Subject: Postfix abused as a relay?
To: None <netbsd-help@netbsd.org>
From: Richard Rauch <rkr@olib.org>
List: netbsd-help
Date: 01/27/2004 05:26:58
A few days ago, I mentioned that I saw some weird behavior in Postfix
that made it look like it was being abused to act as a relay.  The trick
seemed to be:

 Connect from real IP, "bad-guys.r.us", say (to invent one for concreteness).

 Send email to invalid user (nobody@olib.org, say).

 Tell Postfix that it came from someone else (nooneelse@somewhere.else)

Postfix should reject that at the RCPT TO:, shouldn't it?  There is no
such user.  Instead, it accepts the email, then decides that it can't
deliver it after all, and opens a new SMTP connection to send the bounce.
My understanding of SMTP is that it is legal to return an error code
at the RCPT TO: if there is no such user.  That is what I would most
prefer.

The present case appears to be a virus or worm.  I received two copies
to my real address, and about 35 to 40 to numerous bogus addresses at my
mail server.  The bogus ones bounced off to random places (except for
one that got trapped because the bounce-to address didn't resolve).
From the virus-writer's perspective, the bounce-to effect may be partly
to sow confusion, and partly to snare a few extra hits.  (I also received
one extra bogus-bounce claiming to be from my system; the form in which
it came back was mostly-dead, but a naive-but-determined user might take
the time to extract and run the program, presumably infecting themselves.)

(This virus or worm is new to me.  It's a .pif file wrapped in a .zip
archive.  The attachment is about 30K in size.  Given zip compression
efficacy, it may be that this is Sven born again.  I haven't installed
unzip to examine the archive to say if it expands to ~100K or not.)


Again, this seems like a viable way for spammers to send out spam.  Using
some random mail servers as springboards to "bounce" the messages to anyone
else in the Internet, the spammer would cause a lot more grief to their
springboards and slow down tracking the spam back to its source (one extra
hop, and possibly a much-abused hop if tons of people come back to complain).

I would *really* like to close Postfix to being used this way by
other systems.  As far as I know, I have done nothing to enable accepting
mail for non-existent users, and as far as I know, there is no reason not
to flag an error when RCPT TO: is bogus.

How can I do this?  Or can I?  (I'm using Postfix as shipped with NetBSD 1.6.)

As far as I remember SMTP, responsibility for the delivered mail is only
taken if one generates an "OK" (200? 250?) response to the "\r\n.\r\n"
end-of-DATA line.  Up to that point, the server is free to discard the
email with an error code at any time.


Below are some of the Postfix maillog lines.  The "anna" one is still in my
Postfix "deferred" queue last I checked.  The "netmagicians" is the bogus
bounce *to* me that I mentioned.  (Someone, I forget who since they did not
reply to me, suggested that I send a fragment of the maillog the next time
that this happens.  Please, as always, include me in the Cc: or To: lines
of any replies, as I do not subscribe to these lists.  I read them at
mail-index.netbsd.org.)

...note that 203.199.55.24 is not remote.com.  Nor are they orbitech.com.
Nor dce.dlsun685.us.oracle.com.  203.199.55.24 seems to be the source of all
~35 to ~40 of the emails that were pumped through my system to numerous
fake-bounce targets.  The source of the message bounced off of netmagicians
is unknown to me, as insufficient headers were provided.  (But as far as I
can tell, the first time my system touched that email was when netmagicians
(a.k.a. root@postmaster.akshay.co.in) sent it to me.)


 /~~~ maillog excerpt

Jan 27 00:17:31 prometheus postfix/smtp[7850]: 6CF4E71C9: to=<dce-ptgt@dce.dlsun685.us.oracle.com>, relay=none, delay=1, status=bounced (Name service error for dce.dlsun685.us.oracle.com: Host not found)
Jan 27 00:19:17 prometheus postfix/smtpd[7851]: connect from unknown[203.199.55.24]
Jan 27 00:19:18 prometheus postfix/smtpd[7851]: 7EBA671B0: client=unknown[203.199.55.24]
Jan 27 00:19:19 prometheus postfix/cleanup[7852]: 7EBA671B0: message-id=<20040127061918.7EBA671B0@prometheus.olib.org>
Jan 27 00:19:20 prometheus postfix/qmgr[282]: 7EBA671B0: from=<remote@remote.com>, size=31996, nrcpt=1 (queue active)
Jan 27 00:19:20 prometheus postfix/local[7853]: 7EBA671B0: to=<john@olib.org>, relay=local, delay=2, status=bounced (unknown user: "john")
Jan 27 00:19:20 prometheus postfix/cleanup[7852]: C492071E6: message-id=<20040127061920.C492071E6@prometheus.olib.org>
Jan 27 00:19:20 prometheus postfix/qmgr[282]: C492071E6: from=<>, size=33553, nrcpt=1 (queue active)
Jan 27 00:19:20 prometheus postfix/smtpd[7851]: disconnect from unknown[203.199.55.24]
Jan 27 00:19:34 prometheus postfix/smtp[7855]: C492071E6: to=<remote@remote.com>, relay=a.mailarmory.net[216.17.222.224], delay=14, status=sent (250 Ok: queued as 91749120B9B)
Jan 27 00:21:58 prometheus postfix/smtpd[7859]: connect from unknown[203.199.55.24]
Jan 27 00:21:58 prometheus postfix/smtpd[7859]: A651371B0: client=unknown[203.199.55.24]
Jan 27 00:21:59 prometheus postfix/cleanup[7860]: A651371B0: message-id=<20040127062158.A651371B0@prometheus.olib.org>
Jan 27 00:22:00 prometheus postfix/qmgr[282]: A651371B0: from=<jack@orbitech.com>, size=32002, nrcpt=1 (queue active)
Jan 27 00:22:00 prometheus postfix/local[7861]: A651371B0: to=<anna@olib.org>, relay=local, delay=2, status=bounced (unknown user: "anna")
Jan 27 00:22:00 prometheus postfix/cleanup[7860]: C875F71C9: message-id=<20040127062200.C875F71C9@prometheus.olib.org>
Jan 27 00:22:00 prometheus postfix/qmgr[282]: C875F71C9: from=<>, size=33559, nrcpt=1 (queue active)
Jan 27 00:22:00 prometheus postfix/smtpd[7859]: disconnect from unknown[203.199.55.24]
Jan 27 00:23:22 prometheus postfix/smtp[7863]: C875F71C9: to=<jack@orbitech.com>, relay=none, delay=82, status=deferred (Name service error for orbitech.com: Host not found, try again)
Jan 27 00:25:04 prometheus postfix/smtpd[7867]: connect from ns3.netmagicians.com[202.87.39.13]
Jan 27 00:25:05 prometheus postfix/smtpd[7867]: 022CB71B0: client=ns3.netmagicians.com[202.87.39.13]
Jan 27 00:25:20 prometheus postfix/cleanup[7868]: 022CB71B0: message-id=<20040127063749.17151.qmail@ns3.netmagicians.com>
Jan 27 00:25:53 prometheus postfix/qmgr[282]: 022CB71B0: from=<root@postmaster.akshay.co.in>, size=32509, nrcpt=1 (queue active)
Jan 27 00:25:53 prometheus postfix/local[7869]: 022CB71B0: to=<rkr@olib.org>, relay=local, delay=48, status=sent (mailbox)
Jan 27 00:25:57 prometheus postfix/smtpd[7867]: disconnect from ns3.netmagicians.com[202.87.39.13]
Jan 27 00:27:10 prometheus postfix/smtpd[7867]: connect from unknown[203.199.55.24]
Jan 27 00:27:11 prometheus postfix/smtpd[7867]: 3379471B0: client=unknown[203.199.55.24]

 \___ maillog excerpt
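The accept-then-bounce pattern described above can be picked out of a Postfix maillog mechanically: a message whose local delivery fails with "unknown user" is paired with the null-sender (from=<>) bounce that Postfix then sends to that message's envelope sender, and the client IP that injected the original is recorded. The following Python script is an added example written for this page, not code from the post or from the Postfix project; its sample input is the maillog excerpt quoted above, embedded as a constructed string, and the log format it parses is the one visible in those lines (connect/disconnect lines carry no queue ID and are skipped).

```python
"""Spot accept-then-bounce (backscatter) events in a Postfix maillog."""
import re
from collections import defaultdict

# Constructed sample input: the maillog lines quoted in the post above.
SAMPLE_LOG = """\
Jan 27 00:17:31 prometheus postfix/smtp[7850]: 6CF4E71C9: to=<dce-ptgt@dce.dlsun685.us.oracle.com>, relay=none, delay=1, status=bounced (Name service error for dce.dlsun685.us.oracle.com: Host not found)
Jan 27 00:19:17 prometheus postfix/smtpd[7851]: connect from unknown[203.199.55.24]
Jan 27 00:19:18 prometheus postfix/smtpd[7851]: 7EBA671B0: client=unknown[203.199.55.24]
Jan 27 00:19:19 prometheus postfix/cleanup[7852]: 7EBA671B0: message-id=<20040127061918.7EBA671B0@prometheus.olib.org>
Jan 27 00:19:20 prometheus postfix/qmgr[282]: 7EBA671B0: from=<remote@remote.com>, size=31996, nrcpt=1 (queue active)
Jan 27 00:19:20 prometheus postfix/local[7853]: 7EBA671B0: to=<john@olib.org>, relay=local, delay=2, status=bounced (unknown user: "john")
Jan 27 00:19:20 prometheus postfix/cleanup[7852]: C492071E6: message-id=<20040127061920.C492071E6@prometheus.olib.org>
Jan 27 00:19:20 prometheus postfix/qmgr[282]: C492071E6: from=<>, size=33553, nrcpt=1 (queue active)
Jan 27 00:19:20 prometheus postfix/smtpd[7851]: disconnect from unknown[203.199.55.24]
Jan 27 00:19:34 prometheus postfix/smtp[7855]: C492071E6: to=<remote@remote.com>, relay=a.mailarmory.net[216.17.222.224], delay=14, status=sent (250 Ok: queued as 91749120B9B)
Jan 27 00:21:58 prometheus postfix/smtpd[7859]: A651371B0: client=unknown[203.199.55.24]
Jan 27 00:22:00 prometheus postfix/qmgr[282]: A651371B0: from=<jack@orbitech.com>, size=32002, nrcpt=1 (queue active)
Jan 27 00:22:00 prometheus postfix/local[7861]: A651371B0: to=<anna@olib.org>, relay=local, delay=2, status=bounced (unknown user: "anna")
Jan 27 00:22:00 prometheus postfix/qmgr[282]: C875F71C9: from=<>, size=33559, nrcpt=1 (queue active)
Jan 27 00:23:22 prometheus postfix/smtp[7863]: C875F71C9: to=<jack@orbitech.com>, relay=none, delay=82, status=deferred (Name service error for orbitech.com: Host not found, try again)
Jan 27 00:25:05 prometheus postfix/smtpd[7867]: 022CB71B0: client=ns3.netmagicians.com[202.87.39.13]
Jan 27 00:25:53 prometheus postfix/qmgr[282]: 022CB71B0: from=<root@postmaster.akshay.co.in>, size=32509, nrcpt=1 (queue active)
Jan 27 00:25:53 prometheus postfix/local[7869]: 022CB71B0: to=<rkr@olib.org>, relay=local, delay=48, status=sent (mailbox)
"""

# Only lines that carry a queue ID ("7EBA671B0: ...") are of interest.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>\w+)\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): (?P<rest>.*)$')
CLIENT_RE = re.compile(r'client=(?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]')
FROM_RE = re.compile(r'from=<(?P<addr>[^>]*)>')
TO_RE = re.compile(
    r'to=<(?P<addr>[^>]*)>, relay=(?P<relay>\S+), delay=\d+, '
    r'status=(?P<status>\w+) \((?P<reason>.*)\)')


def parse_maillog(text):
    """Group log lines by queue ID into {qid: {client, sender, deliveries}}."""
    msgs = defaultdict(lambda: {"client": None, "sender": None, "deliveries": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connect/disconnect lines have no queue ID; skip them
        rec = msgs[m.group("qid")]
        rest = m.group("rest")
        c = CLIENT_RE.search(rest)
        if c:
            rec["client"] = c.group("ip")      # IP that injected the message
        f = FROM_RE.search(rest)
        if f:
            rec["sender"] = f.group("addr")    # envelope sender; "" means from=<>
        t = TO_RE.search(rest)
        if t:
            rec["deliveries"].append(t.groupdict())
    return msgs


def find_backscatter(msgs):
    """Pair each locally rejected message with the null-sender bounce Postfix
    generated for it, i.e. the from=<> message addressed to the rejected
    message's envelope sender and handed to a non-local relay."""
    rejected = [
        (qid, rec) for qid, rec in msgs.items()
        if any(d["relay"] == "local" and d["status"] == "bounced"
               and d["reason"].startswith("unknown user")
               for d in rec["deliveries"])
    ]
    bounces = {qid: rec for qid, rec in msgs.items() if rec["sender"] == ""}
    events = []
    for qid, rec in rejected:
        for bqid, brec in bounces.items():
            for d in brec["deliveries"]:
                if d["addr"] == rec["sender"] and d["relay"] != "local":
                    events.append({
                        "client_ip": rec["client"],
                        "forged_sender": rec["sender"],
                        "original": qid,
                        "bounce": bqid,
                        "bounce_status": d["status"],
                    })
    return events


def clients_by_rejections(events):
    """Count backscatter events per injecting client IP."""
    counts = defaultdict(int)
    for e in events:
        counts[e["client_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_backscatter(parse_maillog(SAMPLE_LOG))
    for e in found:
        print(e)
    print(clients_by_rejections(found))
```

On the sample it reports two events, both injected from 203.199.55.24: the bounce for the forged remote@remote.com was actually delivered outward via a.mailarmory.net, while the one for jack@orbitech.com sits deferred because the domain did not resolve. The legitimate delivery to rkr@olib.org from ns3.netmagicians.com is not flagged. The fix the post asks for (rejecting unknown local users at RCPT TO: rather than after DATA) is, outside the post's own text, what Postfix's `local_recipient_maps` parameter provides in releases that support it; once it is set, the "unknown user" rejection appears in smtpd's own log line for the session instead of as a separate local bounce, and the pairing above stops matching because no from=<> message is generated.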


-- 
  "I probably don't know what I'm talking about."  http://www.olib.org/~rkr/