[exim] Strange emails with long junk helo=... and "AAAAAA...…

Author: Vincas Dargis
Date:  
To: exim-users
Subject: [exim] Strange emails with long junk helo=... and "AAAAAA..." content..
Hi,

Today I've got ~125 emails that were... very strange. Seems like an exploit attempt or something?

Firstly, mainlog shows this:

```
2021-11-17 05:49:46 H=(ovcuighdiuuzompjomqrulupbjyjioscqlmyhzrkywgkgrewmfhygfqomxyczggmxswfwevfqmzdsrktmvlzjadhhmcfzzzlhwkh) [123.30.137.221] F=<> rejected RCPT <rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootroot@domaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomaindomain>: relay not permitted

2021-11-17 05:49:47 1mnBxD-00057E-AU <= <> H=(ovcuighdiuuzompjomqrulupbjyjioscqlmyhzrkywgkgrewmfhygfqomxyczggmxswfwevfqmzdsrktmvlzjadhhmcfzzzlhwkh) [123.30.137.221] P=esmtp S=1263

2021-11-17 05:49:48 1mnBxD-00057E-AU => vincas <postmaster@odroid-hc1> R=dovecot_router T=dovecot_transport
```

So it seems it was redirected to postmaster? And probably due to the postmaster -> root -> my_personal_email aliases, it ended 
up in my Thunderbird? This is the mail source:

```
 From - Wed Nov 17 19:52:17 2021
X-Account-Key: account15
X-UIDL: 000015fc5f5514af
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <>
Envelope-to: postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1,
  postmaster@odroid-hc1
Received: from [123.30.137.221] 
(helo=ovcuighdiuuzompjomqrulupbjyjioscqlmyhzrkywgkgrewmfhygfqomxyczggmxswfwevfqmzdsrktmvlzjadhhmcfzzzlhwkh)
    by mail.<redacted>.net with esmtp (Exim 4.92)
    id 1mnBxD-00057E-AU; Wed, 17 Nov 2021 05:49:47 +0200

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

```

Not sure what's going on here. First of all, might I have something misconfigured that let this kind of junk pass through 
to postmaster?

I see lots of various "problematic" attempts, rejects, etc. in the logs, but this is the first time I got something strange 
in my mailbox, so because of that concern I'm writing here.

Any comments/ideas?

Thanks!

P.S. Running 4.92-8+deb10u6 on Debian 10 Buster.
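As an added triage example (not from the poster or the Exim project), the script below scans mainlog lines for the two signals visible in the log excerpt above: a HELO name that cannot be a valid hostname (a single DNS label longer than 63 octets, as the 100-character string here is), and a null-sender (`<>`) message accepted from a host that had just been refused relaying. The first two sample lines reuse the post's HELO and source address with the RCPT address shortened; the third line is a constructed well-behaved sender for contrast.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the mainlog excerpt in the post: the first two
# lines keep its HELO and source address (RCPT shortened), the third is an
# invented, well-behaved sender for contrast.
SAMPLE_LOG = """\
2021-11-17 05:49:46 H=(ovcuighdiuuzompjomqrulupbjyjioscqlmyhzrkywgkgrewmfhygfqomxyczggmxswfwevfqmzdsrktmvlzjadhhmcfzzzlhwkh) [123.30.137.221] F=<> rejected RCPT <rootroot@domaindomain>: relay not permitted
2021-11-17 05:49:47 1mnBxD-00057E-AU <= <> H=(ovcuighdiuuzompjomqrulupbjyjioscqlmyhzrkywgkgrewmfhygfqomxyczggmxswfwevfqmzdsrktmvlzjadhhmcfzzzlhwkh) [123.30.137.221] P=esmtp S=1263
2021-11-17 05:50:01 1mnBxZ-00057F-AB <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtps S=2048
"""

# Exim logs the peer as "H=rdns (helo) [ip]", "H=(helo) [ip]" without reverse
# DNS, or "H=rdns [ip]" when HELO and reverse DNS agree.
HOST_RE = re.compile(r'H=(?P<rdns>[^\s(\[]+)?\s*(?:\((?P<helo>[^)]*)\))?\s*\[(?P<ip>[^\]]+)\]')

def helo_is_malformed(helo, max_label=63):
    """RFC 1035 caps a DNS label at 63 octets, so the 100-character dotless
    HELO in the post cannot be a hostname; address literals ([1.2.3.4]) pass."""
    if helo.startswith('['):
        return False
    return any(len(label) > max_label for label in helo.split('.'))

def parse_line(line):
    """Peer IP, HELO and the two events of interest from one mainlog line."""
    m = HOST_RE.search(line)
    if not m:
        return None
    return {'ip': m.group('ip'),
            'helo': m.group('helo') or m.group('rdns') or '',
            'relay_reject': 'rejected RCPT' in line and 'relay not permitted' in line,
            'null_sender_accept': ' <= <> ' in line}   # message from <> accepted

def find_suspicious(log_text):
    """Per source IP: count relay rejects and accepted null-sender messages,
    flag malformed HELOs, and return only IPs showing the pattern in the post."""
    stats = defaultdict(lambda: {'relay_rejects': 0, 'null_sender_accepts': 0,
                                 'bad_helo': False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec['ip']]
        s['relay_rejects'] += rec['relay_reject']
        s['null_sender_accepts'] += rec['null_sender_accept']
        s['bad_helo'] |= helo_is_malformed(rec['helo'])
    return {ip: s for ip, s in stats.items()
            if s['bad_helo'] or (s['relay_rejects'] and s['null_sender_accepts'])}
```

Running `find_suspicious` over a real mainlog (`open('/var/log/exim4/mainlog').read()`) lists only the hosts matching either signal, which narrows what to look at when deciding whether such bounces to postmaster are expected.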