
RE: [cobalt-users] Trash mails to nonexistent users?



> 
> > The mail is being accepted for delivery as if it were a valid
> > user.  In other words, the server thinks this came from a 
> > valid user and therefore tries to send on the mail (relay).  
> > We see this with customers that have a static or semi-static 
> > IP address, mainly businesses with large internal networks.  
> > A valid user authenticates through the server creating a 
> > valid IP for relaying (popauth).  Then, anyone from that IP 
> > can send for however wide the POPAuth window is set for.  
> > Usually the customer has a virus or hacked computer that is 
> > acting as a SPAMbot.
> > 
> > Unfortunately, because they trash the header and it all comes
> > from the same IP, it's hard to track down where it originated from.
> > 
> > The mail is destined for a non-existent domain.  It sits on
> > the server as the server tries to send and re-send the same 
> > junk email over and over. Worse yet is when it is a valid 
> > domain name and the "reply to" is someone on your server.  
> > Then that person receives all the responses, bounces and 
> > angry replies.
> 
> If this is a RaQ4 you could look in /var/spool/mqueue for q1 
> - q4 and do an ls and then remove the offending messages from 
> the queue by their ID number. rm /var/spool/mqueue/q*/xxxxxxx 
> q* being the number and xxxxxxx being the ID number you find 
> in the ls.
> 
> A lot of the bounce messages your customers are seeing would 
> be coming from virus email that has forged your customer 
> email address. Not much you can do about that unless you use 
> Procmail or check subjects in Sendmail to block some of the 
> "Your system sent a virus" messages.
> 
> If you have an infected user connecting to your SMTP that 
> would be another problem you need to address and block that 
> user until they are clean.

Thanks for the comments.

To better describe what's going on. Yes, this is a Raq4.
Here's a typical email that gets sent to the postmaster for the server
from the MAILER-DAEMON on our server:
-------------------------------------------------------------------------
The original message was received at Thu, 12 Feb 2004 07:43:43 -0800
from localhost with id i1CFhh011243

   ----- The following addresses had permanent fatal errors -----
<llbackfalsel@xxxxxxxxxx>
    (reason: 550 <>: No thank you rejected: Account unavailable.
Possible forgery)

   ----- Transcript of session follows -----
... while talking to hsuchi-net-bk.mr.outblaze.com.:
>>> RCPT To:<llbackfalsel@xxxxxxxxxx>
<<< 550 <>: No thank you rejected: Account unavailable. Possible forgery
550 5.1.1 <llbackfalsel@xxxxxxxxxx>... User unknown
--------------------------------------------------------------------------

Note that our server does not serve mail for hsuchi.net or outblaze.com.
Opening up the transcript (an attachment to this email) shows:
--------------------------------------------------------------------------
The original message was received at Thu, 12 Feb 2004 07:43:29 -0800
from [218.155.196.13]

   ----- The following addresses had permanent fatal errors -----
<qnlhnwm@xxxxxxxx>

   ----- Transcript of session follows -----
553 5.3.0 <qnlhnwm@xxxxxxxx>... No such user here
----------------------------------------------------------------------------

Note that jbgn.com is a domain that we host, but that there is no user
qnlhnwm. There is also an attachment to this message that is an obvious
spam message ("Get Sexy Girls Now!" hoo hoo!).

Perhaps I'm deciphering this incorrectly. The story I'm getting is that
the original spam was sent to qnlhnwm@xxxxxxxx, and our server is trying
to respond "no such user" to the sender. Unfortunately, the sender
doesn't exist, so the postmaster gets notified.

I get about 200 of these on an average day, and would like to just throw
out any mails addressed to a user that does not exist on our server.

Any suggestions?
Thanks
Doug
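One way to triage the ~200 daily postmaster notices, as an added example (not code from the thread or from the RaQ's own tooling): parse each sendmail DSN for its origin and its failed recipients, then separate the backscatter case (mail accepted from outside for a local user that does not exist, then bounced to a forged sender) from bounces of the server's own outbound mail. LOCAL_DOMAINS, the class and function names, and the two sample bodies are assumptions; the samples are constructed from the notices quoted above, with jbgn.com and hsuchi.net substituted for the archive's masked domains because the post names them as hosted and not hosted respectively.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LOCAL_DOMAINS = {"jbgn.com"}  # assumption: the domains this RaQ4 hosts (named in the post)

@dataclass
class Dsn:
    source: str  # "localhost" or the peer IP that handed the message in
    failed: List[Tuple[str, str]] = field(default_factory=list)  # (addr, code)

    def kind(self) -> str:
        """Classify the notice by where the message came from and went to."""
        remote_origin = self.source != "localhost"
        local_rcpt = any(a.rsplit("@", 1)[-1] in LOCAL_DOMAINS for a, _ in self.failed)
        if remote_origin and local_rcpt:
            # Accepted from outside for a user we do not have, then bounced
            # to a (usually forged) sender: the backscatter case.
            return "backscatter-nonexistent-local-user"
        if not remote_origin and not local_rcpt:
            # Generated here, refused by the remote site: our own bounce
            # coming back (what postmaster sees) or relayed outbound mail.
            return "local-origin-refused-remotely"
        return "other"

def parse_dsn(text: str) -> Dsn:
    """Pull the origin and the failed recipients out of a sendmail DSN body."""
    origin = re.search(r"^from (\S+)", text, re.M)
    if origin is None:
        raise ValueError("not a sendmail delivery status notification")
    dsn = Dsn(source=origin.group(1).strip("[]"))
    # Transcript lines look like: 553 5.3.0 <user@host>... No such user here
    for code, addr in re.findall(r"^(\d{3}) \d\.\d\.\d <([^>]+)>\.\.\.", text, re.M):
        dsn.failed.append((addr, code))
    return dsn

def triage(dsns: List[Dsn]) -> Dict[str, int]:
    """Count notices per kind; RCPT-time rejection empties the backscatter bucket."""
    return dict(Counter(d.kind() for d in dsns))

# Constructed from the two notices quoted in the post (domains as the post names them).
SAMPLES = [
    "The original message was received at Thu, 12 Feb 2004 07:43:43 -0800\n"
    "from localhost with id i1CFhh011243\n"
    "550 5.1.1 <llbackfalsel@hsuchi.net>... User unknown\n",
    "The original message was received at Thu, 12 Feb 2004 07:43:29 -0800\n"
    "from [218.155.196.13]\n"
    "553 5.3.0 <qnlhnwm@jbgn.com>... No such user here\n",
]
```

Run it over the saved postmaster notices; anything in the backscatter bucket is mail the server should have refused at RCPT time instead of accepting and bouncing.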