Odd Report


daringone

Greetings:

My ISP account received a complaint against it, and lo and behold it was actually out of one of my SMTP servers. When I looked at the header information, I found something quite odd:

Return-Path: <<y>[at]sssnet.com>
Delivered-To: x
Received: (qmail 11368 invoked from network); 22 Mar 2004 02:51:40 -0000
Received: from unknown (192.168.1.101)
  by blade4.cesmail.net with QMQP; 22 Mar 2004 02:51:40 -0000
Received: from mangalore.zipworld.com.au (203.12.97.48)
  by mailgate.cesmail.net with SMTP; 22 Mar 2004 02:51:39 -0000
Received: from mailin2.pacific.net.au (mailin2.pacific.net.au [61.8.0.81])
  by mangalore.zipworld.com.au (8.12.3/8.12.3/Debian-6.6) with ESMTP id i2M2pYjT004181
  for <x>; Mon, 22 Mar 2004 13:51:34 +1100
Received: from smtp-1.sssnet.com (nat-121.sssnet.com [24.140.1.121])
  by mailin2.pacific.net.au (8.12.3/8.12.3/Debian-6.6) with SMTP id i2M2pWo6021744
  for <x>; Mon, 22 Mar 2004 13:51:33 +1100
Message-Id: <2004___________________1744[at]mailin2.pacific.net.au>
Received: (qmail 28167 invoked by uid 507); 22 Mar 2004 02:51:31 -0000
Received: from <y>[at]sssnet.com by localhost.localdomain by uid 0 with qmail-scanner-1.20rc3
  (uvscan: v4.2.40/v4339. Clear:RC:1:.
  Processed in 1.020501 secs); 22 Mar 2004 02:51:31 -0000
Received: from unknown (HELO COMMPADD) (24.140.82.250)
  by 0 with SMTP; 22 Mar 2004 02:51:30 -0000
From: "x" <<y>[at]sssnet.com>
Subject: Money for You

As you'll note, the actual source was the address 24.140.82.250 on the first "received" line. However, an IP in our NAT pool that the mail servers use (24.140.1.121) was the one listed in the BL. Why was my mail server listed instead of the correct source? An interesting note... in my two years at this job, this appears to be the first actual spammer on our service. He's about to not like me at all :-)


This appears to be happening because "nat-121.sssnet.com looks like a dynamic host, untrusted as relay". A contributing factor may be "bozotic qmail configuration (0 = nat-121.sssnet.com)", indicating that your mailserver smtp-1.sssnet.com is identifying itself in the Received header it creates as "0" rather than "smtp-1.sssnet.com". Details are here.

Details on exactly what criteria trigger "looks like a dynamic host, untrusted as relay" are sketchy, but having "nat" in the name is probably a criterion.

Deputies, please consider trusting "nat-121.sssnet.com". Thanks!

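A way to see both of the preceding points at once (the header walk in the first post and the "untrusted as relay" / "by 0" explanation in the reply), as an added example that is not part of this thread and is not SpamCop's own parser. It re-types the Received headers from the post (placeholders <x>/<y> kept as posted) and walks them from the recipient outward, passing through every hop whose reverse-DNS name is in a configured trusted-relay set and stopping at the first sender that is not. The trusted-relay set and the "looks like a dynamic host" regex are assumptions for illustration; the real criteria are not published. Only the rDNS name and IP are used for trust decisions, never the HELO, because HELO is chosen by the sender.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Received headers from the post, top (nearest the recipient) to bottom (origin),
# with the folded continuation lines joined. Constructed from the thread above.
RECEIVED = [
    "(qmail 11368 invoked from network); 22 Mar 2004 02:51:40 -0000",
    "from unknown (192.168.1.101) by blade4.cesmail.net with QMQP; 22 Mar 2004 02:51:40 -0000",
    "from mangalore.zipworld.com.au (203.12.97.48) by mailgate.cesmail.net with SMTP; 22 Mar 2004 02:51:39 -0000",
    "from mailin2.pacific.net.au (mailin2.pacific.net.au [61.8.0.81]) by mangalore.zipworld.com.au "
    "(8.12.3/8.12.3/Debian-6.6) with ESMTP id i2M2pYjT004181 for <x>; Mon, 22 Mar 2004 13:51:34 +1100",
    "from smtp-1.sssnet.com (nat-121.sssnet.com [24.140.1.121]) by mailin2.pacific.net.au "
    "(8.12.3/8.12.3/Debian-6.6) with SMTP id i2M2pWo6021744 for <x>; Mon, 22 Mar 2004 13:51:33 +1100",
    "(qmail 28167 invoked by uid 507); 22 Mar 2004 02:51:31 -0000",
    "from <y>[at]sssnet.com by localhost.localdomain by uid 0 with qmail-scanner-1.20rc3 "
    "(uvscan: v4.2.40/v4339. Clear:RC:1:. Processed in 1.020501 secs); 22 Mar 2004 02:51:31 -0000",
    "from unknown (HELO COMMPADD) (24.140.82.250) by 0 with SMTP; 22 Mar 2004 02:51:30 -0000",
]

# Assumed trust set: the reporting site's own MTAs plus the two forwarding MXes.
TRUSTED_RELAYS = frozenset({
    "blade4.cesmail.net", "mailgate.cesmail.net",
    "mangalore.zipworld.com.au", "mailin2.pacific.net.au",
})

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SENDMAIL_STYLE = re.compile(r"\(([\w.-]+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")  # "(rdns [ip])"
QMAIL_HELO = re.compile(r"\(HELO\s+([^)\s]+)\)")                               # "(HELO name)"
# Assumed heuristic for "looks like a dynamic host"; the real criteria are not public.
DYNAMIC_NAME = re.compile(r"(^|[.-])(nat|dyn|dhcp|pool|ppp|dsl|cable)([.-]|\d)", re.I)


@dataclass
class Hop:
    helo: Optional[str]   # name the peer announced (sender-controlled, never trusted)
    rdns: Optional[str]   # reverse DNS as recorded by the receiving MTA, None if unknown
    ip: str               # peer address as recorded by the receiving MTA
    by: str               # how the receiving MTA names itself


def parse_received(value: str) -> Optional[Hop]:
    """Return the network hop in one Received header, or None for local lines
    (qmail 'invoked by uid', qmail-scanner) that carry no peer IP."""
    if not value.startswith("from "):
        return None
    parts = re.split(r"\s+by\s+", value, maxsplit=1)
    if len(parts) != 2:
        return None
    head, tail = parts
    by = tail.split()[0]
    token = head.split()[1]
    m = SENDMAIL_STYLE.search(head)
    if m:  # sendmail layout: "from HELO (rdns [ip])"
        return Hop(helo=token, rdns=m.group(1), ip=m.group(2), by=by)
    ip = IPV4.search(head)
    if not ip:
        return None
    h = QMAIL_HELO.search(head)  # qmail layout: "from rdns-or-unknown (HELO name) (ip)"
    rdns = None if token.lower() == "unknown" else token
    return Hop(helo=h.group(1) if h else token, rdns=rdns, ip=ip.group(1), by=by)


def find_source(received, trusted_relays):
    """Walk the chain from the recipient outward. A hop whose sending host is a
    trusted relay is passed through; the first untrusted sender is the source.
    Returns (ip, notes) where notes explains why the walk stopped there."""
    trusted = {t.lower() for t in trusted_relays}
    notes = []
    expected_by = set()  # names the previous trusted relay may use in its own 'by'
    for hop in filter(None, map(parse_received, received)):
        if ipaddress.ip_address(hop.ip).is_private:
            continue  # internal delivery inside the previous relay's network
        if expected_by and hop.by.lower() not in expected_by:
            notes.append(f"relay {sorted(expected_by)[0]} identifies itself as "
                         f"'by {hop.by}' (bozotic configuration)")
        if (hop.rdns and hop.rdns.lower() in trusted) or hop.ip in trusted:
            expected_by = {n.lower() for n in (hop.helo, hop.rdns) if n}
            continue
        if hop.rdns is None:
            notes.append(f"{hop.ip} has no reverse DNS")
        elif DYNAMIC_NAME.search(hop.rdns):
            notes.append(f"{hop.rdns} looks like a dynamic host, untrusted as relay")
        return hop.ip, notes
    return None, notes


if __name__ == "__main__":
    for trust in (TRUSTED_RELAYS, TRUSTED_RELAYS | {"nat-121.sssnet.com"}):
        ip, notes = find_source(RECEIVED, trust)
        print(f"source={ip}  notes={notes}")
```

With the default trust set the walk stops at 24.140.1.121, the NAT address, because nat-121.sssnet.com is not a trusted relay and its name trips the dynamic-host heuristic. Once nat-121.sssnet.com is added to the trusted set the walk continues, records that the relay wrote "by 0" instead of its own name, and ends at 24.140.82.250, the host the original poster identified.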

Just a note on why that appears that way. We have a load balancer in our configuration. The IP that the world sees just forwards the mail to our clusters. The balancer then gives an IP in that NAT pool to the server that wants to talk to the outside world and all is finished. This could REALLY cause some havoc with the new mailhost system, because it will go into our system as mailout.sssnet.com (24.140.1.50), but come out as 24.140.1.121 - 150 with a different host name (nat-xxx-sssnet.com). This same configuration applies to our incoming mail as well, but I don't think that matters nearly as much given that it ends at our domain and is directly delivered to our storage servers.


Is it technically feasible to give your mail clusters their own dynamic NAT pool, or even their own static NAT addresses for outgoing purposes, named to not trigger "looks like a dynamic host, untrusted as relay"?

This topic is now archived and is closed to further replies.