Problem (Potential bug ??) With Spamblocker3

tdldp

Hi Jeff and all of the DA community...

I have a problem which could be a potential bug that I cannot explain...

I have a client who is experiencing system error return messages due to unknown users or to deferrals due to policy infringement at Yahoo and nate.com.

Let me show you the logs:
Here is the log for Yahoo...

2008-02-13 10:35:18 1JNluV-0006K2-UE SMTP error from remote mail server after initial connection: host mx3b.mail.yahoo.co.kr [202.165.108.248]: 421 4.7.0 [TS01] Messages from 87.252.2.45 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
2008-02-13 10:35:18 1JNluV-0006K2-UE == [email protected] R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host mx3b.mail.yahoo.co.kr [202.165.108.248]: 421 4.7.0 [TS01] Messages from 87.252.2.45 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
2008-02-13 10:35:18 1JNluV-0006K2-UE SMTP error from remote mail server after initial connection: host mx3a.mail.yahoo.co.kr [202.165.108.248]: 421 4.7.0 [TS01] Messages from 87.252.2.45 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
2008-02-13 10:35:18 1JNluV-0006K2-UE == [email protected] R=lookuphost T=remote_smtp defer (0): SMTP error from remote mail server after initial connection: host mx3a.mail.yahoo.co.kr [202.165.108.248]: 421 4.7.0 [TS01] Messages from 87.252.2.45 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html
2008-02-13 10:35:18 1JNluV-0006K2-UE ** [email protected]: retry timeout exceeded
2008-02-13 10:35:18 1JNluV-0006K2-UE Completed
2008-02-13 10:35:18 1JPE1O-0007Fu-PB <= <> R=1JNluV-0006K2-UE U=mail P=local S=6893 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2008-02-13 10:35:18 1JPE1O-0007Fu-PB => admin <[email protected]> F=<> R=virtual_user T=virtual_localdelivery S=6993
2008-02-13 10:35:18 1JPE1O-0007Fu-PB Completed

And for nate.com:

2008-02-13 10:27:48 1JPDu8-000717-Io <= [email protected] H=(nlueuph.net) [211.208.187.130] P=smtp S=1067 T="¢º±ÝÀ¶±Ç´ë~Ãâ(³â7.5~12%)49595" from <[email protected]> for [email protected]
2008-02-13 10:27:50 1JPDu8-000717-Io ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host smtp.nate.com [203.226.255.61]: 541 5.6.0 Your message was rejected by PATTERN FILTER
2008-02-13 10:27:50 1JPDuA-00071I-RI <= <> R=1JPDu8-000717-Io U=mail P=local S=2005 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2008-02-13 10:27:50 1JPDu8-000717-Io Completed
2008-02-13 10:27:50 1JPDuA-00071I-RI => info <[email protected]> F=<> R=virtual_user T=virtual_localdelivery S=2104
2008-02-13 10:27:50 1JPDuA-00071I-RI Completed


The problem is the following:
Account [email protected] doesn't exist on our servers... But apparently there seems to be activity on this email address...

Account [email protected] exists but has its password changed every 2 days... The latest, set this morning, is 13 alphanumeric characters long... It is technically impossible that this password could get hacked in less than 5 minutes...

Where is the problem...
What ACL should I use to block these mails being sent from our servers???
(I've checked the RBL status, and the server IP still seems to be clean... It is only considered a problem by Yahoo's filtering system.)


Edit: I've tested adding the domains and the sender email [email protected] to the blacklisted senders, and this doesn't solve anything...
The user has received 549 system error messages that he shouldn't have to receive...
This is very weird...
Thanks for an urgent response

Tdldp
 
To complete this... I tested mail relay tools...

Weirdly, it accepts mail sent for relay... this would mean this server acts as an open relay server...

So there is a real problem....

Here are the relay-related parts of exim.conf:

Code:
domainlist relay_domains = lsearch;/etc/virtual/domains : localhost
domainlist use_rbl_domains = lsearch;/etc/virtual/use_rbl_domains
hostlist auth_relay_hosts = lsearch;/etc/virtual/auth_relay
#hostlist auth_relay_hosts = *
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1

# accept if address is in a local domain as long as recipient can be verified
accept  domains = +local_domains
        endpass
        message = "Unknown User"
        verify = recipient

# accept if address is in a domain for which we relay as long as recipient
# can be verified
accept  domains = +relay_domains
        endpass
        verify = recipient

# accept if message comes for a host for which we are an outgoing relay
# recipient verification is omitted because many MUA clients don't cope
# well with SMTP error responses. If you are actually relaying from MTAs
# then you should probably add recipient verify here
accept  hosts = +relay_hosts

accept  hosts = +auth_relay_hosts
        endpass
        message = authentication required
        authenticated = *


What must I configure to shut down this open relay thing...
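The open-relay symptom visible in the nate.com lines of the first post (a "<=" arrival line with P=smtp from a remote host, no A= authenticator field, and a recipient at a foreign domain) can be picked out of the Exim mainlog mechanically. The Python below is an added example, not code from this thread or from DirectAdmin; the log lines, hosts and addresses in it are constructed, and LOCAL_DOMAINS and RELAY_HOSTS are assumed values standing in for the contents of /etc/virtual/domains and /etc/virtual/pophosts.

```python
import re

# Assumptions for this example: the domains this server hosts and the hosts
# allowed to relay without authenticating (adjust to your /etc/virtual files).
LOCAL_DOMAINS = {"client.example"}
RELAY_HOSTS = {"127.0.0.1"}

# Constructed sample lines modelled on the Exim mainlog entries quoted in this
# thread (hosts, addresses and subjects are made up).
SAMPLE_LOG = """\
2008-02-13 10:27:48 1JPDu8-000717-Io <= spammer@example.net H=(nlueuph.net) [211.208.187.130] P=smtp S=1067 T="offer" from <spammer@example.net> for victim@nate.com
2008-02-13 10:27:50 1JPDu8-000717-Io ** victim@nate.com F=<spammer@example.net> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: host smtp.nate.com [203.0.113.61]: 541 5.6.0 Your message was rejected by PATTERN FILTER
2008-02-13 10:30:00 1JPDuB-00071J-AA <= user@client.example H=dsl-4.isp.example [198.51.100.4] P=esmtpa A=login:user@client.example S=2000 T="hello" from <user@client.example> for partner@remote.example
2008-02-13 10:31:00 1JPDuC-00071K-BB <= info@client.example H=(mail) [203.0.113.9] P=esmtp S=900 T="looking for you" from <info@client.example> for someone@yahoo.co.kr
2008-02-13 10:32:00 1JPDuD-00071L-CC <= outside@other.example H=mx.other.example [192.0.2.7] P=esmtp S=1200 T="invoice" from <outside@other.example> for info@client.example
2008-02-13 10:35:18 1JPDuD-00071L-CC => info <info@client.example> F=<outside@other.example> R=virtual_user T=virtual_localdelivery S=1300
"""

# Arrival ("<=") lines: the greedy ".*" means a subject containing " for " does
# not truncate the field block; recipients are everything after the last " for ".
ARRIVAL = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<fields>.*) for (?P<rcpts>.+)$")
FIELD = re.compile(r"(?:^| )(?P<key>[HPA])=(?P<val>\S+)")   # H=host, P=protocol, A=authenticator
HOST_IP = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")

def domain_of(addr: str) -> str:
    """Domain of an address; splits on the last '@' so "a@b"@c yields c."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def find_unauthenticated_relays(log_text: str) -> list:
    """Return (msg_id, ip, protocol, sender, remote_recipients) for messages
    accepted from an untrusted remote host without SMTP AUTH and addressed to
    at least one non-local domain: the open-relay symptom this thread describes."""
    hits = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue                                    # not an arrival line
        fields = dict(FIELD.findall(m["fields"]))
        proto = fields.get("P", "")
        if proto == "local" or "A" in fields:
            continue                                    # locally generated or authenticated
        ip_m = HOST_IP.search(m["fields"])
        ip = ip_m["ip"] if ip_m else ""
        if ip in RELAY_HOSTS:
            continue                                    # explicitly trusted relay host
        remote = tuple(r for r in m["rcpts"].split() if domain_of(r) not in LOCAL_DOMAINS)
        if remote:
            hits.append((m["id"], ip, proto, m["sender"], remote))
    return hits
```

Running find_unauthenticated_relays over a real mainlog and grouping the hits by IP shows which remote hosts are using the server as a relay and whether they arrive via plain smtp or esmtp, which is the first thing to check before touching the ACLs.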
 
If you whitelist any domain on your server, or any sender with an address on your server, anyone spoofing your address (or any address on that domain) can relay through your server. Don't whitelist either your own hosted domains or your own server.

If you whitelist your hostname, your IP# or any hostname which resolves to any IP# on your server, then anyone can relay through your server.

If none of these are true, then you'll have to look for an open or hackable script allowing spam to be sent from your server, or a user on your server doing the spamming.

Good Luck.

Jeff
 
Follow up

Hi Jeff....

So indeed, I have this domain added to the whitelist domains...
The reason for this: my user gets his mail blocked when he sends mail with other colleagues in copy...
In France, Wanadoo (Orange) is not a reliable ISP and often has its dynamic IPs get listed... And on top of this, our clients often land on these IPs...

As a result they can't send messages to their internal domains, as they get automatically stopped...

What I am wondering about this problem is that whitelist_domains, which is the file I use to cope with the Wanadoo problem, is normally only used on recipient verify.... Why is it applying to the sender ACLs???

Second question: which ACL can I use, or do you have hints on a suitable ACL, that will force all mail transiting via our servers to be first identified as coming from authenticated users only, or will allow relayed mail from servers with IPs specifically identified in the file whitelist_ip???
 
If you whitelist, you go around all the authentication. Don't whitelist domains/addresses on your servers if you don't want an open relay.

You can't really have both.

Jeff
 
Problem

Thanks Jeff for your answer, yet in this case I have a major problem...
80% of my clients potentially can't send email to their colleagues, and to certain of their own clients who happen to be hosted on our servers...

My question is therefore the following:

Users use port 587 for authenticated SMTP mail sending...
Login/password must be given on this port...

How can I bypass all security settings on our server for an identified client sending his emails, and ensure I do not get 'relay not permitted' or other refusal messages (block list and others) for our "identified clients"...

Yours..

Tdldp
 
Continuing problems...

Hi Jeff,

Still big problems with Exim....

Since these spam problems I've changed the rules on whitelist domains/senders, removing local domains from the whitelists...

For authenticated users I've added the following rule, just before the '550: Relay not permitted' in the final block rules...

Code:
accept  authenticated = *
        control       = submission

################################
# FINAL DENY EMAIL BEGINS HERE #
################################

# default at end of acl causes a "deny", but line below will give
# an explicit error message:
  deny    message = relay not permitted, Aucune autorisation de relay

# ACL that is used after the DATA command
check_message:

Since then, I get this strange error:
The email address gets an @venus.cardiff.fr appended, and most of all the original email address is quoted.
In the example below, you can see the original email address: [email protected]
and the modified from: "[email protected]"@venus.cardiff.fr

Code:
2008-02-25 10:18:05 1JTZTH-0001Ee-7c <= "[email protected]"@venus.cardiff.fr H=anantes-252-1-28-45.w82-126.abo.wanadoo.fr (Carserve) [82.126.83.45] P=esmtpa A=login:[email protected] S=116146 id=003701c8778f$0c39c380$c8c809c0@Carserve T="TR: OFFRE KIA SPORTAGE" from <[email protected]> for [email protected]
2008-02-25 10:18:05 1JTZTH-0001Ee-7c ** [email protected] F=<"[email protected]"@venus.cardiff.fr> R=lookuphost T=remote_smtp: SMTP error from remote mail server after MAIL FROM:<"[email protected]"@venus.cardiff.fr> SIZE=119388: host av.mgp.neufgp.fr [84.96.92.100]: 550 5.1.0 <"[email protected]"@venus.cardiff.fr> sender rejected
2008-02-25 10:18:05 1JTZTJ-0001Eh-B0 <= <> R=1JTZTH-0001Ee-7c U=mail P=local S=108550 T="Mail delivery failed: returning message to sender" from <> for "[email protected]"@venus.cardiff.fr
2008-02-25 10:18:05 1JTZTJ-0001Eh-B0 ** [email protected]@venus.cardiff.fr <"[email protected]"@venus.cardiff.fr> F=<>: Unrouteable address
2008-02-25 10:18:05 1JTZTJ-0001Eh-B0 Frozen (delivery error message)
2008-02-25 10:18:05 1JTZTH-0001Ee-7c Completed

How do I solve this new one???

EDITED: it seems to come from the rule:
accept authenticated = *
control = submission

which adds an @server footer...
The question is: how do I solve this so that it doesn't add the @server postfix, and if that's not possible, how do I activate rules that will allow port 587 authenticated local_domains users to send mail without prior controls...

Thanks...
 
How can I bypass all security settings on our server for an identified client sending his emails, and ensure I do not get 'relay not permitted' or other refusal messages (block list and others) for our "identified clients"...
Our exim.conf files accept authenticated users early in the ACLs; if you're having a problem and have not modified exim.conf, and if you're sure your user's ISP isn't blocking your server, then try using the exim -bh command (see man exim) to see how exim is reacting to the user's attempt to send email.
it seems to come from rule :
accept authenticated = *
control = submission
I don't know, because I don't know anything about that control line; it's not in any of our exim.conf files. I don't know what it does.

Jeff
 