Mailing List SIMS@mail.stalker.com Message #12717
From: Global Homes Webmaster <webmaster@globalhomes.com>
Subject: Re: Spam and NULL
Date: Thu, 3 Apr 2003 10:53:10 -0800
To: SIMS Discussions <SIMS@mail.stalker.com>
X-Mailer: Mailsmith 1.5.4 (Blindsider)
On 04/03/03 at 06:17, Dene Stringfellow opined:

> I would be grateful if somebody could clarify the following for me.
>
> I originally had the following router blocks in place in an effort to
> block spam:
>
> *@ucc.ie = null
> <*@ucc.ie> = null

'*@ucc.ie' is a local alias, so it needs to be enclosed in angle brackets,
so the first line uses invalid syntax. You should only need the second
line. An equivalent to the second line, which seems cleaner to me, is to
use domain level routing as in:

ucc.ie = null

You might also want to catch sub-domains of ucc.ie with:

*.ucc.ie = null

> The resulting log displayed the following:
>
> 06:18:04 4 SMTP-003([192.168.4.220]) Sending 220-ridgedale.co.uk Stalker
> Internet Mail Server V.1.8b9d14 is ready.\r\n220 ESMTP is spoken here.
> You are very welcome\r\n
> 06:18:04 5 SMTP-003([192.168.4.220]) OT 119 of 119 bytes sent, Flags=0
> 06:18:04 5 SMTP-003([192.168.4.220]) *Status=22
> 06:18:04 5 SMTP-003([192.168.4.220]) Received 20 bytes
> 06:18:04 4 SMTP-003([192.168.4.220]) Input Line: HELO 192.168.4.220\r
> 06:18:04 5 SMTP-003([192.168.4.220]) *Status=21
> 06:18:04 4 SMTP-003(192.168.4.220) Looking for 192.168.4.220
> 06:18:04 4 SMTP-003(192.168.4.220) Sending 250 ridgedale.co.uk is
> pleased to meet you\r\n
> 06:18:04 5 SMTP-003(192.168.4.220) OT 44 of 44 bytes sent, Flags=0
> 06:18:04 5 SMTP-003(192.168.4.220) *Status=22
> 06:18:04 5 SMTP-003(192.168.4.220) Received 6 bytes
> 06:18:04 4 SMTP-003(192.168.4.220) Input Line: RSET\r
> 06:18:04 4 SMTP-003(192.168.4.220) Sending 250 SMTP state reset\r\n
> 06:18:04 5 SMTP-003(192.168.4.220) OT 22 of 22 bytes sent, Flags=0
> 06:18:04 5 SMTP-003(192.168.4.220) *Status=22
> 06:18:05 5 SMTP-003(192.168.4.220) Received 34 bytes
> 06:18:05 4 SMTP-003(192.168.4.220) Input Line: MAIL
> FROM:<moviekliypirg@ucc.ie>\r
> 06:18:05 5 SMTP-003(192.168.4.220) *Status=25
> 06:18:05 1 SMTP-003(192.168.4.220) Return-Path '<moviekliypirg@ucc.ie>'
> rejected: routed to ERROR
> 06:18:05 4 SMTP-003(192.168.4.220) Sending 572 <moviekliypirg@ucc.ie>
> address is blacklisted.\r\n
> 06:18:05 5 SMTP-003(192.168.4.220) OT 52 of 52 bytes sent, Flags=0
> 06:18:05 5 SMTP-003(192.168.4.220) *Status=24
> 06:18:06 5 SMTP-003(192.168.4.220) Received 6 bytes
> 06:18:06 4 SMTP-003(192.168.4.220) Input Line: RSET\r
> 06:18:06 5 SMTP-003(192.168.4.220) *Status=22
> 06:18:06 4 SMTP-003(192.168.4.220) Sending 250 SMTP state reset\r\n
> 06:18:06 5 SMTP-003(192.168.4.220) OT 22 of 22 bytes sent, Flags=0
> 06:18:06 5 SMTP-003(192.168.4.220) *Status=22
>
> - the mail server appearing to respond to the spam mail and routing to
> ERROR!

If the only relevant entries in your router are (or were) what you showed
above, then yes, it is very odd that SIMS would route
<moviekliypirg@ucc.ie> to ERROR and reject the message. Given the entries
routing ucc.ie addresses to NULL, SIMS should accept the message and
deliver it to the void. Are you certain that there are no entries in your
router, occurring above the two lines you've shown us, that would route
<moviekliypirg@ucc.ie> to ERROR?

> Having read through some of the threads in the mail list, I
> changed the router setting to the following:
>
> *@ucc.ie = null
> <*@ucc.ie> = null
> <moviekliypirg@ucc.ie> = null

I'm not certain, but I think that first line might be mucking up the works.
The third (new) line is superfluous since the address
<moviekliypirg@ucc.ie> will (should) be matched by the line above it and
never compared to the '<moviekliypirg@ucc.ie> = null' line.

> The resulting log then displayed the following:
>
> 10:42:24 2 SYSTEM [S.0000013112]
> <1041193274.825@mail198.mistlebranch.com> 0+1 From:moviekliypirg@ucc.ie
> 10:42:24 2 SYSTEM(POP) [S.0000013112] delivered to (spacemonkey)
> 10:42:24 5 SMTP-009(192.168.4.220) Received 34 bytes
> 10:42:24 4 SMTP-009(192.168.4.220) Input Line: MAIL
> FROM:<moviekliypirg@ucc.ie>\r
> 10:42:24 5 SMTP-009(192.168.4.220) *Status=25
> 10:42:24 4 SMTP-009(192.168.4.220) Sending 250 <moviekliypirg@ucc.ie>
> sender accepted\r\n
> 10:42:24 5 SMTP-009(192.168.4.220) OT 44 of 44 bytes sent, Flags=0
> 10:42:24 5 SMTP-009(192.168.4.220) *Status=23
> 10:42:25 5 SMTP-009(192.168.4.220) Received 36 bytes
> 10:42:25 4 SMTP-009(192.168.4.220) Input Line: RCPT
> TO:<spacemonkey@gofree.co.uk>\r
> 10:42:25 5 SMTP-009(192.168.4.220) *Status=33
> 10:42:25 2 SYSTEM [S.0000013112] deleted
> 10:42:25 4 SMTP-009(192.168.4.220) Sending 250
> <spacemonkey@gofree.co.uk> recipient accepted\r\n
> 10:42:25 5 SMTP-009(192.168.4.220) OT 51 of 51 bytes sent, Flags=0
> 10:42:25 5 SMTP-009(192.168.4.220) *Status=23
> 10:42:25 5 SMTP-009(192.168.4.220) Received 6 bytes
> 10:42:25 4 SMTP-009(192.168.4.220) Input Line: DATA\r
> 10:42:25 4 SMTP-009(192.168.4.220) Sending 354 Enter mail, end with "."
> on a line by itself\r\n
> 10:42:25 5 SMTP-009(192.168.4.220) OT 50 of 50 bytes sent, Flags=0
> 10:42:25 5 SMTP-009(192.168.4.220) *Status=27
> 10:42:25 5 SMTP-009(192.168.4.220) Received 606 bytes
> 10:42:25 5 SMTP-009(192.168.4.220) Received 449 bytes
> 10:42:25 5 SMTP-009(192.168.4.220) Writing 1327 byte at 0
> 10:42:25 5 SMTP-009(192.168.4.220) *Status=28
> 10:42:25 2 SMTP-009(192.168.4.220) {S.0000013113} received, 1327 bytes
> 10:42:25 4 SMTP-009(192.168.4.220) Sending 250 S.0000013113 message
> accepted for delivery\r\n
> 10:42:25 5 SMTP-009(192.168.4.220) OT 48 of 48 bytes sent, Flags=0
> 10:42:25 5 SMTP-009(192.168.4.220) *Status=22
> 10:42:26 5 SMTP-009(192.168.4.220) Received 6 bytes
> 10:42:26 4 SMTP-009(192.168.4.220) Input Line: RSET\r
> 10:42:26 4 SMTP-009(192.168.4.220) Sending 250 SMTP state reset\r\n
> 10:42:26 5 SMTP-009(192.168.4.220) OT 22 of 22 bytes sent, Flags=0
> 10:42:26 5 SMTP-009(192.168.4.220) *Status=22
> 10:42:26 5 SMTP-009(192.168.4.220) Received 34 bytes
> 10:42:26 4 SMTP-009(192.168.4.220) Input Line: MAIL
> FROM:<hornyporjwdul@ucc.ie>\r
> 10:42:26 5 SMTP-009(192.168.4.220) *Status=25
> 10:42:26 4 SMTP-009(192.168.4.220) Sending 250 <hornyporjwdul@ucc.ie>
> sender accepted\r\n
> 10:42:26 5 SMTP-009(192.168.4.220) OT 44 of 44 bytes sent, Flags=0
> 10:42:26 5 SMTP-009(192.168.4.220) *Status=23
> 10:42:27 2 SYSTEM [S.0000013113]
> <1041193274.825@mail198.mistlebranch.com> 0+1 From:moviekliypirg@ucc.ie
> 10:42:27 2 SYSTEM(POP) [S.0000013113] delivered to (spacemonkey)
> 10:42:27 5 SMTP-009(192.168.4.220) Received 36 bytes
> 10:42:27 4 SMTP-009(192.168.4.220) Input Line: RCPT
> TO:<spacemonkey@gofree.co.uk>\r
> 10:42:27 5 SMTP-009(192.168.4.220) *Status=33
> 10:42:27 2 SYSTEM [S.0000013113] deleted
>
> The emails from moviekliypirg@ucc.ie were then found to have arrived in
> the user mailbox! The SIMS server still appears to be responding to this
> spam!
> I understood that when routing to null the mail would be automatically
> deleted, and not delivered to the user! Or am I misinterpreting these
> logs?

Routing to NULL causes SIMS to accept the message and then deliver it to
nowhere (i.e. to the NULL account). So, your understanding is essentially
correct. It is arguably better to route to ERROR rather than to NULL,
though, because routing to ERROR will cause SIMS to reject the messages and
tell that to the sending MTA, so a bounce message will be generated back to
the message's sender. When a message is routed to NULL, since the message
is accepted, the sending MTA thinks that it has relayed it successfully,
and there is no bounce generated -- as far as the sender can see, the
message was delivered successfully. At any rate, I'd recommend that you
change your router entries to either:

ucc.ie = null
*.ucc.ie = null

OR

ucc.ie = error
*.ucc.ie = error

--
                   Christopher Bort | cbort@globalhomes.com
            Webmaster, Global Homes | webmaster@globalhomes.com
                      <http://www.globalhomes.com/>
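
Added example (not part of the original message, and not SIMS code): a log check that pairs each MAIL FROM with the SMTP reply sent in the same session, so senders in a blocked domain that were accepted (250) can be told apart from those rejected (572). The function names, the sample log and the blocked-domain list are assumptions; the entry format follows the log quoted above.

```python
import re

# Constructed sample: entries in the log format quoted above, with the mail
# client's line wrapping left in and one interleaved SYSTEM record.
SAMPLE_LOG = r"""
06:18:05 4 SMTP-003(192.168.4.220) Input Line: MAIL
FROM:<moviekliypirg@ucc.ie>\r
06:18:05 1 SMTP-003(192.168.4.220) Return-Path '<moviekliypirg@ucc.ie>'
rejected: routed to ERROR
06:18:05 4 SMTP-003(192.168.4.220) Sending 572 <moviekliypirg@ucc.ie>
address is blacklisted.\r\n
10:42:26 4 SMTP-009(192.168.4.220) Input Line: MAIL
FROM:<hornyporjwdul@ucc.ie>\r
10:42:26 2 SYSTEM [S.0000013113] deleted
10:42:26 4 SMTP-009(192.168.4.220) Sending 250 <hornyporjwdul@ucc.ie>
sender accepted\r\n
"""

RECORD = re.compile(r"^(\d\d:\d\d:\d\d) \d (\S+) (.*)$")
MAIL_FROM = re.compile(r"Input Line: MAIL\s+FROM:<([^>]*)>", re.I)
REPLY = re.compile(r"^Sending (\d{3})[ -]")

def records(text):
    """Yield [time, session, message], folding wrapped lines into one record."""
    current = None
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            if current:
                yield current
            current = [m.group(1), m.group(2).split("(")[0], m.group(3)]
        elif current and line.strip():
            current[2] += " " + line.strip()
    if current:
        yield current

def audit_senders(text, blocked):
    """Return (reply time, sender, reply code, listed) per MAIL FROM; 'listed'
    covers a blocked domain and its sub-domains (ucc.ie and *.ucc.ie)."""
    pending, out = {}, []
    for time, session, msg in records(text):
        m, r = MAIL_FROM.search(msg), REPLY.match(msg)
        if m:
            pending[session] = m.group(1)
        elif r and session in pending:
            sender = pending.pop(session)
            domain = sender.rpartition("@")[2].lower()
            listed = any(domain == d or domain.endswith("." + d) for d in blocked)
            out.append((time, sender, int(r.group(1)), listed))
    return out
```

Any tuple with `listed` true and a 2xx code is a blocked-domain sender the server accepted at MAIL FROM, which is the case worth following through to delivery in the rest of the log.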