Large amount of messages in root email account

SidebandSamurai
Posts: 236
Joined: Sun Jan 08, 2006 10:57 pm

Postby SidebandSamurai » Mon Dec 13, 2010 9:16 pm

Hello everyone,

I have over 71,000 messages in the root email box; they all say the same thing:

Message 71552:
From MAILER-DAEMON@grumpy.sbgk.com  Mon Dec 13 16:05:49 2010
Date: Mon, 13 Dec 2010 16:05:49 -0800
From: Mail Delivery Subsystem <MAILER-DAEMON@grumpy.sbgk.com>
To: postmaster@grumpy.sbgk.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="oBDNsCuK025914.1292285149/grumpy.sbgk.com"
Subject: Postmaster notify: see transcript for details
Auto-Submitted: auto-generated (postmaster-notification)

This is a MIME-encapsulated message

--oBDNsCuK025914.1292285149/grumpy.sbgk.com

The original message was received at Mon, 13 Dec 2010 16:05:45 -0800
from localhost
with id oBDNsCuJ025914

   ----- The following addresses had permanent fatal errors -----
<randycuevasuw@ran.es>
    (reason: 550 5.1.1 <randycuevasuw@ran.es>... User unknown)

   ----- Transcript of session follows -----
... while talking to mailer.ran.es.:
>>> DATA
<<< 550 5.1.1 <randycuevasuw@ran.es>... User unknown
550 5.1.1 <randycuevasuw@ran.es>... User unknown
<<< 503 5.0.0 Need RCPT (recipient)

--oBDNsCuK025914.1292285149/grumpy.sbgk.com
Content-Type: message/delivery-status

Reporting-MTA: dns; grumpy.sbgk.com
Arrival-Date: Mon, 13 Dec 2010 16:05:45 -0800

Final-Recipient: RFC822; randycuevasuw@ran.es
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mailer.ran.es
Diagnostic-Code: SMTP; 550 5.1.1 <randycuevasuw@ran.es>... User unknown
Last-Attempt-Date: Mon, 13 Dec 2010 16:05:49 -0800

--oBDNsCuK025914.1292285149/grumpy.sbgk.com
Content-Type: message/rfc822

Return-Path: <MAILER-DAEMON>
Received: from localhost (localhost)
        by grumpy.sbgk.com (8.13.8/8.13.8) id oBDNsCuJ025914;
        Mon, 13 Dec 2010 16:05:45 -0800
Date: Mon, 13 Dec 2010 16:05:45 -0800
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-Id: <201012140005.oBDNsCuJ025914@grumpy.sbgk.com>
To: <randycuevasuw@ran.es>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="oBDNsCuJ025914.1292285145/grumpy.sbgk.com"
Subject: Warning: could not send message for past 4 hours
Auto-Submitted: auto-generated (warning-timeout)

This is a MIME-encapsulated message

--oBDNsCuJ025914.1292285145/grumpy.sbgk.com

    **********************************************
    **      THIS IS A WARNING MESSAGE ONLY      **
    **  YOU DO NOT NEED TO RESEND YOUR MESSAGE  **
    **********************************************

The original message was received at Mon, 13 Dec 2010 11:41:32 -0800
from localhost.localdomain [127.0.0.1]

   ----- Transcript of session follows -----
<regina.desroches@sbgk.com>... Deferred: Connection timed out with mail.sbgk.com.
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old

--oBDNsCuJ025914.1292285145/grumpy.sbgk.com
Content-Type: message/delivery-status

Original-Envelope-Id: 000701cb9b6b$558b9c90$b852c162@ran.es
Reporting-MTA: dns; grumpy.sbgk.com
Arrival-Date: Mon, 13 Dec 2010 11:41:32 -0800

Final-Recipient: RFC822; regina.desroches@sbgk.com
Action: delayed
Status: 4.4.1
Remote-MTA: DNS; mail.sbgk.com
Last-Attempt-Date: Mon, 13 Dec 2010 16:05:44 -0800
Will-Retry-Until: Sat, 18 Dec 2010 11:41:32 -0800

--oBDNsCuJ025914.1292285145/grumpy.sbgk.com
--More--


First, the destination address:

<randycuevasuw@ran.es>
    (reason: 550 5.1.1 <randycuevasuw@ran.es>... User unknown)


We would never send to the .es domain.

Second:

<regina.desroches@sbgk.com>... Deferred: Connection timed out with mail.sbgk.com.
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old


is a user that no longer exists on our system. So has someone forged regina.desroches's email address, and the mail server is attempting to deliver it to a user that does not exist on my system but cannot send it to the .es user because he does not exist either?

How do I stop these messages?

Thanks for all your help.

Sincerely,

Sideband Samurai

les
Scalix Star
Posts: 819
Joined: Thu Feb 23, 2006 10:18 am
Location: Sydney, Australia

Re: Large amount of messages in root email account

Postby les » Tue Dec 14, 2010 9:45 am

If the original user is no longer there, then postmaster tries to return DSNs to the "faked" from address. You have a couple of options....

1. If you have a spam filter out front, blacklist_to the deleted user. Then dud mail coming in can be dropped without a DSN. (Of the few ways you can do filtering in Scalix, spamassassin/amavis integrated with sendmail does this; spamass-milter still sends DSNs.)

2. Redirect postmaster email to /dev/null in sendmail's /etc/aliases. Note that this wild idea only affects mail root can't re-deliver; legitimate postmaster/mailer-daemon mail in/out of Scalix won't be affected.

Option 1 is the best way, Option 2 is the easiest.
Regards,

Les Stott
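Before choosing which deleted users to blacklist (option 1), it helps to see which addresses the pile of DSNs actually names. The following added Python example, not code from the thread or from Scalix, parses a sendmail-style postmaster mbox, following the nested message/rfc822 report exactly as in the sample above; the addresses, domains and the temporary mbox it writes are all constructed placeholders.

```python
import mailbox
import tempfile
from collections import Counter

def build_dsn(ext_addr, local_addr, seq):
    # Constructed sample shaped like the thread's message (placeholder
    # domains): outer report bounces the forged external sender, nested
    # report concerns a local address that no longer exists.
    b1, b2 = f"outer{seq}", f"inner{seq}"
    return (f"From MAILER-DAEMON Mon Dec 13 16:05:49 2010\n"
            f"To: postmaster@example.com\nSubject: Postmaster notify\n"
            f'Content-Type: multipart/report; boundary="{b1}"\n\n'
            f"--{b1}\nContent-Type: message/delivery-status\n\n"
            f"Reporting-MTA: dns; mx.example.com\n\n"
            f"Final-Recipient: RFC822; {ext_addr}\nAction: failed\n"
            f"Status: 5.1.1\n\n--{b1}\nContent-Type: message/rfc822\n\n"
            f"To: <{ext_addr}>\nSubject: Warning: could not send message\n"
            f'Content-Type: multipart/report; boundary="{b2}"\n\n'
            f"--{b2}\nContent-Type: message/delivery-status\n\n"
            f"Reporting-MTA: dns; mx.example.com\n\n"
            f"Final-Recipient: RFC822; {local_addr}\nAction: delayed\n"
            f"Status: 4.4.1\n\n--{b2}--\n--{b1}--\n\n")

def dsn_recipients(msg):
    # (address, status) for each Final-Recipient block; walk() descends
    # into the nested message/rfc822 report, so the outer one comes first.
    return [(p["Final-Recipient"].split(";", 1)[-1].strip().lower(),
             (p.get("Status") or "").strip())
            for p in msg.walk() if p.get("Final-Recipient")]

def triage_mbox(path, local_domain):
    # Per message: the unreachable forged "sender" named by the outer
    # report, plus any address in our domain named by a nested report.
    dead_local, bad_senders = Counter(), Counter()
    for msg in mailbox.mbox(path):
        recips = dsn_recipients(msg)
        if recips:
            bad_senders[recips[0][0]] += 1
        dead_local.update(a for a, _ in recips[1:]
                          if a.endswith("@" + local_domain))
    return dead_local, bad_senders

def sample_mbox_path():
    # Three constructed DSNs written to a temporary mbox file.
    cases = [("a@spoof.example.net", "old.user1@example.com"),
             ("b@spoof.example.net", "old.user1@example.com"),
             ("a@spoof.example.net", "old.user2@example.com")]
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as f:
        f.write("".join(build_dsn(e, l, i) for i, (e, l) in enumerate(cases)))
    return f.name
```

Run `triage_mbox("/var/spool/mail/root", "your.domain")` against the real mailbox; the `dead_local` counter lists the former-employee addresses worth blacklisting.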

SidebandSamurai
Posts: 236
Joined: Sun Jan 08, 2006 10:57 pm

Re: Large amount of messages in root email account

Postby SidebandSamurai » Wed Feb 09, 2011 8:48 pm

Thanks for your response,

Is this a situation where the spammers are using my server as a third-party relay?

What is happening is that we are getting listed on some blacklists like Barracuda Networks. We are a law firm and cannot afford to be blocked by blacklists.

I used a service at network abuse network and had the following result:

Connecting to 66.93.36.210 for registered user test ...

<<< 220 grumpy.sbgk.com ESMTP Scalix SMTP Relay 11.4.6.13676; Wed, 09 Feb 2011 16:30:54 -0800 (PST)
>>> HELO www.abuse.net
<<< 250 mail.server.com Hello verify.abuse.net [xx.xx.xx.xx], pleased to meet you
Relay test 1
>>> RSET
<<< 250 mail.server.com Reset state
>>> MAIL FROM:<spamtest@abuse.net>
<<< 250 spamtest@abuse.net... Sender ok
>>> RCPT TO:<harold.robinson@sbgk.com>
<<< 250 Ok
>>> DATA
<<< 354 Enter mail, end with "." on a line by itself (relay)
>>> (message body)
<<< 250 Ok


Which appears to show that I can indeed be used as a third-party relay. If so, how do I close this up and stop it from happening?

Thanks for the help

Sincerely,

SidebandSamurai
Last edited by SidebandSamurai on Wed Feb 09, 2011 9:45 pm, edited 1 time in total.

les
Scalix Star
Posts: 819
Joined: Thu Feb 23, 2006 10:18 am
Location: Sydney, Australia

Re: Large amount of messages in root email account

Postby les » Wed Feb 09, 2011 9:15 pm

SidebandSamurai wrote: Thanks for your response,

Is this a situation where the spammers are using my server as a third-party relay?

What is happening is that we are getting listed on some blacklists like Barracuda Networks. We are a law firm and cannot afford to be blocked by blacklists.

I used a service at network abuse network and had the following result:

Connecting to 66.93.36.210 for registered user test ...

<<< 220 grumpy.sbgk.com ESMTP Scalix SMTP Relay 11.4.6.13676; Wed, 09 Feb 2011 16:30:54 -0800 (PST)
>>> HELO www.abuse.net
<<< 250 grumpy.sbgk.com Hello verify.abuse.net [64.57.183.77], pleased to meet you
Relay test 1
>>> RSET
<<< 250 grumpy.sbgk.com Reset state
>>> MAIL FROM:<spamtest@abuse.net>
<<< 250 spamtest@abuse.net... Sender ok
>>> RCPT TO:<harold.robinson@sbgk.com>
<<< 250 Ok
>>> DATA
<<< 354 Enter mail, end with "." on a line by itself (relay)
>>> (message body)
<<< 250 Ok


Which appears to show that I can indeed be used as a third-party relay. If so, how do I close this up and stop it from happening?

Thanks for the help

Sincerely,

SidebandSamurai


You are on internet blacklists. See....

http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a66.93.36.210

But you are not an open relay. See....

http://www.mxtoolbox.com/SuperTool.aspx?action=smtp%3a66.93.36.210

In your test, you sent email to the scalix domain...sbgk.com. That will get through. To test an open relay try sending from an external address to another external address.

You need to get yourself off the internet blacklists.
Regards,

Les Stott

SidebandSamurai
Posts: 236
Joined: Sun Jan 08, 2006 10:57 pm

Re: Large amount of messages in root email account

Postby SidebandSamurai » Wed Feb 09, 2011 10:04 pm

hmmm,

Am I able to test like this:

from: harold.robinson@sbgk.com
to anyone on the internet
from (another network on the internet)

In other words, the spammer is sending mail from the Cox internet service (not from our local network); the from address above is forged by a spammer with my legitimate email address. The spammer attaches to our server as harold.robinson@sbgk.com, sends it to mickey.mouse@disney.com, and it sends successfully.

You see, I am seeing a lot of old former employee email addresses appear in this root email. For example, it would be from rigena.deroches@sbgk.com to email.address@network.com (could be any email address). The recipient email address is invalid, and since rigena.deroches@sbgk.com IS ALSO invalid, it ends up in the root email box undeliverable.

Regular users are also receiving these messages, as if they sent something to someone but it failed. So in the previous example, if the spammer used harold.robinson@sbgk.com and sent it to mickey.mouse@disney.com and mickey.mouse@disney.com was invalid, I would receive the NDR message as if I had really sent the message to mickey.mouse@disney.com when I really did not.

How else would I get those messages? Why would my system be listed on the blacklists when I know we cannot send SMTP (port 25) mail from any workstations (only from the mail server), as it is blocked by our firewall?

... you know I need to positively test this theory. I will get back in a few.

Thanks for the help.

Sincerely,

Sideband Samurai

les
Scalix Star
Posts: 819
Joined: Thu Feb 23, 2006 10:18 am
Location: Sydney, Australia

Re: Large amount of messages in root email account

Postby les » Wed Feb 09, 2011 10:16 pm

SidebandSamurai wrote:
You see, I am seeing a lot of old former employee email addresses appear in this root email. For example, it would be from rigena.deroches@sbgk.com to email.address@network.com (could be any email address). The recipient email address is invalid, and since rigena.deroches@sbgk.com IS ALSO invalid, it ends up in the root email box undeliverable.

Regular users are also receiving these messages, as if they sent something to someone but it failed. So in the previous example, if the spammer used harold.robinson@sbgk.com and sent it to mickey.mouse@disney.com and mickey.mouse@disney.com was invalid, I would receive the NDR message as if I had really sent the message to mickey.mouse@disney.com when I really did not.

How else would I get those messages? Why would my system be listed on the blacklists when I know we cannot send SMTP (port 25) mail from any workstations (only from the mail server), as it is blocked by our firewall?

... you know I need to positively test this theory. I will get back in a few.

Thanks for the help.

Sincerely,

Sideband Samurai


Setting root mail to go to /dev/null via /etc/aliases will stop the massive amount of junk NDRs ending up in root's mailbox.

Just because your PCs can't send SMTP outbound doesn't mean you'll never end up on a blacklist. If your server sends back a huge amount of NDRs to faked addresses that come in as spam, then your server will likely get listed at backscatterer.org. A spammer can target your domain and send billions of messages saying they are from you, or one of your users. You can't stop that.

If you are filtering via sendmail/spamassassin, and using spamass-milter, then you will be sending back NDRs even if messages are detected as spam and beyond your "spamass-milter delete settings". This is just the way spamass-milter works, and it can cause a lot of backscatter.
Amavis, on the other hand, if configured to delete spam above 6 for instance, can be configured to silently delete those junk messages without sending NDRs. Hence, it's a better option than spamass-milter.

The only other way someone can relay through your server is if they use auth and know a user's password. Then they can connect to your server, auth, and send whatever they want via your server.
Regards,

Les Stott

SidebandSamurai
Posts: 236
Joined: Sun Jan 08, 2006 10:57 pm

Re: Large amount of messages in root email account

Postby SidebandSamurai » Wed Feb 09, 2011 10:18 pm

Hi All,

I tested to see if I could connect from my workstation to a gmail mail server. I found out that alt1.gmail-smtp-in.l.google.com, is a mail server at gmail. I then used putty to attach to port 25 at that IP address, and what do you know:

220 mx.google.com ESMTP c36si2311338anc.19


So that is my next project: to make sure that sending on port 25 is blocked by Smoothwall except from the static IP for the email server.

Of course the easy way is to request a separate IP address from my ISP that is used exclusively for Email. That way if workstations have a virus, then our mail server IP address will not be banned.

What are your thoughts on this?

Thanks for the help.

Sincerely,

Harold Robinson

les
Scalix Star
Posts: 819
Joined: Thu Feb 23, 2006 10:18 am
Location: Sydney, Australia

Re: Large amount of messages in root email account

Postby les » Wed Feb 09, 2011 10:46 pm

SidebandSamurai wrote: Hi All,

I tested to see if I could connect from my workstation to a gmail mail server. I found out that alt1.gmail-smtp-in.l.google.com, is a mail server at gmail. I then used putty to attach to port 25 at that IP address, and what do you know:

220 mx.google.com ESMTP c36si2311338anc.19


So that is my next project: to make sure that sending on port 25 is blocked by Smoothwall except from the static IP for the email server.

Of course the easy way is to request a separate IP address from my ISP that is used exclusively for Email. That way if workstations have a virus, then our mail server IP address will not be banned.

What are your thoughts on this?

Thanks for the help.

Sincerely,

Harold Robinson


Really, the easiest way is to block outbound smtp at your perimeter firewall from clients other than your scalix server. Linux Firewalls can do this without any dramas.

Also, your Scalix server should send outbound mail to a smart host (via sendmail), i.e. your ISP's SMTP server, rather than delivering direct. If you deliver direct, other mail servers can potentially drop email from you if they use filters that look at internet blacklists. If mail goes via your ISP's SMTP server then it *should* look legit to other mail servers.
Regards,

Les Stott
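As an added example (not configuration from the thread or from Scalix), the sendmail.mc change that implements the smart-host suggestion above; the relay hostname is a placeholder for your ISP's SMTP server.

```m4
dnl Added example: route all outbound mail from the Scalix host through
dnl the ISP's relay instead of delivering direct to remote MXes.
dnl smtp.isp.example is a placeholder for your ISP's SMTP server.
define(`SMART_HOST', `smtp.isp.example')dnl
dnl After editing, rebuild sendmail.cf from sendmail.mc and restart
dnl sendmail, e.g. "make -C /etc/mail && service sendmail restart".
```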

SidebandSamurai
Posts: 236
Joined: Sun Jan 08, 2006 10:57 pm

Re: Large amount of messages in root email account

Postby SidebandSamurai » Wed Feb 09, 2011 11:46 pm

Les

Thanks for all the help,

I am using Smoothwall Firewall Advanced Server 2008. I thought I had configured the firewall properly, but I guess not. It helps to check just to make sure. I had the rule set up, but the second step was to actually apply it to a range of IP addresses. Once I understood what was going on I was able to get the firewall configured properly and it's now blocking port 25. YeA!!!!


So I believe I have stopped port 25 on the network. But what about all those NDRs I receive in the root mailbox? How do I stop receiving those?

I don't have a spam filter setup but I am considering an external service called MailRoute to filter our Email incoming as well as outgoing, plus I get the additional service of store and forward, so if the Email server is down, they will hold the Email until we are back online. That's all for $37.50 a month for 15 users.

Thanks for the help

Sincerely,

Sideband Samurai

les
Scalix Star
Posts: 819
Joined: Thu Feb 23, 2006 10:18 am
Location: Sydney, Australia

Re: Large amount of messages in root email account

Postby les » Wed Feb 09, 2011 11:52 pm

SidebandSamurai wrote: So I believe I have stopped port 25 on the network. But what about all those NDRs I receive in the root mailbox? How do I stop receiving those?

I don't have a spam filter setup but I am considering an external service called MailRoute to filter our Email incoming as well as outgoing, plus I get the additional service of store and forward, so if the Email server is down, they will hold the Email until we are back online. That's all for $37.50 a month for 15 users.


Well, even if you don't have a spam filter.....

vi /etc/aliases

postmaster: /dev/null

save and quit.

newaliases

You will no longer get NDRs to root.
Regards,

Les Stott

