Hi Noel,

Thank you for your help!

I have searched our log for the 9FE3785BA10 signature and found the beginning. Please see below.
I have searched the log for other similar signatures with "from=<>" and it seems each of those problematic e-mails starts with the two lines I have put at the beginning of my log excerpt below (those two lines have a different signature, though).

I am still, however, not sure what is causing this from=<>.
As far as I can understand, somebody is trying to send e-mails to the root account.
In addition, when I log in as root I get the "You have mail." message in the shell.
And I see that /root/Maildir/cur is pretty big in size.

In addition, in order to stop bounces I have commented out in /etc/postfix/master.cf
#bounce unix - - n - 0 bounce
I think our senders can live without non-delivery notifications.
Do you think this will help?

I am attaching at the end of this message some info which I think may be relevant.

Thank you in advance

================================================================
lines from the log related with 9FE3785BA10 signature
================================================================
...
Feb 7 10:58:53 uCpbx postfix/local[27212]: 9FE3785BA10: to=<r...@mail.bioidentic.com>, orig_to=<m...@bioidentic.com>, relay=local, delay=3.9, delays=1.8/0.01/0/2.1, dsn=5.2.0, status=bounced (can't create user output file. Command output: procmail: Couldn't create "/var/spool/mail/nobody" procmail: Couldn't chdir to "/root/Maildir" procmail: Couldn't read "// " procmail: Unable to treat as directory "/root/Maildir" procmail: Lock failure on "/root/Maildir.lock" procmail: Error while writing to "/root/Maildir" )
Feb 7 10:58:54 uCpbx postfix/local[27213]: 9FE3785BA10: to=<r...@mail.bioidentic.com>, orig_to=<postmas...@bioidentic.com>, relay=local, delay=5, delays=1.8/0.03/0/3.1, dsn=5.2.0, status=bounced (can't create user output file. Command output: procmail: Couldn't create "/var/spool/mail/nobody" procmail: Couldn't chdir to "/root/Maildir" procmail: Couldn't read "// " procmail: Unable to treat as directory "/root/Maildir" procmail: Lock failure on "/root/Maildir.lock" procmail: Error while writing to "/root/Maildir" )
Feb 7 10:58:54 uCpbx postfix/cleanup[27200]: :message-id=<20100207085854.c69bf85b...@mail.bioidentic.com>
Feb 7 10:58:54 uCpbx postfix/qmgr[3492]: C69BF85BF81: from=<>, size=10970, nrcpt=1 (queue active)
Feb 7 10:58:54 uCpbx postfix/bounce[27231]: 9FE3785BA10: sender non-delivery notification: C69BF85BF81
Feb 7 10:58:54 uCpbx postfix/qmgr[3492]: 9FE3785BA10: removed
...
Feb 7 10:59:24 uCpbx postfix/smtp[27233]: C69BF85BF81: to=<dogtoot...@dvb-brasil.org>, relay=none, delay=30, delays=0.01/0.01/30/0, dsn=4.4.1, status=deferred (connect to dvb-brasil.org[62.233.121.75]: Connection timed out)
...
Feb 7 11:23:28 uCpbx postfix/qmgr[3492]: C69BF85BF81: from=<>, size=10970, nrcpt=1 (queue active)
...
Feb 7 11:23:58 uCpbx postfix/smtp[28425]: C69BF85BF81: to=<dogtoot...@dvb-brasil.org>, relay=none, delay=1503, delays=1473/0.02/30/0, dsn=4.4.1, status=deferred (connect to dvb-brasil.org[62.233.121.75]: Connection timed out)
...
Feb 7 11:56:48 uCpbx postfix/qmgr[3492]: C69BF85BF81: from=<>, size=10970, nrcpt=1 (queue active)
...
Feb 7 17:13:28 uCpbx postfix/qmgr[3492]: C69BF85BF81: from=<>, size=10970, nrcpt=1 (queue active)

================================================================
Additional info which I think may be relevant to my issue.
================================================================
Do I need to send additional info so we understand what is going on?

1. I have /root/Maildir
[r...@ucpbx ~]# ls /root/Maildir/
cur new tmp

2. We run a CRM system on our server, and if I grep in the /var/www/html/crm folder
[r...@ucpbx crm]# grep root@ ./* -rs
./adodb/tests/test-active-record.php: $db = NewADOConnection('mysql://r...@localhost/northwind');
./adodb/tests/test-active-recs2.php: $db = NewADOConnection('mysql://r...@localhost/northwind');
./cron/class.phpmailer.php: var $From = "r...@localhost";
./modules/Emails/class.phpmailer.php: var $From = "r...@localhost";
This CRM is sending emails as soon as our stock gets low.

3. We also have joomla installed and in ./libraries/phpmailer/phpmailer.php there is
var $From = 'r...@localhost';

4. In our /etc/aliases we have the following line commented
#root: dpn_ucpbx
================================================================

On Wed, Feb 10, 2010 at 10:10 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 2/10/2010 12:51 PM, Dimitar Penev wrote:
>>
>> Hello All,
>>
>> I am not sure if this mailing list is the best place to ask this question.
>> If not please point me to the better one.
>>
>> I am running postfix based mailserver.
>> Few days ago however I have noticed that some of the emails I am
>> sending fall in the recipient spam filters.
>> I have discovered that my ISP IP range is in uceprotect-level3 list,
>> in addition I have found that my IP is listed in ips.backscatterer.org
>>
>> I don't have control of the ISP machines so I can not do much for the
>> first problem,
>> but at least I want to fix the backscatter issue.
>>
>> I have attached part of my mail log at the time suggested by
>> backscatterer.org
>> I indeed find the place where we see few "from=<>".
>> I see also short below that the recipient (I guess) mailservers
>> reject my mailserver with reason
>> "rejected due to spam or virus content" or "Your PROVIDER is
>> BLACKLISTED at UCEPROTECT-LEVEL 3"
>> I don't understand however who/how is sending those messages with
>> "from=<>".
>
> Search the mail log for the QUEUEID listed in the log for one particular
> message that looks like a bounce. That will help you trace one particular
> message. Some of these messages have been in your log for several days, so
> the original entry might be in a different log file.
>
> You can also search for log entries with "status=bounced".
>
>>
>> I have setup
>> local_recipient_maps = proxy:unix:passwd.byname $alias_maps
>> So I should get local recipient reject if the recipient name is not in
>> my alias_map or not and unix user
>
> Unless you have wildcards in virtual_alias_maps or *canonical_maps.
> Wildcards defeat recipient validation.
>
>>
>> Can someone help me interpreting the log below. Or can I make the log
>> more detailed?
>> Any suggestions will be appreciated!
>
> Not much interesting in the snippet below -- the good stuff is elsewhere in
> the file, or maybe in an older log file. Don't make the log more verbose,
> everything you need is logged already.
>
>> Feb 7 21:23:28 uCpbx postfix/qmgr[3492]: 6BBD885C2BA:
>> from=<apa...@mail.bioidentic.com>, size=1237, nrcpt=1 (queue active)
>
> Maybe you have an abused web form on your web server.
>
>> Feb 7 21:23:28 uCpbx postfix/qmgr[3492]: C69BF85BF81: from=<>,
>> size=10970, nrcpt=1 (queue active)
>
> This is probably a bounced message. Search the logs for prior occurrences of
> the QUEUEID, C69BF85BF81, to see where that message came from.
>
>> Feb 7 21:23:29 uCpbx postfix/smtpd[14183]: warning: support for
>> restriction "check_relay_domains" will be removed from Postfix; use
>> "reject_unauth_destination" instead
>
> That message seems pretty self-explanatory.
>
>> Feb 7 21:23:31 uCpbx postfix/smtp[14192]: 4A1FD85BA11:
>> to=<buckskinyf...@northscottsdalesoccerleague.com>,
>> relay=mailstore1.secures
>> erver.net[72.167.238.201]:25, delay=236635, delays=236632/0.06/3.1/0,
>> dsn=4.0.0, status=deferred (host mailstore1.secureserver.net[7
>> 2.167.238.201] refused to talk to me:
>> 554-p3pismtp01-006.prod.phx3.secureserver.net 554 Your access to this
>> mail system has been rej
>> ected due to spam or virus content. If you believe that this failure
>> is in error, please submit an unblock request at http://unbloc
>> k.secureserver.net)
>
>> Feb 7 21:23:31 uCpbx postfix/smtp[14195]: 5571885C34C:
>> to=<mn...@egiftplanet.com>,
>> relay=mail.egiftplanet.com[208.91.131.6]:25, del
>> ay=12844, delays=12841/0.13/1/2.4, dsn=5.0.0, status=bounced (host
>> mail.egiftplanet.com[208.91.131.6] said: 571 Your PROVIDER is BLA
>> CKLISTED at UCEPROTECT-LEVEL 3 - See:
>> http://www.uceprotect.net/rblcheck.php?ipr=77.70.97.103 (in reply to
>> RCPT TO command))
>
> These entries make it appear you have set soft_bounce=yes (remote replies
> with a 5xx "reject" response, but you treat it as a 4xx defer). Don't do
> that.
>
>
> If you need more help, see
> http://www.postfix.org/DEBUG_README.html#mail
>
> --
> Noel Jones
>
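
The QUEUEID trace suggested in the quoted reply, as an added example that is not part of the original thread: it links every from=<> queue ID to the message whose failed delivery produced it, using the "sender non-delivery notification" line that postfix/bounce logs under the original queue ID. The sample log, its addresses and queue IDs, and the name trace_bounces are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix syslog format (addresses and queue IDs are made up).
SAMPLE_LOG = """\
Feb 7 10:58:49 mx postfix/smtpd[27190]: 1A2B3C4D5E6: client=unknown[192.0.2.44]
Feb 7 10:58:50 mx postfix/qmgr[3492]: 1A2B3C4D5E6: from=<someone@forged.example>, size=9800, nrcpt=1 (queue active)
Feb 7 10:58:53 mx postfix/local[27212]: 1A2B3C4D5E6: to=<root@mx.example.com>, orig_to=<postmaster@example.com>, relay=local, delay=3.9, dsn=5.2.0, status=bounced (can't create user output file)
Feb 7 10:58:54 mx postfix/qmgr[3492]: 6F7E8D9C0B1: from=<>, size=10970, nrcpt=1 (queue active)
Feb 7 10:58:54 mx postfix/bounce[27231]: 1A2B3C4D5E6: sender non-delivery notification: 6F7E8D9C0B1
Feb 7 10:58:54 mx postfix/qmgr[3492]: 1A2B3C4D5E6: removed
Feb 7 10:59:24 mx postfix/smtp[27233]: 6F7E8D9C0B1: to=<someone@forged.example>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect to forged.example[198.51.100.7]: Connection timed out)
"""

LINE = re.compile(r"postfix/(?P<svc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
NDN = re.compile(r"sender non-delivery notification: (?P<child>[0-9A-F]+)")
FIELD = re.compile(r"(\w+)=<([^>]*)>")       # from=<...>, to=<...>, orig_to=<...>
STATUS = re.compile(r"status=(\w+)")

def trace_bounces(log_text):
    """Map each null-sender (from=<>) queue ID back to the message that caused it."""
    by_qid = defaultdict(dict)   # queue ID -> facts gathered from its log lines
    parent_of = {}               # bounce queue ID -> original queue ID
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, svc, rest = m["qid"], m["svc"], m["rest"]
        info = by_qid[qid]
        ndn = NDN.search(rest)
        if svc == "bounce" and ndn:
            parent_of[ndn["child"]] = qid
        if svc == "smtpd" and rest.startswith("client="):
            info["client"] = rest[len("client="):]   # where the original came in
        for key, val in FIELD.findall(rest):
            info.setdefault(key, val)                # keep the first value seen
        st = STATUS.search(rest)
        if st:
            info["status"] = st[1]
    report = []
    for child, parent in parent_of.items():
        if by_qid[child].get("from") == "":          # only null-sender bounces
            p = by_qid[parent]
            report.append({"bounce": child, "bounce_to": by_qid[child].get("to"),
                           "origin": parent, "client": p.get("client"),
                           "env_from": p.get("from"), "origin_status": p.get("status"),
                           "rcpt": p.get("orig_to") or p.get("to")})
    return report
```

Run over all rotated log files together, since the original entry for an old bounce may sit in an earlier file than the from=<> line.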