
Mailing List Archive: Qmail: users

Large amount of bounces

 

 



jodie.puah at gmail

May 4, 2009, 9:42 PM

Post #1 of 8 (2012 views)
Large amount of bounces

Dear all,

This morning, my mail server was suddenly flooded by a lot of bounces.

It seems like someone was sending tons of email elsewhere with an email
address of my domain, in this case root [at] mydomain, and all these senders he
was sending to were invalid or weird email addresses.

It flooded my queue with all these bounces and it is driving me crazy. I
can't delete all the emails in the queue since there are "real" emails in the
queue.

I tried to install qmail-remove and remove those emails, but these bounces
just keep coming in. What else can I do?

Please advise. I am using qmailrocks.
--
View this message in context: http://www.nabble.com/Large-amount-of-bounces-tp23380933p23380933.html
Sent from the cr.yp.to - qmail mailing list archive at Nabble.com.


lists-qmail at maexotic

May 4, 2009, 11:14 PM

Post #2 of 8 (1919 views)
Re: Large amount of bounces [In reply to]

On Mon, May 04, 2009 at 09:42:51PM -0700, Jodizzz wrote:
> I tried to install qmail-remove and remove those emails, but these bounces
> just keeps coming in. what else can I do?

This is called backscatter.

> Please advise. I am using qmailrocks.

I don't know about qmailrocks.
I use patches to qmail-smtpd that enable badrcptto and badrcpttopatterns
control files.
Ask the search engine of your choice for
qmail badrcptto
and/or
qmail badrcptto patterns

With these you add e.g. root [at] domai to the badrcptto control file and
like with badmailfrom qmail-smtpd rejects messages to those users.
From my experience these backscatter always come in waves and they are
using about 5-10 different email addresses in their joe jobs whose result
is the backscatter.
If you are not using numbers in the localpart of email addresses
*[0-9]*@*
is a good pattern to always block.

\Maex

--
Markus Stumpf


jodie.puah at gmail

May 5, 2009, 3:33 AM

Post #3 of 8 (1914 views)
Re: Large amount of bounces [In reply to]

Hi,

I managed to remove those emails and now the server is back to normal.

I just realised it wasn't backscatter. Instead, someone is sending email to
an invalid email in my domain, such as root [at] mail, which I find
strange:

1) mail.mydomain.com is the name of my server, but it does not have any MX
pointing to mail.mydomain.com. It only has an MX pointing to mydomain.com. So
why am I still receiving these emails?

2) I am worried this is going to happen again, so I want to block the
sender server's IP address. But weirdly, I can't find the server IP address in
the header of the spam email. The header is as such:

Return-Path: <root [at] mail>
Delivered-To: @mail.mydomain.com
Received: (qmail 25013 invoked by uid 0); 5 May 2009 05:29:19 +0800
Date: 5 May 2009 05:29:19 +0800
Message-ID: <20090504212919.25012.qmail [at] mail>
content-type: text/html
Subject: Surge primeira amea<E7>a do v<ED>rus (gripe) no Brasil!
From: msaudebrasil.com [at] mail
To: "^@g^@v^@g^@p^@"@"^@i^@g^@"."^@c^@o^@m^@"."^@b^@r^@^@"

Now I am worried I might have caught some virus or been hacked. Possible?







lists-qmail at maexotic

May 5, 2009, 4:56 AM

Post #4 of 8 (1927 views)
Re: Large amount of bounces [In reply to]

It would be a LOT easier to help, if you wouldn't obfuscate the real
domain and server names by abusing a domain that you don't even own:
Domain Name: MYDOMAIN.COM
Registrant:
Dotster Inc.
8100 NE Parkway DR
Suite 300
Vancouver, WA 98662
US
If you think you must hide your domain then at least use "example.com",
which is allocated exactly for that reason.

The emails are injected locally. Looking at your qmail-smtpd and
qmail-send logs would have told you that.
As for the origin I'd bet you have some webserver or other service running
on that and that is abused to inject the spam (cms, free wiki, formmail.cgi,
...).

And no, nobody is sending mail TO root at that domain.
Return-Path: <root [at] mail>
Received: (qmail 25013 invoked by uid 0); 5 May 2009 05:29:19 +0800
Delivered-To: @mail.mydomain.com
The local mail program (sendmail, qmail-inject) is invoked by the user
root (or at least with root permissions). You can see that from the fact
that qmail is "invoked by uid 0". This is why the Return-Path is set to
root [at] _hostname and this is why "root" gets all the bounces (oh, and the
Delivered-To line looks really strange, too, so if you haven't tried to
obfuscate it, too, by deleting the local part, you might also have some
configuration issues).

\Maex
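The distinction Markus draws above (a Received: header reading "invoked by uid 0" means qmail-inject was run locally as root, whereas mail that arrived over SMTP carries the peer's address) can be checked mechanically across a queue of suspect messages. The following is an added example written for this page, not code from the thread or from qmail: it classifies each Received: header of a message and flags local root injection. The "invoked by alias" and "invoked from network" / "from ... (HELO ...) (ip)" forms, the regexes, and every header except the one Received: line quoted in the thread are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The "invoked by uid N" form is the one quoted in the thread for mail handed
# to qmail-inject; the alias and network forms are this example's assumptions
# about qmail's other Received: styles.
LOCAL_RE = re.compile(r"\(qmail \d+ invoked by uid (\d+)\)")
ALIAS_RE = re.compile(r"\(qmail \d+ invoked by alias\)")
NETWORK_RE = re.compile(r"\(qmail \d+ invoked from network\)")
SMTPD_RE = re.compile(r"^Received: from \S+ \(HELO [^)]*\) \(([^)]+)\)", re.M | re.I)


@dataclass
class Origin:
    path: str            # "local", "alias", "network" or "unknown"
    uid: Optional[int]   # uid that ran qmail-inject (local injection only)
    ip: Optional[str]    # peer address recorded by qmail-smtpd (network only)


def classify_received(header: str) -> Origin:
    """Classify one (possibly folded) Received: header by injection path."""
    m = LOCAL_RE.search(header)
    if m:
        return Origin("local", int(m.group(1)), None)
    if ALIAS_RE.search(header):
        return Origin("alias", None, None)
    m = SMTPD_RE.search(header)
    if m:
        # Assumed: qmail-smtpd writes "(ident@ip)" when remote info is known, else "(ip)"
        return Origin("network", None, m.group(1).split("@")[-1])
    if NETWORK_RE.search(header):
        return Origin("network", None, None)
    return Origin("unknown", None, None)


def unfold(raw: str) -> List[str]:
    """Join RFC 822 continuation lines (leading SP/TAB) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += "\n" + line
        else:
            lines.append(line)
    return lines


def triage(raw_headers: str) -> dict:
    """Summarise how a message entered this queue from its header block."""
    hops = [classify_received(h) for h in unfold(raw_headers)
            if h.lower().startswith("received:")]
    # Each MTA prepends its own Received:, so the topmost one is the entry hop.
    entry = hops[0] if hops else Origin("unknown", None, None)
    ip = entry.ip
    if entry.path == "network" and ip is None and len(hops) > 1:
        # Assumed layout: qmail-smtpd's "from ... (ip)" line sits directly
        # under its "invoked from network" line, describing the same hop.
        ip = hops[1].ip
    return {
        "entry_path": entry.path,
        "entry_uid": entry.uid,
        "entry_ip": ip,
        "root_injected": entry.path == "local" and entry.uid == 0,
        "hops": len(hops),
    }


# The Received: line in the first block is the one quoted in the thread; the
# other headers and the whole second message are constructed for this example.
LOCALLY_INJECTED = """\
Return-Path: <root@mail.example.com>
Delivered-To: postmaster@mail.example.com
Received: (qmail 25013 invoked by uid 0); 5 May 2009 05:29:19 +0800
Date: 5 May 2009 05:29:19 +0800
Subject: constructed sample
"""

NETWORK_DELIVERED = """\
Return-Path: <sender@example.org>
Received: (qmail 4711 invoked from network); 5 May 2009 06:10:02 +0800
Received: from unknown (HELO relay.example.org) (192.0.2.25)
  by mail.example.com with SMTP; 5 May 2009 06:10:02 +0800
Subject: constructed sample
"""

if __name__ == "__main__":
    for name, msg in (("local", LOCALLY_INJECTED), ("network", NETWORK_DELIVERED)):
        print(name, triage(msg))
```

Run over the headers of every message in the queue, a "root_injected" hit points at a process on the box itself rather than at any remote IP, which is why the qmail-smtpd log will show nothing and why the web server and other locally running services are the place to look.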


jodie.puah at gmail

May 5, 2009, 5:04 AM

Post #5 of 8 (1917 views)
RE: Large amount of bounces [In reply to]

Hi,

Sorry about "Mydomain.com"; I didn't know I was to use "example.com".

No, the Delivered-To is that strange; I didn't change that except the domain.

Now I am anxious. I will check on my mail server instantly. Thanks all for
the help.




julien at nura

May 5, 2009, 6:06 AM

Post #6 of 8 (1924 views)
Re: Large amount of bounces [In reply to]

On Tuesday, 05 May 2009 at 03:33 -0700, Jodizzz wrote:
> Hi,
>
> I managed to remove those emails and now the server is back to norm.
>
> I just realised it wasn't backscatter. Instead someone is sending email to
> an invalid email in my domain, such as root [at] mail Which I find
> strange
>
> 1) mail.mydomain.com is the name of my server, but it does not have any MX
> pointing for mail.mydomain.com. It only has MX pointing for mydomain.com. So
> why am I still receiving these emails.

I think other SMTP servers can use the A DNS record to deliver mail if there
is no MX record. But for your example, the mail does not come from the network.

Julien


mducharme at cybergeneration

May 5, 2009, 7:33 AM

Post #7 of 8 (1919 views)
RE: Large amount of bounces [In reply to]

> -----Original Message-----
> From: Jodizzz [mailto:jodie.puah [at] gmail]
> Sent: 5 May 2009 06:33
> To: qmail [at] list
> Subject: Re: Large amount of bounces
>
>
> Hi,
>
> I managed to remove those emails and now the server is back to norm.
>

Good :)

> I just realised it wasn't backscatter. Instead someone is sending email to
> an invalid email in my domain, such as root [at] mail Which I
> find
> strange
>
> 1) mail.mydomain.com is the name of my server, but it does not have any MX
> pointing for mail.mydomain.com. It only has MX pointing for mydomain.com.
> So
> why am I still receiving these emails.


An SMTP server will use the A record and connect to its TCP port 25 if there
is no MX record; see http://www.ietf.org/rfc/rfc2821.txt, section
5, "Address Resolution and Mail Handling":

" If no MX records are found, but an A RR is found, the A RR is treated as
if it was associated with an implicit MX RR, with a preference of 0,
pointing to that host."


>
> 2) . But I am worried this is going to happen again. So I want to block
> the
> sender server ip address. But weirdly, I can't find the server IP address
> in
> header of the spam email. header as such.
>
> Return-Path: <root [at] mail>
> Delivered-To: @mail.mydomain.com
> Received: (qmail 25013 invoked by uid 0); 5 May 2009 05:29:19 +0800
> Date: 5 May 2009 05:29:19 +0800
> Message-ID: <20090504212919.25012.qmail [at] mail>
> content-type: text/html
> Subject: Surge primeira amea<E7>a do v<ED>rus (gripe) no Brasil!
> From: msaudebrasil.com [at] mail
> To: "^@g^@v^@g^@p^@"@"^@i^@g^@"."^@c^@o^@m^@"."^@b^@r^@^@"
>
> Now I am worried I might have caught some virus or being hacked? Possible?
>

There is no From: line; it looks like the emails are generated locally by
another program running as root. Are there any other services running on that
box (like HTTP)?

Maxime
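Julien's and Maxime's point about implicit MX handling, as an added example that is not code from the thread: a small resolver-logic function over constructed DNS data that applies the RFC 2821 section 5 rule quoted above, MX records by preference, else the domain's own A record as an implicit preference-0 MX, else undeliverable. The zone contents are constructed for the example; a real sender would obtain them from DNS, and the ordering of equal-preference exchangers here is deterministic rather than random.

```python
from typing import Dict, List, Tuple

# Constructed DNS data standing in for real lookups: name -> record sets.
ZONE: Dict[str, Dict[str, list]] = {
    "example.com":         {"MX": [(20, "mx2.example.com"), (10, "mx1.example.com")],
                            "A": ["192.0.2.1"]},
    "mail.example.com":    {"A": ["192.0.2.1"]},    # host name only, no MX
    "mx1.example.com":     {"A": ["192.0.2.10"]},
    "mx2.example.com":     {"A": ["192.0.2.11"]},
    "nowhere.example.com": {},                       # neither MX nor A
}


def mail_exchangers(domain: str, zone=ZONE) -> List[Tuple[int, str]]:
    """Return (preference, host) pairs in the order a sender should try them.

    RFC 2821 section 5: use MX records, lowest preference first; if there are
    none but an A record exists, treat the domain itself as an implicit MX
    with preference 0; otherwise the address is undeliverable.
    """
    rrsets = zone.get(domain, {})
    mx = rrsets.get("MX", [])
    if mx:
        # The RFC says equal preferences are tried in random order; sorting
        # the tuple breaks ties by host name to keep this example deterministic.
        return sorted(mx)
    if rrsets.get("A"):
        return [(0, domain)]
    return []


def delivery_targets(domain: str, zone=ZONE) -> List[Tuple[int, str, str]]:
    """Expand the exchanger list to (preference, host, ip) connection targets."""
    targets: List[Tuple[int, str, str]] = []
    for pref, host in mail_exchangers(domain, zone):
        for ip in zone.get(host, {}).get("A", []):
            targets.append((pref, host, ip))
    return targets


if __name__ == "__main__":
    for d in ("example.com", "mail.example.com", "nowhere.example.com"):
        print(d, "->", delivery_targets(d) or "undeliverable (no MX, no A)")
```

The "mail.example.com" entry is the situation in the thread: a host name with an A record and no MX of its own is still a valid delivery target for any sender that follows the RFC, so the absence of an MX is no protection against mail addressed to user@hostname.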


amb-1166294724 at bradfords

May 10, 2009, 8:46 PM

Post #8 of 8 (1860 views)
Re: Large amount of bounces [In reply to]

Thus said Markus Stumpf on Tue, 05 May 2009 08:14:07 +0200:

> If you are not using numbers in the localpart of email addresses
> *[0-9]*@*
> is a good pattern to always block.

Beware, ezmlm uses numbers in the local part, so if the OP is running
ezmlm this won't work very well.

Andy
--
[-----------[system uptime]--------------------------------------------]
9:46pm up 1:10, 1 user, load average: 1.13, 1.25, 1.19
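Markus's badrcptto / badrcpttopatterns approach from Post #2 together with Andy's ezmlm caveat above, as an added example that is not code from the thread or from any qmail patch: it evaluates a recipient against a literal list and a glob pattern list, then dry-runs the patterns against known-good recipients so that a pattern like *[0-9]*@* can be caught before it rejects ezmlm's digit-bearing return addresses. The control-file syntax (one entry per line, @domain entries as in badmailfrom, shell-style globs via fnmatch), the file contents and the recipient addresses are this example's assumptions; the real patches' syntax is not described on the page.

```python
import fnmatch
from typing import Iterable, List, Optional

# Constructed control-file contents (assumed syntax, see lead-in).
BADRCPTTO = """\
# recipients that only ever receive joe-job backscatter
root@mail.example.com
@spamtrap.example.com
"""

BADRCPTTOPATTERNS = """\
*[0-9]*@*
"""


def parse_control(text: str) -> List[str]:
    """One entry per line, lower-cased; blank lines and # comments ignored."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def rejected_by(rcpt: str, exact: Iterable[str], patterns: Iterable[str]) -> Optional[str]:
    """Return the control entry that rejects RCPT TO:<rcpt>, or None to accept."""
    r = rcpt.strip().lower()
    domain = r.rsplit("@", 1)[-1] if "@" in r else ""
    for entry in exact:
        # literal address, or "@domain" meaning every address in that domain
        if entry == r or (entry.startswith("@") and entry == "@" + domain):
            return "badrcptto:" + entry
    for pat in patterns:
        if fnmatch.fnmatchcase(r, pat):   # shell-style glob; case already folded
            return "badrcpttopatterns:" + pat
    return None


def audit_patterns(known_good: Iterable[str], exact: Iterable[str],
                   patterns: Iterable[str]) -> List[str]:
    """Dry run: which legitimate recipients would the control files reject?"""
    return [a for a in known_good if rejected_by(a, exact, patterns)]


EXACT = parse_control(BADRCPTTO)
PATTERNS = parse_control(BADRCPTTOPATTERNS)

# Constructed recipients. The last two follow ezmlm's return-address style
# (list-return-<msgnum>-<sender>@host), which puts digits in the local part.
KNOWN_GOOD = [
    "jane@example.com",
    "postmaster@example.com",
    "list-return-1234-jane=example.org@lists.example.com",
    "list-return-1235-bob=example.net@lists.example.com",
]

if __name__ == "__main__":
    for rcpt in ("root@mail.example.com", "anything@spamtrap.example.com",
                 "gvgp123@example.com", "jane@example.com"):
        print(rcpt, "->", rejected_by(rcpt, EXACT, PATTERNS) or "accept")
    print("legitimate recipients the patterns would block:",
          audit_patterns(KNOWN_GOOD, EXACT, PATTERNS))
```

Feeding the audit a list of addresses harvested from the qmail-send log (or from the mailing-list configuration) before a pattern goes live turns Andy's warning into a repeatable check: if ezmlm bounce addresses show up in the result, the pattern is too broad for that host.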
