Ok, I'll admit I've never messed with the mail queue much before, but I started to look at it because we have been getting some spam complaints. I traced it down to a poorly written PHP script that had been compromised. But as I started looking more, I came across a ton of these:
Headers:
1IacHN-0002Rd-Jg-H
mail 8 8
<>
1190833837 0
-ident mail
-received_protocol local
-body_linecount 101
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1190833841
-localerror
XX
1
[email protected] <==not a domain on my box
151P Received: from mail by sub.domain.com with local (Exim 4.63)
id 1IacHN-0002Rd-Jg
for [email protected]; Wed, 26 Sep 2007 15:10:37 -0400
042 X-Failed-Recipients: [email protected]
029 Auto-Submitted: auto-replied
066F From: Mail Delivery System <[email protected]>
027T To: [email protected]
059 Subject: Mail delivery failed: returning message to sender
055I Message-Id: <[email protected]>
038 Date: Wed, 26 Sep 2007 15:10:37 -0400
Body:
1IacHN-0002Rd-Jg-D
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
save to /home/user/imap/domain-thats-on-my-box.com/info/Maildir/.INBOX.spam/new/
generated by [email protected]
retry timeout exceeded
------ This is a copy of the message, including all the headers. ------
Return-path: <[email protected]>
Received: from mail by sub.domain.com with spam-scanned (Exim 4.63)
(envelope-from <[email protected]>)
id 1IacHJ-0002RR-AG
for [email protected]; Wed, 26 Sep 2007 15:10:37 -0400
Received: from localhost by sub.domain.com
with SpamAssassin (version 3.1.8);
Wed, 26 Sep 2007 15:10:37 -0400
From: "Humberto Cooke" <[email protected]>
To: <[email protected]>
Subject: ***SPAM*** Personal Message No. 2102127112
Date: Wed, 26 Sep 2007 20:08:55 +0100
Message-Id: <01c80070$af027490$a018b654@terzuber>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
sub.domain.com
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.7 required=4.0 tests=BAYES_50,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_PBL,RCVD_IN_SORBS_DUL,
SUBJ_HAS_UNIQ_ID autolearn=no version=3.1.8
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_46FAAEAD.363D3852"
This is a multi-part message in MIME format.
------------=_46FAAEAD.363D3852
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "sub.domain.com", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Content preview: Hi! I am Elena and would like to meet you. Email me to: [email protected]
I'll be waiting. Bye! [...]
Content analysis details: (5.7 points, 4.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.2 SUBJ_HAS_UNIQ_ID Subject contains a unique ID
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5011]
2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
[84.182.24.160 listed in dnsbl.sorbs.net]
1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?84.182.24.160>]
1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
[84.182.24.160 listed in combined.njabl.org]
0.0 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
[84.182.24.160 listed in zen.spamhaus.org]
------------=_46FAAEAD.363D3852
Content-Type: text/plain; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Received: from p54b618a0.dip0.t-ipconnect.de ([84.182.24.160])
by sub.domain.com with esmtp (Exim 4.63)
(envelope-from <[email protected]>)
id 1IacHJ-0002RH-4X
for [email protected]; Wed, 26 Sep 2007 15:10:33 -0400
Received: from [84.182.24.160] by MX2.qualitylc.com; Wed, 26 Sep 2007 20:08:55 +0100
From: "Humberto Cooke" <[email protected]>
To: <[email protected]>
Subject: Personal Message No. 2102127112
Date: Wed, 26 Sep 2007 20:08:55 +0100
Message-ID: <01c80070$af027490$a018b654@terzuber>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
Importance: Normal
Hi! I am Elena and would like to meet you.
Email me to: [email protected]
I'll be waiting. Bye!
------------=_46FAAEAD.363D3852--
Log:
2007-09-26 15:10:37 Received from <> R=1IacHJ-0002RR-AG U=mail P=local S=4540 T="Mail delivery failed: returning message to sender"
2007-09-26 15:10:41 SMTP error from remote mail server after RCPT TO:<[email protected]>: host MX2.qualitylc.com [38.112.56.164]: 550 No such user ([email protected])
2007-09-26 15:10:41 [email protected] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host MX2.qualitylc.com [38.112.56.164]: 550 No such user ([email protected])
*** Frozen (delivery error message)
--------------------------------------------------------------------
OK, can anyone please tell me if this is someone trying to use my server as an open relay or what? I have a ton of these and don't know if I should just delete them as it already looks like my server bounced it. But it remains in my queue?
Thanks!
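To make sense of a queue record like the one above, here is an added example (my own code, not Exim's and not from the forum) that parses the -H spool file format shown under "Headers:" and classifies the entry. It assumes the layout documented in the Exim specification's "Format of spool files" section, a placeholder set of local domains, and constructed addresses in place of the obfuscated ones in the post. It keys on three facts that are all visible in the pasted record: the envelope sender is empty (`<>`), `-localerror` marks a delivery error message Exim generated itself, and `-received_protocol local` means the message was not accepted over SMTP from outside. Together they identify the entry as Exim's own bounce for a message it had already accepted, frozen because the remote MX rejected the return address, rather than mail relayed through the box.

```python
"""Triage an Exim spool header (-H) file.

Added example; not Exim's own code. Follows the -H layout from the Exim
specification ("Format of spool files") and checks the facts that separate
a locally generated bounce from relayed mail: empty envelope sender (<>),
the -localerror flag and -received_protocol local.
"""
import re

# Domains this server is the final destination for (hypothetical placeholder).
LOCAL_DOMAINS = {"domain-thats-on-my-box.com"}


def spool_header(flag, text):
    """Encode one header the way Exim stores it: a three-digit byte count that
    includes the terminating newline, a one-character type flag (P=Received,
    F=From, T=To, I=Message-Id, space=any other header), a space, the text.
    A plain header thus has two spaces after the count; the post's paste
    collapsed them to one."""
    body = text + "\n"
    return f"{len(body):03d}{flag} {body}"


# Constructed sample modelled on the -H file in the post; the addresses are
# placeholders, not real mail.
SAMPLE_H = (
    "1IacHN-0002Rd-Jg-H\n"
    "mail 8 8\n"
    "<>\n"                        # empty envelope sender: a bounce
    "1190833837 0\n"
    "-ident mail\n"
    "-received_protocol local\n"  # generated on this host, not received by SMTP
    "-body_linecount 101\n"
    "-frozen 1190833841\n"
    "-localerror\n"               # Exim's own delivery error message
    "XX\n"                        # empty non-recipients tree
    "1\n"
    "bogus-sender@example.net\n"
    "\n"
    + spool_header("P", "Received: from mail by sub.domain.com with local (Exim 4.63)\n"
                        "\tid 1IacHN-0002Rd-Jg\n"
                        "\tfor bogus-sender@example.net; Wed, 26 Sep 2007 15:10:37 -0400")
    + spool_header(" ", "X-Failed-Recipients: bogus-sender@example.net")
    + spool_header("F", "From: Mail Delivery System <Mailer-Daemon@sub.domain.com>")
    + spool_header("T", "To: bogus-sender@example.net")
    + spool_header(" ", "Subject: Mail delivery failed: returning message to sender")
)

HEADER_PREFIX = re.compile(r"(\d{3})(.) ")


def parse_header_block(block):
    """Walk the length-prefixed header block; returns [(flag, name, value)]."""
    headers, pos = [], 0
    while pos < len(block):
        m = HEADER_PREFIX.match(block, pos)
        if not m:
            raise ValueError(f"bad header prefix at offset {pos}")
        length, flag = int(m.group(1)), m.group(2)
        body = block[m.end():m.end() + length]
        if len(body) != length or not body.endswith("\n"):
            raise ValueError(f"header byte count {length} is wrong at offset {pos}")
        name, _, value = body[:-1].partition(":")
        headers.append((flag, name, " ".join(value.split())))  # unfold continuations
        pos = m.end() + length
    return headers


def parse_spool_header(text):
    """Parse the envelope section and the header block of a -H file."""
    envelope, _, header_block = text.partition("\n\n")
    lines = envelope.split("\n")
    msg_id = lines[0][:-2] if lines[0].endswith("-H") else lines[0]
    msg = {"id": msg_id, "sender": lines[2].strip("<>"),
           "received": int(lines[3].split()[0]), "options": {}}
    i = 4
    while lines[i].startswith("-"):            # option lines: -name [value]
        name, _, value = lines[i][1:].partition(" ")
        msg["options"][name] = value
        i += 1
    while not lines[i].isdigit():              # skip the non-recipients tree
        i += 1
    count, i = int(lines[i]), i + 1
    msg["recipients"] = [lines[i + k].split()[0] for k in range(count)]
    msg["headers"] = parse_header_block(header_block)
    return msg


def classify(msg, local_domains=LOCAL_DOMAINS):
    """Decide what kind of queue entry this is."""
    opts = msg["options"]
    is_bounce = msg["sender"] == "" and "localerror" in opts
    remote = [r for r in msg["recipients"]
              if r.rsplit("@", 1)[-1].lower() not in local_domains]
    if is_bounce and "frozen" in opts:
        verdict = "frozen-bounce"      # undeliverable error report, nothing left to deliver
    elif is_bounce:
        verdict = "bounce"
    elif "frozen" in opts:
        verdict = "frozen-message"     # has a real sender: find out why it froze
    else:
        verdict = "queued"
    return {"verdict": verdict, "remote_recipients": remote,
            "generated_locally": opts.get("received_protocol") == "local"}


if __name__ == "__main__":
    parsed = parse_spool_header(SAMPLE_H)
    print(parsed["id"], classify(parsed))
```

On a live system the same parser can be pointed at the -H file of each id that `exiqgrep -z -i` lists under Exim's input spool directory; entries that come back as `frozen-bounce` are error reports Exim could not return, and the main option `ignore_bounce_errors_after` makes Exim discard such frozen bounces on its own after the period it sets.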