Nearly, it's postfix and vokac/srs-milter

vokac/srs-milter is a 2nd gen fork of emsearcy/srs-milter from the original author... :-)


https://github.com/vokac/srs-milter forked from driskell/srs-milter
https://github.com/driskell/srs-milter forked from emsearcy/srs-milter
https://github.com/emsearcy/srs-milter from http://kmlinux.fjfi.cvut.cz/~vokacpet/activities/srs-milter/



On 19/05/17 20:57, Eliezer Croitoru wrote:
Hey Jean,

Just to be sure:
Are we talking about postfix+srs-milter, i.e.
https://github.com/emsearcy/srs-milter
?

I must admit it's a very weird bug!!
It's maybe one of the small things which big minds miss when working on such products.

Thanks for the details,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il


-----Original Message-----
From: nznog-boun...@list.waikato.ac.nz
[mailto:nznog-boun...@list.waikato.ac.nz] On Behalf Of Jean-Francois Pirus
Sent: Wednesday, May 17, 2017 1:25 AM
Cc: nznog@list.waikato.ac.nz
Subject: Re: [nznog] Issue with connections from CanIt-Domain-PRO anti-spam
filter

(Sorry I should learn to read before sending)

Hi, Thanks for the suggestions.

As the traffic was not using TLS, I was able to grab the 'probe'

This is it:

HELO canit-scanner-2.DOMAIN.co.nz
MAIL From:<canit-pr...@roaringpenguin.com>
RCPT To:<postmaster>
QUIT

And this does crash the milter (I've checked). I'm setting up a VM so I can debug the milter.

Current theories are
- It does not like a "rcpt to" without a domain.
- It expects there will be more after the RCPT.

PS: weirdly, <postmaster> is valid.

On 09/05/17 08:43, Jordan Roff wrote:
      "The reserved mailbox name "postmaster" may be used in a RCPT
      command without domain qualification (see Section 4.1.1.3) and
      MUST be accepted if so used."

https://tools.ietf.org/html/rfc5321#section-2.3.5
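
The crash theory above (a RCPT TO with no domain) is exactly the kind of input a naive address splitter falls over on. As an added example, not code from srs-milter or from anyone in this thread, here is a path parser that accepts the RFC 5321 forms the captured probe uses (the domain-less `postmaster` mailbox and the null reverse path) beside the fragile split that raises on them, run over a constructed copy of the probe; the probe's MAIL FROM address is a placeholder, since the real one is elided in the message.

```python
"""Added example: parsing SMTP path arguments without assuming every
mailbox contains '@'. Not code from srs-milter or from the thread."""
import re
from typing import List, Optional, Tuple

# Constructed sample: the probe captured above, with a placeholder sender.
PROBE = [
    "HELO canit-scanner-2.DOMAIN.co.nz",
    "MAIL From:<canit-probe@example.com>",  # placeholder address
    "RCPT To:<postmaster>",                 # RFC 5321 2.3.5: no domain needed
    "QUIT",
]

PATH_RE = re.compile(r"^<(?P<mailbox>[^<>]*)>$")


def naive_split(path: str) -> Tuple[str, str]:
    """The fragile form: assumes every path carries exactly one '@'.
    Raises ValueError on '<postmaster>'; a C equivalent that does
    strchr(addr, '@') and dereferences the result would crash instead."""
    mailbox = path.strip("<>")
    local, domain = mailbox.split("@")
    return local, domain


def parse_path(path: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (local_part, domain) for a MAIL FROM / RCPT TO path argument.

    domain is None for the domain-less 'postmaster' mailbox that RFC 5321
    section 4.1.1.3 requires servers to accept, and local_part is '' for the
    null reverse path '<>'. Returns None when the argument is not a
    well-formed path, so the caller rejects instead of crashing.
    """
    m = PATH_RE.match(path.strip())
    if not m:
        return None
    mailbox = m.group("mailbox")
    if mailbox == "":
        return ("", None)  # <> : null reverse path (bounces)
    if "@" not in mailbox:
        # Only "postmaster" may legitimately appear without a domain.
        if mailbox.lower() == "postmaster":
            return (mailbox, None)
        return None
    local, _, domain = mailbox.rpartition("@")
    if not local or not domain:
        return None
    return (local, domain)


def process_session(lines: List[str]) -> List[Tuple[str, object]]:
    """Walk a session the way a milter sees it, never raising on odd input.
    MAIL/RCPT entries carry the parsed path or the string 'reject'."""
    results: List[Tuple[str, object]] = []
    for line in lines:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("MAIL", "RCPT"):
            _, _, path = arg.partition(":")  # drop the "From:" / "To:" prefix
            parsed = parse_path(path)
            results.append((verb, parsed if parsed is not None else "reject"))
        else:
            results.append((verb, arg))
    return results


if __name__ == "__main__":
    for verb, outcome in process_session(PROBE):
        print(verb, outcome)
```

The point of `parse_path` returning `None` rather than raising is that a milter runs inside the MTA's delivery path: an unhandled exception (or a NULL dereference in C) on one unusual but valid command takes the filter down for every other sender, which is precisely what a daily probe like this one was doing.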



On 17/05/17 06:47, Eliezer Croitoru wrote:
Hey Jean,

The first thing I would suggest is to dump this traffic even if it's a bit of a
"heavy" thing to do, since it's what you can do yourself before doing other
things.
I don't know what exact mail software you are using and what OS, but on a Linux
OS you can try to run a tiny logging proxy that will help you analyze the
issue.
On Linux you can use iptables REDIRECT to redirect all traffic from
canit-scanner-2.slingshot.co.nz[60.234.4.40] and
canit-slingshot-mx-2.t3.nz[IP?] towards your server into the tiny proxy.
Once you have a clue about what is on the wire\connection you can defend
yourself from it in other ways.
It might be a bug, but it also might be another, simpler issue.
Let's say the connection is a bogus one which can be blocked before harming
the system; you might still have a chance.

You do have the timing and the source IP addresses.
Try to verify how much traffic you have from these servers and move on
from there to see if you can use tcpdump+wireshark to clear your mind about
certain things in this traffic.

And as a side note, if you do know the timing I can lend you my 421 tiny mail
service which I use on my systems.
You can redirect the traffic from these two (or more) servers towards port 25
into port 1421 (for example) every day at the annoying hours and see
if it makes a change.
This might not be the best solution, but any SMTP delivery server should obey
the basic laws of 421 (come back or try later).

Hope It Helps,
Eliezer

* let me know if you want the 421 service code\binaries

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il
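
The 421 approach described above relies on the sender honouring a transient failure and retrying later. As an added example, and not Eliezer's own 421 service or anything from the thread, here is a minimal listener in that spirit: it greets every connection with a 421, answers any further command with 421 until the client sends QUIT or disconnects, and binds to port 1421 so an iptables REDIRECT rule (as the message suggests) can steer selected sources to it. The session logic is separated from the socket handling so it can be exercised on in-memory streams; the host name is a placeholder.

```python
"""Added example: a tiny SMTP listener that defers every client with 421.
Not Eliezer's service; the host name and port are placeholders."""
import socketserver
from typing import List, Tuple

SERVER_NAME = "mx.example.invalid"  # placeholder, not a real host
LISTEN_PORT = 1421                  # alternate port suggested in the thread


def greeting_line(server_name: str = SERVER_NAME) -> bytes:
    """A 421 greeting: RFC 5321 lets a server reject the session at connect
    time with 421, and a compliant client queues the message for retry."""
    return f"421 {server_name} Service not available, try again later\r\n".encode()


def reply_for(command: bytes) -> Tuple[bytes, bool]:
    """Reply to one command from a client that keeps talking after the
    greeting. Returns (reply, close_connection)."""
    verb = command.strip().split(b" ", 1)[0].upper()
    if verb == b"QUIT":
        return b"221 2.0.0 Bye\r\n", True
    # Everything else is deferred, never accepted.
    return b"421 4.3.2 Service not available, try again later\r\n", False


def run_session(rfile, wfile, max_commands: int = 8) -> List[bytes]:
    """Drive one client session over file-like objects.

    Returns the verbs seen, so the exchange can be logged or tested.
    max_commands bounds how long a chatty client can hold the socket."""
    wfile.write(greeting_line())
    seen: List[bytes] = []
    for _ in range(max_commands):
        line = rfile.readline()
        if not line:  # client hung up after the greeting
            break
        seen.append(line.strip().split(b" ", 1)[0].upper())
        reply, close = reply_for(line)
        wfile.write(reply)
        if close:
            break
    return seen


class DeferHandler(socketserver.StreamRequestHandler):
    """One thread per connection; logs the verbs the client sent."""

    def handle(self) -> None:
        verbs = run_session(self.rfile, self.wfile)
        print(self.client_address[0], b" ".join(verbs).decode(errors="replace"))


if __name__ == "__main__":
    # Pair with a NAT rule such as (Linux, constructed source address):
    #   iptables -t nat -A PREROUTING -s 192.0.2.10 -p tcp --dport 25 \
    #       -j REDIRECT --to-ports 1421
    with socketserver.ThreadingTCPServer(("0.0.0.0", LISTEN_PORT), DeferHandler) as srv:
        srv.serve_forever()
```

Because nothing here ever returns a 2xx to MAIL or RCPT, a probe or delivery redirected to this port is neither accepted nor permanently rejected: a well-behaved sender simply tries again outside the window, which is the property the message above is counting on.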



-----Original Message-----
From: nznog-boun...@list.waikato.ac.nz
[mailto:nznog-boun...@list.waikato.ac.nz] On Behalf Of Jean-Francois Pirus
Sent: Saturday, May 6, 2017 2:06 PM
To: nznog@list.waikato.ac.nz
Subject: [nznog] Issue with connections from CanIt-Domain-PRO anti-spam
filter


Hi all, I have an interesting issue. Just upgraded our mail server to handle
srs-milter.

Since the upgrade we found that the srs-milter would crash around 05:50 and
22:20 every day. (Obviously it's got a bug.)

Turns out every day around 05:50 we get a connection from
canit-1.iserve.net.nz[202.191.33.141]
And every night around 20:20 we get a connection from
canit-scanner-2.slingshot.co.nz[60.234.4.40]

They both seem to be running CanIt-Domain-PRO anti-spam filter.

I cannot just block the scanner as the address is shared with MXs (i.e.
canit-scanner-2.slingshot.co.nz[60.234.4.40] and
canit-slingshot-mx-2.t3.nz)

Seems like the scanner is sending 'unusual' data once a day on a schedule.

Any ideas what that single daily connection is about? Or workarounds?

Thanks.

PS: Apart from fixing the bug myself...

--
Jean-Francois Pirus | Technical Manager
franc...@clearfield.com | Mob +64 21 640 779 | DDI +64 9 282 3401

Clearfield Software Ltd | Ph +64 9 358 2081 | www.clearfield.com
_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
https://list.waikato.ac.nz/mailman/listinfo/nznog



--
Jean-Francois Pirus | Technical Manager
franc...@clearfield.com | Mob +64 21 640 779 | DDI +64 9 282 3401

Clearfield Software Ltd | Ph +64 9 358 2081 | www.clearfield.com