Received-SPF: pass (Last token {+ip4:69.164.206.25} (res=PASS)) client-ip=69.164.206.25; envelope-from=<lyle@lcrcomputer.info>; x-ip-name=ns2.lcrcomputer.net;
X-Received: from ns2.lcrcomputer.net (ns2.lcrcomputer.net [69.164.206.25])
by netwin.co.nz (SurgeMail 7.4k) with ESMTP (TLS) id 21163501-1391920
for <surgemail-list@netwinsite.com>; Wed, 25 Mar 2020 21:39:21 +0000
X-Return-Path: lyle
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=73.247.42.107; envelope-from=<lyle@lcrcomputer.info>;
X-Received: from mail3.lcrcomputer.net (unverified [73.247.42.107])
by ns2.lcrcomputer.net (SurgeMail 7.4e) with ESMTP (TLS) id 592-1260698
for <surgemail-list@netwinsite.com>; Wed, 25 Mar 2020 21:39:19 +0000
X-Return-Path: lyle
X-DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=default; d=lcrcomputer.info;
h=From:Subject:Date;
b=tzhqsbeM+5tWrg/SK4aR8ACDs0l5ieEa3p11iXwA6z58RdFVIYnCKVcXTZklqY+Kb1htwua25HtmKCpcbBW1njySCec/U4gK60TKt3dJ7gZepjnuysh067YYDcLTSSqBBKSJaYSqVlDWImj3y7cxLWv7t5oBt9yGJO+G5CBdPGk=;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lcrcomputer.info;
s=default; t=1585172359;
bh=jQqKEuRSUcrwr3ZNmAstjGLN4NAhM/BC9tyN7khSKGc=;
h=X-Default-Received-SPF:Received:Return-Path:To:From:Subject:
Message-ID:Date:User-Agent:MIME-Version:Content-Type:
Content-Transfer-Encoding:Content-Language:X-Authenticated-User;
b=QkMhK+VD+6E7ISMYZP2mc0FhDXAGiaLTJc83+MR7M36P3zqb3Z1dbPM4HDF3NyaYq
4SFlFyDaBc2vSD2vKH80wD3FiyyyuqLDG6+6Vc6qXe5MMIPuhI+4n+TNg95Pj/A/Cf
k9l2UrfwylAjKaeCyjOb77+BEqYUwQ8pXoI0+eFs=
X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=192.168.250.197; envelope-from=<lyle@lcrcomputer.info>;
X-Received: from [192.168.250.197] (unverified [192.168.250.197])
by mail3.lcrcomputer.net (SurgeMail 7.3p) with ESMTP (TLS) id 8389330-1794114
for <surgemail-list@netwinsite.com>; Wed, 25 Mar 2020 16:39:19 -0500
X-Return-Path: lyle
To: surgemail-list@netwinsite.com
From: Lyle Giese
Subject: [SurgeMail List] atrn and port 366 Plus logging admin password fails
Message-ID: <7b24b0fb-52a1-4963-6509-33304190e0a7@lcrcomputer.info>
Date: Wed, 25 Mar 2020 16:39:14 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Thunderbird/68.6.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-X-Authenticated-User: lyle@lcrcomputer.info
X-X-Authenticated-User: auth_admin@ns2.lcrcomputer.net
X-Originating-IP: 69.164.206.25
X-Country: code=US country="United States" ip=69.164.206.25
X-Rcpt-To: <surgemail-list@netwinsite.com>
X-Kann: +OK 0.633 0.962 1/4
X-SpamDetect: **: 2.2 sd=2.2 lv=0.00 nok=18/2 m=16 nf=0 Close 0.04(X-myrbl:Color=white) 0.90(X-Phrase:isspam) 0.12(X-SpamContent:clean) 0.32(X-Verify-Helo:+OK) 0.33(X-NotAscii:utf) 0.38(X-Verify-MX present) 0.41(spfpass) 0.45(StandardTLD) 0.49(X-LangGuess:English) Saned 5.0 Sval 2.2 bsan 5.0 Moved 5.0->2.2 Sval 2.2
X-NotAscii: charset=utf-8;
X-SpamContent: Clean
X-LangGuess: English
X-Phrase: IsSpam score=1.00
X-Verify-Helo: +OK ns2.lcrcomputer.net
Authentication-Results: netwin.co.nz header.from=lyle@lcrcomputer.info; dkim=fail (Bad signature)
X-Verify-MX: <lyle@lcrcomputer.info> senders ip (ch=69.164.206.25 msg=69.164.206.25, net=69.164.) not in mx data dom=lcrcomputer.info ipname=ns2.lcrcomputer.net (209.222.82.150 209.222.82.147 209.222.82)
X-Encryption: SSL encrypted
X-MyRbl: Color=White Age=22 Spam=0 Notspam=0 Stars=0 Good=7 Friend=12 Surbl=0 Catch=0 r=0 ip=69.164.206.25
X-IP-stats: Incoming Last 0, First 22, in=66, out=0, spam=0 ip=69.164.206.25
List-Unsubscribe: <mailto:surgemail-list-leave@netwin.co.nz?subject=unsubscribe>
X-Mailing-List: surgemail-list@netwin.co.nz
List-ID: <surgemail-list@netwin.co.nz>
Precedence: bulk
Reply-To: surgemail-list@netwin.co.nz
I have an instance of SurgeMail installed on a virtual server at
Linode. I have most stuff turned off and the attack surface seems to be
small, but I'm missing a couple of details.

I see I have a listener open on TCP 366. From what I have found this is
for ATRN (I know what ATRN is and have used it in the past), but I don't
see a switch to turn that off to drop that listener.

The other thing I have not looked at in detail is failed logins to the
admin interface of SurgeMail. I don't know where those are logged so I
can at least monitor hackers' failed attempts to break in on that
interface. Any pointers would be appreciated.
Thanks,
Lyle Giese
LCR Computer Services, Inc.
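The first question above is really an attack-surface audit: which sockets the host is actually listening on, which of them are reachable from outside, and whether each one is expected. The following is an added example, not code from Lyle's post or from the SurgeMail product. It parses the output of `ss -Hltnp` (run on the host, with the header suppressed) into listener records, treats loopback-only binds as not exposed, and reports every exposed port that is not in an allowlist, naming well-known ports such as 366 (ODMR, the port ATRN is served on per RFC 2645). The embedded sample output, the process names on it and the default allowlist of 22/25/465 are constructed assumptions for the demonstration; nothing here depends on SurgeMail's own configuration or log format, which the post does not show.

```python
"""Audit listening TCP sockets against an allowlist of expected ports.

Added example (not from the original post or from SurgeMail).  Usage on a host:
    ss -Hltnp | python3 audit_listeners.py 22 25 465
or, to run on the constructed sample embedded below:
    python3 audit_listeners.py --sample 22 25 465
"""
import ipaddress
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Well-known names for ports likely to appear on a mail host.  366 is ODMR,
# the port on which ATRN (RFC 2645) is served.
PORT_NAMES = {22: "ssh", 25: "smtp", 110: "pop3", 143: "imap", 366: "odmr/ATRN",
              443: "https", 465: "smtps", 587: "submission", 993: "imaps", 995: "pop3s"}

# Constructed sample of `ss -Hltnp` output (assumption: not captured from a
# real SurgeMail host).  The process names are illustrative only.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128   0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128   0.0.0.0:25    0.0.0.0:* users:(("surgemail",pid=1402,fd=11))
LISTEN 0 128   0.0.0.0:366   0.0.0.0:* users:(("surgemail",pid=1402,fd=13))
LISTEN 0 128   0.0.0.0:465   0.0.0.0:* users:(("surgemail",pid=1402,fd=12))
LISTEN 0 128 127.0.0.1:3306  0.0.0.0:* users:(("mysqld",pid=977,fd=21))
LISTEN 0 128      [::]:22       [::]:* users:(("sshd",pid=812,fd=4))
"""

_PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    host: str
    port: int
    process: str
    pid: Optional[int]

    @property
    def exposed(self) -> bool:
        """True unless the socket is bound to a loopback address only."""
        if self.host in ("*", ""):          # ss prints '*' for any-address binds
            return True
        try:
            addr = ipaddress.ip_address(self.host.split("%", 1)[0])  # drop %iface
        except ValueError:
            return True                      # unparseable: flag it so a human looks
        return not addr.is_loopback


def parse_ss_listeners(text: str) -> List[Listener]:
    """Parse `ss -Hltnp` lines: State Recv-Q Send-Q Local Peer [Process]."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")   # handles "[::]:22" and "*:22"
        host = host.strip("[]")
        process, pid = "?", None
        if len(fields) >= 6:
            m = _PROC_RE.search(fields[5])
            if m:
                process, pid = m.group(1), int(m.group(2))
        listeners.append(Listener(host, int(port), process, pid))
    return listeners


def find_unexpected(listeners: Iterable[Listener], allowed_ports: Iterable[int]) -> List[Listener]:
    """Exposed (non-loopback) listeners whose port is not on the allowlist."""
    allowed = set(allowed_ports)
    return [l for l in listeners if l.exposed and l.port not in allowed]


def describe(l: Listener) -> str:
    name = PORT_NAMES.get(l.port, "unknown")
    pid = f" pid {l.pid}" if l.pid is not None else ""
    return f"{l.host}:{l.port} ({name}) {l.process}{pid}"


def main(argv: List[str]) -> int:
    args = [a for a in argv if a != "--sample"]
    allowed = {int(a) for a in args} or {22, 25, 465}   # assumed default allowlist
    text = SAMPLE_SS_OUTPUT if "--sample" in argv else sys.stdin.read()
    unexpected = find_unexpected(parse_ss_listeners(text), allowed)
    for l in unexpected:
        print("UNEXPECTED listener:", describe(l))
    return 1 if unexpected else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Against the sample, only 0.0.0.0:366 (odmr/ATRN) is reported; the loopback-only 3306 bind is skipped because it is not reachable from outside the host. Because the script exits non-zero when anything is flagged, it can run from cron or a monitoring check after every configuration change, so a listener that cannot be switched off in the application is at least never silently forgotten and can be blocked at the host firewall instead.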