tickets #123775

closed

Mailman: ups-7qw@dealsopinionrequestedpttpmluow.com

Added by pjessen about 1 year ago. Updated about 1 year ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Mailing lists
Target version: -
Start date: 2023-01-29
Due date:
% Done: 0%
Estimated time:

Description

On mailman3, at least since December 2022, the postfix queue has a number of mails from the project list to addresses such as:

They are queued because the domains do not resolve, so mx12 refuses to accept them. Not a big problem, they'll remain in the queue and eventually bounce.
The messages are

Your message to the openSUSE Project mailing-list was rejected for the following
reasons:

The message is not from a list member

The original message as received by Mailman is attached.

I was curious though, how does an unresolvable domain even get to send a mail to mailman? I took a look at a recent one "ups-7qw@dealsopinionrequestedpttpmluow.com" and there is no trace in the mail logs. (apart from deferred mail).

Actions #1

Updated by pjessen about 1 year ago

  • Private changed from Yes to No

It looks like they are indeed emails, but with no envelope sender:

2023-01-28T15:50:46.714033+00:00 mailman3 postfix/smtpd[4283]: connect from mx1.infra.opensuse.org[192.168.47.95]
2023-01-28T15:50:46.728956+00:00 mailman3 postfix/smtpd[4283]: B1DFD87D: client=mx1.infra.opensuse.org[192.168.47.95]
2023-01-28T15:50:46.730722+00:00 mailman3 postfix/cleanup[4284]: B1DFD87D: message-id=<XP88KxjnJGmiTPLp1HFm6zkXSig-jTPpOHMJOLmGVjsXUYJBDdPdiBx-cadf-4b64-ba5d-13abc51dd070-000000@.amazonses.com>
2023-01-28T15:50:46.735330+00:00 mailman3 postfix/smtpd[4283]: disconnect from mx1.infra.opensuse.org[192.168.47.95] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2023-01-28T15:50:46.735848+00:00 mailman3 postfix/qmgr[605]: B1DFD87D: from=<>, size=54328, nrcpt=1 (queue active)
2023-01-28T15:50:46.856890+00:00 mailman3 postfix/lmtp[4285]: B1DFD87D: to=<project@lists.opensuse.org>, relay=localhost[127.0.0.1]:8024, delay=0.14, delays=0.02/0.01/0.01/0.1, dsn=2.0.0, status=sent (250 Ok)
2023-01-28T15:50:46.857262+00:00 mailman3 postfix/qmgr[605]: B1DFD87D: removed
2023-01-28T15:50:48.062482+00:00 mailman3 postfix/smtpd[4283]: connect from localhost[127.0.0.1]
2023-01-28T15:50:48.089567+00:00 mailman3 postfix/smtpd[4283]: 15C5C87D: client=localhost[127.0.0.1]
2023-01-28T15:50:48.091894+00:00 mailman3 postfix/cleanup[4284]: 15C5C87D: message-id=<167492104720.11482.9685059075489170493@mailman3.infra.opensuse.org>
2023-01-28T15:50:48.106329+00:00 mailman3 postfix/smtpd[4283]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2023-01-28T15:50:48.106934+00:00 mailman3 postfix/qmgr[605]: 15C5C87D: from=<project-bounces@lists.opensuse.org>, size=56267, nrcpt=1 (queue active)
2023-01-28T15:50:48.170408+00:00 mailman3 postfix/smtp[4179]: 15C5C87D: to=<ups-7qw@dealsopinionrequestedpttpmluow.com>, relay=relay.infra.opensuse.org[192.168.47.4]:25, delay=0.08, delays=0.02/0.01/0/0.05, dsn=4.1.2, status=deferred (host relay.infra.opensuse.org[192.168.47.4] said: 450 4.1.2 <ups-7qw@dealsopinionrequestedpttpmluow.com>: Recipient address rejected: Domain not found (in reply to RCPT TO command))

While no envelope sender is perfectly legitimate, it is usually only used for NDRs (non delivery reports) and similar.

I wonder if it is worth doing much about and if so, what might we do?

Actions #2

Updated by pjessen about 1 year ago

pjessen wrote:

While no envelope sender is perfectly legitimate, it is usually only used for NDRs (non delivery reports) and similar.

I wonder if it is worth doing much about and if so, what might we do?

Anything being sent directly to a list address (instead of to a bounce address) really must have a proper envelope, I think. We already discard automated delivery delay messages from mx12, maybe we can do the same with these fakes?

Actions #3

Updated by cboltz about 1 year ago

pjessen wrote:

pjessen wrote:

While no envelope sender is perfectly legitimate, it is usually only used for NDRs (non delivery reports) and similar.

I wonder if it is worth doing much about and if so, what might we do?

Anything being sent directly to a list address (instead of to a bounce address) really must have a proper envelope, I think. We already discard automated delivery delay messages from mx12, maybe we can do the same with these fakes?

Agreed, sending with the bounce envelope to a list doesn't make sense, and rejecting that as <> is not subscribed is even more pointless.

As a short-term solution, I'd indeed discard these mails.

For a longer-term solution, maybe open a bug report upstream so that mailman ignores these mails itself. (I hope nobody seriously wants to use mailman to distribute <> mails ;-) - but then, what about admin-auto?)

Actions #4

Updated by pjessen about 1 year ago

cboltz wrote:

Agreed, sending with the bounce envelope to a list doesn't make sense, and rejecting that as <> is not subscribed is even more pointless.
As a short-term solution, I'd indeed discard these mails.

Thanks for the extra pair of eyes :-) I have set up a SpamAssassin rule to see if I can catch some of these, and it's already triggering.

header   __KK991       EnvelopeFrom =~ //
header   __KK992       To:addr =~ /-bounces\@lists.opensuse.org$/
meta     OSU_KK99      __KK991 && !__KK992
score    OSU_KK99      10
describe OSU_KK99      https://progress.opensuse.org/issues/123775

  • but then, what about admin-auto?)

Ah, nice catch - I think. Yes, we should probably exclude admin-auto from this rule.

header   __KK991       EnvelopeFrom =~ //
header   __KK992       To:addr =~ /-bounces\@lists.opensuse.org$/
header   __KK993       To:addr =~ /^admin-auto/
meta     OSU_KK99      __KK991 && !__KK992 && !__KK993
score    OSU_KK99      10
describe OSU_KK99      https://progress.opensuse.org/issues/123775
Actions #5

Updated by crameleon about 1 year ago

  • Subject changed from ups-7qw@dealsopinionrequestedpttpmluow.com to Mailman: ups-7qw@dealsopinionrequestedpttpmluow.com
  • Category set to Mailing lists
Actions #6

Updated by pjessen about 1 year ago

  • Category deleted (Mailing lists)

Better:

header   __KK991       EnvelopeFrom =~ /^$/
header   __KK992       To:addr =~ /\@lists.opensuse.org$/
header   __KK993       To:addr =~ /-bounces\@lists.opensuse.org$/
header   __KK994       To:addr =~ /^admin-auto/
meta     OSU_KK99      __KK991 && __KK992 && !__KK993 && !__KK994
score    OSU_KK99      10
describe OSU_KK99      https://progress.opensuse.org/issues/123775
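
The same condition can also be evaluated offline against the Postfix log, which shows what would match without rejecting anything. This is an added example, not part of the ticket: the function name, the VERP-style `-bounces+...` exemption and the sample log lines are assumptions constructed here.

```python
import re
from collections import defaultdict

LIST_DOMAIN = "lists.opensuse.org"
QID = r"postfix/\w+\[\d+\]: ([0-9A-Za-z]+): "
FROM_RE = re.compile(QID + r"from=<([^>]*)>")   # qmgr line: envelope sender
TO_RE = re.compile(QID + r"to=<([^>]*)>")       # lmtp/smtp line: recipient
# Recipients that may legitimately receive from=<> mail: bounce addresses
# (plain or VERP-style "-bounces+...", the latter an assumption) and admin-auto.
EXEMPT_RE = re.compile(r"-bounces(\+[^@]*)?@|^admin-auto", re.I)

# Constructed sample log lines (queue IDs and addresses are made up).
SAMPLE_LOG = """\
2023-01-28T15:50:46+00:00 mailman3 postfix/qmgr[605]: 0A000001: from=<>, size=54328, nrcpt=1 (queue active)
2023-01-28T15:50:46+00:00 mailman3 postfix/lmtp[4285]: 0A000001: to=<project@lists.opensuse.org>, relay=localhost[127.0.0.1]:8024, dsn=2.0.0, status=sent (250 Ok)
2023-01-28T15:51:00+00:00 mailman3 postfix/qmgr[605]: 0A000002: from=<>, size=2100, nrcpt=1 (queue active)
2023-01-28T15:51:00+00:00 mailman3 postfix/lmtp[4285]: 0A000002: to=<project-bounces@lists.opensuse.org>, relay=localhost[127.0.0.1]:8024, dsn=2.0.0, status=sent (250 Ok)
2023-01-28T15:52:00+00:00 mailman3 postfix/qmgr[605]: 0A000003: from=<>, size=2200, nrcpt=1 (queue active)
2023-01-28T15:52:00+00:00 mailman3 postfix/lmtp[4285]: 0A000003: to=<project-bounces+user=example.org@lists.opensuse.org>, relay=localhost[127.0.0.1]:8024, dsn=2.0.0, status=sent (250 Ok)
2023-01-28T15:53:00+00:00 mailman3 postfix/qmgr[605]: 0A000004: from=<>, size=900, nrcpt=1 (queue active)
2023-01-28T15:53:00+00:00 mailman3 postfix/lmtp[4285]: 0A000004: to=<admin-auto@lists.opensuse.org>, relay=localhost[127.0.0.1]:8024, dsn=2.0.0, status=sent (250 Ok)
2023-01-28T15:54:00+00:00 mailman3 postfix/qmgr[605]: 0A000005: from=<user@example.org>, size=4000, nrcpt=1 (queue active)
2023-01-28T15:54:00+00:00 mailman3 postfix/lmtp[4285]: 0A000005: to=<factory@lists.opensuse.org>, relay=localhost[127.0.0.1]:8024, dsn=2.0.0, status=sent (250 Ok)
2023-01-28T15:55:00+00:00 mailman3 postfix/qmgr[605]: 0A000006: from=<>, size=1500, nrcpt=1 (queue active)
2023-01-28T15:55:00+00:00 mailman3 postfix/smtp[4179]: 0A000006: to=<someone@example.net>, relay=relay.example.net[192.0.2.4]:25, dsn=2.0.0, status=sent (250 Ok)
"""

def null_sender_list_posts(log_text):
    """Return sorted (queue_id, recipient) pairs: from=<> mail addressed to a list."""
    sender, rcpts = {}, defaultdict(set)
    for line in log_text.splitlines():
        # Correlate sender and recipient lines through the Postfix queue ID.
        if m := FROM_RE.search(line):
            sender[m.group(1)] = m.group(2)
        elif m := TO_RE.search(line):
            rcpts[m.group(1)].add(m.group(2).lower())
    return sorted(
        (qid, rcpt)
        for qid, frm in sender.items() if frm == ""   # null envelope sender only
        for rcpt in rcpts[qid]
        if rcpt.endswith("@" + LIST_DOMAIN) and not EXEMPT_RE.search(rcpt)
    )
```
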
Actions #7

Updated by pjessen about 1 year ago

  • Category set to Mailing lists
  • Assignee set to pjessen
  • % Done changed from 0 to 50
Actions #8

Updated by pjessen about 1 year ago

There are currently 66 such emails in the queue on mailman3. Of these, 16 arrived yesterday which is clearly Not Good (R).

Actions #9

Updated by pjessen about 1 year ago

pjessen wrote:

There are currently 66 such emails in the queue on mailman3. Of these, 16 arrived yesterday which is clearly Not Good (R).

Unfortunately, due to the way our SpamAssassin is implemented, there is no way of telling if the rule hit anything that was not rejected. When a mail is not rejected, there is no log entry. IOW, it is not possible to tell if the rule is hitting anything innocent. I'm going to adjust the score to 10 and see if we're hitting anything innocent.

Actions #10

Updated by pjessen about 1 year ago

I think this was a false positive:

2023-01-31T09:16:04.402244+00:00 mx1 postfix/cleanup[22959]: CCC118BF: reject: header X-Spam-Status: Yes, score=10.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,??DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,??MIME_HTML_ONLY,OSU_KK99,RCVD_IN_DNSWL_NONE,RCVD_IN_ZEN_BLOCK from mail-pl1-x643.google.com[2607:f8b0:4864:20::643]; from=<SRS0=zvm8=54=gmail.com=fentonyjl36@opensuse.org> to=<obs-commits@lists.opensuse.org> proto=ESMTP helo=<mail-pl1-x643.google.com>: 5.7.1 Spam identified (10.6/5.0)
Actions #11

Updated by pjessen about 1 year ago

Hmm. "fentonyjl36@gmail.com" is not a member of the obs-commits list nor a non-member. I.e. has never posted to that list. I think the message-id was '508753879.49076.1675156591759@localhost.localdomain' which is also highly dodgy or at least evidence of a poorly configured MUA/MTA. However, the log shows no evidence of a from=<> which I think there ought to be. Continuing to monitor.

Actions #12

Updated by pjessen about 1 year ago

  • Assignee deleted (pjessen)
  • % Done changed from 50 to 0

Yesterday's hits:

2023-01-31T09:16:04.402244+00:00 mx1 postfix/cleanup[22959]: CCC118BF: reject: header X-Spam-Status: Yes, score=10.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,??DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,??MIME_HTML_ONLY,OSU_KK99,RCVD_IN_DNSWL_NONE,RCVD_IN_ZEN_BLOCK from mail-pl1-x643.google.com[2607:f8b0:4864:20::643]; from=<SRS0=zvm8=54=gmail.com=fentonyjl36@opensuse.org> to=<obs-commits@lists.opensuse.org> proto=ESMTP helo=<mail-pl1-x643.google.com>: 5.7.1 Spam identified (10.6/5.0)

2023-01-31T10:40:05.585281+00:00 mx1 postfix/cleanup[352]: 6B3678C5: reject: header X-Spam-Status: Yes, score=12.4 required=5.0 tests=BITCOIN_DEADLINE,??BITCOIN_SPAM_07,BITCOIN_YOUR_INFO,HTML_MESSAGE,MIME_HTML_ONLY,??NO_FM_NAME_IP_HOSTN,OSU_KK99,PDS_BTC_ID,RCVD_IN_BL_SPAMCOP_NET,??RC from unknown[141.98.10.22]; from=<SRS0=mUQ/=54=lists.opensuse.org=factory@opensuse.org> to=<factory@lists.opensuse.org> proto=ESMTP helo=<[141.98.10.22]>: 5.7.1 Spam identified (12.4/5.0)

2023-01-31T17:42:01.437108+00:00 mx1 postfix/cleanup[15855]: 87BAAA70: reject: header X-Spam-Status: Yes, score=10.8 required=5.0 tests=DIGEST_MULTIPLE,HTML_MESSAGE,??MIME_HTML_ONLY,OSU_KK99,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,??RAZOR2_CHECK,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_VALIDITY_RPBL,R from unknown[60.208.107.114]; from=<SRS0=Gsq7=54=bcbook.cn=5hdxcw@opensuse.org> to=<selinux@lists.opensuse.org> proto=ESMTP helo=<mail.bcbook.cn>: 5.7.1 Spam identified (10.8/5.0)

2023-01-31T20:11:09.253268+00:00 mx2 postfix/cleanup[27698]: 62D1D1A0B: reject: header X-Spam-Status: Yes, score=12.8 required=5.0 tests=DKIM_ADSP_ALL,DKIM_INVALID,??DKIM_SIGNED,DMARC_REJECT,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,??MIME_HTML_ONLY,MISSING_MIME_HB_SEP,OSU_KK99,RCVD_IN_BL_SPA from rdns0.politecnicasedili-it.com[185.174.102.171]; from=<SRS0=Yo+3=54=politecnicasedili-it.com=sharepoint@opensuse.org> to=<project@lists.opensuse.org> proto=ESMTP helo=<rdns0.politecnicasedili-it.com>: 5.7.1 Spam identified (12.8/5.0)

2023-01-31T20:33:57.689484+00:00 mx2 postfix/cleanup[30398]: 8C4DF1EB: reject: header X-Spam-Status: Yes, score=5.0 required=5.0 tests=DMARC_NONE,FREEMAIL_FROM,??NICE_REPLY_A,OSU_KK99,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,??URIBL_ZEN_BLOCKED_OPENDNS autolearn=disabled version=3.4.5 from relayout04-q01.e.movistar.es[86.109.101.171]; from=<SRS0=N21O=54=telefonica.net=robin.listas@opensuse.org> to=<users@lists.opensuse.org> proto=ESMTP helo=<relayout04-q01.e.movistar.es>: 5.7.1 Spam identified (5.0/5.0)

2023-01-31T21:28:01.903498+00:00 mx2 postfix/cleanup[4197]: 5CE8D6E9: reject: header X-Spam-Status: Yes, score=7.7 required=5.0 tests=FROM_EXCESS_BASE64,??HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_HTML_ONLY,OSU_KK99,??RCVD_IN_DNSWL_HI,RCVD_IN_VALIDITY_RPBL,RDNS_NONE,SPF_HELO_NONE,??URIBL_ from unknown[223.27.50.213]; from=<SRS0=5pyb=54=green.pumo.com.tw=mark0308@opensuse.org> to=<translation-commit@lists.opensuse.org> proto=ESMTP helo=<mg2.dns168.com.tw>: 5.7.1 Spam identified (7.7/5.0)

2023-01-31T22:13:55.152054+00:00 mx2 postfix/cleanup[9265]: A5F756E9: reject: header X-Spam-Status: Yes, score=22.0 required=5.0 tests=DIGEST_MULTIPLE,HTML_MESSAGE,??MIME_HTML_ONLY,OSU_KK99,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,??RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_BLOCKED, from unknown[222.240.200.130]; from=<SRS0=oc+N=54=cmie.cn=yangchenwei@opensuse.org> to=<xfce@lists.opensuse.org> proto=ESMTP helo=<mail.cmie.cn>: 5.7.1 Spam identified (22.0/5.0)

2023-01-31T22:48:02.826367+00:00 mx2 postfix/cleanup[13506]: 621536E9: reject: header X-Spam-Status: Yes, score=11.0 required=5.0 tests=DIGEST_MULTIPLE,HTML_MESSAGE,??MIME_HTML_ONLY,OSU_KK99,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,??RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_HI,??RCV from unknown[222.240.200.130]; from=<SRS0=oc+N=54=cmie.cn=yangchenwei@opensuse.org> to=<opensuse-project-request@lists.opensuse.org> proto=ESMTP helo=<mail.cmie.cn>: 5.7.1 Spam identified (11.0/5.0)

There are some more hits between midnight and now and I am fairly certain I see some false positives. That really should not be possible with:

header   __KK991       EnvelopeFrom =~ /^$/

Well, I should have taken my own advice not to try to optimize our SpamAssassin setup. I have removed that rule.

Actions #13

Updated by pjessen about 1 year ago

  • Status changed from New to Rejected