What is this? Relay? Spam?

motobrandt

I'm seeing this from random domains in my exim_mainlog:

2006-10-23 17:09:14 1GbOpC-000Bfw-Ka ** qelcoef@ne.jp F=<>: Unrouteable address
2006-10-23 17:09:14 1GbOpC-000Bfw-Ka qelcoef@ne.jp: error ignored
2006-10-23 17:09:14 1GbOpC-000Bfw-Ka Completed

Doesn't it seem strange that there would be an error of unrouteable address yet the error would be ignored?

Has anyone else seen this? Or know what it is?

Thanks!
 

pucky

Unroutable means your DNS setup is botched. Or, ne.jp doesn't exist or they have no mail records. One or the other. Why don't you look up ne.jp to see if it's a valid domain? If it is and they have all their mail records in place, then it's your own DNS setup.
 

nobaloney

NoBaloney Internet Svcs - In Memoriam †
.ne.jp is the Japanese equivalent of the .net universal top-level domain.

Writing to qelcoef@ne.jp would therefore be equivalent to writing to anyone@net instead of anyone@example.net. (Note that anyone@example.net is NOT a valid email address; I made it up for the purpose of the example.)

F=<> indicates you've gotten an email from a mailer-daemon addressed to qelcoef@ne.jp so the question is why would you get such an email?

Generally you'd get such an email from a mailer-daemon if you sent an undeliverable email which was received by the destination server and then the destination server found it couldn't make the delivery.

So, either your server is sending out spam with a return address of qelcoef@ne.jp or some other server is, and is spoofing your server as the return path. (The latter is a good reason why I don't believe any server should ever respond for undeliverable email.)

To tell if it's your server doing the sending, look for qelcoef@ne.jp anywhere else in the mainlog, as an origin address. If you find it, then your server is being used to send spam.

Either way the next question is why are you getting an error ignored.

And the answer is that mail from a mailer-daemon (<>) cannot (according to RFCs) be returned. Why? Because returning it would create a mail-loop. Since your server has no place to deliver it (qelcoef@ne.jp doesn't exist on your server), can't forward it because the mailer-daemon isn't authenticated, and can't return it because <> isn't a valid address, it has no other recourse but to ignore the error and throw away the message.

Which is what the log is telling you it did.

Jeff
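
The check described in the post above, as an added example that is not part of the original thread: it finds bounces (F=<>) whose delivery failure was logged as "error ignored" and reports whether the same address also appears in the log as an envelope sender on a "<=" arrival line. Apart from the three log lines quoted in the thread, the sample log (message IDs, hosts, addresses) is constructed, and the function name and verdict strings are assumptions.

```python
import re

# Constructed sample: the first three lines are the ones quoted in the thread;
# every other line (message IDs, hosts, addresses) is made up for illustration.
SAMPLE_LOG = """\
2006-10-23 17:09:14 1GbOpC-000Bfw-Ka ** qelcoef@ne.jp F=<>: Unrouteable address
2006-10-23 17:09:14 1GbOpC-000Bfw-Ka qelcoef@ne.jp: error ignored
2006-10-23 17:09:14 1GbOpC-000Bfw-Ka Completed
2006-10-23 17:11:02 1GbOqw-000Bg1-3x <= promo@shop.example U=nobody P=local S=901
2006-10-23 17:11:03 1GbOqw-000Bg1-3x => someone@example.com R=lookuphost T=remote_smtp
2006-10-23 17:15:40 1GbOvQ-000BgF-7b <= <> H=mx.example.com [192.0.2.25] P=esmtp S=2210
2006-10-23 17:15:40 1GbOvQ-000BgF-7b ** promo@shop.example F=<>: Unrouteable address
2006-10-23 17:15:40 1GbOvQ-000BgF-7b promo@shop.example: error ignored
2006-10-23 17:15:40 1GbOvQ-000BgF-7b Completed
"""

# timestamp, classic 16-character message id (as in the thread's log), rest of line
LINE = re.compile(r"^\S+ \S+ ([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (.*)$")
ARRIVAL = re.compile(r"^<= (\S+)")                # message accepted, envelope sender
FAILED_BOUNCE = re.compile(r"^\*\* (\S+) F=<>")   # failed delivery of a null-sender message
IGNORED = re.compile(r"^(\S+): error ignored$")   # the failure could not be bounced


def triage_ignored_bounces(log_text):
    """Map each address whose bounce was dropped to whether this log shows it as a sender."""
    senders = set()   # envelope senders accepted by this server ("<=" lines)
    failed = set()    # (message id, address) pairs from "** addr F=<>" lines
    dropped = []      # addresses whose failure was then logged as "error ignored"
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        msg_id, rest = m.groups()
        if (a := ARRIVAL.match(rest)):
            senders.add(a.group(1).lower())
        elif (f := FAILED_BOUNCE.match(rest)):
            failed.add((msg_id, f.group(1).lower()))
        elif (i := IGNORED.match(rest)) and (msg_id, i.group(1).lower()) in failed:
            dropped.append(i.group(1).lower())
    # Absence from this file is not proof: the original send may sit in a rotated log.
    return {addr: ("sent-from-this-server" if addr in senders else "no-local-origin")
            for addr in dropped}


if __name__ == "__main__":
    for addr, verdict in triage_ignored_bounces(SAMPLE_LOG).items():
        print(f"{addr}: {verdict}")
```
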
 

motobrandt

As for the ne.jp stuff, yeah, I found that information searching around too. Jeff does a good job of explaining it. And yeah, it is a completely bogus address. I'll have to do some more searching around for more examples.

Thanks for the explanation, Jeff. I thought we lost you for a couple weeks there. I wasn't aware that the log was telling me that Exim disposed of the message. I guess it's my own ignorance in the message language, but I would expect a discarded message rather than a completed line.

Another nuance to my original post is that I'm getting similar log entries for other domains having nothing to do with ne.jp; that's why I was more interested in the log messages themselves than the domain or address itself.

Is it also possible that spamblocker is sending a reject email to this address (spoofed as it may be) and that this is causing this message?
 