[108553] in North American Network Operators' Group
Re: OK, who's the idiot using tcwireless.us?
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Wed Oct 8 17:30:55 2008
To: Christopher LILJENSTOLPE <cdl@asgaard.org>
In-Reply-To: Your message of "Tue, 07 Oct 2008 15:05:20 PDT."
<B293DBF3-18FC-4881-B4D0-41519F68E1BD@asgaard.org>
From: Valdis.Kletnieks@vt.edu
Date: Wed, 08 Oct 2008 17:30:38 -0400
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
--==_Exmh_1223501438_21306P
Content-Type: text/plain; charset=us-ascii
On Tue, 07 Oct 2008 15:05:20 PDT, Christopher LILJENSTOLPE said:
> I agree with Howard here, I don't think this is a mis-configuration,
> but a harvest attempt. The "mailserver" is in different messages, and
> I can't see how that could get misconfigured in an honest validation
> server.

Turns out it was indeed a C/R system rather than a harvest attempt, and
after seeing several other people's versions of the message, it was pretty
obvious what was wrong - some fool programmer coded:

    printf("has just been received by %s mailserver\n", from->domain);

when they wanted our->domain instead. So that's a double-whammy - (a) they
didn't use their own server's domain, and (b) they used the From: address
rather than the Return-Path: address (which is why it showed up as the poster's
mailserver rather than nanog.org as the source).

When you test it from your own domain, source->domain and from->domain are the
same as our->domain so you don't notice. Presumably, nobody ever carefully
tested from outside the local domain, which means their QA process isn't the
strictest either - makes one wonder what other bugs and vulnerabilities are in
there.
--==_Exmh_1223501438_21306P--
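
The bug described in the message above, next to the intended behaviour and the out-of-domain test that would have caught it. This is an added example, not code from the original post or from the C/R product; the struct layout, function names and all domains are hypothetical, modeled only on the from->domain, source->domain and our->domain identifiers the message mentions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical structures named after the identifiers in the message;
   every domain below is a constructed sample value. */
struct addr { const char *local, *domain; };
struct msg {
    struct addr from;    /* header From: (the list poster)            */
    struct addr source;  /* Return-Path: (envelope sender, the list)  */
};
typedef int (*notice_fn)(char *, size_t, const struct msg *, const struct addr *);

/* The bug as described: reports the poster's domain as the receiving server. */
static int notice_buggy(char *out, size_t n, const struct msg *m, const struct addr *our)
{
    (void)our;
    return snprintf(out, n, "has just been received by %s mailserver\n", m->from.domain);
}

/* Intended behaviour: the receiving server is always our own domain. */
static int notice_fixed(char *out, size_t n, const struct msg *m, const struct addr *our)
{
    (void)m;
    return snprintf(out, n, "has just been received by %s mailserver\n", our->domain);
}

/* Regression check: returns 1 if the notice names our own domain, else 0. */
static int names_our_domain(notice_fn f, const struct msg *m, const struct addr *our)
{
    char buf[256], want[256];
    f(buf, sizeof buf, m, our);
    snprintf(want, sizeof want, "has just been received by %s mailserver\n", our->domain);
    return strcmp(buf, want) == 0;
}

static const struct addr OUR = { "postmaster", "cr.example.net" };
/* Same-domain test mail: from, source and our domains coincide, hiding the bug. */
static const struct msg LOCAL_TEST = { { "qa", "cr.example.net" }, { "qa", "cr.example.net" } };
/* Mailing-list mail: From: is the poster, Return-Path: is the list. */
static const struct msg LIST_MAIL = { { "poster", "poster.example.org" },
                                      { "list-bounces", "lists.example.com" } };

int main(void)
{
    printf("buggy/local=%d buggy/list=%d fixed/list=%d\n",
           names_our_domain(notice_buggy, &LOCAL_TEST, &OUR),
           names_our_domain(notice_buggy, &LIST_MAIL, &OUR),
           names_our_domain(notice_fixed, &LIST_MAIL, &OUR));
    return 0;
}
```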