(I patched the domain to example.org for this posting)

2009/5/27 Carlos Williams <carlosw...@gmail.com>:
> So today I had another user ask me why he is getting an email stating
> the following:
>
> *************************************************************************
>
> -----Original Message-----
> From: Content-filter at example.org [mailto:postmas...@example.org]
> Sent: Tuesday, May 26, 2009 2:31 AM
> To: u...@example.org
> Subject: Considered UNSOLICITED BULK EMAIL, apparently from you
>
> A message from <u...@example.org> to:
> -> u...@example.org
>
> was considered unsolicited bulk e-mail (UBE).
>
> Our internal reference code for your message is 32327-14/D0TUWjRKayvy
>
> The message carried your return address, so it was either a genuine mail
> from you, or a sender address was faked and your e-mail address abused by
> third party, in which case we apologize for undesired notification.

That is probably it; a spamtrap somewhere (yours?) is incorrectly notifying your users that they sent something bad. The headers below seem a bit unclear and I can't really tell where the beginning of "here's part of the message that we rejected" is.

It sounds like someone is faking your user's address and using it to send spam; this is kind of hard to prevent, though SPF and DKIM attempt to address that issue. In this case it sounds like spam might be coming from diakiroda1.banki.hu, but using your user's address for the sender and recipient. Even though you know spam is coming from a particular domain or IP address, you don't have a meaningful return address to notify anyone, which is annoying.

> We do try to minimize backscatter for more prominent cases of UBE and for
> infected mail, but for less obvious cases of UBE some balance between losing
> genuine mail and sending undesired backscatter is sought, and there can be
> some collateral damage on both sides.
>
> First upstream SMTP client IP address: [193.225.225.19] diakiroda1.banki.hu
> According to a 'Received:' trace, the message originated at:
> [193.225.225.19],
> diakiroda1.banki.hu diakiroda1.banki.hu [193.225.225.19]
>
> Return-Path: <u...@example.org>
> Message-ID: <369381672084099.ohgqefvlvdcq...@diakiroda1.banki.hu>
> Subject: My new phone
>
> Delivery of the email was stopped!

I do note that that IP address is on one of the spamhaus block-lists:

http://www.spamhaus.org/query/bl?ip=193.225.225.19

If you were using spamhaus I believe it would have blocked the mail that triggered the spamtrap to send a false notification.

> Does the headers above indicate my Postfix is an open relay as it sits
> now? I don't want my server to be an open relay
> and users are becoming frustrated with these same emails sent to them
> when they know they're not initiating them.

It's unlikely you're an open relay, this looks more like regular abuse.
You need copies of the message from the spamtrap so you can see where they're coming from.
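
Added example, not part of the original thread and not code from amavisd or Postfix: Python that parses a content-filter notice like the one quoted above, builds the DNSBL query name for the upstream client IP, and flags the sender-equals-recipient pattern discussed in the reply. The function names, the `user@example.org` placeholder address and the choice of the `zen.spamhaus.org` zone are assumptions made for this example.

```python
import ipaddress
import re
import socket

# Constructed sample modelled on the quoted notice; user@example.org is a placeholder.
NOTICE = """\
A message from <user@example.org> to:
-> user@example.org
First upstream SMTP client IP address: [193.225.225.19] diakiroda1.banki.hu
Return-Path: <user@example.org>
"""

def parse_notice(text):
    """Extract the upstream client IP, envelope sender and recipients."""
    ip = re.search(r"First upstream SMTP client IP address: \[([0-9.]+)\]", text)
    sender = re.search(r"^Return-Path: <([^>]*)>", text, re.M)
    rcpts = re.findall(r"^-> ?<?([^>\s]+)>?", text, re.M)
    return {"client_ip": ip.group(1) if ip else None,
            "sender": sender.group(1) if sender else None,
            "recipients": rcpts}

def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """DNSBL query name: IPv4 octets reversed, followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dnsbl_listed(ip, resolver=socket.gethostbyname):
    """True if listed, False if not listed, None if the zone returned an error code."""
    try:
        answer = resolver(dnsbl_name(ip))
    except socket.gaierror:                # NXDOMAIN means "not listed"
        return False
    if answer.startswith("127.255.255."):  # Spamhaus error range, not a listing
        return None
    return answer.startswith("127.")

def self_addressed(info):
    """Sender identical to every recipient: the forged-sender pattern in this thread."""
    sender = (info["sender"] or "").lower()
    return bool(info["recipients"]) and all(
        r.lower() == sender for r in info["recipients"])

if __name__ == "__main__":
    info = parse_notice(NOTICE)
    print(info, dnsbl_name(info["client_ip"]), self_addressed(info))
```

`dnsbl_listed` takes the resolver as a parameter so the logic can be exercised offline; called with the default it performs a real DNS lookup, which Spamhaus answers with an error code when the query arrives through a large public resolver.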