Re: [exim] Mail Looping

Author: Stephen Gran
Date:  
To: exim-users
Subject: Re: [exim] Mail Looping
On Sat, Sep 11, 2004 at 02:19:51PM +0200, Graham Dodd said:
> Hello exim-users,
>
> I would appreciate it if the exim experts can look at the enclosed
> snippet of logfile and help me figure out why we are stuck in a mail
> loop.
>
> What I have understood from the mail log
>
> User sent email to a number of addresses both local and remote,
> according to logfile all were either delivered or accepted for
> delivery (MsgId: 1C5eRC-0006Xb-UZ)
>
> A reject was received from the .cz postmaster and delivered locally
> (MsgId: 1C5eRq-0006Xx-BW)
>
> A connection is made from [194.78.218.254] to send the message to all
> addresses (MsgId: 1C5eTT-0006Y8-4m)
>
> Why did (and is still sending) skynet.be resend this message again?


Who knows? Stupid client?

> How is it sending this message again through me.


It's not - see below.

> I ran a relay test (www.abuse.net) which indicates that I do not relay
>
> Sorry for the long email, but this is the second time this has
> happened and last time we managed to take down 7 mail servers


Firewall the idiot if he keeps looping, and wait for someone to complain
- at least you'll know the culprit.

> thank you for any help / ideas
>
> Graham
>


I have done a little reblocking, so the mail flow is clearer.

> ----------- Logfile -------------------------------------------------
> 2004-09-10 07:59:11 1C5eRC-0006Xb-UZ <= s.ross@??? H=w0021f8.intranet.my-domain.de (falk7aae0v9cyy) [192.168.1.86]:1048 I=[10.7.18.1]:25 P=asmtp A=login:ross@??? S=2177 id=ACEELAIPDNEHIABIAAJBIEAFCOAA.s.ross@??? T="AW: BELL DELIVERY DATES" from <s.ross@???> for a.grabowski@??? neil7100@??? b.kutien@??? a.sponhauer@??? p.becker@??? didier@??? cs@??? p.golajewski@??? petsn.@tiger-team.cz


OK, here the email comes in from s.ross@??? on host
192.168.1.86, with several recipients.

> 2004-09-10 07:59:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1C5eRC-0006Xb-UZ
> 2004-09-10 07:59:11 SMTP connection from w0021f8.intranet.my-domain.de (falk7aae0v9cyy) [192.168.1.86]:1048 closed by QUIT
> 2004-09-10 07:59:12 1C5eRC-0006Xb-UZ => graboa_my-domain_de <a.grabowski@???> F=<s.ross@???> R=router_cyrus T=transport_cyrus S=2390
> 2004-09-10 07:59:12 1C5eRC-0006Xb-UZ => kutieb_my-domain_de <b.kutien@???> F=<s.ross@???> R=router_cyrus T=transport_cyrus S=2384
> 2004-09-10 07:59:12 1C5eRC-0006Xb-UZ => sponha_my-domain_de <a.sponhauer@???> F=<s.ross@???> R=router_cyrus T=transport_cyrus S=2390
> 2004-09-10 07:59:13 1C5eRC-0006Xb-UZ => beckep_my-domain_de <p.becker@???> F=<s.ross@???> R=router_cyrus T=transport_cyrus S=2384
> 2004-09-10 07:59:13 1C5eRC-0006Xb-UZ => didier@??? F=<s.ross@???> R=lookuphost T=remote_smtp S=2251 H=in.mx.skynet.be [195.238.3.129] C="250 2.0.0 i8A6D5Qj025526 Message accepted for delivery"
> 2004-09-10 07:59:14 1C5eRC-0006Xb-UZ => cs@??? F=<s.ross@???> R=lookuphost T=remote_smtp S=2251 H=mail1.hdweb.dk [81.7.130.231] C="250 ok 1094796786 qp 27722"
> 2004-09-10 07:59:14 1C5eRC-0006Xb-UZ => p.golajewski@??? F=<s.ross@???> R=lookuphost T=remote_smtp S=2251 H=my-domain.pl [195.149.226.32] C="250 ok 1094796787 qp 30531"
> 2004-09-10 07:59:20 1C5eRC-0006Xb-UZ => petsn.@tiger-team.cz F=<s.ross@???> R=lookuphost T=remote_smtp S=2251 H=large.di.cz [213.151.85.130] C="250 2.0.0 i8A6DnN14559 Message accepted for delivery"
> 2004-09-10 08:01:12 1C5eRC-0006Xb-UZ => neil7100@??? F=<s.ross@???> R=lookuphost T=remote_smtp S=2251 H=mx.terra.es [213.4.129.130] C="250 2.5.0 Ok."
> 2004-09-10 08:01:12 1C5eRC-0006Xb-UZ Completed


The mail is delivered to everybody, including somebody in the skynet.be
domain.

> 2004-09-10 07:59:49 SMTP connection from [213.151.85.252]:57102 (TCP/IP connection count = 1)
> 2004-09-10 07:59:54 1C5eRq-0006Xx-BW <= postmaster@??? H=colek.di.cz (ovce.di.cz) [213.151.85.252]:57102 I=[10.7.18.1]:25 P=esmtp X=TLSv1:DES-CBC3-SHA:168 S=6313 id=1275D39B62EE@??? T="Delivery failure notification" from <postmaster@???> for s.ross@???
> 2004-09-10 07:59:54 SMTP connection from colek.di.cz (ovce.di.cz) [213.151.85.252]:57102 closed by QUIT
> 2004-09-10 07:59:54 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1C5eRq-0006Xx-BW
> 2004-09-10 07:59:55 1C5eRq-0006Xx-BW => ross_my-domain_de <s.ross@???> F=<postmaster@???> R=router_cyrus T=transport_cyrus S=6518
> 2004-09-10 07:59:55 1C5eRq-0006Xx-BW Completed


ross gets a bounce message from di.cz (presumably the recipient was
petsn.@tiger-team.cz)

> 2004-09-10 08:01:30 SMTP connection from [194.78.218.254]:21222 (TCP/IP connection count = 1)
> 2004-09-10 08:01:32 1C5eTT-0006Y8-4m <= s.ross@??? H=194-78-218-254.pro.turboline.skynet.be (spirit.local) [194.78.218.254]:21222 I=[10.7.18.1]:25 P=esmtp S=3520 id=000001c496fd$97d49440$6400000a@??? T="AW: BELL DELIVERY DATES" from <s.ross@???> for a.grabowski@??? b.kutien@??? a.sponhauer@??? p.becker@???


Here somebody did a 'reply all' to the original message, using a broken
MUA that doesn't even put a Re: $subject in, and the recipients in your
domain were delivered to you. This person in the skynet.be domain is
using s.ross@??? as their envelope sender, which may or may not
be correct, but otherwise, you are not relaying - you are accepting mail
for local domains. That is as it should be.
--
--------------------------------------------------------------------------
|  Stephen Gran                  | Wow, I'm being shot at from both sides. |
|  steve@???             | That means I *must* be right.  :-)      |
|  http://www.lobefin.net/~steve | -- Larry Wall in                        |
|                       | <199710211959.MAA18990@???>        |

--------------------------------------------------------------------------
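
The log reading done by hand in the reply above can be automated. The following is an added example, not part of the original thread: it groups Exim main-log lines by message id and reports whether each arrival was only delivered locally or was relayed onward. The sample log is constructed (hosts and addresses are made up), and `TRUSTED_NETS` is an assumed stand-in for the site's relay_from_hosts setting; `remote_smtp` is the transport name from the quoted log.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Exim main-log format; hosts and addresses are made up.
SAMPLE_LOG = """\
2004-09-10 07:59:11 1AAAAA-000001-AA <= alice@example.org H=pc1.example.org (pc1) [192.168.1.86]:1048 P=asmtp A=login:alice S=2177 for bob@example.org carol@example.net
2004-09-10 07:59:12 1AAAAA-000001-AA => bob_example_org <bob@example.org> R=router_cyrus T=transport_cyrus S=2390
2004-09-10 07:59:13 1AAAAA-000001-AA => carol@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.9]
2004-09-10 08:01:32 1BBBBB-000002-BB <= alice@example.org H=dsl.example.net (spirit.local) [198.51.100.7]:21222 P=esmtp S=3520 for bob@example.org
2004-09-10 08:01:33 1BBBBB-000002-BB => bob_example_org <bob@example.org> R=router_cyrus T=transport_cyrus S=3700
2004-09-10 08:05:00 1CCCCC-000003-CC <= dave@example.com H=host.example.com [198.51.100.99]:4000 P=esmtp S=900 for erin@example.net
2004-09-10 08:05:01 1CCCCC-000003-CC => erin@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.9]
"""

MSG_LINE = re.compile(
    r"^\S+ \S+ ([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (<=|=>|->) (.*)$")
REMOTE_TRANSPORTS = {"remote_smtp"}   # transport name seen in the quoted log
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16")]  # assumed relay_from_hosts

def classify(log_text):
    """Map each arrived message id to local-only / trusted-relay / unauthenticated-relay."""
    msgs = defaultdict(lambda: {"arrived": False, "trusted": False, "transports": set()})
    for line in log_text.splitlines():
        m = MSG_LINE.match(line)
        if not m:
            continue  # connection, cwd= and "Completed" lines are not needed here
        msg_id, flag, rest = m.groups()
        info = msgs[msg_id]
        if flag == "<=":
            host = re.search(r"H=[^\[]*\[([0-9A-Fa-f.:]+)\]", rest)
            authed = re.search(r"(?:^| )A=\S+", rest) is not None
            # An arrival without H= is a local (non-SMTP) submission: trusted.
            in_net = host is None or any(
                ipaddress.ip_address(host.group(1)) in net for net in TRUSTED_NETS)
            info["arrived"], info["trusted"] = True, authed or in_net
        else:
            transport = re.search(r"(?:^| )T=(\S+)", rest)
            if transport:
                info["transports"].add(transport.group(1))
    verdicts = {}
    for msg_id, info in msgs.items():
        relayed = bool(info["transports"] & REMOTE_TRANSPORTS)
        if info["arrived"]:
            verdicts[msg_id] = ("local-only" if not relayed else
                "trusted-relay" if info["trusted"] else "unauthenticated-relay")
    return verdicts

print(classify(SAMPLE_LOG))
```

The second sample message has the same shape as the skynet.be arrival discussed in the reply: an unauthenticated outside host whose recipients are all handed to the local transport, so it is reported as `local-only`.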