I wonder if these are similar or the same as the bounce backs that
recently have started to come through my server. Here is the
header. The rest is a spam message.

Hi. This is the qmail-send program at laetitia.area510.net.
I tried to deliver a bounce message to this address, but the bounce bounced!

<train...@learndr.com>:
Sorry, I wasn't able to establish an SMTP connection. (#4.4.1)
I'm not going to try again; this message has been in the queue too long.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 31040 invoked for bounce); 17 Apr 2012 03:00:45 -0000
Date: 17 Apr 2012 03:00:45 -0000
From: mailer-dae...@laetitia.area510.net
To: train...@learndr.com
Subject: failure notice

Hi. This is the qmail-send program at laetitia.area510.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<c_nau-le...@yother.com>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <train...@learndr.com>
Received: (qmail 31035 invoked by uid 89); 17 Apr 2012 03:00:45 -0000
Received: by simscan 1.4.0 ppid: 31027, pid: 31029, t: 0.3880s scanners: attach: 1.4.0 clamav: 0.97.3 /m:54/d:14650 spam: 3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on laetitia.area510.net
X-Spam-Level: ***
X-Spam-Status: No, score=3.6 required=5.0 tests=BAYES_99,MISSING_MID,RDNS_NONE autolearn=no version=3.2.5
Received: from unknown (HELO ml124.learndr.com) (8.31.112.124) by laetitia.area510.net with SMTP; 17 Apr 2012 03:00:45 -0000
Received-SPF: pass (laetitia.area510.net: SPF record at learndr.com designates 8.31.112.124 as permitted sender)
Received: by ml124.learndr.com id hhjedq195e81 for <c_nau-le...@yother.com>; Mon, 16 Apr 2012 23:00:14 -0400 (envelope-from <train...@learndr.com>)
Date: Mon, 16 Apr 2012 23:00:14 -0400
X-Sender: train...@learndr.com
To: c_nau-le...@yother.com
From: train...@learndr.com <train...@learndr.com>
Subject: No More Hiring Mistakes: Interviewing the Right Way
Mime-Version: 1.0
Content-Type: text/plain;
 charset="us-ascii"

On 04/17/2012 08:30 PM, Michael J. Colvin wrote:

I guess QMT being compromised was my concern, but like I said, I've yet to get any of these, and I use the same server(s)... It is happening with two different users, or groups of users, on separate domains, but all using the same servers... I'm hoping it's malware, and will switch gears to try to confirm it's not before digging around in qmail anymore... I'll let you know.

Thanks!

Mike

-----Original Message-----
From: Eric Shubert [mailto:e...@shubes.net]
Sent: Tuesday, April 17, 2012 8:15 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: Weird Boucne Backs

I think it's safe to say that this is malware, based on the alphabetical nature of the addresses. Question is, how are the messages getting into the queue?

I suppose that your QMT could be compromised, but I have never heard of such a thing. Not outside of the realm of possibility, but given that the problem is limited to a single domain, I'd say not likely.

My guess is that the client machines are infected with malware. What's perhaps worse is that the virus appears to be active in more than one host in the domain, which means it might be able to spread across their network. This could be difficult to rid.

Does this happen on every message these clients send, or is the problem sporadic? If it's consistent (and perhaps even if it's not), you might try turning on spamdyke's detailed logging and have them submit on port 25. Then you'll see everything that's happening in the session, in detail.

I would also recommend running malwarebytes on the client machines and see what that finds. Anti-virus programs don't catch all types of malware, and I think this might be a type that their anti-virus software isn't catching.

--
-Eric 'shubes'

On 04/17/2012 07:52 PM, Michael J. Colvin wrote:

Have you identified the host which is connected to your QMT?
Is it a client directly connecting, or are they coming in via an Exchange server?

They are both... One is directly connecting to one of my Qmail servers, and the other client is coming from their Exchange server (They use us as a Smarthost). Here's the NDR from the other client:

-------------------------------------

-----Original Message-----
From: mailer-dae...@mail.norcalisp.com [mailto:mailer-dae...@mail.norcalisp.com]
Sent: Tuesday, April 17, 2012 11:01 AM
To: g...@xxxxxxxx.com
Subject: failure notice

Hi. This is the qmail-send program at mail.norcalisp.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<acamp...@yahoo.com>:
User and password not set, continuing without authentication.
<acamp...@yahoo.com> 74.6.140.64 failed after I sent the message.
Remote host said: 554 delivery error: dd This user doesn't have a yahoo.com account (acamp...@yahoo.com) [-5] - mta1114.mail.sk1.yahoo.com

<acan...@telus.net>:
User and password not set, continuing without authentication.
204.209.205.52 does not like recipient.
Remote host said: 550 5.1.1<acan...@telus.net> recipient rejected
Giving up on 204.209.205.52.

<acampbell...@yahoo.co>:
Sorry, I couldn't find any host named yahoo.co. (#5.1.2)

<acampo...@aol.com>:
User and password not set, continuing without authentication.
205.188.146.194 does not like recipient.
Remote host said: 550 5.1.1<acampo...@aol.com>: Recipient address rejected: aol.com
Giving up on 205.188.146.194.

<acanue...@dryden.net>:
User and password not set, continuing without authentication.
216.40.42.4 does not like recipient.
Remote host said: 554 5.7.1<acanue...@dryden.net>: Recipient address rejected: user acanue...@dryden.net does not exist
Giving up on 216.40.42.4.

<acampbell5...@insightbb.com>:
User and password not set, continuing without authentication.
208.47.185.21 does not like recipient.
Remote host said: 550 5.1.1 Recipient acampbell5...@insightbb.com does not exist here
Giving up on 208.47.185.21.

<acamp4...@aol.com>:
User and password not set, continuing without authentication.
205.188.190.1 does not like recipient.
Remote host said: 550 5.1.1<acamp4...@aol.com>: Recipient address rejected: aol.com
Giving up on 205.188.190.1.

<acan...@hotmail.com>:
User and password not set, continuing without authentication.
65.55.37.88 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.55.37.88.

<acand54...@aol.com>:
User and password not set, continuing without authentication.
64.12.90.66 does not like recipient.
Remote host said: 550 5.1.1<acand54...@aol.com>: Recipient address rejected: aol.com
Giving up on 64.12.90.66.

<acan...@hotmail.com>:
User and password not set, continuing without authentication.
65.55.37.72 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.55.37.72.

<acana...@cs.com>:
User and password not set, continuing without authentication.
205.188.103.1 does not like recipient.
Remote host said: 550 5.1.1<acana...@cs.com>: Recipient address rejected: cs.com
Giving up on 205.188.103.1.

<acan...@cablelan.net>:
User and password not set, continuing without authentication.
64.18.5.10 does not like recipient.
Remote host said: 550 Unrouteable address
Giving up on 64.18.5.10.

<acampb...@oanet.com>:
User and password not set, continuing without authentication.
<acampb...@oanet.com> 216.17.3.48 failed on DATA command.
Remote host said: 554 no valid recipients, bye

<acandelar...@cox.net>:
User and password not set, continuing without authentication.
68.6.19.3 does not like recipient.
Remote host said: 550 5.1.1<acandelar...@cox.net> invalid recipient - Refer to Error Codes section at http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more information.
Giving up on 68.6.19.3.
<acampb...@pdxinc.com>:
User and password not set, continuing without authentication.
63.237.119.43 does not like recipient.
Remote host said: 550 #5.1.0 Address rejected.
Giving up on 63.237.119.43.

<acamp...@aws.org>:
User and password not set, continuing without authentication.
<acamp...@aws.org> 12.176.97.142 failed after I sent the message.
Remote host said: 554 5.7.0 Reject, id=31447-18 - SPAM

<acanta...@optusnet.com.au>:
User and password not set, continuing without authentication.
211.29.133.14 does not like recipient.
Remote host said: 553 5.3.0<acanta...@optusnet.com.au>... No such user
Giving up on 211.29.133.14.

<aca...@laposte.net>:
User and password not set, continuing without authentication.
<aca...@laposte.net> 193.251.214.113 failed after I sent the message.
Remote host said: 550 5.2.0 Mail rejete. Mail rejected. LPN_506 [506]

<ac...@vt.edu>:
User and password not set, continuing without authentication.
198.82.183.88 does not like recipient.
Remote host said: 550 User unknown
Giving up on 198.82.183.88.

--- Below this line is a copy of the message.

Return-Path:<g...@xxxxxxxx.com>
Received: (qmail 19160 invoked by uid 89); 17 Apr 2012 18:00:52 -0000
Received: by simscan 1.4.0 ppid: 19156, pid: 19157, t: 0.5312s scanners: attach: 1.4.0 clamav: 0.96.3/m:53/d:12510
Received: from unknown (HELO mail.norcalisp.com) (192.168.100.32) by mail.norcalisp.com with SMTP; 17 Apr 2012 18:00:52 -0000
Received: (qmail 9243 invoked by uid 1010); 17 Apr 2012 11:00:50 -0700
Received: from 63.205.11.93 by mail.norcalisp.com (envelope-from <g...@xxxxxxxx.com>, uid 1008) with qmail-scanner-1.25-st-qms
 (clamdscan: 0.91.2/1082. spamassassin: 3.2.0. perlscan: 1.25-st-qms.
 Clear:RC:1(63.205.11.93):.
 Processed in 0.35736 secs); 17 Apr 2012 18:00:50 -0000
X-Antivirus-NorCalISP-Mail-From: g...@xxxxxxx.com via mail.norcalisp.com
X-Antivirus-NorCalISP: 1.25-st-qms (Clear:RC:1(63.205.11.93):. Processed in 0.35736 secs Process 9237)
Received: from adsl-63-205-11-93.dsl.scrm01.pacbell.net (HELO GregVAIO) (g...@xxxxxxxxxx.com@63.205.11.93) by mail.norcalisp.com with SMTP; 17 Apr 2012 11:00:50 -0700
From: "Greg XXXXXXX"<g...@xxxxxxx.com>
To:<n...@xxxxxx.com>
References:<007001cd180b$04509830$0cf1c890$@XXXXXX.com>
In-Reply-To:<007001cd180b$04509830$0cf1c890$@XXXXXXX.com>
Subject: RE: Invoice
Date: Tue, 17 Apr 2012 11:00:50 -0700
Message-ID:<006d01cd1cc4$06aef730$140ce590$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_006E_01CD1C89.5A501F30"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac0YCwNSfAH4V5C+S1i2sICAgcM9NQEuPfMQ
Content-Language: en-us

This is a multi-part message in MIME format.

------=_NextPart_000_006E_01CD1C89.5A501F30
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Nate,

Can I please get a tracking number?

Thanks.

-----------------------------------------------

As with the other client, nothing's showing in the logs for other than the intended rcpt "n...@xxxxxx.com"

Mike

---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
Please visit qmailtoaster.com for the latest news, updates, and packages.

To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
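
An added triage example, not part of the original thread or of QmailToaster: it parses a qmail-send failure notice in the layout quoted above and flags the pattern discussed here, where the failed recipients were never in the original message's To/Cc and their local parts cluster alphabetically across many domains. The function name `analyze_ndr`, the thresholds, and every address in the sample are assumptions made for illustration; To/Cc headers are assumed to be unfolded single lines.

```python
import re
from os.path import commonprefix  # character-wise common prefix of a list of strings

MARK = "--- Below this line is a copy of the message."

# Constructed sample in the qmail-send bounce layout; all addresses and
# IPs are made up (reserved documentation names and ranges).
SAMPLE_NDR = """\
Hi. This is the qmail-send program at mail.example.org.
I'm afraid I wasn't able to deliver your message to the following addresses.

<acampbell@example.com>:
192.0.2.10 does not like recipient.
Remote host said: 550 5.1.1 <acampbell@example.com> recipient rejected

<acampos@example.net>:
198.51.100.7 does not like recipient.
Remote host said: 550 User unknown

<acanada@example.org>:
Sorry, no mailbox here by that name. (#5.1.1)

<acandela@isp.example>:
203.0.113.5 does not like recipient.
Remote host said: 550 Unrouteable address

--- Below this line is a copy of the message.

Return-Path: <greg@client.example>
To: <nate@partner.example>

Nate, can I please get a tracking number?
"""

def analyze_ndr(text, min_rcpts=3, min_prefix=2):
    """Flag a bounce whose failed recipients were never in To/Cc and cluster alphabetically."""
    report, _, copy = text.partition(MARK)
    failed = [a.lower() for a in re.findall(r"^<([^<>\s]+@[^<>\s]+)>:", report, re.M)]
    headers = copy.strip().split("\n\n", 1)[0]  # header block of the returned message
    intended = {a.lower() for line in re.findall(r"^(?:To|Cc):(.*)$", headers, re.M | re.I)
                for a in re.findall(r"[\w.+-]+@[\w.-]+", line)}
    unexpected = sorted(a for a in failed if a not in intended)
    prefix = commonprefix([a.split("@")[0] for a in unexpected])
    domains = {a.split("@")[1] for a in unexpected}
    suspicious = (len(unexpected) >= min_rcpts and len(domains) >= min_rcpts
                  and len(prefix) >= min_prefix)
    return {"unexpected": unexpected, "prefix": prefix,
            "domains": len(domains), "suspicious": suspicious}

if __name__ == "__main__":
    print(analyze_ndr(SAMPLE_NDR))
```

A hit means the envelope recipients differ from the visible headers, so the next step is the SMTP session log for that submission (for instance spamdyke's detailed logging, as suggested in the thread) to see which client issued the extra RCPT commands.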