#1
27th February 2011, 00:55
DantePasquale
Bombarded with e-mails "Undelivered Return To Sender"

Urgent help needed. My server is getting bombarded with e-mails with the subject "Undelivered Return To Sender".

I checked for open relay and it comes back negative. Has my smtp auth been compromised?

What is the recommended course of action for these when running ISPConfig 3.0.3 and Ubuntu 10.04-64???


Here's one of the e-mails (viewed with Thunderbird):
Code:
Return-Path: <MAILER-DAEMON>
Delivered-To: webadmin@cocoanet.us
Received: by inferno.cocoanet.us (Postfix)
	id C8F78F6751; Sat, 26 Feb 2011 09:54:22 -0500 (EST)
Date: Sat, 26 Feb 2011 09:54:22 -0500 (EST)
From: MAILER-DAEMON@inferno.cocoanet.us (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: webmaster@cocoanet.us
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
	boundary="76FD4F675F.1298732062/inferno.cocoanet.us"
Content-Transfer-Encoding: 8bit
Message-Id: <20110226145422.C8F78F6751@inferno.cocoanet.us>

This is a MIME-encapsulated message.

--76FD4F675F.1298732062/inferno.cocoanet.us
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host inferno.cocoanet.us.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<"teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig"@fsafood.com>:
    host inspector2.fsafood.com[206.221.20.97] said: 554 5.7.1
    <teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig@fsafood.com>:
    Relay access denied (in reply to RCPT TO command)

--76FD4F675F.1298732062/inferno.cocoanet.us
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; inferno.cocoanet.us
X-Postfix-Queue-ID: 76FD4F675F
X-Postfix-Sender: rfc822; webmaster@cocoanet.us
Arrival-Date: Sat, 26 Feb 2011 09:54:20 -0500 (EST)

Final-Recipient: rfc822; "teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig"@fsafood.com
Original-Recipient: rfc822;"teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig"@fsafood.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; inspector2.fsafood.com
Diagnostic-Code: smtp; 554 5.7.1
    <teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig@fsafood.com>:
    Relay access denied

--76FD4F675F.1298732062/inferno.cocoanet.us
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Return-Path: <webmaster@cocoanet.us>
Received: from localhost (inferno.cocoanet.us [127.0.0.1])
	by inferno.cocoanet.us (Postfix) with ESMTP id 76FD4F675F;
	Sat, 26 Feb 2011 09:54:20 -0500 (EST)
X-Virus-Scanned: Debian amavisd-new at inferno.cocoanet.us
X-Amavis-Alert: BAD HEADER SECTION, Improper use of control character (char 0D
	hex): Message-ID: <6B0E5B538F21819EE718A5A0A2A6A477@www.cocoanet.us>\r
Received: from inferno.cocoanet.us ([127.0.0.1])
	by localhost (inferno.cocoanet.us [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id RlnvqP0nyvCt; Sat, 26 Feb 2011 09:54:20 -0500 (EST)
Received: by inferno.cocoanet.us (Postfix, from userid 33)
	id 64925F6761; Sat, 26 Feb 2011 09:54:20 -0500 (EST)
To: lindayoo@comcast.net
Subject: Health Women and Men {erection, weight loss}. +Discounts for big order!
Message-ID: <6B0E5B538F21819EE718A5A0A2A6A477@www.cocoanet.us>
From: <17739834187@www.cocoanet.us>
To: <"teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig"@fsafood.com>
Subject: Health Women and Men {erection, weight loss}. +Discounts for big order!
Date: Sat, 26 Feb 2011 09:54:17 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0064_5B925BDB.8DC1E69D"


------=_NextPart_000_0064_5B925BDB.8DC1E69D
Content-Type: text/html;
	charset="utf-8"
Content-Transfer-Encoding: 8bit

<HTML>
<HEAD>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
</HEAD>
<BODY>
<DIV align=center><font face="Arial, Helvetica, sans-serif" size=5 color=980001>Reputed pharmstore </font><!-- A x==qsU G.(
CV   ZoJC(wzQ
gBZ h .Y  NB=  Q)BR )UJ=C= lsEoI. KD X sxbcF.B
a .cUkm F(lxT_
blah, blah, blah...



------=_NextPart_000_0064_5B925BDB.8DC1E69D--


--76FD4F675F.1298732062/inferno.cocoanet.us--
Here's a slice of the mail log:
Code:
Feb 26 17:44:17 inferno postfix/smtp[11547]: 400AFF686F: to=, relay=gateway-f2.isp.att.net[207.115.11.16]:25, delay=14, delays=0.01/7.3/5.8/0.58, dsn=5.0.0, status=bounced (host gateway-f2.isp.att.net[207.115.11.16] said: 501 local part too long near "kingdomheartz0x@aol.com;bernwag@roadrunner.com;m (in reply to RCPT TO command))
Feb 26 17:44:18 inferno postfix/smtp[11520]: B97F7F6880: to=, relay=gateway-f1.isp.att.net[204.127.217.16]:25, delay=13, delays=0.01/8.5/4.3/0.55, dsn=5.0.0, status=bounced (host gateway-f1.isp.att.net[204.127.217.16] said: 501 local part too long near "kingdomheartz0x@aol.com;bernwag@roadrunner.com;m (in reply to RCPT TO command))
Feb 26 17:44:18 inferno postfix/smtp[11511]: 0EE34F684A: host mailin-02.mx.aol.com[205.188.155.110] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command)
Feb 26 17:44:18 inferno postfix/smtp[11515]: C9BCFF6888: to=, relay=gateway-f2.isp.att.net[207.115.11.16]:25, conn_use=2, delay=8.6, delays=0.01/5.7/2.3/0.57, dsn=5.0.0, status=bounced (host gateway-f2.isp.att.net[207.115.11.16] said: 501 local part too long near "kingdomheartz0x@aol.com;bernwag@roadrunner.com;m (in reply to RCPT TO command))
Feb 26 17:44:18 inferno postfix/smtp[11546]: 400AFF686F: host mailin-02.mx.aol.com[205.188.103.1] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command)
Feb 26 17:44:18 inferno postfix/cleanup[11465]: CADD0F687C: message-id=<20110226224418.CADD0F687C@inferno.cocoanet.us>
Feb 26 17:44:18 inferno postfix/bounce[11569]: C9BCFF6888: sender non-delivery notification: CADD0F687C
Feb 26 17:44:18 inferno postfix/qmgr[4094]: CADD0F687C: from=<>, size=10725, nrcpt=1 (queue active)
Feb 26 17:44:18 inferno postfix/qmgr[4094]: C9BCFF6888: removed
Feb 26 17:44:18 inferno postfix/pipe[11548]: CADD0F687C: to=, orig_to=, relay=maildrop, delay=0.02, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via maildrop service)
Feb 26 17:44:18 inferno postfix/qmgr[4094]: CADD0F687C: removed
Feb 26 17:44:19 inferno postfix/smtp[11555]: D2084F6884: to=, relay=gateway-f1.isp.att.net[204.127.217.16]:25, delay=15, delays=0.01/8.5/6.3/0, dsn=4.0.0, status=deferred (host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 450 74.1.46.169 has too many connections ( 3 ) on frfwmxc08)
Feb 26 17:44:19 inferno postfix/smtp[11555]: D2084F6884: to=, relay=gateway-f1.isp.att.net[204.127.217.16]:25, delay=15, delays=0.01/8.5/6.3/0, dsn=4.0.0, status=deferred (host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 450 74.1.46.169 has too many connections ( 3 ) on frfwmxc08)
Feb 26 17:44:20 inferno postfix/smtp[11523]: D2213F6845: to=, relay=mailin-03.mx.aol.com[64.12.137.169]:25, delay=16, delays=0.01/0.01/14/2.5, dsn=4.2.1, status=deferred (host mailin-03.mx.aol.com[64.12.137.169] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command))
Feb 26 17:44:20 inferno postfix/cleanup[11465]: 118A5F6875: message-id=<20110226224420.118A5F6875@inferno.cocoanet.us>
Feb 26 17:44:20 inferno postfix/bounce[11545]: D2213F6845: sender non-delivery notification: 118A5F6875
Feb 26 17:44:20 inferno postfix/qmgr[4094]: 118A5F6875: from=<>, size=10720, nrcpt=1 (queue active)
Feb 26 17:44:20 inferno postfix/pipe[11548]: 118A5F6875: to=, orig_to=, relay=maildrop, delay=0.02, delays=0/0/0/0.02, dsn=2.0.0, status=sent (delivered via maildrop service)
Feb 26 17:44:20 inferno postfix/qmgr[4094]: 118A5F6875: removed
Feb 26 17:44:22 inferno postfix/smtp[11546]: 400AFF686F: to=, relay=mailin-01.mx.aol.com[205.188.59.194]:25, delay=18, delays=0.01/7.2/8.4/2.6, dsn=4.2.1, status=deferred (host mailin-01.mx.aol.com[205.188.59.194] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command))
Feb 26 17:44:22 inferno postfix/cleanup[11465]: 8B91DF6875: message-id=<20110226224422.8B91DF6875@inferno.cocoanet.us>
Feb 26 17:44:22 inferno postfix/bounce[11569]: 400AFF686F: sender non-delivery notification: 8B91DF6875
Feb 26 17:44:22 inferno postfix/qmgr[4094]: 8B91DF6875: from=<>, size=10725, nrcpt=1 (queue active)
Feb 26 17:44:22 inferno postfix/pipe[11548]: 8B91DF6875: to=, orig_to=, relay=maildrop, delay=0.02, delays=0.01/0/0/0.02, dsn=2.0.0, status=sent (delivered via maildrop service)
Feb 26 17:44:22 inferno postfix/qmgr[4094]: 8B91DF6875: removed
Feb 26 17:44:22 inferno postfix/smtp[11511]: 0EE34F684A: to=, relay=mailin-04.mx.aol.com[205.188.103.2]:25, delay=19, delays=0.01/7.4/8.3/2.9, dsn=4.2.1, status=deferred (host mailin-04.mx.aol.com[205.188.103.2] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command))
Feb 26 17:44:22 inferno postfix/cleanup[11465]: C0B53F67E9: message-id=<20110226224422.C0B53F67E9@inferno.cocoanet.us>
Feb 26 17:44:22 inferno postfix/bounce[11545]: 0EE34F684A: sender non-delivery notification: C0B53F67E9
Feb 26 17:44:22 inferno postfix/qmgr[4094]: C0B53F67E9: from=<>, size=10719, nrcpt=1 (queue active)
Feb 26 17:44:22 inferno postfix/pipe[11548]: C0B53F67E9: to=, orig_to=, relay=maildrop, delay=0.02, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via maildrop service)
Feb 26 17:44:22 inferno postfix/qmgr[4094]: C0B53F67E9: removed
Feb 26 17:44:26 inferno postfix/smtp[11540]: B97F7F6880: to=, relay=mx01.windstream.net[162.39.147.49]:25, delay=22, delays=0.01/0.01/7.4/14, dsn=2.0.0, status=sent (250 OK B6/F7-07924-C32896D4)
Feb 26 17:44:26 inferno postfix/cleanup[11465]: 61566F67C6: message-id=<20110226224426.61566F67C6@inferno.cocoanet.us>
Feb 26 17:44:26 inferno postfix/bounce[11569]: B97F7F6880: sender non-delivery notification: 61566F67C6
Feb 26 17:44:26 inferno postfix/qmgr[4094]: 61566F67C6: from=<>, size=10726, nrcpt=1 (queue active)
Feb 26 17:44:26 inferno postfix/qmgr[4094]: B97F7F6880: removed
Feb 26 17:44:26 inferno postfix/pipe[11548]: 61566F67C6: to=, orig_to=, relay=maildrop, delay=0.02, delays=0.01/0/0/0.02, dsn=2.0.0, status=sent (delivered via maildrop service)
Feb 26 17:44:26 inferno postfix/qmgr[4094]: 61566F67C6: removed
Feb 26 17:45:02 inferno imapd: Connection, ip=[::1]
Feb 26 17:45:02 inferno imapd: Disconnected, ip=[::1], time=0

#2
27th February 2011, 21:56
falko

Are you sure the mails really originated from your server? It is possible that spammers sent from another server, but used one of your domains, so that all bounces go to your server.

Did you check if your server is blacklisted?
__________________
Falko
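
One way to check from the Postfix log whether bounced mail was submitted on the server itself is to follow each queue ID that Postfix bounced back to the line where the message entered the queue. This is an added example, not part of the original thread; the log lines are constructed, and `classify_origins` and `locally_bounced` are hypothetical helper names.

```python
import re

# Constructed sample in Postfix syslog format (hosts, queue IDs and addresses
# are made up; these are not lines from the thread's log).
SAMPLE_LOG = """\
Feb 26 09:54:20 mx postfix/pickup[2101]: A1B2C3D4E5: uid=33 from=<www-data>
Feb 26 09:54:22 mx postfix/smtp[2150]: A1B2C3D4E5: to=<a@example.net>, relay=mx.example.net[192.0.2.10]:25, dsn=5.7.1, status=bounced (Relay access denied)
Feb 26 09:54:22 mx postfix/bounce[2151]: A1B2C3D4E5: sender non-delivery notification: F6A7B8C9D0
Feb 26 09:55:01 mx postfix/smtpd[2200]: 0C1D2E3F4A: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=info@example.org
Feb 26 09:55:03 mx postfix/smtp[2150]: 0C1D2E3F4A: to=<b@example.net>, relay=mx.example.net[192.0.2.10]:25, dsn=5.1.1, status=bounced (User unknown)
Feb 26 09:55:03 mx postfix/bounce[2151]: 0C1D2E3F4A: sender non-delivery notification: 1B2C3D4E5F
Feb 26 09:56:10 mx postfix/smtpd[2201]: 9E8D7C6B5A: client=mail.example.com[203.0.113.5]
Feb 26 09:56:10 mx postfix/qmgr[4094]: 9E8D7C6B5A: from=<>, size=10725, nrcpt=1 (queue active)
"""

# daemon name, queue ID, remainder of the log message
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")

def classify_origins(log_text):
    """Map queue ID -> how the message entered Postfix."""
    origins = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        # pickup = handed over locally (sendmail binary, web script, cron)
        if daemon == "pickup" and (u := re.match(r"uid=(\d+)", rest)):
            origins[qid] = f"local submission by uid {u.group(1)}"
        # smtpd = received over SMTP, with or without SMTP AUTH
        elif daemon == "smtpd" and (c := re.match(r"client=(\S+?)(?:,|$)", rest)):
            sasl = re.search(r"sasl_username=(\S+)", rest)
            origins[qid] = (f"SMTP AUTH as {sasl.group(1)} from {c.group(1)}"
                            if sasl else f"unauthenticated SMTP from {c.group(1)}")
    return origins

def locally_bounced(log_text):
    """Origins of the messages for which THIS server generated a bounce."""
    origins = classify_origins(log_text)
    out = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m and m.group(1) == "bounce" and "non-delivery notification" in m.group(3):
            out[m.group(2)] = origins.get(m.group(2), "origin not in this log slice")
    return out

if __name__ == "__main__":
    for qid, origin in locally_bounced(SAMPLE_LOG).items():
        print(qid, "->", origin)
```

A `pickup` line with `uid=33` is the log-side counterpart of a `Received: by ... (Postfix, from userid 33)` header like the one in the bounce quoted in post #1; on Debian and Ubuntu, uid 33 is the `www-data` account.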

#3
27th February 2011, 22:22
DantePasquale

Hi Falko, I'm pretty sure these didn't originate at my server. As far as I can tell from analyzing the logs, I think you are correct that some spammer is using one of my domains. I checked blacklist/greylist yesterday and the domain(s) I have are not blacklisted (yet).

My immediate problem is how can I use a mail script to dump these as they are filling up my admin mailbox? I tried setting email blacklist with the IPs as sender and client filters, and that helped. Do you have any other ideas to try?

Thanks, Danté

#4
28th February 2011, 00:13
till
There is not much that you can do against them as they do not come from your server. You can only make it easier to handle them by e.g. creating a filter in the mailbox that deletes these emails automatically. Normally such a problem ends after a few days.
__________________
Till Brehm