Hello List,

We had an incident where one of our users got completely flooded by 'delivery error' for emails he did not send.

The sources were about a hundred different IP addresses. It turned out, most (if not all) bounces were generated by outlook.com customers.

When does outlook.com stop sending backscatter? (Also verifying SPF would solve the issue!)

It can't be that hard to either locally configure valid recipients or do a forward connection to the destination SMTP server to verify the recipient exists, to prevent delayed bounces.

Example:

cqsb.qc.ca mail is handled by 0 cqsb-qc-ca.mail.protection.outlook.com.
teleport.ch descriptive text "v=spf1 ip6:2001:4060:1:1001::/64 ip4:157.161.9.0/24 ip4:157.161.12.0/22 -all"

==============================================
$ telnet cqsb-qc-ca.mail.protection.outlook.com smtp
Trying 23.103.157.10...
Connected to cqsb-qc-ca.mail.protection.outlook.com.
Escape character is '^]'.
220 QB1CAN01FT005.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Thu, 15 Feb 2018 11:53:21 +0000
ehlo teleport.ch
250-QB1CAN01FT005.mail.protection.outlook.com Hello [157.161.4.160]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8
mail from:<[email protected]>
250 2.1.0 Sender OK
rcpt to:<[email protected]>
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
Subject: I am going to DDOS you: [email protected]

Big Huge PayLoad!
.
250 2.6.0 <39fa7bc5-9f6f-45d7-9ee5-c5819c859...@qb1can01ft005.eop-can01.prod.protection.outlook.com> [InternalId=20267950671486, Hostname=YTOPR0101MB0844.CANPRD01.PROD.OUTLOOK.COM] 7282 bytes in 8.908, 0.798 KB/sec Queued mail for delivery
=============================================================

Note, the source IP of my email is not covered by SPF, so it should be rejected right away after the From: line. Well no, the destination server throws the full payload back to the victim, which luckily for this test is an invalid address.

Feb 15 12:55:14 obelix postfix/smtpd[20164]: NOQUEUE: reject: RCPT from mail.cqsb.qc.ca[206.167.67.10]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual mailbox table; from=<> to=<[email protected]> proto=ESMTP helo=<mail.cqsb.qc.ca>

Kind regards
-Benoît Panizzon-
--
I m p r o W a r e   A G    -    Leiter Commerce Kunden
______________________________________________________
Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________

_______________________________________________
mailop mailing list
[email protected]
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
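An added example, not code from the post, from Microsoft or from Postfix: a minimal SPF evaluator run against the teleport.ch record quoted in the post, plus the in-session decision a receiving MX can make before accepting DATA. With the connecting client at 157.161.4.160 (outside every ip4/ip6 mechanism, so `-all` applies) the result is a 5xx to the sender while it is still connected, and no delayed bounce is ever created. Only ip4, ip6 and all are handled; include/a/mx/ptr/exists would need DNS lookups and are skipped (an assumption of this example).

```python
import ipaddress

# SPF record for teleport.ch exactly as quoted in the post.
TELEPORT_SPF = ("v=spf1 ip6:2001:4060:1:1001::/64 ip4:157.161.9.0/24 "
                "ip4:157.161.12.0/22 -all")

# Qualifier prefixes and the RFC 7208 result they produce on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(client_ip, record):
    """Evaluate an SPF record against the connecting client IP.
    Simplification (this example's assumption): only ip4, ip6 and all are
    handled; include/a/mx/ptr/exists need DNS lookups and are skipped."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term (RFC 7208 4.7)


def session_decision(client_ip, sender_spf, recipient_exists):
    """Decide during the SMTP session, before DATA is accepted.
    A 5xx at MAIL FROM / RCPT TO makes the connecting MTA carry the error
    back itself; accept-then-bounce is what sends backscatter to the forged
    sender."""
    if evaluate_spf(client_ip, sender_spf) == "fail":
        return "550 5.7.1 SPF check failed; rejected at MAIL FROM"
    if not recipient_exists:
        return "550 5.1.1 Recipient address rejected: User unknown"
    return "250 2.1.5 Recipient OK"
```

`session_decision("157.161.4.160", TELEPORT_SPF, False)` returns the 5.7.1 rejection, which is the outcome the post expected from the outlook.com MX instead of the queued-then-bounced message.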
