For When You Can't Have The Real Thing

Subdomain Relay Attempt

Created by dave. Last edited by dave.
(8 December 2012)

So this week I was getting a whole bunch of these messages:

The original message was received at Wed, 5 Dec 2012 05:23:38 -0500
from [14.216.230.206]

   ----- The following addresses had permanent fatal errors -----
<masako9527@pchome.com>
    (reason: 553 5.3.5 system config error)
<rios@wx88.net>
    (reason: 553 5.3.5 system config error)

   ----- Transcript of session follows -----
553 5.3.5 pchome.com.xdroop.com. config error: mail loops back to me (MX problem?)
554 5.3.5 Local configuration error
553 5.3.5 wx88.net.xdroop.com. config error: mail loops back to me (MX problem?)
554 5.3.5 Local configuration error

Final-Recipient: RFC822; masako9527@pchome.com.xdroop.com
Action: failed
Status: 5.3.5
Diagnostic-Code: SMTP; 553 5.3.5 system config error
Last-Attempt-Date: Wed, 5 Dec 2012 05:23:59 -0500

Final-Recipient: RFC822; rios@wx88.net.xdroop.com
Action: failed
Status: 5.3.5
Diagnostic-Code: SMTP; 553 5.3.5 system config error
Last-Attempt-Date: Wed, 5 Dec 2012 05:24:00 -0500

---------- Forwarded message ----------

Digging in deeper, it appears that this spammer had also done an end-run around my greylisting config:

Dec  5 05:23:38 voyager milter-greylist: qB5AMlj5008822: skipping greylist because this is the default action, (from=<aomgejuyty.gajhqfh@msa.hinet.net>, rcpt=<masako9527@pchome.com>, addr=[14.216.230.206][14.216.230.206]) ACL 139

I think this means that the spammer is trying to get my system to relay his spam by including an @$something.xdroop.com email address in the list of targets to relay to. My system appears to be recognizing those messages as valid xdroop.com destinations, but generates the bounce when that destination turns out to be totally bogus.

(I'm shocked that this particular scheme works anywhere, since my system obediently rejected all the other destinations with "Relaying denied. IP name lookup failed [14.216.230.206]".)

So there are two problems here:

  • I'm not greylisting apparent-subdomains of xdroop.com; and
  • I'm accepting mail for apparent-subdomains of xdroop.com that will never be valid in the first place.
(Also there's the problem that SMTP headers can be routinely forged, thus enabling spam, but that well has been soiled by others better than I, and we all live with this broken state of affairs.)

So for the first problem, I've changed my greylisting rules for subdomains:

racl greylist rcpt /.*@.*\.xdroop\.com/ delay 24h autowhite 3d

This should mean that any mail bound for a subdomain is greylisted for a full day: a real MTA retries and gets through after the delay, while a spam cannon that never retries does not. Note that the pattern is unanchored, so it matches any recipient whose domain contains ".xdroop.com" anywhere (user@foo.xdroop.com.example included), while a plain user@xdroop.com address is not affected by it.
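To see what that rcpt pattern actually matches, and to pull the relevant lines out of the logs instead of digging through them by hand as described above, here is an added Python example. It is mine, not code from the page or from milter-greylist. The regex is the one from the racl rule; the anchored variant is a suggested tightening and is not on the page. The log lines are constructed to look like the milter-greylist and sendmail entries quoted above: the first one is the line from the page, the rest are made up in the same format (queue IDs, the 192.0.2.25 sender and the example.* addresses are invented).

```python
import re
from collections import Counter, defaultdict

# The rcpt pattern from the milter-greylist rule above, as a Python regex.
# Everything it uses means the same in POSIX ERE and in Python, and both the
# ACL and re.search() match anywhere in the address: the pattern is unanchored.
ACL_SUBDOMAIN_RE = re.compile(r".*@.*\.xdroop\.com")

# Suggested tightening (assumption, not on the page): the domain must END in
# .xdroop.com and must have at least one label in front of it.  Before moving
# this into the ACL, confirm that milter-greylist hands the regex the bare
# address (no angle brackets), otherwise the "$" would never match.
ANCHORED_SUBDOMAIN_RE = re.compile(r"^[^@]+@(?:[^.@]+\.)+xdroop\.com$")

# Shapes of the two kinds of log line we care about.
GREYLIST_RE = re.compile(
    r"milter-greylist: (?P<qid>\S+): (?P<action>.*?), "
    r"\(from=<(?P<from>[^>]*)>, rcpt=<(?P<rcpt>[^>]*)>, addr=\[(?P<ip>[^\]]+)\]"
)
REJECT_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\S+): ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, "
    r"relay=\[(?P<ip>[^\]]+)\], reject=(?P<reason>.*)$"
)

# Constructed sample log: line 1 is the entry quoted on the page, the others
# are invented in the same format for illustration.
SAMPLE_LOG = """\
Dec  5 05:23:38 voyager milter-greylist: qB5AMlj5008822: skipping greylist because this is the default action, (from=<aomgejuyty.gajhqfh@msa.hinet.net>, rcpt=<masako9527@pchome.com>, addr=[14.216.230.206][14.216.230.206]) ACL 139
Dec  5 05:23:38 voyager milter-greylist: qB5AMlj5008822: skipping greylist because this is the default action, (from=<aomgejuyty.gajhqfh@msa.hinet.net>, rcpt=<rios@wx88.net.xdroop.com>, addr=[14.216.230.206][14.216.230.206]) ACL 139
Dec  5 05:23:39 voyager sendmail[8822]: qB5AMlj5008822: ruleset=check_rcpt, arg1=<someone@example.net>, relay=[14.216.230.206], reject=550 5.7.1 <someone@example.net>... Relaying denied. IP name lookup failed [14.216.230.206]
Dec  5 05:24:10 voyager milter-greylist: qB5AO9xy008901: greylisted for 24:00:00, (from=<friend@example.org>, rcpt=<dave@xdroop.com>, addr=[192.0.2.25][192.0.2.25]) ACL 12
"""


def classify_rcpt(addr):
    """(matches the page's ACL pattern, matches the anchored pattern)."""
    return (bool(ACL_SUBDOMAIN_RE.search(addr)), bool(ANCHORED_SUBDOMAIN_RE.search(addr)))


def summarise(log_text):
    """Per source IP, count what milter-greylist and sendmail did with its mail."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = GREYLIST_RE.search(line)
        if m:
            key = "skipped" if m["action"].startswith("skipping greylist") else "greylisted"
            if ACL_SUBDOMAIN_RE.search(m["rcpt"]):
                key += "_subdomain_rcpt"   # would now be caught by the racl rule above
            per_ip[m["ip"]][key] += 1
            continue
        m = REJECT_RE.search(line)
        if m and "Relaying denied" in m["reason"]:
            per_ip[m["ip"]]["relaying_denied"] += 1
    return per_ip


def relay_probe_sources(log_text):
    """IPs that slipped a subdomain recipient past greylisting AND were refused
    as a relay for other recipients: the pattern described in the post."""
    return sorted(ip for ip, c in summarise(log_text).items()
                  if c["skipped_subdomain_rcpt"] and c["relaying_denied"])


if __name__ == "__main__":
    for addr in ("masako9527@pchome.com.xdroop.com", "dave@xdroop.com", "x@a.xdroop.com.example"):
        print(addr, classify_rcpt(addr))
    for ip, counts in summarise(SAMPLE_LOG).items():
        print(ip, dict(counts))
    print("relay probes from:", relay_probe_sources(SAMPLE_LOG))
```

Running it on a real maillog (pipe the file into summarise) gives one line per source IP, and relay_probe_sources lists the hosts that both dodged greylisting with a subdomain recipient and were told "Relaying denied" for the rest of their targets, which is the combination worth firewalling. The classify_rcpt output is the thing to check before trusting the ACL: the page's pattern accepts x@a.xdroop.com.example, the anchored one does not.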

To address the second problem, I've created a wildcard MX record for subdomains of xdroop.com that points at a fake mail host, along with an A record for that host:

* IN MX 999 localhost.xdroop.com.
localhost IN A 127.0.0.1

What this should do is that any MTA which has accepted mail for an apparent subdomain of xdroop.com will look up the MX, get localhost.xdroop.com, resolve it to 127.0.0.1, and try to deliver to itself; on a sendmail box that shows up as the same "config error: mail loops back to me (MX problem?)" bounce quoted above, except generated on the relaying server instead of on mine. It's probably anti-social of me to stick other people with the mess created by the forging of my domain on spam, but frankly if they have the message then they are relaying it for whatever reason. So, karma. And there was a lot of spam this week. (The polite version of the same record, later standardized as the null MX of RFC 7505, is "* IN MX 0 ." which tells a compliant MTA that these names accept no mail at all, so it fails the message immediately instead of looping it back to itself.)
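Two things about that wildcard are easy to get wrong, so here is an added Python model of the lookup (mine, not from the page, and not a DNS library): a wildcard only answers for names that do not exist in the zone, and only when the wildcard sits directly under the query name's closest existing ancestor (RFC 4592). So www.xdroop.com, if it has its own A record, keeps delivering to that address, and anything beneath an existing name (deep.www.xdroop.com, foo.localhost.xdroop.com) gets NXDOMAIN rather than the fake MX. Only the two records above come from the page; the apex MX, the mail and www hosts and the 203.0.113.x addresses are assumed for illustration.

```python
# Toy zone in the shape of the records above.  Only "*.xdroop.com." and
# "localhost.xdroop.com." come from the page; the apex MX, mail and www
# records and the 203.0.113.x addresses are assumed for illustration.
ZONE = {
    "xdroop.com.":           {"MX": [(10, "mail.xdroop.com.")], "A": ["203.0.113.10"]},
    "mail.xdroop.com.":      {"A": ["203.0.113.10"]},
    "www.xdroop.com.":       {"A": ["203.0.113.11"]},
    "localhost.xdroop.com.": {"A": ["127.0.0.1"]},
    "*.xdroop.com.":         {"MX": [(999, "localhost.xdroop.com.")]},
}

LOOP_ERROR = "config error: mail loops back to me (MX problem?)"


def _fqdn(name):
    return name if name.endswith(".") else name + "."


def _closest_encloser(zone, name):
    """Longest existing ancestor of name (the RFC 4592 'closest encloser')."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return candidate
    return None


def lookup(zone, name, rrtype):
    """Records of rrtype for name, with wildcard synthesis the way an
    authoritative server does it: a wildcard only answers for names that do
    NOT exist, and only if it sits directly under the closest encloser."""
    name = _fqdn(name)
    if name in zone:                       # name exists: no wildcard, NODATA if type absent
        return list(zone[name].get(rrtype, []))
    encloser = _closest_encloser(zone, name)
    if encloser is None:
        return []                          # NXDOMAIN
    wildcard = "*." + encloser
    if wildcard in zone:
        return list(zone[wildcard].get(rrtype, []))
    return []                              # NXDOMAIN: an existing name in between blocks the wildcard


def mail_disposition(zone, domain, local_addrs=frozenset({"127.0.0.1"})):
    """What an MTA that has accepted mail for domain does with it.  Every MTA
    owns 127.0.0.1, so a best MX that resolves there is a loop for everyone."""
    mx = sorted(lookup(zone, domain, "MX"))
    if mx:
        hosts = [host for _, host in mx]
    elif lookup(zone, domain, "A"):
        hosts = [_fqdn(domain)]           # no MX at all: deliver to the name's own A record
    else:
        return "host unknown"
    for host in hosts:
        for addr in lookup(zone, host, "A"):
            if addr in local_addrs:
                return LOOP_ERROR
            return "deliver via %s (%s)" % (host, addr)
    return "host unknown"


if __name__ == "__main__":
    for name in ("pchome.com.xdroop.com", "wx88.net.xdroop.com", "xdroop.com",
                 "www.xdroop.com", "deep.www.xdroop.com", "foo.localhost.xdroop.com"):
        print("%-28s %s" % (name, mail_disposition(ZONE, name)))
```

The real-world check after the zone reloads is `dig +short MX pchome.com.xdroop.com`, which should print `999 localhost.xdroop.com.`, and the same query for any name that has its own records, which should not.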

It occurs to me that with the DNS fix I don't really need the greylisting entry, since nothing addressed to a subdomain, legit or not, will get delivered; it will get redirected by the DNS entry. But keeping the rule means that if someone tries to relay to subdomains through xdroop.com they'll be sharply slowed down. The combination of the two settings should solve most of these problems.

Like every other good idea I've had, though, I wonder what the terrible side-effects I've overlooked are.

(The third thing I did after tediously digging through the sendmail logs was to add an iptables rule that blocked the whole 14/8 subnet, since all this was coming from China and I really don't see any possibility that China will want to legitimately send me mail. Oddly enough I have a bigger problem morally with black-holing an entire /8 block of the internet than I do sticking arguably-innocent mail relay systems with bounces.)
