On Sun, Jan 12, 2025 at 11:56:30AM -0800, Jake via sudo-sys wrote:
> can anyone understand what's going on here? Are they trying to subscribe
> email addresses to [email protected] or something?

From a quick look at this, I don't think the sudoroom server is compromised in
any way. This looks like classic backscatter / joe job.

> what do we do?

Nothing, the error is on mail.code-works.de's server config. They accepted a
bogus message faking our return address, the receiver of this spam refused it,
then they sent a backscatter message telling us that "our" message (the
spammer's message) couldn't be delivered.

More analysis below for the curious...

> This is the mail system at host mail.code-works.de.
>
> I'm sorry to have to inform you that your message could not
> be delivered to one or more recipients. It's attached below.

Here we see that this is a bounce message from the "mail.code-works.de" mail
server. Bounce messages are generally frowned upon these days in mail admin
circles for exactly this issue. Servers should never send bounces to outside
users, since they shouldn't accept undeliverable messages from outside users.

> For further assistance, please send mail to postmaster.
>
> If you do so, please include this problem report. You can
> delete your own text from the attached returned message.
>
> The mail system
>
> <[email protected]>: host 163mx01.mxmail.netease.com[103.129.252.43] said:
> 550 RP:ORQ 163 gzga-mx-mtada-g3-7,_____wDn99wIvINnsBgkAw--.14920S3
> 1736686604,please see
> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g3-7&time=1736686604
> (in reply to RCPT TO command)

Here we see that the spammer's message was being sent to 163.com's mail
servers. Those servers did not like the message and permanently rejected it
(550) for some sort of spam policy reason. The reason link they provide 404s,
so who knows exactly why they rejected it.

> <[email protected]>: host 163mx01.mxmail.netease.com[103.129.252.43] said:
> 550 RP:ORQ 163 gzga-mx-mtada-g0-5,_____wDnHwsMvINnIfdVAw--.26571S2
> 1736686605,please see
> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g0-5&time=1736686605
> (in reply to RCPT TO command)
>
> <[email protected]>: host 163mx03.mxmail.netease.com[103.129.252.43] said:
> 550 RP:ORQ 163 gzga-mx-mtada-g9-2,_____wDX_00OvINn_9gSAw--.59055S3
> 1736686608,please see
> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g9-2&time=1736686608
> (in reply to RCPT TO command)

> Reporting-MTA: dns; mail.code-works.de
> X-Postcow-Queue-ID: E1B287FDCC
> X-Postcow-Sender: rfc822; [email protected]
> Arrival-Date: Sun, 12 Jan 2025 11:01:08 +0100 (CET)

And here we get a hint at the core problem. The presence of "X-Postcow-*"
headers suggests that this is a postcow "mail in a box" server. See:
https://docs.mailcow.email/

I really don't like these sorts of turnkey magic email systems, since
administrating an email server correctly takes much more than a
$ curl | sh, which is _literally_ the start of the installation instructions
for that project.

> Final-Recipient: rfc822; [email protected]
> Original-Recipient: rfc822;[email protected]
> Action: failed
> Status: 5.0.0
> Remote-MTA: dns; 163mx01.mxmail.netease.com
> Diagnostic-Code: smtp; 550 RP:ORQ 163
> gzga-mx-mtada-g3-7,_____wDn99wIvINnsBgkAw--.14920S3 1736686604,please see
> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g3-7&time=1736686604
>
> Final-Recipient: rfc822; [email protected]
> Original-Recipient: rfc822;[email protected]
> Action: failed
> Status: 5.0.0
> Remote-MTA: dns; 163mx01.mxmail.netease.com
> Diagnostic-Code: smtp; 550 RP:ORQ 163
> gzga-mx-mtada-g0-5,_____wDnHwsMvINnIfdVAw--.26571S2 1736686605,please see
> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g0-5&time=1736686605
>
> Final-Recipient: rfc822; [email protected]
> Original-Recipient: rfc822;[email protected]
> Action: failed
> Status: 5.0.0
> Remote-MTA: dns; 163mx03.mxmail.netease.com
> Diagnostic-Code: smtp; 550 RP:ORQ 163
> gzga-mx-mtada-g9-2,_____wDX_00OvINn_9gSAw--.59055S3 1736686608,please see
> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g9-2&time=1736686608

> Date: Sun, 12 Jan 2025 18:01:08 +0800
> From: LiDie <>
> Subject: JiangZhengQi
> To: JiangZhengQi <[email protected]>, TanGui <[email protected]>,
> ChanYun <[email protected]>

Pretty clear signs of spam from this message. Null sender in the "From"
header, unauthorized MailFrom ([email protected]), SPF softfail, no DKIM
signature. Absolutely no reason the mail.code-works.de server should have
accepted this message in the first place.

As an extra precaution, I checked if our server had made any connections to
163 or code-works.de:

> zootboy@sudoroom:~$ zgrep 163mx /var/log/mail* | wc -l
> 0
> zootboy@sudoroom:~$ zgrep code-works\.de /var/log/mail* | grep
> postfix\/smtp\\[ | wc -l
> 0

In summary, no hack, also nothing we can really do about this short of
contacting code-works.de and asking them to fix their mail server.

--Sean

_______________________________________________
sudo-sys mailing list -- [email protected]
To unsubscribe send an email to [email protected]
More options at https://sudoroom.org/lists/postorius/lists/sudo-sys.sudoroom.org/
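The triage Sean walks through above (is the bounce from a third party, did the far end hard-reject, is the "original" message obviously forged, and does our own Postfix log show we ever talked to the remote MTA) can be scripted. The following is an added example and not code from the thread, from sudoroom, or from mailcow; the DSN text and log lines are constructed to mirror the structure of the report discussed, and every hostname, address, IP and queue id in them is a made-up placeholder. The `X-Postcow-Sender` header is assumed to carry the envelope sender as it does in the quoted report; the code falls back gracefully if it is missing.

```python
"""Triage a received DSN: backscatter or a genuine failed delivery?

Added example for the sudo-sys thread; not code from the list or any project.
All hosts, addresses, IPs and queue ids below are constructed placeholders.
"""
import re

# Constructed DSN body: RFC 3464 per-message block, one per-recipient block,
# then the headers of the "original" message (placeholders throughout).
BOUNCE = """\
Reporting-MTA: dns; mail.bouncer.example
X-Postcow-Queue-ID: 0123456789AB
X-Postcow-Sender: rfc822; forged@ourdomain.example
Arrival-Date: Sun, 12 Jan 2025 11:01:08 +0100 (CET)

Final-Recipient: rfc822; victim1@bigmail.example
Original-Recipient: rfc822;victim1@bigmail.example
Action: failed
Status: 5.0.0
Remote-MTA: dns; mx01.bigmail.example
Diagnostic-Code: smtp; 550 rejected by spam policy, please see
 http://bigmail.example/help/spam

Date: Sun, 12 Jan 2025 18:01:08 +0800
From: Someone <>
Subject: hello
To: victim1@bigmail.example
"""

# Constructed Postfix log for "our" server: one inbound connection (smtpd)
# and one unrelated outbound delivery (smtp). Nothing to bigmail.example.
MAIL_LOG = [
    "Jan 12 02:01:10 ourhost postfix/smtpd[1234]: connect from relay.example[192.0.2.10]",
    "Jan 12 02:05:41 ourhost postfix/smtp[1301]: 1A2B3C: to=<m@example.org>, "
    "relay=mx.example.org[198.51.100.7]:25, status=sent (250 OK)",
]


def parse_blocks(text):
    """Split a DSN into blank-line-separated blocks of lowercased 'key: value'
    fields; a line starting with whitespace continues the previous field."""
    blocks, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                blocks.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t" and last_key:          # folded continuation
            current[last_key] += " " + line.strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip().lower()
        current[last_key] = value.strip()
    if current:
        blocks.append(current)
    return blocks


def after_semicolon(value):
    """'dns; host' or 'rfc822; addr' -> the part after the type tag."""
    return value.split(";", 1)[-1].strip()


def outbound_sessions(log_lines, hosts):
    """Lines where our Postfix *client* (postfix/smtp, not smtpd) relayed to
    one of `hosts`; only those would show we actually sent the message."""
    pat = re.compile(r"postfix/smtp\[\d+\].*relay=("
                     + "|".join(map(re.escape, hosts)) + r")\b")
    return [line for line in log_lines if pat.search(line)]


def classify_bounce(dsn_text, our_domain, our_mtas, log_lines):
    """Return (is_backscatter, reasons) for a received DSN."""
    blocks = parse_blocks(dsn_text)
    per_message = blocks[0]
    recipients = [b for b in blocks if "final-recipient" in b]
    original = blocks[-1] if "from" in blocks[-1] else {}
    reporting_mta = after_semicolon(per_message.get("reporting-mta", ""))
    remote_mtas = sorted({after_semicolon(b.get("remote-mta", "")) for b in recipients})
    reasons = []
    if reporting_mta not in our_mtas:
        reasons.append(f"bounce generated by third-party MTA {reporting_mta}")
    if recipients and all(b.get("status", "").startswith("5") for b in recipients):
        reasons.append("every recipient was permanently rejected (5.x.x)")
    if re.fullmatch(r".*<\s*>", original.get("from", "")):
        reasons.append("original message carries an empty From address")
    # Envelope sender as recorded by the bouncing host (mailcow-specific header).
    sender = after_semicolon(per_message.get("x-postcow-sender", ""))
    if sender.endswith("@" + our_domain) and not outbound_sessions(log_lines, remote_mtas):
        reasons.append(f"envelope sender {sender} is ours but our log has no "
                       f"outbound session to {', '.join(remote_mtas)}")
    return len(reasons) >= 3, reasons


if __name__ == "__main__":
    verdict, why = classify_bounce(BOUNCE, "ourdomain.example",
                                   {"mail.ourdomain.example"}, MAIL_LOG)
    print("backscatter" if verdict else "genuine bounce")
    for reason in why:
        print(" -", reason)
```

The log check deliberately matches only `postfix/smtp[` (the outbound client), exactly as the second `zgrep ... | grep postfix\/smtp\\[` in the thread does: an inbound `smtpd` connection from the bouncing host would be expected for backscatter and proves nothing about whether we sent the original.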
