Jim Wright writes:
On Jan 26, 2009, at 7:41 AM, Paweł Leśniak wrote:

One of our users is getting lots of returned mails because his email address is used as return-path by spammer(s).

I would guess that your system is accepting mail from unknown servers? Start blocking those, and you'll find that these bounces will drop significantly. Hard to tell from your sanitized error report...

Well, I have no idea what is missing in my previous post. Could you please tell me what's missing?

Here's an excerpt from the logs:
Jan 26 13:05:41 mail postfix/smtpd[2432]: connect from static-ip-114-118-134-202.rev.dyxnet.com[202.134.118.114]
Jan 26 13:05:42 mail postgrey[1086]: action=pass, reason=triplet found, delay=727, client_name=static-ip-114-118-134-202.rev.dyxnet.com, client_address=202.134.118.114, recipient=u...@example.com
Jan 26 13:05:42 mail postfix/policy-spf[2500]: handler sender_policy_framework: is decisive.
Jan 26 13:05:42 mail postfix/policy-spf[2500]: : Policy action=PREPEND Received-SPF: none (server.hipwah.com: No applicable sender policy available) receiver=mail.example.com; identity=helo; helo=SERVER.hipwah.com; client-ip=202.134.118.114
Jan 26 13:05:42 mail postgrey[1086]: action=pass, reason=triplet found, client_name=static-ip-114-118-134-202.rev.dyxnet.com, client_address=202.134.118.114, recipient=u...@example.com
Jan 26 13:05:42 mail postfix/smtpd[2432]: B02B3C4E69: client=static-ip-114-118-134-202.rev.dyxnet.com[202.134.118.114]
Jan 26 13:05:43 mail postfix/cleanup[1895]: B02B3C4E69: message-id=<bsqwy6yhk00000...@server.hipwah.com>
Jan 26 13:05:43 mail postfix/qmgr[29447]: B02B3C4E69: from=<>, size=3464, nrcpt=1 (queue active)
Jan 26 13:05:43 mail amavis[28992]: (28992-06) ESMTP::10024 /var/amavis/tmp/amavis-20090126T122953-28992: <> -> <u...@example.com> SIZE=3464 Received: from mail.example.com ([127.0.0.1]) by localhost (mail.example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <u...@example.com>; Mon, 26 Jan 2009 13:05:43 +0100 (CET)
Jan 26 13:05:43 mail amavis[28992]: (28992-06) Checking: RddKfnGyz5HQ [202.134.118.114] <> -> <u...@example.com>
Jan 26 13:05:43 mail amavis[28992]: (28992-06) p004 1 Content-Type: multipart/report
Jan 26 13:05:43 mail amavis[28992]: (28992-06) p001 1/1 Content-Type: text/plain, size: 286 B, name:
Jan 26 13:05:43 mail amavis[28992]: (28992-06) p002 1/2 Content-Type: message/delivery-status, size: 607 B, name:
Jan 26 13:05:43 mail amavis[28992]: (28992-06) p005 1/3 Content-Type: message/rfc822
Jan 26 13:05:43 mail amavis[28992]: (28992-06) p003 1/3/1 Content-Type: text/plain, size: 459 B, name:
Jan 26 13:05:43 mail postfix/smtpd[2432]: disconnect from static-ip-114-118-134-202.rev.dyxnet.com[202.134.118.114]
Jan 26 13:05:44 mail amavis[28992]: (28992-06) SPAM-TAG, <> -> <u...@example.com>, Yes, score=6.86 tagged_above=-999 required=5 tests=[URIBL_AB_SURBL=1.86, URIBL_BLACK=5]
Jan 26 13:05:44 mail postfix/smtpd[1899]: connect from unknown[127.0.0.1]
Jan 26 13:05:44 mail postfix/smtpd[1899]: 588D6C5070: client=unknown[127.0.0.1]
Jan 26 13:05:44 mail postfix/cleanup[1895]: 588D6C5070: message-id=<bsqwy6yhk00000...@server.hipwah.com>
Jan 26 13:05:44 mail postfix/qmgr[29447]: 588D6C5070: from=<>, size=4129, nrcpt=1 (queue active)
Jan 26 13:05:44 mail postfix/smtpd[1899]: disconnect from unknown[127.0.0.1]
Jan 26 13:05:44 mail amavis[28992]: (28992-06) FWD via SMTP: <> -> <u...@example.com>,BODY=7BIT 250 2.6.0 Ok, id=28992-06, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 588D6C5070
Jan 26 13:05:44 mail amavis[28992]: (28992-06) Passed SPAMMY, [202.134.118.114] [202.134.118.114] <> -> <u...@example.com>, Message-ID: <bsqwy6yhk00000...@server.hipwah.com>, mail_id: RddKfnGyz5HQ, Hits: 6.86, size: 3462, queued_as: 588D6C5070, 913 ms
Jan 26 13:05:44 mail postfix/smtp[1896]: B02B3C4E69: to=<u...@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=1.4/0/0/0.92, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 588D6C5070)
Jan 26 13:05:44 mail postfix/qmgr[29447]: B02B3C4E69: removed
Jan 26 13:05:44 mail amavis[28992]: (28992-06) TIMING [total 921 ms] - SMTP greeting: 3 (0%)0, SMTP EHLO: 1 (0%)0, SMTP pre-MAIL: 1 (0%)0, SMTP pre-DATA-flush: 3 (0%)1, SMTP DATA: 36 (4%)5, check_init: 1 (0%)5, digest_hdr: 1 (0%)5, digest_body: 0 (0%)5, gen_mail_id: 1 (0%)5, mime_decode: 24 (3%)8, get-file-type3: 26 (3%)11, decompose_part: 1 (0%)11, decompose_part: 1 (0%)11, decompose_part: 1 (0%)11, parts_decode: 0 (0%)11, check_header: 2 (0%)11, AV-scan-1: 6 (1%)12, spam-wb-list: 2 (0%)12, SA parse: 4 (0%)12, SA check: 752 (82%)94, update_cache: 8 (1%)95, decide_mail_destiny: 1 (0%)95, fwd-connect: 8 (1%)96, fwd-mail-pip: 2 (0%)96, fwd-rcpt-pip: 0 (0%)96, fwd-data-chkpnt: 0 (0%)96, write-header: 1 (0%)96, fwd-data-contents: 0 (0%)96, fwd-end-chkpnt: 18 (2%)98, prepare-dsn: 1 (0%)98, main_log_entry: 11 (1%)99, update_snmp: 2 (0%)100, SMTP pre-response: 1 (0%)100, SMTP response: 0 (0%)100, unlink-3-files: 1 (0%)100, rundown: 1 (0%)100
Jan 26 13:05:44 mail postfix/local[1900]: 588D6C5070: to=<localu...@example.com>, orig_to=<u...@example.com>, relay=local, delay=0.05, delays=0.01/0/0/0.03, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail -a "$EXTENSION" DEFAULT=$HOME/Maildir/ MAILDIR=$HOME/Maildir)


As I understand it, my mail server, mail.example.com, accepts a mailer delivery report from another mail server (IMHO with a broken configuration), SERVER.hipwah.com (static-ip-114-118-134-202.rev.dyxnet.com [202.134.118.114]), which is not included in zen.spamhaus.org, so my mail server accepts this report because there's no reason to reject it. That is, as long as we don't look inside the message enveloped in the report, which was sent From: "Tasha Dunn" <hip...@hipwah.com> To: "Camille Mason" <hip...@hipwah.com> (here I'm talking about the message header, not the SMTP session; of course I have no idea what values MAIL FROM and RCPT TO had), with Received: from 212-95-32-105.internetserviceteam.com ([200.232.187.171]) by SERVER.hipwah.com with Microsoft SMTPSVC(6.0.3790.3959); with X-Originating-IP: 108.30.184.78 by smtp.212.95.32.105; Sun, 25 Jan 2009 16:41:53 -0700
and Message-ID: <mam7rj.0309g198hip...@hipwah.com>
I think that this server should not have permitted this message (rather than bouncing it), but this is just a guess, as I have no idea about the SMTP session which permitted that mail (which was later bounced to my server).
The only place where I can see an address from my domain is in the return-path.
Still, I believe this happens (at least partly) because of a wrong configuration of SERVER.hipwah.com.
At least, looking at zen.spamhaus.org I can see:
   200.232.187.171 is not listed in the SBL
   200.232.187.171 is listed in the PBL, in the following records:
       * PBL065609
   200.232.187.171 is listed in the XBL, because it appears in:
       * CBL
which tells me that SERVER.hipwah.com is not using zen.spamhaus.org or is an open relay for hipwah.com addresses and/or the 200.232.187.171 IP, but these are just blind guesses; I have no idea about the configuration on the remote server.


Regards,
Pawel Lesniak
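The two checks the post reasons through by hand (reading the zen.spamhaus.org listing for an IP, and spotting null-sender bounces in the Postfix log) can be scripted. The following is an added example and not code from the thread or from Postfix/amavis/Spamhaus: `zen_query_name`, `decode_zen`, `lookup_zen`, `null_sender_clients`, `fake_resolver` and `SAMPLE_LOG` are names chosen here; the 127.0.0.x meanings are the return codes Spamhaus documents for the ZEN zone; the sample log lines are constructed from the excerpt above, and the fake resolver's answers are constructed to match the quoted listing (XBL via CBL plus a PBL record), since the page does not say which PBL sub-code was returned.

```python
"""Added example (not from the original thread): two postmaster checks.

1. zen_query_name / decode_zen / lookup_zen: build the reversed-octet
   query name for zen.spamhaus.org and translate the 127.0.0.x answers
   into the zone names (SBL, XBL, PBL) used in the Spamhaus output.
2. null_sender_clients: scan Postfix log lines for null-sender (from=<>)
   queue entries, i.e. bounces/delivery reports, and count them per
   connecting client IP so backscatter sources stand out.
"""
import ipaddress
import re
import socket
from collections import Counter

# Last octet of the A record -> zone, as documented by Spamhaus for ZEN.
ZEN_CODES = {
    2: "SBL",
    3: "SBL (CSS)",
    4: "XBL (CBL)",
    5: "XBL",
    6: "XBL",
    7: "XBL",
    9: "SBL (DROP/EDROP)",
    10: "PBL (ISP maintained)",
    11: "PBL (Spamhaus maintained)",
}
ZONE = "zen.spamhaus.org"


def zen_query_name(ip):
    """Reverse the IPv4 octets and append the DNSBL zone name.
    200.232.187.171 -> 171.187.232.200.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + ZONE


def decode_zen(answers):
    """Map the A records returned by the zone to human-readable zone names."""
    names = []
    for a in answers:
        last = int(a.rsplit(".", 1)[1])
        names.append(ZEN_CODES.get(last, "unknown code " + a))
    return names


def lookup_zen(ip, resolve=socket.gethostbyname_ex):
    """Query ZEN for ip; returns [] when not listed (NXDOMAIN).
    `resolve` is injectable so the logic can be exercised without network."""
    try:
        _, _, addrs = resolve(zen_query_name(ip))
    except socket.gaierror:
        return []
    return decode_zen(addrs)


CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=\S+?\[([\d.]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")


def null_sender_clients(log_lines, ignore=("127.0.0.1",)):
    """Count queue entries with an empty envelope sender, per client IP.
    `ignore` drops loopback reinjections (the amavis -> port 10025 hop in
    the excerpt), which would otherwise count every message twice."""
    client_of = {}  # queue id -> client IP, from the smtpd line
    for line in log_lines:
        m = CLIENT_RE.search(line)
        if m:
            client_of[m.group(1)] = m.group(2)
    counts = Counter()
    for line in log_lines:
        m = FROM_RE.search(line)
        if m and m.group(2) == "" and m.group(1) in client_of:
            ip = client_of[m.group(1)]
            if ip not in ignore:
                counts[ip] += 1
    return dict(counts)


# Constructed sample input, taken from the log excerpt quoted in the post.
SAMPLE_LOG = [
    "Jan 26 13:05:42 mail postfix/smtpd[2432]: B02B3C4E69: client=static-ip-114-118-134-202.rev.dyxnet.com[202.134.118.114]",
    "Jan 26 13:05:43 mail postfix/qmgr[29447]: B02B3C4E69: from=<>, size=3464, nrcpt=1 (queue active)",
    "Jan 26 13:05:44 mail postfix/smtpd[1899]: 588D6C5070: client=unknown[127.0.0.1]",
    "Jan 26 13:05:44 mail postfix/qmgr[29447]: 588D6C5070: from=<>, size=4129, nrcpt=1 (queue active)",
]


def fake_resolver(name):
    """Constructed stand-in for socket.gethostbyname_ex: answers for the
    IP quoted in the post with XBL/CBL + PBL codes (the PBL sub-code is an
    assumption; the page only shows record PBL065609)."""
    if name == zen_query_name("200.232.187.171"):
        return (name, [], ["127.0.0.4", "127.0.0.10"])
    raise socket.gaierror("not listed")


if __name__ == "__main__":
    print(null_sender_clients(SAMPLE_LOG))
    print(lookup_zen("200.232.187.171", resolve=fake_resolver))
    print(lookup_zen("202.134.118.114", resolve=fake_resolver))  # not listed -> []
```

Run against a real mail log, `null_sender_clients` turns the "lots of returned mails" complaint into a ranked list of hosts delivering null-sender mail, which is the input one needs before deciding on greylisting, DNSBL rejection at SMTP time, or backscatter-specific filtering; `lookup_zen` with the default resolver performs the live DNS query that the post did manually.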