Re: [exim] Re: spamassassin message abandoned bug

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MMwill+sherwoodphoto.com@sherwoodphoto.com at <-
MMIan FREISLICH at ->
Delete this message
Reply to this message
Author: will+sherwoodphoto.com@sherwoodphoto.com
Date:  
To: if, jeffrey, will, exim-users, jeff
CC: 
Subject: Re: [exim] Re: spamassassin message abandoned bug
btw, there is a 100% correlation to turning on and turning off spamassassin
to getting these error messages.
We've been dealing with this since at least last October and spotted
occurrences prior.

thanks
will

Original Message:
-----------------
From: Ian FREISLICH if@???
Date: Tue, 17 May 2005 15:04:10 +0200
To: jeffrey@???, will@???, exim-users@???,
jeff@???
Subject: Re: [exim] Re: spamassassin message abandoned bug


Jeffrey Wheat wrote:
> Will,
> 
>     This is an unresolved issue and it seems that the
> common response is "spammers or virus connections, ignore it".
> Well I am not about to ignore this problem as it probably is
> causing valid emails to be rejected as well. I am presently
> considering giving postfix or qmail an evaluation due to the
> lack of interest in investigating this problem. If you hear
> of anything else regaring this problem, please let me know.
> I will let you know if I hear of anything else as well.

I've seen both "connection lost" and "message abandoned" messages.
The actual message is:

2005-05-17 10:02:07 1DXwvT-0000PK-Ju SMTP data timeout (message abandoned)
on connection from (mx02.cpt.softwarefutures.com) [196.44.238.133]

and

2005-05-17 11:50:13 SMTP connection from (spdcprxx.metropolitan.co.za)
[196.36.160.196] lost while reading message data

I always assumed that this was because the remote sender got stuck
somehow and exim timed out the connection in the first instance and
that the remote sender terminated the connection with a TCP RST in
the second.

It's not something that I'm particularly concerned about and I'm
mostly sure that the problem lies with the sending host, not my
exim host.

Take the first example here:
[ian] ~ $ telnet 196.44.238.133 25
Trying 196.44.238.133...
Connected to mx02.cpt.softwarefutures.com.
Escape character is '^]'.
220
**02******************************************************************0****0
*2*************************200*****2******0200
quit
221 2.0.0 mx02.cpt.softwarefutures.com Service closing transmission channel

The only time I've seen a greeting like that before is from the
University of Kwazulu Natal here in South Africa. They are RFC
ignorant (DSN) and they tarpit connections to the point where the
SMTP timeout takes effect from my side (I've seen a response take
take 15 minutes to be acknowledged). I don't have the time to
dissect this one. I've no reason to believe that this bunch mentioned
here are not spam kooks as well and have an SMTP server sufficiently
broken to result in wierd and wonderful behaviours.

The second log message, the server does not accept connections on
port 25, but DNS claims it's www.cadiz.co.za. Maybe it's some
home-brew thing that delivers mail out and also has a sufficiently
broken SMTP implimentation.

I'm pretty sure that if I pick any random entry fom my log there
will be some similar anomaly. Lets see:

2005-05-17 12:34:47 SMTP connection from
(host138-132.pool82104.interbusiness.it) [82.104.132.138] lost while
reading message data (header) 

[ian] ~ $ nslookup 82.104.132.138
...
Name:    host138-132.pool82104.interbusiness.it
Address:  82.104.132.138


[ian] ~ $ telnet 82.104.132.138 25
Trying 82.104.132.138...
telnet: connect to address 82.104.132.138: Operation timed out
telnet: Unable to connect to remote host

>From the DNS, this looks like a dialup. It's probably a pawn3d machine.

I must say, I really think this is a non-issue. It probably relates
to the remote side not being willing to wait more than a second or
two while you run the message though SA and some AV scanner. If it's
a pawn3d machine, it probably won't even bother with a TCP RST, it
might just abandon the connection leaving you to time out. Otherwise,
it just RSTs the connection if it doesn't get a response quickly
enough to CRLF.CRLF after DATA. It should wait 5 minutes, but how
many spammers and virii are prepared to wait that long, after all
they have the whole world to infect. So many computers so little
time.

Perhaps all that postfix or qmail will buy you is that they won't
log on this condition. The additional feature qmail will give you
is a huge amount of colateral spam as a byproduct of its implimentation.
Actually, it won't give that to you, you will give that to the
world. Think hard about that before you install that piece of junk.

Ian

--
Ian Freislich



--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .




This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Re: spamassassin message abandoned bug[exim] add clamav virus protection->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)