Re: [exim] Hit with some kind of hidden multiple recipients …

Author: Henry S. Thompson
Date:  
To: Jeremy Harris
CC: exim-users
Subject: Re: [exim] Hit with some kind of hidden multiple recipients relay hack?
Jeremy Harris via Exim-users <exim-users@???> writes:

> Start with your log. How was 1nKNYR-000bDv-0w submitted?


2022-02-16 16:53:23
1nKNYR-000bDv-0w <= test@??? H=(ogcb16c7f19.openstacklocal) [103.104.169.173] P=esmtp S=1313
1nKNYR-000bDv-0w H=gmail-smtp-in.l.google.com [2a00:1450:400c:c07::1b] Network is unreachable
1nKNYR-000bDw-KG <= test@??? H=(ogcb16c7f19.openstacklocal) [103.104.169.173] P=esmtp S=1313
1nKNYR-000bDw-KG H=gmail-smtp-in.l.google.com [2a00:1450:400c:c07::1b] Network is unreachable
1nKNYS-000bDx-CY <= test@??? H=(ogcb16c7f19.openstacklocal) [103.104.169.173] P=esmtp S=1313
1nKNYS-000bDx-CY H=gmail-smtp-in.l.google.com [2a00:1450:400c:c07::1b] Network is unreachable
1nKNYR-000bDv-0w => 0002arun@??? R=dnslookup_relay_bounce_to_domains T=remote_smtp H=gmail-smtp-in.l.google.com [108.177.15.27] TFO XTLS1.3:ECDHE_X25519__ECDSA_SECP256R1_SHA256__AES_256_GCM:256 CV=yes DN="CN=mx.google.com" K C="250 2.0.0 OK d9si10846477wmq.126 - gsmtp"
[12 more to other gmail addresses, otherwise identical]
1nKNYR-000bDv-0w ** 003garciab1@??? R=dnslookup_relay_bounce_to_domains T=remote_smtp H=gmail-smtp-in.l.google.com [108.177.15.27] X=TLS1.3:ECDHE_X25519__ECDSA_SECP256R1_SHA256__AES_256_GCM:256 CV=yes DN="CN=mx.google.com": SMTP error from remote mail server after RCPT TO:<003garciab1@???>: 550-5.1.1 The email account that you tried to reach does not exist. Please try\n550-5.1.1 double-checking the recipient's email address for typos or\n550-5.1.1 unnecessary spaces. Learn more at\n550 5.1.1 https://support.google.com/mail/?p=NoSuchUser d9si10846477wmq.126 - gsmtp
1nKNYR-000bDv-0w -> 0069kh@??? R=dnslookup_relay_bounce_to_domains T=remote_smtp H=gmail-smtp-in.l.google.com [108.177.15.27] TFO X=TLS1.3:ECDHE_X25519__ECDSA_SECP256R1_SHA256__AES_256_GCM:256 CV=yes DN="CN=mx.google.com" K C="250 2.0.0 OK d9si10846477wmq.126 - gsmtp"
1nKNYR-000bDv-0w -> 007forme@??? R=dnslookup_relay_bounce_to_domains T=remote_smtp H=gmail-smtp-in.l.google.com [108.177.15.27] TFO X=TLS1.3:ECDHE_X25519__ECDSA_SECP256R1_SHA256__AES_256_GCM:256 CV=yes DN="CN=mx.google.com" K C="250 2.0.0 OK d9si10846477wmq.126 - gsmtp"
1nKNYT-000bE6-2E 1nKNYT-000bE6-2E no recipients found in headers
1nKNYT-000bE6-2E Error while reading message with no usable sender address (R=1nKNYR-000bDv-0w): no recipient addresses
1nKNYR-000bDv-0w Process failed (2) when writing error message to (frozen)

> From the headers:
> Is "home.hst.name" your system?


Yes.

> (PS: Obfuscation makes it harder to help). Is [103.104.169.173] on
> your net?


No obfuscation, the log lines above (and in original message, copied
below) are exactly as dumped by exim4. And no, my local net is a
small NATed network, all 192.168....

Thanks for helping,

ht

>    : mailq | head -20
>     6d  1.3K 1nKNYR-000bDv-0w <test@???> *** frozen ***
>            D 0002arun@???
>            D 0005ace@???
>            D 00076alek@???
>            D 0007sd@???
>            D 000top@???
>            D 001adline@???
>            D 001andrecarter@???
>            D 001mayer@???
>            D 001ndumiso@???
>            D 001ontu@???
>            D 001oricom@???
>            D 002samudra@???
>            D 002xyz@???
>              003garciab1@???
>            D 0069kh@???
>            D 007forme@???

>
> And here's what that item looks like in detail:
>
>    : exim4 -Mvc 1nKNYR-000bDv-0w|head -20
>    Received: from [103.104.169.173] (helo=ogcb16c7f19.openstacklocal)
>            by home.hst.name with esmtp (Exim 4.94.2)
>            (envelope-from <test@???>)
>            id 1nKNYR-000bDv-0w; Wed, 16 Feb 2022 16:53:23 +0000
>    Content-Type: text/plain; charset="utf-8"
>    MIME-Version: 1.0
>    Content-Transfer-Encoding: quoted-printable
>    Content-Description: Mail message body
>    Subject: From The Commissioner Debt Management Service
>    To: Recipients <test@???>
>    From: "Mr. Timothy Gribben" <test@???>
>    Date: Thu, 17 Feb 2022 00:53:15 +0800
>    Reply-To: timothygribs00@???

--
Henry S. Thompson
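The log excerpt above is the standard mainlog shape for spotting this kind of relay: a `<=` arrival line from a host outside the local network, followed by `=>` / `->` / `**` delivery lines for recipients at external domains, all routed by a relay router. The following is an added example (not part of the thread, not Exim's own tooling) that parses lines of that shape and reports messages accepted from non-local hosts and relayed to non-local domains. The local networks, the local domain `home.hst.name`, the `gmail.example` recipient domain and the sample log text are constructed assumptions modelled on the quoted lines, not data from the page.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample mainlog, modelled on the lines quoted in the thread.
# Message IDs, addresses and the gmail.example domain are made up.
SAMPLE_LOG = """\
2022-02-16 16:53:23 1nKNYR-000bDv-0w <= test@home.hst.name H=(ogcb16c7f19.openstacklocal) [103.104.169.173] P=esmtp S=1313
2022-02-16 16:53:24 1nKNYR-000bDv-0w => 0002arun@gmail.example R=dnslookup_relay_bounce_to_domains T=remote_smtp H=gmail-smtp-in.l.google.com [108.177.15.27]
2022-02-16 16:53:24 1nKNYR-000bDv-0w ** 003garciab1@gmail.example R=dnslookup_relay_bounce_to_domains T=remote_smtp: SMTP error from remote mail server after RCPT TO:<003garciab1@gmail.example>: 550 5.1.1 no such user
2022-02-16 16:53:24 1nKNYR-000bDv-0w -> 0069kh@gmail.example R=dnslookup_relay_bounce_to_domains T=remote_smtp H=gmail-smtp-in.l.google.com [108.177.15.27]
2022-02-16 16:55:01 1nKNZZ-000bE9-AA <= alice@home.hst.name H=laptop.lan [192.168.1.20] P=esmtp S=900
2022-02-16 16:55:02 1nKNZZ-000bE9-AA => bob@gmail.example R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [108.177.15.27]
2022-02-16 16:56:00 1nKNaa-000bF0-BB <= news@gmail.example H=mail.gmail.example [108.177.15.30] P=esmtp S=2000
2022-02-16 16:56:01 1nKNaa-000bF0-BB => henry <henry@home.hst.name> R=localuser T=local_delivery
"""

# Assumptions: the NATed 192.168/16 net from the thread plus loopback/RFC1918
# ranges count as local, and home.hst.name is the only locally handled domain.
LOCAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8"),
              ip_network("127.0.0.0/8"), ip_network("::1/128")]
LOCAL_DOMAINS = {"home.hst.name"}

# Exim message IDs look like xxxxxx-yyyyyy-zz; the leading timestamp is optional
# because the quoted excerpt had it stripped from most lines.
MSG_ID = r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})"
ARRIVAL_RE = re.compile(r"^(?:\S+ \S+ )?" + MSG_ID +
                        r" <= (?P<sender>\S+) .*?\[(?P<ip>[0-9A-Fa-f.:]+)\]")
# => delivered, -> further address in the same transaction, ** failed, == deferred.
# Local deliveries are logged as "=> user <addr>", remote ones as "=> addr".
DELIVERY_RE = re.compile(r"^(?:\S+ \S+ )?" + MSG_ID +
                         r" (?P<flag>=>|->|\*\*|==) "
                         r"(?:\S+ <(?P<addr1>[^>]+)>|(?P<addr2>[^ :]+))")


def parse_mainlog(lines):
    """Group arrival and per-recipient delivery lines by Exim message ID."""
    messages = {}
    for line in lines:
        m = ARRIVAL_RE.match(line)
        if m:
            messages[m["id"]] = {"sender": m["sender"], "ip": m["ip"], "recipients": []}
            continue
        m = DELIVERY_RE.match(line)
        if m and m["id"] in messages:
            addr = m["addr1"] or m["addr2"]
            messages[m["id"]]["recipients"].append((m["flag"], addr))
    return messages


def is_local_ip(ip, local_nets=LOCAL_NETS):
    """True when the submitting host's address lies inside a local network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in local_nets)


def domain_of(addr):
    """Lower-cased domain part of an address; empty for '<>' style senders."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def find_relay_abuse(lines, local_nets=LOCAL_NETS, local_domains=LOCAL_DOMAINS):
    """Messages accepted from a non-local host and delivered to non-local domains.

    This is the open-relay signature: neither end of the transaction is ours.
    Bounced recipients are reported separately because a stream of 5.1.1
    failures to guessed addresses is itself a useful indicator.
    """
    suspicious = []
    for mid, msg in parse_mainlog(lines).items():
        if is_local_ip(msg["ip"], local_nets):
            continue
        external = [a for _, a in msg["recipients"] if domain_of(a) not in local_domains]
        if external:
            suspicious.append({
                "id": mid,
                "ip": msg["ip"],
                "sender": msg["sender"],
                "relayed_to": external,
                "bounced": [a for flag, a in msg["recipients"] if flag == "**"],
            })
    return suspicious


if __name__ == "__main__":
    for hit in find_relay_abuse(SAMPLE_LOG.splitlines()):
        print(f"{hit['id']} from [{hit['ip']}] as {hit['sender']}: "
              f"relayed to {len(hit['relayed_to'])} external address(es), "
              f"{len(hit['bounced'])} bounced")
```

On a real system the same functions can be fed `open('/var/log/exim4/mainlog')`; the check deliberately keys on the submitting IP and recipient domain rather than on the router name, so it still fires if a router other than `dnslookup_relay_bounce_to_domains` is doing the relaying.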