[Resolved] possible new postfix delivered-to header exploit in debian


Wulfman

Today as I opened my mail I was flooded with Undelivered Mail Returned to Sender emails, about 3000 of them.

I read a post here from someone a few years back about an exploit that sounds like what I am getting now.

http://forum.spamcop.net/forums/index.php?showtopic=10734

Now I ran an open relay check on my server and it passed clean.

Here is a returned email from a random server:

_____________________________________________________________________________
Return-Path: <wulfman[at]wulfman.com>
Received: from localhost (wulfman [127.0.0.1])
 by wulfman.com (Postfix) with ESMTP id C6A991FA41
 for <25-131-807-2043[at]phone.com>; Wed, 25 Dec 2013 10:13:33 -0800 (PST)
X-Virus-Scanned: by amavisd-new-2.5.4 (20080312) (Debian) at wulfman.com
Received: from wulfman.com ([127.0.0.1])
 by localhost (wulfman.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id TIvQt3AJHznZ for <25-131-807-2043[at]phone.com>;
 Wed, 25 Dec 2013 10:13:32 -0800 (PST)
Received: from wulfman.com (NS29.NAXZA.com [61.19.251.188])
 by wulfman.com (Postfix) with ESMTPA id D18F11FA3F
 for <25-131-807-2043[at]phone.com>; Wed, 25 Dec 2013 10:13:31 -0800 (PST)
Date: Thu, 26 Dec 2013 1:13:29 +0700
From: "=?utf-8?Q?Dina_Knisely?=" <wulfman[at]wulfman.com>
Organization: gcxn
X-Priority: 3 (Normal)
Message-ID: <1370481270.20131226011329[at]wulfman.com>
To: 25-131-807-2043[at]phone.com
Subject: =?utf-8?Q?=D1=B5=C3=AE=E1=BA=A1=E1=B8=A0=C5=97=E1=BA=A1?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

http://palmedic.org/engineercharitypeterscott/musicnews/zcount.php?uid5520731
________________________________________________________________________________

As you can see, NS29.NAXZA.com [61.19.251.188] is not my IP address.

I added the fix that was in the older post, but I do not think it has taken care of the problem.

I cannot find this problem anywhere. After looking in the mail logs, my server is being hit hard with these bounce attempts with the forged headers.

I am using the latest version of Postfix from Debian, which is not the latest from Postfix:

postfix mail_version = 2.9.6

I just upgraded 3 days ago via an apt-get update and upgrade.

Maybe somebody can help me out on this one, or has just started seeing this behavior on their server today.

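An added example, not code from the thread, that does by script what Wulfman did by eye on the bounce above: it unfolds the Received headers, walks the chain newest-first, and returns the first hop whose connecting IP is not the server's own (127.0.0.1 is assumed to be the only trusted address), along with that hop's RFC 3848 protocol keyword. The ESMTPA on the 61.19.251.188 hop marks an SMTP-authenticated submission, which is a path an open-relay test never exercises; the sample headers are constructed from the post with "[at]" restored to "@".

```python
import re

# The receiving server's own addresses (assumed for this example); the
# newest hop not from one of them is where the message really entered.
TRUSTED_IPS = {"127.0.0.1"}

# Constructed from the bounce quoted in the post, with "[at]" restored to "@".
SAMPLE_HEADERS = """\
Received: from localhost (wulfman [127.0.0.1])
 by wulfman.com (Postfix) with ESMTP id C6A991FA41
 for <25-131-807-2043@phone.com>; Wed, 25 Dec 2013 10:13:33 -0800 (PST)
Received: from wulfman.com (NS29.NAXZA.com [61.19.251.188])
 by wulfman.com (Postfix) with ESMTPA id D18F11FA3F
 for <25-131-807-2043@phone.com>; Wed, 25 Dec 2013 10:13:31 -0800 (PST)
"""

# HELO name, optional "(rdns [ip])" or "([ip])", then the "with <proto>" clause.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*"
    r"(?:\((?:(?P<rdns>[^\s\[\]]+)\s*)?\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r".*?\bwith\s+(?P<proto>[A-Z]+)", re.S)

def unfold(headers):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_hops(headers):
    """Received hops, newest first, with the RFC 3848 auth keyword decoded."""
    hops = []
    for line in unfold(headers):
        m = HOP_RE.search(line) if line.lower().startswith("received:") else None
        if m:
            hop = m.groupdict()
            # ESMTPA / ESMTPSA: the client passed SMTP AUTH, so a credential
            # was used; an open-relay test never exercises this path.
            hop["authenticated"] = hop["proto"] in ("ESMTPA", "ESMTPSA")
            hops.append(hop)
    return hops

def injecting_hop(headers, trusted=TRUSTED_IPS):
    """Newest hop whose connecting IP is not one of our own: the real origin."""
    for hop in received_hops(headers):
        if hop["ip"] not in trusted:
            return hop
    return None
```

Run against the real bounce, the hop it returns is the one to check in the Postfix log for the SASL username that authenticated, since the HELO name "wulfman.com" on that hop is claimed by the client and not verified.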


http://www.senderbase.org/senderbase_queri...g=61.19.251.188

Volume Change 16652% ↑

Use the force, Wulfman: open a SpamCop account and report it,

or contact support[at]idc.cattelecom.com abuse[at]idc.cattelecom.com

http://www.naxza.com/contact_hosting.php

They need to block port 25 outgoing

Looks like a DoS attack

Edited by petzl


Well, I have 1000s of IPs like that in the mails, causing my server to be blacklisted.

Am I really sending these, or is this phony and my server is just being blamed?

I think it is the bounce problem, but I am unsure.



Try reading

Bounces are likely to get your email blocked

http://forum.spamcop.net/scwik/Bounce

A search on SC Wiki gives

http://tinyurl.com/mmlc5zg



I realize that I will get blocked if my server is sending these, but am I really sending them?

I have stopped my mail server till I can resolve this.

I am looking at some kind of anti-bounce but not sure how to go about it.

This seems to be a new exploit for this version of Postfix, as I have never had this issue before.



Good luck. Google comes up with:

http://www.postfix.org/BACKSCATTER_README.html

Edited by petzl