Re: [exim] Better Tracking

Author: Grant Peel
Date:  
To: exim-users
Subject: Re: [exim] Better Tracking
----- Original Message -----
From: "Grant Peel" <gpeel@???>
To: <exim-users@???>
Sent: Monday, March 17, 2008 10:03 AM
Subject: Re: [exim] Better Tracking


> ----- Original Message -----
> From: "Ted Cooper" <eximX1211@???>
> To: <exim-users@???>
> Sent: Monday, March 17, 2008 9:52 AM
> Subject: Re: [exim] Better Tracking
>
>
>> Grant Peel wrote:
>>> Hi all,
>>>
>>> I have been wrestling with my servers trying to cut down on the amount of
>>> spam we are sending.
>>>
>>> Can someone translate these log lines:
>>>
>>> 2008-03-16 18:36:06 1Jb1SX-000Eu2-Ll <= <> R=1Jb1SV-000Etp-55 U=mailnull
>>> P=local S=1185
>>> ...
>>> 2008-03-16 18:36:14 1Jb1SX-000Eu2-Ll ** binod@??? R=dnslookup
>>> T=remote_smtp: SMTP error from remote mail server after RCPT
>>> TO:<binod@???>: host borland-mxa.mail.eds.net [192.85.154.83]:
>>> 550 5.1.2 <binod@???>... Rejected: 69.90.69.141 Backscatter
>>> 2008-03-16 18:36:14 1Jb1SX-000Eu2-Ll binod@???: error ignored
>>> 2008-03-16 18:36:14 1Jb1SX-000Eu2-Ll Completed
>>>
>>> It looks to me as if the original message was rejected because the remote
>>> mail host saw my server as a spammer.
>>>
>>> What I need to know is, how did the original message (log line 1) get
>>> into my server at all? How can I beef up the logging to tell me if it was
>>> a locally generated message, or if I have a hacked account (password
>>> 'guessed')?
>>>
>>> -Grant
>>
>> It's a bounce message generated by your server.
>>
>> Look for an email from binod@??? heading into your server. See
>> what it was doing.
>>
>> My guess is that you're accepting email that you shouldn't and
>> subsequently bouncing it. Make sure you are checking for valid recipient
>> before you accept the email at RCPT time.
>>
>> The remote server is rejecting you because you are trying to bounce a
>> message to them that they don't seem to have sent. My guess is that they
>> keep track of every single outgoing email from/to and don't accept
>> bounces that don't match up.
>> --
>> The Exim Manual
>> http://www.exim.org/docs.html
>> http://www.exim.org/exim-html-current/doc/html/spec_html/index.html
>>
>> --
>> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list - http://wiki.exim.org/
>>
>>
>
> Excellent,
>
> Then when I grep the original message, I see this:
>
> 2008-03-16 18:36:05 1Jb1SV-000Etp-55 <= binod@??? U=mailnull
> P=spam-scanned S=3313 id=00     c887b6$075bb784$63a9baaa@foivved
>
> 2008-03-16 18:36:05 1Jb1SV-000Etp-55 ** kempsmeal@???
> <info@???> R=dnslooku     remote_smtp: SMTP error from
> remote mail server after end of data: host mailin-01.mx.aol.com [20
> 8.156.248]: 554-:  (HVU:B1)
> http://postmaster.info.aol.com/errors/554hvub1.html\n554 TRANSACTION 
> LED
>
> So how do I figure out HOW it came to my server to begin with?
>
> -Grant
>
>
> --
> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>
>


Ted, at the risk of sounding totally incompetent, how do I check for valid
recipients before accepting the message?

Here is my configure such as it is:

######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################
primary_hostname = constellation.thenetnow.com
domainlist local_domains = /etc/virtual/domains
domainlist relay_to_domains =
hostlist relay_from_hosts = /etc/virtual/domains
hostlist blacklisted_domains = /etc/virtual/blacklist
acl_smtp_rcpt = acl_check_rcpt
trusted_users = mailnull:root:webmail:www
exim_user = mailnull
exim_group = mail
never_users =
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 0s
timeout_frozen_after = 1d
return_path_remove
untrusted_set_sender = *
helo_allow_chars = _
daemon_smtp_ports = 25 : 109
bounce_message_file = /usr/local/etc/exim/bounce_message_file
warn_message_file = /usr/local/etc/exim/warn_message_file
return_size_limit = 10000
bounce_return_message = false
delay_warning = 72h
log_selector = +incoming_interface
######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################
begin acl
acl_check_rcpt:
  accept  hosts = :
  dnslists      = ips.backscatterer.org
  message       = This message looks like a bounce, and your server is listed at \
                  ips.backscatterer.org, so I assume that this is "backscatter". \
                  Please configure your mail server to not send "backscatter spam". \
                  For advice, try http://www.dontbouncespam.org/
  log_message   = ATTENTION BACKSCATTERER
  deny    local_parts   = ^.*[@%!/|] : ^\\.
  deny    senders = :
          condition     = ${if ! eq{$recipients_count}{1}{1}}
          message       = Bounces must have only a single recipient
          log_message   = Another denied due to backscatter-Single Recipient
# accept  local_parts   = postmaster
#          domains       = +local_domains
  require verify        = sender
  deny    message       = rejected because $sender_host_address was \
                          found in our blacklist
          log_message   = domain found in $blacklisted_domains
          hosts         = +blacklisted_domains
  accept  domains       = +local_domains
          endpass
          message       = unknown user
          verify        = recipient
  accept  domains       = +relay_to_domains
          endpass
          message       = unrouteable address
          verify        = recipient
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *



######################################################################
#                      ROUTERS CONFIGURATION                         #


...
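Added example, not code from the thread or from Exim: a small Python script that does what Ted suggests by hand, namely linking a locally generated bounce (an arrival line with sender `<>` and `R=<parent id>`) back to its parent's `<=` line in the main log, and flagging the accept-then-fail-then-bounce pattern that remote sites reject as backscatter. The log lines in it are constructed in the same format as the ones quoted above, with placeholder addresses and hosts.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(  # one main-log line: "<date> <time> <msgid> <flag> <rest>"
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w{6}-\w{6}-\w{2}) (<=|=>|->|==|\*\*|Completed)(?: (.*))?$")
HOST_RE = re.compile(r"H=(\S+)(?: \([^)]*\))? \[([^\]]+)\]")      # H=name (helo) [ip]

# Constructed sample in the same format as the thread's log; addresses/hosts are placeholders.
SAMPLE_LOG = """\
2008-03-16 18:36:05 1Jb1SV-000Etp-55 <= binod@example.net U=mailnull P=spam-scanned S=3313 id=c887b6@foivved.invalid
2008-03-16 18:36:05 1Jb1SV-000Etp-55 ** kempsmeal@example.org <info@example.com> R=dnslookup T=remote_smtp: SMTP error from remote mail server after end of data: host mx.example.org [198.51.100.7]: 554 rejected
2008-03-16 18:36:06 1Jb1SX-000Eu2-Ll <= <> R=1Jb1SV-000Etp-55 U=mailnull P=local S=1185
2008-03-16 18:36:14 1Jb1SX-000Eu2-Ll ** binod@example.net R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<binod@example.net>: host mx.example.net [192.0.2.9]: 550 5.1.2 Rejected: Backscatter
2008-03-16 19:01:00 1Jb1ym-000Fa1-Qa <= alice@example.com H=mail.example.com (helo.example.com) [203.0.113.5] P=esmtp S=2100
2008-03-16 19:01:02 1Jb1ym-000Fa1-Qa ** nobody@example.invalid R=dnslookup T=remote_smtp: 550 no such user
2008-03-16 19:01:02 1Jb1yo-000Fa4-Bb <= <> R=1Jb1ym-000Fa1-Qa U=mailnull P=local S=900
2008-03-16 19:05:00 1Jb22c-000Fb0-Cc <= root U=root P=local S=400
2008-03-16 19:05:01 1Jb22d-000Fb1-Dd <= <> R=1Jb22c-000Fb0-Cc U=mailnull P=local S=500
"""

def parse_arrival(rest):
    """Text after '<=': envelope sender, then key=value fields (R=, U=, P=, H=, S=, id=)."""
    sender, _, tail = rest.partition(" ")
    m = HOST_RE.search(tail)                 # only remote SMTP arrivals carry H=name [ip]
    info = {"sender": sender, "ip": m.group(2)} if m else {"sender": sender}
    for key, val in re.findall(r"\b([A-Za-z]+)=(\S+)", tail):
        info.setdefault(key, val)
    return info

def trace_bounces(log_text):
    """Link each bounce (sender <> with R=parent id) back to the parent's arrival line."""
    arrivals, failed = {}, defaultdict(list)
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        mid, flag, rest = m.group(2, 3, 4)
        if flag == "<=":
            arrivals[mid] = parse_arrival(rest or "")
        elif flag == "**":                   # delivery failed after the message was accepted
            failed[mid].append(rest or "")
    report = []
    for mid, info in arrivals.items():
        if info["sender"] != "<>" or "R" not in info:
            continue                         # not a bounce generated by this server
        parent = arrivals.get(info["R"], {})  # {} if the parent's arrival is outside this slice
        report.append({"bounce": mid, "parent": info["R"], "bounce_rejected": mid in failed,
                       "origin_sender": parent.get("sender"),
                       "origin": parent.get("ip") or "P=%s, no H= field" % parent.get("P", "?"),
                       # accepted from outside, failed after acceptance, then bounced = backscatter
                       "backscatter": parent.get("P", "local") != "local" and info["R"] in failed})
    return report
```

When the parent's `<=` line has no `H=` field (as with the `P=spam-scanned` re-injection in the thread), the entry host is not on that line and you have to follow the chain one step further back in the log.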