wow thank you for explaining that!  I'm slowly learning more about email this
way

tonight I have to fix the Omni front door lock computer

unless someone else wants to try

-jake


On Sun, 12 Jan 2025, Sean Greenslade via sudo-sys wrote:

On Sun, Jan 12, 2025 at 11:56:30AM -0800, Jake via sudo-sys wrote:
can anyone understand what's going on here?  Are they trying to subscribe
email addresses to [email protected] or something?

From a quick look at this, I don't think the sudoroom server is
compromised in any way. This looks like classic backscatter / joe job.

what do we do?

Nothing, the error is in mail.code-works.de's server config. They
accepted a bogus message faking our return address, the receiver of this
spam refused it, then they sent a backscatter message telling us that
"our" message (the spammer's message) couldn't be delivered.

More analysis below for the curious...

This is the mail system at host mail.code-works.de.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

Here we see that this is a bounce message from the "mail.code-works.de"
mail server. Bounce messages are generally frowned upon these days in
mail admin circles for exactly this issue. Servers should never send
bounces to outside users, since they shouldn't accept undeliverable
messages from outside users.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<[email protected]>: host 163mx01.mxmail.netease.com[103.129.252.43] said:
    550 RP:ORQ 163 gzga-mx-mtada-g3-7,_____wDn99wIvINnsBgkAw--.14920S3
    1736686604,please see
    http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g3-7&time=1736686604
    (in reply to RCPT TO command)

Here we see that the spammer's message was being sent to 163.com's mail
servers. Those servers did not like the message and permanently rejected
it (550) for some sort of spam policy reason. The reason link they
provide 404s, so who knows exactly why they rejected it.

<[email protected]>: host 163mx01.mxmail.netease.com[103.129.252.43] said:
    550 RP:ORQ 163 gzga-mx-mtada-g0-5,_____wDnHwsMvINnIfdVAw--.26571S2
    1736686605,please see
    http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g0-5&time=1736686605
    (in reply to RCPT TO command)

<[email protected]>: host 163mx03.mxmail.netease.com[103.129.252.43] said:
    550 RP:ORQ 163 gzga-mx-mtada-g9-2,_____wDX_00OvINn_9gSAw--.59055S3
    1736686608,please see
    http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g9-2&time=1736686608
    (in reply to RCPT TO command)

Reporting-MTA: dns; mail.code-works.de
X-Postcow-Queue-ID: E1B287FDCC
X-Postcow-Sender: rfc822; [email protected]
Arrival-Date: Sun, 12 Jan 2025 11:01:08 +0100 (CET)

And here we get a hint at the core problem. The presence of
"X-Postcow-*" headers suggests that this is a postcow "mail in a box"
server. See: https://docs.mailcow.email/

I really don't like these sorts of turnkey magic email systems,
since administrating an email server correctly takes much more than a
$ curl | sh, which is _literally_ the start of the installation
instructions for that project.

Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 5.0.0
Remote-MTA: dns; 163mx01.mxmail.netease.com
Diagnostic-Code: smtp; 550 RP:ORQ 163
    gzga-mx-mtada-g3-7,_____wDn99wIvINnsBgkAw--.14920S3 1736686604,please see
    http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g3-7&time=1736686604

Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 5.0.0
Remote-MTA: dns; 163mx01.mxmail.netease.com
Diagnostic-Code: smtp; 550 RP:ORQ 163
    gzga-mx-mtada-g0-5,_____wDnHwsMvINnIfdVAw--.26571S2 1736686605,please see
    http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g0-5&time=1736686605

Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 5.0.0
Remote-MTA: dns; 163mx03.mxmail.netease.com
Diagnostic-Code: smtp; 550 RP:ORQ 163
    gzga-mx-mtada-g9-2,_____wDX_00OvINn_9gSAw--.59055S3 1736686608,please see
    http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g9-2&time=1736686608

Date: Sun, 12 Jan 2025 18:01:08 +0800
From: LiDie <>
Subject: JiangZhengQi
To: JiangZhengQi <[email protected]>, TanGui <[email protected]>,
 ChanYun <[email protected]>

Pretty clear signs of spam from this message. Null sender in the "From"
header, unauthorized MailFrom ([email protected]), SPF softfail, no DKIM
signature. Absolutely no reason the mail.code-works.de server should
have accepted this message in the first place.

As an extra precaution, I checked if our server had made any connections
to 163 or code-works.de:

zootboy@sudoroom:~$ zgrep 163mx /var/log/mail* | wc -l
0

zootboy@sudoroom:~$ zgrep code-works\.de /var/log/mail* | grep postfix\/smtp\\[ | wc -l
0

In summary, no hack, also nothing we can really do about this short of
contacting code-works.de and asking them to fix their mail server.

--Sean

_______________________________________________
sudo-sys mailing list -- [email protected]
To unsubscribe send an email to [email protected]
More options at 
https://sudoroom.org/lists/postorius/lists/sudo-sys.sudoroom.org/
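The checks Sean walks through above (reading the delivery-status block of the bounce, noting the null From address, missing DKIM signature and SPF softfail on the attached original, and grepping the Postfix log for outbound connections to the reporting and remote MTAs) as one script. This is an added example, not code from the thread, from mailcow or from Postfix; it uses only the Python standard library. The DSN and the log lines are constructed to mirror the structure of the real ones (the archive obfuscated the real addresses), OUR_DOMAIN and the placeholder addresses, IPs and queue IDs are assumptions, and X-Postcow-Sender is treated as the non-standard hint it is, with the original message's Return-Path as the generic fallback.

```python
# Added example (not code from the thread, from mailcow or from Postfix): triage a
# bounce the way the thread does.  Stdlib only; the DSN and log lines are constructed.
import email
import re
from email.utils import parseaddr

OUR_DOMAIN = "example.org"  # assumption: the domain the bounce claims we mailed from

# Constructed DSN with the same parts as the real one: a message/delivery-status
# block and the attached original (spam) message.  Addresses/IPs are placeholders.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mail.code-works.de (Mail Delivery System)
To: jake@example.org
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.code-works.de
X-Postcow-Sender: rfc822; jake@example.org

Final-Recipient: rfc822; user1@163.com
Status: 5.0.0
Remote-MTA: dns; 163mx01.mxmail.netease.com
Diagnostic-Code: smtp; 550 RP:ORQ 163 please see http://mail.163.com/help/help_spam_16.htm

--B1
Content-Type: message/rfc822

Return-Path: <jake@example.org>
Authentication-Results: mail.code-works.de; spf=softfail smtp.mailfrom=jake@example.org
From: LiDie <>
To: user1@163.com

(spam body)
--B1--
"""

# Constructed Postfix log lines.  The bounce ARRIVING from mail.code-works.de is logged
# by smtpd (inbound), so the check below only looks at postfix/smtp (outbound) lines.
SAMPLE_LOG = """\
Jan 12 02:05:11 sudoroom postfix/smtp[12345]: 4ABCDEF: to=<member@mail.example>, relay=mx.mail.example[192.0.2.27]:25, delay=1.2, dsn=2.0.0, status=sent (250 OK)
Jan 12 02:06:40 sudoroom postfix/smtpd[12350]: connect from mail.code-works.de[203.0.113.5]
""".splitlines()

def _value(field):
    """'dns; host' / 'rfc822; addr' -> 'host' / 'addr' (address-type prefix dropped)."""
    return (field or "").split(";", 1)[-1].strip()

def parse_dsn(text):
    """Who reported the bounce, who it claims sent the mail, and the attached original."""
    msg = email.message_from_string(text)
    if msg.get_content_type() != "multipart/report":
        raise ValueError("not a multipart/report bounce")
    parts = msg.get_payload()
    status = next(p for p in parts if p.get_content_type() == "message/delivery-status")
    blocks = status.get_payload()  # stdlib parses each blank-line-separated block as a Message
    original = next((p.get_payload()[0] for p in parts
                     if p.get_content_type() == "message/rfc822"), None)
    claimed = _value(blocks[0].get("X-Postcow-Sender"))  # non-standard field seen in the thread
    if not claimed and original is not None:              # generic fallback: original's Return-Path
        claimed = parseaddr(original.get("Return-Path", ""))[1]
    return {"reporting_mta": _value(blocks[0].get("Reporting-MTA")),
            "claimed_sender": claimed,
            "remote_mtas": [_value(b.get("Remote-MTA")) for b in blocks[1:] if b.get("Remote-MTA")],
            "original": original}

def spam_indicators(original):
    """The signs the thread lists: null From address, no DKIM signature, SPF not passing."""
    if original is None:
        return ["original message not attached"]
    reasons = []
    if not parseaddr(original.get("From", ""))[1]:
        reasons.append("null address in From header")
    if "DKIM-Signature" not in original:
        reasons.append("no DKIM signature")
    m = re.search(r"\bspf=(\w+)", original.get("Authentication-Results", ""))
    if m and m.group(1) != "pass":
        reasons.append("SPF " + m.group(1))
    return reasons

OUTBOUND = re.compile(r"postfix/smtp\[\d+\]: .*relay=([^\[,\s]+)")

def outbound_deliveries_to(log_lines, host):
    """Count outbound (postfix/smtp, never smtpd) deliveries relayed to host."""
    return sum(1 for line in log_lines
               if (m := OUTBOUND.search(line)) and m.group(1).lower().endswith(host.lower()))

def classify(dsn_text, log_lines, our_domain=OUR_DOMAIN):
    """Verdict ('backscatter', 'investigate' or 'not-ours') plus the reasons for it."""
    dsn = parse_dsn(dsn_text)
    if dsn["claimed_sender"].rsplit("@", 1)[-1].lower() != our_domain.lower():
        return {"verdict": "not-ours", "reasons": ["bounce is for " + dsn["claimed_sender"]]}
    hosts = sorted({dsn["reporting_mta"], *dsn["remote_mtas"]} - {""})
    sent = {h: outbound_deliveries_to(log_lines, h) for h in hosts}
    if any(sent.values()):  # we really did talk to them: the queue, not the bounce, is the lead
        return {"verdict": "investigate",
                "reasons": [f"{n} outbound deliveries to {h}" for h, n in sent.items() if n]}
    return {"verdict": "backscatter",
            "reasons": ["no outbound deliveries to " + ", ".join(hosts)]
                       + spam_indicators(dsn["original"])}
```

For a real bounce, feed classify() the raw message and the lines from zgrep over /var/log/mail*; on the sample it returns "backscatter" with the three indicators Sean lists. The relay check deliberately ignores smtpd lines: the bounce itself arriving from mail.code-works.de shows up there, and that says nothing about whether we ever sent anything to them.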

