop" ? Simple, ADMIT there's a problem and FIX IT! It's really, really easy. Want more proof? Ok, here you go. Just downloaded, FRESH out of the box configs. Because I KNOW what you're going to try to claim next, here's the exact same command run 5 minutes later after restoring the backed up Assp-deluxe configs (nothing changed THERE either): Yeah, your setup DOESN'T allow relaying, right? You've just been proven wrong again. You want me to "stop"? Find and fix your problem, and no, you don't get my logs, or my config directory. Last edited by whmcsguru; 06-08-2008 at 05:26 PM.
Posted by SHTech, 06-11-2008, 05:15 AM Crosspost from cPanel's forum: Nice attempt! Here are our logs without hidden characters - try to get in if you feel ASSP X allows it! Note that I have used the same spam@spam.com you have initially used. As said - if your system configuration is weak it doesn't matter with what key you may unlock it. Even if anything in ASSP X (and I highly doubt it is) causes YOUR problems (no one reported similar issues, but we have asked many customers about that) it just means you have tricky source configs. Who knows, perhaps you have @spam.com in your localdomains file? Joking.
Posted by whmcsguru, 06-11-2008, 09:58 AM Well, of course, I'm going to post a vulnerability where it will do the most good, and no, I'm NOT going to give up here. You know what it'll take to get this to stop. It's not "trashing" your product, it's making people aware of SEVERE VULNERABILITIES inside of your product. What part of "STOCK CONFIGURATION" do you not understand? What part of "DEFAULT INSTALLATION" do you not understand? What part of "LATEST RELEASE" do you not understand? This hasn't got ANYTHING to do with "tricky source configs", it has EVERYTHING to do with pathetically poor programming on your behalf. YOUR configuration, YOUR crons caused this, NOT "tricky configurations". My god, how many times must I say the same damned thing until you get it through your thick skull? I could care less if you can't (personally) duplicate it, or if you can't get OTHERS to duplicate it. The fact that it CAN be replicated by me, on my servers, with YOUR PRODUCT, and ONLY your product means that it is YOUR PRODUCT, and ONLY your product that causes this. Wow, that's reaching there too Let's see here: A> Exim by default doesn't allow it B> ASSP, by default doesn't allow it C> The PAID version doesn't allow it D> YOUR VERSION ALLOWS IT! Get over your "I'm not going to look at this" crap, stop trying to blame the "system config". The fact is that YOUR PRODUCT allows for a relay. Exim doesn't, ASSP by default doesn't, the PAID version DOES NOT. Your product does. As usual, the programmer can't figure the problem out, so, hey, let's blame the "system", make it the "system admin's" fault. My god, how stupid can you get? Your product allows for a relay. Maybe not in every install, maybe not when you have 1 or 2 domains. Maybe not when you have 100s of domains. Really, I could care LESS what the reproducibility of this is, or what the circumstances are. It's not MY job to debug your product. It's not MY job to make your product more secure, that is YOUR job.
MY job is to post undeniable proof (which I have multiple times) that your product is vulnerable. Admit there's a problem, find and fix it.
Posted by SHTech, 06-11-2008, 12:05 PM You are like a kid while you aren't. If you don't like to provide reproducible steps you are just one of these bitching guys. God, I may understand someone who located the bug and uses it to his own benefit, but I can't understand those like you who are playing games: "Hey, I guess you have a bug, but I won't show you the details". Very funny and, really, not professional at all and you claim to be professional, don't you?
Posted by whmcsguru, 06-11-2008, 12:32 PM I've given reproducible steps. Just because YOU can't reproduce it DOESN'T mean it's not reproducible, it means you can't reproduce it. I've given you details, you reject them. I'm NOT letting you into my server, because you have no clue what you're doing in there, as is very evident by your own posts here. I'm NOT giving you my "logs", because they're already here. I'm NOT giving you my "configs", because you already have them. This is (again) a default setup. You get nothing more than you already have. See, it's not MY job, again, to code for you, or to help you out in fixing your sloppy code. That would be your job. Again, I'll say this, EXACTLY how this is reproduced. I've said this countless times before, maybe this time, you'll actually pay attention! #1: Download assp #2: Install ASSP #3: Run Cron Jobs #4: Exploit system Have I ever said this was exploitable on every server? No Have I ever said this was exploitable by default? No. What I said was exactly what I did to reproduce the exploit. Firstly, I see nothing funny about an open relay, and anyone that says there is should seriously examine their administrative principles, ESPECIALLY if they're involved in a project like this. Secondly, I've been nothing but professional here, unlike yourself who have stolen code, redistributed it, claimed it was his own, and now is refusing to address critical security concerns. What is funny is your attitude here. Well, not funny, but disgusting. I mean, you know just how I reproduced the problem, you know just how it works, I've been through this dozens of times already, but STILL you deny there's a problem. Like someone walking around with blinders on who can't see the light claiming "there is no light", someone, some day will remove those blinders from your eyes, and you'll see there IS a problem. There's a difference between programming properly, and just blindly stabbing in the dark. You are stabbing around in the dark.
You deny anything at all involving your own code just because you can't code properly, and blame it all on the "system". The only one talking like a kid here is you, the one insisting "I'm right, there's no problem", when there is, in fact a gaping security flaw in your code. Where? I don't know, and frankly, I don't care. All I know is that it CAN and DOES in situations result in an open relay. Those situations are NOT system related, they are CODE related. Until YOUR specific crons are run, the relay is not there. Once they ARE, it is not.
Posted by SHTech, 06-12-2008, 07:37 AM You may wish to try ASSP X 1.8.6. Just as a fool-proof check, we now remove "bad" characters from source files. So unless you add a remote domain to your localdomains and/or secondarymx file it prevents you from adding wildcard domains, etc.
Posted by freemchr, 06-26-2008, 12:12 AM How did you uninstall ASSP X?
Posted by whmcsguru, 06-26-2008, 07:06 AM as root (through ssh) Repeat the last step for EVERY theme you have setup in CPanel, substituting the theme name for frontend/x/asspx