Received spam from localhost?

Bugs in eFa 4
ENFRXB
Posts: 2
Joined: 03 Oct 2023 10:17

Post by ENFRXB »

Today we received some spam that was strangely whitelisted.

On closer inspection the report states that it was received from and via 127.0.0.1 but that doesn't seem to be the case? Only a few of the same emails were tagged as spam and EFA did not report them as coming from 127.0.0.1.

Here are the headers for the spam that EFA reports coming from 127.0.0.1 and was whitelisted:

Received: from out208-127.dm.aliyun.com (4S00JX0yDtz4x8Mx)
     (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
     (no client certificate requested)
     by efa.mydomain.com (MailScanner Milter) with SMTP id 4S00JZ3TLWz4x8Mx
     for <recipient@mydomain.com>; Tue, 3 Oct 2023 04:16:15 +0300 (EEST)
DMARC-Filter: OpenDMARC Filter v1.4.1 efa.mydomain.com 4S00JZ3TLWz4x8Mx
Authentication-Results: efa.mydomain.com; dmarc=none (p=none dis=none) header.from=alln.cn
Authentication-Results: efa.mydomain.com; spf=fail smtp.mailfrom=alln.cn
DKIM-Filter: OpenDKIM Filter v2.11.0 efa.mydomain.com 4S00JZ3TLWz4x8Mx
X-AliDM-RcptTo: amFhbmEucGF1bm9uZW5AcmFzZWtvLmZp
Feedback-ID: default:sales03@alln.cn:batch:263576
Received: from chitu-hsf(mailfrom:sales03@alln.cn fp:ma_600000039466237807)
by smtp.aliyun-inc.com(127.0.0.1);
Tue, 03 Oct 2023 09:14:39 +0800
Date: Tue, 03 Oct 2023 09:14:39 +0800
From: "cncparts@gmail.com" <sales03@alln.cn>
To: <recipient@mydomain.com>
Message-ID: <def0938c-51e2-469d-8a9a-be13f0ad1b81@alibaba.com>
Subject: Inquiry for machined components
X-Priority: 3
X-Mailer: Alimail-Mailagent
MIME-Version: 1.0
X-EnvId: 600000039466237810
X-Mailer: Alimail-Mailagent
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

And here is the same spam that was not reported as coming from 127.0.0.1 and was not whitelisted:

Received: from out208-127.dm.aliyun.com (out208-127.dm.aliyun.com [140.205.208.127])
     (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
     (no client certificate requested)
     by efa.mydomain.com (MailScanner Milter) with SMTP id 4S00Hz6QHwz4x8NR
     for <recipient@mydomain.com>; Tue, 3 Oct 2023 04:15:44 +0300 (EEST)
DMARC-Filter: OpenDMARC Filter v1.4.1 efa.mydomain.com 4S00Hz6QHwz4x8NR
Authentication-Results: efa.mydomain.com; dmarc=none (p=none dis=none) header.from=alln.cn
Authentication-Results: efa.mydomain.com; spf=fail smtp.mailfrom=alln.cn
DKIM-Filter: OpenDKIM Filter v2.11.0 efa.mydomain.com 4S00Hz6QHwz4x8NR
X-AliDM-RcptTo: aGFrZW11a3NldEByYXNla28uZmk=
Feedback-ID: default:sales03@alln.cn:batch:263576
Received: from chitu-hsf(mailfrom:sales03@alln.cn fp:ma_600000039466237807)
by smtp.aliyun-inc.com(127.0.0.1);
Tue, 03 Oct 2023 09:14:39 +0800
Date: Tue, 03 Oct 2023 09:14:39 +0800
From: "cncparts@gmail.com" <sales03@alln.cn>
To: <recipient@mydomain.com>
Message-ID: <def0938c-51e2-469d-8a9a-be13f0ad1b81@alibaba.com>
Subject: Inquiry for machined components
X-Priority: 3
X-Mailer: Alimail-Mailagent
MIME-Version: 1.0
X-EnvId: 600000039466237810
X-Mailer: Alimail-Mailagent
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

The only thing that catches my eye is the very first line, the "Received: from" part. The spam that was not reported as coming from 127.0.0.1 has an IP address, while the whitelisted one doesn't.
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Received spam from localhost?

Post by shawniverson »

This definitely looks like a bug.

The Received line should always look like this:

Received: from out208-127.dm.aliyun.com (out208-127.dm.aliyun.com [140.205.208.127])

and never like this:

Received: from out208-127.dm.aliyun.com (4S00JX0yDtz4x8Mx)

The "4S00JX0yDtz4x8Mx" is an SMTP queue ID. This should never happen because the helo callback is supposed to be preceded by the connect callback, which populates the hostname and IP address. Somehow a helo callback was called at the wrong time in the SMTP conversation.

The result was that it confused mailscanner and the message was treated as coming from localhost because of the subsequent Received line in the email.
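As an added illustration of the failure mode described above (this is not eFa or MailScanner code): a small Python check that parses the Received chain, returns the connecting IP only when the milter's first hop has the expected "host [ip]" form, and shows how a naive fallback to the next Received line lands on the upstream server's 127.0.0.1. The sample headers are constructed from the two messages quoted in the thread; the whitelist and the function names are assumptions made for the example.

```python
import re

# Constructed sample headers, based on the two messages quoted in the thread
# (one with the proper "host [ip]" clause, one with only the bare queue ID).
GOOD = (
    "Received: from out208-127.dm.aliyun.com (out208-127.dm.aliyun.com [140.205.208.127])\n"
    "\tby efa.mydomain.com (MailScanner Milter) with SMTP id 4S00Hz6QHwz4x8NR;\n"
    "\tTue, 3 Oct 2023 04:15:44 +0300 (EEST)\n"
    "Received: from chitu-hsf(mailfrom:sales03@alln.cn fp:ma_600000039466237807)\n"
    "\tby smtp.aliyun-inc.com(127.0.0.1);\n"
    "\tTue, 03 Oct 2023 09:14:39 +0800\n"
)
BAD = GOOD.replace("(out208-127.dm.aliyun.com [140.205.208.127])", "(4S00JX0yDtz4x8Mx)")

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# A well-formed first hop written by the milter: "from <helo> (<rdns> [<ip>])".
FROM_CLAUSE = re.compile(r"^from\s+(\S+)\s+\(([^\s\[\]]+)\s+\[(" + IPV4 + r")\]\)", re.I)


def received_headers(raw):
    """Unfold RFC 5322 continuation lines and return Received values, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [line[len("Received:"):].strip()
            for line in unfolded.splitlines()
            if line.lower().startswith("received:")]


def first_hop_ip(raw):
    """IP of the host that connected to us, or None if the first hop is malformed."""
    hops = received_headers(raw)
    if not hops:
        return None
    m = FROM_CLAUSE.match(hops[0])
    return m.group(3) if m else None


def naive_client_ip(raw):
    """The failure mode from the thread: take the first IPv4 literal found anywhere in
    the Received chain. With a malformed first hop that is the upstream 127.0.0.1."""
    for hop in received_headers(raw):
        m = re.search(IPV4, hop)
        if m:
            return m.group(0)
    return None


def classify(raw, whitelist=frozenset({"127.0.0.1"})):
    """Safe verdict: only consult the whitelist (assumed placeholder) when the first hop
    parses; a malformed first hop is treated as untrusted and sent to scanning."""
    ip = first_hop_ip(raw)
    if ip is None:
        return "malformed-first-hop: do not whitelist"
    return "whitelisted" if ip in whitelist else f"scan ({ip})"
```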