https://bugs.exim.org/show_bug.cgi?id=3042
--- Comment #4 from Lars Timmann <[email protected]> ---

We caught one problematic mail. This mail hangs on our external mail server and is not delivered to our internal mailserver. Both updated to exim-4.96.2.

As it is obviously spam we could show all data:

# exim -Mvl 1qxQSQ-0000I8-1U
2023-10-30 12:29:22.160 Received from [email protected] H=sophosxgs.domain.tld [192.168.104.42]:45786 I=[192.168.104.33]:25 P=esmtps L. X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=4191 M8S=0 RT=0.001s [email protected] T="Business investment"
2023-10-30 12:29:22.430 H=mail.domain.tld [192.168.9.2]:25: Remote host closed connection in response to end of data
2023-10-30 12:29:22.644 H=mail.domain.tld [192.168.9.100]:25: Remote host closed connection in response to end of data
2023-10-30 12:29:22.646 [email protected] R=mail_route T=remote_smtp defer (-18) H=mail.domain.tld [192.168.9.100]:25 I=[192.168.104.33]:61120 DT=0.213s: Remote host closed connection in response to end of data
2023-10-30 12:30:03.901 H=mail.domain.tld [192.168.9.100]:25: Remote host closed connection in response to end of data
2023-10-30 12:30:04.201 H=mail.domain.tld [192.168.9.2]:25: Remote host closed connection in response to end of data
2023-10-30 12:30:04.203 [email protected] R=mail_route T=remote_smtp defer (-18) H=mail.domain.tld [192.168.9.2]:25 I=[192.168.104.33]:53387 DT=0.298s: Remote host closed connection in response to end of data
...
And so on...

# exim -Mvh 1qxQSQ-0000I8-1U
1qxQSQ-0000I8-1U-H
exim 100 100
<[email protected]>
1698665362 0
-received_time_usec .157578
-received_time_complete 1698665362.159479
--helo_name sophosxgs.domain.tld
-host_address [192.168.104.42]:45786
--host_name sophosxgs.domain.tld
-interface_address [192.168.104.33]:25
-received_protocol esmtps
-aclm _linelength_limit 3
998
-body_linecount 10
-max_received_linelength 92
-tls_cipher TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256
-tls_ourcert -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----\n
-tls_resumption B
-tls_ver TLS1.2
XX
1
[email protected]

298P Received: from sophosxgs.domain.tld ([192.168.104.42]:45786)
 by MailExt1.domain.tld with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 (Exim 4.96.2)
 (envelope-from <[email protected]>)
 id 1qxQSQ-0000I8-1U
 for [email protected];
 Mon, 30 Oct 2023 12:29:22 +0100
325P Received: from mailext.domain.tld ([192.168.104.34]:42831 helo=MailExt2.domain.tld)
 by sophosxgs.domain.tld with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 (Exim 4.96)
 (envelope-from <[email protected]>)
 id 1qxQSG-0001T1-2t
 for [email protected];
 Mon, 30 Oct 2023 12:29:12 +0100
320P Received: from hwsrv-1105621.hostwindsdns.com ([192.168.216.93]:44389 helo=genarec.com)
 by MailExt2.MH-Hannover.DE with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 (Exim 4.96.2)
 (envelope-from <[email protected]>)
 id 1qxQSG-0006Vl-37
 for [email protected];
 Mon, 30 Oct 2023 12:29:12 +0100
038R Reply-To: [email protected]
065F From: Password Notification <anxjf<[email protected]>
033T To: [email protected]
029 Subject: Business investment
033 Date: 30 Oct 2023 11:29:10 +0000
058I Message-ID: <[email protected]>
018 MIME-Version: 1.0
024 Content-Type: text/html
044 Content-Transfer-Encoding: quoted-printable
022 X-Sophos-IBS: success
072 X-SASI-Version: Antispam-Engine: 5.1.4, AntispamData: 192.168.30.105116
018 X-SASI-RCODE: 200
028 X-SASI-SpamProbability: 30%
2142 X-SASI-Hits: BODYTEXTH_SIZE_10000_LESS 0.000000, BODY_SIZE_1000_LESS 0.000000,
 BODY_SIZE_2000_LESS 0.000000, BODY_SIZE_5000_LESS 0.000000,
 BODY_SIZE_500_599 0.000000, BODY_SIZE_7000_LESS 0.000000,
 CTE_QUOTED_PRINTABLE 0.000000, CTYPE_JUST_HTML 0.500000,
 FRAUD_WEBMAIL_R_NOT_F 0.100000, FRAUD_X3 1.000000, FROM_NAME_PHRASE 0.000000,
 HREF_LABEL_TEXT_NO_URI 0.000000, HREF_LABEL_TEXT_ONLY 0.000000,
 HTML_NO_HTTP 0.100000, KNOWN_MTA_TFX 0.000000, NO_CTA_URI_FOUND 0.000000,
 NO_URI_HTTPS 0.000000, RCVD_EXIM_IP_PORT 1.000000,
 REPLYTO_FROM_DIFF_ADDY 0.100000, SENDER_NO_AUTH 0.000000,
 SINGLE_HREF_URI_IN_BODY 0.000000, SXL_IP_TFX_WM 0.000000,
 TO_DOMAIN_IN_FROMNAME_NOT_SAME 0.000000, TO_DOMAIN_IN_FROM_NOT_SAME 0.000000,
 WEBMAIL_REPLYTO_NOT_FROM 0.500000, __ANY_URI 0.000000,
 __BODY_TEXT_X4 0.000000, __CSHC_NS_B_FN_FA 0.000000, __CT 0.000000,
 __CTE 0.000000, __CTYPE_HTML 0.000000, __CTYPE_IS_HTML 0.000000,
 __DC_PHRASE 0.000000, __FRAUD_BODY_WEBMAIL 0.000000, __FRAUD_COMMON 0.000000,
 __FRAUD_INTRO 0.000000, __FRAUD_REPLY 0.000000, __FRAUD_URGENCY 0.000000,
 __FRAUD_WEBMAIL 0.000000, __FRAUD_WEBMAIL_REPLYTO 0.000000,
 __FROM_DOMAIN_NOT_IN_BODY 0.000000, __FROM_NAME_NOT_IN_ADDR 0.000000,
 __FROM_NAME_NOT_IN_BODY 0.000000, __FUR_HEADER 0.000000, __HAS_FROM 0.000000,
 __HAS_HTML 0.000000, __HAS_MSGID 0.000000, __HAS_REPLYTO 0.000000,
 __HEADER_ORDER_FROM 0.000000, __HREF_LABEL_TEXT 0.000000,
 __HTML_AHREF_TAG 0.000000, __MIME_HTML 0.000000, __MIME_HTML_ONLY 0.000000,
 __MIME_TEXT_H 0.000000, __MIME_TEXT_H1 0.000000, __MIME_VERSION 0.000000,
 __MSGID_DATETIME_DOT_HEX16 0.000000, __PART_TYPE_HTML 0.000000,
 __PHISH_SPEAR_GREETING 0.000000, __RCPT_HOST_IN_FROM 0.000000,
 __RCPT_HOST_IN_FROM_NAME 0.000000, __RCVD_EXIM_IP_PORT 0.000000,
 __REPLYTO_GMAIL 0.000000, __SANE_MSGID 0.000000, __SEO_WEBSITE 0.000000,
 __SPEAR_FROM_NAME 0.000000, __STOCK_PHRASE_8 0.000000,
 __SUBJ_ALPHA_END 0.000000, __SUBJ_SHORT 0.000000, __TAG_EXISTS_HTML 0.000000,
 __TO_HOST_IN_FROM 0.000000, __TO_HOST_IN_FROM_NAME 0.000000,
 __TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000, __URI_MAILTO 0.000000,
 __URI_NO_WWW 0.000000, __URI_NS 0.000000
030 X-Sophos-Firewall: smtpd v1.0

# exim -Mvb 1qxQSQ-0000I8-1U
1qxQSQ-0000I8-1U-D
<html><head>
<meta http-equiv=3D"X-UA-Compatible" content=3D"IE=3Dedge">
</head>
<body><p>Dear Sir Madam,</p><p>My name is Mohammed Al Amoudi from the Kingd=
om of Saudi Arabia.</p><p>I contacted you because of my interest in your se=
ctor.</p><p>We would like to get an idea of the chances of a successful inv=
estment in your area and for other important business discussions.</p><p>I =
await your urgent response.</p><p>Reply to email address for further discus=
sions <a href=3D"mailto:“[email protected]">“alamoudi=
[email protected]</a>”</p></body></html>

On the internal mail server we just see:
