
Mail header parsing bug / NDR reflection spam

JasonE

New Pleskian
Mail sent to Plesk servers running Postfix with a "Delivered-To:" header will bounce to sender with a "mail forwarding loop" message.

For example, if a message with the following headers is sent to Plesk:

Code:
Delivered-To: [email protected]
Return-Path: <[email protected]>
From: <[email protected]>
Subject: test
To: <[email protected]>

It will bounce with the following:

Code:
Reporting-MTA: dns; host.domain.com
X-Postfix-Queue-ID: EABA02A10C9
X-Postfix-Sender: rfc822; [email protected]
Arrival-Date: Wed,  5 Dec 2012 17:09:46 -0500 (EST)

Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 5.4.6
Diagnostic-Code: X-Postfix; mail forwarding loop for [email protected]

This assumes "[email protected]" is a valid user on the server. I imagine a malicious third party could manipulate the Return-Path/From headers in order to send NDR reflection spam.
 
Have you checked that the recipient.com hostname is resolvable from the Plesk server?
 
recipient.com resolves to the Plesk server, and is resolvable from the Plesk server. This is not relevant to the problem.

I became aware of this when I noticed unusual bounces queued up in one of our servers. I used a packet analyzer to capture and dissect new messages as they came in, which allowed me to isolate the problem to the errant header.
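
Added example, not part of the original thread and not Plesk or Postfix code: a Python sketch of the two checks discussed above, flagging an inbound message that already carries a "Delivered-To:" header for its own recipient, and counting queued bounces with the "mail forwarding loop" diagnostic per bounce destination. The function names, the sample addresses and the case-insensitive address comparison are assumptions made for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

def preexisting_delivered_to(raw_message, envelope_rcpt):
    """True if an inbound message already names its recipient in Delivered-To."""
    msg = message_from_string(raw_message)
    # Assumption: addresses are compared case-insensitively.
    rcpt = envelope_rcpt.strip().lower()
    values = msg.get_all("Delivered-To", [])
    return any(parseaddr(v)[1].lower() == rcpt for v in values)

def parse_delivery_status(report):
    """Flatten the per-message and per-recipient DSN fields into one dict."""
    fields = {}
    for line in report.splitlines():
        if line[:1].isspace():  # folded continuation line, not a new field
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields

def is_loop_bounce(fields):
    """Match the status and diagnostic text shown in the bounce above."""
    return (fields.get("status") == "5.4.6"
            and "mail forwarding loop" in fields.get("diagnostic-code", ""))

def loop_bounces_by_sender(reports):
    """Count forwarding-loop bounces per X-Postfix-Sender (where the NDR goes)."""
    counts = Counter()
    for report in reports:
        fields = parse_delivery_status(report)
        if is_loop_bounce(fields):
            counts[fields.get("x-postfix-sender", "").split(";", 1)[-1].strip()] += 1
    return counts

# Constructed sample data (placeholder addresses, not taken from the thread).
SAMPLE_MESSAGE = (
    "Delivered-To: user@recipient.example\n"
    "Return-Path: <someone@sender.example>\n"
    "To: <user@recipient.example>\nSubject: test\n\nbody\n"
)
SAMPLE_DSN = (
    "Reporting-MTA: dns; mx.recipient.example\n"
    "X-Postfix-Sender: rfc822; someone@sender.example\n\n"
    "Final-Recipient: rfc822; user@recipient.example\n"
    "Action: failed\nStatus: 5.4.6\n"
    "Diagnostic-Code: X-Postfix; mail forwarding loop for user@recipient.example\n"
)
```

A sudden rise in the per-sender count for addresses that never wrote to the server is the pattern the first post describes.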
 