Spam problem

Hello all :)

Here is a snippet of my email logs.
I don't understand what the "R=" and "P=" mean ...

Edit: logs in attachment in next post

Can you tell me which emails are sent from MY server ... and which ones are just sent TO my server...

The problem is that I don't know if my server is acting like an open relay or not...

I'm receiving about 1500 emails each day... most of them have this sort of subject: Undelivered Mail Returned to Sender

If you need more info... just ask.

Thx,
Sky
 
Better than doing an enormous quote of the logs, I attach them here.
 

Hello

How can we find out if the server is an open relay for spammers?
 
R= is followed by the name of the router Exim uses.

Routers are defined in /etc/exim.conf.

P= is followed by the method used. For example, SMTP means the email was delivered by SMTP, and LOCAL means it's a local email delivery.

I'm not going to read through approximately 3000 lines to tell you what each of them means, so if you have any other specific questions you should ask them.

But by default the server is NOT an open relay unless you've reconfigured exim.conf to make it so.

But of course form-to-email forms and programs could be causing it to act as such.

Check your main server IP# here to see if you're listed on any blocklists.

Jeff
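
The relay question above can be settled directly rather than inferred from the default config. The following is an added example, not code from the original posts: it performs the classic third-party relay probe (MAIL FROM and RCPT TO both in domains the server does not host) and reads the RCPT reply, never sending DATA so nothing is queued even if the server says 250. A server with Exim's default ACL answers "550 relay not permitted"; an open relay answers 250. The mock SMTP server and the example.net/example.org probe addresses are constructed so the block runs offline; point `relay_check` at a real host:25 to probe your own machine.

```python
"""Probe an SMTP server for third-party relaying.

Added example for this thread, not code from the original posts.  MAIL FROM
and RCPT TO both use domains the target does not host; a correctly configured
server rejects the RCPT, an open relay accepts it.  DATA is never sent.
"""
import smtplib
import socketserver
import threading

PROBE_SENDER = "relaytest@example.net"   # constructed: not hosted by the target
PROBE_RCPT = "relaytest@example.org"     # constructed: not hosted by the target


def relay_check(host, port=25, timeout=10):
    """Return (is_open_relay, rcpt_code, rcpt_text) for host:port."""
    with smtplib.SMTP(host, port, local_hostname="probe.example",
                      timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(PROBE_SENDER)
        if code != 250:
            return False, code, msg.decode(errors="replace")
        code, msg = smtp.rcpt(PROBE_RCPT)
        smtp.rset()  # abort the transaction; DATA is never sent
        return code in (250, 251), code, msg.decode(errors="replace")


class MockSMTP(socketserver.StreamRequestHandler):
    """Constructed minimal SMTP responder; policy comes from server.open_relay."""

    def reply(self, text):
        self.wfile.write(text.encode() + b"\r\n")

    def handle(self):
        self.reply("220 mock.example ESMTP")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            parts = line.split(b":")[0].split()
            verb = parts[0].upper() if parts else b""
            if verb in (b"EHLO", b"HELO"):
                self.reply("250 mock.example")
            elif verb == b"MAIL":
                self.reply("250 OK")
            elif verb == b"RCPT":
                if self.server.open_relay:
                    self.reply("250 Accepted")            # what an open relay says
                else:
                    self.reply("550 relay not permitted")  # Exim's default wording
            elif verb == b"RSET":
                self.reply("250 OK")
            elif verb == b"QUIT":
                self.reply("221 mock.example closing")
                return
            else:
                self.reply("500 command not recognised")


def start_mock(open_relay):
    """Start a MockSMTP on a free loopback port; return (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), MockSMTP)
    srv.open_relay = open_relay
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Probe a closed and an open mock; return {open_relay_mode: (verdict, code)}."""
    results = {}
    for mode in (False, True):
        srv, port = start_mock(mode)
        try:
            verdict, code, _ = relay_check("127.0.0.1", port)
            results[mode] = (verdict, code)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for mode, (verdict, code) in demo().items():
        print(f"mock open_relay={mode}: RCPT -> {code}, open relay detected: {verdict}")
```

Run the probe from a host outside your own network as well as from inside it: a server that relays for its own IP range but not for strangers is not an open relay, and a test from the LAN would wrongly say it is.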
 
Hello jlasman

I don't expect you to read all the lines ^^

I'm just receiving too many emails with a subject like:
Undeliverable Mail
or
Mail delivery Failure
or
Delivery status notification (Failure)

These emails have been sent with xxxxx_AT_graphiks_DOT_net as sender, so the server just replies to me saying that that user does not exist.

Well, I'll check the website on the server again.

Sky
 
There wasn't any reason to post so many lines if it wasn't important to read them.

If you post a few lines, I'll do some testing with those lines.

Jeff
 
Two of my domains appear to be the target of this spam too. I was getting hundreds of those returned emails a day. At first they were coming to me with addresses that were random dictionary terms. Now they are random letters. Today I received a few with random letters & numbers. My domain funnels are mandatory given how I work things unfortunately. It is painful, but I have it resolved now. Here's what I did:

The filter on the server was unable to bounce returned mail for some reason. So I downloaded MailWasher freeware from www.mailwasher.net. I put in blacklist filters; I can't copy them, but here's what I have:

administrator@*
noreply@*
postmaster@*
mailer-daemon@*
mail-delivery@*
mail-daemon@*
etc
I have it set to bounce those mails immediately, and it gets most. The ones that slip through I just highlight in a group and manually bounce/delete.

It's the best solution I have found so far.
-WC-
 
Thx WildCard for your post.
That is a solution... temporarily at least.

But while I delete or bounce the emails... the server is still working away with useless emails...

Jlasman, here's a little snippet:
2006-01-24 20:55:26 1F1UGD-000605-QK <= [email protected] H=(legrandcerf.fr) [201.12.101.14] P=smtp S=2408 id=000001c6211f$bf82a1f0$b4c6a8c0@reseda T="Re: Phara macy descendible" from <[email protected]> for [email protected]
2006-01-24 20:55:26 1F1UGD-000605-QK => server <[email protected]> F=<[email protected]> R=virtual_user T=virtual_localdelivery S=2525
2006-01-24 20:55:26 1F1UGD-000605-QK Completed
2006-01-24 20:55:30 1F1UGH-00060C-KP <= <> H=velum.qala.com.sg [210.193.2.49] P=esmtp S=2745 [email protected] T="Returned mail: User unknown (from mail.kedasia.com)" from <> for [email protected]
2006-01-24 20:55:30 1F1UGH-00060C-KP => server <[email protected]> F=<> R=virtual_user T=virtual_localdelivery S=2841
2006-01-24 20:55:30 1F1UGH-00060C-KP Completed
2006-01-24 20:57:36 1F1UIK-00060m-Ef <= <> H=cumeil7.prima.com.ar (cumeils.prima.com.ar) [200.42.0.175] P=smtp S=3039 T="failure notice" from <> for [email protected]
2006-01-24 20:57:36 1F1UIK-00060m-Ef => server <[email protected]> F=<> R=virtual_user T=virtual_localdelivery S=3137
2006-01-24 20:57:36 1F1UIK-00060m-Ef Completed
2006-01-24 20:57:56 1F1UIe-00060w-1d <= [email protected] H=pool-00042.externet.hu (bisman.com) [212.40.100.66] P=smtp S=2438 id=000001c62120$1eef09d0$68d1a8c0@arboreta T="Re: Pharamac y adhere" from <[email protected]> for [email protected]
2006-01-24 20:57:56 1F1UIe-00060w-1d => server <[email protected]> F=<[email protected]> R=virtual_user T=virtual_localdelivery S=2560
2006-01-24 20:57:56 1F1UIe-00060w-1d Completed

Thx for your help.
 
Just a question:
If I disable the PHP function mail() for a time, will I be sure that the emails are not sent via a webpage?

I run chkrootkit each day to be sure I don't have a trojan or something else... nothing yet.

Sky
 
sky,
2006-01-24 20:55:26 1F1UGD-000605-QK <= [email protected] H=(legrandcerf.fr) [201.12.101.14] P=smtp S=2408 id=000001c6211f$bf82a1f0$b4c6a8c0@reseda T="Re: Phara macy descendible" from <[email protected]> for [email protected]
2006-01-24 20:55:26 1F1UGD-000605-QK => server <[email protected]> F=<[email protected]> R=virtual_user T=virtual_localdelivery S=2525
2006-01-24 20:55:26 1F1UGD-000605-QK Completed
The above email came from a server at 201.12.101.14, giving a helo origin name of legrandcerf.fr. The subject is "Re: Phara macy descendible." The return-path is [email protected], and the from address is also [email protected]. The to address is [email protected], and based on that address, it made successful local delivery using the virtual_user router.
2006-01-24 20:55:30 1F1UGH-00060C-KP <= <> H=velum.qala.com.sg [210.193.2.49] P=esmtp S=2745 [email protected] T="Returned mail: User unknown (from mail.kedasia.com)" from <> for [email protected]
2006-01-24 20:55:30 1F1UGH-00060C-KP => server <[email protected]> F=<> R=virtual_user T=virtual_localdelivery S=2841
2006-01-24 20:55:30 1F1UGH-00060C-KP Completed
The above email came from a server at 210.193.2.49, giving a helo origin name of velum.qala.com.sg. The subject is "Returned mail: User unknown (from mail.kedasia.com)". The return path is <>, which means the mail is coming from an automated server daemon at the destination mailserver. The from address is the same. The to address is [email protected]. Again, it made a successful local delivery using the virtual_user router.

Now the question you need to ask yourself is "is [email protected] a real user, or is it the username of a domain?" If it's the username of a domain, then it's possible there's a bad php script on that domain.
If I disable the PHP function mail() for a time, will I be sure that the emails are not sent via a webpage
Most likely, but you'll also assure that your clients' forms will stop working. It's probably better that you find and fix the problem(s).

Jeff
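
The reading of the two log entries above can be automated, which is what you want with 1500 bounces a day. The following is an added example, not code from the original posts. It uses Exim's main-log conventions: "<=" is a message arrival and "=>" a delivery; H= is the sending host, U= the local submitting user (paired with P=local), A= the SMTP authenticator that succeeded, F= the envelope sender on a delivery line, R= the router, T= the transport, and "for" the envelope recipient. By correlating arrivals with deliveries on the message id it separates the three cases the thread keeps circling: mail received from outside (including backscatter, recognisable by the empty return path "<>"), mail a local process such as a form script submitted, and mail that came in from an unauthenticated remote host and went back out, which is the signature of third-party relaying. The sample log is constructed; `virtual_user` and `virtual_localdelivery` are the router and transport names from the thread's own log, while `remote_smtp` and `lookuphost` are Exim's usual outbound names and an assumption here.

```python
"""Sort Exim main-log lines into traffic received from outside, traffic a
local process submitted, and traffic the server sent back out.

Added example for this thread, not code from the original posts.  The
sample log is constructed; remote_smtp/lookuphost are assumed Exim names.
"""
import re
from collections import Counter

ARRIVAL_RE = re.compile(r"^(\S+ \S+) (\S+) <= (\S+) (.*)$")
DELIVERY_RE = re.compile(r"^(\S+ \S+) (\S+) => (\S+) (.*)$")
# Single-letter key=value fields; values are quoted, angle-bracketed or bare.
FIELD_RE = re.compile(r'\b([A-Z])=("(?:[^"\\]|\\.)*"|<[^>]*>|\S+)')


def parse_fields(rest):
    return {k: v.strip('"<>') for k, v in FIELD_RE.findall(rest)}


def parse_line(line):
    """Return a dict for an arrival or delivery line, None for anything else."""
    m = ARRIVAL_RE.match(line)
    if m:
        _, msgid, sender, rest = m.groups()
        f = parse_fields(rest)
        rcpt = re.search(r" for (\S+)$", rest)
        return {
            "type": "arrival", "id": msgid,
            "sender": "" if sender == "<>" else sender,
            "recipient": rcpt.group(1) if rcpt else None,
            "host": f.get("H"),             # set when it came in over SMTP
            "local_user": f.get("U"),       # set when submitted on the box
            "authenticated": "A" in f,      # SMTP AUTH succeeded
            "is_bounce": sender == "<>",    # null return path: DSN/backscatter
        }
    m = DELIVERY_RE.match(line)
    if m:
        _, msgid, rcpt, rest = m.groups()
        f = parse_fields(rest)
        return {
            "type": "delivery", "id": msgid, "recipient": rcpt,
            "sender": f.get("F", ""), "router": f.get("R"),
            "transport": f.get("T"), "leaves_server": f.get("T") == "remote_smtp",
        }
    return None


def audit(log_text):
    """Correlate arrivals and deliveries by id; return (counts, relay_suspects).

    A relay suspect arrived from a remote host without SMTP AUTH and then left
    via remote_smtp.  Mail that arrived with U=/P=local and left is a local
    script or user (the form-to-mail case) and is only counted.
    """
    arrivals, counts, suspects = {}, Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["type"] == "arrival":
            arrivals[rec["id"]] = rec
            if rec["host"]:
                counts["received_from_remote"] += 1
                if rec["is_bounce"]:
                    counts["bounces_received"] += 1
            else:
                counts["submitted_locally"] += 1
        elif rec["leaves_server"]:
            counts["delivered_remote"] += 1
            arr = arrivals.get(rec["id"])
            if arr and arr["host"] and not arr["authenticated"]:
                suspects.append(rec["id"])
        else:
            counts["delivered_locally"] += 1
    return counts, suspects


# Constructed sample in Exim main-log format; example.com is the hosted domain.
SAMPLE_LOG = """\
2006-01-24 20:55:26 1F1UGD-000605-QK <= spammer@bad-origin.example H=(legrandcerf.fr) [201.12.101.14] P=smtp S=2408 T="Re: Phara macy descendible" from <spammer@bad-origin.example> for sales@example.com
2006-01-24 20:55:26 1F1UGD-000605-QK => server <sales@example.com> F=<spammer@bad-origin.example> R=virtual_user T=virtual_localdelivery S=2525
2006-01-24 20:55:30 1F1UGH-00060C-KP <= <> H=velum.qala.com.sg [210.193.2.49] P=esmtp S=2745 T="Returned mail: User unknown" from <> for qzkvt@example.com
2006-01-24 20:55:30 1F1UGH-00060C-KP => server <qzkvt@example.com> F=<> R=virtual_user T=virtual_localdelivery S=2841
2006-01-24 21:02:11 1F1UMd-00061Q-Ab <= apache@example.com U=apache P=local S=1900 T="Contact form" from <apache@example.com> for someone@elsewhere.example
2006-01-24 21:02:12 1F1UMd-00061Q-Ab => someone@elsewhere.example F=<apache@example.com> R=lookuphost T=remote_smtp S=2010 H=mx.elsewhere.example [198.51.100.7]
2006-01-24 21:05:40 1F1UPz-00062C-Gh <= spammer@bad-origin.example H=(zombie.example) [203.0.113.9] P=smtp S=2200 T="Re: offer" from <spammer@bad-origin.example> for victim@elsewhere.example
2006-01-24 21:05:41 1F1UPz-00062C-Gh => victim@elsewhere.example F=<spammer@bad-origin.example> R=lookuphost T=remote_smtp S=2300 H=mx.elsewhere.example [198.51.100.7]
2006-01-24 21:07:02 1F1URk-00062M-Ij <= alice@example.com H=laptop.example [198.51.100.20] P=esmtpa A=login:alice S=1500 T="Hi" from <alice@example.com> for bob@elsewhere.example
2006-01-24 21:07:03 1F1URk-00062M-Ij => bob@elsewhere.example F=<alice@example.com> R=lookuphost T=remote_smtp S=1600 H=mx.elsewhere.example [198.51.100.7]
"""

if __name__ == "__main__":
    counts, suspects = audit(SAMPLE_LOG)
    for key, value in sorted(counts.items()):
        print(f"{key:22} {value}")
    print("relay suspects:", suspects or "none")
```

Feed it `/var/log/exim/mainlog` (or wherever your build keeps it). In the thread's own snippet every arrival has an H= host and every delivery uses the local transport, so that traffic is inbound only: the server is receiving backscatter, not relaying. A high `submitted_locally` count with `delivered_remote` deliveries from the same ids points at a script on the box; a non-empty suspect list is the relay case.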
 
Ok, thx for that analysis!

The email [email protected] is NOT a user or an email account on the server.

So we are sure that the emails are sent from another server as spam?

I have cut off mail() for 24 hours... I'll see what happens.

Thx again :)

Sky
 
I did a simple log analysis.

As long as you've got mail turned off I can't test. Please post again when the mail is turned on.

Jeff
 
I also am experiencing this problem.... the target domain is receiving upwards of 5,000 'undeliverable message' messages each day.

I have reviewed some of the original messages (some are included as attachments to the reject messages); they all originate from different source IP addresses.

This has been happening for a couple months now.

Any suggestions are appreciated.
 
First off, let me say that I have been using unique email addresses everywhere I go with all different points of contact. It allows me the ability to track who is selling my info. Doing this, I was surprised to find out my Dell.com unique address started to get flooded with spam. Either they sold my info or they were hacked. Guessing the latter...

Anyways, check out my suggestion post above. It really helped for me.

One of my domains (4 char.net) that I have had for nearly a decade gets hit with this stuff in waves. Right now I am just at the 50/day low part of the wave.

If you are getting 5k/day, then you and your server are feeling the pain.

I have amended my funnel use to compensate for these PITA returned mails. Here's what I did - which I only did because I have had my domain used as an email funnel for years.

1) Set my funnel to all go to a '[email protected]' address.
2) Watched that account closely for a week, just deleting the returned to sender emails.
3) Any emails that were legit, I went into Direct Admin email forwards for that domain, and would set that legit address to forward to my '[email protected]' address.
4) My returned to sender level is small enough now that I just have my cell phone check it 3 times a day (I have a Treo smartphone with email client) and I just select all the problem emails and delete them on the server.
5) If my returned to sender level goes up again, I will just have to restore the mailwasher plan mentioned in the post above.

It's worked for me for a few months. Hope it helps you.

If you do NOT need email funnel, I suggest you just kill it. It's proving to be a pain. :-)

-WC-
 