Bombarded with e-mails "Undelivered Return To Sender"

Discussion in 'General' started by DantePasquale, Feb 26, 2011.

  1. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Urgent help needed. My server is getting bombarded with e-mails with the subject "Undelivered Return To Sender".

    I checked for open relay and it comes back negative. Has my smtp auth been compromised?

    What is the recommended course of action for these when running ISPConfig 3.0.3 and Ubuntu 10.04-64???


    Here's one of the e-mails (viewed with Thunderbird):
    Code:
    Return-Path: <MAILER-DAEMON>
    Delivered-To: [email protected]
    Received: by inferno.cocoanet.us (Postfix)
    	id C8F78F6751; Sat, 26 Feb 2011 09:54:22 -0500 (EST)
    Date: Sat, 26 Feb 2011 09:54:22 -0500 (EST)
    From: [email protected] (Mail Delivery System)
    Subject: Undelivered Mail Returned to Sender
    To: [email protected]
    Auto-Submitted: auto-replied
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
    	boundary="76FD4F675F.1298732062/inferno.cocoanet.us"
    Content-Transfer-Encoding: 8bit
    Message-Id: <[email protected]>
    
    This is a MIME-encapsulated message.
    
    --76FD4F675F.1298732062/inferno.cocoanet.us
    Content-Description: Notification
    Content-Type: text/plain; charset=us-ascii
    
    This is the mail system at host inferno.cocoanet.us.
    
    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.
    
    For further assistance, please send mail to postmaster.
    
    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.
    
                       The mail system
    
    <"[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];joe_blumenzweig"@fsafood.com>:
        host inspector2.fsafood.com[206.221.20.97] said: 554 5.7.1
        <[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected]>:
        Relay access denied (in reply to RCPT TO command)
    
    --76FD4F675F.1298732062/inferno.cocoanet.us
    Content-Description: Delivery report
    Content-Type: message/delivery-status
    
    Reporting-MTA: dns; inferno.cocoanet.us
    X-Postfix-Queue-ID: 76FD4F675F
    X-Postfix-Sender: rfc822; [email protected]
    Arrival-Date: Sat, 26 Feb 2011 09:54:20 -0500 (EST)
    
    Final-Recipient: rfc822; "[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];joe_blumenzweig"@fsafood.com
    Original-Recipient: rfc822;"[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];joe_blumenzweig"@fsafood.com
    Action: failed
    Status: 5.7.1
    Remote-MTA: dns; inspector2.fsafood.com
    Diagnostic-Code: smtp; 554 5.7.1
        <[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected]>:
        Relay access denied
    
    --76FD4F675F.1298732062/inferno.cocoanet.us
    Content-Description: Undelivered Message
    Content-Type: message/rfc822
    Content-Transfer-Encoding: 8bit
    
    Return-Path: <[email protected]>
    Received: from localhost (inferno.cocoanet.us [127.0.0.1])
    	by inferno.cocoanet.us (Postfix) with ESMTP id 76FD4F675F;
    	Sat, 26 Feb 2011 09:54:20 -0500 (EST)
    X-Virus-Scanned: Debian amavisd-new at inferno.cocoanet.us
    X-Amavis-Alert: BAD HEADER SECTION, Improper use of control character (char 0D
    	hex): Message-ID: <[email protected]>\r
    Received: from inferno.cocoanet.us ([127.0.0.1])
    	by localhost (inferno.cocoanet.us [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id RlnvqP0nyvCt; Sat, 26 Feb 2011 09:54:20 -0500 (EST)
    Received: by inferno.cocoanet.us (Postfix, from userid 33)
    	id 64925F6761; Sat, 26 Feb 2011 09:54:20 -0500 (EST)
    To: [email protected]
    Subject: Health Women and Men {erection, weight loss}. +Discounts for big order!
    Message-ID: <[email protected]>
    From: <[email protected]>
    To: <"[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];[email protected];joe_blumenzweig"@fsafood.com>
    Subject: Health Women and Men {erection, weight loss}. +Discounts for big order!
    Date: Sat, 26 Feb 2011 09:54:17 -0500
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    	boundary="----=_NextPart_000_0064_5B925BDB.8DC1E69D"
    
    
    ------=_NextPart_000_0064_5B925BDB.8DC1E69D
    Content-Type: text/html;
    	charset="utf-8"
    Content-Transfer-Encoding: 8bit
    
    <HTML>
    <HEAD>
    <META http-equiv=Content-Type content="text/html; charset=utf-8">
    </HEAD>
    <BODY>
    <DIV align=center><font face="Arial, Helvetica, sans-serif" size=5 color=980001>Reputed pharmstore </font><!-- A x==qsU G.(
    CV   ZoJC(wzQ
    gBZ h .Y  NB=  Q)BR )UJ=C= lsEoI. KD X sxbcF.B
    a .cUkm F(lxT_
    blah, blah, blah...
    
    
    
    ------=_NextPart_000_0064_5B925BDB.8DC1E69D--
    
    
    --76FD4F675F.1298732062/inferno.cocoanet.us--
    
    
    
    Here's a slice of the mail log:
    Code:
    Feb 26 17:44:17 inferno postfix/smtp[11547]: 400AFF686F: to=, relay=gateway-f2.isp.att.net[207.115.11.16]:25, delay=14, delays=0.01/7.3/5.8/0.58, dsn=5.0.0, status=bounced (host gateway-f2.isp.att.net[207.115.11.16] said: 501 local part too long near "[email protected];[email protected];m (in reply to RCPT TO command))
    Feb 26 17:44:18 inferno postfix/smtp[11520]: B97F7F6880: to=, relay=gateway-f1.isp.att.net[204.127.217.16]:25, delay=13, delays=0.01/8.5/4.3/0.55, dsn=5.0.0, status=bounced (host gateway-f1.isp.att.net[204.127.217.16] said: 501 local part too long near "[email protected];[email protected];m (in reply to RCPT TO command))
    Feb 26 17:44:18 inferno postfix/smtp[11511]: 0EE34F684A: host mailin-02.mx.aol.com[205.188.155.110] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command)
    Feb 26 17:44:18 inferno postfix/smtp[11515]: C9BCFF6888: to=, relay=gateway-f2.isp.att.net[207.115.11.16]:25, conn_use=2, delay=8.6, delays=0.01/5.7/2.3/0.57, dsn=5.0.0, status=bounced (host gateway-f2.isp.att.net[207.115.11.16] said: 501 local part too long near "[email protected];[email protected];m (in reply to RCPT TO command))
    Feb 26 17:44:18 inferno postfix/smtp[11546]: 400AFF686F: host mailin-02.mx.aol.com[205.188.103.1] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command)
    Feb 26 17:44:18 inferno postfix/cleanup[11465]: CADD0F687C: message-id=<[email protected]>
    Feb 26 17:44:18 inferno postfix/bounce[11569]: C9BCFF6888: sender non-delivery notification: CADD0F687C
    Feb 26 17:44:18 inferno postfix/qmgr[4094]: CADD0F687C: from=<>, size=10725, nrcpt=1 (queue active)
    Feb 26 17:44:18 inferno postfix/qmgr[4094]: C9BCFF6888: removed
    Feb 26 17:44:18 inferno postfix/pipe[11548]: CADD0F687C: to=, orig_to=, relay=maildrop, delay=0.02, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via maildrop service)
    Feb 26 17:44:18 inferno postfix/qmgr[4094]: CADD0F687C: removed
    Feb 26 17:44:19 inferno postfix/smtp[11555]: D2084F6884: to=, relay=gateway-f1.isp.att.net[204.127.217.16]:25, delay=15, delays=0.01/8.5/6.3/0, dsn=4.0.0, status=deferred (host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 450 74.1.46.169 has too many connections ( 3 ) on frfwmxc08)
    Feb 26 17:44:19 inferno postfix/smtp[11555]: D2084F6884: to=, relay=gateway-f1.isp.att.net[204.127.217.16]:25, delay=15, delays=0.01/8.5/6.3/0, dsn=4.0.0, status=deferred (host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 450 74.1.46.169 has too many connections ( 3 ) on frfwmxc08)
    Feb 26 17:44:20 inferno postfix/smtp[11523]: D2213F6845: to=, relay=mailin-03.mx.aol.com[64.12.137.169]:25, delay=16, delays=0.01/0.01/14/2.5, dsn=4.2.1, status=deferred (host mailin-03.mx.aol.com[64.12.137.169] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command))
    Feb 26 17:44:20 inferno postfix/cleanup[11465]: 118A5F6875: message-id=<[email protected]>
    Feb 26 17:44:20 inferno postfix/bounce[11545]: D2213F6845: sender non-delivery notification: 118A5F6875
    Feb 26 17:44:20 inferno postfix/qmgr[4094]: 118A5F6875: from=<>, size=10720, nrcpt=1 (queue active)
    Feb 26 17:44:20 inferno postfix/pipe[11548]: 118A5F6875: to=, orig_to=, relay=maildrop, delay=0.02, delays=0/0/0/0.02, dsn=2.0.0, status=sent (delivered via maildrop service)
    Feb 26 17:44:20 inferno postfix/qmgr[4094]: 118A5F6875: removed
    Feb 26 17:44:22 inferno postfix/smtp[11546]: 400AFF686F: to=, relay=mailin-01.mx.aol.com[205.188.59.194]:25, delay=18, delays=0.01/7.2/8.4/2.6, dsn=4.2.1, status=deferred (host mailin-01.mx.aol.com[205.188.59.194] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command))
    Feb 26 17:44:22 inferno postfix/cleanup[11465]: 8B91DF6875: message-id=<[email protected]>
    Feb 26 17:44:22 inferno postfix/bounce[11569]: 400AFF686F: sender non-delivery notification: 8B91DF6875
    Feb 26 17:44:22 inferno postfix/qmgr[4094]: 8B91DF6875: from=<>, size=10725, nrcpt=1 (queue active)
    Feb 26 17:44:22 inferno postfix/pipe[11548]: 8B91DF6875: to=, orig_to=, relay=maildrop, delay=0.02, delays=0.01/0/0/0.02, dsn=2.0.0, status=sent (delivered via maildrop service)
    Feb 26 17:44:22 inferno postfix/qmgr[4094]: 8B91DF6875: removed
    Feb 26 17:44:22 inferno postfix/smtp[11511]: 0EE34F684A: to=, relay=mailin-04.mx.aol.com[205.188.103.2]:25, delay=19, delays=0.01/7.4/8.3/2.9, dsn=4.2.1, status=deferred (host mailin-04.mx.aol.com[205.188.103.2] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command))
    Feb 26 17:44:22 inferno postfix/cleanup[11465]: C0B53F67E9: message-id=<[email protected]>
    Feb 26 17:44:22 inferno postfix/bounce[11545]: 0EE34F684A: sender non-delivery notification: C0B53F67E9
    Feb 26 17:44:22 inferno postfix/qmgr[4094]: C0B53F67E9: from=<>, size=10719, nrcpt=1 (queue active)
    Feb 26 17:44:22 inferno postfix/pipe[11548]: C0B53F67E9: to=, orig_to=, relay=maildrop, delay=0.02, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via maildrop service)
    Feb 26 17:44:22 inferno postfix/qmgr[4094]: C0B53F67E9: removed
    Feb 26 17:44:26 inferno postfix/smtp[11540]: B97F7F6880: to=, relay=mx01.windstream.net[162.39.147.49]:25, delay=22, delays=0.01/0.01/7.4/14, dsn=2.0.0, status=sent (250 OK B6/F7-07924-C32896D4)
    Feb 26 17:44:26 inferno postfix/cleanup[11465]: 61566F67C6: message-id=<[email protected]>
    Feb 26 17:44:26 inferno postfix/bounce[11569]: B97F7F6880: sender non-delivery notification: 61566F67C6
    Feb 26 17:44:26 inferno postfix/qmgr[4094]: 61566F67C6: from=<>, size=10726, nrcpt=1 (queue active)
    Feb 26 17:44:26 inferno postfix/qmgr[4094]: B97F7F6880: removed
    Feb 26 17:44:26 inferno postfix/pipe[11548]: 61566F67C6: to=, orig_to=, relay=maildrop, delay=0.02, delays=0.01/0/0/0.02, dsn=2.0.0, status=sent (delivered via maildrop service)
    Feb 26 17:44:26 inferno postfix/qmgr[4094]: 61566F67C6: removed
    Feb 26 17:45:02 inferno imapd: Connection, ip=[::1]
    Feb 26 17:45:02 inferno imapd: Disconnected, ip=[::1], time=0
    
     
  2. falko

    falko Super Moderator Howtoforge Staff

    Are you sure the mails really originated from your server? It is possible that spammers sent from another server, but used one of your domains, so that all bounces go to your server.

    Did you check if your server is blacklisted?
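    Falko's question can be answered from the bounce itself. The returned message (the message/rfc822 part of the DSN) still carries the Received headers that Postfix added when it first accepted it, and the earliest of them says how it entered the server: `Received: from client (...) by host (Postfix) with ESMTP` means it arrived over SMTP from the named client, whereas `Received: by host (Postfix, from userid N)` means it was handed to the local sendmail command by a process running as uid N (on Debian and Ubuntu, uid 33 is www-data). The script below is an added example, not code from this thread or from ISPConfig; it parses a constructed DSN modelled on the one posted (hostnames, addresses and queue ids are made up) and reports the delivery-status fields together with the origin of the undeliverable message.

```python
"""Classify a Postfix bounce (DSN) and report whether the undeliverable
message was injected locally or received over SMTP from a remote client."""
import email
import re

# Written by Postfix's pickup/sendmail path for a locally submitted message.
LOCAL_SUBMISSION = re.compile(r"by\s+(\S+)\s+\(Postfix,\s+from\s+userid\s+(\d+)\)")
# Written by smtpd for a message accepted over SMTP: "from helo (rdns [ip]) by host".
SMTP_RECEIVED = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")
IP_IN_BRACKETS = re.compile(r"\[([^\]]+)\]")


def _flat(value):
    """Unfold a header value into a single line."""
    return re.sub(r"\s+", " ", value or "").strip()


def find_part(msg, content_type):
    """First MIME part of the given type, or None."""
    for part in msg.walk():
        if part.get_content_type() == content_type:
            return part
    return None


def is_dsn(msg):
    """Postfix bounces are multipart/report delivery-status, auto-replied."""
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status"
            and _flat(msg.get("Auto-Submitted")).lower().startswith("auto-replied"))


def delivery_status(msg):
    """Collect the per-recipient fields of the message/delivery-status part."""
    fields = {}
    ds = find_part(msg, "message/delivery-status")
    if ds is None:
        return fields
    # The stdlib parser represents each header block as a nested Message.
    for block in ds.get_payload():
        for key in ("Action", "Status", "Remote-MTA", "Diagnostic-Code"):
            if block.get(key):
                fields[key] = _flat(block[key])
    return fields


def submission_path(original):
    """Walk the Received headers from the earliest (last listed) upwards and
    report how the message first entered the MTA."""
    hops = [_flat(h) for h in original.get_all("Received", [])]
    for hop in reversed(hops):
        m = LOCAL_SUBMISSION.search(hop)
        if m:
            return {"origin": "local", "host": m.group(1), "uid": int(m.group(2))}
        m = SMTP_RECEIVED.search(hop)
        if m:
            ip = IP_IN_BRACKETS.search(m.group(2))
            return {"origin": "remote", "client": m.group(1),
                    "ip": ip.group(1) if ip else None, "host": m.group(3)}
    return {"origin": "unknown"}


def classify_bounce(raw):
    """Describe a raw DSN: status fields plus the origin of the bounced message."""
    msg = email.message_from_string(raw)
    result = {"is_dsn": is_dsn(msg)}
    if not result["is_dsn"]:
        return result
    result.update(delivery_status(msg))
    rfc822 = find_part(msg, "message/rfc822")
    if rfc822 is not None:
        original = rfc822.get_payload()[0]   # the encapsulated message
        result["original_subject"] = _flat(original.get("Subject"))
        result["submission"] = submission_path(original)
    return result


# Constructed DSN modelled on the one posted; all names and ids are made up.
SAMPLE_DSN = """\
Return-Path: <MAILER-DAEMON>
Delivered-To: admin@example.net
From: MAILER-DAEMON@mail.example.net (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: sales@example.net
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="AAAA0002.1298732062/mail.example.net"

This is a MIME-encapsulated message.

--AAAA0002.1298732062/mail.example.net
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mail.example.net.

--AAAA0002.1298732062/mail.example.net
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net
X-Postfix-Queue-ID: AAAA0002

Final-Recipient: rfc822; victim@mx.example.org
Action: failed
Status: 5.7.1
Remote-MTA: dns; mx.example.org
Diagnostic-Code: smtp; 554 5.7.1 <victim@mx.example.org>:
    Relay access denied

--AAAA0002.1298732062/mail.example.net
Content-Description: Undelivered Message
Content-Type: message/rfc822

Return-Path: <sales@example.net>
Received: from localhost (mail.example.net [127.0.0.1])
    by mail.example.net (Postfix) with ESMTP id AAAA0002;
    Sat, 26 Feb 2011 09:54:20 -0500 (EST)
Received: from mail.example.net ([127.0.0.1])
    by localhost (mail.example.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id AAAA0003; Sat, 26 Feb 2011 09:54:20 -0500 (EST)
Received: by mail.example.net (Postfix, from userid 33)
    id AAAA0004; Sat, 26 Feb 2011 09:54:20 -0500 (EST)
From: <sales@example.net>
To: <victim@mx.example.org>
Subject: constructed spam subject
Date: Sat, 26 Feb 2011 09:54:17 -0500

constructed body

--AAAA0002.1298732062/mail.example.net--
"""

if __name__ == "__main__":
    print(classify_bounce(SAMPLE_DSN))
```

    Run `classify_bounce` over the DSNs in the admin mailbox (`mailbox.Maildir` from the standard library iterates them) and tally the `submission` values: a run of `remote` origins with outside client IPs is the forged-sender backscatter Falko describes, while `local` origins name a uid that `getent passwd <uid>` maps to the account that handed the message to Postfix.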
     
  3. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Hi Falko, I'm pretty sure these didn't originate at my server. As far as I can tell from analyzing the logs, I think you are correct that some spammer is using one of my domains. I checked blacklist/greylist yesterday and the domain(s) I have are not blacklisted (yet).

    My immediate problem is how can I use a mail script to dump these as they are filling up my admin mailbox? I tried setting email blacklist with the IPs as sender and client filters, and that helped. Do you have any other ideas to try?

    Thanks, Danté
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    There is not much that you can do against them as they do not come from your server. You can only make it easier to handle them by e.g. creating a filter in the mailbox that deletes these emails automatically. Normally such a problem ends after a few days.
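    Whether a mailbox filter is enough depends on the volume, and the log slice posted above already contains the numbers: each rejected outbound attempt is followed by a `postfix/bounce ... sender non-delivery notification` line, the resulting DSN enters the queue with `from=<>`, and `postfix/pipe` then delivers it via maildrop to the admin mailbox, with `orig_to=` naming the local address whose name was forged. The script below is an added example, not from this thread or from ISPConfig; it joins those lines by queue id over a few constructed log lines (hostnames, addresses and queue ids are made up, and queue ids are assumed to be Postfix's classic uppercase-hex form) and reports the bounce rate, the remote reply codes, and which local addresses are being used as senders.

```python
"""Size up a Postfix backscatter flood from the mail log."""
import re
from collections import Counter
from datetime import datetime

# Syslog prefix as written by Postfix; the optional queue id is assumed to be
# the classic short (uppercase hex) form, as in the thread's log.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>\w+)\[(?P<pid>\d+)\]: (?:(?P<qid>[0-9A-F]{6,}): )?(?P<text>.*)$")
STATUS = re.compile(r"\bstatus=(\w+)")
REMOTE_CODE = re.compile(r"(?:said|refused to talk to me): (\d{3})")
TO = re.compile(r"\bto=<([^>]*)>")
ORIG_TO = re.compile(r"\borig_to=<([^>]*)>")


def parse_line(line):
    """Split one syslog line into its Postfix fields, or None if not Postfix."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    return rec


def summarize(lines):
    """Tie outbound attempts, generated DSNs and local DSN deliveries together."""
    out = {"outbound": Counter(), "remote_codes": Counter(), "dsn_created": 0,
           "dsn_delivered_to": Counter(), "forged_senders": Counter()}
    null_sender = set()          # queue ids of messages with an empty envelope sender
    first = last = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        first = rec["ts"] if first is None or rec["ts"] < first else first
        last = rec["ts"] if last is None or rec["ts"] > last else last
        prog, qid, text = rec["prog"], rec["qid"], rec["text"]
        if prog == "smtp":
            s = STATUS.search(text)
            if s:
                out["outbound"][s.group(1)] += 1
            c = REMOTE_CODE.search(text)
            if c:
                out["remote_codes"][c.group(1)] += 1
        elif prog == "bounce" and "non-delivery notification" in text:
            out["dsn_created"] += 1
        elif prog == "qmgr" and text.startswith("from=<>"):
            null_sender.add(qid)
        elif prog in ("pipe", "local", "virtual") and qid in null_sender:
            # A null-sender message delivered locally is a DSN landing in a mailbox;
            # orig_to= is the local address the DSN was addressed to, i.e. the
            # envelope sender the spammer forged.
            t = TO.search(text)
            if t:
                out["dsn_delivered_to"][t.group(1)] += 1
            o = ORIG_TO.search(text)
            if o:
                out["forged_senders"][o.group(1)] += 1
    span = (last - first).total_seconds() if first and last else 0
    out["dsn_per_minute"] = (out["dsn_created"] / (span / 60)) if span else float(out["dsn_created"])
    return out


# Constructed log lines modelled on the posted slice; names and ids are made up.
SAMPLE_LOG = """\
Feb 26 17:44:17 mx postfix/smtp[11547]: AAAA0001: to=<a@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=14, delays=0.01/7.3/5.8/0.58, dsn=5.0.0, status=bounced (host mx.example.org[192.0.2.10] said: 501 local part too long near "a@example.org;b@example.org;c" (in reply to RCPT TO command))
Feb 26 17:44:18 mx postfix/bounce[11569]: AAAA0001: sender non-delivery notification: BBBB0001
Feb 26 17:44:18 mx postfix/qmgr[4094]: BBBB0001: from=<>, size=10725, nrcpt=1 (queue active)
Feb 26 17:44:18 mx postfix/qmgr[4094]: AAAA0001: removed
Feb 26 17:44:18 mx postfix/pipe[11548]: BBBB0001: to=<admin@example.net>, orig_to=<sales@example.net>, relay=maildrop, delay=0.02, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via maildrop service)
Feb 26 17:44:18 mx postfix/qmgr[4094]: BBBB0001: removed
Feb 26 17:44:20 mx postfix/smtp[11523]: AAAA0002: to=<b@example.com>, relay=mx.example.com[192.0.2.20]:25, delay=16, delays=0.01/0.01/14/2.5, dsn=4.2.1, status=deferred (host mx.example.com[192.0.2.20] said: 421 4.2.1 too many messages (in reply to end of DATA command))
Feb 26 17:44:19 mx postfix/smtp[11555]: AAAA0003: to=<c@example.com>, relay=mx.example.com[192.0.2.20]:25, delay=15, delays=0.01/8.5/6.3/0, dsn=4.0.0, status=deferred (host mx.example.com[192.0.2.20] refused to talk to me: 450 192.0.2.1 has too many connections)
Feb 26 17:45:17 mx postfix/smtp[11540]: AAAA0004: to=<d@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=22, delays=0.01/0.01/7.4/14, dsn=5.0.0, status=bounced (host mx.example.org[192.0.2.10] said: 501 local part too long near "d@example.org;e" (in reply to RCPT TO command))
Feb 26 17:45:17 mx postfix/bounce[11569]: AAAA0004: sender non-delivery notification: BBBB0002
Feb 26 17:45:17 mx postfix/qmgr[4094]: BBBB0002: from=<>, size=10726, nrcpt=1 (queue active)
Feb 26 17:45:17 mx postfix/pipe[11548]: BBBB0002: to=<admin@example.net>, orig_to=<info@example.net>, relay=maildrop, delay=0.02, delays=0.01/0/0/0.02, dsn=2.0.0, status=sent (delivered via maildrop service)
Feb 26 17:45:17 mx postfix/qmgr[4094]: BBBB0002: removed
Feb 26 17:45:17 mx imapd: Connection, ip=[::1]
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

    Run it over `/var/log/mail.log` (`summarize(open(path))`) to see how many DSNs per minute the mailbox filter Till suggests will have to absorb and which of your addresses the spammer is forging; the `forged_senders` list is also what you would put into a maildrop or sieve rule if you want to drop only the DSNs addressed to those accounts rather than every bounce.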
     
