----- Original Message -----
From: "Grant Peel" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, March 17, 2008 10:03 AM
Subject: Re: [exim] Better Tracking

> ----- Original Message -----
> From: "Ted Cooper" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Monday, March 17, 2008 9:52 AM
> Subject: Re: [exim] Better Tracking
>
>
>> Grant Peel wrote:
>>> Hi all,
>>>
>>> I have been wrestling with my servers trying to cut down on the amount
>>> of spam we are sending.
>>>
>>> Can someone translate these log lines:
>>>
>>> 2008-03-16 18:36:06 1Jb1SX-000Eu2-Ll <= <> R=1Jb1SV-000Etp-55 U=mailnull
>>> P=local S=1185
>>> ...
>>> 2008-03-16 18:36:14 1Jb1SX-000Eu2-Ll ** [EMAIL PROTECTED] R=dnslookup
>>> T=remote_smtp: SMTP error from remote mail server after RCPT
>>> TO:<[EMAIL PROTECTED]>: host borland-mxa.mail.eds.net [192.85.154.83]:
>>> 550 5.1.2 <[EMAIL PROTECTED]>... Rejected: 69.90.69.141 Backscatter
>>> 2008-03-16 18:36:14 1Jb1SX-000Eu2-Ll [EMAIL PROTECTED]: error ignored
>>> 2008-03-16 18:36:14 1Jb1SX-000Eu2-Ll Completed
>>>
>>> It looks to me as if the original message was rejected because the
>>> remote mail host saw my server as a spammer.
>>>
>>> What I need to know is how did the original message (log line 1) get
>>> into my server at all? How can I beef up the logging to tell me if it was
>>> a locally generated message, or if I have a hacked account (password
>>> 'guessed')?
>>>
>>> -Grant
>>
>> It's a bounce message generated by your server.
>>
>> Look for an email from [EMAIL PROTECTED] heading into your server. See
>> what it was doing.
>>
>> My guess is that you're accepting email that you shouldn't and
>> subsequently bouncing it. Make sure you are checking for valid recipient
>> before you accept the email at RCPT time.
>>
>> The remote server is rejecting you because you are trying to bounce a
>> message to them that they don't seem to have sent. My guess is that they
>> keep track of every single outgoing email from/to and don't accept
>> bounces that don't match up.
>>
>> --
>> The Exim Manual
>> http://www.exim.org/docs.html
>> http://www.exim.org/exim-html-current/doc/html/spec_html/index.html
>>
>> --
>> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list - http://wiki.exim.org/
>>
>>
>
> Excellent,
>
> Then when I grep the original message, I see this:
>
> 2008-03-16 18:36:05 1Jb1SV-000Etp-55 <= [EMAIL PROTECTED] U=mailnull
> P=spam-scanned S=3313 id=00 [EMAIL PROTECTED]
>
> 2008-03-16 18:36:05 1Jb1SV-000Etp-55 ** [EMAIL PROTECTED]
> <[EMAIL PROTECTED]> R=dnslooku remote_smtp: SMTP error from
> remote mail server after end of data: host mailin-01.mx.aol.com [20
> 8.156.248]: 554-: (HVU:B1)
> http://postmaster.info.aol.com/errors/554hvub1.html\n554 TRANSACTION
> LED
>
> So how do I figure out HOW it came to my server to begin with?
>
> -Grant
>

Ted,

At the risk of sounding totally incompetent, how do I check for valid recipients before accepting the message?

Here is my configure such as it is:

######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################

primary_hostname = constellation.thenetnow.com

domainlist local_domains = /etc/virtual/domains
domainlist relay_to_domains =
hostlist relay_from_hosts = /etc/virtual/domains
hostlist blacklisted_domains = /etc/virtual/blacklist

acl_smtp_rcpt = acl_check_rcpt

trusted_users = mailnull:root:webmail:www
exim_user = mailnull
exim_group = mail
never_users =

host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 0s
timeout_frozen_after = 1d
return_path_remove
untrusted_set_sender = *
helo_allow_chars = _
daemon_smtp_ports = 25 : 109
bounce_message_file = /usr/local/etc/exim/bounce_message_file
warn_message_file = /usr/local/etc/exim/warn_message_file
return_size_limit = 10000
bounce_return_message = false
delay_warning = 72h
log_selector = +incoming_interface

######################################################################
#                         ACL CONFIGURATION                          #
#       Specifies access control lists for incoming SMTP mail        #
######################################################################

begin acl

acl_check_rcpt:

  accept  hosts = :
          dnslists = ips.backscatterer.org
          message = This message looks like a bounce, and your server is listed at \
                    ips.backscatterer.org, so I assume that this is "backscatter". \
                    Please configure your mail server to not send "backscatter spam". \
                    For advice, try http://www.dontbouncespam.org/
          log_message = ATTENTION BACKSCATTERER

  deny    local_parts = [EMAIL PROTECTED]/|] : ^\\.

  deny    senders = :
          condition = ${if ! eq{$recipients_count}{1}{1}}
          message = Bounces must have only a single recipient
          log_message = Another denied due to backscatter-Single Recipient

# accept  local_parts = postmaster
#         domains = +local_domains

  require verify = sender

  deny    message = rejected because $sender_host_address was \
                    found in our blacklist
          log_message = domain found in $blacklisted_domains
          hosts = +blacklisted_domains

  accept  domains = +local_domains
          endpass
          message = unknown user
          verify = recipient

  accept  domains = +relay_to_domains
          endpass
          message = unrouteable address
          verify = recipient

  accept  hosts = +relay_from_hosts

  accept  authenticated = *

######################################################################
#                       ROUTERS CONFIGURATION                        #
...
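
Added example, not part of the original thread: a Python script that follows the R= reference on a bounce's "<=" log line back to the parent message and reports how that parent arrived (A= authenticator, H= remote host, or U=/P= local injection). The log lines are constructed, and the function names are this example's own.

```python
import re

# Constructed Exim main-log sample: IDs, hosts and addresses are made up.
SAMPLE_LOG = """\
2008-03-16 18:36:05 1Jb0AB-000Aab-02 <= sender@example.net U=mailnull P=spam-scanned S=3313
2008-03-16 18:36:06 1Jb0AC-000Aac-03 <= <> R=1Jb0AB-000Aab-02 U=mailnull P=local S=1185
2008-03-16 18:37:00 1Jb0AD-000Aad-04 <= user@example.com H=pc.example.com [198.51.100.7] P=esmtpa A=plain:user S=900
2008-03-16 18:37:09 1Jb0AE-000Aae-05 <= <> R=1Jb0AD-000Aad-04 U=mailnull P=local S=1200
"""

# "<=" marks a message arriving; single-letter FIELD=value pairs follow the sender.
ARRIVAL = re.compile(r"^\S+ \S+ (\w{6}-\w{6}-\w{2}) <= (\S+)(.*)$")
FIELD = re.compile(r"\b([A-Z])=(\S+)")

def parse_arrivals(log_text):
    """Map message id -> arrival fields (sender, H=, A=, U=, P=, R=, ...)."""
    arrivals = {}
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            msgid, sender, rest = m.groups()
            arrivals[msgid] = dict(FIELD.findall(rest), sender=sender)
    return arrivals

def classify(fields):
    """Describe how a message entered Exim, from its arrival-line fields."""
    if fields["sender"] == "<>" and "R" in fields:
        return "bounce for " + fields["R"]
    if "A" in fields:                      # authenticator name, e.g. plain:user
        return "authenticated SMTP (A=%s)" % fields["A"]
    if "H" in fields:                      # remote host, not authenticated
        return "remote SMTP from " + fields["H"]
    if "U" in fields:                      # injected by a local process
        return "local user %s (P=%s)" % (fields["U"], fields.get("P", "?"))
    return "unknown"

def trace_bounces(log_text):
    """For each locally generated bounce, follow R= back to the parent message."""
    arrivals = parse_arrivals(log_text)
    report = []
    for msgid, f in arrivals.items():
        if f["sender"] == "<>" and "R" in f:
            parent = arrivals.get(f["R"])
            origin = classify(parent) if parent else "parent not in this log"
            report.append((msgid, f["R"], origin))
    return report

if __name__ == "__main__":
    print("\n".join(" <- ".join(row) for row in trace_bounces(SAMPLE_LOG)))
```

To use it on a live server, pass the contents of the Exim main log to trace_bounces() in place of SAMPLE_LOG.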
