A way to drop or ignore certain domains in Postfix?

Discussion in 'ISPConfig 3 Priority Support' started by rob_morin, Dec 14, 2016.

  1. rob_morin

    rob_morin Member

    Every day I get 1000s of these emails trying to go out; not sure if it's just someone using that as a return address or somehow spam is going through the server?
    Any suggestions?
    Thanks...

    Dec 12 09:21:47 mail2 postfix/error[19680]: D72B7B000A3: to=<[email protected]>, relay=none, delay=302888, delays=302887/0.35/0/0.03, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to static.vnpt.vn[203.162.0.78]:25: Connection refused)

    Dec 12 09:21:47 mail2 postfix/smtp[19674]: EB9F2B000BB: to=<[email protected]>, relay=none, delay=281901, delays=281900/0.02/0.34/0, dsn=4.4.1, status=deferred (connect to static.vdc.vn[203.162.0.78]:25: Connection refused)

    Dec 12 09:26:47 mail2 postfix/smtp[19674]: connect to static.vdc.vn[203.162.0.78]:25: Connection refused

    Dec 12 09:26:47 mail2 postfix/smtp[19674]: 3FD79B00115: to=<[email protected]>, relay=none, delay=1089, delays=1089/0.02/0.42/0, dsn=4.4.1, status=deferred (connect to static.vdc.vn[203.162.0.78]:25: Connection refused)

    Dec 12 09:26:54 mail2 postfix/smtp[20167]: connect to static.vnpt.vn[203.162.0.78]:25: Connection refused

    Dec 12 09:26:54 mail2 postfix/smtp[20167]: 46650B000F0: to=<[email protected]>, relay=none, delay=269228, delays=269221/0.01/7.4/0, dsn=4.4.1, status=deferred (connect to static.vnpt.vn[203.162.0.78]:25: Connection refused)
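Before touching the queue, the deferred lines above can be summarized straight from mail.log. This is an added example, not from the thread: it parses constructed log lines in the same Postfix format (placeholder hosts and addresses), counts stuck messages per destination host by unique queue ID rather than by log line, and tallies deferred lines per DSN code.

```python
import re
from collections import Counter

# Constructed mail.log excerpt modelled on the lines quoted in the thread
# (hosts and addresses are placeholders; one queue id is logged twice on retry).
SAMPLE_LOG = """\
Dec 12 09:21:47 mail2 postfix/error[19680]: D72B7B000A3: to=<a@static.example.invalid>, relay=none, delay=302888, delays=302887/0.35/0/0.03, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to static.example.invalid[203.0.113.78]:25: Connection refused)
Dec 12 09:21:47 mail2 postfix/smtp[19674]: EB9F2B000BB: to=<b@static.example.invalid>, relay=none, delay=281901, delays=281900/0.02/0.34/0, dsn=4.4.1, status=deferred (connect to static.example.invalid[203.0.113.78]:25: Connection refused)
Dec 12 09:26:47 mail2 postfix/smtp[19674]: connect to static.example.invalid[203.0.113.78]:25: Connection refused
Dec 12 09:26:47 mail2 postfix/smtp[19674]: EB9F2B000BB: to=<b@static.example.invalid>, relay=none, delay=282201, delays=282200/0.02/0.42/0, dsn=4.4.1, status=deferred (connect to static.example.invalid[203.0.113.78]:25: Connection refused)
Dec 12 09:30:00 mail2 postfix/smtp[20167]: 46650B000F0: to=<c@customer.example.invalid>, relay=mx.customer.example.invalid[198.51.100.7]:25, delay=1.2, delays=0.1/0.01/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234)
"""

# One Postfix delivery-attempt line: queue id, recipient, relay, dsn, status, reason.
DELIVERY_RE = re.compile(
    r"postfix/(?:smtp|error)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>\S+), .*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)


def summarize_deferred(log_text):
    """Return (unique deferred queue ids per destination host, deferred line count per dsn).

    Postfix logs a deferred message again on every retry, so counting log lines
    overstates how much mail is stuck; the per-host figure counts queue ids instead.
    """
    queued_by_host = {}
    lines_by_dsn = Counter()
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if not m or m.group("status") != "deferred":
            continue  # skips bare "connect to ..." lines and successful deliveries
        lines_by_dsn[m.group("dsn")] += 1
        # Destination host: prefer the "connect to host[ip]" in the reason, else relay=host[ip]:port.
        host_match = re.search(r"connect to ([^\[\s]+)\[", m.group("reason"))
        host = host_match.group(1) if host_match else m.group("relay").split("[")[0]
        queued_by_host.setdefault(host, set()).add(m.group("qid"))
    return {h: len(q) for h, q in queued_by_host.items()}, dict(lines_by_dsn)
```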
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Check your mailqueue with the command:

    postqueue -p

    If it contains a lot of mails, then your server is probably sending spam. To find out which account or website is spamming, use the postcat command:

    postcat -q QUEUEID

    Replace QUEUEID with the ID of the email that you can see in the output of the postqueue command.
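Once postcat -q has been run on a few queue IDs, the records can be checked mechanically for the pattern this thread ends up finding: a delivery-status report generated by the local content filter with a null envelope sender, queued for an outside address. This is an added example, not from the thread or from ISPConfig; the postcat excerpt is constructed from the record rob_morin posts (placeholder hosts and addresses), and the fields it checks (log_client_address, sender, Content-Type, From, Subject) are the ones in that record.

```python
import re

# Constructed `postcat -q` excerpt modelled on the record quoted in the thread;
# hosts and addresses are placeholders. Note the empty envelope sender line.
SAMPLE_POSTCAT = """\
*** ENVELOPE RECORDS deferred/6/63576B000E2 ***
named_attribute: log_client_address=127.0.0.1
sender:
recipient: forged-sender@example.invalid
*** MESSAGE CONTENTS deferred/6/63576B000E2 ***
Content-Type: multipart/report; report-type=delivery-status;
 boundary="----------=_1481665263-23650-5"
Subject: BANNED contents from you (.asc,~_4Z5GIJ_~.wsf)
From: "Content-filter at mail2.example.invalid" <postmaster@example.invalid>
To: <forged-sender@example.invalid>

*** HEADER EXTRACTED deferred/6/63576B000E2 ***
"""


def parse_postcat(text):
    """Return (envelope attributes, unfolded message headers) from postcat output."""
    env_text, _, rest = text.partition("*** MESSAGE CONTENTS")
    body = rest.split("\n", 1)[1] if "\n" in rest else ""
    envelope = {}
    for line in env_text.splitlines():
        m = re.match(r"named_attribute: (\w+)=(.*)", line)
        if m:
            envelope[m.group(1)] = m.group(2)
        elif ":" in line and not line.startswith("***"):
            key, _, value = line.partition(":")
            envelope[key] = value.strip()
    headers, last = {}, None
    for line in body.split("\n\n", 1)[0].splitlines():
        if line[:1].isspace() and last:  # folded continuation line
            headers[last] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            last = name.lower()
            headers[last] = value.strip()
    return envelope, headers


def is_filter_backscatter(text):
    """True when the queued item is a content-filter DSN created on this host with a null sender."""
    env, hdr = parse_postcat(text)
    local_origin = env.get("log_client_address", "").startswith("127.")
    null_sender = env.get("sender", "") == ""
    is_dsn = "report-type=delivery-status" in hdr.get("content-type", "")
    from_filter = "content-filter" in hdr.get("from", "").lower()
    banned = hdr.get("subject", "").startswith("BANNED")
    return local_origin and null_sender and is_dsn and (from_filter or banned)
```

A message that fails the check (non-local client, real envelope sender, or no delivery-status report) is ordinary outbound mail and deserves the manual look till describes.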
     
  3. rob_morin

    rob_morin Member

    Wow, I never used postcat before; that helps, silly me!

    Looks like someone sent spam; it got refused due to SA rules and tried to let the sender know, which is a bogus email address.
    Do you think it's OK to just drop this type of message?
    Thanks again, Till
    P.S. Sorry for the many questions in the last couple of weeks; it's just that we have now had the time to more fully use our ISPConfig setup, and we are trying to get anomalies like spam down to a bare minimum.

    *** ENVELOPE RECORDS deferred/6/63576B000E2 ***
    message_size: 4669 667 1 0 4669
    message_arrival_time: Tue Dec 13 16:41:03 2016
    create_time: Tue Dec 13 16:41:03 2016
    named_attribute: log_ident=63576B000E2
    named_attribute: rewrite_context=local
    named_attribute: envelope_id=[email protected]
    sender:
    named_attribute: log_client_name=localhost
    named_attribute: log_client_address=127.0.0.1
    named_attribute: log_client_port=54210
    named_attribute: log_message_origin=localhost[127.0.0.1]
    named_attribute: log_helo_name=localhost
    named_attribute: log_protocol_name=ESMTP
    named_attribute: client_name=localhost
    named_attribute: reverse_client_name=localhost
    named_attribute: client_address=127.0.0.1
    named_attribute: client_port=54210
    named_attribute: helo_name=localhost
    named_attribute: protocol_name=ESMTP
    named_attribute: client_address_type=2
    named_attribute: dsn_orig_rcpt=rfc822;[email protected]
    original_recipient: [email protected]
    recipient: [email protected]
    *** MESSAGE CONTENTS deferred/6/63576B000E2 ***
    Received: from localhost (localhost [127.0.0.1])
    by mail2.domain.ca (Postfix) with ESMTP id 63576B000E2
    for <[email protected]>; Tue, 13 Dec 2016 16:41:03 -0500 (EST)
    Content-Type: multipart/report; report-type=delivery-status;
    boundary="----------=_1481665263-23650-5"
    Content-Transfer-Encoding: 7bit
    MIME-Version: 1.0
    Subject: BANNED contents from you (.asc,~_4Z5GIJ_~.wsf)
    In-Reply-To: <[email protected]>
    Message-ID: <[email protected]>
    From: "Content-filter at mail2.domain.ca" <[email protected]>
    To: <[email protected]>
    Date: Tue, 13 Dec 2016 16:41:03 -0500 (EST)

    This is a multi-part message in MIME format...

    ------------=_1481665263-23650-5
    Content-Type: text/plain; charset="UTF-8"
    Content-Disposition: inline
    Content-Transfer-Encoding: 7bit

    BANNED CONTENTS ALERT

    Our content checker found
    banned name: .asc,~_4Z5GIJ_~.wsf

    in email presumably from you <[email protected]>
    to the following recipient:
    -> [email protected]

    Our internal reference code for your message is 23650-17/RSCqty4t5AAm

    First upstream SMTP client IP address: [216.xxx.xxx.xxx] miffy.domain.ca
    According to a 'Received:' trace, the message apparently originated at:
    [14.169.90.25], static.vnpt.vn unknown [14.169.90.25]

    Return-Path: <[email protected]>
    From: "Alta Leach" <[email protected]>
    Message-ID: <[email protected]>
    Subject: Fixed invoices

    Delivery of the email was stopped!

    The message has been blocked because it contains a component
    (as a MIME part or nested within) with declared name
    or MIME type or contents type violating our access policy.

    To transfer contents that may be considered risky or unwanted
    by site policies, or simply too large for mailing, please consider
    publishing your content on the web, and only sending an URL of the
    document to the recipient.

    Depending on the recipient and sender site policies, with a little
    effort it might still be possible to send any contents (including
    viruses) using one of the following methods:

    - encrypted using pgp, gpg or other encryption methods;

    - wrapped in a password-protected or scrambled container or archive
    (e.g.: zip -e, arj -g, arc g, rar -p, or other methods)

    Note that if the contents is not intended to be secret, the
    encryption key or password may be included in the same message
    for recipient's convenience.

    We are sorry for inconvenience if the contents was not malicious.

    The purpose of these restrictions is to cut the most common propagation
    methods used by viruses and other malware. These often exploit automatic
    mechanisms and security holes in more popular mail readers (Microsoft
    mail readers and browsers are a common target). By requiring an explicit
    and decisive action from the recipient to decode mail, the danger of
    automatic malware propagation is largely reduced.


    ------------=_1481665263-23650-5
    Content-Type: message/delivery-status; name="dsn_status"
    Content-Disposition: inline; filename="dsn_status"
    Content-Transfer-Encoding: 7bit
    Content-Description: Delivery error report

    Reporting-MTA: dns; mail2.domain.ca
    Received-From-MTA: smtp; mail2.domain.ca ([127.0.0.1])
    Arrival-Date: Tue, 13 Dec 2016 16:41:03 -0500 (EST)

    Original-Recipient: rfc822;[email protected]
    Final-Recipient: rfc822;[email protected]
    Action: failed
    Status: 5.7.0
    Diagnostic-Code: smtp; 554-5.7.0 Bounce, id=23650-17 - BANNED:
    554 5.7.0 .asc,~_4Z5GIJ_~.wsf
    Last-Attempt-Date: Tue, 13 Dec 2016 16:41:03 -0500 (EST)
    Final-Log-ID: 23650-17/RSCqty4t5AAm

    ------------=_1481665263-23650-5
    Content-Type: text/rfc822-headers; name="header"
    Content-Disposition: inline; filename="header"
    Content-Transfer-Encoding: 7bit
    Content-Description: Message header section

    Return-Path: <[email protected]>
    Received: from miffy.domain.ca (miffy.domain.ca [216.xxx.xxx.xxx])
    (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mail2.domain.ca (Postfix) with ESMTPS id 3B3C5B000DF
    for <[email protected]>; Tue, 13 Dec 2016 16:41:03 -0500 (EST)
    Received: from static.vnpt.vn (unknown [14.169.90.25])
    by miffy.domain.ca (Postfix) with ESMTP id 5A6A44E30B0
    for <[email protected]>; Tue, 13 Dec 2016 16:41:01 -0500 (EST)
    From: "Alta Leach" <[email protected]>
    To: <[email protected]>
    Subject: Fixed invoices
    Date: Wed, 14 Dec 2016 04:40:58 +0700
    MIME-Version: 1.0
    Content-Type: multipart/related; boundary="943a9d68d22a25628bf94adab6c9a0be"
    Message-Id: <[email protected]>

    ------------=_1481665263-23650-5--
    *** HEADER EXTRACTED deferred/6/63576B000E2 ***
    *** MESSAGE FILE END deferred/6/63576B000E2 ***
     
  4. rob_morin

    rob_morin Member

    So what I did is change from D_BOUNCE to D_DISCARD in /etc/amavis/conf.d/50-user.

    Is this cool?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Sure, you can discard mails with viruses. The problem with that can just be when you have a false positive, e.g. company A sends an email with a Word document that is falsely detected as a virus to company B. When you discard the virus, company A will not get notified that their document never arrived; if you have business customers, this might cause trouble when e.g. business deals don't happen due to the lost email (without informing the sender).
     
  6. rob_morin

    rob_morin Member

    I did a quick count in the mail.log file: since midnight there have been 4650 emails banned due to viruses, and since I changed to discard 30 mins ago, 75 banned-content emails have been discarded rather than being stuck in the queue... :) Since we get so many, I think it's worth it....
    Thanks, till!
     