Re: [exim] Backscatterer blocking

Author: Marti Markov
Date:  
To: exim-users
Subject: Re: [exim] Backscatterer blocking
Actually, I just tested from my local machine and I get this:

host:Estate-Manager marti$ telnet mail.mydomain.com 25
Trying M.Y.I.P...
Connected to mail.mydomain.com.
Escape character is '^]'.
220 mail.mydomain.com ESMTP Exim 4.84_2 Tue, 22 Nov 2016 23:36:38 +0100
HELO forged.domain.name
250 mail.mydomain.com Hello forged.domain.name [154.58.72.165]
MAIL FROM: victim@???
250 OK
RCPT TO: NoSuchUser@???
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Hey
.
250 OK id=1c9Ji4-0005nq-TA



I restarted Exim and started getting this:

Martis-MacBook-Pro-6:Estate-Manager marti$ telnet mail.mydomain.com 25
Trying M.Y.I.P...
Connected to mail.mydomain.com.
Escape character is '^]'.
220 mail.mydomain.com ESMTP Exim 4.84_2 Tue, 22 Nov 2016 23:41:47 +0100
HELO forged.domain.name
250 mail.mydomain.com Hello forged.domain.name [154.58.72.165]
MAIL FROM: victim@???
250 OK
RCPT TO: NoSuchUser2@???
550 Unrouteable address


I guess I'll keep monitoring, but I think it might be fine, although I don't know why I was getting "550 Unrouteable address" in my logs before and it was still trying to send it back to the user of the spoofed domain:

> 2016-11-22 23:13:27 1c9JJe-0004uw-JC <= socjghi@spoffeddomain3.com H=37-17-254-232.customer.universal.se [37.17.254.232] P=smtp S=3465 id=7035836211513-BUBRPOVZEAEOVBKMCUCMS@dns90.artisticskylight.com
> 2016-11-22 23:13:27 1c9JJe-0004uw-JC ** cankova@mydomain.com: Unrouteable address
> 2016-11-22 23:13:27 1c9JJf-0004v0-SP <= <> R=1c9JJe-0004uw-JC U=Debian-exim P=local S=4288
> 2016-11-22 23:13:28 1c9JJe-0004uw-JC Completed
> 2016-11-22 23:13:29 1c9JJf-0004v0-SP ** socjghi@spoffeddomain3.com R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<socjghi@spoffeddomain3.com>: host mail.spoffeddomain3.com [72.32.90.11]: 550 5.1.1 <socjghi@spoffeddomain3.com>... User unknown
> 2016-11-22 23:13:29 1c9JJf-0004v0-SP Frozen (delivery error message)



If you have any answers it would be appreciated. :)



> On 22 Nov 2016, at 22:35, Marti Markov <marti1234@???> wrote:
>
> Hi all,
>
> I’m having a bit of a hard time blocking/denying/dropping emails when my user doesn’t exist. Sometimes it works, others it does not:
>
> 2016-11-22 18:36:21 no IP address found for host 138-94-193-118.spoffeddomain.com (during SMTP connection from [138.94.193.118])
> 2016-11-22 18:36:23 1c9EzW-0003G8-0k <= spoffeduser@spoffeddomain.com H=(138-94-193-118.spoffeddomain.com) [138.94.193.118] P=esmtp S=7496 id=1914245745.947305.16000.ExtendedMail@mydomain.com
> 2016-11-22 18:36:23 1c9EzW-0003G8-0k ** career@mydomain.com: Unrouteable address
> 2016-11-22 18:36:23 1c9EzX-0003GC-M4 <= <> R=1c9EzW-0003G8-0k U=Debian-exim P=local S=8326
> 2016-11-22 18:36:23 1c9EzW-0003G8-0k Completed
> 2016-11-22 18:36:26 1c9EzX-0003GC-M4 ** spoffeduser@spoffeddomain.com <spoffeduser@spoffeddomain.com> R=dnslookup T=remote_smtp X=TLS1.0:RSA_AES_128_CBC_SHA1:128 DN="OU=Domain Control Validated,OU=EssentialSSL Wildcard,CN=*.kinghost.net": SMTP error from remote mail server after RCPT TO:<spoffeduser@spoffeddomain.com>: host mx-vip-01-farm64.kinghost.net [177.185.200.35]: 550 5.1.1 <spoffeduser@spoffeddomain.com>: Recipient address rejected: User unknown in relay recipient table
> 2016-11-22 18:36:26 1c9EzX-0003GC-M4 Frozen (delivery error message)
>
> Sometimes I get this:
> 2016-11-22 18:37:20 no IP address found for host fm-dyn-118-137-20-217.spoffeddomain2.com (during SMTP connection from [118.137.20.217])
> 2016-11-22 18:37:26 1c9F0T-0003H3-4D <= spoffeduser2@spoffeddomain2.com H=(fm-dyn-118-137-20-217.spoffeddomain2.com) [118.137.20.217] P=esmtp S=7175 id=5152264962.706822.82636.ExtendedMail@mydomain.com
> 2016-11-22 18:37:26 1c9F0T-0003H3-4D ** cekov@mydomain.com: Unrouteable address
> 2016-11-22 18:37:26 1c9F0Y-0003H8-FJ <= <> R=1c9F0T-0003H3-4D U=Debian-exim P=local S=7997
> 2016-11-22 18:37:26 1c9F0T-0003H3-4D Completed
>
> But later on in the logs I get:
>
> 2016-11-22 18:39:33 1c9F0Y-0003H8-FJ mx1.fast.net.id [202.73.97.28] Connection timed out
> 2016-11-22 18:39:33 1c9F0Y-0003H8-FJ == boone.wilton@fast.net.id <Boone.Wilton@fast.net.id> R=dnslookup T=remote_smtp defer (110): Connection timed out
>
>
> This one is the most interesting one:
> 2016-11-22 23:13:27 1c9JJe-0004uw-JC <= socjghi@spoffeddomain3.com H=37-17-254-232.customer.universal.se [37.17.254.232] P=smtp S=3465 id=7035836211513-BUBRPOVZEAEOVBKMCUCMS@dns90.artisticskylight.com
> 2016-11-22 23:13:27 1c9JJe-0004uw-JC ** cankova@mydomain.com: Unrouteable address
> 2016-11-22 23:13:27 1c9JJf-0004v0-SP <= <> R=1c9JJe-0004uw-JC U=Debian-exim P=local S=4288
> 2016-11-22 23:13:28 1c9JJe-0004uw-JC Completed
> 2016-11-22 23:13:29 1c9JJf-0004v0-SP ** socjghi@spoffeddomain3.com R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<socjghi@spoffeddomain3.com>: host mail.spoffeddomain3.com [72.32.90.11]: 550 5.1.1 <socjghi@spoffeddomain3.com>... User unknown
> 2016-11-22 23:13:29 1c9JJf-0004v0-SP Frozen (delivery error message)
>
> Is this supposed to be correct? If my server says that cankova@mydomain.com is "Unrouteable address", then why would the server try to deliver the message 1c9JJe-0004uw-JC back to the user?
>
> Here is an output for checking deliverability:
> root@mail:~# exim -bt asd@mydomain.com
> R: system_aliases for asd@mydomain.com
> R: Check address using virtual_aliases for asd@mydomain.com
> R: local_user LDAP lookup for asd@mydomain.com
> asd@mydomain.com is undeliverable: Unrouteable address
>
> My users are in LDAP storage and I started doing LDAP verification of the addresses in the routers:
>
> local_user:
>   debug_print = "R: local_user LDAP lookup for $local_part@$domain"
>   driver = accept
>   domains = +local_domains
>   # LDAP auth check
>   condition = CHECK_VIRTUAL_USER
>   transport = dovecot_lmtp
>   cannot_route_message = Unknown user
>
> virtual_aliases:
>   driver = redirect
>   debug_print = "R: Check address using virtual_aliases for $local_part@$domain"
>   allow_fail
>   allow_defer
>   hide data = CHECK_VIRTUAL_ALIASES
>   user = vmail
>   group = mail
>
> I have run exim -d -bhc 129.123.123.123 and this is the last part of the output:
>
> virtual_aliases router declined for asd@mydomain.com
> --------> local_user router <--------
> local_part=asd domain=mydomain.com
> checking domains
> cached yes match for +local_domains
> cached lookup data = NULL
> mydomain.com in "+local_domains"? yes (matched "+local_domains" - cached)
> R: local_user LDAP lookup for asd@mydomain.com
> checking "condition"
> search_open: ldap "NULL"
> cached open
> search_find: file="NULL"
> key="user="cn=exim4,ou=dsa,dc=mydomain,dc=com" pass=LDAP_PASSWORD ldap:///dc=mydomain,dc=com?mail?sub?(&(objectClass=inetOrgPerson)(mail=asd@???))" partial=-1 affix=NULL starflags=0
> LRU list:
> :/etc/aliases
> End
> internal_search_find: file="NULL"
> type=ldap key="user="cn=exim4,ou=dsa,dc=mydomain,dc=com" pass=LDAP_PASSWORD ldap:///dc=mydomain,dc=com?mail?sub?(&(objectClass=inetOrgPerson)(mail=asd@???))"
> database lookup required for user="cn=exim4,ou=dsa,dc=mydomain,dc=com" pass=LDAP_PASSWORD ldap:///dc=mydomain,dc=com?mail?sub?(&(objectClass=inetOrgPerson)(mail=asd@???))
> LDAP parameters: user=cn=exim4,ou=dsa,dc=mydomain,dc=com pass=LDAP_PASSWORD size=0 time=0 connect=0 dereference=0 referrals=on
> perform_ldap_search: ldap URL = "ldap:///dc=mydomain,dc=com?mail?sub?(&(objectClass=inetOrgPerson)(mail=asd@???))" server=127.0.0.1 port=389 sizelimit=0 timelimit=0 tcplimit=0
> after ldap_url_parse: host=127.0.0.1 port=389
> re-using cached connection to LDAP server 127.0.0.1:389
> Start search
> search ended by ldap_result yielding 101
> ldap_parse_result: 0
> ldap_parse_result yielded 0: Success
> LDAP search: no results
> lookup failed
> local_user router skipped: condition failure
> --------> mail4root router <--------
> local_part=asd domain=mydomain.com
> checking domains
> cached yes match for +local_domains
> cached lookup data = NULL
> mydomain.com in "+local_domains"? yes (matched "+local_domains" - cached)
> checking local_parts
> asd in "root"? no (end of list)
> mail4root router skipped: local_parts mismatch
> no more routers
> ----------- end verify ------------
> require: condition test failed in ACL "acl_check_rcpt"
> SMTP>> 550 Unrouteable address
> 550 Unrouteable address
> LOG: MAIN REJECT
> H=(forged.domain.name) [129.123.123.123] F=<someuser@icloud.com> rejected RCPT asd@mydomain.com: Unrouteable address
>
>
> What the hell is going on? :D
>
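Added example, not from the thread and not Exim's or the poster's code: a small Python audit of an Exim mainlog for the backscatter pattern the logs above show. The dangerous sequence is a message accepted from a remote host (`<=`), a local recipient that only fails at routing time (`** addr: Unrouteable address`), and a bounce Exim then generates from it (`<= <> R=<parent id>`) to an envelope sender it never verified, which is why the bounce itself goes to a stranger (or fails and freezes as a double bounce). The `rejected RCPT ... Unrouteable address` line, seen in the post-restart test and in the `-bhc` debug output, is what a server that verifies recipients in `acl_check_rcpt` logs instead, and it generates no bounce. The script assumes only the standard mainlog line shapes; the sample lines are constructed from the ones in this thread with the archive's address masking removed, plus a constructed `rejected RCPT` line and sender for the post-restart behaviour.

```python
"""Audit an Exim mainlog for backscatter (accept, fail routing, bounce)."""
import re
from dataclasses import dataclass

MSGID = r"[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}"
TS = r"\S+ \S+"  # 'YYYY-MM-DD HH:MM:SS'
ARRIVAL = re.compile(rf"^{TS} (?P<id>{MSGID}) <= (?P<sender>\S+)(?P<rest>.*)$")
DELIVERY = re.compile(rf"^{TS} (?P<id>{MSGID}) => ")
FAILURE = re.compile(rf"^{TS} (?P<id>{MSGID}) \*\* (?P<addr>[^\s:]+):? ?(?P<reason>.*)$")
FROZEN = re.compile(rf"^{TS} (?P<id>{MSGID}) Frozen")
PARENT = re.compile(rf"\bR=(?P<parent>{MSGID})\b")   # R= on a '<= <>' line names the parent
RCPT_REJECT = re.compile(r"rejected RCPT (?P<rcpt>\S+): (?P<reason>.*)$")


@dataclass
class Backscatter:
    parent_id: str       # message accepted from the remote host
    bounce_id: str       # bounce Exim generated from it
    forged_sender: str   # unverified envelope sender the bounce was sent to
    bad_recipient: str   # local address that failed routing only after acceptance
    reason: str          # router failure text
    bounce_outcome: str  # 'frozen' (double bounce), 'failed', 'delivered' or 'pending'


def analyse(log_text):
    """Return (backscatter events, RCPT-time rejects) found in mainlog text."""
    senders, failures, delivered, frozen = {}, {}, set(), set()
    bounces = {}        # bounce id -> parent id
    rcpt_rejects = []   # (recipient, reason) refused inside the SMTP session: no bounce
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            senders[m["id"]] = m["sender"]
            if m["sender"] == "<>":              # null sender: locally generated bounce
                p = PARENT.search(m["rest"])
                if p:
                    bounces[m["id"]] = p["parent"]
            continue
        m = FAILURE.match(line)
        if m:
            failures.setdefault(m["id"], []).append((m["addr"], m["reason"]))
            continue
        m = DELIVERY.match(line)
        if m:
            delivered.add(m["id"])
            continue
        m = FROZEN.match(line)
        if m:
            frozen.add(m["id"])
            continue
        m = RCPT_REJECT.search(line)
        if m:
            rcpt_rejects.append((m["rcpt"], m["reason"]))

    events = []
    for bounce_id, parent_id in bounces.items():
        if parent_id not in senders:
            continue        # parent arrival not in this log slice; cannot attribute
        outcome = ("frozen" if bounce_id in frozen else
                   "failed" if bounce_id in failures else
                   "delivered" if bounce_id in delivered else "pending")
        for addr, reason in failures.get(parent_id, [("(not in log)", "")]):
            events.append(Backscatter(parent_id, bounce_id, senders[parent_id],
                                      addr, reason, outcome))
    return events, rcpt_rejects


# Constructed sample: the first six lines follow the thread's logs (masking removed);
# the last line is a constructed RCPT-time reject like the post-restart telnet test.
SAMPLE_LOG = """\
2016-11-22 23:13:27 1c9JJe-0004uw-JC <= socjghi@spoffeddomain3.com H=37-17-254-232.customer.universal.se [37.17.254.232] P=smtp S=3465 id=7035836211513-BUBRPOVZEAEOVBKMCUCMS@dns90.artisticskylight.com
2016-11-22 23:13:27 1c9JJe-0004uw-JC ** cankova@mydomain.com: Unrouteable address
2016-11-22 23:13:27 1c9JJf-0004v0-SP <= <> R=1c9JJe-0004uw-JC U=Debian-exim P=local S=4288
2016-11-22 23:13:28 1c9JJe-0004uw-JC Completed
2016-11-22 23:13:29 1c9JJf-0004v0-SP ** socjghi@spoffeddomain3.com R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<socjghi@spoffeddomain3.com>: host mail.spoffeddomain3.com [72.32.90.11]: 550 5.1.1 <socjghi@spoffeddomain3.com>... User unknown
2016-11-22 23:13:29 1c9JJf-0004v0-SP Frozen (delivery error message)
2016-11-22 23:41:50 H=(forged.domain.name) [154.58.72.165] F=<victim@example.org> rejected RCPT NoSuchUser2@mydomain.com: Unrouteable address
"""

if __name__ == "__main__":
    found, rejects = analyse(SAMPLE_LOG)
    for ev in found:
        print(f"BACKSCATTER {ev.parent_id} -> bounce {ev.bounce_id} to {ev.forged_sender} "
              f"because {ev.bad_recipient}: {ev.reason} (bounce {ev.bounce_outcome})")
    print(f"{len(rejects)} recipient(s) correctly refused at RCPT time: {rejects}")
```

Run it against a real `/var/log/exim4/mainlog` (`analyse(open(path).read())`) and every event it prints is a bounce your server sent to an address it never verified; the only clean number is the count of RCPT-time rejects. The thing to fix is in the RCPT ACL, not the routers: with `verify = recipient` in `acl_check_rcpt`, Exim runs the same routers shown in the `-bhc` output during the session and returns the 550 before DATA, so no message is accepted and no bounce exists to send.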