[Rspamd-Users] Why does rspamd try to dkmim sign incoming mail?

G.W. Haywood rspamd at jubileegroup.co.uk
Thu Aug 22 16:46:26 UTC 2024


Hi there,

I think now I have more questions than you do... :)

On Thu, 22 Aug 2024, Johannes Rohr wrote:
> On 22.08.24 at 14:31, G.W. Haywood wrote:
> 
>> Do you mean mail from 'mailman' which you receive because you're a
>> subscriber to mailing lists operated by mailman, or do you mean to say
>> that you're running mailman yourself to operate mailing lists?
>
> The latter. We run a mailman3 instance on the same server. However, the mail 
> in question did NOT come from mailman. My suspicion was wrong. There is no 
> trace of it in the mailman logs. In the postfix and dovecot log I see:
>
> Aug 21 19:44:35 ida postfix/bounce[3085023]: 95BE63937124C: sender non-delivery notification: 43F553937124F
> Aug 21 19:44:35 ida postfix/qmgr[3026741]: 43F553937124F: from=<>, size=5334, nrcpt=1 (queue active)
> Aug 21 19:44:35 ida postfix/qmgr[3026741]: 95BE63937124C: removed
> Aug 21 19:44:35 ida postfix/smtp[3085020]: 43F553937124F: to=<upnulxk at folowaunt.de>, relay=mail.folowaunt.de[217.79.178.57]:25, delay=0.08, delays=0.01/0/0.04/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4F3848126737)
> Aug 21 19:44:35 ida postfix/qmgr[3026741]: 43F553937124F: removed
> Aug 21 19:44:36 ida dovecot: imap-login: Login: user=<*****@*****>, method=PLAIN, rip=2a01:4f8:10a:2758::2, lip=2a01:4f8:10a:2758::2, mpid=3085045, TLS, session=<hjN8GDUg7OAqAQT4AQonWAAAAAAAAAAC>
> Aug 21 19:44:36 ida dovecot: imap(******@*****)<3085045><hjN8GDUg7OAqAQT4AQonWAAAAAAAAAAC>: Disconnected: Logged out in=320 out=1707 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
>
> So mailman isn't involved. This message was delivered to a regular mail 
> account.
>
> So I remain at a loss why rspamd seems to receive it two times

It's difficult for me to see exactly what's going on from the very
short log extracts you've posted.  I'm unfamiliar with Postfix logs
but I do see a couple of things above which interest me.

Firstly, looking at mail.folowaunt.de[217.79.178.57].

That IP is part of a /29:

8<-------------------------------------------------------------------------------------------------------------------
milter=> SELECT * FROM xm_geo2 where network && '217.79.178.57' ORDER BY as_name ;
      network      |      asnet      |      geonet      | asnum |       as_name       | geoname_id | country_iso_code 
------------------+-----------------+------------------+-------+---------------------+------------+------------------
  217.79.178.56/29 | 217.79.176.0/20 | 217.79.178.56/29 | 24961 | myLoc managed IT AG |    2921044 | DE
(1 row)
8<-------------------------------------------------------------------------------------------------------------------

I assume that this is not one of your IPs?  It is currently listed at
abuseipdb.com 88 times:

https://www.abuseipdb.com/check/217.79.178.57

A reverse lookup makes the hairs on the back of my neck bristle:

8<----------------------------------
$ dig +short mail.folowaunt.de
217.79.178.57
$ dig +short -x 217.79.178.57
in.визион.биз.рус.
$ 
8<----------------------------------

Secondly, there's 2a01:4f8:10a:2758::2 in the dovecot log:

> Aug 21 19:44:36 ida dovecot: imap-login: Login: user=<*****@*****>, method=PLAIN, rip=2a01:4f8:10a:2758::2, lip=2a01:4f8:10a:2758::2, mpid=3085045, TLS, session=<hjN8GDUg7OAqAQT4AQonWAAAAAAAAAAC>

Is the IP 2a01:4f8:10a:2758::2 intended to be accessible to the world?

> In the rspamd log with debug turned on I see:
> ...
> 2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol; rspamd_protocol_handle_headers: read IP header, value: 127.0.0.1:0
> ...
> What is this "IP header"? Asking because there is no standard email header by 
> that name.

No, there's no "IP" header in mail but there are "Received" headers
for example, and it's just about possible that this is taken from one
of those, but more likely I would guess is that the author of rspamd
has his own ideas about headers.  It might help me if I could see the
offending message complete (with *full* headers) if you can allow it.

Again guessing, I guess the "IP header" is fabricated by rspamd when
the connection is made by rspamd's client.  Presumably in this case
that would be localhost, your own machine.  That would be normal for
connections between separate processes communicating with each other
over TCP.  But I can't guarantee it.  Many attackers try to spoof IPs
and hostnames.  Hostnames are easy to spoof and it's easy to spot it
when it happens.  IPs are harder to spoof and it might not be so easy
to spot that when it happens.  I don't think I've ever seen it.

> What also surprises me is this:
>
> 2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol; 
> rspamd_protocol_handle_headers: read user-agent header, value: Postfix 3.6.4
> 2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol; 
> rspamd_protocol_handle_headers: read MTA-Name header, value: mail.[myserver]
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Does this indicate, that this mail was really sent by my server or can this 
> be spoofed as well?

Spoofed as well as what? :)

What in that snippet leads you to suspect that it might have been sent
by your server?  I wouldn't normally think of Postfix as a user agent.
Lots of people run Postfix so there's nothing about that which would
unambiguously point to any one machine in particular.  Apart from that
I don't understand what I'm seeing there.  But if you have to ask if
your server sent a message or not I think you need to spend much more
quality time with your logs until it's second nature for you to know
the answer - almost without thinking about it.  Sometimes I watch my
Sendmail logs scroll past in 'less' for an hour or more in the day.

Do you recognize "[myserver]"?  Is that exactly what was in the log or
is there something that you redacted from the log?  It certainly isn't
a FQDN, there is no 'myserver' top-level domain.  Many spammers will
try to send mail using bogus names like localhost.localdomain but that
doesn't mean there isn't a legitimate reason for this name.  The fact
that it is in square brackets puzzles me, but as I said I'm unfamiliar
with Postfix logs so I don't know if it's something Postfix might do.

Maybe someone more familiar with the Postfix/rspamd interface would be
able to help, but I would need more context to make more sense of it.

> And then, there is this:
>
> 2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol; 
> rspamd_protocol_handle_headers: read hostname header, value: localhost
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Again, is this taken from the header of the actual email or where does this 
> come from?

I don't know.  If I could see the email in question complete with all
headers - preferably after it has reached the recipient's mailbox -
then I could probably help you more with this.

There are a lot of questions in my mind right now, but one of the most
important things I think to establish before we finish this thread is,
if you are seeing mail that you can't be sure you expect to see, that
your system has not been compromised by criminals to send their mail.

-- 

73,
Ged.
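Added example (not from the thread, and not rspamd's own code): a small parser for the `rspamd_protocol_handle_headers` debug lines quoted above, grouping them per rspamd task id and reporting whether the client address rspamd recorded in its "IP" value is loopback, private, or external. The sample log is constructed from the lines in the thread (rejoined onto single lines where the mail client wrapped them) plus a hypothetical second task `a1b2c3` for contrast.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample log: the four lines quoted in the thread (task 63b6c2)
# and one hypothetical non-local task (a1b2c3) added for contrast.
SAMPLE_LOG = """\
2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol; rspamd_protocol_handle_headers: read IP header, value: 127.0.0.1:0
2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol; rspamd_protocol_handle_headers: read user-agent header, value: Postfix 3.6.4
2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol; rspamd_protocol_handle_headers: read MTA-Name header, value: mail.[myserver]
2024-08-21 19:44:34 #3011551(normal) <63b6c2>; protocol; rspamd_protocol_handle_headers: read hostname header, value: localhost
2024-08-21 19:44:10 #3011551(normal) <a1b2c3>; protocol; rspamd_protocol_handle_headers: read IP header, value: 217.79.178.57:0
2024-08-21 19:44:10 #3011551(normal) <a1b2c3>; protocol; rspamd_protocol_handle_headers: read hostname header, value: mail.folowaunt.de
"""

# Matches the "read <name> header, value: <value>" debug line shape seen in the thread.
HEADER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) #\d+\(\w+\) <(?P<task>[0-9a-f]+)>; protocol; "
    r"rspamd_protocol_handle_headers: read (?P<name>\S+) header, value: (?P<value>.*)$"
)

def parse_protocol_headers(log_text):
    """Group the header name/value pairs rspamd logged, keyed by task id."""
    tasks = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            tasks[m["task"]][m["name"].lower()] = m["value"].strip()
    return dict(tasks)

def split_ip_port(value):
    """Return the address from an 'ip:port' / '[ip6]:port' / bare-ip value, or None."""
    for candidate in (value, value.rsplit(":", 1)[0]):
        try:
            return ipaddress.ip_address(candidate.strip("[]"))
        except ValueError:
            continue
    return None

def classify_task(headers):
    """Summarise where rspamd believed the submitting client connected from."""
    addr = split_ip_port(headers.get("ip", ""))
    if addr is None:
        source = "unparseable"
    elif addr.is_loopback:
        source = "loopback"        # the client was a local process, e.g. the milter proxy
    elif addr.is_private:
        source = "private"
    else:
        source = "external"
    return {"source": source, "client_ip": str(addr) if addr else None,
            "hostname": headers.get("hostname"), "mta_name": headers.get("mta-name"),
            "user_agent": headers.get("user-agent")}

if __name__ == "__main__":
    for task, headers in parse_protocol_headers(SAMPLE_LOG).items():
        print(task, classify_task(headers))
```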

