Wulfman

[Resolved] Possible new Postfix Delivered-To header exploit in Debian

7 posts in this topic

Today as I opened my mail I was flooded with "Undelivered Mail Returned to Sender" emails, about 3000 of them.

I read a post here from someone back a few years ago about an exploit that sounds like what I am getting now.

http://forum.spamcop.net/forums/index.php?showtopic=10734

Now I ran an open relay check on my server and it passed clean.

Here is a returned email from a random server:

_____________________________________________________________________________
Return-Path: <wulfman[at]wulfman.com>
Received: from localhost (wulfman [127.0.0.1])
  by wulfman.com (Postfix) with ESMTP id C6A991FA41
  for <25-131-807-2043[at]phone.com>; Wed, 25 Dec 2013 10:13:33 -0800 (PST)
X-Virus-Scanned: by amavisd-new-2.5.4 (20080312) (Debian) at wulfman.com
Received: from wulfman.com ([127.0.0.1])
  by localhost (wulfman.com [127.0.0.1]) (amavisd-new, port 10024)
  with ESMTP id TIvQt3AJHznZ for <25-131-807-2043[at]phone.com>;
  Wed, 25 Dec 2013 10:13:32 -0800 (PST)
Received: from wulfman.com (NS29.NAXZA.com [61.19.251.188])
  by wulfman.com (Postfix) with ESMTPA id D18F11FA3F
  for <25-131-807-2043[at]phone.com>; Wed, 25 Dec 2013 10:13:31 -0800 (PST)
Date: Thu, 26 Dec 2013 1:13:29 +0700
From: "=?utf-8?Q?Dina_Knisely?=" <wulfman[at]wulfman.com>
Organization: gcxn
X-Priority: 3 (Normal)
Message-ID: <1370481270.20131226011329[at]wulfman.com>
To: 25-131-807-2043[at]phone.com
Subject: =?utf-8?Q?=D1=B5=C3=AE=E1=BA=A1=E1=B8=A0=C5=97=E1=BA=A1?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

http://palmedic.org/engineercharitypeterscott/musicnews/zcount.php?uid5520731
________________________________________________________________________________

As you can see, NS29.NAXZA.com [61.19.251.188] is not my IP address.

I added the fix that was in the older post, but I do not think it has taken care of the problem.

I can not find this problem anywhere. After looking in the mail logs, my server is being hit hard with these bounce attempts with the forged headers.

I am using the latest version of Postfix from Debian, which is not the latest from Postfix:

postfix mail_version = 2.9.6

I just upgraded 3 days ago via an apt-get update and upgrade.

Maybe somebody can help me out on this one, or has just started seeing this behavior on their server today.
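As an added example (not code from the thread or from Postfix), this script reads the Received chain of the bounced message quoted above, finds the first hop outside localhost, and reports how the local server accepted it; the keyword after "with" follows RFC 3848, where ESMTPA and ESMTPSA record a client that passed SMTP AUTH, which is the detail that separates "my server relayed this" from "someone forged my domain elsewhere". The regex assumes Postfix's Received layout, and the sample headers are reconstructed from the post with "[at]" restored to "@".

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: two of the Received: lines of the bounced message quoted
# in the thread ("[at]" restored to "@", amavis hop and body omitted).
SAMPLE = """\
Return-Path: <wulfman@wulfman.com>
Received: from localhost (wulfman [127.0.0.1])
  by wulfman.com (Postfix) with ESMTP id C6A991FA41
  for <25-131-807-2043@phone.com>; Wed, 25 Dec 2013 10:13:33 -0800 (PST)
Received: from wulfman.com (NS29.NAXZA.com [61.19.251.188])
  by wulfman.com (Postfix) with ESMTPA id D18F11FA3F
  for <25-131-807-2043@phone.com>; Wed, 25 Dec 2013 10:13:31 -0800 (PST)
"""
# Postfix-style Received: "from HELO (rDNS [IP]) by HOST ... with PROTO"
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s+\(([^\s\[\]]*)\s*\[([^\]]+)\]\)\s+by\s+(\S+).*?with\s+(\S+)", re.S)

def parse_received(value):
    """Return the hop fields of one Received: header, or None if unparsable."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    helo, rdns, ip, by, proto = m.groups()
    return {"helo": helo, "rdns": rdns or None, "ip": ip, "by": by, "proto": proto}

def analyse(raw, our_host):
    """Locate the first hop outside localhost and how our server accepted it."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    # Each MTA prepends its own Received: line, so the last one is the earliest.
    origin = next((h for h in reversed(hops) if not h["ip"].startswith("127.")), None)
    sender_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    return {
        "origin_ip": origin["ip"] if origin else None,
        "origin_rdns": origin["rdns"] if origin else None,
        "accepted_by_us": bool(origin) and origin["by"] == our_host,
        # RFC 3848: ESMTPA / ESMTPSA mean the client passed SMTP AUTH.
        "authenticated": bool(origin) and origin["proto"].upper() in ("ESMTPA", "ESMTPSA"),
        "sender_is_ours": sender_domain.lower() == our_host.lower(),
    }

def verdict(report):
    """Answer the thread's question: did our server really send this?"""
    if report["accepted_by_us"] and report["authenticated"]:
        return "relayed by us after SMTP AUTH"
    return "sender forged elsewhere (backscatter)" if report["sender_is_ours"] else "third-party mail"
```

Run `analyse(SAMPLE, "wulfman.com")` to get the report for the quoted bounce; a "relayed by us after SMTP AUTH" verdict points at the authenticating account rather than at forged headers, while "sender forged elsewhere" is the classic backscatter case the BACKSCATTER_README addresses.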


http://www.senderbase.org/senderbase_queri...g=61.19.251.188

Volume Change 16652% ↑

Use the force, Wulfman: open a SpamCop account and report it,

or contact support[at]idc.cattelecom.com abuse[at]idc.cattelecom.com

http://www.naxza.com/contact_hosting.php

They need to block port 25 outgoing

Looks like a DoS attack

Edited by petzl


Well, I have 1000s of IPs like that in the mails, causing my server to be blacklisted.

Am I really sending these, or is this phony and is my server just being blamed?

I think it is the bounce problem, but I am unsure.


Try reading

Bounces are likely to get your email blocked

http://forum.spamcop.net/scwik/Bounce

A search on SC Wiki gives

http://tinyurl.com/mmlc5zg


I realize that I will get blocked if my server is sending these, but am I really sending them?

I have stopped my mail server till I can resolve this.

I am looking at some kind of anti-bounce but not sure how to go about it.

This seems to be a new exploit for this version of Postfix, as I have never had this issue before.


Good luck. Google comes up with:

http://www.postfix.org/BACKSCATTER_README.html

Edited by petzl
