#106 Wildcard DNS Entry with text creating confusion

ASSP V2
closed
2019-03-26
2019-03-22
Hans Carlos
No

There are some single-IP domains that define everything in the Domain Name Service with a wildcard entry to avoid future brain activity. Example: "guetersloh.de". A query for the DKIM policy or any other nonsense name like xxxxx.guetersloh.de returns the same ... in this case the SPF policy. I don't know what exactly the DKIM system interprets from that data, but I know I have a lot of "you are unreachable" complaints with invalid DKIM, and the postmaster did not know what it is. Yes, these are bullshit domains, but this software package is widely spread by VM hosters.

It may be very helpful to have a wildcard detection (DNS query to a completely nonsense label like EHSFGAJTES ... 4GS.example.com and compare it to the specific return) to detect and take label-specific actions like

  • ignore wildcard responses.
  • use wildcard responses in the same way as regular responses
  • Block such Mails
  • Score such Mails

carlos62@labtop3a:~> dig -t txt _domainkey.guetersloh.de

; <<>> DiG 9.11.2 <<>> -t txt _domainkey.guetersloh.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38223
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e8fc31af585f89765e684f995c95140076f7dad5f0654a32 (good)
;; QUESTION SECTION:
;_domainkey.guetersloh.de. IN TXT

;; ANSWER SECTION:
_domainkey.guetersloh.de. 3600 IN TXT "v=spf1 mx a include:ispgateway.de ~all"

;; AUTHORITY SECTION:
guetersloh.de. 62725 IN NS ns2.namespace4you.de.
guetersloh.de. 62725 IN NS ns.namespace4you.de.

;; Query time: 63 msec
;; SERVER: 192.168.244.31#53(192.168.244.31)
;; WHEN: Fri Mar 22 17:57:36 CET 2019
;; MSG SIZE rcvd: 181
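
The wildcard probe proposed above, as an added Python example (not part of the ticket and not ASSP code): it looks up the `_adsp._domainkey` TXT name that the ASSP log in this thread shows being queried, looks up a random sibling label, and treats identical answers as wildcard-synthesized before applying one of the four listed actions. The resolver, the `.example` zones, the policy names and the penalty of 15 are constructed assumptions; a real check would replace `make_resolver` with live TXT lookups.

```python
import secrets

# Constructed sample data (not real DNS): one zone answers every name with its
# SPF string through a wildcard, one publishes a real ADSP record, one has neither.
EXACT = {
    "signed.example": ["v=spf1 mx -all"],
    "_adsp._domainkey.signed.example": ["dkim=all"],
    "plain.example": ["v=spf1 mx -all"],
}
WILDCARD = {"wildcard.example": ["v=spf1 mx a ~all"]}


def make_resolver(exact, wildcard):
    """Offline stand-in for a TXT lookup (hypothetical helper).

    Returns a function mapping a name to a frozenset of TXT strings;
    an empty set stands for NXDOMAIN or NODATA.
    """
    def resolve(name):
        name = name.lower().rstrip(".")
        if name in exact:
            return frozenset(exact[name])
        for zone, txt in wildcard.items():
            if name.endswith("." + zone):
                return frozenset(txt)
        return frozenset()
    return resolve


SAMPLE_RESOLVE = make_resolver(EXACT, WILDCARD)


def classify(qname, resolve):
    """Return 'absent', 'wildcard' or 'specific' for the TXT answer at qname."""
    answer = resolve(qname)
    if not answer:
        return "absent"
    # Probe a sibling: swap the leftmost label for 24 random hex characters.
    # Nobody publishes that name, so an identical answer can only come from a
    # wildcard (or a wildcard CNAME) covering both names.
    parent = qname.split(".", 1)[1]
    probe = f"{secrets.token_hex(12)}.{parent}"
    return "wildcard" if resolve(probe) == answer else "specific"


def dkim_pretest(domain, resolve, on_wildcard="ignore", penalty=15):
    """Decide what a DKIM pre-test should conclude for a sender domain.

    on_wildcard selects one of the four actions from the ticket:
    'ignore', 'use', 'block' or 'score'. Returns (kind, decision, score).
    """
    kind = classify(f"_adsp._domainkey.{domain}", resolve)
    if kind == "absent":
        return kind, "no-dkim-expected", 0
    if kind == "specific" or on_wildcard == "use":
        return kind, "dkim-expected", 0
    if on_wildcard == "ignore":
        return kind, "no-dkim-expected", 0
    if on_wildcard == "block":
        return kind, "block", 0
    if on_wildcard == "score":
        return kind, "score", penalty
    raise ValueError(f"unknown wildcard action: {on_wildcard!r}")


if __name__ == "__main__":
    for domain in ("wildcard.example", "signed.example", "plain.example"):
        for action in ("ignore", "use", "block", "score"):
            print(domain, action, dkim_pretest(domain, SAMPLE_RESOLVE, action))
```

A specific record whose content happens to equal the wildcard answer is classified as wildcard; the probe cannot tell the two apart.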

Discussion

  • Thomas Eckardt

    Thomas Eckardt - 2019-03-23

    There is nothing wrong to provide the SPF record for every subdomain (it is required by RFC).
    Yes, it is nonsense to provide it for service entries (starting with an underscore, like dmarc...). But this doesn't hurt. In case of false positives in the DKIM pre-check (caused by such a DNS config), disable the DKIM check for such domains.

    Thomas

     
  • Hans Carlos

    Hans Carlos - 2019-03-25

    Nope ...
    ... I have looked in the SPAM folder and didn't find a DKIM header for guetersloh.de
    ... I have looked in the DKIM cache and I also found nothing for guetersloh.de
    ... I have seen "DKIM DNS Pre Test" log entries in relation to other transactions

    But

    Mar-22-19 09:42:18 [Worker_1] Info: got DNS DATA answer from nameserver 192.168.244.31
    Mar-22-19 09:42:18 [Worker_1] DNS-question was: mail12.regioit-aachen.de. IN A
    Mar-22-19 09:42:18 [Worker_1] DNS-answer is: mail12.regioit-aachen.de. 25841 IN A 91.102.136.186
    Mar-22-19 09:42:18 [Worker_1] Info: got valid DNS DATA answer from nameserver 192.168.244.31 ID 38205
    Mar-22-19 09:42:18 [Worker_1] Info: destroy old single DNSresolver
    Mar-22-19 09:42:18 assp44107-06239 [Worker_1] [TLS-in] 2a02:16f0::1:3 Lars.Bartsch@regioit.de to: spogg@hally-gally-spielplatzgeraete.de ClamAV: scanned 8206 bytes in message - OK
    Mar-22-19 09:42:19 [Worker_1] Sending DNS(A)-query to 192.168.244.31[:53] on multi.surbl.org for URIBL checks on guetersloh.de
    Mar-22-19 09:42:19 [Worker_1] Sending DNS(A)-query to fd2b:1048:60dd:12f5::c0a8:f41f[:53] on black.uribl.com for URIBL checks on guetersloh.de
    Mar-22-19 09:42:19 [Worker_1] Commencing URIBL checks on 'guetersloh.de'
    Mar-22-19 09:42:19 [Worker_1] Got 2 answers, 2 replies and 0 hits after 0 seconds for URIBL checks on 'guetersloh.de'
    Mar-22-19 09:42:19 [Worker_1] Got OK replies from (multi.surbl.org black.uribl.com) - NOTOK replies from () for URIBL on 'guetersloh.de'
    Mar-22-19 09:42:19 [Worker_1] Completed URIBL checks on 'guetersloh.de'
    Mar-22-19 09:42:19 [Worker_1] Sending DNS(A)-query to 192.168.244.31[:53] on multi.surbl.org for URIBL checks on regioit.de
    Mar-22-19 09:42:19 [Worker_1] Sending DNS(A)-query to fd2b:1048:60dd:12f5::c0a8:f41f[:53] on black.uribl.com for URIBL checks on regioit.de
    Mar-22-19 09:42:19 [Worker_1] Commencing URIBL checks on 'regioit.de'
    Mar-22-19 09:42:19 [Worker_1] Got 2 answers, 2 replies and 0 hits after 0 seconds for URIBL checks on 'regioit.de'
    Mar-22-19 09:42:19 [Worker_1] Got OK replies from (multi.surbl.org black.uribl.com) - NOTOK replies from () for URIBL on 'regioit.de'
    Mar-22-19 09:42:19 [Worker_1] Completed URIBL checks on 'regioit.de'
    Mar-22-19 11:24:43 [Worker_1] 91.102.136.170 [SMTP Reply] 250 NOOP
    Mar-22-19 11:24:43 [Worker_1] 91.102.136.170 info: got STARTTLS request from 91.102.136.170
    Mar-22-19 11:24:43 [Worker_1] 91.102.136.170 info: STARTTLS is skipped for 127.0.0.1 - sent 'NOOP' to 127.0.0.1
    Mar-22-19 11:24:43 [Worker_1] 91.102.136.170 [SMTP Reply] 220 Ready to start TLS - go on
    Mar-22-19 11:24:43 [Worker_1] [TLS-in] 91.102.136.170 info: started TLS-SSL session for client 91.102.136.170 - using TLSv1_2 , ECDHE-RSA-AES128-GCM-SHA256
    Mar-22-19 11:24:43 [Worker_1] [TLS-in] 91.102.136.170 [SMTP Reply] 250 NOOP
    Mar-22-19 11:24:43 assp50283-19122 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de info: found message size announcement: 4.22 kByte
    Mar-22-19 11:24:43 assp50283-19122 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de Message-Score: added -20 (tlsValencePB) for SSL-TLS-connection-OK, total score for this message is now -20
    Mar-22-19 11:24:43 [Worker_1] Info: create new DNS socket for 192.168.244.31
    Mar-22-19 11:24:43 [Worker_1] Info: created new DNS (udp) socket for 192.168.244.31
    Mar-22-19 11:24:43 [Worker_1] Info: sent DNS query for 'guetersloh.de' type 'NS' to nameserver 192.168.244.31 ID 55316
    Mar-22-19 11:24:43 [Worker_1] Info: create new DNS socket for fd2b:1048:60dd:12f5::c0a8:f41f
    Mar-22-19 11:24:43 [Worker_1] Info: created new DNS (udp) socket for fd2b:1048:60dd:12f5::c0a8:f41f
    Mar-22-19 11:24:43 [Worker_1] Info: sent DNS query for 'guetersloh.de' type 'NS' to nameserver fd2b:1048:60dd:12f5::c0a8:f41f ID 24955
    Mar-22-19 11:24:43 [Worker_1] Info: DNS query time 0.005 - 192.168.244.31 fd2b:1048:60dd:12f5::c0a8:f41f
    Mar-22-19 11:24:43 [Worker_1] Info: got DNS DATA answer from nameserver 192.168.244.31
    Mar-22-19 11:24:43 [Worker_1] DNS-question was: guetersloh.de. IN NS
    Mar-22-19 11:24:43 [Worker_1] DNS-answer is: guetersloh.de. 86298 IN NS ns2.namespace4you.de.
    Mar-22-19 11:24:43 [Worker_1] DNS-answer is: guetersloh.de. 86298 IN NS ns.namespace4you.de.
    Mar-22-19 11:24:43 [Worker_1] Info: got valid DNS DATA answer from nameserver 192.168.244.31 ID 55316
    Mar-22-19 11:24:43 [Worker_1] Info: destroy old single DNSresolver
    Mar-22-19 11:24:43 assp50283-19122 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de [SMTP Reply] 250 2.1.0 Ok
    Mar-22-19 11:24:43 assp50283-19122 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de [SMTP Reply] 250 2.1.5 Ok
    Mar-22-19 11:24:43 assp50283-19122 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de ASSP_FakeMX: Plugin successful called for runlevel 'SMTP-handshake'!
    Mar-22-19 11:24:43 assp50283-19122 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de info: allocated 32.71 kByte memory to process this mail
    Mar-22-19 11:24:43 assp50283-19122 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de [SMTP Reply] 354 End data with <cr><lf>.<cr><lf>
    Mar-22-19 11:24:44 [Worker_1] Info: enhanced Originated IP detection ignored IP's: 91.102.136.170 (connected IP) , 10.107.240.162 , 91.102.136.170 (connected IP) , 172.16.1.246 , 91.102.136.170 (connected IP) , 172.16.1.222 , 172.16.80.14 , fe80::394f:84b2:df94:f080
    Mar-22-19 11:24:44 assp50283-19122 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de Message-Score: added -21 for 91.102.136.0 in griplist (0.09), total score for this message is now -41
    Mar-22-19 11:24:44 [Worker_1] Info: create new DNS socket for 192.168.244.31
    Mar-22-19 11:24:44 [Worker_1] Info: created new DNS (udp) socket for 192.168.244.31
    Mar-22-19 11:24:44 [Worker_1] Info: sent DNS query for '_adsp._domainkey.guetersloh.de' type 'TXT' to nameserver 192.168.244.31 ID 5527
    Mar-22-19 11:24:44 [Worker_1] Info: create new DNS socket for fd2b:1048:60dd:12f5::c0a8:f41f
    Mar-22-19 11:24:44 [Worker_1] Info: created new DNS (udp) socket for fd2b:1048:60dd:12f5::c0a8:f41f
    Mar-22-19 11:24:44 [Worker_1] Info: sent DNS query for '_adsp._domainkey.guetersloh.de' type 'TXT' to nameserver fd2b:1048:60dd:12f5::c0a8:f41f ID 37609
    Mar-22-19 11:24:44 [Worker_1] Info: DNS query time 0.008 - 192.168.244.31 fd2b:1048:60dd:12f5::c0a8:f41f
    Mar-22-19 11:24:44 [Worker_1] Info: got DNS DATA answer from nameserver 192.168.244.31
    Mar-22-19 11:24:44 [Worker_1] DNS-question was: _adsp._domainkey.guetersloh.de. IN TXT
    Mar-22-19 11:24:44 [Worker_1] DNS-answer is: _adsp._domainkey.guetersloh.de. 3600 IN TXT (
    "v=spf1 mx a include:ispgateway.de ~all" )
    Mar-22-19 11:24:44 [Worker_1] Info: got valid DNS DATA answer from nameserver 192.168.244.31 ID 5527
    Mar-22-19 11:24:44 [Worker_1] Info: destroy old single DNSresolver
    Mar-22-19 11:24:44 assp50283-19122 [Worker_1] [TLS-in] [DKIM] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de DKIM domain mismatch - DKIM config found in DNS for guetersloh.de, but no DKIM-Signature found in mail header
    Mar-22-19 11:24:44 assp50283-19122 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de Message-Score: added 15 (dkimValencePB) for DKIM domain mismatch - DKIM config found in DNS for guetersloh.de, but no DKIM-Signature found in mail header, total score for this message is now -26
    Mar-22-19 11:24:44 assp50283-19122 [Worker_1] [TLS-in] [DKIM] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de [spam found] (DKIM domain mismatch - DKIM config found in DNS for guetersloh.de, but no DKIM-Signature found in mail header) [Gelesen Mail Probleme der Spogg] -> spam/19122--2031.eml;
    Mar-22-19 11:24:44 assp50283-19122 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de [SMTP Error] 554 5.7.1 DKIM domain mismatch - DKIM config found in DNS for guetersloh.de, but no DKIM-Signature found in mail header .
    Mar-22-19 11:24:44 assp50283-19122 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de info: PB-IP-Score for '91.102.136.170' is 15, added -5 in this session
    Mar-22-19 11:24:44 assp50283-19122 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de finished message - received DATA size: 2.26 kByte - sent DATA size: 0 Byte
    Mar-22-19 11:24:44 assp50283-19122 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de disconnected: session:7FF224406B68 91.102.136.170 - command list was 'EHLO,STARTTLS,EHLO,MAIL FROM,RCPT TO,DATA' - used 7 SocketCalls - processing time 1 seconds
    Mar-22-19 11:24:53 [Main_Thread] Saving config
    Mar-22-19 11:24:53 [Main_Thread] Info: saved config to /home/assp/assp.cfg.tmp - which is now renamed to /home/assp/assp.cfg
    Mar-22-19 11:24:53 [Main_Thread] Finished saving config
    Mar-22-19 11:24:53 [Main_Thread] Info: start loading RBLCache from /home/assp/pb/pbdb.rbl.db with approximately 128 records
    Mar-22-19 11:24:53 [Main_Thread] Info: RBLCache loaded from /home/assp/pb/pbdb.rbl.db with 0 records
    Mar-22-19 11:24:53 [Main_Thread] Info: create new DNS socket for 192.168.244.31
    Mar-22-19 11:29:43 [Worker_1] 2a02:16f0::1:3 [SMTP Reply] 250 NOOP
    Mar-22-19 11:29:43 [Worker_1] 2a02:16f0::1:3 info: got STARTTLS request from 2a02:16f0::1:3
    Mar-22-19 11:29:43 [Worker_1] 2a02:16f0::1:3 info: STARTTLS is skipped for 127.0.0.1 - sent 'NOOP' to 127.0.0.1
    Mar-22-19 11:29:43 [Worker_1] 2a02:16f0::1:3 [SMTP Reply] 220 Ready to start TLS - go on
    Mar-22-19 11:29:44 [Worker_1] [TLS-in] 2a02:16f0::1:3 info: started TLS-SSL session for client 2a02:16f0::1:3 - using TLSv1_2 , ECDHE-RSA-AES128-GCM-SHA256
    Mar-22-19 11:29:44 [Worker_1] [TLS-in] 2a02:16f0::1:3 [SMTP Reply] 250 NOOP
    Mar-22-19 11:29:44 assp50584-08545 [Worker_1] [TLS-in] 2a02:16f0::1:3 Alfred.Meierfrankenfeld@guetersloh.de info: found message size announcement: 57.59 kByte
    Mar-22-19 11:29:44 assp50584-08545 [Worker_1] [TLS-in] 2a02:16f0::1:3 Alfred.Meierfrankenfeld@guetersloh.de Message-Score: added -20 (tlsValencePB) for SSL-TLS-connection-OK, total score for this message is now -20
    Mar-22-19 11:29:44 [Worker_1] Info: create new DNS socket for 192.168.244.31
    Mar-22-19 11:29:44 [Worker_1] Info: created new DNS (udp) socket for 192.168.244.31
    Mar-22-19 11:29:44 [Worker_1] Info: sent DNS query for 'guetersloh.de' type 'NS' to nameserver 192.168.244.31 ID 60241
    Mar-22-19 11:29:44 [Worker_1] Info: create new DNS socket for fd2b:1048:60dd:12f5::c0a8:f41f
    Mar-22-19 11:29:44 [Worker_1] Info: created new DNS (udp) socket for fd2b:1048:60dd:12f5::c0a8:f41f
    Mar-22-19 11:29:44 [Worker_1] Info: sent DNS query for 'guetersloh.de' type 'NS' to nameserver fd2b:1048:60dd:12f5::c0a8:f41f ID 5963
    Mar-22-19 11:29:44 [Worker_1] Info: DNS query time 0.000 - 192.168.244.31
    Mar-22-19 11:29:44 [Worker_1] Info: got DNS DATA answer from nameserver 192.168.244.31
    Mar-22-19 11:29:44 [Worker_1] DNS-question was: guetersloh.de. IN NS
    Mar-22-19 11:29:44 [Worker_1] DNS-answer is: guetersloh.de. 85997 IN NS ns.namespace4you.de.
    Mar-22-19 11:29:44 [Worker_1] DNS-answer is: guetersloh.de. 85997 IN NS ns2.namespace4you.de.
    Mar-22-19 11:29:44 [Worker_1] Info: got valid DNS DATA answer from nameserver 192.168.244.31 ID 60241
    Mar-22-19 11:29:44 [Worker_1] Info: destroy old single DNSresolver
    Mar-22-19 11:29:44 assp50584-08545 [Worker_1] [TLS-in] 2a02:16f0::1:3 Alfred.Meierfrankenfeld@guetersloh.de [SMTP Reply] 250 2.1.0 Ok
    Mar-22-19 11:29:44 assp50584-08545 [Worker_1] [TLS-in] 2a02:16f0::1:3 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de [SMTP Reply] 250 2.1.5 Ok
    Mar-22-19 11:29:44 assp50584-08545 [Worker_1] [TLS-in] 2a02:16f0::1:3 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de recipient delayed: carlos@hchs.de
    Mar-22-19 11:29:44 assp50584-08545 [Worker_1] [TLS-in] 2a02:16f0::1:3 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de [SMTP Status] 451 4.7.1 Please try again later
    Mar-22-19 11:29:44 assp50584-08545 [Worker_1] [TLS-in] 2a02:16f0::1:3 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de info: PB-IP-Score for '2a02:16f0:0:0:0:0:1:3' is 0, added -20 in this session
    Mar-22-19 11:29:44 assp50584-08545 [Worker_1] [TLS-in] 2a02:16f0::1:3 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de disconnected: session:7FF2278A6510 2a02:16f0::1:3 - command list was 'EHLO,STARTTLS,EHLO,MAIL FROM,RCPT TO,DATA' - used 6 SocketCalls - processing time 1 seconds
    Mar-22-19 11:29:44 [Worker_1] Info: try to connect to server at 127.0.0.1:125
    Mar-22-19 11:29:44 [Worker_1] Info: connected to server at 127.0.0.1:125
    Mar-22-19 11:29:44 [Worker_1] Connected: session:7FF2279016D0 91.102.136.170:46824 > 37.120.162.207:25 > 127.0.0.1:59516 > 127.0.0.1:125 , 76-77
    Mar-22-19 11:29:44 [Worker_1] 91.102.136.170 [SMTP Reply] 220 mailproxy1send.hchs.de ESMTP
    Mar-22-19 11:29:44 [Worker_1] 91.102.136.170 [SMTP Reply] 250 NOOP
    Mar-22-19 11:29:44 [Worker_1] 91.102.136.170 info: got STARTTLS request from 91.102.136.170
    Mar-22-19 11:29:44 [Worker_1] 91.102.136.170 [SMTP Reply] 250 NOOP
    Mar-22-19 11:29:44 [Worker_1] 91.102.136.170 info: got STARTTLS request from 91.102.136.170
    Mar-22-19 11:29:44 [Worker_1] 91.102.136.170 info: STARTTLS is skipped for 127.0.0.1 - sent 'NOOP' to 127.0.0.1
    Mar-22-19 11:29:44 [Worker_1] 91.102.136.170 [SMTP Reply] 220 Ready to start TLS - go on
    Mar-22-19 11:29:44 [Worker_1] [TLS-in] 91.102.136.170 info: started TLS-SSL session for client 91.102.136.170 - using TLSv1_2 , ECDHE-RSA-AES128-GCM-SHA256
    Mar-22-19 11:29:44 [Worker_1] [TLS-in] 91.102.136.170 [SMTP Reply] 250 NOOP
    Mar-22-19 11:29:44 assp50584-01409 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de info: found message size announcement: 57.59 kByte
    Mar-22-19 11:29:44 assp50584-01409 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de Message-Score: added -20 (tlsValencePB) for SSL-TLS-connection-OK, total score for this message is now -20
    Mar-22-19 11:29:44 [Worker_1] Info: create new DNS socket for 192.168.244.31
    Mar-22-19 11:29:44 [Worker_1] Info: created new DNS (udp) socket for 192.168.244.31
    Mar-22-19 11:29:44 [Worker_1] Info: sent DNS query for 'guetersloh.de' type 'NS' to nameserver 192.168.244.31 ID 38309
    Mar-22-19 11:29:44 [Worker_1] Info: create new DNS socket for fd2b:1048:60dd:12f5::c0a8:f41f
    Mar-22-19 11:29:44 [Worker_1] Info: created new DNS (udp) socket for fd2b:1048:60dd:12f5::c0a8:f41f
    Mar-22-19 11:29:44 [Worker_1] Info: sent DNS query for 'guetersloh.de' type 'NS' to nameserver fd2b:1048:60dd:12f5::c0a8:f41f ID 19060
    Mar-22-19 11:29:44 [Worker_1] Info: DNS query time 0.000 - 192.168.244.31
    Mar-22-19 11:29:44 [Worker_1] Info: got DNS DATA answer from nameserver 192.168.244.31
    Mar-22-19 11:29:44 [Worker_1] DNS-question was: guetersloh.de. IN NS
    Mar-22-19 11:29:44 [Worker_1] DNS-answer is: guetersloh.de. 85997 IN NS ns.namespace4you.de.
    Mar-22-19 11:29:44 [Worker_1] DNS-answer is: guetersloh.de. 85997 IN NS ns2.namespace4you.de.
    Mar-22-19 11:29:44 [Worker_1] Info: got valid DNS DATA answer from nameserver 192.168.244.31 ID 38309
    Mar-22-19 11:29:44 [Worker_1] Info: destroy old single DNSresolver
    Mar-22-19 11:29:45 assp50584-01409 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de [SMTP Reply] 250 2.1.0 Ok
    Mar-22-19 11:29:45 assp50584-01409 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de [SMTP Reply] 250 2.1.5 Ok
    Mar-22-19 11:29:45 assp50584-01409 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de ASSP_FakeMX: Plugin successful called for runlevel 'SMTP-handshake'!
    Mar-22-19 11:29:45 assp50584-01409 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de info: allocated 219.50 kByte memory to process this mail
    Mar-22-19 11:29:45 assp50584-01409 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de [SMTP Reply] 354 End data with <cr><lf>.<cr><lf>
    Mar-22-19 11:29:45 [Worker_1] Info: enhanced Originated IP detection ignored IP's: 91.102.136.170 (connected IP) , 10.107.240.162 , 91.102.136.170 (connected IP) , 172.16.1.246 , 91.102.136.170 (connected IP) , 172.16.1.222 , 172.16.80.14 , fe80::394f:84b2:df94:f080 , 172.16.65.204
    Mar-22-19 11:29:45 assp50584-01409 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de Message-Score: added -21 for 91.102.136.0 in griplist (0.09), total score for this message is now -41
    Mar-22-19 11:29:45 assp50584-01409 [Worker_1] [TLS-in] [DKIM] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de DKIM domain mismatch - guetersloh.de found in DKIMCache, but no DKIM-Signature found in mail header (Cache)
    Mar-22-19 11:29:45 assp50584-01409 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de Message-Score: added 15 (dkimValencePB) for DKIM domain mismatch - guetersloh.de found in DKIMCache, but no DKIM-Signature found in mail header, total score for this message is now -26
    Mar-22-19 11:29:45 assp50584-01409 [Worker_1] [TLS-in] [DKIM] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de [spam found] (DKIM domain mismatch - guetersloh.de found in DKIMCache, but no DKIM-Signature found in mail header) [WG test] -> spam/1409--2033.eml;
    Mar-22-19 11:29:45 assp50584-01409 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de [SMTP Error] 554 5.7.1 DKIM domain mismatch - guetersloh.de found in DKIMCache, but no DKIM-Signature found in mail header .
    Mar-22-19 11:29:45 assp50584-01409 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de info: PB-IP-Score for '91.102.136.170' is 15, added 15 in this session
    Mar-22-19 11:29:45 assp50584-01409 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de finished message - received DATA size: 2.26 kByte - sent DATA size: 0 Byte
    Mar-22-19 11:29:45 assp50584-01409 [Worker_1] [TLS-in] 91.102.136.170 Alfred.Meierfrankenfeld@guetersloh.de to: carlos@hchs.de disconnected: session:7FF2279016D0 91.102.136.170 - command list was 'EHLO,STARTTLS,EHLO,MAIL FROM,RCPT TO,DATA' - used 7 SocketCalls - processing time 1 seconds
    Mar-22-19 11:29:51 [Worker_1] Info: try to connect to server at 127.0.0.1:125
    Mar-22-19 11:29:51 [Worker_1] Info: connected to server at 127.0.0.1:125
    Mar-22-19 11:29:51 [Worker_1] Connected: session:7FF2278B0858 212.77.229.30:44968 > 37.120.162.207:25 > 127.0.0.1:59518 > 127.0.0.1:125 , 76-77
    Mar-22-19 11:29:51 [Worker_1] 212.77.229.30 [SMTP Reply] 220 mailproxy1send.hchs.de ESMTP
    Mar-22-19 11:29:51 [Worker_1] 212.77.229.30 [SMTP Reply] 250 NOOP
    Mar-22-19 11:29:51 [Worker_1] 212.77.229.30 info: got STARTTLS request from 212.77.229.30

     
  • Thomas Eckardt

    Thomas Eckardt - 2019-03-25
    • status: open --> closed
    • assigned_to: Thomas Eckardt
     
  • Thomas Eckardt

    Thomas Eckardt - 2019-03-25

    What about reading my post.

    ... disable the DKIM check for those domains

    eg. noDKIMAddresses

    Thomas

     
  • Hans Carlos

    Hans Carlos - 2019-03-25

    To manually disable DKIM for the domains in question is a nonsense recommendation.
    In those cases there was someone who wants to contact me and cannot do so because of the bug in his domain. I want to avoid such cases. A negative list does not work. Only a positive list, which means an activation of DKIM for reviewed domains, may work ... but that is not acceptable work.
    The only way to solve the problem by configuration is, in my opinion, to disable DKIM completely ... which is sad. Or else to improve the program to check for wildcard bullshit and disable it dynamically in those cases.

     
  • Hans Carlos

    Hans Carlos - 2019-03-25

    The next domain of this kind:

    blockb:/var/log # dig -t txt _domainkey.fps-law.de

    ; <<>> DiG 9.11.2 <<>> -t txt _domainkey.fps-law.de
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28278
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 81d2e2903a3c46aafb072a8e5c98f859083585725b9fe526 (good)
    ;; QUESTION SECTION:
    ;_domainkey.fps-law.de. IN TXT

    ;; ANSWER SECTION:
    _domainkey.fps-law.de. 1811 IN TXT "v=spf1 mx a include:ispgateway.de ip4:62.206.126.138 ip4:212.91.225.101 ~all"

    ;; AUTHORITY SECTION:
    fps-law.de. 80728 IN NS ns2.namespace4you.de.
    fps-law.de. 80728 IN NS ns.namespace4you.de.

    ;; Query time: 23 msec
    ;; SERVER: 192.168.244.31#53(192.168.244.31)
    ;; WHEN: Mon Mar 25 16:48:41 CET 2019
    ;; MSG SIZE rcvd: 216

     
  • Hans Carlos

    Hans Carlos - 2019-03-26

    I have turned off DKIM :-/ ... SAD ...

    The next Domain of this Kind ....

    carlos62@labtop3a:~> dig -t txt _domainkey.einfachlecker.de

    ; <<>> DiG 9.11.2 <<>> -t txt _domainkey.einfachlecker.de
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27125
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 75593bfb73205e48ca54cd7a5c99f96808faae341ee31ab9 (good)
    ;; QUESTION SECTION:
    ;_domainkey.einfachlecker.de. IN TXT

    ;; ANSWER SECTION:
    _domainkey.einfachlecker.de. 300 IN TXT "v=spf1 mx a ptr include:servers.mcsv.net include:_spf.google.com include:amazonses.com include:amazonaws.com include:mail.dms.unileverservices.com -all"

    ;; AUTHORITY SECTION:
    einfachlecker.de. 300 IN NS dns88.unilever.com.
    einfachlecker.de. 300 IN NS dns04.unilever.com.
    einfachlecker.de. 300 IN NS dns02.unilever.com.
    einfachlecker.de. 300 IN NS dns91.unilever.com.

    ;; ADDITIONAL SECTION:
    dns91.unilever.com. 168 IN A 194.60.108.80
    dns02.unilever.com. 168 IN A 204.110.160.192
    dns04.unilever.com. 168 IN A 194.60.109.74
    dns88.unilever.com. 868 IN A 162.61.225.191

    ;

     
  • Hans Carlos

    Hans Carlos - 2019-03-26

    Now I know what I must search for to find cases ....

    carlos62@labtop3a:~> dig -t txt _domainkey.org.com

    ; <<>> DiG 9.11.2 <<>> -t txt _domainkey.org.com

    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10598
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 1a8bce4bfcad081c3d8247fd5c99fb65f322c30cc1426f0a (good)
    ;; QUESTION SECTION:
    ;_domainkey.org.com. IN TXT

    ;; ANSWER SECTION:
    _domainkey.org.com. 600 IN TXT "v=spf1 -all"

    ;; AUTHORITY SECTION:
    org.com. 172800 IN NS ns2.digimedia.com.
    org.com. 172800 IN NS ns1.digimedia.com.

    ;; Query time: 155 msec
    ;; SERVER: 192.168.244.31#53(192.168.244.31)
    ;; WHEN: Tue Mar 26 11:13:57 CET 2019
    ;; MSG SIZE rcvd: 145

     
  • Hans Carlos

    Hans Carlos - 2019-03-26

    And the Next One ....

    carlos62@labtop3a:~> dig -t txt _domainkey.vivaldi.net

    ; <<>> DiG 9.11.2 <<>> -t txt _domainkey.vivaldi.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62241
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 98da21cc4fc51c7b8bf5dbb85c9a00177c46d16dd6bc0f53 (good)
    ;; QUESTION SECTION:
    ;_domainkey.vivaldi.net. IN TXT

    ;; ANSWER SECTION:
    _domainkey.vivaldi.net. 300 IN CNAME vivaldi.net.
    vivaldi.net. 300 IN TXT "v=spf1 ip4:82.221.130.149 ip4:82.221.99.164 -all"

    ;; AUTHORITY SECTION:
    vivaldi.net. 172800 IN NS carl.ns.cloudflare.com.
    vivaldi.net. 172800 IN NS sue.ns.cloudflare.com.

    ;; ADDITIONAL SECTION:
    carl.ns.cloudflare.com. 86400 IN A 173.245.59.106
    sue.ns.cloudflare.com. 86400 IN A 173.245.58.145
    carl.ns.cloudflare.com. 86400 IN AAAA 2400:cb00:2049:1::adf5:3b6a
    sue.ns.cloudflare.com. 86400 IN AAAA 2400:cb00:2049:1::adf5:3a91

    ;; Query time: 62 msec
    ;; SERVER: 192.168.244.31#53(192.168.244.31)
    ;; WHEN: Tue Mar 26 11:33:59 CET 2019
    ;; MSG SIZE rcvd: 296

     
  • Hans Carlos

    Hans Carlos - 2019-03-26

    Here is something special: there is some other wildcard source for junk at the _domainkey DNS label .... so a generalized wildcard trap is MANDATORY.

    carlos62@labtop3a:~> dig -t txt _domainkey.shanater.us

    ; <<>> DiG 9.11.2 <<>> -t txt _domainkey.shanater.us
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48418
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 8836575809494cc29ac02c415c9a00bc7a358c2b1648f0cf (good)
    ;; QUESTION SECTION:
    ;_domainkey.shanater.us. IN TXT

    ;; ANSWER SECTION:
    _domainkey.shanater.us. 271 IN CNAME shanater.us.
    shanater.us. 271 IN TXT "ca3-3453d24e05234b2a84b45df61811aebb"

    ;; AUTHORITY SECTION:
    shanater.us. 3571 IN NS heather.ns.cloudflare.com.
    shanater.us. 3571 IN NS rudy.ns.cloudflare.com.

    ;; ADDITIONAL SECTION:
    rudy.ns.cloudflare.com. 26 IN A 173.245.59.229
    heather.ns.cloudflare.com. 13139 IN A 173.245.58.161
    rudy.ns.cloudflare.com. 26 IN AAAA 2400:cb00:2049:1::adf5:3be5
    heather.ns.cloudflare.com. 13139 IN AAAA 2400:cb00:2049:1::adf5:3aa1

    ;; Query time: 55 msec
    ;; SERVER: 192.168.244.31#53(192.168.244.31)
    ;; WHEN: Tue Mar 26 11:36:44 CET 2019
    ;; MSG SIZE rcvd: 288

     
  • Hans Carlos

    Hans Carlos - 2019-03-26

    The problem is huge ... The next one ...

    carlos62@labtop3a:~> dig -t txt _domainkey.upmdata.pl

    ; <<>> DiG 9.11.2 <<>> -t txt _domainkey.upmdata.pl
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13057
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 44b1380ecad6f05a9fb894795c9a01e8b818df12e23069f5 (good)
    ;; QUESTION SECTION:
    ;_domainkey.upmdata.pl. IN TXT

    ;; ANSWER SECTION:
    _domainkey.upmdata.pl. 3600 IN CNAME upmdata.pl.
    upmdata.pl. 3600 IN TXT "v=spf1 mx a ptr ~all"

    ;; AUTHORITY SECTION:
    upmdata.pl. 86400 IN NS dns3.home.pl.
    upmdata.pl. 86400 IN NS dns2.home.pl.
    upmdata.pl. 86400 IN NS dns.home.pl.

    ;; Query time: 114 msec
    ;; SERVER: 192.168.244.31#53(192.168.244.31)
    ;; WHEN: Tue Mar 26 11:41:44 CET 2019
    ;; MSG SIZE rcvd: 186

     
  • Hans Carlos

    Hans Carlos - 2019-03-26

    carlos62@labtop3a:~> dig -t txt _domainkey.schnelle-uebersetzungen.com

    ; <<>> DiG 9.11.2 <<>> -t txt _domainkey.schnelle-uebersetzungen.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44644
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: ff6ccc339874cec207e720795c9a0311e9d52b4d2ee9a7b4 (good)
    ;; QUESTION SECTION:
    ;_domainkey.schnelle-uebersetzungen.com. IN TXT

    ;; ANSWER SECTION:
    _domainkey.schnelle-uebersetzungen.com. 3600 IN TXT "v=spf1 mx a include:spf.tld.pl include:helpdesk.dogadamycie.pl -all"

    ;; AUTHORITY SECTION:
    schnelle-uebersetzungen.com. 28710 IN NS ns1.tld.pl.
    schnelle-uebersetzungen.com. 28710 IN NS ns2.tld.pl.

    ;; ADDITIONAL SECTION:
    ns1.tld.pl. 3600 IN A 195.149.224.10
    ns2.tld.pl. 3600 IN A 94.152.202.202

    ;; Query time: 157 msec
    ;; SERVER: 192.168.244.31#53(192.168.244.31)
    ;; WHEN: Tue Mar 26 11:46:41 CET 2019
    ;; MSG SIZE rcvd: 249

     
