Hey Sean, thanks for the explanation. Useful for folks like me that don’t
know much about email DNS server configuration.
BTW, out of curiosity I ran a health and security check on the domain and
it says that the DKIM is not configured:
Wouldn’t this potentially mark our emails as untrustworthy and get them
marked as spam?
Just wondering.
Daniel
On Sun, Jan 12, 2025 at 8:29 PM Jake via sudo-sys <sudo-sys(a)sudoroom.org> wrote:
wow thank you for explaining that! I'm slowly learning more about email
this way
tonight I have to fix the Omni front door lock computer
unless someone else wants to try
-jake
On Sun, 12 Jan 2025, Sean Greenslade via sudo-sys wrote:
On Sun, Jan 12, 2025 at 11:56:30AM -0800, Jake via sudo-sys wrote:
> can anyone understand what's going on here? Are they trying to subscribe
> email addresses to info(a)sudoroom.org or something?
From a quick look at this, I don't think the sudoroom server is
compromised in any way. This looks like classic backscatter / joe job.
> what do we do?
Nothing, the error is on mail.code-works.de's server config. They
accepted a bogus message faking our return address, the receiver of this
spam refused it, then they sent a backscatter message telling us that
"our" message (the spammer's message) couldn't be delivered.
More analysis below for the curious...
> This is the mail system at host mail.code-works.de.
>
> I'm sorry to have to inform you that your message could not
> be delivered to one or more recipients. It's attached below.
Here we see that this is a bounce message from the "mail.code-works.de"
mail server. Bounce messages are generally frowned upon these days in
mail admin circles for exactly this issue. Servers should never send
bounces to outside users, since they shouldn't accept undeliverable
messages from outside users.
> For further assistance, please send mail to postmaster.
>
> If you do so, please include this problem report. You can
> delete your own text from the attached returned message.
>
> The mail system
>
> <13291292934(a)163.com>: host 163mx01.mxmail.netease.com[103.129.252.43] said:
> 550 RP:ORQ 163 gzga-mx-mtada-g3-7,_____wDn99wIvINnsBgkAw--.14920S3 1736686604,please see
> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga…
> (in reply to RCPT TO command)
Here we see that the spammer's message was being sent to 163.com's mail
servers. Those servers did not like the message and permanently rejected
it (550) for some sort of spam policy reason. The reason link they
provide 404s, so who knows exactly why they rejected it.
> <13694762078(a)163.com>: host 163mx01.mxmail.netease.com[103.129.252.43] said:
> 550 RP:ORQ 163 gzga-mx-mtada-g0-5,_____wDnHwsMvINnIfdVAw--.26571S2 1736686605,please see
> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga…
> (in reply to RCPT TO command)
>
> <13876489730(a)163.com>: host 163mx03.mxmail.netease.com[103.129.252.43] said:
> 550 RP:ORQ 163 gzga-mx-mtada-g9-2,_____wDX_00OvINn_9gSAw--.59055S3 1736686608,please see
> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga…
> (in reply to RCPT TO command)
> Reporting-MTA: dns; mail.code-works.de
> X-Postcow-Queue-ID: E1B287FDCC
> X-Postcow-Sender: rfc822; info(a)sudoroom.org
> Arrival-Date: Sun, 12 Jan 2025 11:01:08 +0100 (CET)
And here we get a hint at the core problem. The presence of
"X-Postcow-*" headers suggests that this is a postcow "mail in a box"
server. See:
https://docs.mailcow.email/
I really don't like these sorts of turnkey magic email systems,
since administrating an email server correctly takes much more than a
$ curl | sh, which is _literally_ the start of the installation
instructions for that project.
> Final-Recipient: rfc822; 13291292934(a)163.com
> Original-Recipient: rfc822;13291292934(a)163.com
> Action: failed
> Status: 5.0.0
> Remote-MTA: dns; 163mx01.mxmail.netease.com
> Diagnostic-Code: smtp; 550 RP:ORQ 163 gzga-mx-mtada-g3-7,_____wDn99wIvINnsBgkAw--.14920S3 1736686604,please see
> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga…
>
> Final-Recipient: rfc822; 13694762078(a)163.com
> Original-Recipient: rfc822;13694762078(a)163.com
> Action: failed
> Status: 5.0.0
> Remote-MTA: dns; 163mx01.mxmail.netease.com
> Diagnostic-Code: smtp; 550 RP:ORQ 163 gzga-mx-mtada-g0-5,_____wDnHwsMvINnIfdVAw--.26571S2 1736686605,please see
> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga…
>
> Final-Recipient: rfc822; 13876489730(a)163.com
> Original-Recipient: rfc822;13876489730(a)163.com
> Action: failed
> Status: 5.0.0
> Remote-MTA: dns; 163mx03.mxmail.netease.com
> Diagnostic-Code: smtp; 550 RP:ORQ 163 gzga-mx-mtada-g9-2,_____wDX_00OvINn_9gSAw--.59055S3 1736686608,please see
> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga…
> Date: Sun, 12 Jan 2025 18:01:08 +0800
> From: LiDie <>
> Subject: JiangZhengQi
> To: JiangZhengQi <13694762078(a)163.com>, TanGui <13876489730(a)163.com>,
>  ChanYun <13291292934(a)163.com>
Pretty clear signs of spam from this message. Null sender in the "From"
header, unauthorized MailFrom (info(a)sudoroom.org), SPF softfail, no DKIM
signature. Absolutely no reason the mail.code-works.de server should
have accepted this message in the first place.
As an extra precaution, I checked if our server had made any connections
to 163 or code-works.de:
zootboy@sudoroom:~$ zgrep 163mx /var/log/mail* | wc -l
0
zootboy@sudoroom:~$ zgrep code-works\.de /var/log/mail* | grep postfix\/smtp\\[ | wc -l
0
In summary, no hack, also nothing we can really do about this short of
contacting code-works.de and asking them to fix their mail server.
--Sean
_______________________________________________
sudo-sys mailing list -- sudo-sys(a)sudoroom.org
To unsubscribe send an email to sudo-sys-leave(a)sudoroom.org
More options at
https://sudoroom.org/lists/postorius/lists/sudo-sys.sudoroom.org/
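An added example, not part of the thread and not Sean's or sudoroom's code: a Python script that does by program what Sean did by eye above. It parses a multipart/report bounce shaped like the quoted one, pulls the per-recipient status out of the delivery-status part, checks the returned message for the forgery signs he listed (null From, no DKIM-Signature, no Received line from our own server), and mirrors his second zgrep by counting only postfix/smtp (outbound) log lines and ignoring postfix/smtpd (inbound) ones. The sample bounce and log lines are constructed; the relay hostname, IPs, recipient addresses, queue ID and the OUR_DOMAIN / OUR_HOSTS values are placeholders and assumptions.

```python
"""Triage a bounce (DSN, RFC 3464) for backscatter and mirror Sean's outbound-log check.
Added example, not code from the sudo-sys thread. The DSN and log lines below are constructed
to resemble the quoted bounce; hosts, IPs, addresses, queue IDs and OUR_* are placeholders."""
import email
import re

OUR_DOMAIN = "sudoroom.org"    # assumption: the return-path domain being spoofed
OUR_HOSTS = ("sudoroom.org",)  # assumption: hostname our MTA writes into Received lines

SAMPLE_DSN = b"""\
From: MAILER-DAEMON@mail.relay.example
To: info@sudoroom.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.relay.example

Final-Recipient: rfc822; 1000000001@163.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; 163mx01.mxmail.netease.com
Diagnostic-Code: smtp; 550 RP:ORQ 163 (placeholder policy rejection)

Final-Recipient: rfc822; 1000000002@163.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; 163mx03.mxmail.netease.com
Diagnostic-Code: smtp; 550 RP:ORQ 163 (placeholder policy rejection)

--B1
Content-Type: message/rfc822

Received: from unknown (unknown [192.0.2.10])
\tby mail.relay.example (Postfix) with ESMTP id 0000000000; Sun, 12 Jan 2025 11:01:08 +0100 (CET)
Date: Sun, 12 Jan 2025 18:01:08 +0800
From: LiDie <>
Subject: JiangZhengQi
To: JiangZhengQi <1000000001@163.com>, TanGui <1000000002@163.com>

(spam body omitted)
--B1--
"""


def _hdr(part, name):  # header value with folding whitespace collapsed, '' if absent
    return " ".join((part.get(name) or "").split())


def parse_dsn(raw):
    """Split a multipart/report bounce into report fields and the returned message."""
    msg = email.message_from_bytes(raw)
    if msg.get_content_type() != "multipart/report":
        raise ValueError("not a multipart/report bounce")
    report = {"reporting_mta": "", "recipients": [], "original": None}
    for part in msg.get_payload():
        if part.get_content_type() == "message/delivery-status":
            blocks = part.get_payload()  # header-only blocks: per-message first, then per-recipient
            report["reporting_mta"] = _hdr(blocks[0], "Reporting-MTA").split(";", 1)[-1].strip()
            for b in blocks[1:]:  # drop the 'rfc822;' / 'dns;' / 'smtp;' type prefix of each field
                report["recipients"].append({k: _hdr(b, h).split(";", 1)[-1].strip() for k, h in
                    [("recipient", "Final-Recipient"), ("status", "Status"),
                     ("remote_mta", "Remote-MTA"), ("diagnostic", "Diagnostic-Code")]})
        elif part.get_content_type() == "message/rfc822":
            report["original"] = part.get_payload()[0]  # the message the bounce claims we sent
    return report


def backscatter_indicators(report, our_domain=OUR_DOMAIN, our_hosts=OUR_HOSTS):
    """Signs that the returned message was forged rather than sent by our MTA.
    Two or more independent signs: treat the bounce as backscatter and drop it."""
    orig = report["original"]
    if orig is None:
        return ["no original message attached; cannot show it was ours"]
    signs = []
    from_hdr = _hdr(orig, "From")
    if not from_hdr or re.search(r"<\s*>", from_hdr):
        signs.append("null/empty From header")
    elif f"@{our_domain}" not in from_hdr.lower():
        signs.append(f"From header is not @{our_domain}")
    if "DKIM-Signature" not in orig:
        signs.append("no DKIM-Signature header")
    received = [" ".join(r.split()) for r in orig.get_all("Received") or []]
    if not any(h in r for r in received for h in our_hosts):
        signs.append("no Received line from our own MTA")
    return signs


# Sean's second zgrep as a function: only postfix/smtp (our outbound client) lines count;
# postfix/smtpd lines are remote hosts connecting to us and prove nothing about what we sent.
OUTBOUND = re.compile(r"postfix/smtp\[\d+\]")
SAMPLE_LOG = [  # constructed Postfix log lines
    "Jan 12 11:05:01 sudoroom postfix/smtpd[1234]: connect from mail.relay.example[203.0.113.5]",
    "Jan 12 11:06:00 sudoroom postfix/smtp[2222]: 9DEF: to=<user@example.org>, relay=mx.example.org[198.51.100.2]:25, status=sent",
]


def outbound_contacts(log_lines, host):
    return [line for line in log_lines if OUTBOUND.search(line) and host in line]


if __name__ == "__main__":
    rep = parse_dsn(SAMPLE_DSN)
    print(rep["reporting_mta"], rep["recipients"], backscatter_indicators(rep), sep="\n")
    print("outbound contacts with relay:", outbound_contacts(SAMPLE_LOG, "mail.relay.example"))
```

Run it directly to print the parsed report and the indicators for the sample. On a real bounce, feed the raw message bytes to parse_dsn and set OUR_HOSTS to the hostname your MTA stamps into Received headers. SPF is not evaluated here because that needs DNS; the Received check is the offline stand-in for "this never passed through our server", which is the same thing Sean's log greps established.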