Re: "mail forwarding loop" exploit? -- Not likely...
From: Pierre Fortin (pf@pfortin.com)
Date: Tue Oct 05 2004 - 13:41:30 CDT
On Tue, 5 Oct 2004 12:45:09 -0400 Victor wrote:
> On Tue, Oct 05, 2004 at 10:26:04AM -0400, Rob Foehl wrote:
>
> > On Tue, 5 Oct 2004, Pierre Fortin wrote:
> >
> > >Oct 4 18:08:25 bones postfix/local[27027]: BDC00C553:
> > >to=<pfortin@pfortin.com>, relay=local, delay=5, status=bounced (mail
> > >forwarding loop for pfortin@pfortin.com)
> > [...]
> > >Is this an indication of a possible exploit..?
> >
> > No, it's an indication of a forwarding loop. Provide postconf -n and
> > details on where you expect the above address to be delivered
> > (aliases, etc).
Rob, I'd be quite pleased if you could find a forwarding loop in my
config... I was going to include the info (lengthy); but I think I see
what must've happened based on Victor's comment...
> Not necessarily. The "Delivered-To:" header can be forged. Whether
> protecting against this "attack" warrants new code is not quite clear
> yet.
Victor, the message which found its way into my outbound queue is included
below... The original is available on request...
> The attacker could for example push the mailbox over quota, and then
> send
Did not happen in this case... just the single message arriving during an
otherwise quiet period...
> a flood of mail that will bounce. Postfix would then need an over quota
> cache that rate limits over-quota bounces to 1 per TTL (with rejects
> between TTL expiration). This would (hypothetically) work with local(8)
> but cannot solve over-quota problems with 3rd party MDAs, because there
> is no standard (sysexits.h) error code for mailbox over quota.
>
> So if someone is hell-bent on getting your system to generate a bounce,
> they can probably find a way to do it... If this becomes a major
> problem, defending against it requires more than just "fixing"
> Delivered-To.
Looks like it was most likely a forged header that triggered the "loop"...
unless I misinterpreted the message below...
It's kinda hard to decide whether this should be left to loop avoidance or
simply handled by the "I can break rules too" error handler... :^)
Thanks for the feedback,
Pierre
----------------------------------------------
The message.... I expect it may be mangled on its way to y'all... the
raw message did not have returns -- I added those to make it more
readable.... my comments are prefixed with ###
# cat -v /root/SPAMRELAYING/7D64AC57D
C/ 3182 177 1T
1096927705A
^T
message_origin=local
S^
O^[
Andrea.Wilkes@diplender.com
R^[
Andrea.Wilkes@diplender.com
W^O 0M^O 3359N"
Received: by pfortin.com (Postfix)N4 id 7D64AC57D;
Mon, 4 Oct 2004 18:08:25 -0400 (EDT)
N+
Date: Mon, 4 Oct 2004 18:08:25 -0400 (EDT)
N6
From: MAILER-DAEMON@pfortin.com (Mail Delivery System)
N,
Subject: Undelivered Mail Returned to Sender
N^_
To: Andrea.Wilkes@diplender.com
N^Q
MIME-Version: 1.0
N<
Content-Type: multipart/report;
report-type=delivery-status
;N,
boundary="BDC00C553.1096927705/pfortin.com"
N^_
Content-Transfer-Encoding: 8bit
N2
Message-Id: <20041004220825.7D64AC57D@pfortin.com>
N^
N$
This is a MIME-encapsulated message.
N^
N
"--BDC00C553.1096927705/pfortin.com
N!
Content-Description: Notification
N^X
Content-Type: text/plain
N^
N0
This is the Postfix program at host pfortin.com.
N^
N9
I'm sorry to have to inform you that the message returned
N9
below could not be delivered to one or more destinations.
N^
N8
For further assistance, please send mail to <postmaster>
N^
N9
If you do so, please include this problem report. You can
N5
delete your own text from the message returned below.
N^
N^V
The Postfix program
N^
NC
<pfortin@pfortin.com>: mail forwarding loop for pfortin@pfortin.com
N^
N
"--BDC00C553.1096927705/pfortin.com
N*
Content-Description: Delivery error report
N%
Content-Type: message/delivery-status
N^
N^_
Reporting-MTA: dns; pfortin.com
N3
Arrival-Date: Mon, 4 Oct 2004 18:08:20 -0400 (EDT)
N^
N,
Final-Recipient: rfc822; pfortin@pfortin.com
N^N
Action: failed
N^M
Status: 5.0.0
NH
Diagnostic-Code: X-Postfix;
mail forwarding loop for pfortin@pfortin.com
N^
N
"--BDC00C553.1096927705/pfortin.com
N(
Content-Description: Undelivered Message
N^\
Content-Type: message/rfc822
N^_
Content-Transfer-Encoding: 8bit
N^
NY
###
### The following must be the original message...
###
### Note the lack of "Delivered-To" here... makes sense since
### loop code prevented its delivery...
###
Received: from 81-203-160-118.user.ono.com
(81-203-160-118.user.ono.com [81.203.160.118])
N0
by pfortin.com (Postfix) with SMTP id BDC00C553
NA
for <pfortin@pfortin.com>;
Mon, 4 Oct 2004 18:08:20 -0400 (EDT)
N"
X-Original-To: pfortin@pfortin.com
N!
###
### Isn't this "Delivered-To" out of sequence...?
### Hence, the cause for the 'apparent' loop...?
### If so, then this was forged...
###
Delivered-To: pfortin@pfortin.com
NI
Received: from mail.altavista.com
(mail.altavista.com [66.218.204.155])
N4
by fep4.medsyn.fr (Postfix) with ESMTP id 9D76D00A5NA
for <pfortin@pfortin.com>;
Mon, 04 Oct 2004 20:09:37 -0300 (EDT)
N6
Received: from fusemail.com (unknown [69.31.169.55])
N4
by mail.medsyn.fr (mailer) with SMTP id 5FE2016DBA0NA
for <pfortin@pfortin.com>;
Tue, 05 Oct 2004 03:12:37 +0400 (EDT)
N%
Date: Mon, 04 Oct 2004 22:14:37 -0100
N^_
From: Pierre.Chappell@medsyn.fr
N^W
To: pfortin@pfortin.com
N^T
Subject: Final Offer
N.
Message-Id: <15513B45.5F6C9D4588184@medsyn.fr>
N^Q
MIME-Version: 1.0
N^Y
Content-Type: text/plain;
N^S
charset="us-ascii"
N^_
Content-Transfer-Encoding: 8bit
N^
N^
N^
N^F
Hello,
N^
NF
###
### [snipped mortgage spam]
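The observation at the heart of this thread is that the "Delivered-To:" header is prepended by the delivering host at delivery time, so in a genuine loop it sits above a "Received: ... by <local host>" line from the first pass, whereas the one in the queue file above sits with no local Received: line beneath it, i.e. it was present before the message ever reached the local host. The following script is an added example for triaging such bounces; it is not part of the thread and not Postfix code. It turns that header-order argument into a check a postmaster can run over a queued or bounced message to decide whether a "mail forwarding loop" bounce is a real loop or backscatter triggered by a forged header. The hostnames, addresses, queue ids and the three sample messages are constructed placeholders, and the rule is a heuristic assumed here rather than anything Postfix itself implements.

```python
"""Classify a "mail forwarding loop" bounce by header order.

Added example (not from the thread, not Postfix code). Assumption: a genuine
Delivered-To: for the local recipient is prepended at delivery time, so in a
real loop there is a "Received: ... by <local host>" line BELOW it (the first
pass through this host). A Delivered-To: with no local Received: below it was
already in the message when it arrived, i.e. it was forged upstream.
"""
import re
from email import message_from_string

LOCAL_HOST = "mx.example.com"    # placeholder for the local MTA hostname
LOCAL_RCPT = "user@example.com"  # placeholder for the local recipient


def headers_in_order(raw):
    """Return [(name, value), ...] top to bottom, with folded lines unfolded."""
    msg = message_from_string(raw)
    return [(name, " ".join(str(value).split())) for name, value in msg.items()]


def classify_delivered_to(raw, local_host=LOCAL_HOST, local_rcpt=LOCAL_RCPT):
    """Return 'no-delivered-to', 'genuine-loop' or 'forged-delivered-to'."""
    hdrs = headers_in_order(raw)
    dt_idx = None
    for i, (name, value) in enumerate(hdrs):
        if name.lower() == "delivered-to" and value.strip().lower() == local_rcpt.lower():
            dt_idx = i
            break
    if dt_idx is None:
        return "no-delivered-to"
    # A Received: line below the Delivered-To: that names us as the receiving
    # host proves the message really passed through this host once before.
    by_us = re.compile(r"\bby\s+" + re.escape(local_host) + r"\b", re.IGNORECASE)
    for name, value in hdrs[dt_idx + 1:]:
        if name.lower() == "received" and by_us.search(value):
            return "genuine-loop"
    return "forged-delivered-to"


# Constructed sample 1: same shape as the queue file in the thread. The
# Delivered-To: appears below our only Received: line, with no local
# Received: beneath it, so the header arrived with the message.
FORGED_SAMPLE = """Received: from host.example.net (host.example.net [192.0.2.10])
\tby mx.example.com (Postfix) with SMTP id QUEUE01
\tfor <user@example.com>; Mon, 4 Oct 2004 18:08:20 -0400 (EDT)
X-Original-To: user@example.com
Delivered-To: user@example.com
Received: from relay.example.org (relay.example.org [198.51.100.5])
\tby host.example.net (Postfix) with ESMTP id QUEUE00
\tfor <user@example.com>; Mon, 04 Oct 2004 20:09:37 -0300
From: someone@example.org
To: user@example.com
Subject: Final Offer

Hello,
"""

# Constructed sample 2: a real loop. The message was delivered locally once
# (Delivered-To: prepended), forwarded back to us, and received a second time.
LOOP_SAMPLE = """Received: from mx.example.com (localhost [127.0.0.1])
\tby mx.example.com (Postfix) with ESMTP id QUEUE02
\tfor <user@example.com>; Mon, 4 Oct 2004 18:08:25 -0400 (EDT)
Delivered-To: user@example.com
Received: from host.example.net (host.example.net [192.0.2.10])
\tby mx.example.com (Postfix) with SMTP id QUEUE01
\tfor <user@example.com>; Mon, 4 Oct 2004 18:08:20 -0400 (EDT)
From: someone@example.org
To: user@example.com
Subject: hello

body
"""

# Constructed sample 3: ordinary inbound mail, no Delivered-To: at all.
CLEAN_SAMPLE = """Received: from host.example.net (host.example.net [192.0.2.10])
\tby mx.example.com (Postfix) with SMTP id QUEUE03
\tfor <user@example.com>; Mon, 4 Oct 2004 18:09:00 -0400 (EDT)
From: someone@example.org
To: user@example.com
Subject: hello

body
"""

if __name__ == "__main__":
    for label, sample in (("forged", FORGED_SAMPLE), ("loop", LOOP_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, "->", classify_delivered_to(sample))
```

Run it on the undelivered-message part of a bounce (the message/rfc822 section), not on the bounce itself, since the bounce carries its own fresh headers. A "forged-delivered-to" verdict says the bounce was backscatter rather than a misconfigured alias or .forward, which is the distinction Pierre is drawing above; it does not by itself say what, if anything, the MTA should do differently.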