[Sorry for the typoed subject, but I got bounced for 'delivery
confirmation' the first time I sent this]

I just noticed that the user that spamass-milter runs under
(spamass-milter, oddly enough) is receiving emails from postfix, that
all look something like this:

 --55340A0B78E0.1254754944/server1.gnuconsulting.com
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host server1.gnuconsulting.com.

Enclosed is the mail delivery report that you requested.

                   The mail system

<st...@foobar.com>: delivery via 1.2.3.4[1.2.3.4]:25: 250 2.1.5 Ok

 --55340A0B78E0.1254754944/server1.gnuconsulting.com
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; server1.gnuconsulting.com
X-Postfix-Queue-ID: 55340A0B78E0
X-Postfix-Sender: rfc822; spamass-mil...@server1.gnuconsulting.com
Arrival-Date: Mon,  5 Oct 2009 11:02:24 -0400 (EDT)

Final-Recipient: rfc822; st...@foobar.com
Action: deliverable
Status: 2.1.5
Remote-MTA: dns; 1.2.3.4
Diagnostic-Code: smtp; 250 2.1.5 Ok

 --55340A0B78E0.1254754944/server1.gnuconsulting.com
Content-Description: Message Headers
Content-Type: text/rfc822-headers

Return-Path: <spamass-mil...@server1.gnuconsulting.com>
Received: by server1.gnuconsulting.com (Postfix, from userid 130)
        id 55340A0B78E0; Mon,  5 Oct 2009 11:02:24 -0400 (EDT)
From: spamass-mil...@server1.gnuconsulting.com
Subject: probe
To:     <st...@foobar.com>
Message-Id: <20091005150224.55340a0b7...@server1.gnuconsulting.com>
Date: Mon,  5 Oct 2009 11:02:24 -0400 (EDT)

 --55340A0B78E0.1254754944/server1.gnuconsulting.com--


Searching for "mail delivery report you requested", it appears this is
the sort of thing that postfix will generate if it's called as sendmail 
with the -bv flag.  But as far as I can tell, I'm not...  I've grep'ed 
for 'sendmail' and 'bv' in /etc/postfix/ /etc/spamassassin/
/etc/default/, and so on, and have come up with nothing.  I'm afraid
that I've somehow left my server open to a dictionary or VRFY attack of
some sort (even though I have 'disable_vrfy_command = yes' in my
main.cf).  Any advice on where I should look next?

David
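
An added example, not part of the original post: Python that parses a report like the one quoted above and extracts the fields that identify who requested it (the `X-Postfix-Sender`, the queue ID to search for in the mail log, and the local uid from the "from userid" `Received` line). The sample message is constructed, the function name is hypothetical, and treating `Action: deliverable` or `undeliverable` as the marker of a verification report is an assumption.

```python
import email
import re
from email import policy

# Constructed sample modelled on the report in the post; host, addresses and queue ID are placeholders.
SAMPLE = """\
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUNDARY"

--BOUNDARY
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.com
X-Postfix-Queue-ID: 0123456789AB
X-Postfix-Sender: rfc822; probe-user@mail.example.com

Final-Recipient: rfc822; someone@example.org
Action: deliverable
Status: 2.1.5

--BOUNDARY
Content-Type: text/rfc822-headers

Received: by mail.example.com (Postfix, from userid 130) id 0123456789AB
Subject: probe

--BOUNDARY--
"""

FIELDS = ("X-Postfix-Queue-ID", "X-Postfix-Sender", "Final-Recipient", "Action")

def verify_probe_info(raw):
    """Return report fields if raw is an address-verification report, else None."""
    msg = email.message_from_string(raw, policy=policy.default)
    info = {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The parser splits this part into header blocks (per-message, per-recipient).
            for block in part.get_payload():
                for key in FIELDS:
                    if block[key]:
                        info[key] = str(block[key]).split(";")[-1].strip()
        elif ctype == "text/rfc822-headers":
            # "from userid N" marks a message submitted locally by that Unix uid.
            m = re.search(r"\(Postfix, from userid (\d+)\)", part.get_content())
            if m:
                info["local_uid"] = int(m.group(1))
    # Assumption: only verification reports carry these two Action values.
    return info if info.get("Action") in ("deliverable", "undeliverable") else None
```
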
