Hi Casey,

I don't know if I understood very well all this evidence you have shown, but it appears to me you are not using the chkuser patch, right? If not, chkuser is a patch to qmail-smtpd that enables it to check the existence of a local user before accepting the message. Without it, qmail-smtpd has to accept every message destined for its local domains and try to deliver the messages later. If the delivery fails because the user doesn't exist, qmail will try to bounce the message to the sender, even if it's fake.

Chkuser also adds a lot of other nice features (it can reject messages from senders with strange patterns or with nonexistent domain names).
Its website is:
http://www.interazioni.it/opensource/chkuser/
A (hopefully) nice installation guide is:
http://www.qmailwiki.org/Simscan/Related_Docs/Simscan_ClamAV_Chkuser_Installation_Guide

regards,
bnegrao

What causes bounce messages to be sent to forged addresses?


server1# qmail-qread | grep remote | wc -l
0

server2# qmail-qread | grep remote | wc -l
754

hmmmm....

# find /var/qmail/queue/mess/ -type f -exec grep '^<[EMAIL PROTECTED]>:$' {} \; | grep -v Binary | cut -d '@' -f 2 | cut -d '>' -f 1 | sort | uniq | wc -l
19

Only 19 domains out of:

# cat /var/qmail/users/assign | wc -l
147

Of these,

# find /var/vpopmail/domains/ -type d -maxdepth 1 -mindepth 1 | wc -l
97

are real domains, the rest are alias domains.  Guessing by the
numbers, this doesn't matter.  As a matter of coincidence, none of
the 19 domains trying to send bounces are aliases.

Every single one of these 19 domains was migrated from an *old*
crusty Redhat 7.3 server with whatever version of vpopmail had been
new at the time.

# for i in `find /var/qmail/queue/mess/ -type f -exec grep '^<[EMAIL PROTECTED]>:$' {} \; | grep -v Binary | cut -d '@' -f 2 | cut -d '>' -f 1 | sort | uniq`; do grep "$i" /var/qmail/users/assign | sed -e "s/$i/DOMAIN_NAME/g"; done
+DOMAIN_NAME-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+DOMAIN_NAME-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+DOMAIN_NAME-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+REAL_DOMAIN-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+DOMAIN_NAME-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+DOMAIN_NAME-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+DOMAIN_NAME-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+DOMAIN_NAME-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+DOMAIN_NAME-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+DOMAIN_NAME-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+DOMAIN_NAME-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+DOMAIN_NAME-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+DOMAIN_NAME-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+REAL_DOMAIN-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+DOMAIN_NAME-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+DOMAIN_NAME-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+DOMAIN_NAME-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::
+DOMAIN_NAME-:DOMAIN_NAME:89:89:/var/vpopmail/domains/DOMAIN_NAME:-::

17 of the 19 are real domains, and the 2 which are aliases both
point to real domains which are in the list of 17.

All accounts look the same as far as I can tell:

# cat /var/vpopmail/domains/*/.qmail-default | sort | uniq
| /var/vpopmail/bin/vdelivermail '' bounce-no-mailbox

No unusual .qmail files:

# for i in `find /var/vpopmail/domains/*/.qmail-* -not -name '.qmail*owner'`; do cat "$i" | grep -v '^&[EMAIL PROTECTED]' | grep -v 'bounce-no-mailbox' | grep -v ezmlm; done | wc -l
0

# for i in `find /var/vpopmail/domains/*/*/.qmail`; do cat "$i" | grep -v '^| /usr/bin/maildrop'; done | wc -l
0

...and nothing unusual that I can spot, no obvious differences
between contents of the different domain directories, or files
contained within.

Every message in the queue looks like this one:

Received: (qmail 17683 invoked for bounce); 17 Jun 2005 09:48:53 +0000
Date: 17 Jun 2005 09:48:53 +0000
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: failure notice

Hi. This is the qmail-send program at stuart.seattleserver.com.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[EMAIL PROTECTED]>:
Sorry, no mailbox here by that name. (#5.1.1)

Any advice, please?

Cheers,
--
Casey Allen Shobe | http://casey.shobe.info
[EMAIL PROTECTED] | cell 425-443-4653
AIM & Yahoo:  SomeLinuxGuy | ICQ:  1494523
SeattleServer.com, Inc. | http://www.seattleserver.com
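The queue triage Casey does above with find/grep/cut, written as an added example that is not part of the thread: it walks qmail queue message files, keeps only those qmail-send generated as bounces ("invoked for bounce"), and tallies the local domains whose "no mailbox here by that name (#5.1.1)" failures produced them. Those are exactly the domains that accepted mail for nonexistent users at SMTP time and are now sending backscatter to forged senders. The sample messages and hostnames are constructed for the example; the mess/ path and the header/body format are the ones shown in the quoted message.

```python
import re
from collections import Counter
from pathlib import Path

# Header qmail-send puts on every bounce it generates (see the queued message above).
BOUNCE_RE = re.compile(r"^Received: \(qmail \d+ invoked for bounce\)", re.M)
# A "<user@domain>:" line followed by the one-line reason qmail-send reports for it.
FAILED_RCPT_RE = re.compile(r"^<[^<>@\s]+@([^<>\s]+)>:[ \t]*\n([^\n]*)", re.M)

def classify_message(text):
    """Return (is_bounce, [(failed_domain, reason), ...]) for one queue message."""
    if not BOUNCE_RE.search(text):
        return False, []
    return True, [(d.lower(), r.strip()) for d, r in FAILED_RCPT_RE.findall(text)]

def backscatter_by_domain(messages):
    """Count queued bounces caused by 'no mailbox' (#5.1.1) failures, per local domain.
    A domain listed here accepted mail for a nonexistent user instead of rejecting it."""
    counts = Counter()
    for text in messages:
        is_bounce, failures = classify_message(text)
        for domain, reason in (failures if is_bounce else []):
            if "#5.1.1" in reason:
                counts[domain] += 1
    return counts

def read_queue(mess_dir="/var/qmail/queue/mess"):
    """Read every message file under the qmail queue's mess/ tree (needs root)."""
    return [p.read_text(errors="replace") for p in Path(mess_dir).rglob("*") if p.is_file()]

# Constructed samples in the format of the bounce quoted in the thread (hostnames made up).
def sample_bounce(failed_rcpt, reason):
    return ("Received: (qmail 17683 invoked for bounce); 17 Jun 2005 09:48:53 +0000\n"
            "Date: 17 Jun 2005 09:48:53 +0000\nFrom: MAILER-DAEMON@mx.example.net\n"
            "To: forged-sender@example.org\nSubject: failure notice\n\n"
            "Hi. This is the qmail-send program at mx.example.net.\n"
            "I'm afraid I wasn't able to deliver your message to the following addresses.\n"
            "This is a permanent error; I've given up. Sorry it didn't work out.\n\n"
            f"<{failed_rcpt}>:\n{reason}\n")

NO_MAILBOX = "Sorry, no mailbox here by that name. (#5.1.1)"
SAMPLE_QUEUE = [
    sample_bounce("nobody@alpha.example.com", NO_MAILBOX),
    sample_bounce("other@Alpha.example.com", NO_MAILBOX),
    sample_bounce("someone@beta.example.com", "Sorry, I couldn't find any host by that name. (#4.1.2)"),
    "Received: (qmail 101 invoked from network); 17 Jun 2005 09:40:00 +0000\n"
    "From: a@example.org\nTo: b@alpha.example.com\nSubject: hi\n\nhello\n",
]

if __name__ == "__main__":
    for domain, n in backscatter_by_domain(SAMPLE_QUEUE).most_common():
        print(f"{n:6d}  {domain}")
```

On a live server replace SAMPLE_QUEUE with read_queue(); a domain that shows up in the tally is one where qmail-smtpd accepted the recipient and vdelivermail's bounce-no-mailbox generated the failure notice afterwards.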