Re: I'm sending "aaazzzaaazzzaaazzzaaazzzaaazzz" emails

From: /dev/rob0 (rob0@gmx.co.uk)
Date: Wed Nov 23 2005 - 23:31:49 CST


Sorry Viktor, I had this one started before I saw you declare the thread
dead, and it pertains to an earlier post which does have some possibly
relevant information. I had a lot of this nitpicking work already
written when I saw that, so I am hoping you won't kick me off the list
for this.

On Wednesday 2005-November-23 20:32, Jason wrote:
> Case 1.
> With jason@chinamail mapped to jason@newhonest.com in generic in the
> intranet postfix machine
> email sent from the chinamail intranet postfix machine by
> echo "hello1" | mail -s test1 jason@newhonest.com
>
> Log of the intranet postfix machine (sending)
>
> Nov 24 10:11:31 chinamail postfix/pickup[28725]: 5F03D18436: uid=1028
> from=<jason>
> Nov 24 10:11:31 chinamail postfix/cleanup[29069]: 5F03D18436:
> message-id=<20051124021131.5F03D18436@chinamail>

Note the Message-ID @chinamail.

> Nov 24 10:11:31 chinamail postfix/qmgr[28726]: 5F03D18436:
> from=<jason@chinamail>, size=276, nrcpt=1 (queue active)
> Nov 24 10:11:31 chinamail postfix/smtp[29174]: 5F03D18436:
> to=<jason@newhonest.com>, relay=mail.newhonest.com[202.85.165.133

Is something cut out here? I just tested with sendmail(1) and I got:

Nov 24 04:08:40 please postfix/smtp[10726]: 730583941:
to=<rob0@example.org>, relay=rob.example.org[my.IP.add.ress], delay=42,
dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3C2E62FC27)

You won't have the DSN without Postfix 2.3, but what about the status
and the 250 reply from the relay?

> Nov 24 10:11:31 chinamail postfix/cleanup[29069]: AB35518437:
> message-id=<20051124021131.AB35518437@chinamail>

And here's that Message-ID again? No, it has a different queue ID
appended. The 20051124021131 part is the same. Ah, look, it is a GMT
time string.

> Nov 24 10:11:31 chinamail postfix/qmgr[28726]: AB35518437: from=<>,
> size=1975, nrcpt=1 (queue active)

It's a bounce!

> Nov 24 10:11:31 chinamail postfix/qmgr[28726]: 5F03D18436: removed

But where did AB35518437 go? Find that message, and all its logs.

> Log of the receiving sendmail machine (sorry that some of the
> MailScanner logs may be irrelevant) :
>
> Nov 24 10:10:43 mail sendmail[15575]: jAO2Agsd015575:
> from=<jason@newhonest.com>, size=31, class=0, nrcpts=1,

Envelope sender is different.

> msgid=<200511240210.jAO2Agsd015575@mail.newhonest.com>, proto=ESMTP,

Message-ID is different. Time stamp is 21 seconds before the Postfix
one. System clocks not in synch?

> daemon=MTA, relay=[59.36.73.215]

Sendmail is relaying this to 59.36.73.215?

> Nov 24 10:10:43 mail MailScanner[15576]: MailScanner E-Mail Virus
> Scanner version 4.38.10 starting...
> Nov 24 10:10:43 mail MailScanner[15576]: Read 2 hostnames from the
> phishing whitelist
> Nov 24 10:10:43 mail MailScanner[15576]: Enabling SpamAssassin
> auto-whitelist functionality...
> Nov 24 10:10:43 mail MailScanner[15562]: New Batch: Scanning 1
> messages, 555 bytes
> Nov 24 10:10:43 mail MailScanner[15576]: Using locktype = flock
> Nov 24 10:10:45 mail MailScanner[15562]: Virus and Content Scanning:
> Starting
> Nov 24 10:10:46 mail MailScanner[15562]: Uninfected: Delivered 1
> messages
> Nov 24 10:10:46 mail sendmail[15594]: jAO2Agsd015575:
> to=<jason@newhonest.com>, ctladdr=<jason@newhonest.com> (500/500),
> delay=00:00:04, xdelay=00:00:00, mailer=local, pri=120031, dsn=2.0.0,
> stat=Sent
>
> The received email :
> Return-Path: <jason@newhonest.com>
> Received: from chinamail ([59.36.73.215])

Aha! That IP is the place where sendmail relayed to ...

> by mail.newhonest.com (8.12.11/8.12.11) with ESMTP id jAO2Agsd015575
> for <jason@newhonest.com>; Thu, 24 Nov 2005 10:10:42 +0800
> Date: Thu, 24 Nov 2005 10:10:42 +0800

Those timestamps are strange, even judged by the rest of this thread.
Postfix accepted your mail at 10:11:31, and this being submitted via
sendmail(1) means that the header timestamp would be that. This is not
what you sent from chinamail.

> From: jason@newhonest.com
> Message-Id: <200511240210.jAO2Agsd015575@mail.newhonest.com>
> X-MailScanner-Information: Please contact the ISP for more
> information
> X-MailScanner: Found to be clean
> X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin
> (score=3.225, required 5, AWL -1.30, BAYES_40 -1.10, MISSING_HEADERS
> 0.12, MISSING_SUBJECT 1.23, MSGID_FROM_MTA_ID 1.72, NO_REAL_NAME
> 0.01, RCVD_IN_SORBS_DUL 1.99, TRACKER_ID 0.56)
> X-MailScanner-From: jason@newhonest.com
>
> aaazzzaaazzzaaazzzaaazzzaaazzz

No evidence that this came through Postfix, as we all know by now.

> Case 2.
> After deleting the entry of jason@chinamail being mapped to
> jason@newhonest.com in generic in the intranet postfix machine (then
> postmap)
> email sent from the chinamail intranet postfix machine by
> echo "hello1" | mail -s test1 jason@newhonest.com

You have "echo hello1" and "-s test1" here. I think that is not copied
from the command line, right?

> Log of the intranet postfix machine
>
> Nov 24 10:11:31 chinamail postfix/local[29072]: AB35518437:
> to=<jason@chinamail>, relay=local, delay=0, status=sent (deliver

Aha, here's AB35518437, a local(8) delivery, with delivery status
information removed.

> Nov 24 10:11:31 chinamail postfix/qmgr[28726]: AB35518437: removed
> Nov 24 10:12:08 chinamail postfix/pickup[28725]: 72FDC18436: uid=1028
> from=<jason>

It took you 37 seconds to delete the generic(5) mapping and postmap(1)
the file? That is fast. If that is true, I am jealous. :)

> Nov 24 10:12:08 chinamail postfix/cleanup[29069]: 72FDC18436:
> message-id=<20051124021208.72FDC18436@chinamail>
> Nov 24 10:12:08 chinamail postfix/qmgr[28726]: 72FDC18436:
> from=<jason@chinamail>, size=276, nrcpt=1 (queue active)
> Nov 24 10:12:08 chinamail postfix/smtp[29174]: table
> hash:/etc/postfix/generic(0,100) has changed -- restarting

So it appears to be true. Good job.

> Nov 24 10:12:08 chinamail postfix/smtp[29222]: 72FDC18436:
> to=<jason@newhonest.com>, relay=mail.newhonest.com[202.85.165.133
> Nov 24 10:12:08 chinamail postfix/qmgr[28726]: 72FDC18436: removed
>
>
> Log of the receiving sendmail machine
>
> Nov 24 10:11:20 mail sendmail[15633]: jAO2BJfd015633:

Same 37-second time differential.

> from=<jason@chinamail>, size=267, class=0, nrcpts=1,
> msgid=<20051124021208.72FDC18436@chinamail>, proto=ESMTP, daemon=MTA,

That's the Postfix message-ID.

> relay=[59.36.73.215]
> Nov 24 10:11:20 mail MailScanner[15552]: New Batch: Scanning 1
> messages, 668 bytes
> Nov 24 10:11:21 mail MailScanner[15552]: Virus and Content Scanning:
> Starting
> Nov 24 10:11:21 mail MailScanner[15552]: Uninfected: Delivered 1
> messages
> Nov 24 10:11:21 mail sendmail[15646]: jAO2BJfd015633:
> to=<jason@newhonest.com>, delay=00:00:02, xdelay=00:00:00,
> mailer=local, pri=120267, dsn=2.0.0, stat=Sent
>
> The received email :
>
> Return-Path: <jason@chinamail>
> Received: from chinamail ([59.36.73.215])
> by mail.newhonest.com (8.12.11/8.12.11) with ESMTP id jAO2BJfd015633
> for <jason@newhonest.com>; Thu, 24 Nov 2005 10:11:19 +0800
> Received: by chinamail (Postfix, from userid 1028)
> id 72FDC18436; Thu, 24 Nov 2005 10:12:08 +0800 (CST)

And that is a Postfix Received header.

> To: jason@newhonest.com
> Subject: tes2

How would "-s test1" yield this Subject header?

> Message-Id: <20051124021208.72FDC18436@chinamail>
> Date: Thu, 24 Nov 2005 10:12:08 +0800 (CST)
> From: jason@chinamail
> X-MailScanner-Information: Please contact the ISP for more
> information
> X-MailScanner: Found to be clean
> X-MailScanner-SpamCheck: not spam, SpamAssassin (score=-1.089,
> required 5, BAYES_40 -1.10, NO_REAL_NAME 0.01)
> X-MailScanner-From: jason@chinamail
>
> hello2

But you echo'ed "hello1"?

Anyway, I think part of the answer might lie with your Postfix queue ID
AB35518437, but it really does appear that the funny stuff is happening
at the sendmail relay, mail.newhonest.com[202.85.165.133].
--
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header