HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Bombarded with e-mails "Undelivered Return To Sender" (http://www.howtoforge.com/forums/showthread.php?t=51648)

DantePasquale 26th February 2011 23:55

Bombarded with e-mails "Undelivered Return To Sender"
 
Urgent help needed. My server is getting bombarded with e-mails with the subject "Undelivered Return To Sender".

I checked for open relay and it comes back negative. Has my smtp auth been compromised?

What is the recommended course of action for these when running ISPConfig 3.0.3 and Ubuntu 10.04-64???


Here's one of the e-mails (viewed with Thunderbird):
Code:

Return-Path: <MAILER-DAEMON>
Delivered-To: webadmin@cocoanet.us
Received: by inferno.cocoanet.us (Postfix)
        id C8F78F6751; Sat, 26 Feb 2011 09:54:22 -0500 (EST)
Date: Sat, 26 Feb 2011 09:54:22 -0500 (EST)
From: MAILER-DAEMON@inferno.cocoanet.us (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: webmaster@cocoanet.us
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="76FD4F675F.1298732062/inferno.cocoanet.us"
Content-Transfer-Encoding: 8bit
Message-Id: <20110226145422.C8F78F6751@inferno.cocoanet.us>

This is a MIME-encapsulated message.

--76FD4F675F.1298732062/inferno.cocoanet.us
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host inferno.cocoanet.us.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                  The mail system

<"teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig"@fsafood.com>:
    host inspector2.fsafood.com[206.221.20.97] said: 554 5.7.1
    <teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig@fsafood.com>:
    Relay access denied (in reply to RCPT TO command)

--76FD4F675F.1298732062/inferno.cocoanet.us
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; inferno.cocoanet.us
X-Postfix-Queue-ID: 76FD4F675F
X-Postfix-Sender: rfc822; webmaster@cocoanet.us
Arrival-Date: Sat, 26 Feb 2011 09:54:20 -0500 (EST)

Final-Recipient: rfc822; "teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig"@fsafood.com
Original-Recipient: rfc822;"teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig"@fsafood.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; inspector2.fsafood.com
Diagnostic-Code: smtp; 554 5.7.1
    <teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig@fsafood.com>:
    Relay access denied

--76FD4F675F.1298732062/inferno.cocoanet.us
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Return-Path: <webmaster@cocoanet.us>
Received: from localhost (inferno.cocoanet.us [127.0.0.1])
        by inferno.cocoanet.us (Postfix) with ESMTP id 76FD4F675F;
        Sat, 26 Feb 2011 09:54:20 -0500 (EST)
X-Virus-Scanned: Debian amavisd-new at inferno.cocoanet.us
X-Amavis-Alert: BAD HEADER SECTION, Improper use of control character (char 0D
        hex): Message-ID: <6B0E5B538F21819EE718A5A0A2A6A477@www.cocoanet.us>\r
Received: from inferno.cocoanet.us ([127.0.0.1])
        by localhost (inferno.cocoanet.us [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id RlnvqP0nyvCt; Sat, 26 Feb 2011 09:54:20 -0500 (EST)
Received: by inferno.cocoanet.us (Postfix, from userid 33)
        id 64925F6761; Sat, 26 Feb 2011 09:54:20 -0500 (EST)
To: lindayoo@comcast.net
Subject: Health Women and Men {erection, weight loss}. +Discounts for big order!
Message-ID: <6B0E5B538F21819EE718A5A0A2A6A477@www.cocoanet.us>
From: <17739834187@www.cocoanet.us>
To: <"teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig"@fsafood.com>
Subject: Health Women and Men {erection, weight loss}. +Discounts for big order!
Date: Sat, 26 Feb 2011 09:54:17 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0064_5B925BDB.8DC1E69D"


------=_NextPart_000_0064_5B925BDB.8DC1E69D
Content-Type: text/html;
        charset="utf-8"
Content-Transfer-Encoding: 8bit

<HTML>
<HEAD>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
</HEAD>
<BODY>
<DIV align=center><font face="Arial, Helvetica, sans-serif" size=5 color=980001>Reputed pharmstore </font><!-- A x==qsU G.(
CV  ZoJC(wzQ
gBZ h .Y  NB=  Q)BR )UJ=C= lsEoI. KD X sxbcF.B
a .cUkm F(lxT_
blah, blah, blah...



------=_NextPart_000_0064_5B925BDB.8DC1E69D--


--76FD4F675F.1298732062/inferno.cocoanet.us--

Here's a slice of the mail log:
Code:

Feb 26 17:44:17 inferno postfix/smtp[11547]: 400AFF686F: to=, relay=gateway-f2.isp.att.net[207.115.11.16]:25, delay=14, delays=0.01/7.3/5.8/0.58, dsn=5.0.0, status=bounced (host gateway-f2.isp.att.net[207.115.11.16] said: 501 local part too long near "kingdomheartz0x@aol.com;bernwag@roadrunner.com;m (in reply to RCPT TO command))
Feb 26 17:44:18 inferno postfix/smtp[11520]: B97F7F6880: to=, relay=gateway-f1.isp.att.net[204.127.217.16]:25, delay=13, delays=0.01/8.5/4.3/0.55, dsn=5.0.0, status=bounced (host gateway-f1.isp.att.net[204.127.217.16] said: 501 local part too long near "kingdomheartz0x@aol.com;bernwag@roadrunner.com;m (in reply to RCPT TO command))
Feb 26 17:44:18 inferno postfix/smtp[11511]: 0EE34F684A: host mailin-02.mx.aol.com[205.188.155.110] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command)
Feb 26 17:44:18 inferno postfix/smtp[11515]: C9BCFF6888: to=, relay=gateway-f2.isp.att.net[207.115.11.16]:25, conn_use=2, delay=8.6, delays=0.01/5.7/2.3/0.57, dsn=5.0.0, status=bounced (host gateway-f2.isp.att.net[207.115.11.16] said: 501 local part too long near "kingdomheartz0x@aol.com;bernwag@roadrunner.com;m (in reply to RCPT TO command))
Feb 26 17:44:18 inferno postfix/smtp[11546]: 400AFF686F: host mailin-02.mx.aol.com[205.188.103.1] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command)
Feb 26 17:44:18 inferno postfix/cleanup[11465]: CADD0F687C: message-id=<20110226224418.CADD0F687C@inferno.cocoanet.us>
Feb 26 17:44:18 inferno postfix/bounce[11569]: C9BCFF6888: sender non-delivery notification: CADD0F687C
Feb 26 17:44:18 inferno postfix/qmgr[4094]: CADD0F687C: from=<>, size=10725, nrcpt=1 (queue active)
Feb 26 17:44:18 inferno postfix/qmgr[4094]: C9BCFF6888: removed
Feb 26 17:44:18 inferno postfix/pipe[11548]: CADD0F687C: to=, orig_to=, relay=maildrop, delay=0.02, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via maildrop service)
Feb 26 17:44:18 inferno postfix/qmgr[4094]: CADD0F687C: removed
Feb 26 17:44:19 inferno postfix/smtp[11555]: D2084F6884: to=, relay=gateway-f1.isp.att.net[204.127.217.16]:25, delay=15, delays=0.01/8.5/6.3/0, dsn=4.0.0, status=deferred (host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 450 74.1.46.169 has too many connections ( 3 ) on frfwmxc08)
Feb 26 17:44:19 inferno postfix/smtp[11555]: D2084F6884: to=, relay=gateway-f1.isp.att.net[204.127.217.16]:25, delay=15, delays=0.01/8.5/6.3/0, dsn=4.0.0, status=deferred (host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 450 74.1.46.169 has too many connections ( 3 ) on frfwmxc08)
Feb 26 17:44:20 inferno postfix/smtp[11523]: D2213F6845: to=, relay=mailin-03.mx.aol.com[64.12.137.169]:25, delay=16, delays=0.01/0.01/14/2.5, dsn=4.2.1, status=deferred (host mailin-03.mx.aol.com[64.12.137.169] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command))
Feb 26 17:44:20 inferno postfix/cleanup[11465]: 118A5F6875: message-id=<20110226224420.118A5F6875@inferno.cocoanet.us>
Feb 26 17:44:20 inferno postfix/bounce[11545]: D2213F6845: sender non-delivery notification: 118A5F6875
Feb 26 17:44:20 inferno postfix/qmgr[4094]: 118A5F6875: from=<>, size=10720, nrcpt=1 (queue active)
Feb 26 17:44:20 inferno postfix/pipe[11548]: 118A5F6875: to=, orig_to=, relay=maildrop, delay=0.02, delays=0/0/0/0.02, dsn=2.0.0, status=sent (delivered via maildrop service)
Feb 26 17:44:20 inferno postfix/qmgr[4094]: 118A5F6875: removed
Feb 26 17:44:22 inferno postfix/smtp[11546]: 400AFF686F: to=, relay=mailin-01.mx.aol.com[205.188.59.194]:25, delay=18, delays=0.01/7.2/8.4/2.6, dsn=4.2.1, status=deferred (host mailin-01.mx.aol.com[205.188.59.194] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command))
Feb 26 17:44:22 inferno postfix/cleanup[11465]: 8B91DF6875: message-id=<20110226224422.8B91DF6875@inferno.cocoanet.us>
Feb 26 17:44:22 inferno postfix/bounce[11569]: 400AFF686F: sender non-delivery notification: 8B91DF6875
Feb 26 17:44:22 inferno postfix/qmgr[4094]: 8B91DF6875: from=<>, size=10725, nrcpt=1 (queue active)
Feb 26 17:44:22 inferno postfix/pipe[11548]: 8B91DF6875: to=, orig_to=, relay=maildrop, delay=0.02, delays=0.01/0/0/0.02, dsn=2.0.0, status=sent (delivered via maildrop service)
Feb 26 17:44:22 inferno postfix/qmgr[4094]: 8B91DF6875: removed
Feb 26 17:44:22 inferno postfix/smtp[11511]: 0EE34F684A: to=, relay=mailin-04.mx.aol.com[205.188.103.2]:25, delay=19, delays=0.01/7.4/8.3/2.9, dsn=4.2.1, status=deferred (host mailin-04.mx.aol.com[205.188.103.2] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command))
Feb 26 17:44:22 inferno postfix/cleanup[11465]: C0B53F67E9: message-id=<20110226224422.C0B53F67E9@inferno.cocoanet.us>
Feb 26 17:44:22 inferno postfix/bounce[11545]: 0EE34F684A: sender non-delivery notification: C0B53F67E9
Feb 26 17:44:22 inferno postfix/qmgr[4094]: C0B53F67E9: from=<>, size=10719, nrcpt=1 (queue active)
Feb 26 17:44:22 inferno postfix/pipe[11548]: C0B53F67E9: to=, orig_to=, relay=maildrop, delay=0.02, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via maildrop service)
Feb 26 17:44:22 inferno postfix/qmgr[4094]: C0B53F67E9: removed
Feb 26 17:44:26 inferno postfix/smtp[11540]: B97F7F6880: to=, relay=mx01.windstream.net[162.39.147.49]:25, delay=22, delays=0.01/0.01/7.4/14, dsn=2.0.0, status=sent (250 OK B6/F7-07924-C32896D4)
Feb 26 17:44:26 inferno postfix/cleanup[11465]: 61566F67C6: message-id=<20110226224426.61566F67C6@inferno.cocoanet.us>
Feb 26 17:44:26 inferno postfix/bounce[11569]: B97F7F6880: sender non-delivery notification: 61566F67C6
Feb 26 17:44:26 inferno postfix/qmgr[4094]: 61566F67C6: from=<>, size=10726, nrcpt=1 (queue active)
Feb 26 17:44:26 inferno postfix/qmgr[4094]: B97F7F6880: removed
Feb 26 17:44:26 inferno postfix/pipe[11548]: 61566F67C6: to=, orig_to=, relay=maildrop, delay=0.02, delays=0.01/0/0/0.02, dsn=2.0.0, status=sent (delivered via maildrop service)
Feb 26 17:44:26 inferno postfix/qmgr[4094]: 61566F67C6: removed
Feb 26 17:45:02 inferno imapd: Connection, ip=[::1]
Feb 26 17:45:02 inferno imapd: Disconnected, ip=[::1], time=0


falko 27th February 2011 20:56

Are you sure the mails really originated from your server? It is possible that spammers sent from another server, but used one of your domains, so that all bounces go to your server.

Did you check if your server is blacklisted?

DantePasquale 27th February 2011 21:22

Hi Falko, I'm pretty sure these didn't originate at my server. As far as I can tell from analyzing the logs, I think you are correct that some spammer is using one of my domains. I checked blacklist/greylist yesterday and the domain(s) I have are not blacklisted (yet).

My immediate problem is how can I use a mail script to dump these as they are filling up my admin mailbox? I tried setting email blacklist with the IPs as sender and client filters, and that helped. Do you have any other ideas to try?

Thanks, Danté

till 27th February 2011 23:13

There is not much that you can do against them as they do not come from your server. You can only make it easier to handle them by e.g. creating a filter in the mailbox that deletes these emails automatically. Normally such a problem ends after a few days.
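Added example (not part of the thread) that serves both falko's question above, whether the bounced mail really passed through the server, and till's suggested filter: it unwraps a multipart/report DSN like the one quoted in the first post and reads the Received chain of the returned message, so a delivery-time filter can discard only the bounces whose returned message never touched the host and keep genuine bounces for mail the server did send. A first hop of the form "by <host> (Postfix, from userid N)" means a local process running as that uid handed the mail to Postfix. Host names, ids and addresses in the samples are constructed placeholders.

```python
import email
import re
from email import policy

# Constructed DSN modelled on the bounce quoted above; hosts/ids are placeholders.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.example.net (Mail Delivery System)
Content-Type: multipart/report; report-type=delivery-status;
        boundary="B1/mx.example.net"

--B1/mx.example.net
Content-Type: message/rfc822

Received: by mx.example.net (Postfix, from userid 33) id ID-A; Sat, 26 Feb 2011 09:54:20 -0500
From: <17739834187@www.example.net>

body
--B1/mx.example.net--
"""

# Constructed original that never passed through our MTA: only its sender address is forged (backscatter).
FORGED = """\
Received: from [198.51.100.7] by mail.example.org (Postfix) with ESMTP id ID-B
Received: from [192.0.2.9] (HELO mx.example.net) by pc-12.example.com
From: webmaster@example.net

body
"""

def returned_message(msg):
    """Unwrap a multipart/report DSN to the original message it carries."""
    if msg.get_content_type() == "multipart/report":
        for part in msg.iter_parts():
            if part.get_content_type() == "message/rfc822":
                return part.get_payload(0)
    return msg  # not a DSN: classify the message itself

def classify(raw, our_host):
    """Tell from the Received chain where the (returned) message entered the mail system."""
    msg = returned_message(email.message_from_string(raw, policy=policy.default))
    # Each MTA prepends its own Received header, so the last one is the first hop.
    hops = [str(h) for h in msg.get_all("Received", [])]
    host = re.escape(our_host)
    m = re.search(r"by %s \(Postfix, from userid (\d+)\)" % host, hops[-1] if hops else "")
    if m:                            # handed to Postfix locally by a process with that uid
        return "local-submission uid=" + m.group(1)
    if any(re.search(r"\bby %s\b" % host, h) for h in hops):
        return "relayed-through-us"  # our MTA accepted it from some client
    return "forged-sender"           # never touched our host: a backscatter bounce
```

Only the "by <host>" clause counts: a spammer can put your host name in the HELO or "from" part of a Received line, as the second FORGED hop does, but not in the receiving MTA's own stamp.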

