On Mon, Feb 13, 2012 at 5:19 PM, Robert Van Dresar <[email protected] > wrote:
>
> On Mon, Feb 13, 2012 at 5:09 PM, Eric Shubert <[email protected]> wrote:
>
>> On 02/13/2012 03:47 PM, Robert Van Dresar wrote:
>>
>>> You are right, all of our users have to authenticate to send email. I
>>> believe that's the default behavior of a stock QMT, so does that mean I
>>> can add our domains to the blacklist-senders file??
>>
>> Yes, by all means. Records in that file should look like:
>> @mydomain.com
>>
>>> I've tested for open relay, and that test returns OK. The failure
>>> notices I receive in the postmaster account point to one of our users,
>>> but it says the offending email is from
>>> "[email protected]@**some-random-ip-address", and bounces back
>>> to about 50 other email addresses.
>>
>> I'm not quite sure what you mean here. A specific example with headers
>> would help. Try to leave as much data intact as you can, but user and
>> domain names can be substituted consistently if you want to.
>>
>>> Her computer was off all weekend, and we virus scanned it this morning
>>> and nothing. I really didn't think of her password being compromised;
>>> that's easy enough to change. I guess I'll try that, especially since
>>> we're listed on five block lists now.
>>
>> Sounds as though that's the culprit then. You should attempt to find out
>> how her password was compromised.
>>
>> It can (and does occasionally) happen by network traffic sniffing if her
>> configuration sends a password in clear text anywhere (I've seen it
>> happen, once). This could be via webmail w/out https (the stock QMT
>> unfortunately allows this), or via a client program that's not using TLS,
>> such as a remote Outlook03 client. If you have remote clients using
>> Outlook03, you should set up QMT to handle smtps (port 465), and
>> configure those clients to use SSL accordingly.
>>
>> If possible, all clients should use TLS for their smtp submissions,
>> whether on port 25 or 587. Unfortunately, QMT cannot yet enforce use of
>> TLS. Such a feature has been requested to be added to spamdyke, and may
>> (if we're lucky) be included in the next spamdyke release.
>>
>> Please keep us posted.
>>
>> --
>> -Eric 'shubes'
>
> Here's the "evidence" from one of the block lists:
>
> Return-Path: <[email protected]>
> X-Original-To: [email protected]
> Received: from mail.airplexus.com (mail.airplexus.com [65.245.57.15])
>   by mail.ixlab.de (Spamtrap) with ESMTP
>   for [email protected]; Mon, 13 Feb 2012 21:38:50 +0100 (CET)
> Received: (qmail 9460 invoked by uid 89); 13 Feb 2012 18:16:22 -0000
> Received: by simscan 1.4.0 ppid: 8048, pid: 9438, t: 0.7778s
>   scanners: attach: 1.4.0 clamav: 0.97.3/m:54/d:14401
> Received: from 184-82-61-166.static.hostnoc.net (HELO User) ("email address removed"@[email protected])
>   by mail.airplexus.com with ESMTPA; 13 Feb 2012 18:16:22 -0000
> Reply-To: <[email protected]>
> From: "Rose Brown"<[email protected]>
> Subject: Offers : Marks & Spencer
> Date: Mon, 13 Feb 2012 19:16:18 -0800
> MIME-Version: 1.0
> Content-Type: text/plain;
>   charset="Windows-1251"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> X-NiX-Spam-Hash2: d36eed170eb389bf1a5ab832cf972a4b
> X-NiX-Spam-Source-IP: 65.245.57.15
> X-NiX-Spam-MX: mail.ixlab.de
> X-NiX-Spam-Listed: yes
>
> I've left our mail server stuff intact, but removed her email address.
>
>> ---------------------------------------------------------------------------------
>> Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
>> Vickers Consulting Group offers Qmailtoaster support and installations.
>> If you need professional help with your setup, contact them today!
>> ---------------------------------------------------------------------------------
>> Please visit qmailtoaster.com for the latest news, updates, and packages.
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]

Sorry, I meant /var/log/qmail/send/current. Here's a snippet from tail -f:

/ www.google.com/mail/help/bulk_mail.html/421_4.7.0_to_review_our_Bulk_Email_Senders_Guidelines._x3si1699355oeb.22/
@400000004f399b773829fbac status: local 0/10 remote 59/60
@400000004f399b77382a037c starting delivery 6158346: msg 111052977 to remote [email protected]
@400000004f399b77382a0764 status: local 0/10 remote 60/60
@400000004f399b7800f51ff4 delivery 6158340: success: User_and_password_not_set,_continuing_without_authentication./<[email protected]>_153.9.243.29_accepted_message./Remote_host_said:_250_2.0.0_Ok:_queued_as_DCED3DCE63BBF87A/
@400000004f399b7800f52bac status: local 0/10 remote 59/60
@400000004f399b7800f52f94 starting delivery 6158347: msg 111052977 to remote [email protected]
@400000004f399b7800f5337c status: local 0/10 remote 60/60
@400000004f399b7801f7901c delivery 6158345: deferral: Connected_to_155.43.4.220_but_greeting_failed./Remote_host_said:_421_emerald2.commnet.edu_closing_connection/
@400000004f399b7801f79bd4 status: local 0/10 remote 59/60
@400000004f399b7801f79fbc starting delivery 6158348: msg 111052977 to remote [email protected]
@400000004f399b7801f7a3a4 status: local 0/10 remote 60/60
@400000004f399b7818c8892c delivery 6158343: failure: User_and_password_not_set,_continuing_without_authentication./208.35.40.69_does_not_like_recipient./Remote_host_said:_554_Service_unavailable;_Client_host_[mail.airplexus.com]_blocked_using_Barracuda_Reputation;_http://www.barracudanetworks.com/reputation/?r=1&ip=65.245.57.15/Giving_up_on_208.35.40.69./
@400000004f399b7818c894e4 status: local 0/10 remote 59/60
@400000004f399b7818c898cc starting delivery 6158349: msg 111052977 to remote [email protected]
@400000004f399b7818c8bbf4 status: local 0/10 remote 60/60
@400000004f399b78198be8cc delivery 6158346: success: User_and_password_not_set,_continuing_without_authentication./<[email protected]>_67.231.152.196_accepted_message./Remote_host_said:_250_2.0.0_12ybnnr63c-1_Message_accepted_for_delivery/
@400000004f399b78198ce6b4 status: local 0/10 remote 59/60
@400000004f399b78198db1d4 starting delivery 6158350: msg 111052977 to remote [email protected]
@400000004f399b78198db9a4 status: local 0/10 remote 60/60
@400000004f399b7819acf5bc delivery 6158347: deferral: User_and_password_not_set,_continuing_without_authentication./<[email protected]>_74.125.81.26_failed_after_I_sent_the_message./Remote_host_said:_421-4.7.0_[65.245.57.15______10]_Our_system_has_detected_an_unusual_rate_of/421-4.7.0_unsolicited_mail_originating_from_your_IP_address._To_protect_our/421-4.7.0_users_from_spam,_mail_sent_from_your_IP_address_has_been_temporarily/421-4.7.0_blocked._Please_visit_http://www.google.com/mail/help/bulk_mail.html/421_4.7.0_to_review_our_Bulk_Email_Senders_Guidelines._h8si3986548obn.55/
@400000004f399b7819b04d34 status: local 0/10 remote 59/60
@400000004f399b7819b0a324 starting delivery 6158351: msg 111052977 to remote [email protected]
@400000004f399b7819b179fc status: local 0/10 remote 60/60
@400000004f399b78201c2184 delivery 6158351: deferral: Connected_to_75.180.132.243_but_greeting_failed./Remote_host_said:_554_5.7.1_-_ERROR:_Mail_refused_-_<65.245.57.15>_-_See_http://postmaster.rr.com/amIBlockedByRR?ip=65.245.57.15/
@400000004f399b78201c3124 status: local 0/10 remote 59/60
@400000004f399b78201c350c starting delivery 6158352: msg 111052977 to remote [email protected]
@400000004f399b78201c38f4 status: local 0/10 remote 60/60
@400000004f399b78211fce14 delivery 6158348: deferral: Connected_to_203.0.178.180_but_greeting_failed./Remote_host_said:_554-inbound.icp-qv1-irony-in4.iinet.net.au/554_Your_access_to_this_mail_system_from_65.245.57.15_has_been_rejected_due_to_the_sending_MTA's_poor_reputation._If_you_believe_that_this_failure_is_in_error,_please_contact_the_intended_recipient_via_alternate_means./
@400000004f399b78211fddb4 status: local 0/10 remote 59/60
@400000004f399b78211fe19c starting delivery 6158353: msg 111052977 to remote [email protected]
@400000004f399b78212004c4 status: local 0/10 remote 60/60
@400000004f399b782891eed4 delivery 6158338: success: User_and_password_not_set,_continuing_without_authentication./<[email protected]>_207.69.189.42_accepted_message./Remote_host_said:_250_1rX5eZ6UV3PGoTM0_Message_accepted_for_delivery/
@400000004f399b782891fa8c status: local 0/10 remote 59/60
@400000004f399b782891fa8c starting delivery 6158354: msg 111052977 to remote [email protected]
@400000004f399b782892025c status: local 0/10 remote 60/60
@400000004f399b782bd876e4 delivery 6158353: deferral: Connected_to_98.139.175.224_but_greeting_failed./Remote_host_said:_421_4.7.0_[TS01]_Messages_from_65.245.57.15_temporarily_deferred_due_to_user_complaints_-_4.16.55.1;_see_http://postmaster.yahoo.com/421-ts01.html/
@400000004f399b782bd8829c status: local 0/10 remote 59/60
@400000004f399b782bd88684 starting delivery 6158355: msg 111052977 to remote [email protected]
@400000004f399b782bd88e54 status: local 0/10 remote 60/60
@400000004f399b7830040bac delivery 6158350: failure: Connected_to_64.68.224.237_but_sender_was_rejected./Remote_host_said:_550_5.7.1_This_system_is_configured_to_reject_mail_from_mail.airplexus.com_[65.245.57.15]_(Host_blacklisted_-_Found_on_Realtime_Black_List_server_'b.barracudacentral.org')/
@400000004f399b7830041764 status: local 0/10 remote 59/60
@400000004f399b7830041b4c starting delivery 6158356: msg 111052977 to remote [email protected]
@400000004f399b783004231c status: local 0/10 remote 60/60
@400000004f399b78306e3b44 delivery 6158349: success: User_and_password_not_set,_continuing_without_authentication./<[email protected]>_216.33.127.20_accepted_message./Remote_host_said:_250_2.0.0_ZbPS1i01x0Kig9d04bPSGz_Message_received:[email protected]_E0000/
@400000004f399b78306e46fc status: local 0/10 remote 59/60
@400000004f399b78306e4ae4 starting delivery 6158357: msg 111052977 to remote [email protected]
@400000004f399b78306e4ecc status: local 0/10 remote 60/60
@400000004f399b7907a8a7bc delivery 6157649: failure: User_and_password_not_set,_continuing_without_authentication./216.193.128.40_does_not_like_recipient./Remote_host_said:_554_5.7.1_Service_unavailable;_Client_host_[65.245.57.15]_blocked_using_bl.spamcop.net;_Blocked_-_see_http://www.spamcop.net/bl.shtml?65.245.57.15/Giving_up_on_216.193.128.40./
@400000004f399b7907a8b75c status: local 0/10 remote 59/60
@400000004f399b7907a8bb44 starting delivery 6158358: msg 111052977 to remote [email protected]
@400000004f399b7907a8bf2c status: local 0/10 remote 60/60

[root@mail send]# tail -f current
@400000004f399beb158b116c starting delivery 6159396: msg 39417859 to remote [email protected]
@400000004f399beb158b404c status: local 0/10 remote 60/60
@400000004f399beb2918030c delivery 6159393: deferral: User_and_password_not_set,_continuing_without_authentication./<[email protected]>_74.125.81.27_failed_after_I_sent_the_message./Remote_host_said:_421-4.7.0_[65.245.57.15______10]_Our_system_has_detected_an_unusual_rate_of/421-4.7.0_unsolicited_mail_originating_from_your_IP_address._To_protect_our/421-4.7.0_users_from_spam,_mail_sent_from_your_IP_address_has_been_temporarily/421-4.7.0_blocked._Please_visit_http://www.google.com/mail/help/bulk_mail.html/421_4.7.0_to_review_our_Bulk_Email_Senders_Guidelines._k2si3981800obw.79/
@400000004f399beb2918783c status: local 0/10 remote 59/60
@400000004f399beb2919241c starting delivery 6159397: msg 39417859 to remote [email protected]
@400000004f399beb29192804 status: local 0/10 remote 60/60
@400000004f399beb352bd6dc delivery 6159386: success: User_and_password_not_set,_continuing_without_authentication./<[email protected]>_200.234.222.116_accepted_message./Remote_host_said:_250_2.0.0_Ok:_queued_as_3D689293882F7/
@400000004f399beb352cc90c status: local 0/10 remote 59/60
@400000004f399beb352d9044 starting delivery 6159398: msg 39417859 to remote [email protected]
@400000004f399beb352d942c status: local 0/10 remote 60/60
@400000004f399bec02168db4 delivery 6159390: success: User_and_password_not_set,_continuing_without_authentication./<[email protected]>_200.20.0.140_accepted_message./Remote_host_said:_250_2.0.0_Ok:_queued_as_500C316815/
@400000004f399bec02179f24 status: local 0/10 remote 59/60
@400000004f399bec0217d5d4 starting delivery 6159399: msg 39417859 to remote [email protected]
@400000004f399bec02187214 status: local 0/10 remote 60/60
@400000004f399bec14421a94 delivery 6159388: deferral: User_and_password_not_set,_continuing_without_authentication./200.147.36.15_does_not_like_recipient./Remote_host_said:_450_4.7.1_<[email protected]>:_Recipient_address_rejected:_Try_again_later/Giving_up_on_200.147.36.15./
@400000004f399bec1442840c status: local 0/10 remote 59/60
@400000004f399bec144308dc starting delivery 6159400: msg 39417859 to remote [email protected]
@400000004f399bec144337bc status: local 0/10 remote 60/60
@400000004f399bec16c4b664 delivery 6159385: failure: User_and_password_not_set,_continuing_without_authentication./74.125.81.27_does_not_like_recipient./Remote_host_said:_550-5.1.1_The_email_account_that_you_tried_to_reach_does_not_exist._Please_try/550-5.1.1_double-checking_the_recipient's_email_address_for_typos_or/550-5.1.1_unnecessary_spaces._Learn_more_at_____________________________/550_5.1.1_http://support.google.com/mail/bin/answer.py?answer=6596_a6si3176745obx.155/Giving_up_on_74.125.81.27./
@400000004f399bec16c61dc4 status: local 0/10 remote 59/60
@400000004f399bec16c6585c starting delivery 6159401: msg 39417859 to remote [email protected]
@400000004f399bec16c6cd8c status: local 0/10 remote 60/60
@400000004f399bec18f9f19c delivery 6159396: deferral: User_and_password_not_set,_continuing_without_authentication./<[email protected]>_74.125.45.27_failed_after_I_sent_the_message./Remote_host_said:_421-4.7.0_[65.245.57.15______10]_Our_system_has_detected_an_unusual_rate_of/421-4.7.0_unsolicited_mail_originating_from_your_IP_address._To_protect_our/421-4.7.0_users_from_spam,_mail_sent_from_your_IP_address_has_been_temporarily/421-4.7.0_blocked._Please_visit_http://www.google.com/mail/help/bulk_mail.html/421_4.7.0_to_review_our_Bulk_Email_Senders_Guidelines._v6si16161438yhi.48/
@400000004f399bec18fb9394 status: local 0/10 remote 59/60
@400000004f399bec18fbbe8c starting delivery 6159402: msg 39417859 to remote [email protected]
@400000004f399bec18fbc65c status: local 0/10 remote 60/60
@400000004f399bec1b4a03ec delivery 6159402: deferral: Connected_to_206.46.232.11_but_greeting_failed./Remote_host_said:_571_Email_from_65.245.57.15_is_currently_blocked_by_Verizon_Online's_anti-spam_system._The_email_sender_or_Email_Service_Provider_may_visit_http://www.verizon.net/whitelist_and_request_removal_of_the_block._120213/
@400000004f399bec1b4ab79c status: local 0/10 remote 59/60
@400000004f399bec1b4b4ff4 starting delivery 6159403: msg 39417859 to remote [email protected]
@400000004f399bec1b4b53dc status: local 0/10 remote 60/60
@400000004f399bec1c3ea8d4 delivery 6159398: failure: User_and_password_not_set,_continuing_without_authentication./192.25.218.45_does_not_like_recipient./Remote_host_said:_550_5.1.1_<[email protected]>:_Recipient_address_rejected:_User_unknown/Giving_up_on_192.25.218.45./
@400000004f399bec1c403744 status: local 0/10 remote 59/60
@400000004f399bec1c406df4 starting delivery 6159404: msg 39417859 to remote [email protected]
@400000004f399bec1c40fe7c status: local 0/10 remote 60/60
@400000004f399bec2c5572fc delivery 6159404: failure: User_and_password_not_set,_continuing_without_authentication./207.69.189.45_does_not_like_recipient./Remote_host_said:[email protected]. ..User_unknown/Giving_up_on_207.69.189.45./
@400000004f399bec2c590cdc status: local 0/10 remote 59/60
@400000004f399bec2c59a91c starting delivery 6159405: msg 39417859 to remote [email protected]
@400000004f399bec2c59ef6c status: local 0/10 remote 60/60
@400000004f399bec311b6f1c delivery 6158315: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
@400000004f399bec311bd0c4 status: local 0/10 remote 59/60
@400000004f399bec311c0774 starting delivery 6159406: msg 39417859 to remote [email protected]
@400000004f399bec311c885c status: local 0/10 remote 60/60
@400000004f399bed01944a0c delivery 6159401: success: User_and_password_not_set,_continuing_without_authentication./<[email protected]>_66.94.236.34_accepted_message./Remote_host_said:_250_ok_dirdel/
@400000004f399bed01956b1c status: local 0/10 remote 59/60
@400000004f399bed0195b16c starting delivery 6159407: msg 39417859 to remote [email protected]
@400000004f399bed019649c4 status: local 0/10 remote 60/60
@400000004f399bed2060d75c delivery 6159400: success: User_and_password_not_set,_continuing_without_authentication./<[email protected]>_74.6.136.244_accepted_message./Remote_host_said:_250_ok_dirdel/
@400000004f399bed2061c98c status: local 0/10 remote 59/60
@400000004f399bed2062003c starting delivery 6159408: msg 39417859 to remote [email protected]
@400000004f399bed2062b3ec status: local 0/10 remote 60/60
@400000004f399bed2a902804 delivery 6159403: success: User_and_password_not_set,_continuing_without_authentication./<[email protected]>_209.240.204.26_accepted_message./Remote_host_said:_250_Ok:_queued_as_6A784740BB/
@400000004f399bed2a90a8ec status: local 0/10 remote 59/60
@400000004f399bed2a91aabc starting delivery 6159409: msg 39417859 to remote [email protected]
@400000004f399bed2a91b28c status: local 0/10 remote 60/60

Looks like the server is just spewing email.

Robert
