Ubuntu server sends spam (postfix) - email

I found out that my server is sending spam. The spam is sent by the Postfix server. It has a large queue of emails that are going to be sent without my help. I can't understand which script is adding these emails to the Postfix queue.
Now I have these questions:
How do I determine what script is adding mails to the Postfix queue?
How do I clear the Postfix queue of spam? (All emails are spam; there are no emails sent by me.)
Why are the reports received by user123? (user123 is an Ubuntu user; the name is not the original one, it was changed for security reasons.)
Report from /var/mail/user123:
From MAILER-DAEMON Tue Nov 11 04:01:47 2014
Return-Path: <>
X-Original-To: user123@ubuntu
Delivered-To: user123@ubuntu
Received: by ubuntu (Postfix)
    id 8F0D227364; Mon, 10 Nov 2014 15:15:52 -0500 (EST)
Date: Mon, 10 Nov 2014 15:15:52 -0500 (EST)
From: MAILER-DAEMON@ubuntu (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: user123@ubuntu
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="C0BE92ECAB.1415650552/ubuntu"
Message-Id: <20141110201552.8F0D227364@ubuntu>

This is a MIME-encapsulated message.

--C0BE92ECAB.1415650552/ubuntu
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host ubuntu.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<quirin.cyrille@orange.fr>: delivery temporarily suspended: host
    smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c20 ME
    Adresse IP source bloquee pour incident de spam. Client host blocked for
    spamming issues. OFR006_102 Ref
    http://csi.cloudmark.com/reset-request/?ip=74.218.214.24 [102]

--C0BE92ECAB.1415650552/ubuntu
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; ubuntu
X-Postfix-Queue-ID: C0BE92ECAB
X-Postfix-Sender: rfc822; user123@ubuntu
Arrival-Date: Wed, 5 Nov 2014 13:50:50 -0500 (EST)

Final-Recipient: rfc822; quirin.cyrille@orange.fr
Action: failed
Status: 4.0.0
Diagnostic-Code: X-Postfix; delivery temporarily suspended: host
    smtp-in.orange.fr[80.12.242.9] refused to talk to me: 550 mwinf5c20 ME
    Adresse IP source bloquee pour incident de spam. Client host blocked for
    spamming issues. OFR006_102 Ref
    http://csi.cloudmark.com/reset-request/?ip=74.218.214.24 [102]

--C0BE92ECAB.1415650552/ubuntu
Content-Description: Undelivered Message Headers
Content-Type: text/rfc822-headers

Return-Path: <user123@ubuntu>
Received: by ubuntu (Postfix, from userid 1006)
    id C0BE92ECAB; Wed, 5 Nov 2014 13:50:50 -0500 (EST)
From: =?UTF-8?B?T25seSBDYXNpbm8=?= <only_casino@bingo-chips.us>
To: "MOIDU88480" <quirin.cyrille@orange.fr>
Subject: =?UTF-8?B?Qm9uam91ciBNT0lEVTg4NDgwLiBWZWdhcyBEYXlzIENhc2lubyAtIExhcyBWZWdhcyBzJ2ludml0ZSBjaGV6IHZvdXMgc3VyIFZlZ2FzIERheSBDYXNpbm8h?=
Content-Type: multipart/mixed; boundary="PHP-mixed-3b3472b0874837cf2218d941eec5b6d8"
Message-Id: <20141105185050.C0BE92ECAB@ubuntu>
Date: Wed, 5 Nov 2014 13:50:50 -0500 (EST)

--C0BE92ECAB.1415650552/ubuntu--
Googling gives no results.
My Google search queries could be wrong, but I really need to fix this problem.
So any help is appreciated.
If I can provide more useful information, please ask for it in the comments.
P.S. The server is hosting Magento and WordPress sites.
P.P.S. 74.218.214.24 is the IP of my dedicated server; it is not the original one, it was changed in this post for security reasons.
UPDATE
Some lines from /var/log/mail.log:
Nov 9 06:40:05 u17135818 postfix/smtp[10428]: 65EDE3C718: to=<mywookie@ymail.com>, relay=mta6.am0.yahoodns.net[98.136.216.25]:25, delay=7.7, delays=7.4/0/0.19/0.06, dsn=5.7.1, status=bounced (host mta6.am0.yahoodns.net[98.136.216.25] said: 553 5.7.1 [BL21] Connections will not be accepted from 74.218.214.24, because the ip is in Spamhaus's list; see http://postmaster.yahoo.com/550-bl23.html (in reply to MAIL FROM command))
Nov 9 06:40:05 u17135818 postfix/smtp[10428]: 65EDE3C718: lost connection with mta6.am0.yahoodns.net[98.136.216.25] while sending RCPT TO
Nov 9 06:40:05 u17135818 postfix/pickup[10080]: 1338B3ED4A: uid=1006 from=<user123>
Nov 9 06:40:05 u17135818 postfix/cleanup[12998]: 1338B3ED4A: message-id=<20141109114005.1338B3ED4A@ubuntu>
Nov 9 06:40:05 u17135818 postfix/cleanup[13261]: 133D53ED54: message-id=<20141109114005.133D53ED54@ubuntu>
Nov 9 06:40:05 u17135818 postfix/smtp[10424]: DECBB27368: to=<toshiki_6@hotmail.com>, relay=mx2.hotmail.com[207.46.8.199]:25, delay=9.6, delays=9.3/0.02/0.19/0.06, dsn=5.0.0, status=bounced (host mx2.hotmail.com[207.46.8.199] said: 550 OU-002 (BAY004-MC6F11) Unfortunately, messages from 74.218.214.24 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL FROM command))
Nov 9 06:40:05 u17135818 postfix/smtp[12030]: EFA783D645: to=<festefaen@gmail.com>, relay=gmail-smtp-in.l.google.com[2607:f8b0:4001:c08::1b]:25, delay=7.3, delays=6.6/0/0.09/0.64, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2607:f8b0:4001:c08::1b] said: 550-5.7.1 [2607:f1c0:841:fe00::66:d8fd 12] Our system has detected that 550-5.7.1 this message is likely unsolicited mail. To reduce the amount of spam 550-5.7.1 sent to Gmail, this message has been blocked. Please visit 550-5.7.1 http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550 5.7.1 more information. sd5si10854734igb.33 - gsmtp (in reply to end of DATA command))
...
Nov 11 04:01:54 u17135818 postfix/smtp[17765]: E01792762C: host mx1.free.fr[212.27.48.6] said: 451 too many errors detected from your IP (74.218.214.24), please visit http://postmaster.free.fr/ (in reply to DATA command)
Nov 11 04:01:54 u17135818 postfix/smtp[17797]: 953592B312: host cluster1.eu.messagelabs.com[85.158.143.99] refused to talk to me: 450 Requested action aborted [7.2] 21614, please visit www.messagelabs.com/support for more details about this error message.
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: C7D883257C: from=<user123@ubuntu>, status=expired, returned to sender
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: 0799A259AD: removed
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: 90F4332280: removed
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: 67B8B2E7C7: from=<user123@ubuntu>, status=expired, returned to sender
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: 9063532F5D: removed
Nov 11 04:01:54 u17135818 postfix/qmgr[17712]: EE4222A874: removed
Nov 11 04:01:54 u17135818 postfix/smtp[17724]: 61C22360A0: to=<lgennuso@princetonhcs.org>, relay=smtp4.princetonhcs.org[209.123.81.114]:25, delay=381492, delays=381485/5.6/0.59/0, dsn=4.5.0, status=deferred (host smtp4.princetonhcs.org[209.123.81.114] refused to talk to me: 550 5.5.0 74.218.214.24 is blacklisted by FortiGuard. This email from IP has been rejected. The email message was detected as spam.)
Nov 11 04:01:54 u17135818 postfix/smtp[17800]: 61B3A3AD2C: to=<bigboy@starbucks.org>, relay=none, delay=259892, delays=259884/2.2/5.5/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=starbucks.org type=MX: Host not found, try again)
Nov 11 04:01:54 u17135818 postfix/smtp[17787]: CD3312175D: host mx1.free.fr[212.27.48.7] said: 451 too many errors detected from your IP (74.218.214.24), please visit http://postmaster.free.fr/ (in reply to DATA command)
Nov 11 04:01:54 u17135818 postfix/smtp[17819]: 780C624266: to=<max.charlene@aliceadsl.fr>, relay=mx1.free.fr[212.27.48.7]:25, conn_use=5, delay=227385, delays=227377/6.5/0.66/0.34, dsn=4.0.0, status=deferred (host mx1.free.fr[212.27.48.7] said: 451 too many errors detected from your IP (74.218.214.24), please visit http://postmaster.free.fr/ (in reply to DATA command))
Nov 11 04:01:54 u17135818 postfix/smtp[17778]: CE12E26756: to=<rcataldo@laposte.net>, relay=smtpz4.laposte.net[194.117.213.1]:25, delay=133031, delays=133023/6.5/0.79/0.27, dsn=5.0.1, status=bounced (host smtpz4.laposte.net[194.117.213.1] said: 501 5.0.1 Emetteur invalide. Invalid Sender. LPN007_405 (in reply to MAIL FROM command))

It looks like one service or piece of software is triggering these mails. You can block all outgoing mail from Postfix by using the mail relaying options for external domains; this is possible if you don't want to send any mail from your machine.
You can check the mail log file inside /var/log; that will give more details. Also check the command mailq to see how many mails are pending.
Update:
Have you allowed any other people in your network to send mail through your machine? Then you can suspect that case. A few things I can notice from the log are:
The mail is being rejected by the receiver end, saying your public IP is flooding mails.
If these mails are coming periodically and not from any other machines in your network, then you have to find out which process or application is doing this. For that you have to use tcpdump and monitor the TCP packets. From that you can see that the mail client first pushes the mail to your local Postfix server, and then it is forwarded to the target mail server.
This is the way I can see to find out which application is sending mails from your computer.
Hope this will help you figure out the culprit.
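The answer above suggests mailq and tcpdump, but the log and bounce already posted in the question identify the injection path without any packet capture: every spam message is logged by postfix/pickup with uid=1006, which means a local process running as that user handed it to the sendmail command (the bounce's "Received: by ubuntu (Postfix, from userid 1006)" says the same), and the message boundary "PHP-mixed-..." points at a PHP script building the mail. The shell script below is an added example and not part of the answer or the question: it counts pickup entries per uid over a constructed copy of such log lines, resolves the uid against a passwd-format file, and reads the X-PHP-Originating-Script header that PHP adds to every mail() message once mail.add_x_header is enabled in php.ini. The log lines, the passwd file, the message and the script name mailer.php are constructed; the queue commands in the comments are standard Postfix tools.

```sh
#!/bin/sh
# Added example, not from the original post: triage an outbound spam run that
# enters Postfix through the local pickup service (uid=NNNN in mail.log).
set -eu

# Constructed sample of /var/log/mail.log lines (same format as in the question).
make_sample_log() {
  cat > "$1" <<'EOF'
Nov  9 06:40:05 u17135818 postfix/pickup[10080]: 1338B3ED4A: uid=1006 from=<user123>
Nov  9 06:40:05 u17135818 postfix/cleanup[12998]: 1338B3ED4A: message-id=<20141109114005.1338B3ED4A@ubuntu>
Nov  9 06:40:05 u17135818 postfix/pickup[10080]: 133D53ED54: uid=1006 from=<user123>
Nov  9 06:40:06 u17135818 postfix/pickup[10080]: 2A0F13ED60: uid=0 from=<root>
Nov  9 06:40:07 u17135818 postfix/pickup[10080]: 2B1C03ED61: uid=1006 from=<user123>
EOF
}

# Messages submitted locally, counted per uid, busiest first ("count uid").
pickup_counts() {
  sed -n 's/.*postfix\/pickup\[[0-9]*]: [0-9A-F]*: uid=\([0-9]*\) .*/\1/p' "$1" |
    sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# The uid behind most submissions.
top_uid() { pickup_counts "$1" | head -n 1 | awk '{print $2}'; }

# Map a uid to "login:home" using a passwd-format file (/etc/passwd on a host).
# The home directory is where the web root, and the script, usually lives.
uid_to_user() {
  awk -F: -v uid="$2" '$3 == uid { print $1 ":" $6; exit }' "$1"
}

# With mail.add_x_header = On in php.ini, PHP stamps every mail() message with
# "X-PHP-Originating-Script: <uid>:<script basename>" (mail.log = <file> also
# records caller and script per message). Read that header from a message
# dumped with "postcat -q <queue-id>" or from the bounce's attached headers.
originating_script() {
  sed -n 's/^X-PHP-Originating-Script:[[:space:]]*//p' "$1" | head -n 1
}

# Constructed message headers, as postcat -q would print them.
make_sample_message() {
  cat > "$1" <<'EOF'
Received: by ubuntu (Postfix, from userid 1006)
    id C0BE92ECAB; Wed, 5 Nov 2014 13:50:50 -0500 (EST)
X-PHP-Originating-Script: 1006:mailer.php
From: Only Casino <only_casino@example.net>
Content-Type: multipart/mixed; boundary="PHP-mixed-3b3472b0874837cf2218d941eec5b6d8"
EOF
}

# On the real host, once the offending script is found and disabled:
#   postqueue -p | tail -n 1           # how many messages are still queued
#   postcat -q <queue-id> | head -n 40 # inspect one; look for the X-PHP header
#   postsuper -d ALL                   # drop the whole queue (all of it is spam here)
```

Run it against the real log with pickup_counts /var/log/mail.log; with a web server executing PHP as a dedicated user, the uid it reports is the site to inspect, and the X-PHP-Originating-Script header then names the file.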

Related

Postfix possible SMTP attack and blacklist

I have Plesk 12.5.30 on my server, which is often blacklisted on Symantec Mail Security reputation.
The IP is new (I purchased the server on 13.02.2017).
Also my IP is blacklisted on BACKSCATTERER.
Looking at the Postfix log, I have a lot of entries like
Mar 22 14:51:43 server postfix/smtpd[14204]: connect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:45 server postfix/smtpd[14204]: lost connection after EHLO from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:45 server postfix/smtpd[14204]: disconnect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:50 server postfix/smtpd[14204]: connect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:51:51 server postfix/smtpd[14204]: lost connection after EHLO from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:51:51 server postfix/smtpd[14204]: disconnect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:52:19 server postfix/smtpd[14204]: connect from mail.dedeckeraccountants.be[91.183.46.186]
Mar 22 14:52:19 server postfix/smtpd[14204]: disconnect from mail.dedeckeraccountants.be[91.183.46.186]
I have
Changed the SMTP port to a non-standard one (9456)
Installed a firewall and fail2ban on Plesk and set them up as in the image
Set the mail settings of Plesk as in the image
Installed SpamAssassin
I have also noticed that some days ago I had lines in the log like these
Mar 19 06:47:00 server postfix/smtp[13517]: CCC1C510023D: to=<229e7dc3183452c7d3290d1ba28f073e@www.lablue.de>, relay=none, delay=235637, delays=235636/0.05/0.09/0, dsn=4.4.1, status=deferred (connect to www.lablue.de[217.22.195.26]:25: Connection refused)
Mar 19 06:47:00 server postfix/smtp[13503]: 7EDD55100138: to=<Weber226@brockel.kirche-rotenburg.de>, relay=kirche-rotenburg-verden.de[136.243.213.122]:25, delay=239980, delays=239979/0.01/0.35/0.1, dsn=4.0.0, status=deferred (host kirche-rotenburg-verden.de[136.243.213.122] said: 451 Temporary local problem - please try later (in reply to RCPT TO command))
Mar 19 06:47:00 server postfix/smtp[13504]: 97B055100233: to=<office@angerlehner.at>, relay=none, delay=222922, delays=222922/0.01/0.64/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=angerlehner.at type=MX: Host not found, try again)
Mar 19 06:47:00 server postfix/smtp[13509]: 1E15F510019B: host mx1.leventboru.com.tr[89.19.1.69] said: 450 4.7.1 Recipient address rejected: Requested action not taken: mailbox unavailable or not local (in reply to RCPT TO command)
And I noticed a very long mail queue in the Plesk settings (I have deleted all mail in the queue).
Any advice to block this attack?
Thanks in advance
Edit: I want to share my plesk-postfix settings
[plesk-postfix]
enabled = true
filter = postfix-sasl
action = iptables-multiport[name="plesk-postfix", port="http,https,smtp,submission,pop3,pop3s,imap,imaps,sieve", protocol=tcp]
logpath = /var/log/maillog
maxretry = 2
Is there something I can improve here?
You might consider using a Fail2Ban filter with the following regex expressions:
failregex = ^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$
If you need further Fail2Ban regex expressions, please consider adding the corresponding log file entries, because some general standard ones may not suit your needs and/or the qmail/postfix/imap-courier/dovecot version installed on your server. ;-)
Edit:
In order to be more precise, I now add the full suggestion, including the regex that @MattiaDiGiuseppe already used in his comments; it's just a bit better formatted this way.
[Definition]
_daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds]
failregex = ^%(__prefix_line)swarning: (.*?)does not resolve to address <HOST>: Name or service not known$
^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 554 5\.7\.1 .* Relay access denied.*$
^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: lost connection$
^%(__prefix_line)sSSL_accept error from \S+\s*\[<HOST>\]: -1$
^%(__prefix_line)slost connection after (AUTH|UNKNOWN|EHLO) from [^\[]*\[<HOST>\]\s*$
ignoreregex = authentication failed: Connection lost to authentication server$
Please consider having a look at all the standard filters (for Fail2Ban 0.10 AND older versions) by visiting:
=> https://github.com/fail2ban/fail2ban/tree/0.10/config/filter.d
If you want to view the standard ones for older versions, just click on the "Branch: 0.10" dropdown button.
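Before enabling a filter like the one above, it is worth seeing what it would actually match and ban (fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/plesk-postfix.conf does this against the real filter file). The shell script below is an added example, not part of the answer: it applies grep -E equivalents of the failregex lines to constructed maillog lines in the format of the question, extracts the client address that fail2ban would capture as <HOST>, and lists the hosts at or above the jail's maxretry. One caveat the question itself supports: "lost connection after EHLO" lines are probes that Postfix already turned away, and a jail only bans connecting clients; the BACKSCATTERER listing concerns bounces the server sends out, so the deferred outbound entries in the second log excerpt (mail to addresses such as 229e7dc3183452c7d3290d1ba28f073e@www.lablue.de) need to be traced separately from the inbound noise.

```sh
#!/bin/sh
# Added example, not from the original answer: emulate the plesk-postfix
# fail2ban filter against sample maillog lines and report ban candidates.
set -eu

# Constructed maillog lines (same format as the question's log excerpt).
make_sample_maillog() {
  cat > "$1" <<'EOF'
Mar 22 14:51:43 server postfix/smtpd[14204]: connect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:45 server postfix/smtpd[14204]: lost connection after EHLO from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:45 server postfix/smtpd[14204]: disconnect from 75-143-80-240.dhcp.aubn.al.charter.com[75.143.80.240]
Mar 22 14:51:50 server postfix/smtpd[14204]: connect from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:51:51 server postfix/smtpd[14204]: lost connection after EHLO from 128.128.72.76.cable.dhcp.goeaston.net[76.72.128.128]
Mar 22 14:52:19 server postfix/smtpd[14204]: connect from mail.dedeckeraccountants.be[91.183.46.186]
Mar 22 14:52:19 server postfix/smtpd[14204]: disconnect from mail.dedeckeraccountants.be[91.183.46.186]
Mar 22 14:53:02 server postfix/smtpd[14210]: lost connection after AUTH from unknown[75.143.80.240]
Mar 22 14:53:40 server postfix/smtpd[14211]: warning: unknown[75.143.80.240]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar 22 14:54:01 server postfix/smtpd[14212]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <x@example.org>: Relay access denied; from=<a@example.net> to=<x@example.org> proto=ESMTP helo=<z>
Mar 22 14:55:10 server postfix/smtpd[14213]: warning: hostname host.example.invalid does not resolve to address 198.51.100.9: Name or service not known
EOF
}

# Lines the filter would match, reduced to the address fail2ban captures as
# <HOST>. The first grep is the filter's _daemon prefix, the second its
# failregex alternatives, both rewritten as extended regexes.
failing_hosts() {
  grep -E 'postfix(-[[:alnum:]_]+)?/(submission/|smtps/)?smtp[ds]\[[0-9]+\]: ' "$1" |
  grep -E 'lost connection after (AUTH|UNKNOWN|EHLO) from |SASL (LOGIN|PLAIN|CRAM-MD5|DIGEST-MD5) authentication failed|554 5\.7\.1 .* Relay access denied|SSL_accept error from |does not resolve to address ' |
  sed -n -e 's/.*does not resolve to address \([0-9.]*\):.*/\1/p' \
         -e 's/.*\[\([0-9.]*\)\].*/\1/p'
}

# Hosts with at least $2 matches, i.e. what the jail bans with maxretry = $2
# (ignoring findtime, which this offline check does not model).
ban_candidates() {
  failing_hosts "$1" | sort | uniq -c | awk -v max="$2" '$1 >= max { print $2 }'
}
```

With the question's maxretry = 2 the sample bans only 75.143.80.240 (one EHLO drop, one AUTH drop, one SASL failure); the single-probe hosts are left alone, which is the reason to keep maxretry above 1 on a public MX.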

Sendmail not able to send to Gmail accounts

I'm running a small IRCd on a VPS. No firewall. When users register their nicks, a confirmation email is sent out to them by Sendmail to the email address they entered during registration. All but Gmail users get the email. I found this and made an SPF record using my IP address and placed it in my MX record:
"v=spf1 ip4:168.235.75.84 include:_spf.google.com ~all"
But Gmail emails still aren't received. Here's some text from /var/mail/root:
   ----- The following addresses had permanent fatal errors -----
<email.address@gmail.com>
    (reason: 550-5.7.1 [2604:180:3:284::8c64] Our system has detected that this message does)

   ----- Transcript of session follows -----
... while talking to gmail-smtp-in.l.google.com.:
>>> DATA
<<< 550-5.7.1 [2604:180:3:284::8c64] Our system has detected that this message does
<<< 550-5.7.1 not meet IPv6 sending guidelines regarding PTR records and
<<< 550-5.7.1 authentication. Please review
<<< 550-5.7.1 https://support.google.com/mail/?p=ipv6_authentication_error for more
<<< 550 5.7.1 information. hn5si5276310pac.203 - gsmtp
554 5.0.0 Service unavailable

--u4AMhua5032690.1462920236/xtremeirc.net
Content-Type: message/delivery-status

Reporting-MTA: dns; xtremeirc.net
Received-From-MTA: DNS; localhost.localdomain
Arrival-Date: Tue, 10 May 2016 18:43:55 -0400

Final-Recipient: RFC822; email.address@gmail.com
Action: failed
Status: 5.7.1
Remote-MTA: DNS; gmail-smtp-in.l.google.com
Diagnostic-Code: SMTP; 550-5.7.1 [2604:180:3:284::8c64] Our system has detected that this message does
Last-Attempt-Date: Tue, 10 May 2016 18:43:56 -0400

--u4AMhua5032690.1462920236/xtremeirc.net
Content-Type: text/rfc822-headers

Return-Path: <root@xtremeirc.net>
Received: from xtremeirc.net (localhost.localdomain [127.0.0.1])
    by xtremeirc.net (8.14.4/8.14.4/Debian-8) with ESMTP id u4AMhsa5032688;
    Tue, 10 May 2016 18:43:55 -0400
Received: (from root@localhost)
    by xtremeirc.net (8.14.4/8.14.4/Submit) id u4AMhsQs032687;
    Tue, 10 May 2016 18:43:54 -0400
Date: Tue, 10 May 2016 18:43:54 -0400
From: root <root@xtremeirc.net>
Message-Id: <201605102243.u4AMhsQs032687@xtremeirc.net>

--u4AMhua5032690.1462920236/xtremeirc.net--
For what it's worth, I have an IPv6 address set up for my domain.
I'm out of my league on this and don't know what I'm doing wrong here. If I need to post more information, please advise. Thanks.
Your SPF record should include your IPv6 address.
"v=spf1 ip4:168.235.75.84 ip6:2604:180:3:284::8c64 include:_spf.google.com ~all"

mail not sending to hotmail and gmail

I have a problem with sending email from my server to Hotmail and Gmail. It seems the mail is just dropped: no returned bounce email notices etc. The emails just vanish. I have looked around for solutions on the net but nothing seems to help. Below are the email headers of one mail which was sent correctly to another big provider, without any problem. As I can't make any sense of why Hotmail is rejecting these mails, I hope someone can make something of it and give me directions to a solution:
Return-Path: <s----@----.nl>
Delivered-To: <s----@ziggo.nl>
Received: from md2.tb.mail.iss.local ([212.54.34.152])
    by mc7.tb.mail.iss.local (Dovecot) with LMTP id lQqGGXGJuFUZJAAAqQNqOQ
    for <s----@ziggo.nl>; Wed, 29 Jul 2015 10:10:01 +0200
Received: from mx24.gn.mail.iss.as9143.net ([212.54.34.152])
    by md2.tb.mail.iss.local (Dovecot) with LMTP id lPAPLTGvolV/XgAAH7GgQA
    ; Wed, 29 Jul 2015 10:12:41 +0200
Received: from mail.lastikweb.eu ([185.10.49.172])
    by mx24.gn.mail.iss.as9143.net with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
    (Exim 4.82)
    (envelope-from <s----@----.nl>)
    id 1ZKMR6-0001UG-T6
    for sleenheer@ziggo.nl; Wed, 29 Jul 2015 10:10:00 +0200
Received: from localhost ([127.0.0.1] helo=aicit.nl)
    by mail.lastikweb.eu with esmtpa (Exim 4.76)
    (envelope-from <s----@----.nl>)
    id 1ZKMR6-0001R8-EW
    for s----@ziggo.nl; Wed, 29 Jul 2015 10:10:00 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8;
    format=flowed
Content-Transfer-Encoding: 7bit
Date: Wed, 29 Jul 2015 10:10:00 +0200
From: s----@----.nl
To: s----@ziggo.nl
Subject: mail headers
Message-ID: <8670b9ca857e112fbc307d29ee84ccb2@aicit.nl>
X-Sender: s----@----.nl
User-Agent: Roundcube Webmail/0.9.5
X-Ziggo-spamsetting: Instelling=Gemiddeld Scorelimiet=14
X-Ziggo-spambar: /
X-Ziggo-spamscore: 0.0
X-Ziggo-spamreport: CMAE Analysis: v=2.1 cv=DeLq0aZW c=1 sm=0 tr=0 a=cWpRTkv7rqSFuHP3f9xSTw==:17 a=XVisR3dVAAAA:8 a=cIF5Tx0qAAAA:8 a=drCK43fGrOkA:10 a=IkcTkHD0fZMA:10 a=zOBTXjUuO1YA:10 a=nS36O97Bj3wUElCrIrAA:9 a=QEXdDO2ut3YA:10 xcat=Undefined/Undefined
    none
X-Ziggo-Spam-Status: No
X-Spam-Status: No
X-Spam-Flag: No

test
I have DKIM installed and tested all settings with mxtoolbox (DNS, SMTP etc.); all seems to be right, but still Hotmail and Gmail are not accepting emails from my server (which holds about 25 domains, all sending through this server).
Thanks!
Gmail ending up in spam is related to the designated user not being able to send out through the main server. In case you have a server mail.server.com and you are sending mail with my.domain.com, the SPF record needs to hold the ip6 of mail.server.com. Obviously rDNS needs to be correct. For the Hotmail problem, this is purely Microsoft. You can check with support from outlook.com, but the only thing you get is "we don't block your server, although some emails are filtered. This can be caused by mitigation time, which can take up to 48 hours". That's it. No messages are returned, simply dropped. Maybe msn.com, outlook.com and live.com are experiencing the same problem.

Numerous emails saying "Failure Notice"

I've been frequently receiving emails with the subject line "failure notice", and I've included one example below.
Should I be concerned about this, and what actions, if any, do I have available, as it looks like my email address is being used as the return path?
Note I have changed the details slightly to "mydomain.co.uk", the email that is not mine to "removed_not_my_email@yahoo.com" and my email to "my_email@mydomain.co.uk".
Hi. This is the qmail-send program at mydomain.co.uk.
I tried to deliver a bounce message to this address, but the bounce bounced!

<removed_not_my_email@yahoo.com>:
98.136.217.202 failed after I sent the message.
Remote host said: 554 delivery error: dd This user doesn't have a yahoo.com account (removed_not_my_email@yahoo.com) [0] - mta1335.mail.gq1.yahoo.com

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 9093 invoked for bounce); 12 Mar 2014 11:08:39 +0100
Date: 12 Mar 2014 11:08:39 +0100
From: MAILER-DAEMON@mydomain.co.uk
To: removed_not_my_email@yahoo.com
Subject: failure notice

Hi. This is the qmail-send program at mydomain.co.uk.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<moggiex@gmail.com>:
173.194.68.26 failed after I sent the message.
Remote host said: 552-5.7.0 This message was blocked because its content presents a potential
552-5.7.0 security issue. Please visit http://support.google.com/mail/bin/answe
552-5.7.0 r.py?answer=6590 to review our message content and attachment content
552 5.7.0 guidelines. s4si12659992qan.75 - gsmtp

--- Below this line is a copy of the message.

Return-Path: <removed_not_my_email@yahoo.com>
Received: (qmail 9089 invoked by uid 110); 12 Mar 2014 11:08:37 +0100
Delivered-To: mydomain.co.uk-my_email@mydomain.co.uk
Received: (qmail 9083 invoked from network); 12 Mar 2014 11:08:37 +0100
Received: from triband-del-59.177.226.218.bol.net.in (59.177.226.218)
    by mydomain.co.uk with SMTP; 12 Mar 2014 11:08:32 +0100
Received: from apache by sdsgtchsccutvijfsjftr. with local (Exim 4.63)
    (envelope-from <removed_not_my_email@yahoo.com>)
    id YMVXBT-G78HLB-XN
    for <my_email@mydomain.co.uk>; Wed, 12 Mar 2014 15:38:31 +0530
To: <my_email@mydomain.co.uk>
Subject: Image has been sent my_email
Date: Wed, 12 Mar 2014 15:38:31 +0530
From: "Evernote service" <removed_not_my_email@yahoo.com>
Message-ID: <7CC92FB2B133AA0F3984DE6BA6E33439@sdsgtchsccutvijfsjftr.>
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
etc...
There is no verification of the sender in SMTP. Anyone can send email from whatever email address they can think of.
Spam and malware are distributed using this fact, circumventing certain spam filters because the sender address/return path seems legitimate.
The notice that the 'content presents a potential 552-5.7.0 security issue' could mean that an executable was attached. Maybe harmless, but probably a virus or malware.
Not nice, but also not much you can do about it.
To avoid your email address being used in the future as the source of this practice, protect your email address.
Don't post it on web pages in clear.
Use a temporary email address when subscribing to sites and/or mailing lists.

Outgoing mail is ending up in spam

I have a problem with all the mails sent from my company often ending up in the recipients' spam folder. It's from approximately 5-6 different mail addresses sending from the same mail server. We have a dedicated server that is both hosting our website as well as managing all mails and so forth.
We usually don't get any error messages when the mails either never arrive or end up in the recipients' spam folder.
But we received this one error message, so I hope you have an idea of what to do to keep our mails out of the spam folders. We might have to hire external developers to take care of the problem; I just want to get an idea of what the problem is, so I know if I can fix it or can tell the developers what to do.
"ANON" is put in to keep the mails involved anonymous. Should I delete anything else?
Error message:
-----Original message-----
From: Mail Delivery Subsystem [mailto:mailer-daemon@googlemail.com]
Sent: 27 September 2013 08:26
To: support@example.com
Subject: Delivery Status Notification (Failure)
Delivery to the following recipient failed permanently:
ANON@ANON.dk
Technical details of permanent failure:
Message rejected by Google Groups. Please visit
http://mail.google.com/support/bin/answer.py?hl=en&answer=188131 to review our Bulk Email Senders Guidelines.
----- Original message -----
X-Received: by 10.14.109.66 with SMTP id r42mr7804640eeg.43.1380263171652;
    Thu, 26 Sep 2013 23:26:11 -0700 (PDT)
Return-Path: <support@example.com>
Received: from server.example.com ([2a01:4f8:121:267::2])
    by mx.google.com with ESMTPS id o7si4443732eep.48.1969.12.31.16.00.00
    (version=TLSv1 cipher=RC4-SHA bits=128/128);
    Thu, 26 Sep 2013 23:26:11 -0700 (PDT)
Received-SPF: neutral (google.com: 2a01:4f8:121:267::2 is neither permitted nor denied by best guess record for domain of support@example.com) client-ip=2a01:4f8:121:267::2;
Authentication-Results: mx.google.com;
    spf=neutral (google.com: 2a01:4f8:121:267::2 is neither permitted nor denied by best guess record for domain of support@example.com) smtp.mail=support@example.com;
    dkim=neutral (bad format) header.i=@example.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=example.com; s=default;
    h=Content-Type:MIME-Version:Message-ID:Date:Subject:In-Reply-To:References:To:From;
    bh=E5v2ubiy1T/bYA8pEndEZlZwb928MRpgJuoPSy8WsQE=;
    b=AbAc/65Y88xmhdGHxUUs3kK/1rOvTH0uEpPAVEN1sv8KNdJvzvRqiO72gqXan0M7wXRVeev6IJ
    0iumBwj875irmYAaST9hzm+eIF02whaZDgkzRr2jjJKN9bn11tBmtlTK0JzTGDUMf1Ij+qmI
    0iumBwj875irmYAaST9hzm+eIF02whaZDgkzRr2jjJKN9bn11tBmtlTK0JzTGDUMf1Ij+vdF
    0iumBwj875irmYAaST9hzm+eIF02whaZDgkzRr2jjJKN9bn11tBmtlTK0JzTGDUMf1Ij+f
    64lUpYIyyaqlNUYnaPt28=;
Received: from post.ABCDEFGHIJK.com ([xxx.xxx.xxx.xxx]:49696 helo=WIN7UVQT1EBIRO)
    by server.example.com with esmtpa (Exim 4.80.1)
    (envelope-from <support@example.com>)
    id 1VPRUi-0008Dh-Os
    for ANON@ANON.dk; Fri, 27 Sep 2013 06:25:41 +0000
From: "ANON - example.com" <support@example.com>
To: "'XYZ ABC'" <a.bcd@efg.hi>
References: <E1VORD0-0007hu-Jn@server.example.com>
    <CACyHzxudCSh+4NOEu-_QR1yQYA=uR0DOrTTcgDsg9KcRLTWDFQ@mail.gmail.com>
In-Reply-To: <CACyHzxudCSh+4NOEu-_QR1yQYA=uR0DOrTTcgDsg9KcRLTWDFQ@mail.gmail.com>
Subject: Re: example.com: Order # 700003820 update
Date: Fri, 27 Sep 2013 08:25:38 +0200
Message-ID: <00d501cebb4a$637159b0$2a540d10$@example.com>
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="----=_NextPart_000_00D6_01CEBB5B.26FF0BB0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGYr839QgwXgZ5pAdux+XF0Yh5W4AHfGYRhmjY70GA=
Content-Language: da
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.example.com
X-AntiAbuse: Original Domain - ANON.dk
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - example.com
X-Get-Message-Sender-Via: server.example.com: authenticated_id: support@example.com
X-Source:
X-Source-Args:
X-Source-Dir:
I needed to edit the MX records for the domains sending the mails; as the domains and websites were on the same server, the mail server couldn't comprehend it.
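The three deliverability threads above (the IRCd whose SPF record lacked its IPv6 address, the Hotmail/Gmail question whose answer also points at ip6 and rDNS, and this last one, where Google reports spf=neutral against a "best guess record" because the domain publishes no SPF record at all) all come down to the same check: is the connecting address authorised by the sending domain's SPF record? The shell script below is an added example and not code from any of the answers: it evaluates a record's ip4:, ip6: and all mechanisms offline against a client address, so a record can be tested against the address a receiver reported (the [2604:...] in the Gmail rejection, the Received-SPF client-ip, or the IP in a bounce) before it is published. It assumes exact matching for ip6: mechanisms (no prefix length) and skips include:, a, mx and redirect=, which need DNS lookups; the addresses in the checks are the ones from the questions.

```sh
#!/bin/sh
# Added example, not from the posts above: offline SPF evaluation for the
# ip4:, ip6: and "all" mechanisms only.
set -eu

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Dotted quad -> integer (no validation; input is assumed well-formed).
ip4_int() {
  a=${1%%.*}; r=${1#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
  echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# Is IPv4 $1 inside CIDR $2? A bare address counts as /32.
ip4_in_cidr() {
  net=${2%/*}
  case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
  div=1; i=$bits
  while [ "$i" -lt 32 ]; do div=$((div * 2)); i=$((i + 1)); done
  [ $(( $(ip4_int "$1") / div )) -eq $(( $(ip4_int "$net") / div )) ]
}

# spf_check "<record>" <client-ip>  ->  pass | softfail | fail | neutral
# An empty record models a domain that publishes none; Google then reports
# "neutral ... best guess record", as in the headers of the last question.
spf_check() {
  record=$1; ip=$2
  case $ip in *:*) is6=1 ;; *) is6=0 ;; esac
  for tok in $record; do
    case $tok in
      v=spf1)   ;;
      ip4:*)    [ "$is6" -eq 0 ] && ip4_in_cidr "$ip" "${tok#ip4:}" && { echo pass; return 0; } ;;
      ip6:*)    [ "$is6" -eq 1 ] && [ "$(lower "$ip")" = "$(lower "${tok#ip6:}")" ] && { echo pass; return 0; } ;;
      -all)     echo fail; return 0 ;;
      "~all")   echo softfail; return 0 ;;
      "?all")   echo neutral; return 0 ;;
      +all|all) echo pass; return 0 ;;
      *)        ;;  # include:, a, mx, redirect=, exp= need DNS lookups: skipped
    esac
  done
  echo neutral
}
```

With the IRCd's original record the IPv6 client gets softfail; adding ip6:2604:180:3:284::8c64 turns that into pass. A pass here covers only SPF: the Gmail rejection quoted in that question also names PTR records, so the IPv6 address needs a reverse record (dig -x 2604:180:3:284::8c64) whose name resolves back to the same address, or Google keeps refusing regardless of SPF.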