Re: [SLUG] strange returned mail

From: Matthew Rogers (matt@runithard.com)
Date: Tue Mar 11 2008 - 21:09:56 EST


I saw some of this and I set postfix to work with POSTGREY and block all
the meathead spammers.......

smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  reject_unauth_destination,
  reject_rbl_client zen.spamhaus.org,
  reject_rbl_client bl.spamcop.net,
  check_policy_service inet:127.0.0.1:60000

I also added an SPF record for all my domains in BIND.

ex:
    runithard.com. IN TXT "v=spf1 a mx ~all"

That way ALL mail is rejected UNLESS it was sent from this domain. I
think that would solve your issue.

--Matthew Rogers

Bob Stia wrote:
> On Tuesday 11 March 2008 12:12:11 am Paul M Foster wrote:
>
>> On Sun, Mar 09, 2008 at 09:41:31PM -0400, Bob Stia wrote:
>>
>>> Hello Sluggers,
>>>
>>> Am getting quite a few of these Failed Mail messages lately. Don't know
>>> what to make of it. I certainly didn't send it out. Anyone know what is
>>> happening here?
>>> -------------------------------------------------------------
>>> This is the mail system at host lbox.org.
>>>
>>> I'm sorry to have to inform you that your message could not
>>> be delivered to one or more recipients. It's attached below.
>>>
>>> For further assistance, please send mail to postmaster.
>>>
>>> If you do so, please include this problem report. You can
>>> delete your own text from the attached returned message.
>>>
>>> The mail system
>>>
>>> <zion@localhost.org> (expanded from <zion@localhost>): delivery
>>> temporarily suspended: connect to 127.0.0.1[127.0.0.1]: Connection
>>> refused unnamed
>>> Delivery report
>>> ---------------------------------------------------------------------
>>> And then there is an encapsulated message to a mailing list following
>>> it.
>>>
>> I'm not an expert, but here's my guess (without seeing the headers). It
>> looks like someone has spoofed your "From" address in sending an email
>> to lbox.org. I'm guessing that the "localhost" in this case is the
>> localhost of the receiving mail server. It looks like someone sent an
>> email to this mailserver, with zion@localhost as the "To" address.
>> Naturally, that didn't resolve, and the lbox mailserver bounced the
>> message to the presumed sender, you.
>>
>> As administrator of this and other lists, I see traffic like this quite a
>> lot, and they're generally just spoof bounces. In fact, I see so many of
>> them that I have procmail recipes in place that just shove them into a
>> folder so I don't actually have to look at them. Every month, a script
>> sweeps the oldest ones away, but newer ones stay for a while in case I
>> need to investigate something about them.
>>
>> Paul
>>
>
> Thanks Paul
>
> I guess that means not much can be done about it. I guess I will just have to
> put some kind of filter on it.
>
> Bob S
>
> -----------------------------------------------------------------------
> This list is provided as an unmoderated internet service by Networked
> Knowledge Systems (NKS). Views and opinions expressed in messages
> posted are those of the author and do not necessarily reflect the
> official policy or position of NKS or any of its employees.
>



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:21:06 EDT