Hi, I have seen strange things like this before when I had a corrupted queue in qmail.
Bye, Joost de Niet [EMAIL PROTECTED] wrote: > I guess my next question would be on any advice for debugging this > problem. We can't tell if it's qmail, qmail-scanner, or something else, > but we can tell that we have a very angry hosting client. :-) > > Aaron Carr wrote: > >> Are you sure it's even caused by the user sending mail? >> >> Keep in mind that spammers use tools to generate their email so that they >> fake the headers to look like "bob" sent the email, when bob (and your >> mail server) had nothing to do with it. However, once that email goes to >> a bad address in the spammers database, it will bounce to whoever the >> forged sender is (bob in this case). >> >> Do they ever get multiple bounces at once? That's usually a clear sign >> that their email address was used as the "from:" for an entire run of >> spam. >> >> Aaron >> >> >> [EMAIL PROTECTED] said: >> >> >>> We are running qmail-1.03 on RH7.3 with vpopmail-5.2.1 and >>> qmail-scanner-1.25. We have an odd problem. It seems that sometimes when >>> a user sends a mail with a Cc: to himself (and it may also be the To:, >>> but we don't have an examples), that user sometimes gets a bounce from >>> our qmail server for an address that the user didn't specify. For >>> example, let's say that user A sends this email: >>> >>> From: bob >>> To: sam >>> Cc: bob >>> >>> (I did a lot of copy&pasting to ensure I provided a lot of detail. So >>> please scroll all the way down, thanks!) >>> >>> An as a note, the "unintended" recipient will be named >>> "[EMAIL PROTECTED]". The unintended recipient appears random though. >>> Sometimes it may be [EMAIL PROTECTED], etc. The addresses look >>> like fake spammer addresses to me. >>> >>> Then every once in a while bob will get this bounce: >>> >>> ... >>> -----Original Message----- >>> From: [EMAIL PROTECTED] >>> [mailto:[EMAIL PROTECTED] >>> Sent: Wednesday, August 10, 2005 2:26 AM >>> To: [EMAIL PROTECTED] >>> Subject: failure notice >>> >>> >>> Hi. This is the qmail-send program at server.mydomain.com. I'm >>> afraid I wasn't able to deliver your message to the following addresses. >>> This is a permanent error; I've given up. Sorry it didn't work out. >>> >>> <[EMAIL PROTECTED]>: >>> 64.97.131.1 does not like recipient. >>> Remote host said: 550 RCPT TO:<[EMAIL PROTECTED]> User unknown Giving >>> up on 64.97.131.1. >>> >>> --- Below this line is a copy of the message. >>> Return-Path: <[EMAIL PROTECTED]> >>> Received: (qmail 15860 invoked by uid 508); 10 Aug 2005 09:26:25 -0000 >>> Delivered-To: [EMAIL PROTECTED] >>> Received: (qmail 15857 invoked by uid 532); 10 Aug 2005 09:26:25 -0000 >>> Received: from 66.60.130.50 by server.mydomain.com >>> (envelope-from <[EMAIL PROTECTED]>, uid 501) with >>> qmail-scanner-1.25 >>> (clamdscan: 0.84/1010. spamassassin: 2.64. >>> Clear:RC:0(66.60.130.50):SA:0(5.8/6.3):. >>> Processed in 3.417484 secs); 10 Aug 2005 09:26:25 -0000 >>> X-Spam-Status: No, hits=5.8 required=6.3 >>> X-Spam-Level: +++++ >>> Received: from unknown (HELO smtp1.mc.surewest.net) (66.60.130.50) >>> by my.ip.ad.rr with SMTP; 10 Aug 2005 09:26:21 -0000 >>> Received: (s3-8911); Wed, 10 Aug 2005 02:29:24 -0700 >>> Received: from unknown (65.78.187.126) >>> by smtp1.mc.surewest.net (s3-smtpd/0.90-beta3) with SMTP; Wed, 10 Aug >>> 2005 02:29:22 -0700 >>> From: "Bob" <[EMAIL PROTECTED]> >>> To: "'Sam'" <[EMAIL PROTECTED]> >>> Cc: "Bob" <[EMAIL PROTECTED]> >>> Subject: RE: How do you mark a call as an EDU? >>> Date: Wed, 10 Aug 2005 02:29:35 -0700 >>> Message-ID: <[EMAIL PROTECTED]> >>> MIME-Version: 1.0 >>> Content-Type: multipart/alternative; >>> boundary="----=_NextPart_000_001D_01C59D53.59DFE920" >>> X-Priority: 3 (Normal) >>> X-MSMail-Priority: Normal >>> X-Mailer: Microsoft Outlook, Build 10.0.2627 >>> Importance: Normal >>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 >>> In-Reply-To: >>> X-TST: smtp1 SNWK3 0.31-80 ip=65.78.187.126 >>> >>> This is a multi-part message in MIME format. >>> ... >>> >>> Now, here is our smtpd log for [EMAIL PROTECTED]: >>> >>> /var/log/qmail/smtpd/: >>> >>> [EMAIL PROTECTED] /var/log/qmail/smtpd]# grep -i [EMAIL PROTECTED] * | >>> tai64nlocal >>> 2005-08-10 05:43:31.066396500.s:@4000000042f9c8300dbc70fc info msg >>> 1540461: bytes 3566 from <[EMAIL PROTECTED]> qp 15536 uid 532 >>> 2005-08-10 05:43:31.066396500.s:@4000000042f9c83012eb028c starting >>> delivery 27931: msg 1540532 to remote [EMAIL PROTECTED] >>> 2005-08-10 05:43:31.066396500.s:@4000000042f9c8320f4f7cac starting >>> delivery 27935: msg 1540532 to remote [EMAIL PROTECTED] >>> 2005-08-10 05:43:31.066396500.s:@4000000042f9c837008fb31c delivery >>> 27931: failure: >>> 64.97.131.1_does_not_like_recipient./Remote_host_said:_550_RCPT_TO:<[EMAIL >>> PROTECTED]>_User_unknown/Giving_up_on_64.97.131.1./ >>> >>> 2005-08-10 05:43:31.066396500.s:@4000000042f9c83736b04074 delivery >>> 27935: failure: >>> 64.97.131.1_does_not_like_recipient./Remote_host_said:_550_RCPT_TO:<[EMAIL >>> PROTECTED]>_User_unknown/Giving_up_on_64.97.131.1./ >>> >>> >>> And the send log: >>> >>> [EMAIL PROTECTED] send]# grep -i '[EMAIL PROTECTED]' * | tai64nlocal >>> 2005-08-10 05:43:31.066396500.s:@4000000042f9c8300dbc70fc info msg >>> 1540461: bytes 3566 from <[EMAIL PROTECTED]> qp 15536 uid 532 >>> 2005-08-10 05:43:31.066396500.s:@4000000042f9c83012eb028c starting >>> delivery 27931: msg 1540532 to remote [EMAIL PROTECTED] >>> 2005-08-10 05:43:31.066396500.s:@4000000042f9c8320f4f7cac starting >>> delivery 27935: msg 1540532 to remote [EMAIL PROTECTED] >>> 2005-08-10 05:43:31.066396500.s:@4000000042f9c837008fb31c delivery >>> 27931: failure: >>> 64.97.131.1_does_not_like_recipient./Remote_host_said:_550_RCPT_TO:<[EMAIL >>> PROTECTED]>_User_unknown/Giving_up_on_64.97.131.1./ >>> >>> 2005-08-10 05:43:31.066396500.s:@4000000042f9c83736b04074 delivery >>> 27935: failure: >>> 64.97.131.1_does_not_like_recipient./Remote_host_said:_550_RCPT_TO:<[EMAIL >>> PROTECTED]>_User_unknown/Giving_up_on_64.97.131.1./ >>> >>> >>> Now, there was a [EMAIL PROTECTED] that we got mail from at some point: >>> >>> [EMAIL PROTECTED] qmailscan]# grep -i [EMAIL PROTECTED] qmail-queue.log.1 >>> Wed, 10 Aug 2005 04:25:54 CDT:15498: g_e_h: return-path is >>> "[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]" >>> Wed, 10 Aug 2005 04:25:54 CDT:15498: from="Mai Copeland" >>> <[EMAIL PROTECTED]>,subj=If a relaxing moment turns into the right >>> moment!, >>> x-qmail-scanner-message-id=<[EMAIL PROTECTED]> >>> >>> via SMTP from 24.42.69.76 >>> Wed, 10 Aug 2005 04:25:58 CDT:15498: qmail-scanner: >>> Clear:RC:0(24.42.69.76):SA:1(9.9/6.3): 4.798779 3145 >>> [EMAIL PROTECTED] [EMAIL PROTECTED] If a relaxing moment >>> turns into the right moment! >>> <[EMAIL PROTECTED]> >>> 1123665954.15509-0.server.mydomain.com:312 >>> 1123665954.15509-1.server.mydomain.com:1948 >>> orig-server.mydomain.com112366595349315498:3145 >>> >>> So what's happening here? I can't quite figure it out. It's like qmail >>> or qmail-scanner or SOMETHING is trying to deliver mail to a recip that >>> it knew about for a previous email. >>> >>> There are two mails in qmailscan/archives/ relating to this particular >>> email, one for Bob and one for Sam. >>> >>> >>> >>> ------------------------------------------------------- >>> SF.Net email is Sponsored by the Better Software Conference & EXPO >>> September 19-22, 2005 * San Francisco, CA * Development Lifecycle >>> Practices >>> Agile & Plan-Driven Development * Managing Projects & Teams * Testing >>> & QA >>> Security * Process Improvement & Measurement * >>> http://www.sqe.com/bsce5sf >>> _______________________________________________ >>> Qmail-scanner-general mailing list >>> Qmail-scanner-general@lists.sourceforge.net >>> https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general >>> >>> >> >> >> >> >> >> ------------------------------------------------------- >> SF.Net email is Sponsored by the Better Software Conference & EXPO >> September 19-22, 2005 * San Francisco, CA * Development Lifecycle >> Practices >> Agile & Plan-Driven Development * Managing Projects & Teams * Testing >> & QA >> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf >> _______________________________________________ >> Qmail-scanner-general mailing list >> Qmail-scanner-general@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general >> >> > > > ------------------------------------------------------- > SF.Net email is Sponsored by the Better Software Conference & EXPO > September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices > Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA > Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf > _______________________________________________ > Qmail-scanner-general mailing list > Qmail-scanner-general@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general ------------------------------------------------------- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf _______________________________________________ Qmail-scanner-general mailing list Qmail-scanner-general@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
