
Mailing List Archive: exim: dev

Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing

 

 



tymes10 at gmail

Jun 7, 2005, 10:40 AM

Post #1 of 24 (549 views)
Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing

I don't operate or have experience with Exim, but I've noticed a
problem with several different exim mail servers (one 4.50 several
4.41 and probably other versions). Perhaps someone can look at this
and determine if it is a bug in Exim.

A virus spoofing my domain will send an Exim server a message which
will initially accept the message but later tries to bounce the
message because it finds the illicit .scr/.pif/.exe attachment, the
mailbox is full, no such user or some other problem. So now the Exim
server generates and sends a bounce to my server which detects the
illicit attachment or forgery and responds with either a

after DATA "."
554 5.7.1 Message cannot be accepted, virus found

after RCPT TO: fake [at] domain
550 5.1.1 fake [at] domain User unknown; rejecting

Here is the problem, the Exim servers will retry to resend the message
(ignoring the 55x errors) every two hours for 2 or 3 days. The
bounce's message-id, date, other headers, and the quoted forgery all
demonstrate that the multiple bounces are caused by a single message
and the multiples are a result of a problem with Exim not
acknowledging my server's 55x responses. Normally this problem
wouldn't be noticed as bounces aren't normally seen.

Can someone determine if this is a current bug or when it was fixed
and under what condition this exists? I presume all MAIL FROM: <>
should be deleted or forwarded to a badmail mailbox after rejected
with a 55x error and not remain in the outgoing queue.


If it helps, I've noticed from the headers of the quarantined messages
that these bounces all have...

Received: from mailnull by xxxxxxxxxxxxx with local (Exim 4.xx)
X-Failed-Recipients: forged [at] yyyyyyyyyy
Auto-Submitted: auto-generated


Here is the header from one of the 27 identical messages recently
bounced from the one Exim 4.50 server I've encountered with this
problem...

Received: from bob.xstreamhost.com ([69.72.225.186])
by mail.agate.ca (mmmMail) with ESMTP (SSL) id GNA74607
for <info [at] forged>; Sun, 05 Jun 2005 07:08:03 -0700
Received: from mailnull by bob.xstreamhost.com with local (Exim 4.50)
id 1DedQo-0007nX-LM
for info [at] forged; Sat, 04 Jun 2005 11:31:38 -0700
X-Failed-Recipients: info [at] croogstudios
Auto-Submitted: auto-generated
From: Mail Delivery System <Mailer-Daemon [at] bob>
To: info [at] forged
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1DedQo-0007nX-LM [at] bob>
Date: Sat, 04 Jun 2005 11:31:38 -0700
X-AntiAbuse: This header was added to track abuse, please include it
with any abuse report
X-AntiAbuse: Primary Hostname - bob.xstreamhost.com
X-AntiAbuse: Original Domain - forged.dom
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Source:
X-Source-Args:
X-Source-Dir:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

info [at] croogstudios
This message has been rejected because it has
a potentially executable attachment "your_letter.pif"

------ This is a copy of the message, including all the headers. ------

Return-path: <info [at] forged>
Received: from [24.84.217.133] (port=1152 helo=croogstudios.com)
by bob.xstreamhost.com with esmtp (Exim 4.50)
id 1DedQh-0007nK-TT
for info [at] croogstudios; Sat, 04 Jun 2005 11:31:38 -0700
From: info [at] forged
To: info [at] croogstudios
Subject: Re: Your letter
Date: Sat, 4 Jun 2005 11:33:58 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0008_00003597.00002991"
X-Priority: 3
X-MSMail-Priority: Normal


jwblist at olympus

Jun 7, 2005, 11:30 AM

Post #2 of 24 (540 views)
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

On 6/7/05 10:40 AM, "Tony Marques" <tymes10 [at] gmail> wrote:

> I don't operate or have experience with Exim, but I've noticed a
> problem with several different exim mail servers (one 4.50 several
> 4.41 and probably other versions). Perhaps someone can look at this
> and determine if it is a bug in Exim.
>
> A virus spoofing my domain will send an Exim server a message which
> will initially accept the message but later tries to bounce the
> message because it finds the illicit .scr/.pif/.exe attachment, the
> mailbox is full, no such user or some other problem. So now the Exim
> server generates and sends a bounce to my server which detects the
> illicit attachment or forgery and responds with either a

It's more an error in configuration. These days, sending back an entire
message in a bounce is most unfriendly, since it's so likely to distribute a
virus to an innocent third party. We cut off our bounce messages at--I
think--10K. Newer Exims (I forget the transition point) can also be
configured not to return the body at all.

> Here is the problem, the Exim servers will retry to resend the message
> (ignoring the 55x errors) every two hours for 2 or 3 days. The
> bounce's message-id, date, other headers, and the quoted forgery all
> demonstrate that the multiple bounces are caused by a single message
> and the multiples are a result of a problem with Exim not
> acknowledging my server's 55x responses. Normally this problem
> wouldn't be noticed as bounces aren't normally seen.

In my experience, Exim doesn't do that, and I'm not quite sure what I would
do to cause it.

--John


tymes10 at gmail

Jun 7, 2005, 3:29 PM

Post #3 of 24 (539 views)
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

> It's more an error in configuration. These days, sending back an entire
> message in a bounce is most unfriendly, since it's so likely to distribute a
> virus to an innocent third party. We cut off our bounce messages at--I
> think--10K. Newer Exims (I forget the transition point) can also be
> configured not to return the body at all.

Yes, that is preferential, although I hope it still returns headers or
at least the IP address of the incoming message.

Yet this doesn't matter in the case where a 550 User Unknown error is
generated. The entire SMTP transaction is briefly... HELO< 250>, MAIL
FROM< 250 OK>, RCPT TO< 550 Unknown User>, QUIT. No DATA so the
message that caused the bounce is irrelevant. This is less of a
problem although there is no reason for the Exim server to retry this
27 times over the next few days.


>> Here is the problem, the Exim servers will retry to resend the message
>> (ignoring the 55x errors) every two hours for 2 or 3 days. The
>> bounce's message-id, date, other headers, and the quoted forgery all
>> demonstrate that the multiple bounces are caused by a single message
>> and the multiples are a result of a problem with Exim not
>> acknowledging my server's 55x responses. Normally this problem
>> wouldn't be noticed as bounces aren't normally seen.
>
> In my experience, Exim doesn't do that, and I'm not quite sure what I would
> do to cause it.

I can get you a list of Exim servers from my logs which seem to do
this. People on this list are even less likely to experience this as
their Exim servers may accept problem messages in the first place and
filter them immediately.

To duplicate this, authenticate or otherwise use your Exim server to
relay a message to a non-local account that generates a 550 User
Unknown error.
1. In DNS, configure the mx sub.yourdom.com to point to any foreign
mail server (like mx1.hotmail.com or whatever).
2. Send a message to your Exim server from <x [at] sub> to
<y [at] sub> using authentication or from a local/known IP
address so it acts as a relay. Once accepted the trap is set.

Your Exim server will try to deliver the message to the foreign host
and get a 550 user unknown or 550 we do not relay for
<x [at] sub> (or in the case of hotmail, 550 Requested action
not taken: mailbox unavailable).

Then it should try to send a bounce from <> to <x [at] sub>, if
that message remains in the queue after the first attempt then we've
duplicated the problem. This is only a few seconds after we've sent
the message.


Just to ensure, this wasn't a problem with my server or its software
as opposed to the half dozen or so examples of different Exim servers
that I've quickly found in my logs. I've just gone through the
trouble (2 minutes) of setting up the SMTP service on a new server to
debug this.

I took a test Windows 2003 box setup the SMTP service (my main server
doesn't use MS mail software so different server/different mail server
software) and opened the smtp port. With no mailboxes and nothing
else setup, now any message sent to that machine will get a 550 Unable
to relay for <whomever>. I needed to test this against a foreign
server so I setup a public MX for test.tymes.net to forward to this
server (which still won't accept it). That server's logs will indicate
when the remote server tries to connect and deliver a bounce.

I sent off the seed message from a bogus address
<exim-test [at] test> to test an Exim server (sorry, but they
have already sent me 27 virus infected messages) and two hours later,
I got a second bounce so this will presumably continue for the next
few days as that remote Exim 4.50 server tries to deliver the bounce.

Someone with their own Exim server wouldn't have to wait two hours
as they would just be able to look in the Outgoing queue to see if the
bounce was still there after the first attempt.


Here is a snippet from the SMTP logs of the server I setup.

2005-06-07 19:47:31 69.72.225.186 bob.xstreamhost.com EHLO -
+bob.xstreamhost.com 250 0 182 24 16 SMTP - - - -
2005-06-07 19:47:31 69.72.225.186 bob.xstreamhost.com MAIL - +FROM:<>
250 0 27 22 0 SMTP - - - -
2005-06-07 19:47:31 69.72.225.186 bob.xstreamhost.com RCPT -
+TO:<exim-sucks [at] test> 550 0 57 35 0 SMTP - - - -
2005-06-07 19:47:31 69.72.225.186 bob.xstreamhost.com DATA - - 554 0 0
4 0 SMTP - - - -
2005-06-07 19:47:31 69.72.225.186 bob.xstreamhost.com QUIT -
bob.xstreamhost.com 240 375 53 4 0 SMTP - - - -
2005-06-07 21:31:38 69.72.225.186 bob.xstreamhost.com EHLO -
+bob.xstreamhost.com 250 0 182 24 0 SMTP - - - -
2005-06-07 21:31:38 69.72.225.186 bob.xstreamhost.com MAIL - +FROM:<>
250 0 27 22 0 SMTP - - - -
2005-06-07 21:31:38 69.72.225.186 bob.xstreamhost.com RCPT -
+TO:<exim-sucks [at] test> 550 0 57 35 0 SMTP - - - -
2005-06-07 21:31:38 69.72.225.186 bob.xstreamhost.com DATA - - 554 0 0
4 0 SMTP - - - -
2005-06-07 21:31:38 69.72.225.186 bob.xstreamhost.com QUIT -
bob.xstreamhost.com 240 437 53 4 0 SMTP - - - -


exim at lists

Jun 7, 2005, 4:24 PM

Post #4 of 24 (539 views)
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

[.OP cc-ed in as I'm assuming he's not on the list]
On Tue, Jun 07, 2005 at 10:40:19AM -0700, Tony Marques wrote:
> I don't operate or have experience with Exim, but I've noticed a
> problem with several different exim mail servers (one 4.50 several
> 4.41 and probably other versions). Perhaps someone can look at this
> and determine if it is a bug in Exim.
>
> A virus spoofing my domain will send an Exim server a message which
> will initially accept the message but later tries to bounce the
> message because it finds the illicit .scr/.pif/.exe attachment, the
> mailbox is full, no such user or some other problem. So now the Exim
> server generates and sends a bounce to my server which detects the
> illicit attachment or forgery and responds with either a
>
> after DATA "."
> 554 5.7.1 Message cannot be accepted, virus found
>
> after RCPT TO: fake [at] domain
> 550 5.1.1 fake [at] domain User unknown; rejecting
>
> Here is the problem, the Exim servers will retry to resend the message
> (ignoring the 55x errors) every two hours for 2 or 3 days. The
> bounce's message-id, date, other headers, and the quoted forgery all
> demonstrate that the multiple bounces are caused by a single message
> and the multiples are a result of a problem with Exim not
> acknowledging my server's 55x responses. Normally this problem
> wouldn't be noticed as bounces aren't normally seen.

Ok, first off exim doesn't do this. If it gets a 550, this means the
message will be bounced, if it gets a 550 on a bounce, it will "freeze"
the message.

Obviously, in the case you've suggested above, you know that the "single
message" that has the multiples you're talking about is rejected after
DATA (you wouldn't see it at all if rejected after RCPT), so, my first
question is: have you timed how long it takes to do the virus scanning,
and in particular, what is the time delay between the sender-SMTP sending
a final "." and your receiver saying "554 5.7.1"? Is it possible that the
sender-SMTP has timed out?

> Can someone determine if this is a current bug or when it was fixed

Such a bug does not exist. If it did, we would be in much deeper water.

> and under what condition this exists? I presume all MAIL FROM: <>
> SHOULD be deleted or forwarded to a badmail mailbox after rejected
> with a 55x error and not remain in the outgoing queue.

"badmail mailbox" ? ugh! No, exim has the concept of "freezing" a message,
which means that it doesn't get processed in a normal queue run. This has
roughly the effect that you describe, however.

It is possible (given that you've used the same host as an example
several times), that someone has a cronjob which unfreezes messages. This
would be considered bad practice, but it wouldn't be the first time that
bad practice existed on the internet.

Cheers

MBM

--
Matthew Byng-Maddick <mbm [at] colondot> http://colondot.net/
(Please use this address to reply)


tymes10 at gmail

Jun 7, 2005, 5:37 PM

Post #5 of 24 (539 views)
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

On 6/7/05, Matthew Byng-Maddick <exim [at] lists> wrote:
> [.OP cc-ed in as I'm assuming he's not on the list]
> On Tue, Jun 07, 2005 at 10:40:19AM -0700, Tony Marques wrote:
> > I don't operate or have experience with Exim, but I've noticed a
> > problem with several different exim mail servers (one 4.50 several
> > 4.41 and probably other versions). Perhaps someone can look at this
> > and determine if it is a bug in Exim.
> >
> > A virus spoofing my domain will send an Exim server a message which
> > will initially accept the message but later tries to bounce the
> > message because it finds the illicit .scr/.pif/.exe attachment, the
> > mailbox is full, no such user or some other problem. So now the Exim
> > server generates and sends a bounce to my server which detects the
> > illicit attachment or forgery and responds with either a
> >
> > after DATA "."
> > 554 5.7.1 Message cannot be accepted, virus found
> >
> > after RCPT TO: fake [at] domain
> > 550 5.1.1 fake [at] domain User unknown; rejecting
> >
> > Here is the problem, the Exim servers will retry to resend the message
> > (ignoring the 55x errors) every two hours for 2 or 3 days. The
> > bounce's message-id, date, other headers, and the quoted forgery all
> > demonstrate that the multiple bounces are caused by a single message
> > and the multiples are a result of a problem with Exim not
> > acknowledging my server's 55x responses. Normally this problem
> > wouldn't be noticed as bounces aren't normally seen.
>
> Ok, first off exim doesn't do this. If it gets a 550, this means the
> message will be bounced, if it gets a 550 on a bounce, it will "freeze"
> the message.
>
> Obviously, in the case you've suggested above, you know that the "single
> message" that has the multiples you're talking about is rejected after
> DATA (you wouldn't see it at all if rejected after RCPT), so, my first
> question is: have you timed how long it takes to do the virus scanning,
> and in particular, what is the time delay between the sender-SMTP sending
> a final "." and your receiver saying "554 5.7.1"? Is it possible that the
> sender-SMTP has timed out?

No, I'm also talking about 550 after the RCPT and 550 after DATA is received.

So for your first question, the total time is only a couple of seconds
at most to do the virus scanning and in the case of the 550 after the
RCPT, there is no virus scanning (dns lookups or anything) and as you
may see in the log of the sample I setup both transactions took less
than a second. There isn't a time out.

Actually it's been another two hours so let's look at the new log entry
from my test of a foreign Exim server...

2005-06-07 23:09:26 69.72.225.186 bob.xstreamhost.com SMTPSVC1 BBOX
142.179.66.95 EHLO - +bob.xstreamhost.com 250 0 182 24 0 SMTP - - - -
2005-06-07 23:09:26 69.72.225.186 bob.xstreamhost.com SMTPSVC1 BBOX
142.179.66.95 MAIL - +FROM:<> 250 0 27 22 0 SMTP - - - -
2005-06-07 23:09:26 69.72.225.186 bob.xstreamhost.com SMTPSVC1 BBOX
142.179.66.95 RCPT - +TO:<exim-sucks [at] test> 550 0 57 35 SMTP
- - - -
2005-06-07 23:09:26 69.72.225.186 bob.xstreamhost.com 142.179.66.95
DATA - - 554 0 0 4 0 SMTP - - - -
2005-06-07 23:09:26 69.72.225.186 bob.xstreamhost.com 142.179.66.95
QUIT - bob.xstreamhost.com 240 375 53 4 0 SMTP - - - -

Again all happened in the same second. I don't like this log, that
DATA command is confusing (MS junk). Here is an example from my
regular server...

69.72.225.186 [00001B84] Tue, 07 Jun 2005 08:48:46 -0700 Connected
69.72.225.186 [00001B84] Tue, 07 Jun 2005 08:48:46 -0700 >>> 220
mail.agate.ca ESMTP mmmMail; Tue, 07 Jun 2005 08:48:46 -0700
69.72.225.186 [00001B84] Tue, 07 Jun 2005 08:48:46 -0700 <<< EHLO
bob.xstreamhost.com
69.72.225.186 [00001B84] Tue, 07 Jun 2005 08:48:46 -0700 >>>
250-mail.agate.ca Hello bob.xstreamhost.com [69.72.225.186], pleased
to meet you.
69.72.225.186 [00001B84] Tue, 07 Jun 2005 08:48:46 -0700 <<< STARTTLS
69.72.225.186 [00001B84] Tue, 07 Jun 2005 08:48:46 -0700 >>> 220
2.0.0 Ready to start TLS
69.72.225.186 [00001B84] Tue, 07 Jun 2005 08:48:46 -0700 <<< EHLO
bob.xstreamhost.com
69.72.225.186 [00001B84] Tue, 07 Jun 2005 08:48:46 -0700 >>>
250-mail.agate.ca Hello bob.xstreamhost.com [69.72.225.186], pleased
to meet you.
69.72.225.186 [00001B84] Tue, 07 Jun 2005 08:48:46 -0700 <<< MAIL
FROM:<> SIZE=3681
69.72.225.186 [00001B84] Tue, 07 Jun 2005 08:48:46 -0700 >>> 250
2.1.0 <>... Sender ok
69.72.225.186 [00001B84] Tue, 07 Jun 2005 08:48:46 -0700 <<< RCPT
TO:<fake [at] xxxxxxxxxxx>
69.72.225.186 [00001B84] Tue, 07 Jun 2005 08:48:46 -0700 >>> 550
5.1.1 <fake [at] xxxxxxxxxxx> User unknown; rejecting
69.72.225.186 [00001B84] Tue, 07 Jun 2005 08:48:46 -0700 <<< QUIT
69.72.225.186 [00001B84] Tue, 07 Jun 2005 08:48:46 -0700 >>> 221
2.0.0 mail.agate.ca closing connection
SYSTEM [00001B84] Tue, 07 Jun 2005 08:48:46 -0700 Disconnected

Multiply that log entry 25 over two days and tell me if you would
notice it. If it's accepted (by a backup MX for instance) Exim gets
a 250 and is done.

>
> > Can someone determine if this is a current bug or when it was fixed
>
> Such a bug does not exist. If it did, we would be in much deeper water.

You're saying there is a special case for <> messages, they are frozen
and aren't treated as regular messages. A special case is all the
more reason for a bug and all the more reason it may not have been
noticed in the past.

The truth is, what I'm describing usually occurs between an
unmonitored account and another non-monitored sometimes non-existent
account. The sending Exim side lists these bad/frozen and after two
days when it actually stops the result is the same. The destination
may only be noticed as 5 line log entries saying User not found or <>
illegal sender or something. Many recipients may also accept the mail
and eventually have to handle the bounce themselves. This could have
been happening for years -- I've just found some messages from Exim
3.33 which also seemed to have ignored 550 errors.


> > and under what condition this exists? I presume all MAIL FROM: <>
> > SHOULD be deleted or forwarded to a badmail mailbox after rejected
> > with a 55x error and not remain in the outgoing queue.
>
> "badmail mailbox" ? ugh! No, exim has the concept of "freezing" a message,
> which means that it doesn't get processed in a normal queue run. This has
> roughly the effect that you describe, however.
>
> It is possible (given that you've used the same host as an example
> several times), that someone has a cronjob which unfreezes messages. This
> would be considered bad practice, but it wouldn't be the first time that
> bad practice existed on the internet.

Like I've said, I've seen this over and over again where Exim servers
are the culprits. And I wouldn't suspect a cron job unless it's
running every hour or some other short time period so can unfreeze
messages so they are sent every two hours window when it retries.

Relay a message through your server from <exim-rulez [at] test>
to <exim-rulez [at] test> and we'll see if this problem exists.
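
Added example, not part of the original thread: a receiver-side check for the pattern described in the posts above, where one client keeps re-sending a null-sender (MAIL FROM:<>) message to a recipient that has already been refused with a 5xx. The line layout follows the mail.agate.ca session log quoted above; the function names, the sample sessions and the addresses (documentation ranges and example.org) are constructed for illustration.

```python
import re
from collections import defaultdict
from email.utils import parsedate_to_datetime

LINE_RE = re.compile(
    r"^(?P<ip>\S+) \[(?P<conn>\w+)\] "
    r"(?P<ts>\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}) (?P<rest>.*)$"
)
MAIL_RE = re.compile(r"^MAIL FROM:\s*<(?P<sender>[^>]*)>", re.I)
RCPT_RE = re.compile(r"^RCPT TO:\s*<(?P<rcpt>[^>]*)>", re.I)


def rejected_bounce_attempts(log_text):
    """Yield (client_ip, recipient, timestamp, code) for each null-sender
    delivery that was refused with a 5xx after RCPT TO or after DATA."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, rest = (m["ip"], m["conn"]), m["rest"]
        if rest == "Connected":  # connection ids can be reused: reset state
            sessions[key] = {"bounce": False, "stage": None,
                             "pending": None, "accepted": []}
            continue
        s = sessions.get(key)
        if s is None:
            continue
        if rest.startswith("<<< "):  # command from the client
            cmd = rest[4:]
            if (mm := MAIL_RE.match(cmd)):
                s.update(bounce=(mm["sender"] == ""), stage="MAIL", accepted=[])
            elif (mr := RCPT_RE.match(cmd)):
                s.update(stage="RCPT", pending=mr["rcpt"].lower())
            elif cmd.strip().upper() == "DATA":
                s["stage"] = "DATA"
            else:
                s["stage"] = None
        elif rest.startswith(">>> "):  # reply from this server
            code = rest[4:7]
            if not code.isdigit() or rest[7:8] == "-" or code == "354":
                continue  # banner text, continuation line or "go ahead"
            ts = parsedate_to_datetime(m["ts"])
            if s["stage"] == "RCPT":
                if code[0] == "2":
                    s["accepted"].append(s["pending"])
                elif code[0] == "5" and s["bounce"]:
                    yield m["ip"], s["pending"], ts, code
            elif s["stage"] == "DATA" and code[0] == "5" and s["bounce"]:
                for rcpt in s["accepted"]:
                    yield m["ip"], rcpt, ts, code
            s["stage"] = None


def find_bounce_retries(log_text, min_attempts=2):
    """Report client/recipient pairs refused at least min_attempts times."""
    attempts = defaultdict(list)
    for ip, rcpt, ts, code in rejected_bounce_attempts(log_text):
        attempts[(ip, rcpt)].append((ts, code))
    findings = []
    for (ip, rcpt), seen in sorted(attempts.items()):
        if len(seen) < min_attempts:
            continue
        times = sorted(t for t, _ in seen)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        findings.append({"client": ip, "recipient": rcpt,
                         "attempts": len(times),
                         "codes": sorted({c for _, c in seen}),
                         "min_gap_minutes": min(gaps),
                         "max_gap_minutes": max(gaps)})
    return findings


def _session(ip, conn, when, sender, rcpt, rcpt_reply, data_reply=None):
    """Build one constructed SMTP session in the quoted log layout."""
    p = f"{ip} [{conn}] {when} -0700 "
    lines = [p + "Connected",
             p + f"<<< MAIL FROM:<{sender}>", p + ">>> 250 2.1.0 Sender ok",
             p + f"<<< RCPT TO:<{rcpt}>", p + f">>> {rcpt_reply}"]
    if data_reply:
        lines += [p + "<<< DATA", p + ">>> 354 Enter mail",
                  p + f">>> {data_reply}"]
    return lines + [p + "<<< QUIT", p + ">>> 221 2.0.0 closing connection"]


# Constructed sample log; none of these sessions come from the thread.
UNKNOWN = "550 5.1.1 User unknown; rejecting"
VIRUS = "554 5.7.1 Message cannot be accepted, virus found"
SAMPLE_LOG = "\n".join(
    # Same bounce refused at RCPT three times, two hours apart.
    _session("192.0.2.10", "0001", "Tue, 07 Jun 2005 08:48:46", "", "fake@example.org", UNKNOWN)
    + _session("192.0.2.10", "0002", "Tue, 07 Jun 2005 10:48:46", "", "fake@example.org", UNKNOWN)
    + _session("192.0.2.10", "0003", "Tue, 07 Jun 2005 12:48:46", "", "fake@example.org", UNKNOWN)
    # One refused bounce that is never retried.
    + _session("198.51.100.7", "0004", "Tue, 07 Jun 2005 09:10:00", "", "fake@example.org", UNKNOWN)
    # Ordinary mail (non-null sender) refused twice: not a bounce, ignored.
    + _session("203.0.113.5", "0005", "Tue, 07 Jun 2005 09:20:00", "user@example.net", "nobody@example.org", UNKNOWN)
    + _session("203.0.113.5", "0006", "Tue, 07 Jun 2005 11:20:00", "user@example.net", "nobody@example.org", UNKNOWN)
    # Bounce accepted at RCPT, refused after DATA, retried 90 minutes later.
    + _session("192.0.2.44", "0007", "Tue, 07 Jun 2005 09:00:00", "", "info@example.org", "250 2.1.5 Recipient ok", VIRUS)
    + _session("192.0.2.44", "0008", "Tue, 07 Jun 2005 10:30:00", "", "info@example.org", "250 2.1.5 Recipient ok", VIRUS)
)

if __name__ == "__main__":
    for finding in find_bounce_retries(SAMPLE_LOG):
        print(finding)
```

A rejection at RCPT TO leaves no Message-Id in the session log, so grouping by client and recipient cannot tell retries of one bounce from separate bounces to the same address; evenly spaced gaps are the hint that a single queued message is being retried.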


tymes10 at gmail

Jun 7, 2005, 7:27 PM

Post #6 of 24 (541 views)
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

In my previous message, if someone wants to test any of the various
Exim versions/builds just relay a message using whatever means thru
their server from <exim-rulez @ test.tymes.net> to <exim-rulez @
test.tymes.net>. You can use any email address @ test.tymes.net as
the mx host isn't configured with any mailboxes and doesn't relay. The
message you are trying to relay can even be blank -- I first noticed
this only because of infected messages but it will work for 550 User
unknowns so the message content isn't even important.

An Exim server should only try to send two messages after which it
should stop -- freezing (or whatever) the first message and the
generated bounce.


Here is a quick list of Exim Mail servers which haven't respected 550
errors and their version number at the time. I stopped looking at 20
different servers. You might understand why I suspect Exim may have
some sort of issue...

82.108.130.24 mail.ncipher.com (Exim 3.34 #1)
203.101.80.60 smtp.instaxs.net (Exim 3.36 #1)
64.21.80.14 langley.intersurge.com (Exim 4.24)
204.174.223.62 slammer.netnation.com (Exim 4.34)
202.71.129.247 lx6.net4india.com (Exim 4.41 #2)
67.18.101.194 laud.meotex.com (Exim 4.43)
66.235.217.101 host01.ipowerweb.com (Exim 4.43)
80.168.77.109 fozzie.infotech247.com (Exim 4.43)
209.63.57.146 box6.bluehost.com (Exim 4.43)
63.247.94.186 peace.janushosting.com (Exim 4.43)
12.164.27.82 server.netcastdaily.com (Exim 4.43)
64.191.37.5 server001.indexperu.com (Exim 4.43)
69.44.60.20 server1.net-clicks.com (Exim 4.43)
207.58.131.99 vps.libraenterprises.com (Exim 4.43)
69.72.197.26 server145.webdomainserver.com (Exim 4.43)
69.72.218.18 server2.intermana.net (Exim 4.43)
202.60.64.24 cp8.hostingshop.com.au (Exim 4.43)
67.15.80.42 mail.dfsv23.com (Exim 4.44)
69.72.128.18 server145.highprofilehosting.com (Exim 4.44)
69.72.225.186 bob.xstreamhost.com (Exim 4.50)

The bounces were generated by virus/file rejections, unknown users,
and full mailboxes. The retry times ranged from about 90 minutes to 4
hours. If they were retrying less frequently I probably missed them
as I quickly grepped this list. I don't know how many more servers
there may be which are causing User Unknown errors as they would probably
be impossible to find.


ice at extreme

Jun 7, 2005, 7:44 PM

Post #7 of 24 (541 views)
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

On Tue, 7 Jun 2005, Tony Marques wrote:

> different servers. You might understand why I suspect Exim may have
> some sort of issue...

2005-06-08 04:34:57 SMTP connection from ice
2005-06-08 04:34:57 1DfqPB-0008Mn-4P <= exim-rulez [at] test
U=ice P=local-smtp S=360 from <exim-rulez [at] test> for
exim-rulez [at] test
2005-06-08 04:34:57 SMTP connection from ice closed by QUIT
2005-06-08 04:34:58 1DfqPB-0008Mn-4P ** exim-rulez [at] test
R=lookuphost T=remote_smtp: SMTP error from remote mailer after
RCPT TO:<exim-rulez [at] test>: host dns.dolphincs.com
[142.179.66.95]: 550 5.7.1 Unable to relay for exim-rulez [at] test
2005-06-08 04:34:58 1DfqPC-0004e1-Ab <= <> R=1DfqPB-0008Mn-4P U=mail
P=local S=1382 from <> for exim-rulez [at] test
2005-06-08 04:34:58 1DfqPB-0008Mn-4P Completed
2005-06-08 04:34:59 1DfqPC-0004e1-Ab ** exim-rulez [at] test
R=lookuphost T=remote_smtp: SMTP error from remote mailer after
RCPT TO:<exim-rulez [at] test>: host dns.dolphincs.com
[142.179.66.95]: 550 5.7.1 Unable to relay for exim-rulez [at] test
2005-06-08 04:34:59 1DfqPC-0004e1-Ab exim-rulez [at] test:
error ignored
2005-06-08 04:34:59 1DfqPC-0004e1-Ab Completed

i completely fail to see the problem.

of course,

collapsed:~$ exim -bP ignore_bounce_errors_after
ignore_bounce_errors_after = 0s
collapsed:~$

i suspect the behaviour you are observing is coming from hosts that
have ignore_bounce_errors set to anything not zero, and have
corresponding auto thawing and retrying policies. this is a
configuration issue (the word "error" was not used on purpose), and
has nothing to do with exim, except for exim providing a(nother) rope
one can hang thyself on, if one so wishes.

nothing is wrong here.

--
[-]

mkdir /nonexistent


lists at timj

Jun 8, 2005, 12:40 AM

Post #8 of 24 (540 views)
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

On Tue, 7 Jun 2005 19:27:08 -0700
Tony Marques <tymes10 [at] gmail> wrote:

> An Exim server should only try to send two messages after which it
> should stop -- freezing (or whatever) the first message and the
> generated bounce.

As others have said, I've never seen Exim exhibit bad behaviour like
you're describing. Exim definitely doesn't keep retrying after 5xx
errors. Whilst there's always the possibility of a bug, I'm pretty sure
it would have been picked up by now considering the huge deployment and
long history of Exim.

However, can I point out an alternative suggestion. Exim is
incorporated into at least one (and probably more) "control panel"
products (Cpanel), where at least some parts of the system are pre-
configured and the users may not be actually configuring Exim
directly; they may be relying on Cpanel to do it. Whilst I know nothing
about Cpanel or other similar software, it's entirely possible that the
authors of such products have done some kind of silly configuration
(e.g. having a cron job run "exim -qff" repeatedly, which would cause
the behaviour you describe), which would explain how many apparently
unconnected Exim machines are exhibiting similar behaviour.

There are two things I would note about this:

a) This seems more likely given that you are complaining about bogus
virus bounces and similar (which are indeed a PITA - see
http://www.timj.co.uk/linux/bogus-virus-warnings.cf ). Well-configured
Exim machines don't spew crap like this out. And "well-configured" in
this case isn't some kind of get-out clause for "if you're an ubergeek
and know how to change some obscure option"; by default it will not do
such things. So the fact that the machines are already misconfigured
surely makes it more likely that the operators (or whoever wrote the
scripts to configure them) have done something else silly with their
configuration?

b) More pertinently, the example you cited in an earlier mail did
indeed exhibit signs of being a "pre-configured" machine. Here goes
again:

To: info [at] forged
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1DedQo-0007nX-LM [at] bob>
Date: Sat, 04 Jun 2005 11:31:38 -0700
X-AntiAbuse: This header was added to track abuse, please include it
with any abuse report
X-AntiAbuse: Primary Hostname - bob.xstreamhost.com
X-AntiAbuse: Original Domain - forged.dom
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -

Note the "X-AntiAbuse" headers. These are not generated by Exim and I
believe (someone please correct me if I'm wrong) that they are a
fingerprint of Cpanel. So, what would be worth checking is whether
other problem mails you are getting have these. I bet they do, in
which case if my identification is right the culprit would appear to be
Cpanel.

Also note the list of hostnames you sent; quite a number of them do
indeed superficially sound like "web hosting"-type machines, which is
further circumstantial evidence that they are more likely than average
to have pre-configured "control panels" like Cpanel on them; here are a
few examples you gave:

209.63.57.146 box6.bluehost.com (Exim 4.43)
63.247.94.186 peace.janushosting.com (Exim 4.43)
12.164.27.82 server.netcastdaily.com (Exim 4.43)
69.72.197.26 server145.webdomainserver.com (Exim 4.43)
202.60.64.24 cp8.hostingshop.com.au (Exim 4.43)
69.72.128.18 server145.highprofilehosting.com (Exim 4.44)
69.72.225.186 bob.xstreamhost.com (Exim 4.50)


Tim


tymes10 at gmail

Jun 8, 2005, 9:55 AM

Post #9 of 24 (541 views)
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

> i suspect the behaviour you are observing is coming from hosts that
> have ignore_bounce_errors set to anything not zero, and have

Well, an "ignore_bounce_errors" set true should be enough then...
there isn't a need for any cron jobs or anything to thaw as it would
never get frozen and retrying is normal.

So much for Exim "never" doing this, but this seems like it must be a
common misconfiguration.


> configuration issue (the word "error" was not used on purpose), and
> has nothing to do with exim, except for exim providing a(nother) rope
> one can hang thyself on, if one so wishes.
>
> nothing is wrong here.

On your server perhaps, but my limited experience here with Exim isn't
favorable. That is one exceptionally long rope and a lot of servers
seem to be hanging themselves.

I'm glad there isn't a "ignore_bounce_success" option -- that would be
equally as useful. After getting two dozen user unknown responses,
people everywhere would know never to misspell email addresses or send
messages to full mailboxes.

I hope people here will excuse me if I think Exim is stupid for having
such an option.


tom at duncanthrax

Jun 8, 2005, 10:02 AM

Post #10 of 24 (541 views)
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

Tony Marques wrote:

> I hope people here will excuse me if I think Exim is stupid for having
> such an option.

No. Is UNIX stupid for giving you the 'rm -f /etc/passwd' option?

Exim is for people who can read documentation. And now please buzz off
and contact the admins of the problem hosts/cpanel/whatever.

/tom


twilde at dyndns

Jun 8, 2005, 10:12 AM

Post #11 of 24 (540 views)
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

On Wed, 8 Jun 2005, Tony Marques wrote:

> I hope people here will excuse me if I think Exim is stupid for having
> such an option.

It isn't ignore_bounce_errors_after that's a problem, it's a combination
of ignore_bounce_errors_after and auto_thaw. As others have pointed out,
this is a problem with the way these servers are being configured, not
with Exim itself. The default options (auto_thaw of 0s and
ignore_bounce_errors_after of 10w) are perfectly sane, and will result in
exactly one retry, 10 weeks later, not constant retries.

These are both very sensible options to have, the only problem is someone
configuring them incorrectly, and possibly setting it as a default in a
product that includes Exim. You need to complain to the server admins
and/or whomever is distributing exim configured this way by default, not
here.

Tim Wilde

--
Tim Wilde
twilde [at] dyndns
Systems Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/


lists at timj

Jun 8, 2005, 10:14 AM

Post #12 of 24 (543 views)
Permalink
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

On Wed, 8 Jun 2005 09:55:31 -0700
Tony Marques <tymes10 [at] gmail> wrote:

> > i suspect the behaviour you are observing is coming from hosts that
> > have ignore_bounce_errors set to anything not zero, and have
>
> Well, an "ignore_bounce_errors" set true should be enough then...
> there isn't a need for any cron jobs or anything to thaw as it would
> never get frozen and retrying is normal.

I should point out that I think Tamasz was referring to
ignore_bounce_errors_after, which doesn't do quite what it sounds like,
and certainly doesn't cause incessant retries. From the manual:

"After a permanent delivery failure, bounce messages are frozen, because
there is no sender to whom they can be returned. When a frozen bounce
message has been on the queue for more than the given time, it is
unfrozen at the next queue run, and a further delivery is attempted. If
delivery fails again, the bounce message is discarded. This makes it
possible to keep failed bounce messages around for a shorter time than
the normal maximum retry time for frozen messages."

FWIW, this option is set to 2 days by default.

So ignore_bounce_errors_after set to non-zero will cause *one*
additional bounce retry, approximately 2 days after the first rejection,
and then discard the bounce. This is not an unreasonable option for
Exim to have, since a well configured system very rarely generates
bounces anyway (at least not to external users; and internal mail is a
matter of policy), and it is possible that someone misses a bounce
because their mailbox is full or something. (The systems you are
fighting with are not well-configured if they are generating bounces
because they don't like the attachment name or whatever; again, this is
not Exim default behaviour)

A more problematic option is likely to be auto_thaw; this *will* cause
repeated retries of rejected bounces.

FWIW, you are not the only one suffering from brain-dead hosts like
this. Just this morning I was browsing some logs and found some
incessant retries from an Exim server like you describe. They too
carried the X-AntiAbuse headers I was on about earlier, and now you
mention it, I do think I see this with a fair degree of frequency too.

Whilst you're right in saying that the presence of auto_thaw does give
users a long rope to hang themselves with, I wouldn't interpret the
presence of lots of machines doing this as "lots of users get it
wrong"; as I said in my post earlier today, I think it's far more
likely to be a poor choice that is imposed on users of a particular
packaging or configuration system.


Tim


tymes10 at gmail

Jun 8, 2005, 12:17 PM

Post #13 of 24 (540 views)
Permalink
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

On 6/8/05, Tim Wilde <twilde [at] dyndns> wrote:

>No. Is UNIX stupid for giving you the 'rm -f /etc/passwd' option?

It would be stupid if it had a "rm_etc_password" command which is what
I would compare "ignore_bounce_errors" to. I hope you notice the
distinction.


On 6/8/05, Tim Wilde <twilde [at] dyndns> wrote:
> On Wed, 8 Jun 2005, Tony Marques wrote:
>
> > I hope people here will excuse me if I think Exim is stupid for having
> > such an option.
>
> It isn't ignore_bounce_errors_after that's a problem, it's a combination
> of ignore_bounce_errors_after and auto_thaw. As others have pointed out,
> this is a problem with the way these servers are being configured, not
> with Exim itself. The default options (auto_thaw of 0s and
> ignore_bounce_errors_after of 10w) are perfectly sane, and will result in
> exactly one retry, 10 weeks later, not constant retries.

Hah, there isn't a "ignore_bounce_errors" command (either my misread
or a result of a "typo/quick typing"), there is a
"ignore_bounce_errors_after" command. That makes all the difference
in the world, and I can finally see more of a reason for such an
option.

Yet, wouldn't you only just need an "auto_thaw" of 10w to do what you
described? You still wouldn't need a "ignore_bounce_errors_after".
Also wouldn't both your example and my example both result in one
retry every 10w, repeatedly? What other option determines a bounce's
life?

Of course this is the first time I've encountered any of these options
and I'm not familiar with their behaviors. I'm just reading them
literally and imagining what they describe.

In the case where a server is sending bounces repeatedly every two
hours wouldn't "auto_thaw 2h" be enough to do it? On the other hand
an "ignore_bounce_errors_after 0" result it in retrying as if it
encountered a 45x error and perhaps also retry every two hours? --
strike that... I've just read the message about i_b_e_after option
deleting after one additional retry. We're left with auto_thaw alone.


> These are both very sensible options to have, the only problem is someone
> configuring them incorrectly, and possibly setting it as a default in a
> product that includes Exim. You need to complain to the server admins
> and/or whomever is distributing exim configured this way by default, not
> here.

Well, that would be entirely reasonable if 45x errors didn't exist.
As it is, they are questionable at best.


> Tim Wilde

Thanks Tim. Things are a little more sensible now.
"ignore_bounce_errors" wasn't sensible.


> Tim Jackson wrote 10:14 am
>
> So ignore_bounce_errors_after set to non-zero will cause *one*
> additional bounce retry, approximately 2 days after the first rejection,

Ah, even more sense!

"ignore_bounce_errors_after" causing at most one additional bounce is
entirely sensible -- anything that eventually discards a bounce is
fine.

> Exim to have, since a well configured system very rarely generates
> bounces anyway (at least not to external users; and internal mail is a

Yes, that is one of the reasons why I thought if this was a bug, could
explain why it would go unnoticed.

> A more problematic option is likely to be auto_thaw; this *will* cause
> repeated retries of rejected bounces.

That is likely what I've been describing.

Now why would you need an auto_thaw if there is an i_b_e_after.
Perhaps auto_thaw should not apply to frozen bounce messages, would
that be what i_b_e_after be for?


> Tim Wilde

Again, thanks Tim. Things are even more sensible now. auto_thaw all
messages is bad.


tymes10 at gmail

Jun 8, 2005, 12:37 PM

Post #14 of 24 (540 views)
Permalink
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

On 6/8/05, Tim Jackson <lists [at] timj> wrote:
> On Tue, 7 Jun 2005 19:27:08 -0700
> Tony Marques <tymes10 [at] gmail> wrote:
>
> > An Exim server should only try to send two messages after which it
> > should stop -- freezing (or whatever) the first message and the
> > generated bounce.
>
> As others have said, I've never seen Exim exhibit bad behaviour like
> you're describing. Exim definitely doesn't keep retrying after 5xx
> errors. Whilst there's always the possibility of a bug, I'm pretty sure
> it would have been picked up by now considering the huge deployment and
> long history of Exim.

People on this list, people that know how to configure Exim and
rewrite and recompile Exim, probably don't have this
"ignore_bounce_errors" parameter set and probably aren't operating
open relays or doing any number of other bad things. Unfortunately,
it seems this isn't a bug that can be fixed -- it's humans, we should
get rid of them all.


> However, can I point out an alternative suggestion. Exim is
> incorporated into at least one (and probably more) "control panel"
> products (Cpanel), where at least some parts of the system are pre-

Yeah, I considered as much.


> There are two things I would note about this:
>
> a) This seems more likely given that you are complaining about bogus
> virus bounces and similar (which are indeed a PITA - see
> http://www.timj.co.uk/linux/bogus-virus-warnings.cf ). Well-configured
> Exim machines don't spew crap like this out. And "well-configured" in

Well, I can imagine situations where a user with a full mail box
receives a legitimate notification or a list message which they can't
reply to that would initiate this behavior. If they were on a
misconfigured server, it would try to send bounces repeatedly
despite being told not to with 55x errors. Nothing bogus.

I too was forced to incorporate bogus filters years ago. Errors we
intercept that seem to be virus related get "550 We couldn't have sent
the virus" responses (I only wish server/filter software everywhere
used MAIL FROM <> and "Content-Type:
multipart/report...report-type=delivery-status headers" exclusively).
This filter is one of the reasons why I was able to find all these
Exim examples. If you have a comparable filter you too may be able to
find your own examples, but you 55x them and may not keep them so you
wouldn't see this -- you have a properly configured Exim and you
reject examples.

Other people may see 20 rejected messages and assume that it wasn't
the server that sent 20 rejections, but that the virus sent them 20
viruses causing those 20 messages. Other people have servers that
accept all messages either normally or through a backup-mx that will
try to forward it to the main server so there is only one bounce from
the Exim server and everything works according to spec. Most of the
time there are no bounces or there are bounces to legitimate
addresses. I can easily imagine this problem going unnoticed for a
long time.

Last month with Sober.P and a server that exploded the 52 RCPT TO so
it sent out 52 responses, I found myself very annoyed. I could have
used that server and the email address I found to mailbomb all my
enemies.


> b) More pertinently, the example you cited in an earlier mail did
> indeed exhibit signs of being a "pre-configured" machine. Here goes

Yes, but I mainly used bob.xstreamhost.com as an example because it
was recent, and because it had the latest version of Exim I found. I
wouldn't want to be here complaining about Exim 3.34 -- even fewer
people would take this seriously.

In the list, 3 of the 20 machines didn't have X-AntiAbuse headers so
this may be the fault of Cpanel or a similar control panel or plug in.


I can certainly blame control panels and server operators. It isn't
Microsoft's fault if nobody knows how to configure Windows securely.


Thanks everyone for helping me try to get to the bottom of this. It
may not be a bug, but it does seem to be stupid, and from my
experience it is not uncommon and it doesn't reflect well on Exim.


tom at duncanthrax

Jun 8, 2005, 12:52 PM

Post #15 of 24 (541 views)
Permalink
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

Tony Marques wrote:

>>No. Is UNIX stupid for giving you the 'rm -f /etc/passwd' option?
>
>
> It would be stupid if it had a "rm_etc_password" command which is what
> I would compare "ignore_bounce_errors" to.

Neither is stupid. The first one is redundant though. But I rest my case
now.

/tom


tymes10 at gmail

Jun 8, 2005, 1:27 PM

Post #16 of 24 (540 views)
Permalink
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

On 6/8/05, Tim Wilde <twilde [at] dyndns> wrote:
>[. Replying off-list because this is probably off-topic for exim-dev
> at this point ]
>
> auto_thaw deals with more than just bounces. Failed bounces are only one
> thing that can be frozen in Exim and need to be subsequently thawed. If
> some other factor is causing messages to become frozen, it might be
> desirable to auto thaw it, though I don't use that option personally.

> Yes, pretty much regardless of the ignore_bounce_errors_after setting, an
> auto_thaw of 2 hours would probably cause the behavior you're seeing.

At this point I would like to suggest that

a) auto_thaw shouldn't apply to bounces

or that

b) auto_thaw should mandate ignore_bounce_errors_after be evaluated at
the same time (but first) and work as designed (deleting the bounce
after a second failure) -- (so auto_thaw 2h should imply
ignore_bounce_errors_after 2h).

That suggestion should be on topic?

The multi-bounce situation may not be a bug, but perhaps it can be fixed?


Actually, I'm pretty much about done here. We've found that Exim can
easily do this with an auto_thaw parameter set (nothing to do with
ignore_bounce_errors_after, which if it was also used would actually
fix this problem). -- no cron jobs or anything else as complicated or
calculated needed.

I would like to thank both Tims for the insight and the patience.
Actually, I would like to thank everyone for the patience and the
help.

I hope some of you see this as an actual problem despite being obscure
(and not uncommon), and consider either of my suggestions above or
develop one of your own to help curb all those humans out there. Like
I said, it certainly doesn't reflect well on Exim.

auto_thaw and bounces don't mix, as presumably that is what
ignore_bounce_errors_after is for.


Signed.


ph10 at cus

Jun 9, 2005, 1:41 AM

Post #17 of 24 (540 views)
Permalink
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

On Wed, 8 Jun 2005, Tony Marques wrote:

> At this point I would like to suggest that
>
> a) auto_thaw shouldn't apply to bounces

I have researched the history of auto_thaw. It was added to Exim at
release 0.43, a _very_ long time ago. Unfortunately, the ChangeLog does
not record why it was added; I expect somebody asked for it, because I
rarely add features for any other reason. I think I assumed it would be
an option that was very rarely used, and only in exceptional
circumstances. The documentation does say that it is a way of saying
"keep on trying, even though there are big problems".

Back in those days, frozen bounces were not nearly such a big issue as
they are today. Also, Exim did a lot more freezing for other reasons,
such as errors in its configuration detected at run time (e.g.
non-existent files or whatever) - I was really cautious when I first
wrote it. Over the years, the reasons for freezing other than failed
bounces have more or less been eliminated. Nowadays, Exim mostly just
defers delivery for those kinds of problem.

In other words: Times have Changed.

In retrospect, the documentation for auto_thaw is not nearly strong
enough in warning of its dangers. I have made a note to add something to
the next edition.

auto_thaw pre-dates ignore_bounce_errors_after (0.53, but called
ignore_errmsg_errors at that time) and timeout_frozen_after (3.20). I
probably erred in not considering the general effect of all these
options. That's the trouble with updating software. It is easy to add
new features without realizing all the ramifications of their
interactions with everything else.

Your suggestion of making auto_thaw not apply to bounces is an
interesting one, and given that we now have ignore_bounce_errors_after,
it makes a lot of sense (and gets back to the original kinds of
reasoning for the existence of auto_thaw). I am strongly tempted to
implement it. What do other people think?

> or that
>
> b) auto_thaw should mandate ignore_bounce_errors_after be evaluated at
> the same time (but first) and work as designed (deleting the bounce
> after a second failure) -- (so auto_thaw 2h should imply
> ignore_bounce_errors_after 2h).

Simply because of the way things are implemented, I don't think this
would be all that easy to do (though I have not looked at the code),
other than by simply forcing a setting of ignore_bounce_errors when
auto_thaw is set (to be <= auto_thaw). I don't think I like this because
it mixes the two things up.

> That suggestion should be on topic?

Yes. Good suggestion.

> The multi-bounce situation may not be a bug, but perhaps it can be fixed?

Indeed, if it is happening a lot (and it seems that it is), it would be
helpful to try to stop people falling into the trap too easily.

> auto_thaw and bounces don't mix, as presumably that is what
> ignore_bounce_errors_after is for.

Quite. I should have realized this some years ago!

Philip

--
Philip Hazel University of Cambridge Computing Service,
ph10 [at] cus Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book
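
The option interaction discussed in this thread, as an added example that is not part of any post and is not Exim's code: a simplified model of one frozen bounce whose destination always answers 5xx, counting how often the receiving server is contacted. The names `QueueConfig`, `simulate_frozen_bounce` and `auto_thaw_applies_to_bounces` are hypothetical, the 30-minute queue run interval is an assumption, and only auto_thaw and ignore_bounce_errors_after are modelled, following the descriptions quoted in the thread.

```python
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class QueueConfig:
    queue_run_interval: int          # seconds between queue runner passes (assumed)
    auto_thaw: int                   # seconds; 0 means auto_thaw is not set
    ignore_bounce_errors_after: int  # seconds; age that triggers the final attempt
    # False models suggestion (a) from the thread: auto_thaw skips bounces.
    auto_thaw_applies_to_bounces: bool = True


def simulate_frozen_bounce(cfg, horizon):
    """Return the times, in seconds after the first 5xx rejection, at which the
    bounce is offered to the remote server again.

    Model: the bounce is rejected with a permanent error at t=0 and frozen.
    Every later delivery attempt is rejected as well.
    """
    attempts = []
    frozen_since = 0
    t = cfg.queue_run_interval
    while t <= horizon:
        # Manual text quoted in the thread: once the frozen bounce has been on
        # the queue for more than the given time, it is unfrozen at the next
        # queue run, tried once more, and discarded if that fails.
        if t > cfg.ignore_bounce_errors_after:
            attempts.append(t)
            return attempts
        # auto_thaw as described in the thread: thaw after the interval, try
        # again, and refreeze on the next permanent failure.
        if (cfg.auto_thaw > 0
                and cfg.auto_thaw_applies_to_bounces
                and t - frozen_since >= cfg.auto_thaw):
            attempts.append(t)
            frozen_since = t
        t += cfg.queue_run_interval
    return attempts


# Constructed scenarios, using values mentioned in the thread.
SCENARIOS = {
    "auto_thaw 0s, ignore_bounce_errors_after 10w":
        (QueueConfig(30 * 60, 0, 70 * DAY), 84 * DAY),
    "auto_thaw 2h, ignore_bounce_errors_after 2d":
        (QueueConfig(30 * 60, 2 * HOUR, 2 * DAY), 7 * DAY),
    "auto_thaw 2h not applied to bounces, ignore_bounce_errors_after 2d":
        (QueueConfig(30 * 60, 2 * HOUR, 2 * DAY, False), 7 * DAY),
}


if __name__ == "__main__":
    for name, (cfg, horizon) in SCENARIOS.items():
        times = simulate_frozen_bounce(cfg, horizon)
        last = times[-1] / DAY if times else 0.0
        print(f"{name}: {len(times)} further attempt(s), "
              f"last one {last:.2f} days after the first rejection")
```

In this model the second scenario reproduces the pattern from the first post, a retry every two hours for about two days, and the third shows the same host making a single further attempt once auto_thaw no longer touches bounces.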


dot at dotat

Jun 9, 2005, 2:16 AM

Post #18 of 24 (540 views)
Permalink
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

I've always wondered why Exim freezes double bounces, rather than sending
them to postmaster (which is what Sendmail and Postfix do).

Tony.
--
<fanf [at] exim> <dot [at] dotat> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}


ph10 at cus

Jun 9, 2005, 4:57 AM

Post #19 of 24 (540 views)
Permalink
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

On Thu, 9 Jun 2005, Tony Finch wrote:

> I've always wondered why Exim freezes double bounces, rather than sending
> them to postmaster (which is what Sendmail and Postfix do).

Well, I was thinking of myself as postmaster, and I sure as heck didn't
want them in my mailbox! And certainly not interrupting me. I rather
wanted them left on the queue so that I could either manually remove
them, or get whatever the problem was fixed when I looked at them at a
time of my own choosing. (Remember, this was 10 years ago, when we
didn't have the current forgery plague.) The freeze_tell option was
invented for those postmasters who wanted to know the instant a message
was frozen.

--
Philip Hazel University of Cambridge Computing Service,
ph10 [at] cus Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book


dot at dotat

Jun 9, 2005, 5:40 AM

Post #20 of 24 (540 views)
Permalink
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

On Thu, 9 Jun 2005, Philip Hazel wrote:
> On Thu, 9 Jun 2005, Tony Finch wrote:
>
> > I've always wondered why Exim freezes double bounces, rather than sending
> > them to postmaster (which is what Sendmail and Postfix do).
>
> Well, I was thinking of myself as postmaster, and I sure as heck didn't
> want them in my mailbox! And certainly not interrupting me.

Was this before or after the introduction of filtering?

> The freeze_tell option was invented for those postmasters who wanted to
> know the instant a message was frozen.

Though that's even more baffling because it specifically excludes double
bounces!

Most Exim postmasters completely ignore double bounces (cf. the default
configuration) which is less than ideal. However it would require some
extra work to deal with them reasonably automatically (we get over a
thousand each day).

Tony.
--
<fanf [at] exim> <dot [at] dotat> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}


ph10 at cus

Jun 9, 2005, 6:08 AM

Post #21 of 24 (540 views)
Permalink
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

On Thu, 9 Jun 2005, Tony Finch wrote:

> > Well, I was thinking of myself as postmaster, and I sure as heck didn't
> > want them in my mailbox! And certainly not interrupting me.
>
> Was this before or after the introduction of filtering?

Must have been before, because it must have been handled right from the
start, and filters only came in after Piete took a look at Exim and
suggested them. Ah yes, I see that filtering was added at release 0.43.

> > The freeze_tell option was invented for those postmasters who wanted to
> > know the instant a message was frozen.
>
> Though that's even more baffling because it specifically excludes double
> bounces!

So it does. I never said I was consistent. :-)

--
Philip Hazel University of Cambridge Computing Service,
ph10 [at] cus Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book


exim at lists

Jun 9, 2005, 7:11 AM

Post #22 of 24 (542 views)
Permalink
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

On Thu, Jun 09, 2005 at 10:16:30AM +0100, Tony Finch wrote:
> I've always wondered why Exim freezes double bounces, rather than sending
> them to postmaster (which is what Sendmail and Postfix do).

One of the things that I find useful about this behaviour is that with them
still on the queue, I can adjust recipients, and fiddle with the queue file
normally with the -Mxx options to make things work, and then unfreeze and
deliver them, or delete them.

This is marginally more painful with them going to postmaster.

Cheers

MBM

--
Matthew Byng-Maddick <mbm [at] colondot> http://colondot.net/
(Please use this address to reply)


jwblist at olympus

Jun 9, 2005, 9:42 AM

Post #23 of 24 (542 views)
Permalink
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

On 6/9/05 1:41 AM, "Philip Hazel" <ph10 [at] cus> wrote:

> Your suggestion of making auto_thaw not apply to bounces is an
> interesting one, and given that we now have ignore_bounce_errors_after,
> it makes a lot of sense (and gets back to the original kinds of
> reasoning for the existence of auto_thaw). I am strongly tempted to
> implement it. What do other people think?

Good change, I think.

(But then, our config file is such that it won't make any difference, so
that's easy to say.)

--John


kjetilho at ifi

Jun 20, 2005, 12:33 AM

Post #24 of 24 (541 views)
Permalink
Re: Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing [In reply to]

On Tue, 2005-06-07 at 11:30 -0700, John W. Baxter wrote:
> On 6/7/05 10:40 AM, "Tony Marques" <tymes10 [at] gmail> wrote:
> > A virus spoofing my domain will send an Exim server a message which
> > will initially accept the message but later tries to bounce the
> > message because it finds the illicit .scr/.pif/.exe attachment, the
> > mailbox is full, no such user or some other problem. So now the Exim
> > server generates and sends a bounce to my server which detects the
> > illicit attachment or forgery and responds with either a
>
> It's more an error in configuration. These days, sending back an entire
> message in a bounce is most unfriendly, since it's so likely to distribute a
> virus to an innocent third party. We cut off our bounce messages at--I
> think--10K. Newer Exims (I forget the transition point) can also be
> configured not to return the body at all).

a bit belated response, but I need to object to this assertion. if you
don't have virus scanning to stop yourself from sending out these worms,
please send the virii intact so that _our_ virus scanner will be able to
recognise and discard them. at least Sophos consider 10K snippets of
virii generally benign -- they can no longer reproduce. they're still
an annoyance to our users, though.

(yes, we're using bogus-warning.cf, and it helps a lot.)
--
Kjetil T.
