Issue with connections from CanIt-Domain-PRO anti-spam filter
Hi all, I have an interesting issue. Just upgraded our mail server to handle srs-milter.
Since the upgrade we found that the srs-milter would crash around 05:50 and 22:20 every day. (Obviously it's got a bug)
Turns out every day around 05:50 we get a connection from canit-1.iserve.net.nz[202.191.33.141] and every night around 20:20 we get a connection from canit-scanner-2.slingshot.co.nz[60.234.4.40]
They both seem to be running the CanIt-Domain-PRO anti-spam filter.
I cannot just block the scanner as the address is shared with MXs (ie: canit-scanner-2.slingshot.co.nz[60.234.4.40] and canit-slingshot-mx-2.t3.nz)
Seems like the scanner is sending 'unusual' data once a day on a schedule.
Any ideas what that single daily connection is about? or workarounds?
Thanks.
PS: Apart from fixing the bug myself...
-- Jean-Francois Pirus | Technical Manager francois(a)clearfield.com | Mob +64 21 640 779 | DDI +64 9 282 3401
Clearfield Software Ltd | Ph +64 9 358 2081 | www.clearfield.com
Hey Jean,
The first thing I would suggest is to dump this traffic, even if it's a bit of a "heavy" thing to do, since it's what you can do yourself before doing other things. I don't know what exact mail software you are using and what OS, but on Linux you can try to run a tiny logging proxy that will help you analyze the issue. On Linux you can use iptables REDIRECT to redirect all traffic from canit-scanner-2.slingshot.co.nz[60.234.4.40] and canit-slingshot-mx-2.t3.nz[IP?] towards your server into the tiny proxy. Once you have a clue on what is on the wire/connection you can defend yourself from it in other ways. It might be a bug, but it also might be another, simpler issue. Let's say the connection is a bogus one which can be blocked before harming the system; you might still have a chance.
You do have the timing and the source IP addresses. Try to verify how much traffic you have from these servers and move on from there to see if you can use tcpdump+wireshark to clear your mind of certain things about this traffic.
And as a side note, if you do know the timing I can lend you my 421 tiny mail service which I use on my systems. You can redirect the traffic from these two (or more) servers towards port 25 into port 1421 (for example) every day at the annoying hours and see if it makes a change. This might not be the best solution, but any SMTP delivery server should obey the basic laws of 421 (come back or try later).
Hope It Helps,
Eliezer
* let me know if you want the 421 service code/binaries
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer(a)ngtech.co.il
-----Original Message-----
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Jean-Francois Pirus
Sent: Saturday, May 6, 2017 2:06 PM
To: nznog(a)list.waikato.ac.nz
Subject: [nznog] Issue with connections from CanIt-Domain-PRO anti-spam filter
[...]
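The logging stub and temporary-failure trick Eliezer describes, written out as an added example. This is not his 421 service or any code from the thread; the listen port 1421 comes from his mail, while the hostname mx.example.test, the log file name and the exact reply codes are my choices.

```python
"""Tiny logging SMTP stub: an added example, not Eliezer's 421 service.

Purpose, as suggested in the thread: divert the suspicious peer's port-25
connections to a stub that records every command it sends and answers with
temporary failures, so the real MTA (and its milter) never sees the probe
while you still get a full transcript.  On Linux the diversion is one
iptables rule (the scanner address is the one from the thread; port 1421
is Eliezer's example):

    iptables -t nat -A PREROUTING -s 60.234.4.40 -p tcp --dport 25 \\
        -j REDIRECT --to-ports 1421

Design note: a 421 closes the channel (RFC 5321 s4.2.1), so a stub that
answers 421 to the first command only ever logs the HELO.  This stub
answers 250 to HELO/EHLO and a transient 451 to MAIL/RCPT/DATA, which keeps
the session open until QUIT so the whole probe is captured.
"""
import socket
import sys
import time
from typing import List, Tuple

MAX_LINES = 50          # hard cap so a chatty peer cannot make us log forever
TRANSIENT = "451 4.3.2 temporarily deferred, try again later"


class Session:
    """Minimal SMTP responder state; pure so it can be tested without sockets."""

    def __init__(self, host: str) -> None:
        self.host = host
        self.lines = 0

    def greeting(self) -> str:
        return f"220 {self.host} ESMTP probe-logger"

    def feed(self, line: str) -> Tuple[str, bool]:
        """Return (reply, close_after_reply) for one client command line."""
        self.lines += 1
        if self.lines > MAX_LINES:
            return "421 4.7.0 too many commands, closing channel", True
        parts = line.split(None, 1)
        verb = parts[0].upper() if parts else ""
        if verb in ("HELO", "EHLO"):
            return f"250 {self.host}", False      # no extensions advertised, so no STARTTLS
        if verb in ("NOOP", "RSET"):
            return "250 OK", False
        if verb in ("MAIL", "RCPT", "DATA"):
            return TRANSIENT, False               # never accept anything for delivery
        if verb == "QUIT":
            return "221 bye", True
        return "502 5.5.1 command not implemented", False


def run_session(host: str, client_lines: List[str]) -> List[str]:
    """Drive a Session over a list of client lines; returns the transcript."""
    sess = Session(host)
    transcript = [f"S: {sess.greeting()}"]
    for line in client_lines:
        transcript.append(f"C: {line}")
        reply, close = sess.feed(line)
        transcript.append(f"S: {reply}")
        if close:
            break
    return transcript


def serve(port: int = 1421, log_path: str = "probe.log", host: str = "mx.example.test") -> None:
    """Listen on `port` and append one timestamped transcript per connection to `log_path`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(5)
    while True:
        conn, peer = srv.accept()
        stamp = time.strftime("%Y-%m-%dT%H:%M:%S%z")
        with conn, open(log_path, "a") as log:
            def log_line(s: str) -> None:
                log.write(f"{stamp} {peer[0]}:{peer[1]} {s}\n")
            conn.settimeout(30)                   # idle peers do not tie us up
            sess = Session(host)
            try:
                log_line(f"S: {sess.greeting()}")
                conn.sendall((sess.greeting() + "\r\n").encode("ascii"))
                for raw in conn.makefile("rb"):
                    line = raw.decode("latin-1").rstrip("\r\n")   # log bytes as-is, never fail on decode
                    log_line(f"C: {line}")
                    reply, close = sess.feed(line)
                    log_line(f"S: {reply}")
                    conn.sendall((reply + "\r\n").encode("ascii"))
                    if close:
                        break
            except (socket.timeout, OSError) as exc:
                log_line(f"! {exc}")


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 1421)
```

Start it on the mail host shortly before the 05:50 and 20:20 windows, add the REDIRECT rule, and delete the rule afterwards so ordinary MX traffic from the shared address goes back to the real MTA. The stub never accepts a message, so a legitimate sender that happens to hit it simply queues and retries, which is the property the 421 idea relies on.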
Hi, Thanks for the suggestions.
As the traffic was not using TLS, I was able to grab the 'probe'
This is it:
HELO canit-scanner-2.DOMAIN.co.nz
MAIL From:
"The reserved mailbox name "postmaster" may be used in a RCPT command without domain qualification (see Section 4.1.1.3) and MUST be accepted if so used."
On 17/05/17 06:47, Eliezer Croitoru wrote:
[...]
(Sorry I should learn to read before sending)
Hi, Thanks for the suggestions.
As the traffic was not using TLS, I was able to grab the 'probe'
This is it:
HELO canit-scanner-2.DOMAIN.co.nz
MAIL From:
RCPT To:<postmaster>
QUIT
And this does crash the milter (I've checked). I'm setting up a VM so I can debug the milter.
Current theories are:
- It does not like a "rcpt to" without a domain.
- It expects there will be more after the RCPT.
PS: weirdly, <postmaster> is valid.
On 09/05/17 08:43, Jordan Roff wrote:
"The reserved mailbox name "postmaster" may be used in a RCPT command without domain qualification (see Section 4.1.1.3) and MUST be accepted if so used."
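The captured probe and the parsing edge case it exercises, as an added example; this is not code from srs-milter, CanIt or anyone in the thread. Assumptions: the MAIL FROM address, which the archive lost, is taken to be the null sender <>; naive_localpart_domain is a made-up illustration of the "RCPT without a domain" theory, not the milter's real logic; send_probe is meant for the debugging VM, never a production MX.

```python
"""Replay the captured CanIt probe and parse its recipient safely.

Added example, not code from srs-milter or CanIt.  PROBE is the exchange
Jean-Francois captured; the MAIL FROM address did not survive the archive,
so the null reverse-path '<>' is an assumption (it is what a probe that only
wants to test RCPT acceptance would normally send).  naive_localpart_domain
is a hypothetical illustration of the theory in the thread (code that takes
'local@domain' for granted), not the milter's actual logic.
"""
import socket
from typing import List, Optional, Tuple

PROBE = [
    "HELO canit-scanner-2.DOMAIN.co.nz",
    "MAIL FROM:<>",           # assumption: null sender
    "RCPT TO:<postmaster>",   # bare postmaster, no domain: legal and MUST be accepted (RFC 5321 s4.5.1)
    "QUIT",
]


def send_probe(host: str, port: int = 25, timeout: float = 15.0) -> List[str]:
    """Replay PROBE against a test MTA (the VM from the thread, never production) and return its replies."""
    replies: List[str] = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        rf = s.makefile("rb")
        replies.append(rf.readline().decode("latin-1").rstrip("\r\n"))  # banner
        for cmd in PROBE:
            s.sendall((cmd + "\r\n").encode("ascii"))
            while True:                                   # '250-' lines continue a multi-line reply
                line = rf.readline().decode("latin-1").rstrip("\r\n")
                replies.append(line)
                if len(line) < 4 or line[3] != "-":
                    break
    return replies


def split_command(line: str) -> Tuple[str, str]:
    """'RCPT To:<postmaster>' -> ('RCPT', '<postmaster>'); tolerates any case and a space after the colon."""
    verb, _, rest = line.strip().partition(" ")
    if ":" in rest:
        rest = rest.split(":", 1)[1]
    return verb.upper(), rest.strip()


def naive_localpart_domain(arg: str) -> Tuple[str, str]:
    """Hypothetical fragile parser: assumes every path looks like '<local@domain>'."""
    local, domain = arg.strip().lstrip("<").rstrip(">").split("@")   # ValueError on '<postmaster>' and '<>'
    return local, domain


def parse_path(arg: str) -> Tuple[str, Optional[str]]:
    """Parse a MAIL/RCPT argument into (local_part, domain_or_None), RFC 5321 s4.1.2 style.

    Handles '<>' (null reverse-path), '<postmaster>' (no domain), obsolete source
    routes '<@relay:user@dom>', quoted local parts that contain '@', and ESMTP
    parameters after the path ('<u@d> SIZE=1000').
    """
    s = arg.strip()
    if s.startswith("<"):
        end = s.find(">")
        if end < 0:
            raise ValueError("unterminated path")
        path = s[1:end]
    else:
        path = s.split(None, 1)[0] if s else ""          # tolerate missing angle brackets
    if path == "":
        return "", None
    if path.startswith("@"):                             # source route: strip the '@a,@b:' prefix
        colon = path.find(":")
        if colon < 0:
            raise ValueError("malformed source route")
        path = path[colon + 1:]
    if path.startswith('"'):                             # quoted local part, may contain '@' and escaped quotes
        i = 1
        while i < len(path) and path[i] != '"':
            i += 2 if path[i] == "\\" else 1
        if i >= len(path):
            raise ValueError("unterminated quoted local part")
        local, rest = path[:i + 1], path[i + 1:]
        if rest == "":
            return local, None
        if rest.startswith("@"):
            return local, rest[1:] or None
        raise ValueError("garbage after quoted local part")
    local, sep, domain = path.rpartition("@")
    return (path, None) if sep == "" else (local, domain or None)


def rcpt_acceptable(arg: str, my_domains: set) -> bool:
    """Policy for an inbound RCPT: our domains only, except that bare 'postmaster'
    (any case, no domain) is always acceptable as RFC 5321 s4.5.1 requires."""
    local, domain = parse_path(arg)
    if domain is None:
        return local.lower() == "postmaster"
    return domain.lower() in my_domains


def crashes(parser, arg: str) -> bool:
    """True if `parser` raises ValueError on `arg` (used to contrast the two parsers)."""
    try:
        parser(arg)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    import sys
    for r in send_probe(sys.argv[1]):
        print(r)
```

In a libmilter envrcpt callback the recipient arrives as the RCPT argument string, angle brackets and all, so parse_path and rcpt_acceptable apply unchanged there. The contrast to take away is that a parser which unpacks local@domain into two fields dies on exactly the input RFC 5321 obliges every receiver to accept, and an external scanner that sends that input once a day on a schedule will find it for you.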
Hey Jean,
Just to be sure:
Are we talking about postfix+srs-milter ie
https://github.com/emsearcy/srs-milter
?
I must admit it's a very weird bug!!
It's maybe one of the small things which big minds miss when working on such
products.
Thanks for the details,
Eliezer
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer(a)ngtech.co.il
-----Original Message-----
From: nznog-bounces(a)list.waikato.ac.nz
[mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Jean-Francois Pirus
Sent: Wednesday, May 17, 2017 1:25 AM
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] Issue with connections from CanIt-Domain-PRO anti-spam
filter
[...]
Nearly, it's postfix and vokac/srs-milter.
vokac/srs-milter is a 2nd gen fork of emsearcy/srs-milter from the original author... :-)
https://github.com/vokac/srs-milter forked from driskell/srs-milter
https://github.com/driskell/srs-milter forked from emsearcy/srs-milter
https://github.com/emsearcy/srs-milter from http://kmlinux.fjfi.cvut.cz/~vokacpet/activities/srs-milter/
On 19/05/17 20:57, Eliezer Croitoru wrote:
[...]
-----Original Message----- From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Jean-Francois Pirus Sent: Wednesday, May 17, 2017 1:25 AM Cc: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] Issue with connections from CanIt-Domain-PRO anti-spam filter
(Sorry I should learn to read before sending)
Hi, Thanks for the suggestions.
As the traffic was not using TLS, I was able to grab the 'probe'
This is it:
HELO canit-scanner-2.DOMAIN.co.nz
MAIL From:
RCPT To:<postmaster>
QUIT
And this does crash the milter (I've checked). I'm setting up a VM so I can debug the milter.
Current theories are:
- It does not like a "rcpt to" without a domain.
- It expects there will be more after the RCPT.
PS: weirdly, <postmaster> is valid.
On 09/05/17 08:43, Jordan Roff wrote:
"The reserved mailbox name "postmaster" may be used in a RCPT command without domain qualification (see Section 4.1.1.3) and MUST be accepted if so used."
participants (2)
-
Eliezer Croitoru
-
Jean-Francois Pirus