Spam problem from non-existent addresses

Discussion in 'ISPConfig 3 Priority Support' started by etruel, Jul 2, 2016.

  1. etruel

    etruel New Member HowtoForge Supporter

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Please post the log part that shows all actions for such a received email. The problem with grepping is that it shows just the line which contains this email address, but not the lines that show how it got delivered to your server.

    And the problem is that you receive these emails, and not that others receive these emails, right?
     
  3. etruel

    etruel New Member HowtoForge Supporter

    Hi Till,
    thanks for this.
    In addition to posting the log, I am also attaching an email that is returned to the sender (me or the "Catch all" address).
    Log (I've cut 2 minutes of the log file containing the email I paste below, and just replaced some real e-mail addresses):
    Jun 29 05:41:45 ns1 postfix/smtpd[3047]: connect from mail-pa0-f68.google.com[209.85.220.68]
    Jun 29 05:42:05 ns1 postfix/smtpd[3047]: warning: 68.220.85.209.dnsbl.njabl.org: RBL lookup error: Host or domain name not found. Name service error for name=68.220.85.209.dnsbl.njabl.org type=A: Host not found, try again
    Jun 29 05:42:05 ns1 postfix/smtpd[3047]: DE0AE1A81711: client=mail-pa0-f68.google.com[209.85.220.68]
    Jun 29 05:42:05 ns1 postfix/cleanup[3082]: DE0AE1A81711: message-id=<[email protected]>
    Jun 29 05:42:06 ns1 postfix/qmgr[11940]: DE0AE1A81711: from=<>, size=5290, nrcpt=1 (queue active)
    Jun 29 05:42:06 ns1 postfix/smtpd[3047]: disconnect from mail-pa0-f68.google.com[209.85.220.68]
    Jun 29 05:42:06 ns1 amavis[29263]: (29263-05) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Connection refused
    Jun 29 05:42:07 ns1 amavis[29263]: (29263-05) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Connection refused
    Jun 29 05:42:07 ns1 amavis[29263]: (29263-05) (!)ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamav/clamd.ctl, retrying (2)
    Jun 29 05:42:13 ns1 amavis[29263]: (29263-05) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Connection refused
    Jun 29 05:42:13 ns1 amavis[29263]: (29263-05) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (All attempts (1) failed connecting to /var/run/clamav/clamd.ctl) at (eval 113) line 603.\n
    Jun 29 05:42:13 ns1 amavis[29263]: (29263-05) (!)WARN: all primary virus scanners failed, considering backups
    Jun 29 05:42:20 ns1 dovecot: auth-worker(3101): mysql(localhost): Connected to database dbispconfig
    Jun 29 05:42:20 ns1 dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=3103, TLS, session=<oSeZFWo2mQB/AAAB>
    Jun 29 05:42:20 ns1 dovecot: imap([email protected]): Disconnected: Logged out in=271 out=28116
    Jun 29 05:42:24 ns1 postfix/smtpd[3104]: connect from localhost.localdomain[127.0.0.1]
    Jun 29 05:42:24 ns1 postfix/smtpd[3104]: C0B871A82D78: client=localhost.localdomain[127.0.0.1]
    Jun 29 05:42:24 ns1 postfix/cleanup[3082]: C0B871A82D78: message-id=<[email protected]>
    Jun 29 05:42:24 ns1 postfix/qmgr[11940]: C0B871A82D78: from=<>, size=5746, nrcpt=1 (queue active)
    Jun 29 05:42:24 ns1 postfix/smtpd[3104]: disconnect from localhost.localdomain[127.0.0.1]
    Jun 29 05:42:24 ns1 amavis[29263]: (29263-05) Passed CLEAN {RelayedOpenRelay}, [209.85.220.68]:36545 [209.85.220.68] <> -> <[email protected]>, Queue-ID: DE0AE1A81711, Message-ID: <[email protected]>, mail_id: ehm3KYaV9jqx, Hits: -1.577, size: 5286, queued_as: C0B871A82D78, 18787 ms
    Jun 29 05:42:24 ns1 postfix/smtp[3083]: DE0AE1A81711: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=39, delays=21/0.02/0/19, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as C0B871A82D78)
    Jun 29 05:42:24 ns1 postfix/qmgr[11940]: DE0AE1A81711: removed
    Jun 29 05:42:25 ns1 postfix/pickup[25035]: 030531A82DA1: uid=5000 from=<MAILER-DAEMON>
    Jun 29 05:42:25 ns1 dovecot: lda([email protected]): sieve: msgid=<[email protected]>: forwarded to <[email protected]>
    Jun 29 05:42:25 ns1 postfix/cleanup[3082]: 030531A82DA1: message-id=<[email protected]>
    Jun 29 05:42:25 ns1 postfix/qmgr[11940]: 030531A82DA1: from=<>, size=5966, nrcpt=1 (queue active)
    Jun 29 05:42:25 ns1 dovecot: lda([email protected]): sieve: msgid=<[email protected]>: stored mail into mailbox 'INBOX'
    Jun 29 05:42:25 ns1 postfix/pipe[3105]: C0B871A82D78: to=<[email protected]>, orig_to=<[email protected]>, relay=dovecot, delay=0.35, delays=0.09/0.01/0/0.25, dsn=2.0.0, status=sent (delivered via dovecot service)
    Jun 29 05:42:25 ns1 postfix/qmgr[11940]: C0B871A82D78: removed
    Jun 29 05:42:25 ns1 amavis[19770]: (19770-11) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Connection refused
    Jun 29 05:42:26 ns1 amavis[19770]: (19770-11) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Connection refused
    Jun 29 05:42:26 ns1 amavis[19770]: (19770-11) (!)ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamav/clamd.ctl, retrying (2)
    Jun 29 05:42:29 ns1 dovecot: imap([email protected]): Disconnected: Logged out in=449 out=6551
    Jun 29 05:42:29 ns1 dovecot: imap([email protected]): Disconnected: Logged out in=940 out=4808
    Jun 29 05:42:32 ns1 amavis[19770]: (19770-11) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to UNIX socket /var/run/clamav/clamd.ctl: Connection refused
    Jun 29 05:42:32 ns1 amavis[19770]: (19770-11) (!)ClamAV-clamd av-scanner FAILED: run_av error: Too many retries to talk to /var/run/clamav/clamd.ctl (All attempts (1) failed connecting to /var/run/clamav/clamd.ctl) at (eval 113) line 603.\n
    Jun 29 05:42:32 ns1 amavis[19770]: (19770-11) (!)WARN: all primary virus scanners failed, considering backups
    Jun 29 05:42:42 ns1 postfix/smtpd[3104]: connect from localhost.localdomain[127.0.0.1]
    Jun 29 05:42:42 ns1 postfix/smtpd[3104]: 071501A82D78: client=localhost.localdomain[127.0.0.1]
    Jun 29 05:42:42 ns1 postfix/cleanup[3082]: 071501A82D78: message-id=<[email protected]>
    Jun 29 05:42:42 ns1 postfix/smtpd[3104]: disconnect from localhost.localdomain[127.0.0.1]
    Jun 29 05:42:42 ns1 postfix/qmgr[11940]: 071501A82D78: from=<>, size=6412, nrcpt=1 (queue active)
    Jun 29 05:42:42 ns1 amavis[19770]: (19770-11) Passed CLEAN {RelayedOpenRelay}, [209.85.220.68] <> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: aIAraMcasgi1, Hits: -1.577, size: 5962, queued_as: 071501A82D78, 17001 ms
    Jun 29 05:42:42 ns1 postfix/smtp[3083]: 030531A82DA1: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=17, delays=0.11/0/0/17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 071501A82D78)
    Jun 29 05:42:42 ns1 postfix/qmgr[11940]: 030531A82DA1: removed
    Jun 29 05:42:42 ns1 postfix/smtp[3117]: connect to gmail-smtp-in.l.google.com[2607:f8b0:400e:c04::1b]:25: Network is unreachable
    Jun 29 05:42:42 ns1 postfix/smtp[3117]: 071501A82D78: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[173.194.202.26]:25, delay=0.59, delays=0.06/0.01/0.26/0.26, dsn=2.0.0, status=sent (250 2.0.0 OK 1467204162 i68si4335020pfj.25 - gsmtp)
    Jun 29 05:42:42 ns1 postfix/qmgr[11940]: 071501A82D78: removed
    Jun 29 05:42:58 ns1 postfix/smtpd[3047]: warning: hostname 248-43-168-152.fibertel.com.ar does not resolve to address 152.168.43.248: Name or service not known
    Jun 29 05:42:58 ns1 postfix/smtpd[3047]: connect from unknown[152.168.43.248]
    Jun 29 05:42:59 ns1 postfix/smtpd[3047]: 726AF1A82D78: client=unknown[152.168.43.248], sasl_method=LOGIN, sasl_username=[email protected]

    I don't think so. I'm attaching the whole result of "See Original" given by Gmail. I understand that this is sent to me because this email address ([email protected]) can't receive the email (or, in this case, it is delayed), so it is returned to the sender. Please see the part:
    Code:
    Date: Tue, 28 Jun 2016 17:46:52 +0530
    From: "Daisy Rivera" <[email protected]>
    To: [email protected]
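The log above is what till asked for: one bounce followed by queue id through Postfix. Reading that chain by hand is error-prone, so the script below (added example, not code from the thread or from ISPConfig) does it automatically over a constructed log modelled on the one posted, with addresses and message-ids replaced by example values. It links queue ids through the "queued as" line Postfix writes when amavis re-injects a message and through the shared message-id (which is how the sieve forward, picked up as a new queue id, is tied in), then reports where the message entered, its envelope sender, and every final delivery. A null-sender (from=<>) message that entered from an outside host is flagged as a backscatter suspect; the log alone cannot tell such a bounce from a genuine one, which needs the bounced original's headers. The amavis port 10024 is assumed from the posted log.

```python
import re

# Constructed sample, modelled on the thread's Postfix/amavis log, with addresses
# and message-ids replaced by example values (not the poster's real log).
SAMPLE_LOG = """\
Jun 29 05:42:05 ns1 postfix/smtpd[3047]: connect from mail-pa0-f68.google.com[209.85.220.68]
Jun 29 05:42:05 ns1 postfix/smtpd[3047]: DE0AE1A81711: client=mail-pa0-f68.google.com[209.85.220.68]
Jun 29 05:42:05 ns1 postfix/cleanup[3082]: DE0AE1A81711: message-id=<bounce-1@mail.gmail.example>
Jun 29 05:42:06 ns1 postfix/qmgr[11940]: DE0AE1A81711: from=<>, size=5290, nrcpt=1 (queue active)
Jun 29 05:42:24 ns1 postfix/smtpd[3104]: C0B871A82D78: client=localhost.localdomain[127.0.0.1]
Jun 29 05:42:24 ns1 postfix/cleanup[3082]: C0B871A82D78: message-id=<bounce-1@mail.gmail.example>
Jun 29 05:42:24 ns1 postfix/qmgr[11940]: C0B871A82D78: from=<>, size=5746, nrcpt=1 (queue active)
Jun 29 05:42:24 ns1 amavis[29263]: (29263-05) Passed CLEAN {RelayedOpenRelay}, [209.85.220.68] <> -> <catchall@example.com>
Jun 29 05:42:24 ns1 postfix/smtp[3083]: DE0AE1A81711: to=<catchall@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=39, delays=21/0.02/0/19, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as C0B871A82D78)
Jun 29 05:42:25 ns1 postfix/pickup[25035]: 030531A82DA1: uid=5000 from=<MAILER-DAEMON>
Jun 29 05:42:25 ns1 postfix/cleanup[3082]: 030531A82DA1: message-id=<bounce-1@mail.gmail.example>
Jun 29 05:42:25 ns1 postfix/qmgr[11940]: 030531A82DA1: from=<>, size=5966, nrcpt=1 (queue active)
Jun 29 05:42:25 ns1 postfix/pipe[3105]: C0B871A82D78: to=<catchall@example.com>, orig_to=<nonexistent@example.com>, relay=dovecot, delay=0.35, delays=0.09/0.01/0/0.25, dsn=2.0.0, status=sent (delivered via dovecot service)
Jun 29 05:42:42 ns1 postfix/cleanup[3082]: 071501A82D78: message-id=<bounce-1@mail.gmail.example>
Jun 29 05:42:42 ns1 postfix/qmgr[11940]: 071501A82D78: from=<>, size=6412, nrcpt=1 (queue active)
Jun 29 05:42:42 ns1 postfix/smtp[3083]: 030531A82DA1: to=<owner@gmail.example>, relay=127.0.0.1[127.0.0.1]:10024, delay=17, delays=0.11/0/0/17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 071501A82D78)
Jun 29 05:42:42 ns1 postfix/smtp[3117]: 071501A82D78: to=<owner@gmail.example>, relay=gmail-smtp-in.l.google.com[173.194.202.26]:25, delay=0.59, delays=0.06/0.01/0.26/0.26, dsn=2.0.0, status=sent (250 2.0.0 OK 1467204162 i68si4335020pfj.25 - gsmtp)
"""

# Standard Postfix syslog line with a queue id; amavis/dovecot/connect lines do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>postfix/\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]{8,}): (?P<rest>.*)$"
)
AMAVIS_RELAY = ":10024"   # assumed content-filter port, taken from the posted log


def parse_log(text):
    """Collect, per queue id, the entry client, envelope sender, message-id and
    every delivery attempt (to=/relay=/status=) that Postfix logged for it."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        info = msgs.setdefault(qid, {"order": len(msgs), "client": None, "sender": None,
                                     "message_id": None, "deliveries": [], "queued_as": []})
        if rest.startswith("client="):
            info["client"] = rest[len("client="):].split(",")[0]
        elif rest.startswith("from="):
            info["sender"] = re.match(r"from=<([^>]*)>", rest).group(1)
        elif rest.startswith("message-id="):
            info["message_id"] = rest[len("message-id="):]
        elif rest.startswith("to="):
            orig = re.search(r"orig_to=<([^>]*)>", rest)
            queued = re.search(r"queued as ([0-9A-F]+)", rest)
            info["deliveries"].append({
                "to": re.match(r"to=<([^>]*)>", rest).group(1),
                "orig_to": orig.group(1) if orig else None,
                "relay": re.search(r"relay=([^,]+)", rest).group(1),
                "status": re.search(r"status=(\w+)", rest).group(1),
            })
            if queued:
                info["queued_as"].append(queued.group(1))
    return msgs


def build_chains(msgs):
    """Union queue ids that belong to one message: via 'queued as <id>' (amavis
    re-injection) and via a shared message-id (the sieve forward's pickup)."""
    parent = {q: q for q in msgs}

    def find(q):
        while parent[q] != q:
            q = parent[q]
        return q

    def union(a, b):
        if a in parent and b in parent:
            parent[find(a)] = find(b)

    by_mid = {}
    for q, info in msgs.items():
        for nxt in info["queued_as"]:
            union(q, nxt)
        if info["message_id"]:
            union(q, by_mid.setdefault(info["message_id"], q))
    chains = {}
    for q in msgs:
        chains.setdefault(find(q), []).append(q)
    return [sorted(c, key=lambda q: msgs[q]["order"]) for c in chains.values()]


def summarize(chain, msgs, local=("127.0.0.1", "localhost")):
    """Describe one message end to end; flag the backscatter pattern, a
    null-sender (from=<>) message that entered from an outside host."""
    entry = msgs[chain[0]]
    client = entry["client"] or ""
    from_outside = bool(client) and not any(tok in client for tok in local)
    final = [d for q in chain for d in msgs[q]["deliveries"]
             if not d["relay"].endswith(AMAVIS_RELAY)]   # skip the hop into amavis
    return {
        "queue_ids": chain,
        "entry_client": client,
        "sender": entry["sender"],
        "final_deliveries": [(d["orig_to"] or d["to"], d["to"], d["relay"], d["status"]) for d in final],
        "backscatter_suspect": from_outside and entry["sender"] == "",
    }


def trace(log_text):
    msgs = parse_log(log_text)
    return [summarize(chain, msgs) for chain in build_chains(msgs)]


if __name__ == "__main__":
    for msg in trace(SAMPLE_LOG):
        print(msg)
```

Run against a real mail.log the output shows, per message, the original recipient (`orig_to`, the non-existent address), the catch-all mailbox it was rewritten to, and the onward forward, which is exactly the path a catch-all plus sieve redirect gives a forged-sender bounce.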
     
  4. etruel

    etruel New Member HowtoForge Supporter

    Continuing the previous post.

    gmail:
    Code:
    Delivered-To: [email protected]
    Received: by 10.36.143.141 with SMTP id k135csp1090307itd;
      Sun, 3 Jul 2016 07:14:25 -0700 (PDT)
    X-Received: by 10.98.112.196 with SMTP id l187mr14406077pfc.59.1467555265040;
      Sun, 03 Jul 2016 07:14:25 -0700 (PDT)
    Return-Path: <>
    Received: from ns1.etruel.com (etruel.com. [66.240.210.90])
      by mx.google.com with ESMTPS id b6si4075528pay.102.2016.07.03.07.14.24
      for <[email protected]>
      (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
      Sun, 03 Jul 2016 07:14:24 -0700 (PDT)
    Received-SPF: pass (google.com: best guess record for domain of [email protected] designates 66.240.210.90 as permitted sender) client-ip=66.240.210.90;
    Authentication-Results: mx.google.com;
      dkim=pass [email protected];
      spf=pass (google.com: best guess record for domain of [email protected] designates 66.240.210.90 as permitted sender) smtp.helo=ns1.etruel.com;
      dmarc=pass (p=QUARANTINE dis=NONE) header.from=googlemail.com
    Received: from localhost (localhost.localdomain [127.0.0.1])
      by ns1.etruel.com (Postfix) with ESMTP id 1D82C1A82865
      for <[email protected]>; Sun,  3 Jul 2016 07:14:24 -0700 (PDT)
    X-Virus-Scanned: Debian amavisd-new at ns1.etruel.com
    Received: from ns1.etruel.com ([127.0.0.1])
      by localhost (ns1.etruel.com [127.0.0.1]) (amavisd-new, port 10024)
      with ESMTP id ISi0-ls88FYz for <[email protected]>;
      Sun,  3 Jul 2016 07:14:06 -0700 (PDT)
    Received: by ns1.etruel.com (Postfix, from userid 5000)
      id 606B31A82C76; Sun,  3 Jul 2016 07:14:06 -0700 (PDT)
    X-Sieve: Pigeonhole Sieve 0.3.1
    X-Sieve-Redirected-From: [email protected]
    Delivered-To: [email protected]
    Received: from localhost (localhost.localdomain [127.0.0.1])
      by ns1.etruel.com (Postfix) with ESMTP id 31B621A82BD5
      for <[email protected]>; Sun,  3 Jul 2016 07:14:06 -0700 (PDT)
    X-Virus-Scanned: Debian amavisd-new at ns1.etruel.com
    Received: from ns1.etruel.com ([127.0.0.1])
      by localhost (ns1.etruel.com [127.0.0.1]) (amavisd-new, port 10024)
      with ESMTP id ZQ6mgQcW4mep for <[email protected]>;
      Sun,  3 Jul 2016 07:13:49 -0700 (PDT)
    Received: from mail-pa0-f66.google.com (mail-pa0-f66.google.com [209.85.220.66])
      by ns1.etruel.com (Postfix) with ESMTPS id BBA0B1A82AE3
      for <[email protected]>; Sun,  3 Jul 2016 07:13:29 -0700 (PDT)
    Received: by mail-pa0-f66.google.com with SMTP id hf6so13680069pac.2
      for <[email protected]>; Sun, 03 Jul 2016 07:13:29 -0700 (PDT)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
      d=googlemail.com; s=20120113;
      h=mime-version:from:to:subject:message-id:date;
      bh=JDKlKpelkKyguJktmc+4KAjBGtQ8f+AX5idzc6n24Tw=;
      b=lPMU53SJg9rphDx6y99mTK7jFnuAYnzXpIuqmRyHa88FttFsDPDyacC0CzqU3LDBBV
      qljt0QEgY6El8ey9GUvfUywytKKfPibkGHnZQBxivX4jZb2qOs47sorbnTUN+eayeyPM
      oT+UIVxByjHtTGkcqjaf6+H7/qCzh0jgDkclJpf8EkjuivJMa3JPVFdw9p3ss1D0KvNT
      6P/otj//EVxdDuo5qsojpxgVs6beUOru6XJ6yUehgqW2azuK8ugzCJDKADioCRoDbYep
      uNJlxRKoPYyKxh6XABEpCn3wh7UitqSzbnHcmkSQ2hw3G2Z4qJ3TVGOsWzoI/Qu9E/Ap
      u2Ug==
    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
      d=1e100.net; s=20130820;
      h=x-gm-message-state:mime-version:from:to:subject:message-id:date;
      bh=JDKlKpelkKyguJktmc+4KAjBGtQ8f+AX5idzc6n24Tw=;
      b=GNyRIJjz8E7X56CtuH+IqK5ruEoqyuUfBoOWa/tYRAuTT8YYuvmazR6KAo8YyVUK83
      QlesQxpttZCyhpx2nx4p7GgeuPgPIjLmIvD8h0nrRYaeFSe3hkLf4/TBlMKCYCsFHv7o
      BsMkP3RnHGCIDTaWuVe2PQlKIN7qSKnxU3KCSzm1qFhnb1YbESBePSVIJRoU+RdWM8PI
      /cfxv+U3FVUr/NFjJI5K5tuoXvXu/sp17a7uhFhM2Uaa416xCSUDK6ocG1z84++oIU02
      rHbhpYXKfzM036KJn7JsE3RL9FJ9GJGaKFs2dcAPJPZnWYotmtzkTc2lxsXOnNCaVjBN
      Bvjw==
    X-Gm-Message-State: ALyK8tIxERA6TUTXz02cfkZufAOGMGql7GQA9lZM48AkPe3cA6MO/NthRC1hbzAkT8AGT0L8+Rzk2P7W+MIVLrX9VbPz1tED
    X-Received: by 10.66.160.199 with SMTP id xm7mr14292345pab.78.1467555208651;
      Sun, 03 Jul 2016 07:13:28 -0700 (PDT)
    MIME-Version: 1.0
    Received: by 10.66.160.199 with SMTP id xm7mr14813962pab.78; Sun, 03 Jul 2016
    07:13:28 -0700 (PDT)
    From: Mail Delivery Subsystem <[email protected]>
    To: [email protected]
    Subject: Delivery Status Notification (Delay)
    Message-ID: <[email protected]>
    Date: Sun, 03 Jul 2016 14:13:28 +0000
    Content-Type: text/plain; charset=UTF-8
    
    This is an automatically generated Delivery Status Notification
    
    THIS IS A WARNING MESSAGE ONLY.
    
    YOU DO NOT NEED TO RESEND YOUR MESSAGE.
    
    Delivery to the following recipient has been delayed:
    
      [email protected]
    
    Message will be retried for 1 more day(s)
    
    Technical details of temporary failure:
    The recipient server did not accept our requests to connect. Learn more at https://support.google.com/mail/answer/7720
    [77.243.37.122 77.243.37.122: socket error]
    
    ----- Original message -----
    
    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
      d=1e100.net; s=20130820;
      h=x-original-authentication-results:x-gm-message-state:date:from:to
      :subject:message-id:mime-version:content-disposition:user-agent;
      bh=7gQRkQ5FogLD8WjyKG6vbgBQrmSuUAJ99gYQ21EZSIQ=;
      b=UFgDdy9O/f7CX136PqIFDc9ryMF1ElQlhbkLnNYXnzGPLXVJsTPvS70Gnu4dk0K9Iy
      izAxbj4Z/OMGERZ8prsAH0AqBnvMUukdm9TUF2UjaAItwysLkX2w1uZFXLEQalnHl1Sz
      Ap61V7V/VqPlQeYGF8ShiKnLOLlsdfzLecoXi7qwzQDZLB3Bg4cYxTrLujB4czTHRU9A
      9Lat8bGP7xzfKH8Bh6wTiW9qgB8VtVSkPIuJecWvVlxLqMNimpDwY4lp20N0h/I+nrCx
      fbKKl58bLHDYWas4f8i//UZXFjms9JQvwBy+VbTuR5Jy5NzirW6Xkh6xky19xUTTune5
      /f2g==
    X-Original-Authentication-Results: mx.google.com;  spf=neutral (google.com: 121.245.114.138 is neither permitted nor denied by domain of [email protected]) [email protected]
    X-Gm-Message-State: ALyK8tIbBkq1MTr7ObYnLXpraGMb5Ah09uNvIZuwVL/2GacCe0iD+9UklMnsqQ/MRJUQ1gUnXpMtj5nNNnOW7solmn6p9gpcsB3Lgc60eYFkdzvgw12ZZx6nFfbQTUgEIg7S3ornECH9rTOuT3i8PISS2ZTRe1iqFlro0SwzVweDCVM=
    X-Received: by 10.66.160.199 with SMTP id xm7mr1325401pab.78.1467116226568;
      Tue, 28 Jun 2016 05:17:06 -0700 (PDT)
    X-Received: by 10.66.160.199 with SMTP id xm7mr1325394pab.78.1467116226534;
      Tue, 28 Jun 2016 05:17:06 -0700 (PDT)
    Return-Path: <[email protected]>
    Received: from 121.245.114.138.cdma-delhi.vsnl.net.in ([121.245.114.138])
      by mx.google.com with ESMTP id d5si26503260pfa.86.2016.06.28.05.17.04
      for <[email protected]>;
      Tue, 28 Jun 2016 05:17:06 -0700 (PDT)
    Received-SPF: neutral (google.com: 121.245.114.138 is neither permitted nor denied by domain of [email protected]) client-ip=121.245.114.138;
    Authentication-Results: mx.google.com;
      spf=neutral (google.com: 121.245.114.138 is neither permitted nor denied by domain of [email protected]) [email protected]
    Received: by localhost (Postfix, from userid 604)
      id 12B4E4E115C; Tue, 28 Jun 2016 17:46:52 +0530
    Date: Tue, 28 Jun 2016 17:46:52 +0530
    From: "Daisy Rivera" <[email protected]>
    To: [email protected]
    Subject: report
    Message-ID: <[email protected]>
    Mime-Version: 1.0
    Content-Type: multipart/mixed; boundary="/xlnj/DcRKIGqDtL"
    Content-Disposition: inline
    User-Agent: Mutt/1.5.4i
    
    Hi 2b792e9,
    
    I've attached the report you asked me to send.
    
    
    Regards
    
    Daisy Rivera
    Technical Sales Manager Power Generation
    
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    As far as I can see, the spam emails are sent using a fake address of your domain, but they are not sent by your server. Therefore you receive only the non-delivery messages, and you can't do that much, as your server is not the sending mail server. What you can do is:

    1) Set up SPF and DKIM for your domain so that other servers can verify which emails are sent by you and which are sent by the spammers.
    2) Remove your catch-all mailbox, so that your server stops accepting the bounces for the fake addresses.
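The diagnosis above rests on one check: the bounced original never passed through the server it claims to come from. The script below (an added example, not code from the thread or from ISPConfig) applies that check to a delivery status notification as Gmail's "Show original" presents it. It pulls the bounced original out of the DSN (from a `message/rfc822` part for RFC 3464 reports, or from Gmail's plain-text "----- Original message -----" section), walks the original's `Received` headers looking for our own MTA, and classifies the DSN as backscatter when the original carries a sender in our domain but never touched our server. The hostname `ns1.example.com`, the IP `203.0.113.10`, the domain `example.com` and the sample DSN are constructed; the sample mirrors the structure of the one posted, including the `Received-SPF: neutral` result that a published SPF record would turn into a fail.

```python
import email
import re
from email import policy

OUR_HOSTS = ("ns1.example.com", "203.0.113.10")   # assumed: our MTA's hostname and IP
OUR_DOMAIN = "example.com"                         # assumed: the domain being forged
MARKER = "----- Original message -----"            # Gmail's plain-text DSN separator

# Constructed DSN modelled on the one posted; all addresses and hosts are examples.
SAMPLE_DSN = """\
Return-Path: <>
Received: from mail-x.google.example (mail-x.google.example [198.51.100.5])
  by ns1.example.com (Postfix) with ESMTPS id BBA0B1A82AE3
  for <nonexistent@example.com>; Sun,  3 Jul 2016 07:13:29 -0700 (PDT)
From: Mail Delivery Subsystem <mailer-daemon@google.example>
To: nonexistent@example.com
Subject: Delivery Status Notification (Delay)
Content-Type: text/plain; charset=UTF-8

This is an automatically generated Delivery Status Notification

Delivery to the following recipient has been delayed:

  victim@example.net

----- Original message -----

Return-Path: <nonexistent@example.com>
Received: from 121.245.114.138.cdma-delhi.example ([192.0.2.77])
  by mx.google.example with ESMTP id d5si26503260pfa.86
  for <victim@example.net>;
  Tue, 28 Jun 2016 05:17:06 -0700 (PDT)
Received-SPF: neutral (google.example: 192.0.2.77 is neither permitted nor denied by domain of nonexistent@example.com) client-ip=192.0.2.77;
Received: by localhost (Postfix, from userid 604)
  id 12B4E4E115C; Tue, 28 Jun 2016 17:46:52 +0530
From: "Daisy Rivera" <nonexistent@example.com>
To: victim@example.net
Subject: report

Hi, I've attached the report you asked me to send.
"""


def extract_original(dsn):
    """Return the bounced original as a message object, from a message/rfc822
    part (multipart/report DSNs) or from the plain-text marker form; else None."""
    for part in dsn.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    text = dsn.get_body(preferencelist=("plain",))
    if text is None:
        return None
    body = text.get_content()
    if MARKER not in body:
        return None
    return email.message_from_string(body.split(MARKER, 1)[1].lstrip(), policy=policy.default)


def classify(raw, our_hosts=OUR_HOSTS, our_domain=OUR_DOMAIN):
    """Decide whether a DSN is backscatter (forged sender in our domain, original
    never relayed by us), a genuine bounce of mail we handled, or undecidable."""
    dsn = email.message_from_string(raw, policy=policy.default)
    original = extract_original(dsn)
    if original is None:
        return {"verdict": "unknown", "reason": "no original message found in DSN"}
    received = [" ".join(str(h).split()) for h in original.get_all("Received", [])]
    touched_us = any(host in hop for hop in received for host in our_hosts)
    sender = str(original.get("From", ""))
    m = re.search(r"@([\w.-]+)", sender)
    sender_domain = m.group(1).lower() if m else ""
    forged = sender_domain == our_domain.lower() and not touched_us
    return {
        "verdict": "backscatter" if forged else ("genuine_bounce" if touched_us else "unknown"),
        "null_sender": str(dsn.get("Return-Path", "")).strip() == "<>",
        "dsn_recipient": str(dsn.get("To", "")),
        "original_sender": sender,
        "original_received": received,
        "touched_our_mta": touched_us,
    }


if __name__ == "__main__":
    for key, value in classify(SAMPLE_DSN).items():
        print(f"{key}: {value}")
```

The `dsn_recipient` field is the address the bounce was aimed at; when it is one that exists only because of a catch-all, the DSN would have been rejected at SMTP time without that catch-all, which is the point of till's second recommendation.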
     
  6. etruel

    etruel New Member HowtoForge Supporter

  7. till

    till Super Moderator Staff Member ISPConfig Developer

  8. etruel

    etruel New Member HowtoForge Supporter

    Excellent, I'll research it.

    thanks
     
