>> >> >> Sam Clippinger wrote: >> >>> That's very strange -- I'm having a hard time imagining any way >>> spamdyke could be injecting "QUIT" into a message like that. The >>> only time spamdyke injects "QUIT" at all is when a connection times >>> out, but then it sends a "." first to end the message. The "QUIT" >>> should be interpreted as an SMTP command. >>> >>> Do your logs show timeouts that correspond with these messages? Are >>> any other parts of the message corrupted (e.g. the headers)? >>> >>> -- Sam Clippinger >>> >>> >> I will try to go back through my logs and correlate the occurrences >> with a timeout. The headers do appear to be incorrect as well, >> though, the From address in the header shows up as >> [EMAIL PROTECTED] -John >>
OK, after enabling full logging and waiting for someone to report the problem again, I now have a little more insight into this problem. Here is the full log of the email transaction: This section is the transcript from my secondary mail server, which receives the message first: 06/04/2008 09:45:30 STARTED: VERSION = 3.1.2, PID = 587 06/04/2008 09:45:30 LEGEND: To remote host = <<< ; to child process = >>> ; blocked by filter = <XX 06/04/2008 09:45:30 LEGEND: From filter to remote host = <FF ; from filter to child process = FF> <<< 06/04/2008 09:45:30 220 mail2.sts-llc.net ESMTP >>> 06/04/2008 09:45:30 EHLO imo-d21.mx.aol.com <<< 06/04/2008 09:45:30 250-mail2.sts-llc.net 250-PIPELINING 250 8BITMIME >>> 06/04/2008 09:45:31 MAIL From:<[EMAIL PROTECTED]> <<< 06/04/2008 09:45:31 250 ok >>> 06/04/2008 09:45:31 RCPT To:<[EMAIL PROTECTED]> <FF 06/04/2008 09:45:31 421 Your address has been graylisted. Try again later. >>> 06/04/2008 09:45:31 RCPT To:<[EMAIL PROTECTED]> <FF 06/04/2008 09:45:31 421 Your address has been graylisted. Try again later. >>> 06/04/2008 09:45:31 RCPT To:<[EMAIL PROTECTED]> <<< 06/04/2008 09:45:31 250 ok >>> 06/04/2008 09:45:31 RCPT To:<[EMAIL PROTECTED]> <<< 06/04/2008 09:45:31 250 ok >>> 06/04/2008 09:45:31 RCPT To:<[EMAIL PROTECTED]> <<< 06/04/2008 09:45:31 250 ok >>> 06/04/2008 09:45:31 DATA <<< 06/04/2008 09:45:31 354 go ahead >>> 06/04/2008 09:45:31 QUIT FF> 06/04/2008 09:46:32 . QUIT <FF 06/04/2008 09:46:32 421 Timeout. Talk faster next time. <XX 06/04/2008 09:46:32 250 ok 1212590792 qp 589 221 mail2.sts-llc.net 06/04/2008 09:46:32 CLOSED ---------------------------------------------------------------------------------------------------- This messages comes into my secondary server, which then gets forwarded to a couple users on my primary server, but this is the message transcript from that machine for one of those users: 06/04/2008 09:46:32 STARTED: VERSION = 3.1.8+TLS, PID = 20953 06/04/2008 09:46:32 LEGEND: To remote host = <<< ; to child process = >>> ; blocked by filter = <XX 06/04/2008 09:46:32 LEGEND: From filter to remote host = <FF ; from filter to child process = FF> <<< 06/04/2008 09:46:32 220 stscore01.sts-llc.net ESMTP >>> 06/04/2008 09:46:32 HELO mail2.sts-llc.net <<< 06/04/2008 09:46:32 250 stscore01.sts-llc.net >>> 06/04/2008 09:46:32 MAIL FROM:<[EMAIL PROTECTED]> <<< 06/04/2008 09:46:32 250 ok >>> 06/04/2008 09:46:32 RCPT TO:<[EMAIL PROTECTED]> <<< 06/04/2008 09:46:32 250 ok >>> 06/04/2008 09:46:32 DATA <<< 06/04/2008 09:46:32 354 go ahead >>> 06/04/2008 09:46:32 Received: (qmail 589 invoked from network); 4 Jun 2008 14:45:31 -0000 Received: from imo-d21.mx.aol.com (205.188.144.207) by mail2.sts-llc.net with SMTP; 4 Jun 2008 14:45:31 -0000 QUIT . <<< 06/04/2008 09:46:32 250 ok 1212590792 qp 20959 >>> 06/04/2008 09:46:32 QUIT <<< 06/04/2008 09:46:32 221 stscore01.sts-llc.net 06/04/2008 09:46:32 CLOSED D ----------------------------------------------------------------------------------------------------------------- And here is the resulting email message in their inbox: From: [EMAIL PROTECTED] Cc: recipient list not shown: ; Sent: Jun 4, 2008 09:46 Subject: QUIT _______________________________________________ spamdyke-users mailing list [email protected] http://www.spamdyke.org/mailman/listinfo/spamdyke-users
