> From:  Kourosh Ghassemieh <[EMAIL PROTECTED]>
> Date:  Wed, 06 Jun 2001 15:30:15 -0700
>
> 
> Well, what do the logs say?
> 
> It's possible that a spammer sent mail to random addresses
> in one of your hosted domains and had them listed in the BCC:
> field.  The return address being forged as to be from mindless.com.
> Since the users in your domain are non-existent the messages
> are trying to bounce to the sender, which is refusing some of them
> as being non-existent as well.   You'll see them double-bounce
> once they time out.  I'm not that experienced at reading headers
> so I'm not 100% certain but sounds logical.

When an email message is composed, addresses are extracted from the To, CC, 
and BCC headers and placed in the envelope.  They are never again consulted.  
The envelope addresses determine where the message gets sent.  When qmail gets 
a message, it looks at the envelope and puts the contents in queue/remote 
and/or queue/local.  The contents of those files are what is displayed by 
qmail-qread, so we know that the envelope contained a bunch of mindless.com 
addresses and did not include any addresses from my domains.

> Again, what do the logs say?  They can help quite a bit in diagnosing
> problems.  You should be able to find when they came in and from
> where and why they are being refused, if they are.
> 
> What do the logs say?

They're being refused because some of the addresses were bogus and the real 
mail server for mindless.com rejected them.

Actually, I lost the logs because before I discovered this problem, I blew 
them away due to their having filled my file system to 100%.  In hindsight, I 
realize this is almost certainly because I was relaying spam at the time.

Chris

-- 
Chris Garrigues                 http://www.DeepEddy.Com/~cwg/
virCIO                          http://www.virCIO.Com
4314 Avenue C                   
Austin, TX  78751-3709          +1 512 374 0500

  My email address is an experiment in SPAM elimination.  For an
  explanation of what we're doing, see http://www.DeepEddy.Com/tms.html 

    Nobody ever got fired for buying Microsoft,
      but they could get fired for relying on Microsoft.
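
Added example (not part of the original message): Python that applies the envelope-versus-header point above to queue triage, parsing qmail-qread output and flagging messages whose envelope sender and recipients all lie outside the domains the host serves. The sample text is constructed, its layout is an assumption about what qmail-qread prints, `hosted.example` is a placeholder domain, and the sender domain is only a hint since it can be forged.

```python
import re
from collections import Counter

# Constructed sample in the layout qmail-qread is assumed to print:
# one header line per message, then one indented line per envelope recipient.
SAMPLE = """\
6 Jun 2001 21:02:11 GMT  #48213  2817  <offers@mindless.com>
\tremote\tjsmith@mindless.com
\tremote\tbogus1@mindless.com
  done\tremote\tsales@mindless.com
6 Jun 2001 21:05:40 GMT  #48377  1204  <alice@hosted.example>
\tremote\tbob@partner.example
6 Jun 2001 21:09:02 GMT  #48402  3350  <>  bouncing
\tlocal\tpostmaster@hosted.example
"""

HEADER = re.compile(r"^\S.*#(\d+)\s+\d+\s+<([^>]*)>")            # id, envelope sender
RCPT = re.compile(r"^\s+(?:done\s+)?(remote|local)\s+(\S+)$")   # channel, envelope rcpt

def domain(addr):
    """Lower-cased domain part of an address ('' for the null sender)."""
    return addr.rpartition("@")[2].lower()

def parse_queue(text):
    """Return a list of {'id', 'sender', 'rcpts': [(channel, addr), ...]}."""
    msgs = []
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            msgs.append({"id": h.group(1), "sender": h.group(2), "rcpts": []})
            continue
        r = RCPT.match(line)
        if r and msgs:
            msgs[-1]["rcpts"].append((r.group(1), r.group(2)))
    return msgs

def relay_suspects(msgs, local_domains):
    """Ids of messages with no hosted domain in envelope sender or recipients."""
    local = {d.lower() for d in local_domains}
    suspects = []
    for m in msgs:
        rcpt_domains = {domain(a) for _, a in m["rcpts"]}
        if m["rcpts"] and domain(m["sender"]) not in local and not rcpt_domains & local:
            suspects.append(m["id"])
    return suspects

def recipient_domains(msgs):
    """Count envelope recipients per domain; one foreign domain dominating is a red flag."""
    return Counter(domain(a) for m in msgs for _, a in m["rcpts"])
```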

