[Resolved] possable new postfix delivered-to header exploit in debian

[Wulfman 0]

Today as i opened my mail i was flooded with Undelivered Mail Returned to Sender emails about 3000 of them.

I read a post here from someone back a few years ago about an exploit that sounds like what i am getting now.

http://forum.spamcop.net/forums/index.php?showtopic=10734

Now i ran a open relay check on my server and it passed clean.

here is a returned email from a random server

_____________________________________________________________________________

Return-Path: <wulfman[at]wulfman.com>

Received: from localhost (wulfman [127.0.0.1])

by wulfman.com (Postfix) with ESMTP id C6A991FA41

for <25-131-807-2043[at]phone.com>; Wed, 25 Dec 2013 10:13:33 -0800 (PST)

X-Virus-Scanned: by amavisd-new-2.5.4 (20080312) (Debian) at wulfman.com

Received: from wulfman.com ([127.0.0.1])

by localhost (wulfman.com [127.0.0.1]) (amavisd-new, port 10024)

with ESMTP id TIvQt3AJHznZ for <25-131-807-2043[at]phone.com>;

Wed, 25 Dec 2013 10:13:32 -0800 (PST)

Received: from wulfman.com (NS29.NAXZA.com [61.19.251.188])

by wulfman.com (Postfix) with ESMTPA id D18F11FA3F

for <25-131-807-2043[at]phone.com>; Wed, 25 Dec 2013 10:13:31 -0800 (PST)

Date: Thu, 26 Dec 2013 1:13:29 +0700

From: "=?utf-8?Q?Dina_Knisely?=" <wulfman[at]wulfman.com>

Organization: gcxn

X-Priority: 3 (Normal)

Message-ID: <1370481270.20131226011329[at]wulfman.com>

To: 25-131-807-2043[at]phone.com

Subject: =?utf-8?Q?=D1=B5=C3=AE=E1=BA=A1=E1=B8=A0=C5=97=E1=BA=A1?=

MIME-Version: 1.0

Content-Type: text/plain; charset=utf-8

Content-Transfer-Encoding: 8bit

http://palmedic.org/engineercharitypeterscott/musicnews/zcount.php?uid5520731

________________________________________________________________________________

as you can see NS29.NAXZA.com [61.19.251.188] is not my ip address

I added the fix that was in the older post but i do not think it has taken care of the problem

I can not find this problem anywhere. After looking in the mail logs my server is being hit hard with these

bounce attempts with the forged headers

I am using the latest version of postfix from debian which is not the latest from postfix

postfix mail_version = 2.9.6

i just upgraded 3 days ago via an apt-get update and upgrade

maybe somebody can help me out on this one or has just started seeing this behavior on their server today

[petzl 0]

Today as i opened my mail i was flooded with Undelivered Mail Returned to Sender emails about 3000 of them.

I read a post here from someone back a few years ago about an exploit that sounds like what i am getting now.

http://forum.spamcop.net/forums/index.php?showtopic=10734

Now i ran a open relay check on my server and it passed clean.

as you can see NS29.NAXZA.com [61.19.251.188] is not my ip address

I added the fix that was in the older post but i do not think it has taken care of the problem

I can not find this problem anywhere. After looking in the mail logs my server is being hit hard with these

bounce attempts with the forged headers

I am using the latest version of postfix from debian which is not the latest from postfix

postfix mail_version = 2.9.6

i just upgraded 3 days ago via an apt-get update and upgrade

maybe somebody can help me out on this one or has just started seeing this behavior on their server today

http://www.senderbase.org/senderbase_queri...g=61.19.251.188

Volume Change 16652% ↑

Use the force Wulfman open a SpamCop account and report it

or contact support[at]idc.cattelecom.com abuse[at]idc.cattelecom.com

http://www.naxza.com/contact_hosting.php

They need to block port 25 outgoing

Looks like a DoS attack

Edited December 26, 2013 by petzl

[Wulfman 0]

http://www.senderbase.org/senderbase_queri...g=61.19.251.188

Volume Change 16652% ↑

Use the force Wulfman open a SpamCop account and report it

or contact support[at]idc.cattelecom.com abuse[at]idc.cattelecom.com

http://www.naxza.com/contact_hosting.php

They need to block port 25 outgoing

Looks like a DoS attack

Well i have 1000s of IPs like that in the mails causing my server to be blacklisted

Am i really sending these or is this phony and is my server just being blamed

I think it is the bounce problem but i am unsure

[petzl 0]

Well i have 1000s of IPs like that in the mails causing my server to be blacklisted

Am i really sending these or is this phony and is my server just being blamed

I think it is the bounce problem but i am unsure

Try reading

Bounces are likley to get your email blocked

http://forum.spamcop.net/scwik/Bounce

A search on SC Wiki gives

http://tinyurl.com/mmlc5zg

[Wulfman 0]

Try reading

Bounces are likley to get your email blocked

http://forum.spamcop.net/scwik/Bounce

A search on SC Wiki gives

http://tinyurl.com/mmlc5zg

i realize that i will get blocked if my server is sending these but am i really sending them

I have stopped my mail server till i can resolve this

I am looking at some kind of anti bounce but not sure how to go about it

this seems to be a new exploit for this version of postfix as i have never had this issue before

[petzl 0]

i realize that i will get blocked if my server is sending these but am i really sending them

I have stopped my mail server till i can resolve this

I am looking at some kind of anti bounce but not sure how to go about it

this seems to be a new exploit for this version of postfix as i have never had this issue before

Good luck Google comes with

http://www.postfix.org/BACKSCATTER_README.html

Edited December 26, 2013 by petzl

[Wulfman 0]

Good luck Google comes with

http://www.postfix.org/BACKSCATTER_README.html

well after pouring over things i seem to have it fixed

the upgrade to wheezy was not so smooth

thanks for the heads up on things here