wow thank you for explaining that! I'm slowly learning more about email this
way
tonight I have to fix the Omni front door lock computer
unless someone else wants to try
-jake
On Sun, 12 Jan 2025, Sean Greenslade via sudo-sys wrote:
> On Sun, Jan 12, 2025 at 11:56:30AM -0800, Jake via sudo-sys wrote:
>> can anyone understand what's going on here? Are they trying to subscribe
>> email addresses to info@sudoroom.org or something?
>
> From a quick look at this, I don't think the sudoroom server is
> compromised in any way. This looks like classic backscatter / joe job.
>
>> what do we do?
>
> Nothing, the error is on mail.code-works.de's server config. They
> accepted a bogus message faking our return address, the receiver of this
> spam refused it, then they sent a backscatter message telling us that
> "our" message (the spammer's message) couldn't be delivered.
>
> More analysis below for the curious...
>
>> This is the mail system at host mail.code-works.de.
>>
>> I'm sorry to have to inform you that your message could not
>> be delivered to one or more recipients. It's attached below.
>
> Here we see that this is a bounce message from the "mail.code-works.de"
> mail server. Bounce messages are generally frowned upon these days in
> mail admin circles for exactly this issue. Servers should never send
> bounces to outside users, since they shouldn't accept undeliverable
> messages from outside users.
>
>> For further assistance, please send mail to postmaster.
>>
>> If you do so, please include this problem report. You can
>> delete your own text from the attached returned message.
>>
>> The mail system
>>
>> <13291292934@163.com>: host 163mx01.mxmail.netease.com[103.129.252.43] said:
>> 550 RP:ORQ 163 gzga-mx-mtada-g3-7,_____wDn99wIvINnsBgkAw--.14920S3
>> 1736686604,please see
>> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g3-7&time=1736686604
>> (in reply to RCPT TO command)
>
> Here we see that the spammer's message was being sent to 163.com's mail
> servers. Those servers did not like the message and permanently rejected
> it (550) for some sort of spam policy reason. The reason link they
> provide 404s, so who knows exactly why they rejected it.
>
>> <13694762078@163.com>: host 163mx01.mxmail.netease.com[103.129.252.43] said:
>> 550 RP:ORQ 163 gzga-mx-mtada-g0-5,_____wDnHwsMvINnIfdVAw--.26571S2
>> 1736686605,please see
>> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g0-5&time=1736686605
>> (in reply to RCPT TO command)
>>
>> <13876489730@163.com>: host 163mx03.mxmail.netease.com[103.129.252.43] said:
>> 550 RP:ORQ 163 gzga-mx-mtada-g9-2,_____wDX_00OvINn_9gSAw--.59055S3
>> 1736686608,please see
>> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g9-2&time=1736686608
>> (in reply to RCPT TO command)
>
>> Reporting-MTA: dns; mail.code-works.de
>> X-Postcow-Queue-ID: E1B287FDCC
>> X-Postcow-Sender: rfc822; info@sudoroom.org
>> Arrival-Date: Sun, 12 Jan 2025 11:01:08 +0100 (CET)
>
> And here we get a hint at the core problem. The presence of
> "X-Postcow-*" headers suggests that this is a postcow "mail in a box"
> server. See: https://docs.mailcow.email/
>
> I really don't like these sorts of turnkey magic email systems,
> since administrating an email server correctly takes much more than a
> $ curl | sh, which is _literally_ the start of the installation
> instructions for that project.
>
>> Final-Recipient: rfc822; 13291292934@163.com
>> Original-Recipient: rfc822;13291292934@163.com
>> Action: failed
>> Status: 5.0.0
>> Remote-MTA: dns; 163mx01.mxmail.netease.com
>> Diagnostic-Code: smtp; 550 RP:ORQ 163
>> gzga-mx-mtada-g3-7,_____wDn99wIvINnsBgkAw--.14920S3 1736686604,please see
>> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g3-7&time=1736686604
>>
>> Final-Recipient: rfc822; 13694762078@163.com
>> Original-Recipient: rfc822;13694762078@163.com
>> Action: failed
>> Status: 5.0.0
>> Remote-MTA: dns; 163mx01.mxmail.netease.com
>> Diagnostic-Code: smtp; 550 RP:ORQ 163
>> gzga-mx-mtada-g0-5,_____wDnHwsMvINnIfdVAw--.26571S2 1736686605,please see
>> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g0-5&time=1736686605
>>
>> Final-Recipient: rfc822; 13876489730@163.com
>> Original-Recipient: rfc822;13876489730@163.com
>> Action: failed
>> Status: 5.0.0
>> Remote-MTA: dns; 163mx03.mxmail.netease.com
>> Diagnostic-Code: smtp; 550 RP:ORQ 163
>> gzga-mx-mtada-g9-2,_____wDX_00OvINn_9gSAw--.59055S3 1736686608,please see
>> http://mail.163.com/help/help_spam_16.htm?ip=88.198.193.230&hostid=gzga-mx-mtada-g9-2&time=1736686608
>
>> Date: Sun, 12 Jan 2025 18:01:08 +0800
>> From: LiDie <>
>> Subject: JiangZhengQi
>> To: JiangZhengQi <13694762078@163.com>, TanGui <13876489730@163.com>,
>> ChanYun <13291292934@163.com>
>
> Pretty clear signs of spam from this message. Null sender in the "From"
> header, unauthorized MailFrom (info@sudoroom.org), SPF softfail, no DKIM
> signature. Absolutely no reason the mail.code-works.de server should
> have accepted this message in the first place.
>
> As an extra precaution, I checked if our server had made any connections
> to 163 or code-works.de:
>
>> zootboy@sudoroom:~$ zgrep 163mx /var/log/mail* | wc -l
>> 0
>
>> zootboy@sudoroom:~$ zgrep code-works\.de /var/log/mail* | grep postfix\/smtp\\[ | wc -l
>> 0
>
> In summary, no hack, also nothing we can really do about this short of
> contacting code-works.de and asking them to fix their mail server.
>
> --Sean
>
_______________________________________________
sudo-sys mailing list -- sudo-sys@sudoroom.org
To unsubscribe send an email to sudo-sys-leave@sudoroom.org
More options at https://sudoroom.org/lists/postorius/lists/sudo-sys.sudoroom.org/
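The triage Sean walks through above (read the bounce's delivery-status report, look at the returned original for a null From / SPF softfail / missing DKIM, then grep our own mail log to confirm we never talked to those servers) can be scripted. The following is an added example and not code from the thread or from the sudoroom server; the DSN text and postfix log lines are constructed to mirror the shape of the quoted bounce, and the hostname mail.sudoroom.org plus every example.invalid / example.org host and address are placeholders. It generalizes the thread's one-off check into a classifier that works on any multipart/report bounce.

```python
"""Added example (not from the sudo-sys thread): triage a bounce to tell
backscatter from a bounce we actually caused. SAMPLE_DSN and SAMPLE_LOG are
constructed; hosts/addresses not named in the thread are placeholders."""
import email
from email.utils import parseaddr

OUR_MTA = "mail.sudoroom.org"   # assumed hostname of our own MTA (placeholder)
OUR_DOMAIN = "sudoroom.org"

# Constructed multipart/report DSN (RFC 3464) shaped like the quoted bounce.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mail.code-works.de
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.code-works.de
X-Postcow-Sender: rfc822; info@sudoroom.org

Final-Recipient: rfc822; recipient-one@example.invalid
Status: 5.0.0
Remote-MTA: dns; mx.example.invalid
Diagnostic-Code: smtp; 550 rejected for policy reasons

--B1
Content-Type: message/rfc822

From: LiDie <>
To: recipient-one@example.invalid
Received-SPF: softfail (sudoroom.org does not designate 203.0.113.9 as permitted sender)

placeholder body

--B1--
"""

# Constructed postfix log: one inbound connection, one unrelated outbound delivery.
SAMPLE_LOG = [
    "Jan 12 10:55:01 sudoroom postfix/smtpd[1234]: connect from unknown[203.0.113.9]",
    "Jan 12 10:58:40 sudoroom postfix/smtp[1300]: 7A1B2C: to=<member@example.org>, "
    "relay=mx.example.org[198.51.100.7]:25, status=sent (250 OK)",
]

def _dsn_value(raw):
    """Drop the 'dns;' / 'rfc822;' / 'smtp;' type tag from a DSN field."""
    return None if raw is None else raw.split(";", 1)[-1].strip()

def parse_dsn(raw_message):
    """Extract reporting MTA, claimed sender, per-recipient status and the returned original."""
    msg = email.message_from_string(raw_message)
    report = {"reporting_mta": None, "sender": None, "recipients": [], "original": None}
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            blocks = part.get_payload()  # header-only Message objects, per-message block first
            report["reporting_mta"] = _dsn_value(blocks[0]["Reporting-MTA"])
            report["sender"] = _dsn_value(blocks[0]["X-Postcow-Sender"])
            for block in blocks[1:]:
                report["recipients"].append({
                    "final_recipient": _dsn_value(block["Final-Recipient"]),
                    "status": block["Status"],
                    "remote_mta": _dsn_value(block["Remote-MTA"]),
                    "diagnostic": _dsn_value(block["Diagnostic-Code"])})
        elif part.get_content_type() == "message/rfc822":
            report["original"] = part.get_payload()[0]  # the message the spammer sent
    return report

def spam_indicators(original):
    """The signs named in the thread: null From, SPF not passing, no DKIM signature."""
    found = []
    if not parseaddr(original.get("From", ""))[1]:
        found.append("null-from")
    spf = (original.get("Received-SPF") or "").split()
    result = spf[0].lower() if spf else "none"
    if result != "pass":
        found.append("spf-" + result)
    if original.get("DKIM-Signature") is None:
        found.append("no-dkim")
    return found

def outbound_deliveries(log_lines, host):
    """Count outbound (postfix/smtp) deliveries relayed to host, like the zgrep in the thread."""
    return sum(1 for l in log_lines if "postfix/smtp[" in l and "relay=" + host in l)

def classify(raw_message, log_lines, our_mta=OUR_MTA, our_domain=OUR_DOMAIN):
    """Backscatter = a foreign MTA bounced mail we never sent; otherwise review by hand."""
    report = parse_dsn(raw_message)
    reasons = []
    foreign = report["reporting_mta"] not in (None, our_mta)
    if foreign:
        reasons.append("bounce generated by foreign MTA " + report["reporting_mta"])
    if report["sender"] and report["sender"].endswith("@" + our_domain):
        reasons.append("foreign MTA accepted mail claiming our sender " + report["sender"])
    never_sent = all(outbound_deliveries(log_lines, r["remote_mta"]) == 0
                     for r in report["recipients"])
    if never_sent:
        reasons.append("our log shows no outbound delivery to the remote MTAs")
    if report["original"] is not None:
        reasons.extend(spam_indicators(report["original"]))
    verdict = "backscatter" if foreign and never_sent and report["recipients"] else "needs-review"
    return verdict, reasons
```

Run `classify(SAMPLE_DSN, SAMPLE_LOG)` to get the verdict and the list of reasons; on a real server, feed it the raw bounce from the mailbox and the concatenated (gunzipped) /var/log/mail* lines. The log check is the decisive signal: a bounce from a foreign MTA for a delivery our own postfix/smtp never attempted is backscatter by construction, while the null-From / SPF / DKIM findings only explain why the foreign server should have refused the message at RCPT time.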