OK, who's the idiot using tcwireless.us?

Somebody on the NANOG mailing list has their mail pointing to tcwireless.us,
which is throwing challenge/response mail like the following:

Your message

i doubt that that person will see it, as you have yet to authenticate thyself.


  I agree with Howard here, I don't think this is a mis-configuration, but a harvest attempt. The "mailserver" is in different messages, and I can't see how that could get misconfigured in an honest validation server. My guess is that someone is trolling the archives, and sending this back? Why, I have no idea, given they already can see the sending address.


Active address validation, perhaps?


The person responsible already posted about this about 4 hours ago, BTW; further speculation is obsolete. :)

- S

Turns out it was indeed a C/R system rather than a harvest attempt, and
after seeing several other people's versions of the message, it was pretty
obvious what was wrong - some fool programmer coded:

printf("has just been received by %s mailserver\n", from->domain);

when they wanted our->domain instead. So that's a double-whammy - (a) they
didn't use their own server's domain, and (b) they used the From: address
rather than the Return-Path: address (which is why it showed up as the poster's
mailserver rather than nanog.org as the source).

When you test it from your own domain, source->domain and from->domain are the
same as our->domain so you don't notice. Presumably, nobody ever carefully
tested from outside the local domain, which means their QA process isn't the
strictest either - makes one wonder what other bugs and vulnerabilities are in
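An added illustration (not code from the thread or from the C/R vendor) of the two defects just described and of why testing only from the local domain hides them: the buggy generator names the From: domain and challenges the From: address, the corrected one names our own domain and challenges the envelope sender (Return-Path). OUR_DOMAIN, the sample messages and all addresses are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "cr.example.net"  # constructed: the C/R system's own domain

# Constructed message relayed through a list server: the envelope sender
# (Return-Path) is the list, while From: is the original poster.
SAMPLE = """Return-Path: <nanog-bounces@list.example.org>
From: Poster <poster@sender.example.com>
To: someone@cr.example.net
Subject: test

hello
"""

# Constructed message sent by a local tester: Return-Path and From: both
# live in OUR_DOMAIN, which is exactly the case that masks the bug.
LOCAL_SAMPLE = """Return-Path: <tester@cr.example.net>
From: tester@cr.example.net
To: someone@cr.example.net
Subject: local test

hello
"""

def parse(raw):
    """Return (envelope sender, From: address) from a raw RFC 822 message."""
    msg = message_from_string(raw)
    ret = parseaddr(msg.get("Return-Path", ""))[1]
    frm = parseaddr(msg.get("From", ""))[1]
    return ret, frm

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def challenge_buggy(raw):
    """Reproduces the described defect: From: domain named as 'the
    mailserver', challenge addressed to the From: address."""
    _ret, frm = parse(raw)
    return frm, "has just been received by %s mailserver" % domain_of(frm)

def challenge_fixed(raw):
    """Challenge goes to the envelope sender and names our own domain;
    falls back to From: only when Return-Path is missing."""
    ret, frm = parse(raw)
    return ret or frm, "has just been received by %s mailserver" % OUR_DOMAIN

def same_result(raw):
    """The missing QA check: both versions agree on local mail (bug hidden)
    but disagree as soon as the message comes from outside OUR_DOMAIN."""
    return challenge_buggy(raw) == challenge_fixed(raw)
```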