Dropping email on the floor?

Jeff Kinz jkinz at kinz.org
Fri Apr 15 20:20:26 UTC 2005


On Fri, Apr 15, 2005 at 11:33:35AM -0700, Rick Stevens wrote:
> Jeff Kinz wrote:
> > Hi Guys,
> > I've just recently started seeing large numbers of emails being dropped,
> > but only from specific sources
> > 
> > Here is what sendmail verbose mode is showing (two examples):
> > 
> > 26969 >>> 220 redline.kinz.org ESMTP Sendmail 8.11.6/8.11.6; Fri, 15 Apr 2005 13:29:23 -0400
> > 26969 <<< EHLO nl-mail5.internet.com
> > 26969 >>> 250-redline.kinz.org Hello nl-mail5.internet.com [64.62.164.185], pleased to meet you
> > 26969 >>> 250-ENHANCEDSTATUSCODES
> > 26969 >>> 250-8BITMIME
> > 26969 >>> 250-SIZE
> > 26969 >>> 250-DSN
> > 26969 >>> 250-ONEX
> > 26969 >>> 250-ETRN
> > 26969 >>> 250-XUSR
> > 26969 >>> 250-AUTH GSSAPI
> > 26969 >>> 250 HELP
> > 26969 <<< MAIL FROM:<newsletter at nl.internet.com>
> > 26970 >>> 250 2.1.0 <newsletter at nl.internet.com>... Sender ok
> > 26970 <<< [EOF]
> > 26970 >>> 421 4.4.1 redline.kinz.org Lost input channel from nl-mail5.internet.com [64.62.164.185]
> > 26968 >>> 220 redline.kinz.org ESMTP Sendmail 8.11.6/8.11.6; Fri, 15 Apr 2005 13:29:25 -0400
> > 26968 <<< HELO n19a.bulk.scd.yahoo.com
> > 26968 >>> 250 redline.kinz.org Hello n19a.bulk.scd.yahoo.com [66.94.237.48], pleased to meet you
> > 26968 <<< MAIL FROM:<sentto-311578-3615-1113585173-jkinz=kinz.org at returns.groups.yahoo.com>
> > 26971 >>> 250 2.1.0 <sentto-311578-3615-1113585173-jkinz=kinz.org at returns.groups.yahoo.com>...  Sender ok
> > 26971 <<< RSET
> > 26971 >>> 250 2.0.0 Reset state
> > 26968 <<< QUIT
> > 26968 >>> 221 2.0.0 redline.kinz.org closing connection
> > 
> > 
> > There seem to be two failure modes, one is the "Lost input channel" and
> > the other is getting a SMTP "RSET" command from the MTA of the sending
> > side.
> 
> The first one is a fairly common probe by machines looking for open
> relays--especially MS Exchange servers.  I'd consider that an attack.
> The second one looks like a similar attack, but more along the lines of
> an attempted SMTP DOS attack.  I'm willing to bet that the IP addresses
> are spoofed as well.

It seems I forgot some essential information, er, um, these two email
sources, internet.com and bulk.scd.yahoo.com are legitimate email
sources trying to send me email for various email lists that I signed up 
for.  I have been happily receiving email from them for some time but I
noticed that at some point in the past it was becoming unreliable and
recently they all started just failing.


> 
> > NOTE: "<<<" seems to indicate messages sent by the external SMTP party and
> > ">>>" seems to indicate responses by my side (the "inside")
> 
> Yes, "<<<" refers to INCOMING traffic TO your machine, ">>>" refers to
> OUTGOING traffic FROM your machine (think of the arrows as relative
> to your system).
> 
> > NOTE:  Comcast is having DNS server problems, Can that be affecting
> > this? and if so, why only for internet.com and yahoo groups bulk mail
> > servers?
> 
> No, these are not DNS issues (otherwise you'd get only the IP address
> of the remote machines and not a reverse DNS resolution giving the host
> names).  The reverse resolution is correct, BTW, but the IPs are
> probably spoofed.

It seems the IPs are not spoofed. I did some lookups and correlated my
tcpdump captures to those IP/domain-name pairs.  The IPs and domain
names are correct as read in from the Internet IP traffic before
entering the sendmail conversation, and they match the info given in the
sendmail conversation; even more disconcerting, the online archives of
those email lists are providing live traffic info which matches these
failed deliveries.

I am dumbfounded.

Any suggestions on what steps I can take to try to diagnose the
problems?  Also, is there any command line option for sendmail to report
its version number (or any other mechanism)?



> 
> > ONEMORENOTE:
> > I have turned off all my sorbs style email blocking while trying to
> > figure this out.  It seems to make no difference.  FPIA
> 
> As I said, these look like probes to see if YOU are an open relay.
> Welcome to the world of mail administration.  Remember, I get this
> crap every day and we process over 1M legitimate messages per day (and
> reject about 2M due to spam, viruses or probes such as you're seeing).
> ----------------------------------------------------------------------
> - Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
> - VitalStream, Inc.                       http://www.vitalstream.com -
> -                                                                    -
> -           What is a "free" gift?  Aren't all gifts free?           -
> ----------------------------------------------------------------------
> 

-- 
"The only system which is truly secure, is one which is switched off
and unplugged, locked in a titanium lined safe, buried in a concrete
bunker, surrounded by nerve gas and very highly paid armed guards. Even
then, I wouldn't stake my life on it" - Gene Spafford 
(Good thing. the law of unintended consequences: A laptop, w/wireless
NIC and wake on "date" set in the BIOS)

Jargon file, abrgd.: The September that never ended. On the Internet,
every September's freshmen influx got their first accounts and, not
knowing how to post/email, always made a nuisance of themselves. Usually
they were trained in a few months. But in September 1993, AOL users
became able to post, overwhelming the capacity to acculturate them; to
those who recall the period before, this triggered a decline in the
quality of online communications. Syn. eternal September.

http://kinz.org
http://www.fedoranews.org
Jeff Kinz, Emergent Research, Hudson, MA.
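An added example, not code from the thread: it splits a verbose sendmail transcript like the one quoted above into SMTP sessions (one per ">>> 220" banner, since the PID changes mid-conversation as shown) and tags each with the failure mode the thread names, a "Lost input channel" 421 or an RSET after MAIL FROM with no DATA, so the failing peers can be listed by host and address. The transcript text is a constructed sample shaped like the quoted one.

```python
import re

# Constructed sample shaped like the verbose transcript quoted in the thread
# (abbreviated; addresses use "@" where the list archive shows " at ").
SAMPLE = """\
26969 >>> 220 redline.kinz.org ESMTP Sendmail 8.11.6/8.11.6; Fri, 15 Apr 2005 13:29:23 -0400
26969 <<< EHLO nl-mail5.internet.com
26969 >>> 250-redline.kinz.org Hello nl-mail5.internet.com [64.62.164.185], pleased to meet you
26969 <<< MAIL FROM:<newsletter@nl.internet.com>
26970 <<< [EOF]
26970 >>> 421 4.4.1 redline.kinz.org Lost input channel from nl-mail5.internet.com [64.62.164.185]
26968 >>> 220 redline.kinz.org ESMTP Sendmail 8.11.6/8.11.6; Fri, 15 Apr 2005 13:29:25 -0400
26968 <<< HELO n19a.bulk.scd.yahoo.com
26968 >>> 250 redline.kinz.org Hello n19a.bulk.scd.yahoo.com [66.94.237.48], pleased to meet you
26968 <<< MAIL FROM:<sentto-311578-3615-1113585173-jkinz=kinz.org@returns.groups.yahoo.com>
26971 <<< RSET
26968 <<< QUIT
26968 >>> 221 2.0.0 redline.kinz.org closing connection
"""

LINE_RE = re.compile(r"^(\d+) (<<<|>>>) (.*)$", re.M)   # pid, direction, text
HELLO_RE = re.compile(r"Hello (\S+) \[([^\]]+)\]")       # peer host name and address

def parse_sessions(transcript):
    """Group transcript lines into sessions (one per ">>> 220" banner, regardless
    of PID, since sendmail forks mid-conversation) and classify how each ended."""
    sessions, cur = [], None
    for m in LINE_RE.finditer(transcript):
        direction, text = m.group(2, 3)
        if direction == ">>>" and text.startswith("220 "):   # banner: new session
            cur = {"host": None, "ip": None, "sender": None, "data": False, "outcome": "incomplete"}
            sessions.append(cur)
        elif cur and direction == ">>>":                       # our replies
            hello = HELLO_RE.search(text)
            if hello:
                cur["host"], cur["ip"] = hello.groups()
            elif text.startswith("421 ") and "Lost input channel" in text:
                cur["outcome"] = "lost-input-channel"          # peer hung up mid-envelope
            elif text.startswith("221 ") and cur["outcome"] == "incomplete":
                cur["outcome"] = "data-sent" if cur["data"] else "quit-without-data"
        elif cur:                                              # peer commands
            cmd = text.split(":")[0].strip().upper()
            if cmd == "MAIL FROM":
                cur["sender"] = text.partition(":")[2].strip("<> ")
            elif cmd == "DATA":
                cur["data"] = True
            elif cmd == "RSET" and cur["sender"] and not cur["data"]:
                cur["outcome"] = "rset-before-data"            # envelope abandoned
    return sessions
```

Sessions whose outcome is anything other than "data-sent" are the ones to correlate against the tcpdump captures mentioned in the thread.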



