gabriel rosenkoetter on 21 Oct 2003 18:14:02 -0400
I think you're misreading your logs, Jon.

On Tue, Oct 21, 2003 at 10:54:39AM -0400, Jon Nelson wrote:
> Oct 20 17:02:51 muffin postfix/smtpd[26958]: connect from
> 218-172-206-249.HINET-IP.hinet.net[218.172.206.249]
>
> Oct 20 17:02:52 muffin postfix/smtpd[26958]: 1864324122:
> client=218-172-206-249.HINET-IP.hinet.net[218.172.206.249]
>
> Oct 20 17:02:54 muffin postfix/cleanup[26959]: 1864324122:
> message-id=<AlE@seed.net.tw>
>
> Oct 20 17:02:54 muffin postfix/nqmgr[1080]: 1864324122:
> from=<IIhBJUcUr@iris.seed.net.tw>, size=2654, nrcpt=2 (queue active)
> Oct 20 17:02:54 muffin postfix/nqmgr[1080]: 1864324122:
> to=<--quincy@linuxnotes.net>, relay=none, delay=2, status=bounced (invalid
> recipient syntax: "--quincy@linuxnotes.net")
>
> **Above I get the email from seed.net.tw w/ 2 recipients and one gets
> bounced.

What makes you think it had two recipients? I only see one attempted
delivery here...

> Oct 20 17:02:55 muffin postfix/pipe[26963]: 1864324122:
> to=<quincy@linuxnotes.net>, relay=cyrus, delay=3, status=sent
> (muffin.linuxnotes.net)
>
> **Then next one is received (probably spam)

Oh, there's the other one. Did you actually *see* this spam?

> Oct 20 17:02:55 muffin postfix/cleanup[26959]: 0AA16244F5:
> message-id=<20031020210255.0AA16244F5@muffin.linuxnotes.net>
>
> Oct 20 17:02:55 muffin postfix/nqmgr[1080]: 0AA16244F5: from=<>,
> size=4322, nrcpt=1 (queue active)
>
> **Mail accepted from ? (seed.net.tw) w/ 1 recipient

No, that's your MAILER-DAEMON saying "--quincy" is invalid syntax. That's
an outgoing email. Note the message ID indicates that this message was
generated on muffin.linuxnotes.net, not on seed.net.tw.

> Oct 20 17:02:55 muffin postfix/smtpd[26958]: disconnect from
> 218-172-206-249.HINET-IP.hinet.net[218.172.206.249]
>
> Oct 20 17:02:56 muffin postfix/smtp[26966]: 0AA16244F5:
> to=<IIhBJUcUr@iris.seed.net.tw>, relay=mx.seed.net.tw[139.175.54.239],
> delay=1, status=bounced (host mx.seed.net.tw[139.175.54.239] said: 550
> unknown user)
>
> **Relay attempted and bounced only because of unknown user at
> mx.seed.net.tw.

That's their MAILER-DAEMON saying "I've never heard of that user name",
probably because it was forged. Or maybe it rejected the mail because it
claims that <> is an invalid source address (which is against the relevant
RFCs; you're supposed to have to accept that mail, but rejecting it is a
good way for spammers to not get a lot of bounces).

> My question is why did this happen?

Because whoever sent that spam email from 218-172-206-249.HINET-IP.hinet.net
forged the return-path as IIhBJUcUr@iris.seed.net.tw. Your mail server's
only fault was to believe that was a legitimate mail, and it should
legitimately tell the sender (which it has no way of knowing except by the
return-path listed in the message) that there was a problem.

You could configure Postfix not to send a bounce in this case (or, if you
want to get extreme, in ANY case), but then you'll be making your mailserver
harder to use (people won't know that you didn't receive the email if they
typo your email address(es)).

In any case, you didn't relay anything, don't worry.

--
gabriel rosenkoetter
gr@eclipsed.net
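The reasoning in the reply above (group the log by queue ID, notice that 0AA16244F5 has a null sender and a locally generated message-id, and conclude that nothing was relayed) can be mechanised. The following is an added example written for this page, not code from the thread or from Postfix: it parses the quoted lines, classifies each queued message, pairs the outgoing bounce with the inbound message that triggered it, and checks for relayed mail. The log text is the thread's own, re-joined one entry per line; the remote MX's reply is assumed to be the SMTP code 550, which the quoted "55 0" most plausibly is.

```python
import re
from collections import defaultdict

# Constructed sample: the Postfix log lines quoted in the thread, one per line.
SAMPLE_LOG = """\
Oct 20 17:02:51 muffin postfix/smtpd[26958]: connect from 218-172-206-249.HINET-IP.hinet.net[218.172.206.249]
Oct 20 17:02:52 muffin postfix/smtpd[26958]: 1864324122: client=218-172-206-249.HINET-IP.hinet.net[218.172.206.249]
Oct 20 17:02:54 muffin postfix/cleanup[26959]: 1864324122: message-id=<AlE@seed.net.tw>
Oct 20 17:02:54 muffin postfix/nqmgr[1080]: 1864324122: from=<IIhBJUcUr@iris.seed.net.tw>, size=2654, nrcpt=2 (queue active)
Oct 20 17:02:54 muffin postfix/nqmgr[1080]: 1864324122: to=<--quincy@linuxnotes.net>, relay=none, delay=2, status=bounced (invalid recipient syntax: "--quincy@linuxnotes.net")
Oct 20 17:02:55 muffin postfix/pipe[26963]: 1864324122: to=<quincy@linuxnotes.net>, relay=cyrus, delay=3, status=sent (muffin.linuxnotes.net)
Oct 20 17:02:55 muffin postfix/cleanup[26959]: 0AA16244F5: message-id=<20031020210255.0AA16244F5@muffin.linuxnotes.net>
Oct 20 17:02:55 muffin postfix/nqmgr[1080]: 0AA16244F5: from=<>, size=4322, nrcpt=1 (queue active)
Oct 20 17:02:55 muffin postfix/smtpd[26958]: disconnect from 218-172-206-249.HINET-IP.hinet.net[218.172.206.249]
Oct 20 17:02:56 muffin postfix/smtp[26966]: 0AA16244F5: to=<IIhBJUcUr@iris.seed.net.tw>, relay=mx.seed.net.tw[139.175.54.239], delay=1, status=bounced (host mx.seed.net.tw[139.175.54.239] said: 550 unknown user)
"""

# syslog prefix, Postfix program, queue ID, then the key=value payload
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$')
# key=<bracketed value> or key=bare-value (stops at comma/whitespace)
KV_RE = re.compile(r'([\w-]+)=(<[^>]*>|[^,\s]+)')
REASON_RE = re.compile(r'status=\w+ \((.*)\)$')


def parse_postfix_log(text):
    """Group log lines by queue ID; lines without a queue ID (connect/disconnect) are skipped."""
    msgs = defaultdict(lambda: {"host": None, "client": None, "sender": None,
                                "message_id": None, "nrcpt": None, "recipients": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = msgs[m["qid"]]
        rec["host"] = m["host"]
        kv = dict(KV_RE.findall(m["rest"]))
        if "client" in kv:                       # smtpd: message arrived over SMTP
            rec["client"] = kv["client"]
        if "message-id" in kv:
            rec["message_id"] = kv["message-id"].strip("<>")
        if "from" in kv:                         # queue manager: envelope sender
            rec["sender"] = kv["from"].strip("<>")
            rec["nrcpt"] = int(kv.get("nrcpt", 0))
        if "to" in kv:                           # per-recipient delivery result
            reason = REASON_RE.search(m["rest"])
            rec["recipients"].append({"to": kv["to"].strip("<>"), "relay": kv["relay"],
                                      "status": kv["status"],
                                      "reason": reason.group(1) if reason else ""})
    return dict(msgs)


def classify(rec):
    """Label a message the way the reply does: inbound via smtpd, or a bounce this host made."""
    mid_host = rec["message_id"].rsplit("@", 1)[-1].split(".")[0] if rec["message_id"] else ""
    if rec["client"] is None and rec["sender"] == "" and mid_host == rec["host"]:
        return "locally generated bounce (MAILER-DAEMON)"
    if rec["client"] is not None:
        return "inbound via smtpd from " + rec["client"]
    return "unknown"


def relayed_messages(msgs):
    """Queue IDs that arrived over SMTP and were handed on to a remote host (relay=host[ip])."""
    return [qid for qid, rec in msgs.items()
            if rec["client"] is not None
            and any("[" in r["relay"] for r in rec["recipients"])]


def backscatter(msgs):
    """Local bounces that a remote MX refused: the symptom of a forged return-path."""
    return [qid for qid, rec in msgs.items()
            if classify(rec).startswith("locally generated bounce")
            and any(r["status"] == "bounced" and "[" in r["relay"] for r in rec["recipients"])]


def bounce_trigger(msgs, bounce_qid):
    """The inbound message whose return-path the bounce was addressed to."""
    target = msgs[bounce_qid]["recipients"][0]["to"]
    for qid, rec in msgs.items():
        if qid != bounce_qid and rec["sender"] == target \
                and any(r["status"] == "bounced" for r in rec["recipients"]):
            return qid
    return None


if __name__ == "__main__":
    msgs = parse_postfix_log(SAMPLE_LOG)
    for qid, rec in msgs.items():
        print(qid, classify(rec), "nrcpt=%s" % rec["nrcpt"])
        for r in rec["recipients"]:
            print("   ", r["to"], "via", r["relay"], "->", r["status"], r["reason"])
    print("relayed:", relayed_messages(msgs))
    print("backscatter:", backscatter(msgs), "triggered by",
          [bounce_trigger(msgs, q) for q in backscatter(msgs)])
```

Run stand-alone, it reports 1864324122 as inbound with two recipients (one rejected for invalid syntax, one delivered to cyrus), 0AA16244F5 as a locally generated bounce whose only recipient was refused by mx.seed.net.tw, an empty list of relayed messages, and the bounce paired with 1864324122 as its trigger. On a real mail log the `backscatter` list is the figure worth watching: a steady stream of refused local bounces means forged return-paths are being accepted and bounced, which is the situation the reply describes.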