Re: [vchkpw] vchkpw@inter7.com ezmlm warning

2003-10-19 Thread Jeremy Kister
On Sunday, October 19, 2003 12:42 AM, Gregory Kuhn wrote:
 message_is_looping_/home/vpopmail/domains/ctch.net/gkuhn/Maildir//

ah ha!  :)  this would explain why: grep 'is looping' /var/log/qmail/current
bore no fruit :)

s/\s+/_/g;

sigh.  after resolving the PEBKAC error, I do see the entries in my logs.


since we're on the topic of guaranteed bouncing (since the Delivered-To:
header can still easily be forged), is it worth investing some crypto into
it?  or even appending some Site-Unique level string to the end of
Delivered-To like the domain name --

instead of: Delivered-To: [EMAIL PROTECTED]
it'd be: Delivered-To-nntx.net: [EMAIL PROTECTED]

or some such.  Whatever the annex is, it'd have to be static (at the
site/domain level), because many people use the Delivered-To header for
processing via procmail/etc.

Forging the Delivered-To line could be to Mr. Spammer's advantage, because
he could send millions+ of messages to addresses that use vpopmail, and
could depend on the bouncing to deliver his mail;  just spoof the envelope
recipient/from and voilà.



Jeremy Kister
www.jeremykister.com
Argus:  The World's Most Advanced Monitoring Software:
http://argus.tcp4me.com




Re: [vchkpw] vchkpw@inter7.com ezmlm warning

2003-10-19 Thread X-Istence
Adam Hooper wrote:



Forging the Delivered-To line could be to Mr. Spammer's advantage, because
he could send millions+ of messages to addresses that use vpopmail, and
could depend on the bouncing to deliver his mail;  just spoof the envelope
recipient/from and voilà.


Not only that, but it gives information about the system's directory 
structure, which I always thought was a BAD thing.

(As an entirely separate bug: could the directory structure *not* be 
given to people who shouldn't see it?)

This could be done in vdelivermail code. It would just return a 
message_is_looping: [EMAIL PROTECTED]




[vchkpw] vchkpw@inter7.com ezmlm warning

2003-10-18 Thread Jeremy Kister
I received the below bounce from the [EMAIL PROTECTED] mailing list tonight,
at about 10PM EST.

please note i have obfuscated all email addresses slightly.
also note that I have been receiving mail fine from vchkpw, and haven't
modified my configuration recently.

the bounce my system sent was:

user does not exist, but will deliver to
/home/vpopmail/domains/jeremykister.co/jeremy/
message is looping /home/vpopmail/domains/jeremykister.co/jeremy/Maildir/
mail is looping

I am quite stumped on why my mailserver bounced this.  I immediately sent an
email to [EMAIL PROTECTED] from an outside account, and it was
received perfectly --  the fact that I've received this double-bounce shows
that my configuration is working.


I keep 8 rotations of 1MB qmail-send logs, and I don't have any record of
'mail is looping' in any of them.
the only [probable] record i have of this message is:
max grep 129277 /var/log/qmail/current | tai64nlocal
2003-10-18 21:58:08.502764500 starting delivery 129277: msg 30572 to local [EMAIL PROTECTED]
2003-10-18 21:58:09.792902500 delivery 129277: success: user_does_not_exist,_but_will_deliver_to_/home/vpopmail/domains/jeremykister.co/jeremy//did_0+0+1/

which seems to say that the delivery was successful.

i have a .qmail-vpopmail file which places mail in my jeremy maildir.  my
.qmail-default also does this (among other things).  I do not have a
jeremy/.qmail file.

max ls -ld .qmail-vpopmail .qmail-default jeremy/.qmail
jeremy/.qmail: No such file or directory
-rw-r-   1 vpopmail vchkpw   133 Oct  1 03:58 .qmail-default
-rw-r-   1 vpopmail vchkpw   107 Mar 26  2003 .qmail-vpopmail

before receiving this bounce, the last message my MUA has received from the
vpopmail list was 2003/10/18 4:18AM EST from Sigmund Gudvangen titled Re:
[vchkpw] Multi domain bounce message handling


the best working theory i had was that since qmail-02.nntx.net NFS mounts
/home/vpopmail/domains, then perhaps the share was unavailable for some
time, but that theory was quickly proven not to hold water because:
 1] the system would have sat and waited until the share did come on-line
before doing anything
 2] not only would the .qmail-vpopmail not be available, but .qmail-default
wouldn't have been either


any ideas?  this greatly worries me.

Jeremy Kister
www.jeremykister.com/jeremy/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 18, 2003 11:12 PM
To: [EMAIL PROTECTED]
Subject: ezmlm warning

Return-Path: vchkpw-return-warn-1066533111.lckkgknfdjclbddjoahf-vpopmail=jeremykister.co@inter7.com
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 14139 invoked by uid 1010); 19 Oct 2003 01:58:07 -
Received: from unknown (HELO ns1.inter7.com) (209.218.8.2)
  by max.nntx.net with SMTP; 19 Oct 2003 01:58:07 -
Received: (qmail 7722 invoked by uid 511); 19 Oct 2003 03:12:06 -
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Date: 19 Oct 2003 03:12:06 -
Message-ID: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Content-type: text/plain; charset=us-ascii
Subject: ezmlm warning


Hi! This is the ezmlm program. I'm managing the
[EMAIL PROTECTED] mailing list.

 I'm working for my owner, who can be reached
at [EMAIL PROTECTED]


 Messages to you from the vchkpw mailing list seem to
have been bouncing. I've attached a copy of the first bounce
message I received.

If this message bounces too, I will send you a probe. If the probe bounces,
I will remove your address from the vchkpw mailing list,
without further notice.


I've kept a list of which messages from the vchkpw mailing list have
bounced from your address.

Here are the message numbers:

   23631

 --- Enclosed is a copy of the bounce message I received.

Return-Path: 
Received: from unknown (HELO qmail-02.nntx.net) (64.115.47.41)
   by evanston.inter7.com with SMTP; 7 Oct 2003 09:27:59 -
Received: (qmail 25216 invoked for bounce); 7 Oct 2003 08:13:56 -
Date: 7 Oct 2003 08:13:56 -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: failure notice

 Hi. This is the qmail-send program at qmail-02.nntx.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

[EMAIL PROTECTED]:
user does not exist, but will deliver to
/home/vpopmail/domains/jeremykister.co/jeremy/
message is looping /home/vpopmail/domains/jeremykister.co/jeremy/Maildir/
mail is looping

 --- Below this line is a copy of the message.
[...]







Re: [vchkpw] vchkpw@inter7.com ezmlm warning

2003-10-18 Thread X-Istence
Jeremy Kister wrote:

I received the below bounce from the [EMAIL PROTECTED] mailing list tonight,
at about 10PM EST.
please note i have obfuscated all email addresses slightly.
also note that I have been receiving mail fine from vchkpw, and haven't
modified my configuration recently.
the bounce my system sent was:

user does not exist, but will deliver to
/home/vpopmail/domains/jeremykister.co/jeremy/
message is looping /home/vpopmail/domains/jeremykister.co/jeremy/Maildir/
mail is looping
I am quite stumped on why my mailserver bounced this.  I immediately sent an
email to [EMAIL PROTECTED] from an outside account, and it was
received perfectly --  the fact that I've received this double-bounce shows
that my configuration is working.
I keep 8 rotations of 1MB qmail-send logs, and I don't have any record of
'mail is looping' in any of them.
the only [probable] record i have of this message is:
max grep 129277 /var/log/qmail/current | tai64nlocal
2003-10-18 21:58:08.502764500 starting delivery 129277: msg 30572 to local [EMAIL PROTECTED]
2003-10-18 21:58:09.792902500 delivery 129277: success: user_does_not_exist,_but_will_deliver_to_/home/vpopmail/domains/jeremykister.co/jeremy//did_0+0+1/
which seems to say that the delivery was successful.

i have a .qmail-vpopmail file which places mail in my jeremy maildir.  my
.qmail-default also does this (among other things).  I do not have a
jeremy/.qmail file.
max ls -ld .qmail-vpopmail .qmail-default jeremy/.qmail
jeremy/.qmail: No such file or directory
-rw-r-   1 vpopmail vchkpw   133 Oct  1 03:58 .qmail-default
-rw-r-   1 vpopmail vchkpw   107 Mar 26  2003 .qmail-vpopmail
before receiving this bounce, the last message my MUA has received from the
vpopmail list was 2003/10/18 4:18AM EST from Sigmund Gudvangen titled Re:
[vchkpw] Multi domain bounce message handling
snip

 

Ah it seems i am not the only one with this problem. It seems that more 
people are seeing this then.

I also got the same message, and as far as I can see it's in no way 
looping, no matter how I look at it.

So basically, it's on their side, unless something is looping on my side, 
of which I know nothing.




Re: [vchkpw] vchkpw@inter7.com ezmlm warning

2003-10-18 Thread Jeremy Kister
On Saturday, October 18, 2003 11:18 PM,  X-Istence wrote:
 So basically, its on their side, unless something is looping on my side,
 of which i know nothing.

It cannot be on their side; how would their MTA know my maildir is in
/home/vpopmail/domains/jeremykister.co/jeremy/ ?

they also clearly attach the bounce which my system sent to them: from
qmail-02.nntx.net (which is mine)

did you receive the message at the same time I did ?


Jeremy Kister
www.jeremykister.com
Argus:  The World's Most Advanced Monitoring Software:
http://argus.tcp4me.com




Re: [vchkpw] vchkpw@inter7.com ezmlm warning

2003-10-18 Thread Gregory Kuhn
At 11:10 PM 10/18/2003 -0400, Jeremy Kister wrote:
I received the below bounce from the [EMAIL PROTECTED] mailing list tonight,
at about 10PM EST.
I've kept a list of which messages from the vchkpw mailing list have
bounced from your address.
Here are the message numbers:

   23631
Interestingly I got the same error message from the vchkpw list concerning 
the same message number 23631.  I think that this is a bug within the 
vchkpw list, not your system.

Greg

Gregory Kuhn
Coast to Coast Hosting
http://www.ctch.net
303-333-8947
303-726-4855 (Cell)



Re: [vchkpw] vchkpw@inter7.com ezmlm warning

2003-10-18 Thread X-Istence




Jeremy Kister wrote:

  On Saturday, October 18, 2003 11:18 PM,  X-Istence wrote:
  
  
So basically, its on their side, unless something is looping on my side,
of which i know nothing.

  
  
It cannot be on their side; how would their MTA know my maildir is in
/home/vpopmail/domains/jeremykister.co/jeremy/ ?

they also clearly attach the bounce which my system sent to them: from
qmail-02.nntx.net (which is mine)

did you receive the message at the same time I did ?


Jeremy Kister
www.jeremykister.com
Argus:  The World's Most Advanced Monitoring Software:
http://argus.tcp4me.com


  


I got it at 11:35 PM Eastern Standard Time, so i got it an hour and a
half later than you, but that could be a delay because of the amount of
emails their server has to send out if everyone were to get one of
these.

X-Istence




Fw: [vchkpw] vchkpw@inter7.com ezmlm warning

2003-10-18 Thread Jeremy Kister
Upon examining the original message that my MTA bounced, I know this is not
a coincidence.

I trimmed the original message because I thought it was non-relevant, but it
clearly is.

something in the original message confused some part of my MTA; This _is_ a
bug; I'm just not sure if it's qmail or vpopmail

below is the original email message that my system bounced due to message
is looping

Tom!?  Ken!? :)

Jeremy Kister
www.jeremykister.com/jeremy


Return-Path: [EMAIL PROTECTED]
Received: (qmail 25209 invoked by uid 1010); 7 Oct 2003 08:13:55 -
Received: from unknown (HELO ns1.inter7.com) (209.218.8.2)
  by max.nntx.net with SMTP; 7 Oct 2003 08:13:55 -
Received: (qmail 27027 invoked by uid 511); 7 Oct 2003 09:27:02 -
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Precedence: bulk
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Unsubscribe: mailto:[EMAIL PROTECTED]
List-Subscribe: mailto:[EMAIL PROTECTED]
Delivered-To: mailing list [EMAIL PROTECTED]
Received: from unknown (HELO rous.redbarn.org) (204.152.188.41)
by evanston.inter7.com with SMTP; 7 Oct 2003 09:27:01 -
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (Eric Ziegast)
In-reply-to: Your message of Tue, 07 Oct 2003 00:55:40 PDT.
  [EMAIL PROTECTED]
Date: Tue, 07 Oct 2003 01:12:40 -0700
Sender: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Subject: Re: [vchkpw] unexpected Delivered-To

  How can this happen?
 
  *Any* header can be forged. :^)

 Ok, but I'm not clear on one thing. qmail+vpopmail is going to route
 locally based on the to field of the incoming message, right? So you are
 saying this message was forged locally, meaning a hacked server?
The envelope recipient (RCPT TO:) is what qmail mostly cares about.
The normal message headers are fluffy bits of superfluous information
that could help it detect a mail loop.
Your message appears to have had a To: header of [EMAIL PROTECTED]
(forged) and an envelope recipient of [EMAIL PROTECTED] (not forged)
or maybe even some other address that aliases itself to kurt.
 Curiously your off-list reply caused my server to generate this message:
 message is looping /var/vpopmail/domains/breathsense.com/kkb/Maildir/
Why would your server bounce it in the first place? Fix that!
--
Eric Ziegast
[EMAIL PROTECTED]
(aka [EMAIL PROTECTED])
(aka [EMAIL PROTECTED])




Re: [vchkpw] vchkpw@inter7.com ezmlm warning

2003-10-18 Thread Michael Bowe
I received a bounce like this as well

I believe this is a bug

vdelivermail looks in the message headers for any Delivered-To entries. If
it sees the same address popping up more than once, then this indicates a
loop.

I believe that the bug occurred with this particular message because the
subject ended in Delivered-To

Since only an EOL followed the Delivered-To string, I think it is likely that
vdelivermail fails to handle this occurrence correctly, and it incorrectly
detects this as a loop

Michael.

----- Original Message -----
From: Gregory Kuhn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, October 19, 2003 1:27 PM
Subject: Re: [vchkpw] [EMAIL PROTECTED] ezmlm warning


 At 11:10 PM 10/18/2003 -0400, Jeremy Kister wrote:
 I received the below bounce from the [EMAIL PROTECTED] mailing list
tonight,
 at about 10PM EST.
 
 I've kept a list of which messages from the vchkpw mailing list have
 bounced from your address.
 
 Here are the message numbers:
 
 23631

 Interestingly I got the same error message from the vchkpw list concerning
 the same message number 23631.  I think that this is a bug within the
 vchkpw list, not your system.

 Greg

 Gregory Kuhn
 Coast to Coast Hosting
 http://www.ctch.net
 303-333-8947
 303-726-4855 (Cell)







Re: Fw: [vchkpw] vchkpw@inter7.com ezmlm warning

2003-10-18 Thread X-Istence
Jeremy Kister wrote:

Upon examining the original message that my MTA bounced, I know this is not
a coincidence.
I trimmed the original message because I thought it was non-relevant, but it
clearly is.
something in the original message confused some part of my MTA; This _is_ a
bug; I'm just not sure if it's qmail or vpopmail
below is the original email message that my system bounced due to message
is looping
Tom!?  Ken!? :)

Jeremy Kister
www.jeremykister.com/jeremy
Return-Path: [EMAIL PROTECTED]
Received: (qmail 25209 invoked by uid 1010); 7 Oct 2003 08:13:55 -
Received: from unknown (HELO ns1.inter7.com) (209.218.8.2)
 by max.nntx.net with SMTP; 7 Oct 2003 08:13:55 -
Received: (qmail 27027 invoked by uid 511); 7 Oct 2003 09:27:02 -
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Precedence: bulk
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Unsubscribe: mailto:[EMAIL PROTECTED]
List-Subscribe: mailto:[EMAIL PROTECTED]
Delivered-To: mailing list [EMAIL PROTECTED]
Received: from unknown (HELO rous.redbarn.org) (204.152.188.41)
by evanston.inter7.com with SMTP; 7 Oct 2003 09:27:01 -
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (Eric Ziegast)
In-reply-to: Your message of Tue, 07 Oct 2003 00:55:40 PDT.
 [EMAIL PROTECTED]
Date: Tue, 07 Oct 2003 01:12:40 -0700
Sender: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Subject: Re: [vchkpw] unexpected Delivered-To
 

How can this happen?
   

*Any* header can be forged. :^)
 

Ok, but I'm not clear on one thing. qmail+vpopmail is going to route
locally based on the to field of the incoming message, right? So you are
saying this message was forged locally, meaning a hacked server?
   

The envelope recipient (RCPT TO:) is what qmail mostly cares about.
The normal message headers are fluffy bits of superfluous information
that could help it detect a mail loop.
Your message appears to have had a To: header of [EMAIL PROTECTED]
(forged) and an envelope recipient of [EMAIL PROTECTED] (not forged)
or maybe even some other address that aliases itself to kurt.
 

Curiously your off-list reply caused my server to generate this message:
message is looping /var/vpopmail/domains/breathsense.com/kkb/Maildir/
   

Why would your server bounce it in the first place? Fix that!
--
Eric Ziegast
[EMAIL PROTECTED]
(aka [EMAIL PROTECTED])
(aka [EMAIL PROTECTED])
 

The envelope recipient (RCPT TO:) is what qmail mostly cares about.
The normal message headers are fluffy bits of superfluous information
that could help it detect a mail loop.
Your message appears to have had a To: header of [EMAIL PROTECTED]
(forged) and an envelope recipient of [EMAIL PROTECTED] (not forged)
Test.
or maybe even some other address that aliases itself to kurt.





Re: [vchkpw] vchkpw@inter7.com ezmlm warning

2003-10-18 Thread Michael Bowe
I found you can replicate this bug simply by sending yourself a message with
a subject like this :

test Delivered-To<space>

Where <space> is a space char

I wonder if this affects all versions of vpopmail, or only the later devel
versions

I am running vpopmail-5.3.28

I have opened a tracker [826231] on sourceforge for this bug

Michael.

----- Original Message -----
From: Michael Bowe [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, October 19, 2003 2:12 PM
Subject: Re: [vchkpw] [EMAIL PROTECTED] ezmlm warning


 I received a bounce like this as well

 I believe this is a bug

 vdelivermail looks in the message headers for any Delivered-To entries.
If
 it sees the same address popping up more than once, then this indicates a
 loop.

 I believe that the bug occurred with this particular message because the
 subject ended in Delivered-To

 Since only a EOL followed the Delivered-To string, I think it is likely
that
 vdelivermail fails to handle this occurrence correctly, and it incorrectly
 detects this as a loop

 Michael.

 - Original Message - 
 From: Gregory Kuhn [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Sunday, October 19, 2003 1:27 PM
 Subject: Re: [vchkpw] [EMAIL PROTECTED] ezmlm warning


  At 11:10 PM 10/18/2003 -0400, Jeremy Kister wrote:
  I received the below bounce from the [EMAIL PROTECTED] mailing list
 tonight,
  at about 10PM EST.
  
  I've kept a list of which messages from the vchkpw mailing list have
  bounced from your address.
  
  Here are the message numbers:
  
  23631
 
  Interestingly I got the same error message from the vchkpw list
concerning
  the same message number 23631.  I think that this is a bug within the
  vchkpw list, not your system.
 
  Greg
 
  Gregory Kuhn
  Coast to Coast Hosting
  http://www.ctch.net
  303-333-8947
  303-726-4855 (Cell)
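
The two ways of spotting a Delivered-To line that this thread contrasts, as an added example (not vpopmail code and not from any poster): a substring test over every line versus a test anchored to the header block and to the address token. The function names, the sample message and the rule that one earlier Delivered-To for the same address counts as a loop are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define DT_FIELD "Delivered-To: "   /* field name exactly as qmail writes it */

/* Constructed sample: the Subject ends in "Delivered-To " and the body quotes
 * a Delivered-To line, but the header itself names only the list address. */
static const char SAMPLE[] =
    "Return-Path: <list-return@lists.example>\n"
    "Delivered-To: mailing list list@lists.example\n"
    "Subject: Re: unexpected Delivered-To \n"
    "To: list@lists.example\n"
    "\n"
    "quoted in the body:\n"
    "Delivered-To: user@example.net\n";

/* Copy the next line (without CR/LF) into line and return the position after
 * it, or NULL at end of input. An over-long line is truncated but consumed
 * whole, so its tail can never be mistaken for the start of a new line. */
static const char *next_line(const char *msg, char *line, size_t cap)
{
    if (*msg == '\0') return NULL;
    size_t n = strcspn(msg, "\n");
    size_t copy = n < cap - 1 ? n : cap - 1;
    memcpy(line, msg, copy);
    line[copy] = '\0';
    if (copy > 0 && line[copy - 1] == '\r') line[copy - 1] = '\0';
    return msg[n] == '\n' ? msg + n + 1 : msg + n;
}

/* Substring test over the whole message: counts every line that merely
 * contains the words, including Subject and body lines. */
int substring_hits(const char *msg)
{
    char line[512];
    int hits = 0;
    while ((msg = next_line(msg, line, sizeof line)) != NULL)
        if (strstr(line, "Delivered-To") != NULL) hits++;
    return hits;
}

/* Anchored test: header only, field name at column 0, and the token around
 * '@' must equal the address being delivered to. Returns 1 for a loop. */
int is_looping(const char *msg, const char *address)
{
    char line[512];
    const size_t flen = sizeof DT_FIELD - 1;
    while ((msg = next_line(msg, line, sizeof line)) != NULL) {
        if (line[0] == '\0') break;                  /* blank line ends the header */
        if (strncmp(line, DT_FIELD, flen) != 0) continue;
        char *at = strchr(line + flen, '@');
        if (at == NULL) continue;                    /* no address on this line */
        char *start = at;
        while (start > line + flen && start[-1] != ' ' && start[-1] != '\t') start--;
        start[strcspn(start, " \t")] = '\0';         /* cut at end of the token */
        if (strcmp(start, address) == 0) return 1;
    }
    return 0;
}

int main(void)
{
    printf("substring candidates: %d\n", substring_hits(SAMPLE));
    printf("loop for user@example.net: %d\n", is_looping(SAMPLE, "user@example.net"));
    printf("loop for list@lists.example: %d\n", is_looping(SAMPLE, "list@lists.example"));
    return 0;
}
```

The anchored test still trusts whatever Delivered-To lines arrive in the header, so it removes the false positive discussed here but not the forging concern raised earlier in the thread.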
 
 
 





Re: [vchkpw] vchkpw@inter7.com ezmlm warning

2003-10-18 Thread Gregory Kuhn
At 02:31 PM 10/19/2003 +1000, Michael Bowe wrote:
I found you can replicate this bug simply by sending yourself a message with
a subject like this :
test Delivered-To<space>

Where <space> is a space char

I wonder if this affects all versions of vpopmail, or only the later devel
versions
I am running vpopmail-5.3.28

I have opened a tracker [826231] on sourceforge for this bug
I just tried and succeeded at duplicating this error using the method you 
described and I got the same result with this showing up in my qmail-smtpd log;

@40003f9215690f97728c new msg 916709
@40003f9215690fa950c4 info msg 916709: bytes 644 from [EMAIL PROTECTED] 
qp 81663 uid 1003
@40003f921569102fbaec starting delivery 26386: msg 916709 to local 
[EMAIL PROTECTED]
@40003f9215691030ff24 status: local 1/40 remote 1/40
@40003f9215691220c904 delivery 26386: failure: 
message_is_looping_/home/vpopmail/domains/ctch.net/gkuhn/Maildir//
@40003f921569127d0a34 status: local 0/40 remote 1/40
@40003f92156913b69ba4 bounce msg 916709 qp 81667
@40003f92156913d98cf4 end msg 916709
@40003f921569163c0e04 new msg 916741
@40003f921569164ca804 info msg 916741: bytes 1187 from  qp 81667 uid 1008
@40003f92156916d11a44 starting delivery 26387: msg 916741 to local 
[EMAIL PROTECTED]
@40003f92156916d2fea4 status: local 1/40 remote 1/40
@40003f9215691d37b6a4 delivery 26387: success: did_0+0+1/
@40003f9215691d6598bc status: local 0/40 remote 1/40
@40003f9215691d79ff64 end msg 916741

I am running vpopmail version 5.3.20 so it would seem at first glance that 
it affects all versions.

Greg

Gregory Kuhn
Coast to Coast Hosting
http://www.ctch.net
303-333-8947
303-726-4855 (Cell)
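
Finding these failures in a qmail-send log, as an added example (not from any poster): the status text is logged with underscores in place of spaces, and the recipient appears only on the earlier "starting delivery" line, so the two lines are joined on the delivery number. The log lines are constructed for the example and the function name is hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define LOOP_TAG "message_is_looping_"   /* spaces are logged as '_' */
#define MAX_INFLIGHT 64

struct delivery { long id; char rcpt[128]; };

/* Constructed log lines in qmail-send format (timestamps are made up). */
static const char SAMPLE_LOG[] =
    "@400000003f92156900000001 starting delivery 101: msg 5001 to local user@example.net\n"
    "@400000003f92156900000002 status: local 1/40 remote 0/40\n"
    "@400000003f92156900000003 delivery 101: failure: message_is_looping_/home/vpopmail/domains/example.net/user/Maildir//\n"
    "@400000003f92156900000004 starting delivery 102: msg 5002 to local other@example.net\n"
    "@400000003f92156900000005 delivery 102: success: did_0+0+1/\n"
    "@400000003f92156900000006 starting delivery 103: msg 5003 to local user@example.net\n"
    "@400000003f92156900000007 delivery 103: failure: message_is_looping_/home/vpopmail/domains/example.net/user/Maildir//\n"
    "@400000003f92156900000008 starting delivery 104: msg 5004 to local third@example.net\n"
    "@400000003f92156900000009 delivery 104: failure: message_is_looping_/home/vpopmail/domains/example.net/third/Maildir//\n";

/* Returns the number of looping failures logged for rcpt; *total receives
 * the number of looping failures for all recipients. */
int loop_failures_for(const char *log, const char *rcpt, int *total)
{
    struct delivery tab[MAX_INFLIGHT];
    char line[1024], who[128], kind[16], status[512];
    long id;
    int used = 0, hits = 0;

    *total = 0;
    while (*log != '\0') {
        /* take one log line, truncating anything beyond the buffer */
        size_t n = strcspn(log, "\n");
        size_t c = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, log, c);
        line[c] = '\0';
        log += n + (log[n] == '\n');

        if (sscanf(line, "%*s starting delivery %ld: msg %*d to %*s %127s",
                   &id, who) == 2) {
            if (used < MAX_INFLIGHT) {           /* remember who this delivery is for */
                tab[used].id = id;
                strcpy(tab[used].rcpt, who);
                used++;
            }
        } else if (sscanf(line, "%*s delivery %ld: %15[a-z]: %511s",
                          &id, kind, status) == 3) {
            int i = 0;
            while (i < used && tab[i].id != id) i++;
            if (i == used) continue;             /* start line is not in this log */
            if (strcmp(kind, "failure") == 0 &&
                strncmp(status, LOOP_TAG, sizeof LOOP_TAG - 1) == 0) {
                (*total)++;
                if (strcmp(tab[i].rcpt, rcpt) == 0) hits++;
            }
            tab[i] = tab[--used];                /* delivery finished, free the slot */
        }
    }
    return hits;
}

int main(void)
{
    int total;
    int mine = loop_failures_for(SAMPLE_LOG, "user@example.net", &total);
    printf("looping failures: %d for user@example.net, %d in total\n", mine, total);
    return 0;
}
```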



Re: [vchkpw] vchkpw@inter7.com ezmlm warning

2003-10-18 Thread Tom Collins
On Saturday, October 18, 2003, at 09:31  PM, Michael Bowe wrote:
I have opened a tracker [826231] on sourceforge for this bug
Can someone try this out on a development machine before I post it to 
CVS.  It seems to make sense to me and it compiles.  vdelivermail could 
definitely use a rewrite in the next development cycle.  I think that 
the looping code could be simplified greatly.

Index: vdelivermail.c
===
RCS file: /cvsroot/vpopmail/vpopmail/vdelivermail.c,v
retrieving revision 1.4
diff -u -r1.4 vdelivermail.c
--- vdelivermail.c  2 Oct 2003 16:12:20 -   1.4
+++ vdelivermail.c  19 Oct 2003 05:44:04 -
@@ -877,7 +877,7 @@
 while(fgets(loop_buf,sizeof(loop_buf),stdin)!=NULL){
 /* if we find the line, return error (looping) */
-if (strstr(loop_buf, Delivered-To)!= 0 
+if (strncmp(loop_buf, Delivered-To: , 14) == 0 
 is_loop_match(loop_buf, address)==1 ) {
 /* return the loop found */
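Review bot: the anchored strncmp on the + line is still run on every line the while(fgets(...)) loop returns, and nothing in this hunk stops the scan at the blank line that ends the header, so a body line that begins with Delivered-To: and names the recipient would still reach is_loop_match(). Consider leaving the loop at the first empty line. Two smaller points on the same line: the literal 14 is easy to get out of step with the string and could be derived from it (sizeof minus one), and because fgets hands back an over-long line in sizeof(loop_buf) pieces, a later piece of one long header can be treated as the start of a line.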
@@ -1313,6 +1313,7 @@
 /* walk forward in dt line for @ character */
 while ( *dt != '@'  *dt != 0 ) ++dt;
+if (*dt == 0) return 0;  /* no @ character found */
 /* now walk back to first space */
 while ( *dt != ' '  dt != startdt) --dt;
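Review bot: the walk-back loop on the last line can stop at startdt without having found a space, and the added early return does not cover that case, since it only handles a line with no @. It is worth confirming that the code after this point copes with dt == startdt. The new return 0 would also read better with a comment saying that 0 means "no loop match" to the caller, which tests is_loop_match(...)==1, and comparing against '\0' rather than 0 would match the character tests on the neighbouring lines.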
===
The first change makes sure the line STARTS with 'Delivered-To: ' 
instead of just containing the words.

The second change aborts the loop checker if the line doesn't contain 
an @.

--
Tom Collins  -  [EMAIL PROTECTED]
Note: The Tom Logic offices will be closed October 23 to November 18.
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/