FAQ
Hi.

I've noticed a number of attack-like "mail failures". The rate at
which we see them comes and goes at different times of the day; when
they're active they pass through at the rate of 1 or 2 per minute.

Here's an example, for the list alu-board-only at alu.org (we've seen
this for other alu.org lists too).

/var/log/maillog:
Mar 13 02:56:28 bibop postfix/smtpd[17886]: connect from localhost[127.0.0.1]
Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: client=localhost[127.0.0.1]
Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: reject: RCPT from localhost[127.0.0.1]: 450 <beverley at alu.org>: User unknown in local recipient table; from=<alu-board-only-bounces at alu.org> to=<beverley at alu.org> proto=ESMTP helo=<bibop.alu.org>
Mar 13 02:56:29 bibop postfix/smtpd[17886]: disconnect from localhost[127.0.0.1]

/usr/local/mailman/smtp-failure:
Mar 13 02:56:29 2005 (2547) All recipients refused: {'beverley at alu.org': (450, '<beverley at alu.org>: User unknown in local recipient table')}, msgid: <mailman.6.1110619218.2549.alu-board-only at alu.org>
Mar 13 02:56:29 2005 (2547) delivery to beverley at alu.org failed with code 450: <beverley at alu.org>: User unknown in local recipient table

/usr/local/mailman/smtp:
Mar 13 02:56:29 2005 (2547) <mailman.6.1110619218.2549.alu-board-only at alu.org> smtp for 1 recips, completed in 1.027 seconds

/usr/local/mailman/post:
Mar 13 02:56:29 2005 (2547) post to alu-board-only from alu-board-only-bounces at alu.org, size66, message-id=<mailman.6.1110619218.2549.alu-board-only at alu.org>, 1 failures

What I'd like to know is where (and from apparently who) this message
originated, but I can't figure out from these logs what's going on.

It looks like an attempt from the Outgoing qrunner to send mail to
alu-board-only (hence the alu-board-only-bounces return address), with
beverley at alu.org as one of the addressees, which doesn't make sense.

Any ideas?

Thanks,

- nick


  • Brad Knowles at Mar 13, 2005 at 2:40 pm

    At 11:40 AM +0000 2005-03-13, Nick Levine wrote:

    > /var/log/maillog:
    > Mar 13 02:56:28 bibop postfix/smtpd[17886]: connect from localhost[127.0.0.1]
    > Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: client=localhost[127.0.0.1]
    > Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: reject: RCPT from localhost[127.0.0.1]: 450 <beverley at alu.org>: User unknown in local recipient table; from=<alu-board-only-bounces at alu.org> to=<beverley at alu.org> proto=ESMTP helo=<bibop.alu.org>
    > Mar 13 02:56:29 bibop postfix/smtpd[17886]: disconnect from localhost[127.0.0.1]
    >
    > /usr/local/mailman/smtp-failure:
    > Mar 13 02:56:29 2005 (2547) All recipients refused: {'beverley at alu.org': (450, '<beverley at alu.org>: User unknown in local recipient table')}, msgid: <mailman.6.1110619218.2549.alu-board-only at alu.org>
    > Mar 13 02:56:29 2005 (2547) delivery to beverley at alu.org failed with code 450: <beverley at alu.org>: User unknown in local recipient table
    >
    > /usr/local/mailman/smtp:
    > Mar 13 02:56:29 2005 (2547) <mailman.6.1110619218.2549.alu-board-only at alu.org> smtp for 1 recips, completed in 1.027 seconds
    >
    > /usr/local/mailman/post:
    > Mar 13 02:56:29 2005 (2547) post to alu-board-only from alu-board-only-bounces at alu.org, size66, message-id=<mailman.6.1110619218.2549.alu-board-only at alu.org>, 1 failures
    >
    > What I'd like to know is where (and from apparently who) this message
    > originated, but I can't figure out from these logs what's going on.

    It looks to me like someone sent an e-mail message from
    beverley at alu.org to alu-board-only at alu.org, but there was an error
    (maybe this list is set up to reject messages from non-subscribers?),
    so Mailman tried to send an error back to beverley at alu.org. What
    you're seeing here is the bounce of that error message.

    If you really want to understand what happened, you have to go
    back an additional step -- you've got to find where someone claimed
    to be beverley at alu.org and sent the message to alu-board-only at alu.org.

    > It looks like an attempt from the Outgoing qrunner to send mail to
    > alu-board-only (hence the alu-board-only-bounces return address), with
    > beverley at alu.org as one of the addressees, which doesn't make sense.

    Actually, it's the other way around. See above.

    --
    Brad Knowles, <brad at stop.mail-abuse.org>

    "Those who would give up essential Liberty, to purchase a little
    temporary Safety, deserve neither Liberty nor Safety."

    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
    Assembly to the Governor, November 11, 1755

    SAGE member since 1995. See <http://www.sage.org/> for more info.
  • Mark Sapiro at Mar 13, 2005 at 4:06 pm

    Brad Knowles wrote:
    > At 11:40 AM +0000 2005-03-13, Nick Levine wrote:
    >
    >> /var/log/maillog:
    >> Mar 13 02:56:28 bibop postfix/smtpd[17886]: connect from localhost[127.0.0.1]
    >> Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: client=localhost[127.0.0.1]
    >> Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: reject: RCPT from localhost[127.0.0.1]: 450 <beverley at alu.org>: User unknown in local recipient table; from=<alu-board-only-bounces at alu.org> to=<beverley at alu.org> proto=ESMTP helo=<bibop.alu.org>
    >> Mar 13 02:56:29 bibop postfix/smtpd[17886]: disconnect from localhost[127.0.0.1]
    >>
    >> /usr/local/mailman/smtp-failure:
    >> Mar 13 02:56:29 2005 (2547) All recipients refused: {'beverley at alu.org': (450, '<beverley at alu.org>: User unknown in local recipient table')}, msgid: <mailman.6.1110619218.2549.alu-board-only at alu.org>
    >> Mar 13 02:56:29 2005 (2547) delivery to beverley at alu.org failed with code 450: <beverley at alu.org>: User unknown in local recipient table
    >>
    >> /usr/local/mailman/smtp:
    >> Mar 13 02:56:29 2005 (2547) <mailman.6.1110619218.2549.alu-board-only at alu.org> smtp for 1 recips, completed in 1.027 seconds
    >>
    >> /usr/local/mailman/post:
    >> Mar 13 02:56:29 2005 (2547) post to alu-board-only from alu-board-only-bounces at alu.org, size66, message-id=<mailman.6.1110619218.2549.alu-board-only at alu.org>, 1 failures
    >>
    >> What I'd like to know is where (and from apparently who) this message
    >> originated, but I can't figure out from these logs what's going on.
    >
    > It looks to me like someone sent an e-mail message from
    > beverley at alu.org to alu-board-only at alu.org, but there was an error
    > (maybe this list is set up to reject messages from non-subscribers?),
    > so Mailman tried to send an error back to beverley at alu.org. What
    > you're seeing here is the bounce of that error message.

    I agree with Brad that this is most likely, and if it is the case that
    non-member posts are rejected, you could temporarily change that to
    "hold" and then you can see the headers of the held message which will
    give more info.

    --
    Mark Sapiro <msapiro at value.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • Nick Levine at Mar 13, 2005 at 5:17 pm
    Mark / Brad,

    Many thanks for your mails.

    I have tracked down (most of) what's going on.

    vette:48:Mar 12 01:20:18 2005 (2549) alu-board-only post from beverley at alu.org held, message-id=<27673729.1097937559808.JavaMail.root at dezilu.com> : Post by non-member to a members-only list

    Because the sender was spoofed as coming from alu.org, the "you are on
    hold" message went to bibop's mail server, which happens to return the
    code 450 (= temporary failure?) for unknown users. It looks like
    mailman keeps trying to resend a 450 bounce, every 15(?) minutes.

    Bounces from other mail servers tend to carry the 550 code (=
    permanent failure?) and mailman gives up.

    Uhm, will it keep on doing this forever? It's tried sending to
    beverley over 130 times since yesterday morning.

    Regards,

    - nick
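    As an added, defender-side illustration (not code from this thread or from Mailman/Postfix), the following Python script correlates Postfix smtpd "reject: RCPT" lines from /var/log/maillog into the pattern Nick found: the same LIST-bounces sender repeatedly tempfailed (450) to an alu.org address that is not in the local recipient table, i.e. a held-post notice addressed to a spoofed local sender. The sample lines are constructed from the line in the original post, written with @ rather than the archive's " at " obfuscation; the later queue ids and timestamps are made up, and the year is assumed to be 2005 because syslog lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2005  # assumed: syslog timestamps carry no year

# Constructed sample modelled on the thread's maillog line: three tempfails of the
# same notice ~15 minutes apart, plus an unrelated permanent reject to leave alone.
SAMPLE_MAILLOG = """\
Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: reject: RCPT from localhost[127.0.0.1]: 450 <beverley@alu.org>: User unknown in local recipient table; from=<alu-board-only-bounces@alu.org> to=<beverley@alu.org> proto=ESMTP helo=<bibop.alu.org>
Mar 13 03:11:30 bibop postfix/smtpd[17990]: 3A9E412CCF0: reject: RCPT from localhost[127.0.0.1]: 450 <beverley@alu.org>: User unknown in local recipient table; from=<alu-board-only-bounces@alu.org> to=<beverley@alu.org> proto=ESMTP helo=<bibop.alu.org>
Mar 13 03:26:31 bibop postfix/smtpd[18102]: 5C0B112CCF7: reject: RCPT from localhost[127.0.0.1]: 450 <beverley@alu.org>: User unknown in local recipient table; from=<alu-board-only-bounces@alu.org> to=<beverley@alu.org> proto=ESMTP helo=<bibop.alu.org>
Mar 13 03:30:02 bibop postfix/smtpd[18140]: 7D1F212CD01: reject: RCPT from mail.example.net[192.0.2.10]: 550 <nobody@alu.org>: Recipient address rejected; from=<someone@example.net> to=<nobody@alu.org> proto=ESMTP helo=<mail.example.net>
"""

# Fields of a Postfix smtpd "reject: RCPT" line, in the format seen in the thread.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"reject: RCPT from (?P<client>\S+): (?P<code>\d{3}) <(?P<rcpt>[^>]+)>: "
    r"(?P<reason>[^;]+); from=<(?P<sender>[^>]*)> to=<[^>]*>"
)


def find_tempfail_loops(log_text, min_attempts=3, window=timedelta(hours=2)):
    """Group 4xx RCPT rejects by (sender, recipient, code) and report groups seen at
    least min_attempts times within window; also flag the thread's exact shape."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=YEAR)
        groups[(m["sender"], m["rcpt"], m["code"])].append((ts, m["qid"], m["reason"]))
    findings = []
    for (sender, rcpt, code), hits in sorted(groups.items()):
        hits.sort()
        if not code.startswith("4") or len(hits) < min_attempts:
            continue
        if hits[-1][0] - hits[0][0] > window:
            continue
        # Mailman envelope sender LIST-bounces@<our domain> -> unknown local user:
        # a notice to a spoofed local address that the MTA keeps deferring.
        rcpt_domain = rcpt.rsplit("@", 1)[-1]
        loop_like = (sender.endswith("-bounces@" + rcpt_domain)
                     and "User unknown in local recipient table" in hits[0][2])
        findings.append({
            "sender": sender, "recipient": rcpt, "code": int(code),
            "attempts": len(hits), "queue_ids": [q for _, q, _ in hits],
            "list_bounce_to_unknown_local": loop_like,
        })
    return findings
```

    Postfix's reply code for addresses missing from the local recipient table is set by unknown_local_recipient_reject_code, whose documented default is 550, so the 450 seen here is a local setting and is what turns a one-off rejection into a retry series.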
  • Brad Knowles at Mar 13, 2005 at 6:00 pm

    At 5:17 PM +0000 2005-03-13, Nick Levine wrote:

    > Because the sender was spoofed as coming from alu.org, the "you are on
    > hold" message went to bibop's mail server, which happens to return the
    > code 450 (= temporary failure?) for unknown users.

    That's a little unusual, but does happen sometimes.

    > It looks like
    > mailman keeps trying to resend a 450 bounce, every 15(?) minutes.

    It's not Mailman trying to resend the message. It's your MTA, to
    which Mailman handed over the message.

    > Bounces from other mail servers tend to carry the 550 code (=
    > permanent failure?) and mailman gives up.

    Again, it's not Mailman giving up. It's your MTA.

    > Uhm, will it keep on doing this forever? It's tried sending to
    > beverley over 130 times since yesterday morning.

    Your MTA will continue to try to re-send that message for the
    period of time that it is configured to do so. With the information
    you have available to you, you should be able to figure out which of
    the messages in the mail queue of your MTA is the one you want to
    delete, and then you can use the tools appropriate to your MTA to
    delete it.

    However, the MTA-specific aspects of this process are something
    you should pursue on a mailing list or newsgroup that is appropriate
    to your MTA (e.g., postfix-users), and not here.

    --
    Brad Knowles, <brad at stop.mail-abuse.org>

    "Those who would give up essential Liberty, to purchase a little
    temporary Safety, deserve neither Liberty nor Safety."

    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
    Assembly to the Governor, November 11, 1755

    SAGE member since 1995. See <http://www.sage.org/> for more info.
  • Nick Levine at Mar 13, 2005 at 6:03 pm
    Brad,

    > It's not Mailman trying to resend the message. It's your MTA,
    > to which Mailman handed over the message.

    Aha.

    > However, the MTA-specific aspects of this process are
    > something you should pursue on a mailing list or newsgroup that is
    > appropriate to your MTA (e.g., postfix-users), and not here.

    Of course. Thanks again.

    - nick

Discussion overview: group mailman-users (python); posted Mar 13, '05 at 11:40a; active Mar 13, '05 at 6:03p; 6 posts, 3 users; website list.org