Re: [exim] Exim + Yahoo Groups = Malware?

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Jay Gairson
Date:  
CC: exim-users
Anciens-sujets: Re: [exim] Exim + Yahoo Groups = Malware?
Sujet: Re: [exim] Exim + Yahoo Groups = Malware?
Done, done, and done. FIXED!


First, this took me a while, because testing it out is slow and painful.
Sometimes YahooGroups will respond immediately, but most of the time it
takes 20 to 30 minutes to deliver the message to YahooGroups ("Resources
temporarily not available - Please try again later.") and then sometimes
another 1 to 2 hours before the "suspected to contain malware" message pops
through. Furthermore, too many attempts during a day would result in
YahooGroups completely blocking additional emails. As a result, I couldn't
send all permutations at the same time, but had to send things one at a
time. The end result was over three months of periodic testing as I had
time available and YahooGroups was responsive.

It is likely I could have done this in a day or two, but I rarely have
blocks of time available to keep trying this uninterrupted.


Tests --

TCP Dump: I ran TCP Dump and checked all packets being sent to
YahooGroups. I am not sending malware of any type or even malformed
packets.

Email tests:

1) Identify clients that work --

(a) Telnet: Basic email goes through. - SUCCESS

(b) Exim prompt: "exim -v address@???" - basic email goes
through. - SUCCESS

(c) Client Tests: Webmail, Mail.App, Outlook, everything else Fails. - FAIL


2) CC several other accounts with emails to YahooGroups from various
clients. Diff and identify only the common elements.

3) Craft email for sending via Telnet with only the common elements --
FAIL! Now we are getting somewhere, it is something in the headers.

4) Craft email for sending via Exim prompt same as the Telnet message --
FAIL! Now it is easier to craft messages to test.

5) Send base message, ensure it still goes through successfully via Exim -
SUCCESS!

6) Reiterate until fail: Add 5 headers from Step 2, send via Exim -
SUCCESS!

At this point literally every message went through . . . except the last
one.

7) Prune through the 5 new headers, figure out which one is the culprit --
prune one at a time.

At this point I successfully identified "X-Date: 2017-07-23 13:02:06" as
the only header that causes failure and identification as malware.

I tested everything else as well, just to make sure. Only X-Date
interferes with the message being sent.

8) Go in, eliminate "X-Date" from "exim.conf", and all emails now go
through - SUCCESS!


Just incase anyone else has this issue, the above procedure will resolve it
eventually. I recommend setting up a fake Yahoo Group to test on,
otherwise you will drive people nuts. In the end it only took me 13 test
messages.


Again, the specific header causing problems for me here was as follows
(obvious date/time changes)

"X-Date: 2017-07-23 13:02:06" - FAILED!


The resulting error message from YahooGroups was the following obscure
email:

We are unable to deliver the message from <my@???>

to <TestYahoo@???>

This message has been blocked as it is suspected to contain malware



*Can anyone explain why YahooGroups rejects messages with this header? *I
an not aware of any other service where this is a problem.


Thank you everyone for your suggestions - months ago.

Best,

Jay

On Fri, Mar 24, 2017 at 9:39 AM, Cyborg <cyborg2@???> wrote:

> Am 24.03.2017 um 17:31 schrieb Jeremy Harris:
> > On 24/03/17 07:30, Jay Gairson via Exim-users wrote:
> >> Any tips on next steps to debug this issue and remedy it?
> > Get further details from them, unfortunately.
> >
> > Try asking on the "mailop" list:
> > mailto:mailop-request@mailop.org?subject=subscribe
>
> Login as root to you server, execute
>
> tcpdump -w /tmp/logfile -s 65535 port 25
>
> in a screen session.
>
> Send Mail via Exim to Yahoo.
>
> stop tcpdump
> check the actual logfile, for ..
>
> 1. When did it get rejected, before or after data
> 2. Is it, waht you have send, or got it manipulated on the way from you
> to exim, or inside exim ?
>
> best regards,
> Marius
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>