OK, who's the idiot using tcwireless.us?

Valdis.Kletnieks at vt.edu
Wed Oct 8 21:30:38 UTC 2008


On Tue, 07 Oct 2008 15:05:20 PDT, Christopher LILJENSTOLPE said:
> I agree with Howard here, I don't think this is a mis-configuration,
> but a harvest attempt.  The "mailserver" is in different messages, and
> I can't see how that could get misconfigured in an honest validation
> server.

Turns out it was indeed a C/R system rather than a harvest attempt, and
after seeing several other people's versions of the message, it was pretty
obvious what was wrong - some fool programmer coded:

printf("has just been received by %s mailserver\n", from->domain);

when they wanted our->domain instead. So that's a double-whammy - (a) they
didn't use their own server's domain, and (b) they used the From: address
rather than the Return-Path: address (which is why it showed up as the poster's
mailserver rather than nanog.org as the source).

When you test it from your own domain, source->domain and from->domain are the
same as our->domain so you don't notice.  Presumably, nobody ever carefully
tested from outside the local domain, which means their QA process isn't the
strictest either - makes one wonder what other bugs and vulnerabilities are in
there.
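
The testing gap described in the message above, as an added example that is not part of the original post or of the C/R product's code: a same-domain test fixture cannot tell the quoted line apart from the intended one, while a fixture with three distinct domains can. The struct layout, function names and example domains are assumptions; the post shows only the printf line and the `->domain` member.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical types: the post only shows the ->domain member. */
struct addr { const char *domain; };

struct delivery {
    const struct addr *from;    /* header From: (the list poster)       */
    const struct addr *source;  /* envelope sender / Return-Path:       */
    const struct addr *our;     /* the challenge/response server itself */
};

/* The line as quoted in the post: names the poster's domain. */
static int notice_buggy(char *buf, size_t n, const struct delivery *d)
{
    return snprintf(buf, n, "has just been received by %s mailserver\n",
                    d->from->domain);
}

/* What the post says was intended: name the receiving server. */
static int notice_fixed(char *buf, size_t n, const struct delivery *d)
{
    return snprintf(buf, n, "has just been received by %s mailserver\n",
                    d->our->domain);
}

/* Returns 1 if this fixture tells the two versions apart, 0 if it masks the bug. */
static int fixture_exposes_bug(const struct delivery *d)
{
    char a[256], b[256];
    notice_buggy(a, sizeof a, d);
    notice_fixed(b, sizeof b, d);
    return strcmp(a, b) != 0;
}

/* Constructed fixtures (example domains, not taken from the post). */
static const struct addr local  = { "cr.example" };
static const struct addr poster = { "poster.example" };
static const struct addr list   = { "list.example" };
static const struct delivery same_domain = { &local, &local, &local };
static const struct delivery via_list    = { &poster, &list, &local };

int main(void)
{
    printf("same-domain fixture exposes bug: %d\n", fixture_exposes_bug(&same_domain));
    printf("list-relayed fixture exposes bug: %d\n", fixture_exposes_bug(&via_list));
    return 0;
}
```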
