Jon Nelson on 21 Oct 2003 20:44:02 -0400



Re: [PLUG] mail relay?


gabriel rosenkoetter said:
> I think you're misreading your logs, Jon.

I very well could be.

>
> On Tue, Oct 21, 2003 at 10:54:39AM -0400, Jon Nelson wrote:
>> Oct 20 17:02:51 muffin postfix/smtpd[26958]: connect from
>> 218-172-206-249.HINET-IP.hinet.net[218.172.206.249]
>>
>> Oct 20 17:02:52 muffin postfix/smtpd[26958]: 1864324122:
>> client=218-172-206-249.HINET-IP.hinet.net[218.172.206.249]
>>
>> Oct 20 17:02:54 muffin postfix/cleanup[26959]: 1864324122:
>> message-id=<AlE@seed.net.tw>
>>
>> Oct 20 17:02:54 muffin postfix/nqmgr[1080]: 1864324122:
>> from=<IIhBJUcUr@iris.seed.net.tw>, size=2654, nrcpt=2 (queue active)
>>
>> Oct 20 17:02:54 muffin postfix/nqmgr[1080]: 1864324122:
>> to=<--quincy@linuxnotes.net>, relay=none, delay=2, status=bounced
>> (invalid recipient syntax: "--quincy@linuxnotes.net")
>>
>> **Above I get the email from seed.net.tw w/ 2 recipients and one gets
>> bounced.
>
> What makes you think it had two recipients? I only see one attempted
> delivery here...

According to:

http://logreport.org/doc/gen/email/postfix.php

"nrcpt=2" means there are 2 recipients.

>
>> Oct 20 17:02:55 muffin postfix/pipe[26963]: 1864324122:
>> to=<quincy@linuxnotes.net>, relay=cyrus, delay=3, status=sent
>> (muffin.linuxnotes.net)
>>
>> **Then the next one is received (probably spam)
>
> Oh, there's the other one. Did you actually *see* this spam?

No, I saw the logs after the fact.

>
>> Oct 20 17:02:55 muffin postfix/cleanup[26959]: 0AA16244F5:
>> message-id=<20031020210255.0AA16244F5@muffin.linuxnotes.net>
>>
>> Oct 20 17:02:55 muffin postfix/nqmgr[1080]: 0AA16244F5: from=<>,
>> size=4322, nrcpt=1 (queue active)
>>
>> **Mail accepted from ? (seed.net.tw) w/ 1 recipient
>
> No, that's your MAILER-DAEMON saying "--quincy" is invalid syntax.
> That's an outgoing email. Note the message ID indicates that this
> message was generated on muffin.linuxnotes.net, not on seed.net.tw.
>
>> Oct 20 17:02:55 muffin postfix/smtpd[26958]: disconnect from
>> 218-172-206-249.HINET-IP.hinet.net[218.172.206.249]
>>
>> Oct 20 17:02:56 muffin postfix/smtp[26966]: 0AA16244F5:
>> to=<IIhBJUcUr@iris.seed.net.tw>, relay=mx.seed.net.tw[139.175.54.239],
>> delay=1, status=bounced (host mx.seed.net.tw[139.175.54.239] said: 550
>> unknown user)
>>
>> **Relay attempted and bounced only because of unknown user at
>> mx.seed.net.tw.
>
> That's their MAILER-DAEMON saying "I've never heard of that user
> name" probably because it was forged. Or maybe it rejected the mail
> because it claims that <> is an invalid source address (which is
> against the relevant RFCs; you're supposed to have to accept that
> mail, but rejecting it is a good way for spammers to not get a lot
> of bounces).
>
>> My question is why did this happen?
>
> Because whoever sent that spam email from
> 218-172-206-249.HINET-IP.hinet.net forged the return-path as
> IIhBJUcUr@iris.seed.net.tw. Your mail server's only fault was to
> believe that was a legitimate mail, and it should legitimately tell
> the sender (which it has no way of knowing except by the return-path
> listed in the message) that there was a problem.

OK, so if I got this right...I got spammed by someone who forged the
return path.  The mail to "--quincy" got bounced and my server tried to
send a bounce msg to the forged address.

Jon

>
> You could configure Postfix not to send a bounce in this case (or,
> if you want to get extreme, in ANY case), but then you'll be making
> your mailserver harder to use (people won't know that you didn't
> receive the email if they typo your email address(es)).
>
> In any case, you didn't relay anything, don't worry.
>
> --
> gabriel rosenkoetter
> gr@eclipsed.net
>


-- 
Trooper Jon S. Nelson, Linux Certified Admin., CCNA
Pa. State Police, Bureau of Criminal Investigation
Computer Crimes Unit
Work: 610.344.4471 Cell/Page: 866.284.1603
jonelson@state.pa.us
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
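The reading gabriel gives above (one inbound message with two recipients, followed by a locally generated bounce whose delivery to the forged return-path was refused by the remote MX) can be checked mechanically rather than by eye. The following is an added example, not code from either poster: it groups Postfix log records by queue ID, marks a record as a bounce this server generated when the envelope sender is empty and the Message-ID was minted by the local host, links that bounce back to the inbound message whose sender it was addressed to, and flags real relaying only when mail from a non-local client was delivered to a non-local domain. The sample input is the thread's own log excerpt re-joined onto one line per entry (the wrapped "55 0" read as the SMTP reply 550); `LOCAL_HOST`, `LOCAL_DOMAINS` and the treatment of `localhost` as a non-relaying client are assumptions for the example.

```python
"""Classify Postfix log entries by queue ID: inbound mail, bounces this host
generated, and true relaying. Added example; not the original posters' code."""
import re
from collections import defaultdict

LOCAL_HOST = "muffin.linuxnotes.net"   # assumption: the server's $myhostname
LOCAL_DOMAINS = {"linuxnotes.net"}      # assumption: domains this server accepts mail for

# Sample input: the thread's log excerpt, one record per line (constructed from the post).
SAMPLE_LOG = """\
Oct 20 17:02:51 muffin postfix/smtpd[26958]: connect from 218-172-206-249.HINET-IP.hinet.net[218.172.206.249]
Oct 20 17:02:52 muffin postfix/smtpd[26958]: 1864324122: client=218-172-206-249.HINET-IP.hinet.net[218.172.206.249]
Oct 20 17:02:54 muffin postfix/cleanup[26959]: 1864324122: message-id=<AlE@seed.net.tw>
Oct 20 17:02:54 muffin postfix/nqmgr[1080]: 1864324122: from=<IIhBJUcUr@iris.seed.net.tw>, size=2654, nrcpt=2 (queue active)
Oct 20 17:02:54 muffin postfix/nqmgr[1080]: 1864324122: to=<--quincy@linuxnotes.net>, relay=none, delay=2, status=bounced (invalid recipient syntax: "--quincy@linuxnotes.net")
Oct 20 17:02:55 muffin postfix/pipe[26963]: 1864324122: to=<quincy@linuxnotes.net>, relay=cyrus, delay=3, status=sent (muffin.linuxnotes.net)
Oct 20 17:02:55 muffin postfix/cleanup[26959]: 0AA16244F5: message-id=<20031020210255.0AA16244F5@muffin.linuxnotes.net>
Oct 20 17:02:55 muffin postfix/nqmgr[1080]: 0AA16244F5: from=<>, size=4322, nrcpt=1 (queue active)
Oct 20 17:02:55 muffin postfix/smtpd[26958]: disconnect from 218-172-206-249.HINET-IP.hinet.net[218.172.206.249]
Oct 20 17:02:56 muffin postfix/smtp[26966]: 0AA16244F5: to=<IIhBJUcUr@iris.seed.net.tw>, relay=mx.seed.net.tw[139.175.54.239], delay=1, status=bounced (host mx.seed.net.tw[139.175.54.239] said: 550 unknown user)
"""

# syslog prefix, "postfix/<program>[pid]:", optional queue ID, then the record body
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<prog>\w+)\[\d+\]: "
    r"(?:(?P<qid>[0-9A-F]+): )?(?P<rest>.*)$")


def field(rest, name):
    """Value of name=<...> or name=word inside a Postfix record body, else None."""
    m = re.search(r"\b" + re.escape(name) + r"=(<[^>]*>|[^,\s]+)", rest)
    return m.group(1) if m else None


def addr(value):
    """Strip angle brackets from an envelope address; '<>' (null sender) becomes ''."""
    return value[1:-1] if value and value.startswith("<") and value.endswith(">") else value


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def parse(log_text):
    """Group records by queue ID; connect/disconnect lines carry no ID and are skipped."""
    msgs = defaultdict(lambda: {"client": None, "from": None, "message_id": None,
                                "nrcpt": None, "deliveries": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("qid"):
            continue
        rec, rest = msgs[m.group("qid")], m.group("rest")
        if field(rest, "client"):
            rec["client"] = field(rest, "client")
        if field(rest, "message-id"):
            rec["message_id"] = addr(field(rest, "message-id"))
        if field(rest, "from") is not None:              # queue-manager record
            rec["from"] = addr(field(rest, "from"))
            n = field(rest, "nrcpt")
            rec["nrcpt"] = int(n) if n else rec["nrcpt"]
        if field(rest, "to"):                             # one record per recipient attempt
            said = re.search(r"said: (\d{3})", rest)      # remote SMTP reply code, if any
            rec["deliveries"].append({"to": addr(field(rest, "to")),
                                      "relay": field(rest, "relay"),
                                      "status": field(rest, "status"),
                                      "remote_reply": said.group(1) if said else None})
    return msgs


def classify(msgs, local_host=LOCAL_HOST, local_domains=LOCAL_DOMAINS):
    """Attach a verdict to every queue ID and link each local bounce to its trigger."""
    inbound_by_sender = {r["from"]: q for q, r in msgs.items() if r["client"]}
    for rec in msgs.values():
        if rec["client"] is None and rec["from"] == "" and \
                domain_of(rec["message_id"] or "") == local_host:
            # Null sender + Message-ID minted here = a DSN this server generated.
            d = rec["deliveries"][0] if rec["deliveries"] else {}
            rec["kind"] = "local-bounce"
            rec["bounce_target"] = d.get("to")
            rec["remote_reply"] = d.get("remote_reply")
            rec["triggered_by"] = inbound_by_sender.get(d.get("to"))
            # Our own bounce was refused: the return-path we were given was bad or forged.
            rec["backscatter"] = d.get("status") == "bounced"
        else:
            remote_client = bool(rec["client"]) and not rec["client"].startswith("localhost")
            rec["kind"] = "inbound" if rec["client"] else "local-submission"
            # True relaying: mail from a remote client handed on to a non-local domain.
            rec["relayed"] = remote_client and any(
                domain_of(d["to"]) not in local_domains and d["status"] == "sent"
                for d in rec["deliveries"])
    return msgs


if __name__ == "__main__":
    for qid, rec in classify(parse(SAMPLE_LOG)).items():
        print(qid, {k: v for k, v in rec.items() if k != "deliveries"})
```

Run against the excerpt, 1864324122 comes out as inbound with two recipients and nothing relayed, and 0AA16244F5 as a local bounce addressed to IIhBJUcUr@iris.seed.net.tw, triggered by 1864324122 and refused with a 550 by mx.seed.net.tw, which is exactly the backscatter pattern described in the reply. The same classifier applied to a full day's mail log gives a quick answer to "did I relay anything?" (any record with `relayed` true) and a count of bounces that never reached anyone.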