Hey Jean,

Just to be sure:
Are we talking about postfix + srs-milter, i.e.
https://github.com/emsearcy/srs-milter

?

I must admit it's a very weird bug!!
It's maybe one of the small things which big minds miss when working on such
products.

Thanks for the details,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-----Original Message-----
From: nznog-boun...@list.waikato.ac.nz
[mailto:nznog-boun...@list.waikato.ac.nz] On Behalf Of Jean-Francois Pirus
Sent: Wednesday, May 17, 2017 1:25 AM
Cc: nznog@list.waikato.ac.nz
Subject: Re: [nznog] Issue with connections from CanIt-Domain-PRO anti-spam
filter

(Sorry I should learn to read before sending)

Hi, Thanks for the suggestions.

As the traffic was not using TLS, I was able to grab the 'probe'

This is it:

HELO canit-scanner-2.DOMAIN.co.nz
MAIL From:<canit-pr...@roaringpenguin.com>
RCPT To:<postmaster>
QUIT

And this does crash the milter (I've checked). I'm setting up a VM so I
can debug the milter.

Current theories are
- It does not like a "rcpt to" without a domain.
- It expects there will be more after the RCPT.

PS: weirdly, <postmaster> is valid.

On 09/05/17 08:43, Jordan Roff wrote:
>       "The reserved mailbox name "postmaster" may be used in a RCPT
>       command without domain qualification (see Section 4.1.1.3) and
>       MUST be accepted if so used."
>
> https://tools.ietf.org/html/rfc5321#section-2.3.5
>


On 17/05/17 06:47, Eliezer Croitoru wrote:
> Hey Jean,
>
> The first thing I would suggest is to dump this traffic even if it's a bit of
> a "heavy" thing to do, since it's what you can do yourself before doing other
> things.
> I don't know what exact mail software you are using and what OS, but on
> Linux OS you can try to run a tiny logging proxy that will help you analyze
> the issue.
> On Linux you can use iptables REDIRECT to redirect all traffic from
> canit-scanner-2.slingshot.co.nz[60.234.4.40] and
> canit-slingshot-mx-2.t3.nz[IP?] towards your server into the tiny proxy.
> Once you might have a clue on what is in the wire\connection you can
> defend yourself from it in other ways.
> It might be a bug but it also might be another more simple issue.
> Let's say the connection is a bogus one which can be blocked before harming
> the system, you might still have a chance.
>
> You do have the timing and the source ip addresses.
> Try to verify how much traffic you have from these servers and move on
> from there to see if you can use tcpdump+wireshark to clear your mind from
> certain things about this traffic.
>
> And as a side note if you do know the timing I can lend you my 421 tiny
> mail service which I use on my systems.
> You can redirect the traffic from these two (or more) servers towards the
> 25 port into a 1421 port (for example) every day at the annoying hours and see
> if it makes a change.
> This might not be the best solution but any smtp delivery server should
> obey the basic laws of 421 (come back or try later).
>
> Hope It Helps,
> Eliezer
>
> * let me know if you want the 421 service code\binaries
>
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
>
>
>
> -----Original Message-----
> From: nznog-boun...@list.waikato.ac.nz
> [mailto:nznog-boun...@list.waikato.ac.nz] On Behalf Of Jean-Francois Pirus
> Sent: Saturday, May 6, 2017 2:06 PM
> To: nznog@list.waikato.ac.nz
> Subject: [nznog] Issue with connections from CanIt-Domain-PRO anti-spam
> filter
>
>
> Hi all, I have an interesting issue. Just upgraded our mail server to
> handle srs-milter.
>
> Since the upgrade we found that the srs-milter would crash around 05:50
> and 22:20 every day. (Obviously it's got a bug)
>
> Turns out every day around 05:50 we get a connection from
> canit-1.iserve.net.nz[202.191.33.141]
> And every night around 20:20 we get a connection from
> canit-scanner-2.slingshot.co.nz[60.234.4.40]
>
> They both seem to be running CanIt-Domain-PRO anti-spam filter.
>
> I cannot just block the scanner as the address is shared with MXs (ie:
> canit-scanner-2.slingshot.co.nz[60.234.4.40] and
> canit-slingshot-mx-2.t3.nz)
>
> Seems like the scanner is sending 'unusual' data once a day on a schedule.
>
> Any ideas what that single daily connection is about? or workarounds?
>
> Thanks.
>
> PS: Apart from fixing the bug myself...
>
> --
> Jean-Francois Pirus | Technical Manager
> franc...@clearfield.com | Mob +64 21 640 779 | DDI +64 9 282 3401
>
> Clearfield Software Ltd | Ph +64 9 358 2081 | www.clearfield.com
> _______________________________________________
> NZNOG mailing list
> NZNOG@list.waikato.ac.nz
> https://list.waikato.ac.nz/mailman/listinfo/nznog
>

-- 
Jean-Francois Pirus | Technical Manager
franc...@clearfield.com | Mob +64 21 640 779 | DDI +64 9 282 3401

Clearfield Software Ltd | Ph +64 9 358 2081 | www.clearfield.com
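Both theories in the message above come down to the same input: a RCPT path with no domain, which the quoted RFC text says must be accepted for "postmaster". The following is an added example in C, not code from srs-milter or from any poster, showing a recipient parser that handles that case without assuming an '@' is present; the check_rcpt policy, the verdict enum and the buffer sizes are this example's own assumptions.

```c
/* Added example (not srs-milter's code): parse an SMTP RCPT TO path defensively
 * so that a domain-less <postmaster>, which RFC 5321 2.3.5 says MUST be accepted,
 * cannot derail code that assumes every recipient contains an '@'. */
#include <ctype.h>
#include <string.h>
#include <strings.h>

enum rcpt_verdict { RCPT_CONTINUE = 0, RCPT_REJECT = 1 };

/* Split "<local@domain>" (or a bare local@domain) into its two parts.
 * Returns 0 on success; domain is "" when the path carries none. The last '@'
 * is the separator, since a quoted local part may itself contain '@'. */
int parse_rcpt_path(const char *arg, char *local, size_t llen,
                    char *domain, size_t dlen)
{
    const char *p = arg, *end, *at = NULL;
    size_t n;
    if (!arg || !local || !domain || llen == 0 || dlen == 0) return -1;
    while (*p && isspace((unsigned char)*p)) p++;
    if (*p == '<') {                       /* bracketed form as seen on the wire */
        if (!(end = strchr(++p, '>'))) return -1;   /* unterminated '<' */
    } else {
        end = p + strlen(p);
        while (end > p && isspace((unsigned char)end[-1])) end--;
    }
    for (const char *q = p; q < end; q++)
        if (*q == '@') at = q;
    n = (size_t)((at ? at : end) - p);
    if (n == 0 || n >= llen) return -1;    /* empty local part or would overflow */
    memcpy(local, p, n); local[n] = '\0';
    n = at ? (size_t)(end - at - 1) : 0;
    if (n >= dlen) return -1;
    if (n) memcpy(domain, at + 1, n);
    domain[n] = '\0';
    return 0;
}

/* Recipient policy in the spirit of a milter's xxfi_envrcpt callback: accept
 * "postmaster" with no domain (RFC 5321 2.3.5). Rejecting other domain-less or
 * malformed paths is this example's policy choice, not something the RFC mandates. */
enum rcpt_verdict check_rcpt(const char *arg)
{
    char local[256], domain[256];
    if (parse_rcpt_path(arg, local, sizeof local, domain, sizeof domain) != 0)
        return RCPT_REJECT;                /* malformed: never reaches SRS code */
    if (domain[0] == '\0')
        return strcasecmp(local, "postmaster") == 0 ? RCPT_CONTINUE : RCPT_REJECT;
    return RCPT_CONTINUE;                  /* qualified address: hand on to SRS */
}
```

Feeding the captured probe's `RCPT To:<postmaster>` argument through check_rcpt yields RCPT_CONTINUE, while a truncated or empty path is refused before any address-rewriting code sees it.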
