When wcsap rejects a msg, does smtp/WINS close the connection with the client, or can/is the cip/cdn/hdn allowed to continue to send data to smtp in the same connection/transaction session? Should that session end at the time it is rejected?
The message was rejected for [I think] spoofing our domain (CIP/CDN mismatch - spoofed our domain) although the sap log result showed reject (0) but not reason 'HELO/EHLO mismatch' as set in the filter file, smtp code was 554.
I had what essentially is 'logfile spam' in my smtptrace log, wherein a message/session had been rejected by wcsap, but the sender/caller started sending data anyway (the message w/headers). WC, wcsmtp indicated "503 Need MAIL command." then caller evidently started sending the data stream anyway.
wcsmtp sent back echos of the data '500 (data here) : command not understood' followed by the caller sending the next line of data/line of the message.
This continued until the caller 'quit' the session, then WINS closed the connection '211 closing connection, **Completed.
Is this normal? Never seen the log files get 'spammed' in 10 years running and figured I should ask. Am I missing something in the SAP ini or filter files?
Caller IP is now firewalled, is listed with CBL (http://cbl.abuseat.org/), reported to abuse at rr.com.
wcsmtp here is latest AUP (451.7).
**wcsap log snippet (local user munged)**
20060428 18:28:11 00000446 -------------------------------------
20060428 18:28:11 00000446 version : 2.06 / 1.62
20060428 18:28:11 00000446 calltype : SMTP
20060428 18:28:11 00000446 state : rcpt
20060428 18:28:11 00000446 cip : 71.75.124.244
20060428 18:28:11 00000446 cdn : foxriver.net
20060428 18:28:11 00000446 from : conrad0xsierra@rr.com
20060428 18:28:11 00000446 hdn : cpe-071-075-124-244.carolina.res.rr.com
20060428 18:28:11 00000446 rcpt : john.doe@foxriver.net
20060428 18:28:11 00000446 ruid : 60
20060428 18:28:12 00000446 sapfilter : reject (time:687)
20060428 18:28:12 00000446 result : reject (0)
20060428 18:28:12 00000446 smtp code : 554
20060428 18:28:12 00000446 wcsap finish (797 msecs)
**wcsmtp log snippet**
20060428 18:28:11 (0A88) HELO: Incoming connection: foxriver.net [71.75.124.244]
20060428 18:28:11 (0A88) Note: DNS says IP 71.75.124.244 belongs to cpe-071-075-124-244.carolina.res.rr.com
20060428 18:28:11 (0A88) MAIL FROM: <Conrad0XSierra@rr.com>... Sender validation pending. Continue.
20060428 18:28:12 (0A88) RCPT: Return Path not verifiable: <Conrad0XSierra@rr.com> (Rejected by WCSAP Filter)!
**wcsmtptrace snippet (local user munged)**
Wildcat! SMTP Server v6.1.451.7
SMTP log started at Fri, 28 Apr 2006 18:28:11
Connection Time: 20060428 18:28:11 cid: 00000446
SSL Enabled: NO
Client IP: 71.75.124.244 (cpe-071-075-124-244.carolina.res.rr.com)
18:28:11 S: 220-foxriver.net Wildcat! ESMTP Server v6.1.451.7 ready
18:28:11 S: 220-************** WARNING: FOR AUTHORIZED USE ONLY! **********************
18:28:11 S: 220-* THIS SYSTEM DO NOT AUTHORIZE THE USE OF ITS PROPRIETARY COMPUTERS *
18:28:11 S: 220-* AND COMPUTER NETWORKS TO ACCEPT, TRANSMIT, OR DISTRIBUTE UNSOLICITED *
18:28:11 S: 220-* BULK E-MAIL SENT FROM THE INTERNET. THIS SYSTEM WILL RESTRICT ACCESS *
18:28:11 S: 220-* TO CAN-SPAM (US S. 877) COMPLIANT CLIENTS ONLY. *
18:28:11 S: 220 ******************************
18:28:11 C: HELO foxriver.net
18:28:11 S: 250 foxriver.net, Hello cpe-071-075-124-244.carolina.res.rr.com, why do you call yourself foxriver.net?
18:28:11 C: MAIL FROM: <Conrad0XSierra@rr.com>
18:28:11 S: 250 <Conrad0XSierra@rr.com>... Sender validation pending. Continue.
18:28:11 C: RCPT TO: <john.doe@foxriver.net>
18:28:12 ** WCX Process: wcsap ret: 554 (Rejected by WCSAP Filter)
18:28:12 S: 550 Return Path not verifiable.
18:28:12 C: DATA
18:28:12 S: 503 Need MAIL command.
18:28:12 C: Received: (qmail 18448 invoked by uid 53853);
18:28:12 S: 500 'Received: (qmail 18448 invoked by uid 53853);': command not understood.
18:28:12 C: Message-Id: <0764736_26563_38280.fodvnbkr@rr.com>
18:28:12 S: 500 'Message-Id: <0764736_26563_38280.fodvnbkr@rr.com>': command not understood.
18:28:12 C: Date: Fri, 29 Jul 2005 22:23:34 -0100
18:28:12 S: 500 'Date: Fri, 29 Jul 2005 22:23:34 -0100': command not understood.
18:28:12 C: Content-Type: text/plain;
18:28:12 S: 500 'Content-Type: text/plain;': command not understood.
18:28:12 C:  charset="us-ascii"
18:28:12 S: 500 ' charset="us-ascii"': command not understood.
18:28:12 C: Content-Transfer-Encoding: 7bit
18:28:12 S: 500 'Content-Transfer-Encoding: 7bit': command not understood.
18:28:12 C: To: john.doe@foxriver.net
18:28:12 S: 500 'To: john.doe@foxriver.net': command not understood.
18:28:12 C: From: "Conrad Sierra" <Conrad0XSierra@rr.com>
18:28:12 S: 500 'From: "Conrad Sierra" <Conrad0XSierra@rr.com>': command not understood.
18:28:12 C: Subject: Reduce your monthly payments
18:28:12 S: 500 'Subject: Reduce your monthly payments': command not understood.
18:28:12 C:
18:28:12 C: Hello,
18:28:12 S: 500 'Hello,': command not understood.
18:28:12 C:
18:28:12 C: You have been chosen to participate in an invitation only limited time event!
18:28:12 S: 500 'You have been chosen to participate in an invitation only limited time event!': command not understood.
18:28:12 C: Are you currently paying over three percent for your mortgage? stop right now!
18:28:12 S: 500 'Are you currently paying over three percent for your mortgage? stop right now!': command not understood.
18:28:12 C: We can help you lower that today!
18:28:12 S: 500 'We can help you lower that today!': command not understood.
18:28:12 C: Answer only a few questions and we can give you an approval in under thirty seconds.It really is that simple!
18:28:12 S: 500 'Answer only a few questions and we can give you an approval in under thirty seconds.It really is that simple!': command not understood.
18:28:12 C:
18:28:12 C: http://oa.r66j-fr.com/
18:28:12 S: 500 'http://oa.r66j-fr.com/': command not understood.
18:28:12 C:
18:28:12 C: And stop fighting for lenders let them fight for you! Make them work for your business by giving you the lowest rates around! You deserve it.
18:28:12 S: 500 'And stop fighting for lenders let them fight for you! Make them work for your business by giving you the lowest rates around! You deserve it.': command not understood.
18:28:12 C:
18:28:12 C: Think your credit is too bad to get a deal like this? Think Again! We will have you saving your money in no time flat!
18:28:12 S: 500 'Think your credit is too bad to get a deal like this? Think Again! We will have you saving your money in no time flat!': command not understood.
18:28:12 C:
18:28:12 C: Are you ready to save your money?
18:28:12 S: 500 'Are you ready to save your money?': command not understood.
18:28:12 C:
18:28:12 C: http://ymv.r66j-fr.com/
18:28:12 S: 500 'http://ymv.r66j-fr.com/': command not understood.
18:28:12 C:
18:28:12 C: Regards,
18:28:12 S: 500 'Regards,': command not understood.
18:28:12 C: Conrad Sierra
18:28:12 S: 500 'Conrad Sierra': command not understood.
18:28:12 C:
18:28:12 C:
18:28:12 C:
18:28:12 C: The woman had cut off his foot with an axe and his thumb with an electric knife, and here she was with a pile of caviar big enough to choke a warthog."Misery tried to scream, but could no longer even breathe.
18:28:12 S: 500 'The woman had cut off his foot with an axe and his thumb with an electric knife, and here she was with a pile of caviar big enough to choke a warthog."Misery tried to scream, but could no longer even breathe.': command not understood.
18:28:12 C: The champagne bottle hadnt been in the scenario, but that was minor compared with the womans hideous vitality and his current painful uncertainty.I have spared him, so you may shew him the way he must go.The open garbage can overflowed onto the floor and emitted the warm reek of spoiling food, but that wasnt the only thing wrong, or the worst smell..pictorial
18:28:12 S: 500 'The champagne bottle hadnt been in the scenario, but that was minor compared with the womans hideous vitality and his current painful uncertainty.I have spared him, so you may shew him the way he must go.The open garbage can overflowed onto the floor and emitted the warm reek of spoiling food, but that wasnt the only thing wrong, or the worst smell..pictorial': command not understood.
18:28:12 C: He thought her illness might have been short indeed a thunderclap coronary, say, followed by a trip to Saint Joes, followed by."s.It was only after midnight, an hour after Geoffrey had ridden into the gathering storm to try and fetch the doctor, that the midwife had grown alarmed.She approached the mattress, turned around, and squatted..
18:28:12 S: 500 'He thought her illness might have been short indeed a thunderclap coronary, say, followed by a trip to Saint Joes, followed by."s.It was only after midnight, an hour after Geoffrey had ridden into the gathering storm to try and fetch the doctor, that the midwife had grown alarmed.She approached the mattress, turned around, and squatted..': command not understood.
18:28:12 C: There were perhaps seventy acres of open ground between the house and the edge of the forest the snow-cover over it was a perfect and blazing white.This was not the soothing sand of sleep but poisoned sand.
18:28:12 S: 500 'There were perhaps seventy acres of open ground between the house and the edge of the forest the snow-cover over it was a perfect and blazing white.This was not the soothing sand of sleep but poisoned sand.': command not understood.
18:28:12 C:
18:28:12 C: .
18:28:12 S: 500 '.': command not understood.
18:28:12 C: QUIT
18:28:12 S: 221 closing connection
18:28:13 ** Completed
<DAVE GOURD> wrote in message news:1146322326.46.0@winserver.com...
> When wcsap rejects a msg, does smtp/WINS close the connection
> with the client, or can/is the cip/cdn/hdn allowed to
> continue to send data to smtp in the same
> connection/transaction session? Should that session end at the
> time it is rejected?
In general it is bad practice for the server to "DROP" the connection because the client may not understand and will try again.
SMTP has five basic commands:
EHLO or HELO sender machine name (CDN)
MAIL FROM: sender address (FROM)
RCPT TO: receiver address (TO)
DATA:
- email is transferred -
QUIT or RSET
QUIT
For each command, a server response is provided:
250 --> Command ok, continue with next command
50x --> Don't understand the command
45x --> Sorry, don't continue, but you can try again later
55x --> Sorry, don't continue and no need to try again.
The only way the client can continue from command to command is with a server response each time.
WCSMTP will not drop the connection once a 45x or 55x is sent. It would be bad practice. You are supposed to allow the client to issue the QUIT command and then the socket is closed.
WCSAP is called at RCPT TO and returns a response to RCPT TO: state to validate all the data up to the point. IP connection address, CDN, FROM and TO.
There is a 5 minute timer to wait for the client to send the next command. No response, then a DROP is done.
The client can send a RSET command which allows him to restart the commands again starting with MAIL FROM:.
What you see many times, especially with bulk spammers, is that they ignore all server responses and just continue like it was normal. That is why you see 50x errors: the client is out of sync. He is continuing with the next command but he hasn't satisfied the previous command.
Hope this helps
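A minimal model of the command/response flow Hector describes, as an added example (not code from Wildcat!, wcsmtp or the thread); it assumes the local domain from the posted log and a hypothetical stand-in for the WCSAP filter rule:

```python
# Added example, not Wildcat!/wcsmtp code: a minimal SMTP server state machine
# following Hector's description. A 55x at RCPT TO ends the transaction but not
# the connection (the client must still QUIT), so a client that ignores the
# reply and sends DATA gets "503 Need MAIL command." and every body line after
# that is read as a command and answered with a 500: the "logfile spam" above.
# The reject rule is a hypothetical stand-in for a WCSAP filter (HELO name equal
# to our own domain, the HELO/EHLO mismatch case); the accept path after 354 is
# left out, since the traced session never reaches it.

SERVER_DOMAIN = "foxriver.net"  # assumed local domain, taken from the posted log


class SmtpSession:
    def __init__(self):
        self.helo, self.mail_from, self.rejects = None, None, 0

    def _sap_filter(self, rcpt):
        return self.helo == SERVER_DOMAIN  # hypothetical filter rule

    def handle(self, line):
        """Return the server reply for one client line."""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo, self.mail_from = arg.strip(), None
            return f"250 {SERVER_DOMAIN}, Hello {self.helo}"
        if verb == "MAIL":
            self.mail_from = arg
            return f"250 {arg} Sender validation pending. Continue."
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Need MAIL command."
            if self._sap_filter(arg):
                self.rejects += 1
                self.mail_from = None  # 55x: transaction over, socket stays open
                return "550 Return Path not verifiable."
            return f"250 {arg} Recipient ok."
        if verb == "DATA":
            if self.mail_from is None:
                return "503 Need MAIL command."
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "RSET":
            self.mail_from = None  # client may restart from MAIL FROM:
            return "250 Reset state"
        if verb == "QUIT":
            return "221 closing connection"
        return f"500 '{line}': command not understood."
```

Feeding it the client lines from the trace above reproduces the 550, the 503 on DATA and the run of 500 replies, while a session from a non-spoofing HELO name reaches 354.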
I understand the 'bad practice' concept. I have never seen this before in all the years running this. Have seen lots and lots of days where there were dozens and dozens of blank entries in some sessions, but never with the spammer being so intent as to go ahead and send the BS anyway after our system politely says we don't want any.
Maybe it happens a lot to others, I have just never seen it before; probably wouldn't if I did not watch the smtptrace logs (or even have it active).
Now I just have to figure out what to do about the criminals that are sending spam out spoofing our domain! :( - thousands of false bounces coming in from all over, 2d time they've joe job'd me this year already!
Any suggestions? SPF record is in place (I think I got it set up right now), but that is of little consolation with so many systems out there not in tune to the process. Someone told me to get the FBI or feds involved, and get a lawyer cause might be able to sue the rats, but this sounds like more trouble to me than it (actually they, as in crooked spammers AND crooked lawyers - an honest guy ain't got a chance it seems) would be worth.
Thanks Hector, at least I know my WC isn't broke. Have another question but in another post...