Are you sure it's even caused by the user sending mail?

Keep in mind that spammers use tools to generate their email so that they
fake the headers to look like "bob" sent the email, when bob (and your
mail server) had nothing to do with it.  However, once that email goes to
a bad address in the spammer's database, it will bounce to whoever the
forged sender is (bob in this case).

Do they ever get multiple bounces at once?  That's usually a clear sign
that their email address was used as the "from:" for an entire run of
spam.

Aaron


[EMAIL PROTECTED] said:
> We are running qmail-1.03 on RH7.3 with vpopmail-5.2.1 and
> qmail-scanner-1.25. We have an odd problem. It seems that sometimes when
> a user sends a mail with a Cc: to himself (and it may also be the To:,
> but we don't have any examples), that user sometimes gets a bounce from
> our qmail server for an address that the user didn't specify. For
> example, let's say that user A sends this email:
>
> From: bob
> To: sam
> Cc: bob
>
> (I did a lot of copy&pasting to ensure I provided a lot of detail. So
> please scroll all the way down, thanks!)
>
> And as a note, the "unintended" recipient will be named
> "[EMAIL PROTECTED]". The unintended recipient appears random though.
> Sometimes it may be [EMAIL PROTECTED], etc. The addresses look
> like fake spammer addresses to me.
>
> Then every once in a while bob will get this bounce:
>
> ...
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 10, 2005 2:26 AM
> To: [EMAIL PROTECTED]
> Subject: failure notice
>
>
> Hi. This is the qmail-send program at server.mydomain.com. I'm
> afraid I wasn't able to deliver your message to the following addresses.
> This is a permanent error; I've given up. Sorry it didn't work out.
>
> <[EMAIL PROTECTED]>:
> 64.97.131.1 does not like recipient.
> Remote host said: 550 RCPT TO:<[EMAIL PROTECTED]> User unknown Giving
> up on 64.97.131.1.
>
> --- Below this line is a copy of the message.
> Return-Path: <[EMAIL PROTECTED]>
> Received: (qmail 15860 invoked by uid 508); 10 Aug 2005 09:26:25 -0000
> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 15857 invoked by uid 532); 10 Aug 2005 09:26:25 -0000
> Received: from 66.60.130.50 by server.mydomain.com
> (envelope-from <[EMAIL PROTECTED]>, uid 501) with
> qmail-scanner-1.25
> (clamdscan: 0.84/1010. spamassassin: 2.64.
> Clear:RC:0(66.60.130.50):SA:0(5.8/6.3):.
> Processed in 3.417484 secs); 10 Aug 2005 09:26:25 -0000
> X-Spam-Status: No, hits=5.8 required=6.3
> X-Spam-Level: +++++
> Received: from unknown (HELO smtp1.mc.surewest.net) (66.60.130.50)
> by my.ip.ad.rr with SMTP; 10 Aug 2005 09:26:21 -0000
> Received: (s3-8911); Wed, 10 Aug 2005 02:29:24 -0700
> Received: from unknown (65.78.187.126)
> by smtp1.mc.surewest.net (s3-smtpd/0.90-beta3) with SMTP; Wed, 10 Aug
> 2005 02:29:22 -0700
> From: "Bob" <[EMAIL PROTECTED]>
> To: "'Sam'" <[EMAIL PROTECTED]>
> Cc: "Bob" <[EMAIL PROTECTED]>
> Subject: RE: How do you mark a call as an EDU?
> Date: Wed, 10 Aug 2005 02:29:35 -0700
> Message-ID: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----=_NextPart_000_001D_01C59D53.59DFE920"
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook, Build 10.0.2627
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> In-Reply-To:
> X-TST: smtp1 SNWK3 0.31-80 ip=65.78.187.126
>
> This is a multi-part message in MIME format.
> ...
>
> Now, here is our smtpd log for [EMAIL PROTECTED]:
>
> /var/log/qmail/smtpd/:
>
> [EMAIL PROTECTED] /var/log/qmail/smtpd]# grep -i [EMAIL PROTECTED] * |
> tai64nlocal
> 2005-08-10 05:43:31.066396500.s:@4000000042f9c8300dbc70fc info msg
> 1540461: bytes 3566 from <[EMAIL PROTECTED]> qp 15536 uid 532
> 2005-08-10 05:43:31.066396500.s:@4000000042f9c83012eb028c starting
> delivery 27931: msg 1540532 to remote [EMAIL PROTECTED]
> 2005-08-10 05:43:31.066396500.s:@4000000042f9c8320f4f7cac starting
> delivery 27935: msg 1540532 to remote [EMAIL PROTECTED]
> 2005-08-10 05:43:31.066396500.s:@4000000042f9c837008fb31c delivery
> 27931: failure:
> 64.97.131.1_does_not_like_recipient./Remote_host_said:_550_RCPT_TO:<[EMAIL 
> PROTECTED]>_User_unknown/Giving_up_on_64.97.131.1./
> 2005-08-10 05:43:31.066396500.s:@4000000042f9c83736b04074 delivery
> 27935: failure:
> 64.97.131.1_does_not_like_recipient./Remote_host_said:_550_RCPT_TO:<[EMAIL 
> PROTECTED]>_User_unknown/Giving_up_on_64.97.131.1./
>
> And the send log:
>
> [EMAIL PROTECTED] send]# grep -i '[EMAIL PROTECTED]' * | tai64nlocal
> 2005-08-10 05:43:31.066396500.s:@4000000042f9c8300dbc70fc info msg
> 1540461: bytes 3566 from <[EMAIL PROTECTED]> qp 15536 uid 532
> 2005-08-10 05:43:31.066396500.s:@4000000042f9c83012eb028c starting
> delivery 27931: msg 1540532 to remote [EMAIL PROTECTED]
> 2005-08-10 05:43:31.066396500.s:@4000000042f9c8320f4f7cac starting
> delivery 27935: msg 1540532 to remote [EMAIL PROTECTED]
> 2005-08-10 05:43:31.066396500.s:@4000000042f9c837008fb31c delivery
> 27931: failure:
> 64.97.131.1_does_not_like_recipient./Remote_host_said:_550_RCPT_TO:<[EMAIL 
> PROTECTED]>_User_unknown/Giving_up_on_64.97.131.1./
> 2005-08-10 05:43:31.066396500.s:@4000000042f9c83736b04074 delivery
> 27935: failure:
> 64.97.131.1_does_not_like_recipient./Remote_host_said:_550_RCPT_TO:<[EMAIL 
> PROTECTED]>_User_unknown/Giving_up_on_64.97.131.1./
>
> Now, there was a [EMAIL PROTECTED] that we got mail from at some point:
>
> [EMAIL PROTECTED] qmailscan]# grep -i [EMAIL PROTECTED] qmail-queue.log.1
> Wed, 10 Aug 2005 04:25:54 CDT:15498: g_e_h: return-path is
> "[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]"
> Wed, 10 Aug 2005 04:25:54 CDT:15498: from="Mai Copeland"
> <[EMAIL PROTECTED]>,subj=If a relaxing moment turns into the right
> moment!,
> x-qmail-scanner-message-id=<[EMAIL PROTECTED]>
> via SMTP from 24.42.69.76
> Wed, 10 Aug 2005 04:25:58 CDT:15498: qmail-scanner:
> Clear:RC:0(24.42.69.76):SA:1(9.9/6.3):      4.798779        3145
> [EMAIL PROTECTED]    [EMAIL PROTECTED]      If a relaxing moment
> turns into the right moment!
> <[EMAIL PROTECTED]>
> 1123665954.15509-0.server.mydomain.com:312
> 1123665954.15509-1.server.mydomain.com:1948
> orig-server.mydomain.com112366595349315498:3145
>
> So what's happening here? I can't quite figure it out. It's like qmail
> or qmail-scanner or SOMETHING is trying to deliver mail to a recip that
> it knew about for a previous email.
>
> There are two mails in qmailscan/archives/ relating to this particular
> email, one for Bob and one for Sam.
>
>
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle
> Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> Qmail-scanner-general mailing list
> Qmail-scanner-general@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
>
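
Aaron's first question (did the user actually send it?) can be answered from the bounce itself: qmail-send appends a copy of the original message after the "--- Below this line is a copy of the message." marker, and the Received chain in that copy shows where the message entered the server. The script below is an added example, not code from this thread or from the qmail or qmail-scanner projects. It assumes the server is called mail.example.com, uses documentation IP ranges (192.0.2.0/24 as the trusted office network, 203.0.113.50 as an outside relay), and builds a constructed failure notice in the same shape as the one quoted above. It finds the oldest Received hop stamped by one of your own hostnames, pulls the peer IP from it, and reports whether the message was injected locally, came in from a trusted network, came in from an external relay, or was never handled by your hosts at all (the backscatter case Aaron describes).

```python
import email
import ipaddress
import re

# Separator qmail-send puts between its failure notice and the copied message
COPY_MARKER = "--- Below this line is a copy of the message."
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
UID_RE = re.compile(r"\(qmail \d+ invoked by uid (\d+)\)")
FROM_BY_RE = re.compile(r"^from (?P<frm>.*?) by (?P<by>[^\s;(]+)", re.I)


def extract_copy(bounce_text):
    """Return the copied original message from a qmail-send failure notice."""
    _notice, sep, copy = bounce_text.partition(COPY_MARKER)
    if not sep:
        raise ValueError("not a qmail failure notice: copy marker missing")
    return copy.lstrip("\r\n")


def received_hops(raw_message):
    """Received headers newest first, with folding whitespace collapsed."""
    msg = email.message_from_string(raw_message)
    return [" ".join(value.split()) for value in msg.get_all("Received", [])]


def entry_hop(hops, our_hosts):
    """Oldest 'from X by <one of our hosts>' hop, i.e. where the message
    entered us. Returns (from-clause, last IPv4 literal in it) or (None, None)."""
    ours = {h.lower() for h in our_hosts}
    for hop in reversed(hops):
        m = FROM_BY_RE.match(hop)
        if m and m.group("by").lower() in ours:
            ips = IPV4_RE.findall(m.group("frm"))
            return m.group("frm"), (ips[-1] if ips else None)
    return None, None


def classify_origin(bounce_text, our_hosts, trusted_nets):
    """Say how the bounced message reached our server: injected locally,
    received from a trusted network, received from an external relay, or
    never stamped by our hosts at all (a bounce for mail we never handled)."""
    hops = received_hops(extract_copy(bounce_text))
    frm, ip = entry_hop(hops, our_hosts)
    if frm is None:
        # Assumption: a uid-stamped oldest hop was written by our own qmail,
        # i.e. the message was injected on this box rather than via SMTP.
        m = UID_RE.search(hops[-1]) if hops else None
        if m:
            return {"origin": "local-injection", "ip": None, "uid": m.group(1)}
        return {"origin": "never-seen-here", "ip": None, "uid": None}
    if ip is None:
        return {"origin": "unknown-peer", "ip": None, "peer": frm}
    addr = ipaddress.ip_address(ip)
    inside = any(addr in ipaddress.ip_network(n) for n in trusted_nets)
    return {"origin": "trusted-network" if inside else "external-relay",
            "ip": ip, "peer": frm}


# --- constructed sample data (documentation addresses, not from the thread) ---
NOTICE = """Hi. This is the qmail-send program at mail.example.com. I'm
afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<nobody@example.net>:
198.51.100.9 does not like recipient.
Remote host said: 550 RCPT TO:<nobody@example.net> User unknown

"""
TAIL = """From: "Bob" <bob@example.com>
To: "Sam" <sam@example.net>
Cc: "Bob" <bob@example.com>
Subject: RE: test

body
"""


def sample_bounce(peer_ip=None):
    """Build a constructed failure notice. With peer_ip, the copied message was
    received over SMTP from that IP and re-injected by qmail-scanner; without
    it, the message was injected locally with qmail-inject."""
    if peer_ip is None:
        hops = "Received: (qmail 2001 invoked by uid 501); 10 Aug 2005 09:00:00 -0000\n"
    else:
        hops = (
            "Received: (qmail 15860 invoked by uid 508); 10 Aug 2005 09:26:25 -0000\n"
            f"Received: from {peer_ip} by mail.example.com\n"
            "  (envelope-from <bob@example.com>, uid 501) with qmail-scanner-1.25\n"
            f"  (clamdscan: 0.84/1010. spamassassin: 2.64. Clear:RC:0({peer_ip}):SA:0(5.8/6.3):.\n"
            "  Processed in 3.4 secs); 10 Aug 2005 09:26:25 -0000\n"
            f"Received: from unknown (HELO smtp1.isp.example) ({peer_ip})\n"
            "  by mail.example.com with SMTP; 10 Aug 2005 09:26:21 -0000\n"
            "Received: from unknown (198.51.100.7)\n"
            "  by smtp1.isp.example with SMTP; Wed, 10 Aug 2005 02:29:22 -0700\n"
        )
    return NOTICE + COPY_MARKER + "\nReturn-Path: <bob@example.com>\n" + hops + TAIL


if __name__ == "__main__":
    for ip in ("203.0.113.50", "192.0.2.10", None):
        print(ip, classify_origin(sample_bounce(ip), ["mail.example.com"], ["192.0.2.0/24"]))
```

Run it against a real bounce by reading the notice from a file and passing every hostname your qmail-smtpd and qmail-scanner stamp into Received headers (in the thread those differ: server.mydomain.com versus the bare IP in "by my.ip.ad.rr"). An "external-relay" result with the envelope-from set to one of your own users, but a peer IP you do not recognise, is the forged-sender pattern; "never-seen-here" means the bounce is pure backscatter from someone else's server.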
