Hi all:

        The other day a spammer found an open relay in one of our customers'
machines (insert here rant about Windows lusers who run toy mail servers
in their computers without knowing how to configure them properly), and
sent around 5000 mails. Said customer's machine dumped them on my mail
server... and of course, since it was allowed to relay, our mail server
started to send them out. When I arrived in the morning, I had more than
1500 mails in my queue.
        Anyway, I stop qmail-send (kill (PID of qmail-send) + "killall
qmail-remote"), and start deleting spam from the queue using qmHandle
(the Perl script listed in qmail.org). I had previously done also a
"killall tcpserver" to avoid more mails being added to the queue by SMTP
while I was messing with it. However, I can't finish deleting all of the
spam before users start complaining, so I start qmail again, thinking
"well, I'll delete the rest later"... and here is where the problem with
the queue starts.
        When I later stopped qmail again to delete more spam, I started finding
weird inconsistencies. For example, qmail-read would show a piece of
junk-mail, but when I tried to view or delete it using qmHandle, it
would say that it didn't exist. Or I would go to queue/info and see a
certain file (say, 880099), and when I tried to view it using qmHandle,
it would say again that it didn't exist. Not only that, but some users
started receiving bounce messages for users to which they had NOT sent
mails, almost as if qmail had mixed up the recipients for the junk mails
and the regular ones. For example, here is one reported to me:


>From: <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Wednesday, June 13, 2001 1:31 PM
>Subject: failure notice
>
> Hi. This is the qmail-send program at mail.ddnet.es.
> I'm afraid I wasn't able to deliver your message to the following addresses.
> This is a permanent error; I've given up. Sorry it didn't work out.
>
> <[EMAIL PROTECTED]>:
> 64.136.25.17 does not like recipient.
> Remote host said: 550 [EMAIL PROTECTED] Account Inactive
> Giving up on 64.136.25.17.
>
> <[EMAIL PROTECTED]>:
> 204.127.134.17 does not like recipient.
> Remote host said: 550 Invalid recipient: <[EMAIL PROTECTED]>
> Giving up on 204.127.134.17.
>
> <[EMAIL PROTECTED]>:
> 64.4.49.7 does not like recipient.
> Remote host said: 550 Requested action not taken:user account inactive
> Giving up on 64.4.49.7.
>
> <[EMAIL PROTECTED]>:
> 64.94.242.241 does not like recipient.
> Remote host said: 553 5.7.1 No such mailbox.702.776N01e: [EMAIL PROTECTED]
> Giving up on 64.94.242.241.
>
> <[EMAIL PROTECTED]>:
> 204.49.54.3 does not like recipient.
> Remote host said: 550 Unknown user.
> Giving up on 204.49.54.3.
>
> <[EMAIL PROTECTED]>:
> 64.4.56.135 does not like recipient.
> Remote host said: 550 Requested action not taken:user account inactive
> Giving up on 64.4.56.135.
>
> <[EMAIL PROTECTED]>:
> 207.217.120.79 does not like recipient.
> Remote host said: 550 [EMAIL PROTECTED] unknown
> Giving up on 207.217.120.79.
>
> <[EMAIL PROTECTED]>:
> 64.4.55.135 does not like recipient.
> Remote host said: 550 Requested action not taken: mailbox unavailable
> Giving up on 64.4.55.135.
>
> <[EMAIL PROTECTED]>:
> 207.217.120.79 does not like recipient.
> Remote host said: 550 [EMAIL PROTECTED] unknown
> Giving up on 207.217.120.79.
>
> <[EMAIL PROTECTED]>:
> 199.221.118.14 does not like recipient.
> Remote host said: 550 RCPT TO:<[EMAIL PROTECTED]> User unknown
> Giving up on 199.221.118.14.
>
> <[EMAIL PROTECTED]>:
> 206.40.44.3 does not like recipient.
> Remote host said: 550 5.1.1 <[EMAIL PROTECTED]>... User unknown
> Giving up on 206.40.44.3.
>
> <[EMAIL PROTECTED]>:
> 206.13.28.142 does not like recipient.
> Remote host said: 550 5.1.1 unknown or illegal alias: [EMAIL PROTECTED]
> Giving up on 206.13.28.142.
>
> <[EMAIL PROTECTED]>:
> 207.46.181.13 does not like recipient.
> Remote host said: 550 5.1.1 [EMAIL PROTECTED] User unknown
> Giving up on 207.46.181.13.
>
> <[EMAIL PROTECTED]>:
> 12.10.123.8 does not like recipient.
> Remote host said: 550 Relaying is prohibited
> Giving up on 12.10.123.8.
>
> <[EMAIL PROTECTED]>:
> 207.217.120.79 does not like recipient.
> Remote host said: 550 [EMAIL PROTECTED] unknown
> Giving up on 207.217.120.79.
>
> <[EMAIL PROTECTED]>:
> 207.46.181.13 does not like recipient.
> Remote host said: 550 5.1.1 [EMAIL PROTECTED] User unknown
> Giving up on 207.46.181.13.
>
> <[EMAIL PROTECTED]>:
> 207.55.158.20 does not like recipient.
> Remote host said: 550 Invalid recipient <[EMAIL PROTECTED]>
> Giving up on 207.55.158.20.
>
> <[EMAIL PROTECTED]>:
> 207.217.120.29 does not like recipient.
> Remote host said: 550 [EMAIL PROTECTED] unknown
> Giving up on 207.217.120.29.
>
> <[EMAIL PROTECTED]>:
> 204.216.215.3 does not like recipient.
> Remote host said: 550 5.1.1 <[EMAIL PROTECTED]>... User unknown
> Giving up on 204.216.215.3.
>
> <[EMAIL PROTECTED]>:
> 64.4.42.7 does not like recipient.
> Remote host said: 550 Requested action not taken:user account inactive
> Giving up on 64.4.42.7.
>
> <[EMAIL PROTECTED]>:
> 63.221.191.10 does not like recipient.
> Remote host said: 550 5.1.1 user [EMAIL PROTECTED] not known
> Giving up on 63.221.191.10.
>
> <[EMAIL PROTECTED]>:
> 216.136.129.18 failed after I sent the message.
> Remote host said: 554 delivery error: dd Sorry, your message to [EMAIL PROTECTED] cannot be delivered.  This account has been disabled or discontinued. - mta445.mail.yahoo.com
>
> <[EMAIL PROTECTED]>:
> 165.166.0.25 does not like recipient.
> Remote host said: 550 5.1.1 unknown or illegal user: [EMAIL PROTECTED]
> Giving up on 165.166.0.25.
>
> <[EMAIL PROTECTED]>:
> 205.252.14.32 does not like recipient.
> Remote host said: 550 5.1.1 <[EMAIL PROTECTED]>... User unknown
> Giving up on 205.252.14.32.
>
> <[EMAIL PROTECTED]>:
> 207.114.0.132 does not like recipient.
> Remote host said: 550 5.1.1 <[EMAIL PROTECTED]>... User unknown
> Giving up on 207.114.0.132.
>
> <[EMAIL PROTECTED]>:
> 64.75.34.135 does not like recipient.
> Remote host said: 554 <[EMAIL PROTECTED]>: Recipient address rejected: Relay access denied
> Giving up on 64.75.34.135.
>
> <[EMAIL PROTECTED]>:
> 63.215.240.108 does not like recipient.
> Remote host said: 550 <[EMAIL PROTECTED]>... User unknown
> Giving up on 63.215.240.108.
>
> <[EMAIL PROTECTED]>:
> 64.4.49.71 does not like recipient.
> Remote host said: 550 Requested action not taken: mailbox unavailable
> Giving up on 64.4.49.71.
>
> <[EMAIL PROTECTED]>:
> Connected to 207.115.59.58 but sender was rejected.
> Remote host said: 550 5.0.0 Access denied
>
> <[EMAIL PROTECTED]>:
> Connected to 207.115.58.97 but sender was rejected.
> Remote host said: 550 5.0.0 Access denied
>
> <[EMAIL PROTECTED]>:
> 207.46.181.13 does not like recipient.
> Remote host said: 550 5.1.1 [EMAIL PROTECTED] User unknown
> Giving up on 207.46.181.13.
>
> <[EMAIL PROTECTED]>:
> 216.136.129.4 failed after I sent the message.
> Remote host said: 554 delivery error: dd This user doesn't have a yahoo.com account ([EMAIL PROTECTED]) - mta577.mail.yahoo.com
>
> <[EMAIL PROTECTED]>:
> 207.46.181.13 does not like recipient.
> Remote host said: 550 5.1.1 [EMAIL PROTECTED] User unknown
> Giving up on 207.46.181.13.
>
> <[EMAIL PROTECTED]>:
> 198.3.99.212 does not like recipient.
> Remote host said: 550 Invalid recipient: <[EMAIL PROTECTED]>
> Giving up on 198.3.99.212.
>
> <[EMAIL PROTECTED]>:
> 207.69.200.239 does not like recipient.
> Remote host said: 550 [EMAIL PROTECTED] unknown
> Giving up on 207.69.200.239.
>
> <[EMAIL PROTECTED]>:
> 207.69.200.239 does not like recipient.
> Remote host said: 550 [EMAIL PROTECTED] unknown
> Giving up on 207.69.200.239.
>
> <[EMAIL PROTECTED]>:
> 207.69.200.63 does not like recipient.
> Remote host said: 550 [EMAIL PROTECTED] unknown
> Giving up on 207.69.200.63.
>
> --- Below this line is a copy of the message.
>
> Return-Path: <[EMAIL PROTECTED]>
> Received: (qmail 23265 invoked from network); 13 Jun 2001 11:31:47 -0000
> Received: from unknown (HELO gfk.gfk-emer.com) (212.95.216.134)
>   by mail.ddnet.es with SMTP; 13 Jun 2001 11:31:47 -0000
> Received: (qmail 24543 invoked from network); 13 Jun 2001 09:36:08 -0000
> Received: from unknown (HELO none) (192.168.2.34)
>   by dummy.ddnet.es with SMTP; 13 Jun 2001 09:36:08 -0000
> Message-ID: <000c01c0f3e8$742de160$[EMAIL PROTECTED]>
> From: "Rosa Pascual" <[EMAIL PROTECTED]>
> To: "Julio Sobrino" <[EMAIL PROTECTED]>
> Subject: Bases de Datos SMS
> Date: Wed, 13 Jun 2001 11:08:45 +0200
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----=_NextPart_000_0009_01C0F3F9.36D4DCE0"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 5.00.2919.6600
> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
>

        (gfk-emer.com is one of our customers; they have a qmail server on a
dialup connection, and we queue mail for them and act as primary MX).
        As you can see, there are no traces of the above pile of addresses in
the headers of the original mail (it could have been a BCC, but I'm sure
that the original sender does NOT know any of those people in the U.S.
and therefore had no business sending mail to them). Rather, it looks
like the above pile of addresses were used by the spammer...
        After seeing this, I stopped qmail and ran queue-fix, but the problem
still persisted for 2 or 3 days, until the queue ran out of spam (either
because they bounced or because we deleted them by hand). My question
is: has anybody seen this before? I have a hard time believing that
qmail's queue could have been corrupted by just 1500 mails, and I
haven't touched the queue by hand at any moment (other than to view
(that is, *read*) some files). It certainly looks very odd to me...
        (Additional information: qmail 1.03, Red Hat 6.2, kernel 2.2.17).



                                                Paulo Jan.
                                                DDnet.
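As an added illustration (not part of the post above, nor code from qmHandle or queue-fix), here is a consistency check over the qmail 1.03 queue layout: mess/, info/, local/ and remote/ are each split into conf-split (23) hash directories, and every file is named after the inode of its mess/ file and lives in hash directory inode % conf-split. An info/ record with no mess/ file behind it, or a mess/ file in the wrong hash directory, is exactly the state in which a queue tool reports a message that is visibly on disk as "does not exist". The queue fixture is constructed in a temporary directory and the sender addresses are placeholders.

```python
import os
import tempfile

SPLIT = 23                                    # qmail's default conf-split
HASHED = ("mess", "info", "local", "remote")  # subdirs split by (inode % conf-split)


def check_queue(root, split=SPLIT):
    """Cross-check the hashed queue subdirectories; return sorted (kind, path) findings."""
    findings, mess_ids = [], set()
    # pass 1: each mess/ file must be named after its own inode and sit in mess/<inode % split>/
    for h in range(split):
        hdir = os.path.join(root, "mess", str(h))
        for name in os.listdir(hdir):
            ino = os.stat(os.path.join(hdir, name)).st_ino
            if not name.isdigit() or int(name) != ino:
                findings.append(("name-inode-mismatch", f"mess/{h}/{name}"))
                continue
            mess_ids.add(name)
            if ino % split != h:
                findings.append(("wrong-hash-dir", f"mess/{h}/{name}"))
            elif not os.path.exists(os.path.join(root, "info", str(h), name)):
                findings.append(("missing-info", f"mess/{h}/{name}"))
    # pass 2: info/local/remote entries with no mess/ file behind them are orphans
    for d in HASHED[1:]:
        for h in range(split):
            for name in os.listdir(os.path.join(root, d, str(h))):
                if name not in mess_ids:
                    findings.append(("orphan", f"{d}/{h}/{name}"))
    return sorted(findings)


def _put(root, sub, h, name, body):
    path = os.path.join(root, sub, str(h), name)
    with open(path, "w") as f:
        f.write(body)
    return path


def build_sample_queue(root):
    """Constructed fixture: one consistent message plus two faults of the kind described."""
    for d in HASHED:
        for h in range(SPLIT):
            os.makedirs(os.path.join(root, d, str(h)), exist_ok=True)
    # consistent message: write it, read back its inode, move it into the right hash dir
    tmp = _put(root, "mess", 0, "tmp", "Subject: ok\n\nhello\n")
    ino = os.stat(tmp).st_ino
    os.rename(tmp, os.path.join(root, "mess", str(ino % SPLIT), str(ino)))
    _put(root, "info", ino % SPLIT, str(ino), "Fsender@example.invalid\0")
    # fault 1: an info/ record (like the 880099 in the post) with no mess/ file behind it
    _put(root, "info", 880099 % SPLIT, "880099", "Fspammer@example.invalid\0")
    # fault 2: a mess/ file placed in a hash dir other than inode % conf-split
    tmp2 = _put(root, "mess", 0, "tmp2", "Subject: misplaced\n\n")
    ino2 = os.stat(tmp2).st_ino
    wrong = (ino2 + 1) % SPLIT
    os.rename(tmp2, os.path.join(root, "mess", str(wrong), str(ino2)))
    _put(root, "info", wrong, str(ino2), "Fsender@example.invalid\0")
    return ino, ino2


def demo():
    """Build the fixture in a temporary directory and return check_queue's findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_queue(root)
        return check_queue(root)
```

Run against a real queue only with qmail-send stopped, as the post does, since qmail-send renames and unlinks these files while it runs.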
