[sudo-sys] Re: shit we're being used to spam again

On Sun, Jan 12, 2025 at 11:56:30AM -0800, Jake via sudo-sys wrote: From a quick look at this, I don't think the sudoroom server is compromised in any way. This looks like classic backscatter / joe job. Nothing, the error in on mail.code-works.de's server config. They accepted a bogus message faking our return address, the receiver of this spam refused it, then they sent a backscatter message telling us that "our" message (the spammer's message) couldn't be delivered. More analysis below for the curious... Here we see that this is a bounce message from the "mail.code-works.de" mail server. Bounce messages are generally frowned upon these days in mail admin circles for exactly this issue. Servers should never send bounces to outside users, since they shouldn't accept undeliverable messages from outside users. Here we see that the spammer's message was being sent to 163.com's mail servers. Those servers did not like the message and permanently rejected it (550) for some sort of spam policy reason. The reason link they provide 404s, so who knows exactly why they rejected it. And here we get a hint at the core problem. The presence of "X-Postcow-*" headers suggests that this is a postcow "mail in a box" server. See: https://docs.mailcow.email/ I really don't like these sorts of turnkey magic email systems, since administrating an email server correctly takes much more than a $ curl | sh, which is _literally_ the start of the installation instructions for that project. Pretty clear signs of spam from this message. Null sender in the "From" header, unauthorized MailFrom (info(a)sudoroom.org), SPF softfail, no DKIM signature. Absolutely no reason the mail.code-works.de server should have accepted this message in the first place. As an extra precaution, I checked if our server had made any connections to 163 or code-works.de: In summary, no hack, also nothing we can really do about this short of contacting code-works.de and asking them to fix their mail server. --Sean