tickets #123775
Mailman: ups-7qw@dealsopinionrequestedpttpmluow.com
0%
Description
On mailman3, at least since December 2022, the postfix queue has a number of mails from the project list to addresses such as:
They are queued because the domains do not resolve, so mx12 refuses to accept them. Not a big problem, they'll remain in the queue and eventually bounce.
The messages are
Your message to the openSUSE Project mailing-list was rejected for the following reasons:
The message is not from a list member
The original message as received by Mailman is attached.
I was curious though, how does an unresolvable domain even get to send a mail to mailman? I took a look at a recent one "ups-7qw@dealsopinionrequestedpttpmluow.com" and there is no trace in the mail logs. (apart from deferred mail).
History
#1
Updated by pjessen 2 months ago
- Private changed from Yes to No
It looks like they are indeed emails, but with no envelope sender:
2023-01-28T15:50:46.714033+00:00 mailman3 postfix/smtpd[4283]: connect from mx1.infra.opensuse.org[192.168.47.95]
2023-01-28T15:50:46.728956+00:00 mailman3 postfix/smtpd[4283]: B1DFD87D: client=mx1.infra.opensuse.org[192.168.47.95]
2023-01-28T15:50:46.730722+00:00 mailman3 postfix/cleanup[4284]: B1DFD87D: message-id=<XP88KxjnJGmiTPLp1HFm6zkXSig-jTPpOHMJOLmGVjsXUYJBDdPdiBx-cadf-4b64-ba5d-13abc51dd070-000000@.amazonses.com>
2023-01-28T15:50:46.735330+00:00 mailman3 postfix/smtpd[4283]: disconnect from mx1.infra.opensuse.org[192.168.47.95] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2023-01-28T15:50:46.735848+00:00 mailman3 postfix/qmgr[605]: B1DFD87D: from=<>, size=54328, nrcpt=1 (queue active)
2023-01-28T15:50:46.856890+00:00 mailman3 postfix/lmtp[4285]: B1DFD87D: to=<project@lists.opensuse.org>, relay=localhost[127.0.0.1]:8024, delay=0.14, delays=0.02/0.01/0.01/0.1, dsn=2.0.0, status=sent (250 Ok)
2023-01-28T15:50:46.857262+00:00 mailman3 postfix/qmgr[605]: B1DFD87D: removed
2023-01-28T15:50:48.062482+00:00 mailman3 postfix/smtpd[4283]: connect from localhost[127.0.0.1]
2023-01-28T15:50:48.089567+00:00 mailman3 postfix/smtpd[4283]: 15C5C87D: client=localhost[127.0.0.1]
2023-01-28T15:50:48.091894+00:00 mailman3 postfix/cleanup[4284]: 15C5C87D: message-id=<167492104720.11482.9685059075489170493@mailman3.infra.opensuse.org>
2023-01-28T15:50:48.106329+00:00 mailman3 postfix/smtpd[4283]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2023-01-28T15:50:48.106934+00:00 mailman3 postfix/qmgr[605]: 15C5C87D: from=<project-bounces@lists.opensuse.org>, size=56267, nrcpt=1 (queue active)
2023-01-28T15:50:48.170408+00:00 mailman3 postfix/smtp[4179]: 15C5C87D: to=<ups-7qw@dealsopinionrequestedpttpmluow.com>, relay=relay.infra.opensuse.org[192.168.47.4]:25, delay=0.08, delays=0.02/0.01/0/0.05, dsn=4.1.2, status=deferred (host relay.infra.opensuse.org[192.168.47.4] said: 450 4.1.2 <ups-7qw@dealsopinionrequestedpttpmluow.com>: Recipient address rejected: Domain not found (in reply to RCPT TO command))
While no envelope sender is perfectly legitimate, it is usually only used for NDRs (non delivery reports) and similar.
I wonder if it is worth doing much about and if so, what might we do?
#2
Updated by pjessen 2 months ago
pjessen wrote:
While no envelope sender is perfectly legitimate, it is usually only used for NDRs (non delivery reports) and similar.
I wonder if it is worth doing much about and if so, what might we do?
Anything being sent directly to a list address (instead of to a bounce address) really must have a proper envelope, I think. We already discard automated delivery delay messages from mx12, maybe we can do the same with these fakes?
#3
Updated by cboltz 2 months ago
pjessen wrote:
pjessen wrote:
While no envelope sender is perfectly legitimate, it is usually only used for NDRs (non delivery reports) and similar.
I wonder if it is worth doing much about and if so, what might we do?
Anything being sent directly to a list address (instead of to a bounce address) really must have a proper envelope, I think. We already discard automated delivery delay messages from mx12, maybe we can do the same with these fakes?
Agreed, sending with the bounce envelope to a list doesn't make sense, and rejecting that as "<> is not subscribed" is even more pointless.
As a short-term solution, I'd indeed discard these mails.
For a longer-term solution, maybe open a bug report upstream so that mailman ignores these mails itself. (I hope nobody seriously wants to use mailman to distribute <> mails ;-) - but then, what about admin-auto?)
#4
Updated by pjessen 2 months ago
cboltz wrote:
Agreed, sending with the bounce envelope to a list doesn't make sense, and rejecting that as "<> is not subscribed" is even more pointless.
As a short-term solution, I'd indeed discard these mails.
Thanks for the extra pair of eyes :-) I have set up a SpamAssassin rule to see if I can catch some of these, and it's already triggering.
header __KK991 EnvelopeFrom =~ //
header __KK992 To:addr =~ /-bounces\@lists.opensuse.org$/
meta OSU_KK99 __KK991 && !__KK992
score OSU_KK99 10
describe OSU_KK99 https://progress.opensuse.org/issues/123775
- but then, what about admin-auto?)
Ah, nice catch - I think. Yes, we should probably exclude admin-auto from this rule.
header __KK991 EnvelopeFrom =~ //
header __KK992 To:addr =~ /-bounces\@lists.opensuse.org$/
header __KK993 To:addr =~ /^admin-auto/
meta OSU_KK99 __KK991 && !__KK992 && !__KK993
score OSU_KK99 10
describe OSU_KK99 https://progress.opensuse.org/issues/123775
#6
Updated by pjessen 2 months ago
- Category deleted (Mailing lists)
Better:
header __KK991 EnvelopeFrom =~ /^$/
header __KK992 To:addr =~ /\@lists.opensuse.org$/
header __KK993 To:addr =~ /-bounces\@lists.opensuse.org$/
header __KK994 To:addr =~ /^admin-auto/
meta OSU_KK99 __KK991 && __KK992 && !__KK993 && !__KK994
score OSU_KK99 10
describe OSU_KK99 https://progress.opensuse.org/issues/123775
#8
Updated by pjessen about 2 months ago
There are currently 66 such emails in the queue on mailman3. Of these, 16 arrived yesterday which is clearly Not Good (R).
#9
Updated by pjessen about 2 months ago
pjessen wrote:
There are currently 66 such emails in the queue on mailman3. Of these, 16 arrived yesterday which is clearly Not Good (R).
Unfortunately, due to the way our SpamAssassin is implemented, there is no way of telling if the rule hit anything that was not rejected. When a mail is not rejected, there is no log entry. IOW, it is not possible to tell if the rule is hitting anything innocent. I'm going to adjust the score to 10 and see if we're hitting anything innocent.
#10
Updated by pjessen about 2 months ago
I think this was a false positive:
2023-01-31T09:16:04.402244+00:00 mx1 postfix/cleanup[22959]: CCC118BF: reject: header X-Spam-Status: Yes, score=10.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,??DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,??MIME_HTML_ONLY,OSU_KK99,RCVD_IN_DNSWL_NONE,RCVD_IN_ZEN_BLOCK from mail-pl1-x643.google.com[2607:f8b0:4864:20::643]; from=<SRS0=zvm8=54=gmail.com=fentonyjl36@opensuse.org> to=<obs-commits@lists.opensuse.org> proto=ESMTP helo=<mail-pl1-x643.google.com>: 5.7.1 Spam identified (10.6/5.0)
#11
Updated by pjessen about 2 months ago
Hmm. "fentonyjl36@gmail.com" is not a member of the obs-commits list nor a non-member. I.e. has never posted to that list. I think the message-id was '508753879.49076.1675156591759@localhost.localdomain' which is also highly dodgy or at least evidence of a poorly configured MUA/MTA. However, the log shows no evidence of a from=<> which I think there ought to be. Continuing to monitor.
#12
Updated by pjessen about 2 months ago
- Assignee deleted (pjessen)
- % Done changed from 50 to 0
Yesterday's hits:
2023-01-31T09:16:04.402244+00:00 mx1 postfix/cleanup[22959]: CCC118BF: reject: header X-Spam-Status: Yes, score=10.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,??DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,??MIME_HTML_ONLY,OSU_KK99,RCVD_IN_DNSWL_NONE,RCVD_IN_ZEN_BLOCK from mail-pl1-x643.google.com[2607:f8b0:4864:20::643]; from=<SRS0=zvm8=54=gmail.com=fentonyjl36@opensuse.org> to=<obs-commits@lists.opensuse.org> proto=ESMTP helo=<mail-pl1-x643.google.com>: 5.7.1 Spam identified (10.6/5.0)
2023-01-31T10:40:05.585281+00:00 mx1 postfix/cleanup[352]: 6B3678C5: reject: header X-Spam-Status: Yes, score=12.4 required=5.0 tests=BITCOIN_DEADLINE,??BITCOIN_SPAM_07,BITCOIN_YOUR_INFO,HTML_MESSAGE,MIME_HTML_ONLY,??NO_FM_NAME_IP_HOSTN,OSU_KK99,PDS_BTC_ID,RCVD_IN_BL_SPAMCOP_NET,??RC from unknown[141.98.10.22]; from=<SRS0=mUQ/=54=lists.opensuse.org=factory@opensuse.org> to=<factory@lists.opensuse.org> proto=ESMTP helo=<[141.98.10.22]>: 5.7.1 Spam identified (12.4/5.0)
2023-01-31T17:42:01.437108+00:00 mx1 postfix/cleanup[15855]: 87BAAA70: reject: header X-Spam-Status: Yes, score=10.8 required=5.0 tests=DIGEST_MULTIPLE,HTML_MESSAGE,??MIME_HTML_ONLY,OSU_KK99,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,??RAZOR2_CHECK,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_VALIDITY_RPBL,R from unknown[60.208.107.114]; from=<SRS0=Gsq7=54=bcbook.cn=5hdxcw@opensuse.org> to=<selinux@lists.opensuse.org> proto=ESMTP helo=<mail.bcbook.cn>: 5.7.1 Spam identified (10.8/5.0)
2023-01-31T20:11:09.253268+00:00 mx2 postfix/cleanup[27698]: 62D1D1A0B: reject: header X-Spam-Status: Yes, score=12.8 required=5.0 tests=DKIM_ADSP_ALL,DKIM_INVALID,??DKIM_SIGNED,DMARC_REJECT,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,??MIME_HTML_ONLY,MISSING_MIME_HB_SEP,OSU_KK99,RCVD_IN_BL_SPA from rdns0.politecnicasedili-it.com[185.174.102.171]; from=<SRS0=Yo+3=54=politecnicasedili-it.com=sharepoint@opensuse.org> to=<project@lists.opensuse.org> proto=ESMTP helo=<rdns0.politecnicasedili-it.com>: 5.7.1 Spam identified (12.8/5.0)
2023-01-31T20:33:57.689484+00:00 mx2 postfix/cleanup[30398]: 8C4DF1EB: reject: header X-Spam-Status: Yes, score=5.0 required=5.0 tests=DMARC_NONE,FREEMAIL_FROM,??NICE_REPLY_A,OSU_KK99,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,??URIBL_ZEN_BLOCKED_OPENDNS autolearn=disabled version=3.4.5 from relayout04-q01.e.movistar.es[86.109.101.171]; from=<SRS0=N21O=54=telefonica.net=robin.listas@opensuse.org> to=<users@lists.opensuse.org> proto=ESMTP helo=<relayout04-q01.e.movistar.es>: 5.7.1 Spam identified (5.0/5.0)
2023-01-31T21:28:01.903498+00:00 mx2 postfix/cleanup[4197]: 5CE8D6E9: reject: header X-Spam-Status: Yes, score=7.7 required=5.0 tests=FROM_EXCESS_BASE64,??HTML_IMAGE_RATIO_02,HTML_MESSAGE,MIME_HTML_ONLY,OSU_KK99,??RCVD_IN_DNSWL_HI,RCVD_IN_VALIDITY_RPBL,RDNS_NONE,SPF_HELO_NONE,??URIBL_ from unknown[223.27.50.213]; from=<SRS0=5pyb=54=green.pumo.com.tw=mark0308@opensuse.org> to=<translation-commit@lists.opensuse.org> proto=ESMTP helo=<mg2.dns168.com.tw>: 5.7.1 Spam identified (7.7/5.0)
2023-01-31T22:13:55.152054+00:00 mx2 postfix/cleanup[9265]: A5F756E9: reject: header X-Spam-Status: Yes, score=22.0 required=5.0 tests=DIGEST_MULTIPLE,HTML_MESSAGE,??MIME_HTML_ONLY,OSU_KK99,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,??RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_BLOCKED, from unknown[222.240.200.130]; from=<SRS0=oc+N=54=cmie.cn=yangchenwei@opensuse.org> to=<xfce@lists.opensuse.org> proto=ESMTP helo=<mail.cmie.cn>: 5.7.1 Spam identified (22.0/5.0)
2023-01-31T22:48:02.826367+00:00 mx2 postfix/cleanup[13506]: 621536E9: reject: header X-Spam-Status: Yes, score=11.0 required=5.0 tests=DIGEST_MULTIPLE,HTML_MESSAGE,??MIME_HTML_ONLY,OSU_KK99,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,??RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_HI,??RCV from unknown[222.240.200.130]; from=<SRS0=oc+N=54=cmie.cn=yangchenwei@opensuse.org> to=<opensuse-project-request@lists.opensuse.org> proto=ESMTP helo=<mail.cmie.cn>: 5.7.1 Spam identified (11.0/5.0)
There are some more hits between midnight and now and I am fairly certain I see some false positives. That really should not be possible with:
header __KK991 EnvelopeFrom =~ /^$/
Well, I should have taken my own advice not to try to optimize our SpamAssassin setup. I have removed that rule.
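Added example, not part of the ticket and not openSUSE's own tooling: the condition the rule in comment #6 was meant to express can be checked after the fact from the mailman3 Postfix log, by joining each qmgr `from=<>` line to the delivery `to=` line with the same queue ID. The function name and the sample lines beyond the first two (which are trimmed from comment #1) are constructed for illustration.

```python
import re

# First two lines are trimmed from the log in comment #1; the rest are
# constructed sample lines (made-up queue IDs and addresses).
SAMPLE_LOG = """\
2023-01-28T15:50:46.735848+00:00 mailman3 postfix/qmgr[605]: B1DFD87D: from=<>, size=54328, nrcpt=1 (queue active)
2023-01-28T15:50:46.856890+00:00 mailman3 postfix/lmtp[4285]: B1DFD87D: to=<project@lists.opensuse.org>, relay=localhost[127.0.0.1]:8024, dsn=2.0.0, status=sent (250 Ok)
2023-01-28T16:00:00.000001+00:00 mailman3 postfix/qmgr[605]: 2A11C001: from=<>, size=4100, nrcpt=1 (queue active)
2023-01-28T16:00:00.100001+00:00 mailman3 postfix/lmtp[4285]: 2A11C001: to=<project-bounces@lists.opensuse.org>, relay=localhost[127.0.0.1]:8024, dsn=2.0.0, status=sent (250 Ok)
2023-01-28T16:05:00.000001+00:00 mailman3 postfix/qmgr[605]: 3B22D002: from=<member@example.org>, size=2900, nrcpt=1 (queue active)
2023-01-28T16:05:00.100001+00:00 mailman3 postfix/lmtp[4285]: 3B22D002: to=<project@lists.opensuse.org>, relay=localhost[127.0.0.1]:8024, dsn=2.0.0, status=sent (250 Ok)
2023-01-28T16:10:00.000001+00:00 mailman3 postfix/qmgr[605]: 4C33E003: from=<>, size=3300, nrcpt=1 (queue active)
2023-01-28T16:10:00.100001+00:00 mailman3 postfix/lmtp[4285]: 4C33E003: to=<admin-auto@lists.opensuse.org>, relay=localhost[127.0.0.1]:8024, dsn=2.0.0, status=sent (250 Ok)
"""

# qmgr records the envelope sender per queue ID; delivery agents record recipients.
QMGR_FROM = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
DELIVERY_TO = re.compile(r"postfix/\w+\[\d+\]: (\w+): to=<([^>]*)>")


def null_sender_list_posts(log_text, list_domain="lists.opensuse.org"):
    """Return (queue_id, recipient) for mail with an empty envelope sender
    that was delivered to a list posting address."""
    sender_by_qid = {}
    hits = []
    for line in log_text.splitlines():
        m = QMGR_FROM.search(line)
        if m:
            # A reused queue ID simply overwrites the older sender.
            sender_by_qid[m.group(1)] = m.group(2)
            continue
        m = DELIVERY_TO.search(line)
        if not m:
            continue
        qid, rcpt = m.group(1), m.group(2).lower()
        local, _, domain = rcpt.rpartition("@")
        # Only report when the sender is known to be empty (from=<>).
        if sender_by_qid.get(qid) != "" or domain != list_domain:
            continue
        # Same exclusions as the rule: bounce addresses and admin-auto.
        if local.endswith("-bounces") or local.startswith("admin-auto"):
            continue
        hits.append((qid, rcpt))
    return hits


if __name__ == "__main__":
    for qid, rcpt in null_sender_list_posts(SAMPLE_LOG):
        print(qid, rcpt)
```

Because it reads what Postfix actually logged as the envelope sender, the result does not depend on how SpamAssassin derives `EnvelopeFrom`, and it lists accepted messages as well as rejected ones.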
#13
Updated by pjessen about 2 months ago
- Status changed from New to Rejected