Hey Sean, thanks for the explanation. Useful for folks like me that don't know much about email DNS server configuration.

BTW, out of curiosity I ran a health and security check on the domain and it says that the DKIM is not configured: https://www.itechtics.com/tool/ed/?domain=Sudoroom.org
Wouldn't this potentially mark our emails untrustworthy and get them marked as spam? Just wondering.

Daniel

On Sun, Jan 12, 2025 at 8:29 PM Jake via sudo-sys <[email protected]> wrote:

> wow thank you for explaining that! I'm slowly learning more about email this way
>
> tonight I have to fix the Omni front door lock computer
>
> unless someone else wants to try
>
> -jake
>
> On Sun, 12 Jan 2025, Sean Greenslade via sudo-sys wrote:
>
> > On Sun, Jan 12, 2025 at 11:56:30AM -0800, Jake via sudo-sys wrote:
> > > can anyone understand what's going on here? Are they trying to subscribe email addresses to [email protected] or something?
> >
> > From a quick look at this, I don't think the sudoroom server is compromised in any way. This looks like classic backscatter / joe job.
> >
> > > what do we do?
> >
> > Nothing, the error is on mail.code-works.de's server config. They accepted a bogus message faking our return address, the receiver of this spam refused it, then they sent a backscatter message telling us that "our" message (the spammer's message) couldn't be delivered.
> >
> > More analysis below for the curious...
> >
> > > This is the mail system at host mail.code-works.de.
> > >
> > > I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.
> >
> > Here we see that this is a bounce message from the "mail.code-works.de" mail server. Bounce messages are generally frowned upon these days in mail admin circles for exactly this issue. Servers should never send bounces to outside users, since they shouldn't accept undeliverable messages from outside users.
> >
> > > For further assistance, please send mail to postmaster.
> > >
> > > If you do so, please include this problem report. You can delete your own text from the attached returned message.
> > >
> > > The mail system
> > >
> > > <[email protected]>: host 163mx01.mxmail.netease.com[103.129.252.43] said: 550 RP:ORQ 163 gzga-mx-mtada-g3-7,_____wDn99wIvINnsBgkAw--.14920S3 1736686604,please see http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g3-7&time=1736686604 (in reply to RCPT TO command)
> >
> > Here we see that the spammer's message was being sent to 163.com's mail servers. Those servers did not like the message and permanently rejected it (550) for some sort of spam policy reason. The reason link they provide 404s, so who knows exactly why they rejected it.
> >
> > > <[email protected]>: host 163mx01.mxmail.netease.com[103.129.252.43] said: 550 RP:ORQ 163 gzga-mx-mtada-g0-5,_____wDnHwsMvINnIfdVAw--.26571S2 1736686605,please see http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g0-5&time=1736686605 (in reply to RCPT TO command)
> > >
> > > <[email protected]>: host 163mx03.mxmail.netease.com[103.129.252.43] said: 550 RP:ORQ 163 gzga-mx-mtada-g9-2,_____wDX_00OvINn_9gSAw--.59055S3 1736686608,please see http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g9-2&time=1736686608 (in reply to RCPT TO command)
> >
> > > Reporting-MTA: dns; mail.code-works.de
> > > X-Postcow-Queue-ID: E1B287FDCC
> > > X-Postcow-Sender: rfc822; [email protected]
> > > Arrival-Date: Sun, 12 Jan 2025 11:01:08 +0100 (CET)
> >
> > And here we get a hint at the core problem. The presence of "X-Postcow-*" headers suggests that this is a postcow "mail in a box" server. See: https://docs.mailcow.email/
> >
> > I really don't like these sorts of turnkey magic email systems, since administrating an email server correctly takes much more than a $ curl | sh, which is _literally_ the start of the installation instructions for that project.
> >
> > > Final-Recipient: rfc822; [email protected]
> > > Original-Recipient: rfc822;[email protected]
> > > Action: failed
> > > Status: 5.0.0
> > > Remote-MTA: dns; 163mx01.mxmail.netease.com
> > > Diagnostic-Code: smtp; 550 RP:ORQ 163 gzga-mx-mtada-g3-7,_____wDn99wIvINnsBgkAw--.14920S3 1736686604,please see http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g3-7&time=1736686604
> > >
> > > Final-Recipient: rfc822; [email protected]
> > > Original-Recipient: rfc822;[email protected]
> > > Action: failed
> > > Status: 5.0.0
> > > Remote-MTA: dns; 163mx01.mxmail.netease.com
> > > Diagnostic-Code: smtp; 550 RP:ORQ 163 gzga-mx-mtada-g0-5,_____wDnHwsMvINnIfdVAw--.26571S2 1736686605,please see http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g0-5&time=1736686605
> > >
> > > Final-Recipient: rfc822; [email protected]
> > > Original-Recipient: rfc822;[email protected]
> > > Action: failed
> > > Status: 5.0.0
> > > Remote-MTA: dns; 163mx03.mxmail.netease.com
> > > Diagnostic-Code: smtp; 550 RP:ORQ 163 gzga-mx-mtada-g9-2,_____wDX_00OvINn_9gSAw--.59055S3 1736686608,please see http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g9-2&time=1736686608
> >
> > > Date: Sun, 12 Jan 2025 18:01:08 +0800
> > > From: LiDie <>
> > > Subject: JiangZhengQi
> > > To: JiangZhengQi <[email protected]>, TanGui <[email protected]>, ChanYun <[email protected]>
> >
> > Pretty clear signs of spam from this message. Null sender in the "From" header, unauthorized MailFrom ([email protected]), SPF softfail, no DKIM signature. Absolutely no reason the mail.code-works.de server should have accepted this message in the first place.
> >
> > As an extra precaution, I checked if our server had made any connections to 163 or code-works.de:
> >
> > > zootboy@sudoroom:~$ zgrep 163mx /var/log/mail* | wc -l
> > > 0
> >
> > > zootboy@sudoroom:~$ zgrep code-works\.de /var/log/mail* | grep postfix\/smtp\\[ | wc -l
> > > 0
> >
> > In summary, no hack, also nothing we can really do about this short of contacting code-works.de and asking them to fix their mail server.
> >
> > --Sean
> >
> > _______________________________________________
> > sudo-sys mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > More options at https://sudoroom.org/lists/postorius/lists/sudo-sys.sudoroom.org/
