Re: [exim-dev] Exim from mailnull by local "Auto-Submitted: …

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Tim Jackson
Data:  
Para: exim-dev
Asunto: Re: [exim-dev] Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing
On Tue, 7 Jun 2005 19:27:08 -0700
Tony Marques <tymes10@???> wrote:

> An Exim server should only try to send two messages after which it
> should stop -- freezing (or whatever) the first message and the
> generated bounce.


As others have said, I've never seen Exim exhibit bad behaviour like
you're describing. Exim definitely doesn't keep retrying after 5xx
errors. Whilst there's always the possibility of a bug, I'm pretty sure
it would have been picked up by now considering the huge deployment and
long history of Exim.

However, can I point out an alternative suggestion. Exim is
incorporated into at least one (and probably more) "control panel"
products (Cpanel), where at least some parts of the system are pre-
configured and the users may not be actually configuring Exim
directly; they may be relying on Cpanel to do it. Whilst I know nothing
about Cpanel or other similar software, it's entirely possible that the
authors of such products have done some kind of silly configuration
(e.g. having a cron job run "exim -qff" repeatedly, which would cause
the behaviour you describe), which would explain how many apparently
unconnected Exim machines are exhibiting similar behaviour.

There are two things I would note about this:

a) This seems more likely given that you are complaining about bogus
virus bounces and similar (which are indeed a PITA - see
http://www.timj.co.uk/linux/bogus-virus-warnings.cf ). Well- configured
Exim machines don't spew crap like this out. And "well- configured" in
this case isn't some kind of get-out clause for "if you're an ubergeek
and know how to change some obscure option"; by default it will not do
such things. So the fact that the machines are already misconfigured
surely makes it more likely that the operators (or whoever wrote the
scripts to configure them) have done something else silly with their
configuration?

b) More pertinently, the example you cited in an earlier mail did
indeed exhibit signs of being a "pre-configured" machine. Here goes
again:

To: info@???
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1DedQo-0007nX-LM@???>
Date: Sat, 04 Jun 2005 11:31:38 -0700
X-AntiAbuse: This header was added to track abuse, please include it
with any abuse report
X-AntiAbuse: Primary Hostname - bob.xstreamhost.com
X-AntiAbuse: Original Domain - forged.dom
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -

Note the "X-AntiAbuse" headers. These are not generated by Exim and I
believe (someone please correct me if I'm wrong) that they are a
fingerprint of Cpanel. So, what would be worth checking is whether
other problem mails you are getting have these. I bet they do, in
which case if my identification is right the culprit would appear to be
Cpanel.

Also note the list of hostnames you sent; quite a number of them do
indeed superficially sound like "web hosting"-type machines, which is
further circumstantial evidence that they are more likely than average
to have pre- configured "control panels" like Cpanel on them; here are a
few examples you gave:

209.63.57.146  box6.bluehost.com        (Exim 4.43)
63.247.94.186  peace.janushosting.com        (Exim 4.43)
12.164.27.82   server.netcastdaily.com        (Exim 4.43)
69.72.197.26   server145.webdomainserver.com    (Exim 4.43)
202.60.64.24   cp8.hostingshop.com.au        (Exim 4.43)
69.72.128.18   server145.highprofilehosting.com    (Exim 4.44)
69.72.225.186  bob.xstreamhost.com        (Exim 4.50)



Tim