What is this? Relay? Spam?

motobrandt

I'm seeing this from random domains in my exim_mainlog

2006-10-23 17:09:14 1GbOpC-000Bfw-Ka ** [email protected] F=<>: Unrouteable address
2006-10-23 17:09:14 1GbOpC-000Bfw-Ka [email protected]: error ignored
2006-10-23 17:09:14 1GbOpC-000Bfw-Ka Completed

Doesn't it seem strange that there would be an error of unrouteable address yet the error would be ignored?

Has anyone else seen this? or know what it is?

Thanks!
 
motobrandt said:
I'm seeing this from random domains in my exim_mainlog

2006-10-23 17:09:14 1GbOpC-000Bfw-Ka ** [email protected] F=<>: Unrouteable address
2006-10-23 17:09:14 1GbOpC-000Bfw-Ka [email protected]: error ignored
2006-10-23 17:09:14 1GbOpC-000Bfw-Ka Completed

Doesn't it seem strange that there would be an error of unrouteable address yet the error would be ignored?

Has anyone else seen this? or know what it is?

Thanks!

Unroutable means your DNS setup is botched. Or, ne.jp doesn't exist or they have no mail records. One or the other. Why don't you look up ne.jp to see if it's a valid domain. If it is and they have all their mail records in place then it's your own DNS setup.
 
.ne.jp is the Japanese equivalent of the .net universal top-level domain.

Writing to [email protected] would therefore be equivalent to writing to anyone@net instead of [email protected]. (Note that [email protected] is NOT a valid email address; I made it up for the purpose of the example.)

F=<> indicates you've gotten an email from a mailer-daemon addressed to [email protected] so the question is why would you get such an email?

Generally you'd get such an email from a mailer-daemon if you sent an undeliverable email which was received by the destination server and then the destination server found it couldn't make the delivery.

So, either your server is sending out spam with a return address of [email protected] or some other server is, and is spoofing your server as the return path. (The latter is a good reason why I don't believe any server should ever respond for undeliverable email.)

To tell if it's your server doing the sending look for [email protected] anywhere else in the mainlog, as an origin address. If you find it, then your server is being used to send spam.

Either way the next question is why are you getting an error ignored.

And the answer is that mail from a mailer-daemon (<>) cannot (according to RFCs) be returned. Why? Because returning it would create a mail-loop. Since your server has no place to deliver it ([email protected] doesn't exist on your server), can't forward it because the mailer-daemon isn't authenticated, and can't return it because <> isn't a valid address, it has no other recourse but to ignore the error and throw away the message.

Which is what the log is telling you it did.

Jeff
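
The check Jeff describes above (look for the bounced-to address elsewhere in the mainlog as an origin address), written out as an added example that is not part of the original thread. The log lines, addresses, hosts and message IDs are constructed samples in exim_mainlog format, and the function name is hypothetical.

```python
import re

# Constructed sample log; every address, host and message ID here is made up.
SAMPLE_LOG = """\
2006-10-23 17:01:02 1GbOhG-000Bd1-3x <= promo@forged.example H=(client) [192.0.2.10] P=esmtpa A=login:webuser S=2101
2006-10-23 17:01:03 1GbOhG-000Bd1-3x => victim@remote.example R=lookuphost T=remote_smtp
2006-10-23 17:09:13 1GbOpC-000Bfw-Ka <= <> H=mx.remote.example [198.51.100.7] P=esmtp S=3120
2006-10-23 17:09:14 1GbOpC-000Bfw-Ka ** promo@forged.example F=<>: Unrouteable address
2006-10-23 17:09:14 1GbOpC-000Bfw-Ka promo@forged.example: error ignored
2006-10-23 17:09:14 1GbOpC-000Bfw-Ka Completed
2006-10-23 17:12:40 1GbOsW-000Bh2-9q <= <> H=mx.other.example [203.0.113.5] P=esmtp S=2988
2006-10-23 17:12:41 1GbOsW-000Bh2-9q ** nobody@spoofed.example F=<>: Unrouteable address
2006-10-23 17:12:41 1GbOsW-000Bh2-9q nobody@spoofed.example: error ignored
2006-10-23 17:12:41 1GbOsW-000Bh2-9q Completed
"""

# "<=" marks a message arriving; the field after it is the envelope sender.
ARRIVAL = re.compile(r"^\S+ \S+ (\S+) <= (\S+)")
# "**" marks a failed delivery; F=<> means the failing message was itself a bounce.
FAILED_BOUNCE = re.compile(r"^\S+ \S+ (\S+) \*\* (\S+) F=<>")

def classify_failed_bounces(log_text):
    """Map each address that a null-sender (F=<>) message failed to reach
    to the IDs of messages this server accepted with that address as sender."""
    sent_as = {}   # sender address -> message IDs accepted here
    failed = {}    # bounce recipients, kept in first-seen order
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m and m.group(2) != "<>":
            sent_as.setdefault(m.group(2).lower(), []).append(m.group(1))
        m = FAILED_BOUNCE.match(line)
        if m:
            failed.setdefault(m.group(2).lower(), None)
    return {addr: sent_as.get(addr, []) for addr in failed}

if __name__ == "__main__":
    for addr, msg_ids in classify_failed_bounces(SAMPLE_LOG).items():
        if msg_ids:
            print(f"{addr}: used as sender on this server in {msg_ids}")
        else:
            print(f"{addr}: never seen as a sender in this log")
```

An empty list means the address never appears as an origin address in the log that was searched; a non-empty list gives the message IDs to inspect for how that mail entered the server (for example the `A=` or `H=` fields on the arrival line).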
 
As for the ne.jp stuff yeah I found that information searching around too. Jeff does a good job of explaining it. And yeah it is a completely bogus address. I'll have to do some more searching around for more examples.

Thanks for the explanation Jeff. I thought we lost you for a couple weeks there. I wasn't aware that the log was telling me that Exim disposed of the message. I guess it's my own ignorance in the message language but I would expect a discarded message rather than a completed line.

Another nuance to my original post is that I'm getting similar log entries for other domains having nothing to do with ne.jp; that's why I was more interested in the log messages themselves than the domain or address itself.

Is it also possible that spamblocker is sending a reject email to this address (spoofed as it may be) and that this is causing this message?
 