Software, technology, sysadmin war stories, and more. Feed
Wednesday, August 15, 2012

Short tales of running mail servers for other people

I saw a lot of dumb things happen when I used to run mail servers for a bunch of users. None of them warrant a story of their own, but together it winds up being a nice little collection.


One fine December day, I had a user report that the principal at her school wasn't getting her e-mail regularly. Some mails would arrive, and some wouldn't. Everyone swore up and down that they had done everything correctly and that the mails were just "disappearing".

I had a look at my POP server logs and found the problem right away: someone else was polling mail for her account. The two systems were interleaving their fetches, and each one would delete mails after retrieving them. That basically meant whichever one got there first "won".

The second system wasn't even on our network. It was somewhere else... at some company elsewhere in town... where her husband worked. For some reason, someone there, possibly him, was reading her mail remotely. I never did find out the story behind that one.


As the rest of the world got into greylisting (or as I called it at the time in my implementation, "forced delays"), some people didn't quite get it. I'd frequently see the results of this in my mail logs. My system would try to deliver mail outbound to some domain and would get back a message which tipped its hand, like "Greylisting in use, retry in 00:03:00".

The whole point of a scheme like this, particularly back when it was brand new, was that the spammers didn't know about it! Why would you ever come right out and tell them exactly what you were doing? Sending something meaningless like "421 Not now, I have a headache" or "421 Disk full" or something like that would keep them guessing.

In the case of one of these systems, my sendmail got that message when hitting their primary mail exchangers. It then dutifully fell back to one of their secondary MXs, which promptly allowed the message through. It hadn't been anywhere close to 3 minutes. Clearly, their mail exchangers were not on the same page.


We had some e-mail addresses which had never been valid and had been generating "user unknown" returns for years. There was a fairly limited mapping of who was mailing who: account A would get hit by idiot spammer A, account B by idiot spammer B, and so on. They were obviously spammers since never-valid accounts can't confirm a subscription! If you're not confirming things, you're an evil spammer. Simple as that.

After putting up with this for far too long, I finally decided to have some fun with them one day and looked up who the admins were for the sending netblock. Then I just created an alias which would send all mail to that account to them.

The garbage mail stopped rather quickly. All you have to do is redirect where the poop lands and suddenly the pooper starts caring about it. It's funny how that works.


Speaking of spammers, there were some who made a business of spewing their garbage through a variety of open relays and proxies, but always used their real domain name when sending. I can't imagine who'd be stupid enough to abuse hundreds of systems and leave an unambiguous calling card, but they did it.

I just used this as a "signal" for my antispam stuff. Any host which passed us mail from that domain was clearly an open relay and needed to be quarantined. It was great, since they did all the hard work of finding vulnerable hosts for me. I just had to pay attention and use that information appropriately.


I had some help from my friend the webmaster when it came time to catch some of these web page scrapers who would mail anything remotely resembling a user@host.domain. I asked him to bury strings in his pages which would match a particular regex. No real user would ever have an account name like that, and it was trivial for my filtering stuff to detect mail attempts to it.

He did that, and not long after those pages went live, we started getting bunches of hits from all sorts of broken hosts. A lot of them turned out to be infected systems which tried to spread by scouring the local hard drive for e-mail addresses. Upon visiting one of our pages, they would wind up in an on-disk browser cache for some time, and sooner or later the worm/virus/whatever would find it. Then it would try to mail it and we'd catch it.

We found a whole bunch of broken machines that way, including more than a couple inside our network. It's like I keep telling people: when it comes to network security, the ones who want to destroy you the most are probably already inside your firewall.