Bombarded with e-mails "Undelivered Return To Sender"

Discussion in 'General' started by DantePasquale, Feb 26, 2011.

  1. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Urgent help needed. My server is getting bombarded with e-mails with the subject "Undelivered Return To Sender".

    I checked for open relay and it comes back negative. Has my smtp auth been compromised?

    What is the recommended course of action for these when running ISPConfig 3.0.3 and Ubuntu 10.04-64???


    Here's one of the e-mails (viewed with Thunderbird):
    Code:
    Return-Path: <MAILER-DAEMON>
    Delivered-To: webadmin@cocoanet.us
    Received: by inferno.cocoanet.us (Postfix)
    	id C8F78F6751; Sat, 26 Feb 2011 09:54:22 -0500 (EST)
    Date: Sat, 26 Feb 2011 09:54:22 -0500 (EST)
    From: MAILER-DAEMON@inferno.cocoanet.us (Mail Delivery System)
    Subject: Undelivered Mail Returned to Sender
    To: webmaster@cocoanet.us
    Auto-Submitted: auto-replied
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
    	boundary="76FD4F675F.1298732062/inferno.cocoanet.us"
    Content-Transfer-Encoding: 8bit
    Message-Id: <20110226145422.C8F78F6751@inferno.cocoanet.us>
    
    This is a MIME-encapsulated message.
    
    --76FD4F675F.1298732062/inferno.cocoanet.us
    Content-Description: Notification
    Content-Type: text/plain; charset=us-ascii
    
    This is the mail system at host inferno.cocoanet.us.
    
    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.
    
    For further assistance, please send mail to postmaster.
    
    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.
    
                       The mail system
    
    <"teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig"@fsafood.com>:
        host inspector2.fsafood.com[206.221.20.97] said: 554 5.7.1
        <teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig@fsafood.com>:
        Relay access denied (in reply to RCPT TO command)
    
    --76FD4F675F.1298732062/inferno.cocoanet.us
    Content-Description: Delivery report
    Content-Type: message/delivery-status
    
    Reporting-MTA: dns; inferno.cocoanet.us
    X-Postfix-Queue-ID: 76FD4F675F
    X-Postfix-Sender: rfc822; webmaster@cocoanet.us
    Arrival-Date: Sat, 26 Feb 2011 09:54:20 -0500 (EST)
    
    Final-Recipient: rfc822; "teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig"@fsafood.com
    Original-Recipient: rfc822;"teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig"@fsafood.com
    Action: failed
    Status: 5.7.1
    Remote-MTA: dns; inspector2.fsafood.com
    Diagnostic-Code: smtp; 554 5.7.1
        <teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig@fsafood.com>:
        Relay access denied
    
    --76FD4F675F.1298732062/inferno.cocoanet.us
    Content-Description: Undelivered Message
    Content-Type: message/rfc822
    Content-Transfer-Encoding: 8bit
    
    Return-Path: <webmaster@cocoanet.us>
    Received: from localhost (inferno.cocoanet.us [127.0.0.1])
    	by inferno.cocoanet.us (Postfix) with ESMTP id 76FD4F675F;
    	Sat, 26 Feb 2011 09:54:20 -0500 (EST)
    X-Virus-Scanned: Debian amavisd-new at inferno.cocoanet.us
    X-Amavis-Alert: BAD HEADER SECTION, Improper use of control character (char 0D
    	hex): Message-ID: <6B0E5B538F21819EE718A5A0A2A6A477@www.cocoanet.us>\r
    Received: from inferno.cocoanet.us ([127.0.0.1])
    	by localhost (inferno.cocoanet.us [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id RlnvqP0nyvCt; Sat, 26 Feb 2011 09:54:20 -0500 (EST)
    Received: by inferno.cocoanet.us (Postfix, from userid 33)
    	id 64925F6761; Sat, 26 Feb 2011 09:54:20 -0500 (EST)
    To: lindayoo@comcast.net
    Subject: Health Women and Men {erection, weight loss}. +Discounts for big order!
    Message-ID: <6B0E5B538F21819EE718A5A0A2A6A477@www.cocoanet.us>
    From: <17739834187@www.cocoanet.us>
    To: <"teamropin@juno.com;jppotg@lantic.net;trevor_trevorpetford@yahoo.ca;yazzy_baby@live.com;joker.poker@blueyonder.co.uk;tranquility1015@aol.com;stanleyhalpern@aol.com;wallyolson1@aol.com;richhollenshead@aol.com;lvfreedman@comcast.net;vaneesa1@sbcglobal.net;lindayoo@comcast.net;tjwhitten@charter.net;elisebjax@aol.com;george.sandoval@usa.dupont.com;joe_blumenzweig"@fsafood.com>
    Subject: Health Women and Men {erection, weight loss}. +Discounts for big order!
    Date: Sat, 26 Feb 2011 09:54:17 -0500
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    	boundary="----=_NextPart_000_0064_5B925BDB.8DC1E69D"
    
    
    ------=_NextPart_000_0064_5B925BDB.8DC1E69D
    Content-Type: text/html;
    	charset="utf-8"
    Content-Transfer-Encoding: 8bit
    
    <HTML>
    <HEAD>
    <META http-equiv=Content-Type content="text/html; charset=utf-8">
    </HEAD>
    <BODY>
    <DIV align=center><font face="Arial, Helvetica, sans-serif" size=5 color=980001>Reputed pharmstore </font><!-- A x==qsU G.(
    CV   ZoJC(wzQ
    gBZ h .Y  NB=  Q)BR )UJ=C= lsEoI. KD X sxbcF.B
    a .cUkm F(lxT_
    blah, blah, blah...
    
    
    
    ------=_NextPart_000_0064_5B925BDB.8DC1E69D--
    
    
    --76FD4F675F.1298732062/inferno.cocoanet.us--
    
    
    
    Here's a slice of the mail log:
    Code:
    Feb 26 17:44:17 inferno postfix/smtp[11547]: 400AFF686F: to=, relay=gateway-f2.isp.att.net[207.115.11.16]:25, delay=14, delays=0.01/7.3/5.8/0.58, dsn=5.0.0, status=bounced (host gateway-f2.isp.att.net[207.115.11.16] said: 501 local part too long near "kingdomheartz0x@aol.com;bernwag@roadrunner.com;m (in reply to RCPT TO command))
    Feb 26 17:44:18 inferno postfix/smtp[11520]: B97F7F6880: to=, relay=gateway-f1.isp.att.net[204.127.217.16]:25, delay=13, delays=0.01/8.5/4.3/0.55, dsn=5.0.0, status=bounced (host gateway-f1.isp.att.net[204.127.217.16] said: 501 local part too long near "kingdomheartz0x@aol.com;bernwag@roadrunner.com;m (in reply to RCPT TO command))
    Feb 26 17:44:18 inferno postfix/smtp[11511]: 0EE34F684A: host mailin-02.mx.aol.com[205.188.155.110] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command)
    Feb 26 17:44:18 inferno postfix/smtp[11515]: C9BCFF6888: to=, relay=gateway-f2.isp.att.net[207.115.11.16]:25, conn_use=2, delay=8.6, delays=0.01/5.7/2.3/0.57, dsn=5.0.0, status=bounced (host gateway-f2.isp.att.net[207.115.11.16] said: 501 local part too long near "kingdomheartz0x@aol.com;bernwag@roadrunner.com;m (in reply to RCPT TO command))
    Feb 26 17:44:18 inferno postfix/smtp[11546]: 400AFF686F: host mailin-02.mx.aol.com[205.188.103.1] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command)
    Feb 26 17:44:18 inferno postfix/cleanup[11465]: CADD0F687C: message-id=<20110226224418.CADD0F687C@inferno.cocoanet.us>
    Feb 26 17:44:18 inferno postfix/bounce[11569]: C9BCFF6888: sender non-delivery notification: CADD0F687C
    Feb 26 17:44:18 inferno postfix/qmgr[4094]: CADD0F687C: from=<>, size=10725, nrcpt=1 (queue active)
    Feb 26 17:44:18 inferno postfix/qmgr[4094]: C9BCFF6888: removed
    Feb 26 17:44:18 inferno postfix/pipe[11548]: CADD0F687C: to=, orig_to=, relay=maildrop, delay=0.02, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via maildrop service)
    Feb 26 17:44:18 inferno postfix/qmgr[4094]: CADD0F687C: removed
    Feb 26 17:44:19 inferno postfix/smtp[11555]: D2084F6884: to=, relay=gateway-f1.isp.att.net[204.127.217.16]:25, delay=15, delays=0.01/8.5/6.3/0, dsn=4.0.0, status=deferred (host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 450 74.1.46.169 has too many connections ( 3 ) on frfwmxc08)
    Feb 26 17:44:19 inferno postfix/smtp[11555]: D2084F6884: to=, relay=gateway-f1.isp.att.net[204.127.217.16]:25, delay=15, delays=0.01/8.5/6.3/0, dsn=4.0.0, status=deferred (host gateway-f1.isp.att.net[204.127.217.16] refused to talk to me: 450 74.1.46.169 has too many connections ( 3 ) on frfwmxc08)
    Feb 26 17:44:20 inferno postfix/smtp[11523]: D2213F6845: to=, relay=mailin-03.mx.aol.com[64.12.137.169]:25, delay=16, delays=0.01/0.01/14/2.5, dsn=4.2.1, status=deferred (host mailin-03.mx.aol.com[64.12.137.169] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command))
    Feb 26 17:44:20 inferno postfix/cleanup[11465]: 118A5F6875: message-id=<20110226224420.118A5F6875@inferno.cocoanet.us>
    Feb 26 17:44:20 inferno postfix/bounce[11545]: D2213F6845: sender non-delivery notification: 118A5F6875
    Feb 26 17:44:20 inferno postfix/qmgr[4094]: 118A5F6875: from=<>, size=10720, nrcpt=1 (queue active)
    Feb 26 17:44:20 inferno postfix/pipe[11548]: 118A5F6875: to=, orig_to=, relay=maildrop, delay=0.02, delays=0/0/0/0.02, dsn=2.0.0, status=sent (delivered via maildrop service)
    Feb 26 17:44:20 inferno postfix/qmgr[4094]: 118A5F6875: removed
    Feb 26 17:44:22 inferno postfix/smtp[11546]: 400AFF686F: to=, relay=mailin-01.mx.aol.com[205.188.59.194]:25, delay=18, delays=0.01/7.2/8.4/2.6, dsn=4.2.1, status=deferred (host mailin-01.mx.aol.com[205.188.59.194] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command))
    Feb 26 17:44:22 inferno postfix/cleanup[11465]: 8B91DF6875: message-id=<20110226224422.8B91DF6875@inferno.cocoanet.us>
    Feb 26 17:44:22 inferno postfix/bounce[11569]: 400AFF686F: sender non-delivery notification: 8B91DF6875
    Feb 26 17:44:22 inferno postfix/qmgr[4094]: 8B91DF6875: from=<>, size=10725, nrcpt=1 (queue active)
    Feb 26 17:44:22 inferno postfix/pipe[11548]: 8B91DF6875: to=, orig_to=, relay=maildrop, delay=0.02, delays=0.01/0/0/0.02, dsn=2.0.0, status=sent (delivered via maildrop service)
    Feb 26 17:44:22 inferno postfix/qmgr[4094]: 8B91DF6875: removed
    Feb 26 17:44:22 inferno postfix/smtp[11511]: 0EE34F684A: to=, relay=mailin-04.mx.aol.com[205.188.103.2]:25, delay=19, delays=0.01/7.4/8.3/2.9, dsn=4.2.1, status=deferred (host mailin-04.mx.aol.com[205.188.103.2] said: 421 4.2.1 MSG=: (RLY:NW) http://postmaster.info.aol.com/errors/421rlynw.html (in reply to end of DATA command))
    Feb 26 17:44:22 inferno postfix/cleanup[11465]: C0B53F67E9: message-id=<20110226224422.C0B53F67E9@inferno.cocoanet.us>
    Feb 26 17:44:22 inferno postfix/bounce[11545]: 0EE34F684A: sender non-delivery notification: C0B53F67E9
    Feb 26 17:44:22 inferno postfix/qmgr[4094]: C0B53F67E9: from=<>, size=10719, nrcpt=1 (queue active)
    Feb 26 17:44:22 inferno postfix/pipe[11548]: C0B53F67E9: to=, orig_to=, relay=maildrop, delay=0.02, delays=0/0/0/0.01, dsn=2.0.0, status=sent (delivered via maildrop service)
    Feb 26 17:44:22 inferno postfix/qmgr[4094]: C0B53F67E9: removed
    Feb 26 17:44:26 inferno postfix/smtp[11540]: B97F7F6880: to=, relay=mx01.windstream.net[162.39.147.49]:25, delay=22, delays=0.01/0.01/7.4/14, dsn=2.0.0, status=sent (250 OK B6/F7-07924-C32896D4)
    Feb 26 17:44:26 inferno postfix/cleanup[11465]: 61566F67C6: message-id=<20110226224426.61566F67C6@inferno.cocoanet.us>
    Feb 26 17:44:26 inferno postfix/bounce[11569]: B97F7F6880: sender non-delivery notification: 61566F67C6
    Feb 26 17:44:26 inferno postfix/qmgr[4094]: 61566F67C6: from=<>, size=10726, nrcpt=1 (queue active)
    Feb 26 17:44:26 inferno postfix/qmgr[4094]: B97F7F6880: removed
    Feb 26 17:44:26 inferno postfix/pipe[11548]: 61566F67C6: to=, orig_to=, relay=maildrop, delay=0.02, delays=0.01/0/0/0.02, dsn=2.0.0, status=sent (delivered via maildrop service)
    Feb 26 17:44:26 inferno postfix/qmgr[4094]: 61566F67C6: removed
    Feb 26 17:45:02 inferno imapd: Connection, ip=[::1]
    Feb 26 17:45:02 inferno imapd: Disconnected, ip=[::1], time=0
    
     
  2. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Are you sure the mails really originated from your server? It is possible that spammers sent from another server, but used one of your domains, so that all bounces go to your server.

    Did you check if your server is blacklisted?
     
  3. DantePasquale

    DantePasquale Member HowtoForge Supporter

    Hi Falko, I'm pretty sure these didn't originate at my server. As far as I can tell from analyzing the logs, I think you are correct that some spammer is using one of my domains. I checked blacklist/greylist yesterday and the domain(s) I have are not blacklisted (yet).

    My immediate problem is how can I use a mail script to dump these as they are filling up my admin mailbox? I tried setting email blacklist with the IPs as sender and client filters, and that helped. Do you have any other ideas to try?

    Thanks, Danté
     
  4. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    There is not much that you can do against them as they do not come from your server. You can only make it easier to handle them by e.g. creating a filter in the mailbox that deletes these emails automatically. Normally such a problem ends after a few days.
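Falko's question (did these mails really originate on your server?) can be answered from the Received chain of the returned message: Postfix stamps `Received: by host (Postfix, from userid N)` on mail handed to it locally through sendmail(1), while mail accepted over SMTP gets a `Received: from ... [ip]` hop. The script below is an added example, not code from the thread; it unfolds the headers and reports which case the earliest hop shows, run on constructed samples modelled on the quoted message (example.net and 192.0.2.10 are placeholders).

```python
import re

# Constructed sample, modelled on the returned message quoted in the thread
# (hostnames and ids copied from it, other headers trimmed).
LOCAL_SAMPLE = (
    "Return-Path: <webmaster@cocoanet.us>\n"
    "Received: from localhost (inferno.cocoanet.us [127.0.0.1])\n"
    "\tby inferno.cocoanet.us (Postfix) with ESMTP id 76FD4F675F;\n"
    "\tSat, 26 Feb 2011 09:54:20 -0500 (EST)\n"
    "Received: by inferno.cocoanet.us (Postfix, from userid 33)\n"
    "\tid 64925F6761; Sat, 26 Feb 2011 09:54:20 -0500 (EST)\n"
    "To: lindayoo@comcast.net\n"
)
# Constructed sample of the backscatter case: the earliest hop is a foreign
# MTA (example.net / 192.0.2.10 are documentation placeholders).
REMOTE_SAMPLE = (
    "Return-Path: <webmaster@cocoanet.us>\n"
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "\tby inferno.cocoanet.us (Postfix) with ESMTP id 0000000000;\n"
    "\tSat, 26 Feb 2011 09:54:20 -0500 (EST)\n"
    "To: someone@example.org\n"
)

LOCAL_SUBMIT = re.compile(r"^Received: by (\S+) \(Postfix, from userid (\d+)\)")
SMTP_HOP = re.compile(r"^Received: from \S+ \((\S+) \[([0-9a-fA-F.:]+)\]\)")

def unfold_headers(raw):
    """Join continuation lines so each header is one string."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line:
            headers.append(line)
    return headers

def classify_origin(raw):
    """Inspect the earliest (last-listed) Received hop of a returned message
    and report whether it was injected locally or arrived over SMTP."""
    received = [h for h in unfold_headers(raw) if h.startswith("Received:")]
    if not received:
        return {"origin": "unknown"}
    first_hop = received[-1]          # Received headers are prepended, so last = earliest
    m = LOCAL_SUBMIT.match(first_hop)
    if m:                             # Postfix writes this form for sendmail(1) submissions
        return {"origin": "local-submission", "host": m.group(1), "uid": int(m.group(2))}
    m = SMTP_HOP.match(first_hop)
    if m:
        ip = m.group(2)
        kind = "local-smtp" if ip.startswith("127.") or ip == "::1" else "remote-smtp"
        return {"origin": kind, "host": m.group(1), "ip": ip}
    return {"origin": "unknown"}

if __name__ == "__main__":
    for name, sample in (("thread", LOCAL_SAMPLE), ("backscatter", REMOTE_SAMPLE)):
        print(name, classify_origin(sample))
```

A local-submission result points at a process on the server itself (uid 33 is the www-data account on Debian/Ubuntu), which is worth checking before concluding the mail came from elsewhere; a remote-smtp result on the returned message is the backscatter pattern Falko describes.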
     
