On 1/24/2017 9:32 AM, Mark Van Crombrugge wrote: > Hi, > > > > We use Postfix - Dovecot ā Sympa ā spamassassin ā clamav on an > Ubuntu 14.04 server. > > Last week we sent out a message to a Sympa mailing list and one of > the e-mail addresses was in Costa-Rica. (@ucr.ac.cr) > > Since then we keep receiving an e-mail from their Cisco Iron Port > system about every 10 seconds and we are unable to stop it, even > after installing spamassassin and clamav. >
You can't block the sender; this is a bounce and uses the empty sender address <>. Don't block bounces! Add the client IP to your blocklist, or to your firewall. -- Noel Jones > > > This is the message: > > - - quote - - - - - - - > > From: SYMPA <sy...@sympa.iode.org> > > To: Listmaster listmas...@sympa.iode.org > <mailto:listmas...@sympa.iode.org> > > Subject: Listmaster: internal server error. > > > > User "Iron Port Bounce Messages" <ironp...@ucr.ac.cr > <mailto:ironp...@ucr.ac.cr>> has encountered an > > internal server error > > (message diffusion - MSG_ID: <c4992b$cf...@ironportvirtual.ucr.ac.cr > <mailto:c4992b$cf...@ironportvirtual.ucr.ac.cr>> - LIST: > > oceandocscommun...@sympa.iode.org > <mailto:oceandocscommun...@sympa.iode.org>): > > > > Impossible to forward a message to oceandocscommunity-owner : > undefined in > > this list > > > > See the logs for more details. > > - - unquote - - - - - - - > > > > > > > > This it the original message as it gets stopped by the mailing list > server because the sender is not a list member. > > At this point I receive the above e-mail. > > In the e-mail details below, I can find that the message is sent by > ironp...@ucr.ac.cr <mailto:ironp...@ucr.ac.cr> but even adding this > e-mail address to the Postfix blacklist has no effect. > > > > This is new to me so any advise about what Iām doing wrong and how > to stop this is very welcome. > > > > Have a nice weekend, > > Mark > > > > > > - - quote - - - - > > root@mail:/home/sympa/spool/msg# more > oceandocscommunity-ow...@sympa.iode.org.1484660591.438 > > X-Sympa-To: oceandocscommunity-ow...@sympa.iode.org > > Return-Path: <MAILER-DAEMON> > > Received: from localhost (localhost [127.0.0.1]) > > by mail.iode.org (Postfix) with ESMTP id F04F71CAB > > for > <oceandocscommunity-owner+sympa.iode.org@sympalist>; Tue, 17 Jan > 2017 14:43:11 +0100 (CET) > > X-Virus-Scanned: Debian amavisd-new at mail.iode.org > > Received: from mail.iode.org ([127.0.0.1]) > > by localhost (mail.iode.org [127.0.0.1]) > (amavisd-new, port 10024) > > with ESMTP id 40K8jY3dGAFm > > for <oceandocscommunity-owner+sympa.iode.org@sympalist>; > > Tue, 17 Jan 2017 14:43:02 +0100 (CET) > > Received: from relay.vliz.be (unknown [192.168.5.217]) > > by mail.iode.org (Postfix) with ESMTPS id 026047C0B > > for <oceandocscommunity-ow...@sympa.iode.org>; Tue, > 17 Jan 2017 14:42:57 +0100 (CET) > > X-ASG-Debug-ID: 1484660575-0ab9595f3b144d50001-JGkER2 > > Received: from litio.ucr.ac.cr (litio.ucr.ac.cr [163.178.174.20]) by > relay.vliz.be with ESMTP id 4HXbovzmQeqq83KP (version=TLSv1.2 > cipher=RC4-SHA bits=128 veri > > fy=NO) for <oceandocscommunity-ow...@sympa.iode.org>; Tue, 17 Jan > 2017 14:42:58 +0100 (CET) > > X-Barracuda-Envelope-From: > > X-Barracuda-Effective-Source-IP: litio.ucr.ac.cr[163.178.174.20] > > X-Barracuda-Apparent-Source-IP: 163.178.174.20 > > Received: from localhost by litio.ucr.ac.cr; > > 17 Jan 2017 07:42:58 -0600 > > Message-Id: <c4992b$cq...@ironportvirtual.ucr.ac.cr> > > Date: 17 Jan 2017 07:42:58 -0600 > > To: oceandocscommunity-ow...@sympa.iode.org > > From: "Iron Port Bounce Messages" <ironp...@ucr.ac.cr> > > Subject: Delivery Status Notification (Failure) > > MIME-Version: 1.0 > > X-ASG-Orig-Subj: Delivery Status Notification (Failure) > > Content-Type: multipart/report; report-type=delivery-status; > boundary="pMHD.5HafwOhEa.5lmdOk+/TUE.COVHwLW" > > X-Barracuda-Connect: litio.ucr.ac.cr[163.178.174.20] > > X-Barracuda-Start-Time: 1484660577 > > X-Barracuda-Encrypted: RC4-SHA > > X-Barracuda-URL: https://relay.vliz.be:443/cgi-mod/mark.cgi > > X-Barracuda-Scan-Msg-Size: 230 > > X-Virus-Scanned: by bsmtpd at vliz.be > > X-Barracuda-BRTS-Status: 1 > > X-Barracuda-Spam-Score: 0.20 > > X-Barracuda-Spam-Status: No, SCORE=0.20 using global scores of > TAG_LEVEL=3.0 QUARANTINE_LEVEL=4.0 KILL_LEVEL=5.0 > tests=ANY_BOUNCE_MESSAGE, BOUNCE_MESSAGE, BSF_ > > SC0_SA590, EMPTY_ENV_FROM > > X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.35864 > > Rule breakdown below > > pts rule name description > > ---- ---------------------- > -------------------------------------------------- > > 0.00 EMPTY_ENV_FROM Empty Envelope From Address > > 0.20 BSF_SC0_SA590 Custom Rule SA590 > > 0.00 BOUNCE_MESSAGE MTA bounce message > > 0.00 ANY_BOUNCE_MESSAGE Message is some kind of > bounce message > > > > --pMHD.5HafwOhEa.5lmdOk+/TUE.COVHwLW > > content-type: text/plain; > > charset="utf-8" > > Content-Transfer-Encoding: quoted-printable > > > > The following message to <ironp...@ucr.ac.cr> was undeliverable. > > The reason for the problem: > > 5.1.0 - Unknown address error 550-'5.1.1 <ironp...@ucr.ac.cr>: > Recipient ad= > > dress rejected: User unknown in virtual mailbox table' > > > > --pMHD.5HafwOhEa.5lmdOk+/TUE.COVHwLW > > content-type: message/delivery-status > > > > Reporting-MTA: dns; litio.ucr.ac.cr > > > > Final-Recipient: rfc822;ironp...@ucr.ac.cr > > Action: failed > > Status: 5.0.0 (permanent failure) > > Remote-MTA: dns; [163.178.163.178] > > Diagnostic-Code: smtp; 5.1.0 - Unknown address error 550-'5.1.1 > <ironp...@ucr.ac.cr>: Recipient address rejected: User unknown in > virtual mailbox table' (deliv > > ery attempts: 0) > > > > --pMHD.5HafwOhEa.5lmdOk+/TUE.COVHwLW > > content-type: message/rfc822 > > > > IronPort-PHdr: > =?us-ascii?q?9a23=3ABBkzixKmSHBBlHKHbdmcpTZWNBhigK39O0sv0rFi?= > > =?us-ascii?q?tYgRLP3xwZ3uMQTl6Ol3ixeRBMOAuq4C0LWd7/2ocFdDyK7JiGoFfp1IWk1Nou?= > > =?us-ascii?q?QttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXdrXKo8DEdBAj0OxZr?= > > =?us-ascii?q?KeTpAI7SiNm82/yv95HJbQhFgDWwbal8IRi0ogncuckbipZ+J6gszRfEvmFGcP?= > > =?us-ascii?q?lMy2NyIlKTkRf85sOu85Nm7i9dpfEv+dNeXKvjZ6g3QqBWAzogM2Au+c3krgLD?= > > =?us-ascii?q?QheV5nsdSWoZjBxFCBXY4R7gX5fxtiz6tvdh2CSfIMb7Q6w4VSik4qx2UxLjlj?= > > =?us-ascii?q?sJOCAl/2HWksxwjbxUoBS9pxxk3oXYZJiZOOdicq/BeN8XQ3dKUMRMWCxbGo6y?= > > =?us-ascii?q?bIUBAOUBM+hGsofyu1QAoxylCAmpB+7i0CVFi2Xq0aEk1ekqDAHI3BYnH9ILqH?= > > =?us-ascii?q?nasdf6OqAIX+2p0aLFyi7DbvNT2Tfl8ofFaQshoPGJXbJoa8Xd00gvFwTYgVqO?= > > =?us-ascii?q?s4DlOCmV1usUvmWd8uFuVvqvhnY6pwx1rDWj3Nogh43Uio4P11zJ+yp0zJwxKN?= > > =?us-ascii?q?C+VUV1e8SrEIFKuCGfL4Z2Qt0tQ2VvuCsiz70Jo5+7fCwQxJQmwB7QduKIf5KP?= > > =?us-ascii?q?4hL5W+adOTZ4hHR7d7Kjnxu+7Eytx+PmWsWp1FtGszBJnsTCu30CzRDe7tCLSv?= > > =?us-ascii?q?5n8Ueg3TaP2RrT6uZBIU0skqrUN4AuzaQ2lpUOtkTMAjT2l1nxjK+Tc0Uk5+6o?= > > =?us-ascii?q?6+X7YrTmv5OcMIF1igfgPaQ0gcG/GuQ5Mg0WX2eB4+i81brj8lDnT7lQif02iK?= > > =?us-ascii?q?bZvIjAJcsHvq65HxNV0oE75ha+FTem19IYnWEALFJfZBKKlJXpNE3UIPziF/iw?= > > =?us-ascii?q?n06gnytxx6OOArq0SLTXKX6LqLD7Yf5X7FNawwd76N1E/JtbB6pLaKbyQEj3rN?= > > =?us-ascii?q?vCEjckOBbyyu2hA88rha0EXmfaOZ68CIqa5USZ4/omC/KdYZcc/jf6J/Vj4OTh?= > > =?us-ascii?q?2yxq0WQBdLWkiMNEIEuzGe5rdgDAOSLh?= > > X-IronPort-Anti-Spam-Filtered: true > > X-IronPort-Anti-Spam-Result: > =?us-ascii?q?A0GuIgBOE35YlwmGv8FdDg4BAQQBAQoBA?= > > =?us-ascii?q?RcBAQQBAQoBAYMOAQEBAQGCB4MDTpwAiFCMfIpBSA8BAQEBAQEBAQEBAQIQAQE?= > > =?us-ascii?q?BAQEIFghNQhIBgV4bAYJEDwGBFQ4CIQ0xE4kHnx6QAYIhBIo/hkSCC4cGCYMcg?= > > =?us-ascii?q?l4FiHMYh16KPRQbgTCBBY8PG4FchQ6JaJJsSQKBXgiELoIDPD01hVlRgi4BAQE?= > > X-IPAS-Result: > =?us-ascii?q?A0GuIgBOE35YlwmGv8FdDg4BAQQBAQoBARcBAQQBAQoBAYM?= > > =?us-ascii?q?OAQEBAQGCB4MDTpwAiFCMfIpBSA8BAQEBAQEBAQEBAQIQAQEBAQEIFghNQhIBg?= > > =?us-ascii?q?V4bAYJEDwGBFQ4CIQ0xE4kHnx6QAYIhBIo/hkSCC4cGCYMcgl4FiHMYh16KPRQ?= > > =?us-ascii?q?bgTCBBY8PG4FchQ6JaJJsSQKBXgiELoIDPD01hVlRgi4BAQE?= > > X-IronPort-AV: E=Sophos;i="5.33,244,1477980000"; > > d="scan'208";a="13460557" > > Received: from mail.iode.org ([193.191.134.9]) > > by litio.ucr.ac.cr with ESMTP; 17 Jan 2017 07:42:55 -0600 > > Received: by mail.iode.org (Postfix, from userid 1001) > > id B109A20F3; Tue, 17 Jan 2017 14:42:49 +0100 (CET) > > Message-Id: <sympa.1484660569.32128....@sympa.iode.org> > > Date: Tue, 17 Jan 2017 14:42:49 +0100 > > MIME-Version: 1.0 > > Auto-Submitted: auto-replied > > From: SYMPA <sy...@sympa.iode.org> > > To: "Iron Port Bounce Messages" <ironp...@ucr.ac.cr> > > Subject: Message distribution: Internal server error > > Content-Type: multipart/mixed; > boundary="----------=_<sympa.1484660569.32128...@sympa.iode.org>" > > Content-Transfer-Encoding: 8bit > > X-Mailer: Sympa 6.1.19 > > > > --pMHD.5HafwOhEa.5lmdOk+/TUE.COVHwLW-- > > - - unquote - - - - > > > > >
