I wonder if these are similar or the same as the bounce backs that have recently started to come through my server. Here is the header. The rest is a spam message.

Hi. This is the qmail-send program at laetitia.area510.net.
I tried to deliver a bounce message to this address, but the bounce bounced!

<train...@learndr.com>:
Sorry, I wasn't able to establish an SMTP connection. (#4.4.1)
I'm not going to try again; this message has been in the queue too long.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 31040 invoked for bounce); 17 Apr 2012 03:00:45 -0000
Date: 17 Apr 2012 03:00:45 -0000
From: mailer-dae...@laetitia.area510.net
To: train...@learndr.com
Subject: failure notice

Hi. This is the qmail-send program at laetitia.area510.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<c_nau-le...@yother.com>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <train...@learndr.com>
Received: (qmail 31035 invoked by uid 89); 17 Apr 2012 03:00:45 -0000
Received: by simscan 1.4.0 ppid: 31027, pid: 31029, t: 0.3880s
         scanners: attach: 1.4.0 clamav: 0.97.3/m:54/d:14650 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on laetitia.area510.net
X-Spam-Level: ***
X-Spam-Status: No, score=3.6 required=5.0 tests=BAYES_99,MISSING_MID,RDNS_NONE
	autolearn=no version=3.2.5
Received: from unknown (HELO ml124.learndr.com) (8.31.112.124)
  by laetitia.area510.net with SMTP; 17 Apr 2012 03:00:45 -0000
Received-SPF: pass (laetitia.area510.net: SPF record at learndr.com designates 8.31.112.124 as permitted sender)
Received: by ml124.learndr.com id hhjedq195e81 for <c_nau-le...@yother.com>; Mon, 16 Apr 2012 23:00:14 -0400 (envelope-from <train...@learndr.com>)
Date: Mon, 16 Apr 2012 23:00:14 -0400
X-Sender: train...@learndr.com
To: c_nau-le...@yother.com
From: train...@learndr.com <train...@learndr.com>
Subject: No More Hiring Mistakes: Interviewing the Right Way
Mime-Version: 1.0 
Content-Type: text/plain; charset="us-ascii"


On 04/17/2012 08:30 PM, Michael J. Colvin wrote:
I guess QMT being compromised was my concern, but like I said, I've yet to
get any of these, and I use the same server(s)...

It is happening with two different users, or groups of users, on separate
domains, but all using the same servers...

I'm hoping it's malware, and will switch gears to try to confirm it's not
before digging around in qmail anymore...

I'll let you know.

Thanks!

Mike

-----Original Message-----
From: Eric Shubert [mailto:e...@shubes.net]
Sent: Tuesday, April 17, 2012 8:15 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: Weird Bounce Backs

I think it's safe to say that this is malware, based on the
alphabetical nature of the addresses.

Question is, how are the messages getting into the queue?

I suppose that your QMT could be compromised, but I have never heard of
such a thing. Not outside of the realm of possibility, but given that
the problem is limited to a single domain, I'd say not likely.

My guess is that the client machines are infected with malware. What's
perhaps worse is that the virus appears to be active in more than one
host in the domain, which means it might be able to spread across their
network. This could be difficult to rid.

Does this happen on every message these clients send, or is the problem
sporadic? If it's consistent (and perhaps even if it's not), you might
try turning on spamdyke's detailed logging and have them submit on port
25. Then you'll see everything that's happening in the session, in
detail.

I would also recommend running malwarebytes on the client machines and
see what that finds. Anti-virus programs don't catch all types of
malware, and I think this might be a type that their anti-virus
software isn't catching.

--
-Eric 'shubes'


On 04/17/2012 07:52 PM, Michael J. Colvin wrote:
Have you identified the host which is connected to your QMT? Is it a
client directly connecting, or are they coming in via an Exchange
server?

They are both... One is directly connecting to one of my Qmail servers, and
the other client is coming from their Exchange server (they use us as a
Smarthost).

Here's the NDR from the other client:

-------------------------------------

-----Original Message-----
From: mailer-dae...@mail.norcalisp.com
[mailto:mailer-dae...@mail.norcalisp.com]
Sent: Tuesday, April 17, 2012 11:01 AM
To: g...@xxxxxxxx.com
Subject: failure notice

Hi. This is the qmail-send program at mail.norcalisp.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<acamp...@yahoo.com>:
User and password not set, continuing without authentication.
<acamp...@yahoo.com>  74.6.140.64 failed after I sent the message.
Remote host said: 554 delivery error: dd This user doesn't have a yahoo.com
account (acamp...@yahoo.com) [-5] - mta1114.mail.sk1.yahoo.com

<acan...@telus.net>:
User and password not set, continuing without authentication.
204.209.205.52 does not like recipient.
Remote host said: 550 5.1.1<acan...@telus.net>  recipient rejected
Giving up on 204.209.205.52.

<acampbell...@yahoo.co>:
Sorry, I couldn't find any host named yahoo.co. (#5.1.2)

<acampo...@aol.com>:
User and password not set, continuing without authentication.
205.188.146.194 does not like recipient.
Remote host said: 550 5.1.1<acampo...@aol.com>: Recipient address rejected:
aol.com Giving up on 205.188.146.194.

<acanue...@dryden.net>:
User and password not set, continuing without authentication.
216.40.42.4 does not like recipient.
Remote host said: 554 5.7.1<acanue...@dryden.net>: Recipient address rejected:
user acanue...@dryden.net does not exist Giving up on 216.40.42.4.
<acampbell5...@insightbb.com>:
User and password not set, continuing without authentication.
208.47.185.21 does not like recipient.
Remote host said: 550 5.1.1 Recipient acampbell5...@insightbb.com does not
exist here Giving up on 208.47.185.21.

<acamp4...@aol.com>:
User and password not set, continuing without authentication.
205.188.190.1 does not like recipient.
Remote host said: 550 5.1.1<acamp4...@aol.com>: Recipient address rejected:
aol.com Giving up on 205.188.190.1.

<acan...@hotmail.com>:
User and password not set, continuing without authentication.
65.55.37.88 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.55.37.88.

<acand54...@aol.com>:
User and password not set, continuing without authentication.
64.12.90.66 does not like recipient.
Remote host said: 550 5.1.1<acand54...@aol.com>: Recipient address
rejected: aol.com Giving up on 64.12.90.66.

<acan...@hotmail.com>:
User and password not set, continuing without authentication.
65.55.37.72 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.55.37.72.

<acana...@cs.com>:
User and password not set, continuing without authentication.
205.188.103.1 does not like recipient.
Remote host said: 550 5.1.1<acana...@cs.com>: Recipient address rejected:
cs.com Giving up on 205.188.103.1.

<acan...@cablelan.net>:
User and password not set, continuing without authentication.
64.18.5.10 does not like recipient.
Remote host said: 550 Unrouteable address Giving up on 64.18.5.10.

<acampb...@oanet.com>:
User and password not set, continuing without authentication.
<acampb...@oanet.com>  216.17.3.48 failed on DATA command.
Remote host said: 554 no valid recipients, bye

<acandelar...@cox.net>:
User and password not set, continuing without authentication.
68.6.19.3 does not like recipient.
Remote host said: 550 5.1.1<acandelar...@cox.net>  invalid recipient - Refer
to Error Codes section at
http://postmaster.cox.net/confluence/display/postmaster/Error+Codes
for more information.
Giving up on 68.6.19.3.

<acampb...@pdxinc.com>:
User and password not set, continuing without authentication.
63.237.119.43 does not like recipient.
Remote host said: 550 #5.1.0 Address rejected.
Giving up on 63.237.119.43.

<acamp...@aws.org>:
User and password not set, continuing without authentication.
<acamp...@aws.org>  12.176.97.142 failed after I sent the message.
Remote host said: 554 5.7.0 Reject, id=31447-18 - SPAM

<acanta...@optusnet.com.au>:
User and password not set, continuing without authentication.
211.29.133.14 does not like recipient.
Remote host said: 553 5.3.0<acanta...@optusnet.com.au>... No such user
Giving up on 211.29.133.14.

<aca...@laposte.net>:
User and password not set, continuing without authentication.
<aca...@laposte.net>  193.251.214.113 failed after I sent the message.
Remote host said: 550 5.2.0 Mail rejete. Mail rejected. LPN_506 [506]

<ac...@vt.edu>:
User and password not set, continuing without authentication.
198.82.183.88 does not like recipient.
Remote host said: 550 User unknown
Giving up on 198.82.183.88.

--- Below this line is a copy of the message.

Return-Path: <g...@xxxxxxxx.com>
Received: (qmail 19160 invoked by uid 89); 17 Apr 2012 18:00:52 -0000
Received: by simscan 1.4.0 ppid: 19156, pid: 19157, t: 0.5312s
          scanners: attach: 1.4.0 clamav: 0.96.3/m:53/d:12510
Received: from unknown (HELO mail.norcalisp.com) (192.168.100.32)
   by mail.norcalisp.com with SMTP; 17 Apr 2012 18:00:52 -0000
Received: (qmail 9243 invoked by uid 1010); 17 Apr 2012 11:00:50 -0700
Received: from 63.205.11.93 by mail.norcalisp.com (envelope-from
<g...@xxxxxxxx.com>, uid 1008) with qmail-scanner-1.25-st-qms
  (clamdscan: 0.91.2/1082. spamassassin: 3.2.0. perlscan: 1.25-st-qms.
  Clear:RC:1(63.205.11.93):.
  Processed in 0.35736 secs); 17 Apr 2012 18:00:50 -0000
X-Antivirus-NorCalISP-Mail-From: g...@xxxxxxx.com via mail.norcalisp.com
X-Antivirus-NorCalISP: 1.25-st-qms (Clear:RC:1(63.205.11.93):.
Processed in 0.35736 secs Process 9237)
Received: from adsl-63-205-11-93.dsl.scrm01.pacbell.net (HELO GregVAIO)
(g...@xxxxxxxxxx.com@63.205.11.93)
   by mail.norcalisp.com with SMTP; 17 Apr 2012 11:00:50 -0700
From: "Greg XXXXXXX" <g...@xxxxxxx.com>
To: <n...@xxxxxx.com>
References: <007001cd180b$04509830$0cf1c890$@XXXXXX.com>
In-Reply-To: <007001cd180b$04509830$0cf1c890$@XXXXXXX.com>
Subject: RE: Invoice
Date: Tue, 17 Apr 2012 11:00:50 -0700
Message-ID: <006d01cd1cc4$06aef730$140ce590$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_006E_01CD1C89.5A501F30"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac0YCwNSfAH4V5C+S1i2sICAgcM9NQEuPfMQ
Content-Language: en-us

This is a multi-part message in MIME format.

------=_NextPart_000_006E_01CD1C89.5A501F30
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

Nate,



Can I please get a tracking number?  Thanks.

-----------------------------------------------

As with the other client, nothing's showing in the logs for other than the
intended rcpt "n...@xxxxxx.com"


Mike



---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
    Vickers Consulting Group offers Qmailtoaster support and installations.
      If you need professional help with your setup, contact them today!
     Please visit qmailtoaster.com for the latest news, updates, and packages.

      To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
     For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
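A small triage helper for qmail failure notices like the ones quoted in this thread, added here as an example; it is not code from the list or from qmailtoaster. It assumes the qmail-send bounce layout shown above and builds its own sample NDR with placeholder mailboxes and IPs. It pulls out the failed recipients and the remote SMTP reply codes, applies Eric's "alphabetical addresses" observation as a list-run heuristic, and recovers the HELO name and IP of the authenticated client from the copied headers so the submitting machine can be identified.

```python
import os
import re
from collections import Counter

# Constructed sample modelled on the qmail failure notice quoted above;
# mailboxes and IPs are documentation placeholders, not real values.
SAMPLE_NDR = """Hi. This is the qmail-send program at mail.example.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
<acamp@example-a.test>:
203.0.113.10 does not like recipient.
Remote host said: 550 5.1.1 <acamp@example-a.test>: Recipient address rejected
<acan@example-b.test>:
Sorry, I couldn't find any host named example-b.test. (#5.1.2)
<acand@example-c.test>:
<acand@example-c.test>  203.0.113.20 failed after I sent the message.
Remote host said: 554 5.7.0 Reject, id=1-2 - SPAM
--- Below this line is a copy of the message.
Received: from unknown (HELO mail.example.net) (192.0.2.32)
Received: from host.isp.test (HELO CLIENTPC) (user@example.test@198.51.100.7)
"""

RCPT_RE = re.compile(r"^<([^>]+)>:\s*$", re.M)            # "<addr>:" failure header
CODE_RE = re.compile(r"^Remote host said: (\d{3})", re.M)  # remote SMTP reply code
# qmail-smtpd records the authenticated user and source IP inside its HELO Received line
CLIENT_RE = re.compile(r"\(HELO (\S+)\) \(\S+@(\d{1,3}(?:\.\d{1,3}){3})\)")

def local_part_prefix(addresses):
    """Longest common prefix of the case-folded local parts."""
    return os.path.commonprefix([a.split("@", 1)[0].lower() for a in addresses])

def looks_like_list_run(addresses, min_rcpts=3, min_prefix=2):
    """Thread's heuristic: many failed recipients sharing an alphabetical prefix
    suggest a harvested address list being walked in order, not normal user mail."""
    return len(addresses) >= min_rcpts and len(local_part_prefix(addresses)) >= min_prefix

def submitting_client(original):
    """(HELO name, IP) of the authenticated client that injected the message."""
    m = CLIENT_RE.search(original)
    return (m.group(1), m.group(2)) if m else None

def triage(ndr):
    """Split a qmail bounce into the failure report and the copied original, then
    extract who failed, why, and which client submitted the message."""
    report, _, original = ndr.partition("--- Below this line is a copy of the message.")
    rcpts = RCPT_RE.findall(report)
    return {"recipients": rcpts, "codes": Counter(CODE_RE.findall(report)),
            "list_run": looks_like_list_run(rcpts), "client": submitting_client(original)}

if __name__ == "__main__":
    print(triage(SAMPLE_NDR))
```

Run against a real bounce, the `client` tuple is the host to pull off the network and scan, and `list_run` is the signal that separates an infected client from a one-off typo in a recipient address.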