Project

General

Profile

tickets #123775

Mailman: ups-7qw@dealsopinionrequestedpttpmluow.com

Added by pjessen 2 months ago. Updated about 2 months ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Mailing lists
Target version:
-
Start date:
2023-01-29
Due date:
% Done:

0%

Estimated time:

Description

On mailman3, at least since December 2022, the postfix queue has a number of mails from the project list to addresses such as:

ace-kng@acehardwareopinionrequestedulhfkbmoc.com
ace-nlq@acehardwareopinionrequestedsllxokrbe.com
ace-ux1@acehardwareopinionrequestedphybtqxkf.com
airlines-5nb@airlinesopinionrequestedhecdcyfke.com
airlines-wrb@airlinesopinionrequestedhcmkknqkb.com
camera-khn@cameravideosurveillancebammzfhzo.com
camera-vra@cameravideosurveillancezjkuiflvm.com
camera-yzl@cameravideosurveillanceuwogypnte.com
chainsaw-uaf@minichainsawminisawtacrightxfqelyixv.com
chainsaw-xwd@minichainsawminisawtacrightkwdwcmtnq.com
comcast-rpx@comcastopinionrequestedxldbgdmli.com
cstc-loj@newscostcoshopperopportunityqdypkespo.com
cstc-o5l@shoppergiftopportunitynghjrayai.com
fungus-lw8@healthynailsfunguseliminatorruudmimhm.com
fungus-rgq@healthynailsfunguseliminatorickzwoirk.com
gift-0qm@sweepstakesalertwalmartjuyqrcwio.com
heater-azl@miniheatingbillwinterbsabcfkyf.com
info-11t@untdstatdropromuniflamtionsjebzlucy.com
info-2tr@untdstatdropromuniflamtionhucpiadbq.com
info-4ji@untdstatdropromuniflamtionqeoucwaxf.com
info-4mg@untdstatdropromuniflamtionitbqyxdop.com
info-4um@untdstatdropromuniflamtionctdutmsfc.com
info-8la@untdstatdropromuniflamtionqvhgizwfh.com
info-9ld@untdstatdropromuniflamtionwiysjnisa.com
info-bqp@untdstatdropromuniflamtionzhgwghlnv.com
info-d0i@untdstatdropromuniflamtioniepjoakap.com
info-dar@untdstatdropromuniflamtionbnwdaejfc.com
info-fpz@untdstatdropromuniflamtioncxlrzdftb.com
info-g8c@untdstatdropromuniflamtionrtefnhvvs.com
info-hb8@untdstatdropromuniflamtionngunxcuud.com
info-ifi@untdstatdropromuniflamtionwjfpstwkq.com
info-ktp@untdstatdropromuniflamtioneeukfnupx.com
info-kwp@untdstatdropromuniflamtionisrdtlgat.com
info-n3m@untdstatdropromuniflamtionxhgwfthhf.com
info-ril@untdstatdropromuniflamtioneazoxqjwa.com
info-tkx@untdstatdropromuniflamtioncbgksxsas.com
info-ul5@untdstatdropromuniflamtionckejqthuv.com
info-unm@untdstatdropromuniflamtionhtabvxtbz.com
info-uqe@untdstatdropromuniflamtionbbtgibvij.com
info-xcm@untdstatdropromuniflamtionbbcbbycet.com
info-xwu@untdstatdropromuniflamtioneolgthvjd.com
info-ysm@untdstatdropromuniflamtionytmuxgtup.com
novawave-wtk@cablenovawavepartnersbbdywvbf.com
pain-r3u@quantumtechnologypainkillersmaqsaikfi.com
pain-tdo@quantumtechnologypainkillersznbqibbzl.com
pain-zaz@quantumtechnologypainkillersxsbzdajah.com
samples-qey@samplesandsweepstakessygeryqls.com
southwest-tmf@southwestairlinesopinionrequestedqbftwvbnl.com
sporting-jnj@dickssportinggoodsopinionrequestedsiwvxhwto.com
sweeps-pwg@sweepstakesbossplatinumgrilljrenofgcj.com
sweeps-so2@milwaukeepowerdrillsweepsentrymqgvqbqfn.com
sweeps-wtf@milwaukeepowerdrillsweepsentryaovgqdwdf.com
ups-7qw@dealsopinionrequestedpttpmluow.com
ups-xrg@dealsopinionrequestedgfdceroxm.com

They are queued because the domains do not resolve, so mx12 refuses to accept them. Not a big problem, they'll remain in the queue and eventually bounce.
The messages are 

Your message to the openSUSE Project mailing-list was rejected for the following
reasons:

The message is not from a list member

The original message as received by Mailman is attached.

I was curious though, how does an unresolvable domain even get to send a mail to mailman? I took a look at a recent one "ups-7qw@dealsopinionrequestedpttpmluow.com" and there is no trace in the mail logs. (apart from deferred mail).

History

#1 Updated by pjessen 2 months ago

  • Private changed from Yes to No

It looks like they are indeed emails, but with no envelope sender:

2023-01-28T15:50:46.714033+00:00 mailman3 postfix/smtpd[4283]: connect from mx1.infra.opensuse.org[192.168.47.95]
2023-01-28T15:50:46.728956+00:00 mailman3 postfix/smtpd[4283]: B1DFD87D: client=mx1.infra.opensuse.org[192.168.47.95]
2023-01-28T15:50:46.730722+00:00 mailman3 postfix/cleanup[4284]: B1DFD87D: message-id=<XP88KxjnJGmiTPLp1HFm6zkXSig-jTPpOHMJOLmGVjsXUYJBDdPdiBx-cadf-4b64-ba5d
-13abc51dd070-000000@.amazonses.com>
2023-01-28T15:50:46.735330+00:00 mailman3 postfix/smtpd[4283]: disconnect from mx1.infra.opensuse.org[192.168.47.95] ehlo=1 mail=1 rcpt=1 data=1 quit=1 comma
nds=5
2023-01-28T15:50:46.735848+00:00 mailman3 postfix/qmgr[605]: B1DFD87D: from=<>, size=54328, nrcpt=1 (queue active)
2023-01-28T15:50:46.856890+00:00 mailman3 postfix/lmtp[4285]: B1DFD87D: to=<project@lists.opensuse.org>, relay=localhost[127.0.0.1]:8024, delay=0.14, delays=
0.02/0.01/0.01/0.1, dsn=2.0.0, status=sent (250 Ok)
2023-01-28T15:50:46.857262+00:00 mailman3 postfix/qmgr[605]: B1DFD87D: removed
2023-01-28T15:50:48.062482+00:00 mailman3 postfix/smtpd[4283]: connect from localhost[127.0.0.1]
2023-01-28T15:50:48.089567+00:00 mailman3 postfix/smtpd[4283]: 15C5C87D: client=localhost[127.0.0.1]
2023-01-28T15:50:48.091894+00:00 mailman3 postfix/cleanup[4284]: 15C5C87D: message-id=<167492104720.11482.9685059075489170493@mailman3.infra.opensuse.org>
2023-01-28T15:50:48.106329+00:00 mailman3 postfix/smtpd[4283]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2023-01-28T15:50:48.106934+00:00 mailman3 postfix/qmgr[605]: 15C5C87D: from=<project-bounces@lists.opensuse.org>, size=56267, nrcpt=1 (queue active)
2023-01-28T15:50:48.170408+00:00 mailman3 postfix/smtp[4179]: 15C5C87D: to=<ups-7qw@dealsopinionrequestedpttpmluow.com>, relay=relay.infra.opensuse.org[192.168.47.4]:25, delay=0.08, delays=0.02/0.01/0/0.05, dsn=4.1.2, status=deferred (host relay.infra.opensuse.org[192.168.47.4] said: 450 4.1.2 <ups-7qw@dealsopinionrequestedpttpmluow.com>: Recipient address rejected: Domain not found (in reply to RCPT TO command))

While no envelope sender is perfectly legitimate, it is usually only used for NDRs (non delivery reports) and similar.

I wonder if it is worth doing much about and if so, what might we do?

#2 Updated by pjessen 2 months ago

pjessen wrote:

While no envelope sender is perfectly legitimate, it is usually only used for NDRs (non delivery reports) and similar.

I wonder if it is worth doing much about and if so, what might we do?

Anything being sent directly to a list address (instead of to a bounce address) really must have a proper envelope, I think. We already discard automated delivery delay messages from mx12, maybe we can do the same with these fakes?

#3 Updated by cboltz 2 months ago

pjessen wrote:

pjessen wrote:

While no envelope sender is perfectly legitimate, it is usually only used for NDRs (non delivery reports) and similar.

I wonder if it is worth doing much about and if so, what might we do?

Anything being sent directly to a list address (instead of to a bounce address) really must have a proper envelope, I think. We already discard automated delivery delay messages from mx12, maybe we can do the same with these fakes?

Agreed, sending with the bounce envelope to a list doesn't make sense, and rejecting that as <> is not subscribed is even more pointless.

As a short-term solution, I'd indeed discard these mails.

For a longer-term solution, maybe open a bugreport upstream so that mailman ignores these mails itsself. (I hope nobody seriously wants to use mailman to distribute <> mails ;-) - but then, what about admin-auto?)

#4 Updated by pjessen 2 months ago

cboltz wrote:

Agreed, sending with the bounce envelope to a list doesn't make sense, and rejecting that as <> is not subscribed is even more pointless.
As a short-term solution, I'd indeed discard these mails.

Thanks for the extra pair of eyes :-) I have set up a SpamAssassin rule to see if I can catch some of these, and it's already triggering. 

header   __KK991       EnvelopeFrom =~ //
header   __KK992       To:addr =~ /-bounces\@lists.opensuse.org$/
meta     OSU_KK99      __KK991 && !__KK992
score    OSU_KK99      10
describe OSU_KK99      https://progress.opensuse.org/issues/123775
  • but then, what about admin-auto?)

Ah, nice catch - I think. Yes, we should probably exclude admin-auto from this rule. 

header   __KK991       EnvelopeFrom =~ //
header   __KK992       To:addr =~ /-bounces\@lists.opensuse.org$/
header   __KK993       To:addr =~ /^admin-auto/
meta     OSU_KK99      __KK991 && !__KK992 && !__KK993
score    OSU_KK99      10
describe OSU_KK99      https://progress.opensuse.org/issues/123775

#5 Updated by crameleon 2 months ago

  • Subject changed from ups-7qw@dealsopinionrequestedpttpmluow.com to Mailman: ups-7qw@dealsopinionrequestedpttpmluow.com
  • Category set to Mailing lists

#6 Updated by pjessen 2 months ago

  • Category deleted (Mailing lists)

Better :

header   __KK991       EnvelopeFrom =~ /^$/
header   __KK992       To:addr =~ /\@lists.opensuse.org$/
header   __KK993       To:addr =~ /-bounces\@lists.opensuse.org$/
header   __KK994       To:addr =~ /^admin-auto/
meta     OSU_KK99      __KK991 && __KK992 && !__KK993 && !__KK994
score    OSU_KK99      10
describe OSU_KK99      https://progress.opensuse.org/issues/123775

#7 Updated by pjessen 2 months ago

  • Category set to Mailing lists
  • Assignee set to pjessen
  • % Done changed from 0 to 50

#8 Updated by pjessen about 2 months ago

There are currently 66 such emails in the queue on mailman3. Of these, 16 arrived yesterday which is clearly Not Good (R).

#9 Updated by pjessen about 2 months ago

pjessen wrote:

There are currently 66 such emails in the queue on mailman3. Of these, 16 arrived yesterday which is clearly Not Good (R).

Unfortunately, due to the way our SpamAssassin is implemented, there is no way of telling if the rule hit anything that was not rejected. When a mail is not rejected, there is no log entry. IOW, it is not possible to tell if the rule is hitting anything innocent. I'm going to adjust the score to 10 and see if we're hitting anything innocent.

#10 Updated by pjessen about 2 months ago

I think this was a false positive: 

2023-01-31T09:16:04.402244+00:00 mx1 postfix/cleanup[22959]: CCC118BF: reject: header X-Spam-Status: Yes, score=10.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,??DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,??MIME_HTML_ONLY,OSU_KK99,RCVD_IN_DNSWL_NONE,RCVD_IN_ZEN_BLOCK from mail-pl1-x643.google.com[2607:f8b0:4864:20::643]; from=<SRS0=zvm8=54=gmail.com=fentonyjl36@opensuse.org> to=<obs-commits@lists.opensuse.org> proto=ESMTP helo=<mail-pl1-x643.google.com>: 5.7.1 Spam identified (10.6/5.0)

#11 Updated by pjessen about 2 months ago

Hmm. "fentonyjl36@gmail.com" is not a member of the obs-commits list nor a non-member. I.e. has never posted to that list. I think the message-id was '508753879.49076.1675156591759@localhost.localdomain' which is also highly dodgy or least evidence of a poorly configured MUA/MTA. However, the log shows no evidence of a from=<> which I think there ought to be. Continuing to monitor.

#12 Updated by pjessen about 2 months ago

  • Assignee deleted (pjessen)
  • % Done changed from 50 to 0

Yesterdays hits:

2023-01-31T09:16:04.402244+00:00 mx1 postfix/cleanup[22959]: CCC118BF: reject: header X-Spam-Status: Yes, score=10.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,??DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,??MIME_HTML_ONLY,OSU_KK99,RCVD_IN_DNSWL_NONE,RCVD_IN_ZEN_BLOCK from mail-pl1-x643.google.com[2607:f8b0:4864:20::643]; from=<SRS0=zvm8=54=gmail.com=fentonyjl36@opensuse.org> to=<obs-commits@lists.opensuse.org> proto=ESMTP helo=<mail-pl1-x643.google.com>: 5.7.1 Spam identified (10.6/5.0)

2023-01-31T10:40:05.585281+00:00 mx1 postfix/cleanup[352]: 6B3678C5: reject: header X-Spam-Status: Yes, score=12.4 required=5.0 tests=BITCOIN_DEADLINE,??BITCOIN_SPAM_07,BITCOIN_YOUR_INFO,HTML_MESSAGE,MIME_HTML_ONLY,??NO_FM_NAME_IP_HOSTN,OSU_KK99,PDS_BTC_ID,RCVD_IN_BL_SPAMCOP_NET,??RC from unknown[141.98.10.22]; from=<SRS0=mUQ/=54=lists.opensuse.org=factory@opensuse.org> to=<factory@lists.opensuse.org> proto=ESMTP helo=<[141.98.10.22]>: 5.7.1 Spam identified (12.4/5.0)

2023-01-31T17:42:01.437108+00:00 mx1 postfix/cleanup[15855]: 87BAAA70: reject: header X-Spam-Status: Yes, score=10.8 required=5.0 tests=DIGEST_MULTIPLE,HTML_MESSAGE,??MIME_HTML_ONLY,OSU_KK99,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,??RAZOR2_CHECK,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_VALIDITY_RPBL,R from unknown[60.208.107.114]; from=<SRS0=Gsq7=54=bcbook.cn=5hdxcw@opensuse.org> to=<selinux@lists.opensuse.org> proto=ESMTP helo=<mail.bcbook.cn>: 5.7.1 Spam identified (10.8/5.0)

2023-01-31T20:11:09.253268+00:00 mx2 postfix/cleanup[27698]: 62D1D1A0B: reject: header X-Spam-Status: Yes, score=12.8 required=5.0 tests=DKIM_ADSP_ALL,DKIM_INVALID,??DKIM_SIGNED,DMARC_REJECT,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,??MIME_HTML_ONLY,MISSING_MIME_HB_SEP,OSU_KK99,RCVD_IN_BL_SPA from rdns0.politecnicasedili-it.com[185.174.102.171]; from=<SRS0=Yo+3=54=politecnicasedili-it.com=sharepoint@opensuse.org> to=<project@lists.opensuse.org> proto=ESMTP helo=<rdns0.politecnicasedili-it.com>: 5.7.1 Spam identified (12.8/5.0)

2023-01-31T20:33:57.689484+00:00 mx2 postfix/cleanup[30398]: 8C4DF1EB: reject: header X-Spam-Status: Yes, score=5.0 required=5.0 tests=DMARC_NONE,FREEMAIL_FROM,??NICE_REPLY_A,OSU_KK99,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,??URIBL_ZEN_BLOCKED_OPENDNS autolearn=disabled version=3.4.5 from relayout04-q01.e.movistar.es[86.109.101.171]; from=<SRS0=N21O=54=telefonica.net=robin.listas@opensuse.org> to=<users@lists.opensuse.org> proto=ESMTP helo=<relayout04-q01.e.movistar.es>: 5.7.1 Spam identified (5.0/5.0)

2023-01-31T21:28:01.903498+00:00 mx2 postfix/cleanup[4197]: 5CE8D6E9: reject: header X-Spam-Status: Yes, score=7.7 required=5.0 tests=FROM_EXCESS_BASE64,??HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_HTML_ONLY,OSU_KK99,??RCVD_IN_DNSWL_HI,RCVD_IN_VALIDITY_RPBL,RDNS_NONE,SPF_HELO_NONE,??URIBL_ from unknown[223.27.50.213]; from=<SRS0=5pyb=54=green.pumo.com.tw=mark0308@opensuse.org> to=<translation-commit@lists.opensuse.org> 
proto=ESMTP helo=<mg2.dns168.com.tw>: 5.7.1 Spam identified (7.7/5.0)

2023-01-31T22:13:55.152054+00:00 mx2 postfix/cleanup[9265]: A5F756E9: reject: header X-Spam-Status: Yes, score=22.0 required=5.0 tests=DIGEST_MULTIPLE,HTML_MESSAGE,??MIME_HTML_ONLY,OSU_KK99,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,??RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_BLOCKED, from unknown[222.240.200.130]; from=<SRS0=oc+N=54=cmie.cn=yangchenwei@opensuse.org> to=<xfce@lists.opensuse.org> proto=ESMTP helo=<mail.cmie.cn>: 5.7.1 Spam identified (22.0/5.0)

2023-01-31T22:48:02.826367+00:00 mx2 postfix/cleanup[13506]: 621536E9: reject: header X-Spam-Status: Yes, score=11.0 required=5.0 tests=DIGEST_MULTIPLE,HTML_MESSAGE,??MIME_HTML_ONLY,OSU_KK99,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,??RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_HI,??RCV from unknown[222.240.200.130]; from=<SRS0=oc+N=54=cmie.cn=yangchenwei@opensuse.org> to=<opensuse-project-request@lists.opensuse.org> proto=ESMTP helo=<mail.cmie.cn>: 5.7.1 Spam identified (11.0/5.0)

There are some more hits between midnight and now and I am fairly certain I see some false positives. That really should not be possible with :

header   __KK991       EnvelopeFrom =~ /^$/

Well, I should have taken my own advice not to try to optimize our SpamAssassin setup. I have removed that rule.

#13 Updated by pjessen about 2 months ago

  • Status changed from New to Rejected

Also available in: Atom PDF