Actually just tested from my local machine and I get this:

host:Estate-Manager marti$ telnet mail.mydomain.com 25
Trying M.Y.I.P...
Connected to mail.mydomain.com.
Escape character is '^]'.
220 mail.mydomain.com ESMTP Exim 4.84_2 Tue, 22 Nov 2016 23:36:38 +0100
HELO forged.domain.name
250 mail.mydomain.com Hello forged.domain.name [154.58.72.165]
MAIL FROM: [email protected]
250 OK
RCPT TO: [email protected]
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Hey
.
250 OK id=1c9Ji4-0005nq-TA
Restarted exim and I started getting this:

Martis-MacBook-Pro-6:Estate-Manager marti$ telnet mail.mydomain.com 25
Trying M.Y.I.P...
Connected to mail.mydomain.com.
Escape character is '^]'.
220 mail.mydomain.com ESMTP Exim 4.84_2 Tue, 22 Nov 2016 23:41:47 +0100
HELO forged.domain.name
250 mail.mydomain.com Hello forged.domain.name [154.58.72.165]
MAIL FROM: [email protected]
250 OK
RCPT TO: [email protected]
550 Unrouteable address

I guess I’ll keep monitoring but I think it might be fine, although I don’t know why I was getting "550 Unrouteable address" in my logs before and it was still trying to send it back to the user of the spoofed domain:

> 2016-11-22 23:13:27 1c9JJe-0004uw-JC <= [email protected] H=37-17-254-232.customer.universal.se [37.17.254.232] P=smtp S=3465 id=7035836211513-bubrpovzeaeovbkmcu...@dns90.artisticskylight.com
> 2016-11-22 23:13:27 1c9JJe-0004uw-JC ** [email protected]: Unrouteable address
> 2016-11-22 23:13:27 1c9JJf-0004v0-SP <= <> R=1c9JJe-0004uw-JC U=Debian-exim P=local S=4288
> 2016-11-22 23:13:28 1c9JJe-0004uw-JC Completed
> 2016-11-22 23:13:29 1c9JJf-0004v0-SP ** [email protected] R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mail.spoffeddomain3.com [72.32.90.11]: 550 5.1.1 <[email protected]>... User unknown
> 2016-11-22 23:13:29 1c9JJf-0004v0-SP Frozen (delivery error message)

If you have any answers it would be appreciated. :)

> On 22 Nov 2016, at 22:35, Marti Markov <[email protected]> wrote:
>
> Hi all,
>
> I’m having a bit of a hard time blocking/denying/dropping emails when my user doesn’t exist.
> Sometimes it works, others it does not:
>
> 2016-11-22 18:36:21 no IP address found for host 138-94-193-118.spoffeddomain.com (during SMTP connection from [138.94.193.118])
> 2016-11-22 18:36:23 1c9EzW-0003G8-0k <= [email protected] H=(138-94-193-118.spoffeddomain.com) [138.94.193.118] P=esmtp S=7496 [email protected]
> 2016-11-22 18:36:23 1c9EzW-0003G8-0k ** [email protected]: Unrouteable address
> 2016-11-22 18:36:23 1c9EzX-0003GC-M4 <= <> R=1c9EzW-0003G8-0k U=Debian-exim P=local S=8326
> 2016-11-22 18:36:23 1c9EzW-0003G8-0k Completed
> 2016-11-22 18:36:26 1c9EzX-0003GC-M4 ** [email protected] <[email protected]> R=dnslookup T=remote_smtp X=TLS1.0:RSA_AES_128_CBC_SHA1:128 DN="OU=Domain Control Validated,OU=EssentialSSL Wildcard,CN=*.kinghost.net": SMTP error from remote mail server after RCPT TO:<[email protected]>: host mx-vip-01-farm64.kinghost.net [177.185.200.35]: 550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in relay recipient table
> 2016-11-22 18:36:26 1c9EzX-0003GC-M4 Frozen (delivery error message)
>
> Sometimes I get this:
> 2016-11-22 18:37:20 no IP address found for host fm-dyn-118-137-20-217.spoffeddomain2.com (during SMTP connection from [118.137.20.217])
> 2016-11-22 18:37:26 1c9F0T-0003H3-4D <= [email protected] H=(fm-dyn-118-137-20-217.spoffeddomain2.com) [118.137.20.217] P=esmtp S=7175 [email protected]
> 2016-11-22 18:37:26 1c9F0T-0003H3-4D ** [email protected]: Unrouteable address
> 2016-11-22 18:37:26 1c9F0Y-0003H8-FJ <= <> R=1c9F0T-0003H3-4D U=Debian-exim P=local S=7997
> 2016-11-22 18:37:26 1c9F0T-0003H3-4D Completed
>
> But later on in the logs I get:
>
> 2016-11-22 18:39:33 1c9F0Y-0003H8-FJ mx1.fast.net.id [202.73.97.28] Connection timed out
> 2016-11-22 18:39:33 1c9F0Y-0003H8-FJ == [email protected] <[email protected]> R=dnslookup T=remote_smtp defer (110): Connection timed out
>
> This one is the most interesting one:
> 2016-11-22 23:13:27 1c9JJe-0004uw-JC <= [email protected] H=37-17-254-232.customer.universal.se [37.17.254.232] P=smtp S=3465 id=7035836211513-bubrpovzeaeovbkmcu...@dns90.artisticskylight.com
> 2016-11-22 23:13:27 1c9JJe-0004uw-JC ** [email protected]: Unrouteable address
> 2016-11-22 23:13:27 1c9JJf-0004v0-SP <= <> R=1c9JJe-0004uw-JC U=Debian-exim P=local S=4288
> 2016-11-22 23:13:28 1c9JJe-0004uw-JC Completed
> 2016-11-22 23:13:29 1c9JJf-0004v0-SP ** [email protected] R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mail.spoffeddomain3.com [72.32.90.11]: 550 5.1.1 <[email protected]>... User unknown
> 2016-11-22 23:13:29 1c9JJf-0004v0-SP Frozen (delivery error message)
>
> Is this supposed to be correct? If my server says that [email protected] is "Unrouteable address", then why would the server try to deliver the message 1c9JJe-0004uw-JC back to the user?
>
> Here is an output for checking deliverability:
> root@mail:~# exim -bt [email protected]
> R: system_aliases for [email protected]
> R: Check address using virtual_aliases for [email protected]
> R: local_user LDAP lookup for [email protected]
> [email protected] is undeliverable: Unrouteable address
>
> My users are in LDAP storage and I started doing LDAP verification of the addresses in the routers:
>
> local_user:
>   debug_print = "R: local_user LDAP lookup for $local_part@$domain"
>   driver = accept
>   domains = +local_domains
>   #LDAP auth check
>   condition = CHECK_VIRTUAL_USER
>   transport = dovecot_lmtp
>   cannot_route_message = Unknown user
>
>
> virtual_aliases:
>   driver = redirect
>   debug_print = "R: Check address using virtual_aliases for $local_part@$domain"
>   allow_fail
>   allow_defer
>   hide data = CHECK_VIRTUAL_ALIASES
>   user = vmail
>   group = mail
>
> I have run exim -d -bhc 129.123.123.123 and this is the last part of the output:
>
> virtual_aliases router declined for [email protected]
> --------> local_user router <--------
> local_part=asd domain=mydomain.com
> checking domains
> cached yes match for +local_domains
> cached lookup data = NULL
> mydomain.com in "+local_domains"? yes (matched "+local_domains" - cached)
> R: local_user LDAP lookup for [email protected]
> checking "condition"
> search_open: ldap "NULL"
> cached open
> search_find: file="NULL"
> key="user="cn=exim4,ou=dsa,dc=mydomain,dc=com" pass=LDAP_PASSWORD ldap:///dc=mydomain,dc=com?mail?sub?(&(objectClass=inetOrgPerson)([email protected]))" partial=-1 affix=NULL starflags=0
> LRU list:
> :/etc/aliases
> End
> internal_search_find: file="NULL"
> type=ldap key="user="cn=exim4,ou=dsa,dc=mydomain,dc=com" pass=LDAP_PASSWORD ldap:///dc=mydomain,dc=com?mail?sub?(&(objectClass=inetOrgPerson)([email protected]))"
> database lookup required for user="cn=exim4,ou=dsa,dc=mydomain,dc=com" pass=LDAP_PASSWORD ldap:///dc=mydomain,dc=com?mail?sub?(&(objectClass=inetOrgPerson)([email protected]))
> LDAP parameters: user=cn=exim4,ou=dsa,dc=mydomain,dc=com pass=LDAP_PASSWORD size=0 time=0 connect=0 dereference=0 referrals=on
> perform_ldap_search: ldap URL = "ldap:///dc=mydomain,dc=com?mail?sub?(&(objectClass=inetOrgPerson)([email protected]))" server=127.0.0.1 port=389 sizelimit=0 timelimit=0 tcplimit=0
> after ldap_url_parse: host=127.0.0.1 port=389
> re-using cached connection to LDAP server 127.0.0.1:389
> Start search
> search ended by ldap_result yielding 101
> ldap_parse_result: 0
> ldap_parse_result yielded 0: Success
> LDAP search: no results
> lookup failed
> local_user router skipped: condition failure
> --------> mail4root router <--------
> local_part=asd domain=mydomain.com
> checking domains
> cached yes match for +local_domains
> cached lookup data = NULL
> mydomain.com in "+local_domains"? yes (matched "+local_domains" - cached)
> checking local_parts
> asd in "root"? no (end of list)
> mail4root router skipped: local_parts mismatch
> no more routers
> ----------- end verify ------------
> require: condition test failed in ACL "acl_check_rcpt"
> SMTP>> 550 Unrouteable address
> 550 Unrouteable address
> LOG: MAIN REJECT
> H=(forged.domain.name) [129.123.123.123] F=<[email protected]> rejected RCPT [email protected]: Unrouteable address
>
>
> What the hell is going on? :D
>
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
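The two log shapes in this thread are distinguishable mechanically, and the difference is the security-relevant point. In the "interesting" case the message has a `<=` arrival line, so Exim accepted it at SMTP time; routing then fails (`** ... Unrouteable address`) and Exim generates a bounce (`<= <> R=<original id>`) addressed to whatever envelope sender the remote side supplied. With a forged MAIL FROM, that bounce goes to a third party, which is the backscatter pattern, and the `Frozen (delivery error message)` line is the bounce itself being refused. In the post-restart case the `rejected RCPT` line carries no message ID: the 550 was issued during RCPT TO, after the verification traced by `----- end verify -----` failed inside `acl_check_rcpt`, so nothing was accepted and no bounce exists. The following is an added example, not code from the thread or from Exim: a small mainlog analyser that separates the two. The sample log it runs on is constructed to mirror the lines above; hosts, addresses and IDs are made up, and it assumes the stock mainlog format (timestamp, optional message ID, then the event, with a rejected recipient in angle brackets).

```python
"""
Added example (not from the thread, not Exim's own code): classify Exim
mainlog events for recipients that do not exist into
  * backscatter: accepted ("<=") then failed routing ("** ... Unrouteable
    address"), spawning a bounce ("<= <> R=<id>") to the envelope sender;
  * RCPT-time rejection ("rejected RCPT" with no message ID), the desired case.
The sample log is constructed; hosts, addresses and IDs are made up.
"""
import re

# Exim message IDs: three base-62 groups, e.g. 1c9JJe-0004uw-JC.
MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:(?P<id>" + MSGID + r") )?(?P<rest>.*)$"
)
ARRIVAL_RE = re.compile(r"^<= (?P<sender>\S+)(?P<args>.*)$")          # message accepted
FAIL_RE = re.compile(r"^\*\* (?P<rcpt>[^\s:]+):? ?(?P<reason>.*)$")   # delivery failed
HOST_RE = re.compile(r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]")
PARENT_RE = re.compile(r"\bR=(?P<parent>" + MSGID + r")")             # bounce -> original
REJECT_RE = re.compile(r"rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>.*)$")

SAMPLE_LOG = """\
2016-11-22 23:13:27 1c9JJe-0004uw-JC <= bounce-victim@forged.example H=37-17-254-232.customer.example [37.17.254.232] P=smtp S=3465 id=7035836211513@dns90.spam.example
2016-11-22 23:13:27 1c9JJe-0004uw-JC ** nobody@mydomain.example: Unrouteable address
2016-11-22 23:13:27 1c9JJf-0004v0-SP <= <> R=1c9JJe-0004uw-JC U=Debian-exim P=local S=4288
2016-11-22 23:13:28 1c9JJe-0004uw-JC Completed
2016-11-22 23:13:29 1c9JJf-0004v0-SP ** bounce-victim@forged.example R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<bounce-victim@forged.example>: host mail.forged.example [72.32.90.11]: 550 5.1.1 <bounce-victim@forged.example>... User unknown
2016-11-22 23:13:29 1c9JJf-0004v0-SP Frozen (delivery error message)
2016-11-22 23:41:50 H=(forged.domain.name) [129.123.123.123] F=<attacker@forged.example> rejected RCPT <asd@mydomain.example>: Unrouteable address
"""


def _new_message(msgid):
    return {"id": msgid, "sender": None, "source_ip": None, "parent": None,
            "unrouteable": [], "delivery_error": None, "frozen": False}


def analyze(lines):
    """Return {'backscatter': [...], 'smtp_rejects': [...]} for mainlog lines."""
    msgs = {}
    smtp_rejects = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ts, msgid, rest = m.group("ts"), m.group("id"), m.group("rest")
        if msgid is None:
            # Session-level event: a "rejected RCPT" here means the 550 went
            # out at RCPT TO time, so no message and no bounce ever existed.
            r = REJECT_RE.search(rest)
            if r:
                h = HOST_RE.search(rest)
                smtp_rejects.append({"ts": ts, "rcpt": r.group("rcpt"),
                                     "reason": r.group("reason"),
                                     "source_ip": h.group("ip") if h else None})
            continue
        msg = msgs.setdefault(msgid, _new_message(msgid))
        a = ARRIVAL_RE.match(rest)
        if a:
            msg["sender"] = a.group("sender")                 # "<>" for a bounce
            h = HOST_RE.search(a.group("args"))
            msg["source_ip"] = h.group("ip") if h else None
            p = PARENT_RE.search(a.group("args"))
            msg["parent"] = p.group("parent") if p else None  # set on bounces only
            continue
        f = FAIL_RE.match(rest)
        if f:
            if "Unrouteable address" in f.group("reason"):
                msg["unrouteable"].append(f.group("rcpt"))    # failed after acceptance
            elif msg["sender"] == "<>":
                msg["delivery_error"] = f.group("reason")     # the bounce itself bounced
            continue
        if rest.startswith("Frozen"):
            msg["frozen"] = True

    backscatter = []
    for bounce in msgs.values():
        if bounce["sender"] != "<>" or not bounce["parent"]:
            continue
        parent = msgs.get(bounce["parent"])
        if parent is None or not parent["unrouteable"]:
            continue
        backscatter.append({
            "accepted_id": parent["id"],
            "bounce_id": bounce["id"],
            "forged_sender": parent["sender"],   # where our server sent the bounce
            "source_ip": parent["source_ip"],
            "bad_recipients": parent["unrouteable"],
            "bounce_error": bounce["delivery_error"],
            "bounce_frozen": bounce["frozen"],
        })
    return {"backscatter": backscatter, "smtp_rejects": smtp_rejects}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for b in result["backscatter"]:
        print(f"BACKSCATTER {b['accepted_id']} from {b['source_ip']}: accepted mail for "
              f"{', '.join(b['bad_recipients'])}, then bounced to {b['forged_sender']} "
              f"({'frozen' if b['bounce_frozen'] else 'delivered or still queued'})")
    for r in result["smtp_rejects"]:
        print(f"OK {r['ts']} {r['rcpt']} rejected at RCPT time from {r['source_ip']}")
```

To run it against a real server, pass the open file to `analyze()` (for example `analyze(open("/var/log/exim4/mainlog"))`). Any `BACKSCATTER` finding means a message for a non-existent local part was accepted and a bounce was generated towards an address the remote client chose; the goal is for every such attempt to show up only as an `OK` line, i.e. rejected inside `acl_check_rcpt` before DATA, as the post-restart telnet session above shows.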
