On Mon, 23 Sep 2002, Toralf Lund wrote:
> I have mentioned this before, but...
>
> The mail queue on our main MX keeps filling up with entries of the form:
>
>
> 59m 3.4K 17tRfs-00vg6d-00 <> *** frozen ***
> users002@???
>
> Closer inspection shows that the corresponding message is a delivery
> failure report from some mail server. The messages are frozen because
> there is no such user here. I'm fairly sure that the original message did
> not originate on our network, i.e. someone outside our company must be
> faking the sender address.
>
> Questions:
> 1. Does anyone have any idea about how I can figure out where the
> failed messages actually come from?
/path/to/exim -Mvh 17tRfs-00vg6d-00
/path/to/exim -Mvb 17tRfs-00vg6d-00
will show you the headers and body (respectively) of this message. The
body _should_ contain the headers of the message which bounces.
> 2. Has anyone seen anything similar? Note that the address is always the
> same (users002@???)
Some spammer is probably forging this address in their junk.
> 3. Is there a simple way to block the error reports? (If all else fails;
> these messages themselves
Arrange for your MTA to reject "RCPT TO: <users002@???>".
Ideally, it should do this by default if that account is invalid.
> represent a problem as they fill up the spool area and also make it hard
> to spot real problems.)
There is an option to automatically drop undeliverable bounces.
>
> --
> Toralf Lund <toralf@???>
>
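Following up on the `-Mvb` advice in the reply above, here is an added example (not part of the original post) that pulls the embedded original headers out of a saved bounce body and lists the relay hops recorded in them. It assumes the bounce quotes the original headers as plain text starting with a `Return-path:` or `Received:` line; the sample body, host names, addresses and the function names are constructed for illustration.

```python
import re
from email.parser import HeaderParser

# Constructed sample of a bounce body as saved from `exim -Mvb <id>`.
SAMPLE_BODY = """\
This message was created automatically by mail delivery software.
A message that you sent could not be delivered:

  someone@remote.example: unknown user

------ This is a copy of the message, including all the headers. ------

Return-path: <users002@ours.example>
Received: from dialup-7.isp.example ([203.0.113.45] helo=mail.ours.example)
\tby mx.remote.example with smtp id 17tRfa-0001;
\tMon, 23 Sep 2002 09:12:01 +0200
Received: from mail.ours.example ([192.0.2.10])
\tby dialup-7.isp.example; Mon, 23 Sep 2002 09:11:58 +0200
From: users002@ours.example
Subject: constructed example
Message-ID: <constructed-1@dialup-7.isp.example>

body text
"""

HEADER_START = re.compile(r"^(Return-path|Received):", re.I | re.M)
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def embedded_headers(body):
    """Return the quoted original headers as a Message, or None if absent."""
    m = HEADER_START.search(body)
    if m is None:
        return None
    # The header block ends at the first blank line after it starts.
    block = body[m.start():].split("\n\n", 1)[0]
    return HeaderParser().parsestr(block)

def relay_hops(body):
    """List (ip, flattened Received header) tuples, most recent hop first."""
    hdrs = embedded_headers(body)
    if hdrs is None:
        return []
    hops = []
    for value in hdrs.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        ips = BRACKET_IP.findall(flat)
        hops.append((ips[0] if ips else None, flat))
    return hops

if __name__ == "__main__":
    # Only hop 0 was written by the server that generated the bounce;
    # lower Received lines arrived with the message and may be forged.
    for n, (ip, line) in enumerate(relay_hops(SAMPLE_BODY)):
        print(f"hop {n}: {ip}\n    {line}")
```
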