Hello, I have a working setup with a dedicated inbound MX which delivers via transport to a Postfix / Dovecot backend server. I found some mail, probably with a forged "Delivered-To" header, that makes the backend bounce with "mail forwarding loop".
Here is the log of the backend:

Feb 25 05:19:37 mut-mx-1 postfix/smtpd[9860]: connect from mail-in-1.numeezy.com[188.165.154.163]
Feb 25 05:19:38 mut-mx-1 postfix/smtpd[9860]: 0B34B4400A0: client=mail-in-1.numeezy.com[188.165.154.163]
Feb 25 05:19:38 mut-mx-1 postfix/cleanup[9864]: 0B34B4400A0: message-id=<ofrfeclgtctkpalthwjctaefxrwyp_mrwifpb_qyhswspshayisgy...@mydomain.com>
Feb 25 05:19:38 mut-mx-1 postfix/qmgr[24187]: 0B34B4400A0: from=<accu...@mtnl.net.in>, size=52696, nrcpt=1 (queue active)
Feb 25 05:19:38 mut-mx-1 postfix/smtpd[9860]: disconnect from mail-in-1.numeezy.com[188.165.154.163]
Feb 25 05:19:39 mut-mx-1 postfix/smtpd[9894]: connect from localhost[127.0.0.1]
Feb 25 05:19:39 mut-mx-1 postfix/smtpd[9894]: 01DCB4400A2: client=localhost[127.0.0.1]
Feb 25 05:19:39 mut-mx-1 postfix/cleanup[9864]: 01DCB4400A2: message-id=<ofrfeclgtctkpalthwjctaefxrwyp_mrwifpb_qyhswspshayisgy...@mydomain.com>
Feb 25 05:19:39 mut-mx-1 postfix/smtpd[9894]: disconnect from localhost[127.0.0.1]
Feb 25 05:19:39 mut-mx-1 postfix/qmgr[24187]: 01DCB4400A2: from=<accu...@mtnl.net.in>, size=52912, nrcpt=1 (queue active)
Feb 25 05:19:39 mut-mx-1 amavis[8589]: (08589-03) Passed CLEAN {RelayedInbound}, [188.165.154.163]:54450 [182.56.200.64] <accu...@mtnl.net.in> -> <accu...@mydomain.com>, Queue-ID: 0B34B4400A0, Message-ID: <ofrfeclgtctkpalthwjctaefxrwyp_mrwifpb_qyhswspshayisgy...@mydomain.com>, mail_id: l5DBpkJG4N6C, Hits: 2.87, size: 52695, pt: 9, queued_as: 01DCB4400A2, 966 ms
Feb 25 05:19:39 mut-mx-1 postfix/smtp[9865]: 0B34B4400A0: to=<accu...@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.1, delays=0.17/0/0/0.97, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 01DCB4400A2)
Feb 25 05:19:39 mut-mx-1 postfix/qmgr[24187]: 0B34B4400A0: removed
Feb 25 05:19:39 mut-mx-1 postfix/pipe[9895]: 01DCB4400A2: to=<accu...@mydomain.com>, relay=dovecot, delay=0.04, delays=0.02/0.01/0/0.02, dsn=5.4.6, status=bounced (mail forwarding loop for accu...@mydomain.com)
Feb 25 05:19:39 mut-mx-1 postfix/cleanup[9897]: 0E3E04400A0: message-id=<20140225041939.0e3e0440...@mail.numeezy.com>
Feb 25 05:19:39 mut-mx-1 postfix/qmgr[24187]: 0E3E04400A0: from=<>, size=3486, nrcpt=1 (queue active)
Feb 25 05:19:39 mut-mx-1 postfix/bounce[9896]: 01DCB4400A2: sender non-delivery notification: 0E3E04400A0
Feb 25 05:19:39 mut-mx-1 postfix/qmgr[24187]: 01DCB4400A2: removed
Feb 25 05:19:39 mut-mx-1 postfix/smtp[9898]: 0E3E04400A0: to=<accu...@mtnl.net.in>, relay=37.59.203.171[37.59.203.171]:8025, delay=0.15, delays=0.03/0.01/0.02/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 19D241A73BE)
Feb 25 05:19:39 mut-mx-1 postfix/qmgr[24187]: 0E3E04400A0: removed

I found 5 similar mails in my logs. Each mail is sent from a different IP, but each time the first part of the sender email is the same as the recipient's (from=<accu...@mtnl.net.in> to <accu...@mydomain.com> in my example). I don't know if that matters, but it smells like spam to me, although Amavis says it's clean.

I think I'm in the case discussed here: http://forum.spamcop.net/forums/lofiversion/index.php/t10734.html

Do you think I can be a backscatter source?

Your advice is greatly appreciated.

Thanks.
Alexandre
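Added example, not part of the original post: a Python check that correlates the three log events seen above (a dsn=5.4.6 loop bounce, the non-delivery notification generated for it, and that notification being sent to a non-local address) to list possible backscatter. The sample lines are constructed, and the function name and the `local_domains` parameter are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the same Postfix log format; hosts, queue IDs and
# addresses are invented for this example.
SAMPLE_LOG = """\
Feb 25 05:19:39 mx postfix/pipe[101]: 1A2B3C4D5E6: to=<bob@example.com>, relay=dovecot, dsn=5.4.6, status=bounced (mail forwarding loop for bob@example.com)
Feb 25 05:19:39 mx postfix/qmgr[55]: 6F7A8B9C0D1: from=<>, size=3486, nrcpt=1 (queue active)
Feb 25 05:19:39 mx postfix/bounce[102]: 1A2B3C4D5E6: sender non-delivery notification: 6F7A8B9C0D1
Feb 25 05:19:39 mx postfix/smtp[103]: 6F7A8B9C0D1: to=<bob@sender.example.net>, relay=192.0.2.25[192.0.2.25]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Feb 25 06:00:01 mx postfix/pipe[104]: 2B3C4D5E6F7: to=<amy@example.com>, relay=dovecot, dsn=2.0.0, status=sent (delivered via dovecot service)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
TO = re.compile(r"to=<([^>]*)>")
NDR = re.compile(r"sender non-delivery notification: ([0-9A-F]+)")

def find_loop_backscatter(log_text, local_domains):
    """Return (orig_qid, looped_rcpt, ndr_qid, ndr_dest) for each loop bounce
    whose notification was sent to an address outside local_domains."""
    looped = {}                   # queue ID -> recipient that hit the loop check
    ndr_of = {}                   # NDR queue ID -> queue ID of the bounced mail
    ndr_sent = defaultdict(list)  # queue ID -> addresses it was sent to via smtp
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        svc, qid, rest = m.groups()
        to = TO.search(rest)
        if "dsn=5.4.6" in rest and "status=bounced" in rest and to:
            looped[qid] = to.group(1)
        elif svc == "bounce" and (n := NDR.search(rest)):
            ndr_of[n.group(1)] = qid
        elif svc == "smtp" and "status=sent" in rest and to:
            ndr_sent[qid].append(to.group(1))
    findings = []
    for ndr_qid, orig_qid in ndr_of.items():
        if orig_qid not in looped:
            continue  # bounce had another cause; out of scope for this check
        for dest in ndr_sent.get(ndr_qid, []):
            if dest.rpartition("@")[2].lower() not in local_domains:
                findings.append((orig_qid, looped[orig_qid], ndr_qid, dest))
    return findings

if __name__ == "__main__":
    for finding in find_loop_backscatter(SAMPLE_LOG, {"example.com"}):
        print("possible backscatter:", finding)
```

Each finding is a notification that left the server for an envelope sender the server never verified, which is the condition the backscatter question turns on.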