daringone
Posted March 22, 2004

Greetings:

My ISP account received a complaint against it, and lo and behold it was actually out of one of my SMTP servers. When I looked at the header information, I found something quite odd:

Return-Path: <<y>[at]sssnet.com>
Delivered-To: x
Received: (qmail 11368 invoked from network); 22 Mar 2004 02:51:40 -0000
Received: from unknown (192.168.1.101)
    by blade4.cesmail.net with QMQP; 22 Mar 2004 02:51:40 -0000
Received: from mangalore.zipworld.com.au (203.12.97.48)
    by mailgate.cesmail.net with SMTP; 22 Mar 2004 02:51:39 -0000
Received: from mailin2.pacific.net.au (mailin2.pacific.net.au [61.8.0.81])
    by mangalore.zipworld.com.au (8.12.3/8.12.3/Debian-6.6) with ESMTP id i2M2pYjT004181
    for <x>; Mon, 22 Mar 2004 13:51:34 +1100
Received: from smtp-1.sssnet.com (nat-121.sssnet.com [24.140.1.121])
    by mailin2.pacific.net.au (8.12.3/8.12.3/Debian-6.6) with SMTP id i2M2pWo6021744
    for <x>; Mon, 22 Mar 2004 13:51:33 +1100
Message-Id: <2004___________________1744[at]mailin2.pacific.net.au>
Received: (qmail 28167 invoked by uid 507); 22 Mar 2004 02:51:31 -0000
Received: from <y>[at]sssnet.com by localhost.localdomain by uid 0 with qmail-scanner-1.20rc3
    (uvscan: v4.2.40/v4339. Clear:RC:1:. Processed in 1.020501 secs); 22 Mar 2004 02:51:31 -0000
Received: from unknown (HELO COMMPADD) (24.140.82.250)
    by 0 with SMTP; 22 Mar 2004 02:51:30 -0000
From: "x" <<y>[at]sssnet.com>
Subject: Money for You

As you'll note, the actual source was the address 24.140.82.250 on the first "received" line. However, an IP in our NAT pool that the mail servers use (24.140.1.121) was the one listed in the BL. Why was my mail server listed instead of the correct source?

An interesting note... in my two years at this job, this appears to be the first actual spammer on our service. He's about to not like me at all :-)

Jeff G.
Posted March 22, 2004

This appears to be happening because "nat-121.sssnet.com looks like a dynamic host, untrusted as relay". A contributing factor may be "bozotic qmail configuration (0 = nat-121.sssnet.com)", indicating that your mailserver smtp-1.sssnet.com is identifying itself in the Received header it creates as "0" rather than "smtp-1.sssnet.com". Details are here.

Details on exactly what criteria trigger "looks like a dynamic host, untrusted as relay" are sketchy, but having "nat" in the name is probably a criterion.

Deputies, please consider trusting "nat-121.sssnet.com".

Thanks!
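
The trust walk described in the reply above, as an added example that is not part of the original thread and not the report parser's own code. The `DYNAMIC_NAME` pattern and the `trusted` override are assumptions for illustration, since the real criteria are not given here.

```python
import re

# Constructed input: the SMTP hops from the headers quoted in this thread,
# newest first. The local qmail/QMQP handoff lines are left out.
RECEIVED = [
    "from mangalore.zipworld.com.au (203.12.97.48) by mailgate.cesmail.net with SMTP",
    "from mailin2.pacific.net.au (mailin2.pacific.net.au [61.8.0.81]) "
    "by mangalore.zipworld.com.au with ESMTP",
    "from smtp-1.sssnet.com (nat-121.sssnet.com [24.140.1.121]) "
    "by mailin2.pacific.net.au with SMTP",
    "from unknown (HELO COMMPADD) (24.140.82.250) by 0 with SMTP",
]

# Assumed heuristic for "looks like a dynamic host" (hypothetical pattern).
DYNAMIC_NAME = re.compile(r"(^|[-.])(nat|dyn|dhcp|ppp|dsl|pool)[-.\d]", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_hop(line):
    """Split one Received value into sender name, sender IP and recording host."""
    sender, _, rest = line.partition(" by ")
    rdns = re.search(r"\(([\w.-]+) \[", sender)  # name the receiver looked up
    name = rdns.group(1) if rdns else sender.split()[1]
    return {"name": name, "ip": IPV4.findall(sender)[-1], "by": rest.split()[0]}


def find_source(received, trusted=()):
    """Return (ip, reason, notes) for the first sender not accepted as a relay."""
    hops = [parse_hop(line) for line in received]
    notes = []
    for hop, older in zip(hops, hops[1:]):
        # The older line was written by this sender; believe it only if the
        # sender is acceptable as a relay.
        if hop["name"] not in trusted and DYNAMIC_NAME.search(hop["name"]):
            return hop["ip"], f"{hop['name']} looks dynamic, untrusted as relay", notes
        if older["by"] != hop["name"]:
            # The relay named itself differently in the line it wrote.
            notes.append(f"{older['by']} = {hop['name']}")
    return hops[-1]["ip"], "no earlier Received line", notes


if __name__ == "__main__":
    print(find_source(RECEIVED))
    print(find_source(RECEIVED, trusted={"nat-121.sssnet.com"}))
```

With no override the walk stops at the NAT pool address; once that name is trusted it continues to the customer address and records the "0" self-identification as a note.
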

daringone
Posted March 22, 2004

Just a note on why that appears that way. We have a load balancer in our configuration. The IP that the world sees just forwards the mail to our clusters. The balancer then gives an IP in that NAT pool to the server that wants to talk to the outside world and all is finished.

This could REALLY cause some havoc with the new mailhost system, because it will go in to our system as mailout.sssnet.com (24.140.1.50), but come out as 24.140.1.121 - 150 with a different host name. (nat-xxx-sssnet.com)

This same configuration applies to our incoming mail as well, but I don't think that matters nearly as much given that it ends at our domain and is directly delivered to our storage servers.

Jeff G.
Posted March 22, 2004

Is it technically feasible to give your mail clusters their own dynamic NAT pool, or even their own static NAT addresses for outgoing purposes, named to not trigger "looks like a dynamic host, untrusted as relay"?

Archived
This topic is now archived and is closed to further replies.