I'm not dismissing that idea. However, the bounces (as shown below) include the email that the valid user was sending out.

This is a VERY strange problem. And it's scaring our users (naturally), since they wonder if the wrong people are getting copies of their mail.

Aaron Carr wrote:

Are you sure it's even caused by the user sending mail?

Keep in mind that spammers use tools to generate their email so that they
fake the headers to look like "bob" sent the email, when bob (and your
mail server) had nothing to do with it.  However, once that email goes to
a bad address in the spammers database, it will bounce to whoever the
forged sender is (bob in this case).

Do they ever get multiple bounces at once?  That's usually a clear sign
that their email address was used as the "from:" for an entire run of
spam.

Aaron


[EMAIL PROTECTED] said:
We are running qmail-1.03 on RH7.3 with vpopmail-5.2.1 and
qmail-scanner-1.25. We have an odd problem. It seems that sometimes when
a user sends a mail with a Cc: to himself (and it may also be the To:,
but we don't have any examples), that user sometimes gets a bounce from
our qmail server for an address that the user didn't specify. For
example, let's say that user A sends this email:

From: bob
To: sam
Cc: bob

(I did a lot of copy&pasting to ensure I provided a lot of detail. So
please scroll all the way down, thanks!)

And as a note, the "unintended" recipient will be named
"[EMAIL PROTECTED]". The unintended recipient appears random though.
Sometimes it may be [EMAIL PROTECTED], etc. The addresses look
like fake spammer addresses to me.

Then every once in a while bob will get this bounce:

...
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 10, 2005 2:26 AM
To: [EMAIL PROTECTED]
Subject: failure notice


Hi. This is the qmail-send program at server.mydomain.com. I'm
afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[EMAIL PROTECTED]>:
64.97.131.1 does not like recipient.
Remote host said: 550 RCPT TO:<[EMAIL PROTECTED]> User unknown Giving
up on 64.97.131.1.

--- Below this line is a copy of the message.
Return-Path: <[EMAIL PROTECTED]>
Received: (qmail 15860 invoked by uid 508); 10 Aug 2005 09:26:25 -0000
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 15857 invoked by uid 532); 10 Aug 2005 09:26:25 -0000
Received: from 66.60.130.50 by server.mydomain.com
(envelope-from <[EMAIL PROTECTED]>, uid 501) with
qmail-scanner-1.25
(clamdscan: 0.84/1010. spamassassin: 2.64.
Clear:RC:0(66.60.130.50):SA:0(5.8/6.3):.
Processed in 3.417484 secs); 10 Aug 2005 09:26:25 -0000
X-Spam-Status: No, hits=5.8 required=6.3
X-Spam-Level: +++++
Received: from unknown (HELO smtp1.mc.surewest.net) (66.60.130.50)
by my.ip.ad.rr with SMTP; 10 Aug 2005 09:26:21 -0000
Received: (s3-8911); Wed, 10 Aug 2005 02:29:24 -0700
Received: from unknown (65.78.187.126)
by smtp1.mc.surewest.net (s3-smtpd/0.90-beta3) with SMTP; Wed, 10 Aug
2005 02:29:22 -0700
From: "Bob" <[EMAIL PROTECTED]>
To: "'Sam'" <[EMAIL PROTECTED]>
Cc: "Bob" <[EMAIL PROTECTED]>
Subject: RE: How do you mark a call as an EDU?
Date: Wed, 10 Aug 2005 02:29:35 -0700
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_001D_01C59D53.59DFE920"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-Reply-To:
X-TST: smtp1 SNWK3 0.31-80 ip=65.78.187.126

This is a multi-part message in MIME format.
...

Now, here is our smtpd log for [EMAIL PROTECTED]:

/var/log/qmail/smtpd/:

[EMAIL PROTECTED] /var/log/qmail/smtpd]# grep -i [EMAIL PROTECTED] * |
tai64nlocal
2005-08-10 05:43:31.066396500.s:@4000000042f9c8300dbc70fc info msg
1540461: bytes 3566 from <[EMAIL PROTECTED]> qp 15536 uid 532
2005-08-10 05:43:31.066396500.s:@4000000042f9c83012eb028c starting
delivery 27931: msg 1540532 to remote [EMAIL PROTECTED]
2005-08-10 05:43:31.066396500.s:@4000000042f9c8320f4f7cac starting
delivery 27935: msg 1540532 to remote [EMAIL PROTECTED]
2005-08-10 05:43:31.066396500.s:@4000000042f9c837008fb31c delivery
27931: failure:
64.97.131.1_does_not_like_recipient./Remote_host_said:_550_RCPT_TO:<[EMAIL 
PROTECTED]>_User_unknown/Giving_up_on_64.97.131.1./
2005-08-10 05:43:31.066396500.s:@4000000042f9c83736b04074 delivery
27935: failure:
64.97.131.1_does_not_like_recipient./Remote_host_said:_550_RCPT_TO:<[EMAIL 
PROTECTED]>_User_unknown/Giving_up_on_64.97.131.1./

And the send log:

[EMAIL PROTECTED] send]# grep -i '[EMAIL PROTECTED]' * | tai64nlocal
2005-08-10 05:43:31.066396500.s:@4000000042f9c8300dbc70fc info msg
1540461: bytes 3566 from <[EMAIL PROTECTED]> qp 15536 uid 532
2005-08-10 05:43:31.066396500.s:@4000000042f9c83012eb028c starting
delivery 27931: msg 1540532 to remote [EMAIL PROTECTED]
2005-08-10 05:43:31.066396500.s:@4000000042f9c8320f4f7cac starting
delivery 27935: msg 1540532 to remote [EMAIL PROTECTED]
2005-08-10 05:43:31.066396500.s:@4000000042f9c837008fb31c delivery
27931: failure:
64.97.131.1_does_not_like_recipient./Remote_host_said:_550_RCPT_TO:<[EMAIL 
PROTECTED]>_User_unknown/Giving_up_on_64.97.131.1./
2005-08-10 05:43:31.066396500.s:@4000000042f9c83736b04074 delivery
27935: failure:
64.97.131.1_does_not_like_recipient./Remote_host_said:_550_RCPT_TO:<[EMAIL 
PROTECTED]>_User_unknown/Giving_up_on_64.97.131.1./

Now, there was a [EMAIL PROTECTED] that we got mail from at some point:

[EMAIL PROTECTED] qmailscan]# grep -i [EMAIL PROTECTED] qmail-queue.log.1
Wed, 10 Aug 2005 04:25:54 CDT:15498: g_e_h: return-path is
"[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]"
Wed, 10 Aug 2005 04:25:54 CDT:15498: from="Mai Copeland"
<[EMAIL PROTECTED]>,subj=If a relaxing moment turns into the right
moment!,
x-qmail-scanner-message-id=<[EMAIL PROTECTED]>
via SMTP from 24.42.69.76
Wed, 10 Aug 2005 04:25:58 CDT:15498: qmail-scanner:
Clear:RC:0(24.42.69.76):SA:1(9.9/6.3):      4.798779        3145
[EMAIL PROTECTED]    [EMAIL PROTECTED]      If a relaxing moment
turns into the right moment!
<[EMAIL PROTECTED]>
1123665954.15509-0.server.mydomain.com:312
1123665954.15509-1.server.mydomain.com:1948
orig-server.mydomain.com112366595349315498:3145

So what's happening here? I can't quite figure it out. It's like qmail
or qmail-scanner or SOMETHING is trying to deliver mail to a recip that
it knew about for a previous email.

There are two mails in qmailscan/archives/ relating to this particular
email, one for Bob and one for Sam.



-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle
Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Qmail-scanner-general mailing list
Qmail-scanner-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
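
Added example, not part of the original thread: the grep output above mixes lines for two queue numbers (the `info msg 1540461` line and the deliveries for `msg 1540532`), so this sketch replays a qmail-send log in order and ties each delivery attempt to the `info msg` line of the message it belongs to. The sample log, its addresses and the function names are constructed for illustration; entries are dropped at `end msg` because qmail reuses queue numbers.

```python
import re

# Constructed sample in qmail-send log format (timestamps stripped; all
# addresses and numbers are made up). Queue number 1540532 is used twice.
SAMPLE_LOG = """\
info msg 1540532: bytes 3145 from <news@example.com> qp 15509 uid 532
starting delivery 27929: msg 1540532 to local alice@example.org
delivery 27929: success: did_0+0+1/
end msg 1540532
info msg 1540461: bytes 3566 from <bob@example.org> qp 15536 uid 532
starting delivery 27930: msg 1540461 to remote sam@example.net
delivery 27930: success: 192.0.2.10_accepted_message./
end msg 1540461
info msg 1540532: bytes 3566 from <bob@example.org> qp 15541 uid 532
starting delivery 27931: msg 1540532 to remote stranger@example.com
delivery 27931: failure: 192.0.2.25_does_not_like_recipient./
end msg 1540532
"""

INFO = re.compile(r"info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+) uid (\d+)")
START = re.compile(r"starting delivery (\d+): msg (\d+) to (remote|local) (\S+)")
DONE = re.compile(r"delivery (\d+): (success|failure|deferral):")
END = re.compile(r"end msg (\d+)")

def correlate(log_text):
    """Return one record per delivery attempt, tied to its queue message."""
    live = {}      # queue number -> envelope info, valid until "end msg"
    pending = {}   # delivery id -> record still waiting for its result
    records = []
    for line in log_text.splitlines():
        if m := INFO.search(line):
            live[m[1]] = dict(msg=m[1], bytes=int(m[2]), sender=m[3], qp=m[4], uid=m[5])
        elif m := START.search(line):
            rec = dict(live.get(m[2], {"msg": m[2], "sender": None}))
            rec.update(delivery=m[1], recipient=m[4], status="pending")
            pending[m[1]] = rec
            records.append(rec)
        elif m := DONE.search(line):
            pending.pop(m[1], {})["status"] = m[2]
        elif m := END.search(line):
            live.pop(m[1], None)   # the number may be reused by a later message
    return records

def failures_for(records, recipient):
    """Failed deliveries to one recipient, each with sender, qp and uid."""
    return [r for r in records if r["recipient"] == recipient and r["status"] == "failure"]
```

The `qp` and `uid` on each record identify the process that injected the message, which is the value to look up next in the qmail-scanner log.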




