Re: [Qmail-scanner-general]qmail / qmail-scanner / something creates email to unintended recipient

Thu, 01 Sep 2005 14:31:22 -0700

This is possibly the weirdest problem I have ever seen with qmail/qmail-scanner. So, we took down the mail server, removed queue/, build a new queue/ using 'make setup check', restarted mail. It happened again. At this point I'm at a loss.
Why would qmail and/or qmail-scanner randomly insert an extra recip? It just doesn't make sense to me, but it's happening and we are getting the bounces to prove it. (No, it's not a spoof. The bounces include the text that the sender originally sent out in an email.) 

Any ideas?


We are literally going to have to move this client to another mail 
server running something else, which we really can't afford to do but I 
don't see any other solutions.


Any help is appreciated!

[EMAIL PROTECTED] wrote:


We are running qmail-1.03 on RH7.3 with vpopmail-5.2.1 and 
qmail-scanner-1.25. We have an odd problem. It seems that sometimes 
when a user sends a mail with a Cc: to himself (and it may also be the 
To:, but we don't have an examples), that user sometimes gets a bounce 
from our qmail server for an address that the user didn't specify. For 
example, let's say that user A sends this email:


From: bob
To: sam
Cc: bob


(I did a lot of copy&pasting to ensure I provided a lot of detail. So 
please scroll all the way down, thanks!)



An as a note, the "unintended" recipient will be named 
"[EMAIL PROTECTED]". The unintended recipient appears random though. 
Sometimes it may be [EMAIL PROTECTED], etc. The addresses 
look like fake spammer addresses to me.


Then every once in a while bob will get this bounce:

...
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 10, 2005 2:26 AM
To: [EMAIL PROTECTED]
Subject: failure notice


Hi. This is the qmail-send program at server.mydomain.com. I'm
afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[EMAIL PROTECTED]>:
64.97.131.1 does not like recipient.
Remote host said: 550 RCPT TO:<[EMAIL PROTECTED]> User unknown Giving
up on 64.97.131.1.

--- Below this line is a copy of the message.
Return-Path: <[EMAIL PROTECTED]>
Received: (qmail 15860 invoked by uid 508); 10 Aug 2005 09:26:25 -0000
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 15857 invoked by uid 532); 10 Aug 2005 09:26:25 -0000
Received: from 66.60.130.50 by server.mydomain.com
(envelope-from <[EMAIL PROTECTED]>, uid 501) with
qmail-scanner-1.25
(clamdscan: 0.84/1010. spamassassin: 2.64.
Clear:RC:0(66.60.130.50):SA:0(5.8/6.3):.
Processed in 3.417484 secs); 10 Aug 2005 09:26:25 -0000
X-Spam-Status: No, hits=5.8 required=6.3
X-Spam-Level: +++++
Received: from unknown (HELO smtp1.mc.surewest.net) (66.60.130.50)
by my.ip.ad.rr with SMTP; 10 Aug 2005 09:26:21 -0000
Received: (s3-8911); Wed, 10 Aug 2005 02:29:24 -0700
Received: from unknown (65.78.187.126)
by smtp1.mc.surewest.net (s3-smtpd/0.90-beta3) with SMTP; Wed, 10 Aug
2005 02:29:22 -0700
From: "Bob" <[EMAIL PROTECTED]>
To: "'Sam'" <[EMAIL PROTECTED]>
Cc: "Bob" <[EMAIL PROTECTED]>
Subject: RE: How do you mark a call as an EDU?
Date: Wed, 10 Aug 2005 02:29:35 -0700
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_001D_01C59D53.59DFE920"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
In-Reply-To:
X-TST: smtp1 SNWK3 0.31-80 ip=65.78.187.126

This is a multi-part message in MIME format.
...

Now, here is our smtpd log for [EMAIL PROTECTED]:

/var/log/qmail/smtpd/:


[EMAIL PROTECTED] /var/log/qmail/smtpd]# grep -i [EMAIL PROTECTED] * | 
tai64nlocal

2005-08-10 05:43:31.066396500.s:@4000000042f9c8300dbc70fc info msg
1540461: bytes 3566 from <[EMAIL PROTECTED]> qp 15536 uid 532
2005-08-10 05:43:31.066396500.s:@4000000042f9c83012eb028c starting
delivery 27931: msg 1540532 to remote [EMAIL PROTECTED]
2005-08-10 05:43:31.066396500.s:@4000000042f9c8320f4f7cac starting
delivery 27935: msg 1540532 to remote [EMAIL PROTECTED]
2005-08-10 05:43:31.066396500.s:@4000000042f9c837008fb31c delivery
27931: failure:

64.97.131.1_does_not_like_recipient./Remote_host_said:_550_RCPT_TO:<[EMAIL PROTECTED]>_User_unknown/Giving_up_on_64.97.131.1./ 


2005-08-10 05:43:31.066396500.s:@4000000042f9c83736b04074 delivery
27935: failure:

64.97.131.1_does_not_like_recipient./Remote_host_said:_550_RCPT_TO:<[EMAIL PROTECTED]>_User_unknown/Giving_up_on_64.97.131.1./ 



And the send log:

[EMAIL PROTECTED] send]# grep -i '[EMAIL PROTECTED]' * | tai64nlocal
2005-08-10 05:43:31.066396500.s:@4000000042f9c8300dbc70fc info msg
1540461: bytes 3566 from <[EMAIL PROTECTED]> qp 15536 uid 532
2005-08-10 05:43:31.066396500.s:@4000000042f9c83012eb028c starting
delivery 27931: msg 1540532 to remote [EMAIL PROTECTED]
2005-08-10 05:43:31.066396500.s:@4000000042f9c8320f4f7cac starting
delivery 27935: msg 1540532 to remote [EMAIL PROTECTED]
2005-08-10 05:43:31.066396500.s:@4000000042f9c837008fb31c delivery
27931: failure:

64.97.131.1_does_not_like_recipient./Remote_host_said:_550_RCPT_TO:<[EMAIL PROTECTED]>_User_unknown/Giving_up_on_64.97.131.1./ 


2005-08-10 05:43:31.066396500.s:@4000000042f9c83736b04074 delivery
27935: failure:

64.97.131.1_does_not_like_recipient./Remote_host_said:_550_RCPT_TO:<[EMAIL PROTECTED]>_User_unknown/Giving_up_on_64.97.131.1./ 



Now, there was a [EMAIL PROTECTED] that we got mail from at some point:

[EMAIL PROTECTED] qmailscan]# grep -i [EMAIL PROTECTED] qmail-queue.log.1

Wed, 10 Aug 2005 04:25:54 CDT:15498: g_e_h: return-path is 
"[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]"
Wed, 10 Aug 2005 04:25:54 CDT:15498: from="Mai Copeland" 
<[EMAIL PROTECTED]>,subj=If a relaxing moment turns into the right 
moment!, 
x-qmail-scanner-message-id=<[EMAIL PROTECTED]> 
via SMTP from 24.42.69.76
Wed, 10 Aug 2005 04:25:58 CDT:15498: qmail-scanner: 
Clear:RC:0(24.42.69.76):SA:1(9.9/6.3):      4.798779        3145    
[EMAIL PROTECTED]    [EMAIL PROTECTED]      If a relaxing 
moment turns into the right moment!       
<[EMAIL PROTECTED]>  
1123665954.15509-0.server.mydomain.com:312 
1123665954.15509-1.server.mydomain.com:1948 
orig-server.mydomain.com112366595349315498:3145



So what's happening here? I can't quite figure it out. It's like qmail 
or qmail-scanner or SOMETHING is trying to deliver mail to a recip 
that it knew about for a previous email.



There are two mails in qmailscan/archives/ relating to this particular 
email, one for Bob and one for Sam.




-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO

September 19-22, 2005 * San Francisco, CA * Development Lifecycle 
Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing 
& QA

Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Qmail-scanner-general mailing list
Qmail-scanner-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general




-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Qmail-scanner-general mailing list
Qmail-scanner-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general























					Reply via email to