Re: Tracking down a mail forwarding loop

2015-02-12 Thread Noel Jones
On 2/12/2015 12:43 AM, LuKreme wrote:
 
 On Feb 11, 2015, at 6:20 PM, Wietse Venema wie...@porcupine.org wrote:

 LuKreme:
 Received: from thenewestsecret.net (unknown [170.130.246.215])
by mail.covisp.net (Postfix) with ESMTP id 00E42212DC0
for *bob*@covisp.net; Tue, 10 Feb 2015 08:53:22 -0700 (MST)
 Delivered-To: *bob*@covisp.net
 Received: by 170.130.246.215 with SMTP id 
 998S7h4.33K03w6s2R18O2.22351x4s23d1n26;
Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 X-Received: by 170.130.246.215 with SMTP id 134G6f10K6Z34b712c43li;
Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 Received: from thenewestsecret.net (thenewestsecret.net. )
by mx.google.com with ESMTP id 
 59333u4l19.1C4P11z.147.0.5.1.2.5.5.5.1.0.7.0.4
for *bob*@covisp.net;
Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 Mime-Version: 1.0
 Date: 
 Message-Id: 235.946781y2r0b6qn6-c...@thenewestsecret.net
 To: *bob*@covisp.net

 This message contains a Delivered-To: *bob*@covisp.net header.
 Apparently, the sender added this to trigger a delivery error.
 Apparently, the sender, c...@thenewestsecret.net, wants to receive
 a bounce message. That message would confirm that *bob*@covisp.net
 is a valid email address.
 
 Does it make sense to reject messages with a Delivered-To: header?

Yes.  Incoming mail with that header cannot be delivered by postfix,
regardless whether it's really looping or not.

Although in this particular case it might be better to reject the
spammy-looking client.

 
 Why does it generate a mail loop in my local postfix?

The presence of that header triggers the loop detection in postfix.
 The sender is adding that header either in a misguided attempt to
improve delivery, or to intentionally cause a bounce to verify the
address.

 
 Could it have anything to do with the always_bcc setting?

No.  The header is added by the sender.

 Would some other MTA deliver the message anyway, or is this simply a spam
 harvesting tactic? The messages don’t seem to generate a valid bounce to a
 valid address…


Some MTAs behave the same as postfix, e.g. qmail.  Some MTAs don't use
Delivered-To: and ignore it, e.g. Exchange.

We don't know the motive of the sender. We do know this isn't really
a loop and it looks like spam to me.




  -- Noel Jones


Re: Tracking down a mail forwarding loop

2015-02-12 Thread LuKreme
On 12 Feb 2015, at 08:25 , Noel Jones njo...@megan.vbhcs.org wrote:
 On 2/12/2015 12:43 AM, LuKreme wrote:
 
 On Feb 11, 2015, at 6:20 PM, Wietse Venema wie...@porcupine.org wrote:
 
 LuKreme:
 Received: from thenewestsecret.net (unknown [170.130.246.215])
   by mail.covisp.net (Postfix) with ESMTP id 00E42212DC0
   for *bob*@covisp.net; Tue, 10 Feb 2015 08:53:22 -0700 (MST)
 Delivered-To: *bob*@covisp.net
 Received: by 170.130.246.215 with SMTP id 
 998S7h4.33K03w6s2R18O2.22351x4s23d1n26;
   Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 X-Received: by 170.130.246.215 with SMTP id 134G6f10K6Z34b712c43li;
   Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 Received: from thenewestsecret.net (thenewestsecret.net. )
   by mx.google.com with ESMTP id 
 59333u4l19.1C4P11z.147.0.5.1.2.5.5.5.1.0.7.0.4
   for *bob*@covisp.net;
   Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 Mime-Version: 1.0
 Date: 
 Message-Id: 235.946781y2r0b6qn6-c...@thenewestsecret.net
 To: *bob*@covisp.net
 
 This message contains a Delivered-To: *bob*@covisp.net header.
 Apparently, the sender added this to trigger a delivery error.
 Apparently, the sender, c...@thenewestsecret.net, wants to receive
 a bounce message. That message would confirm that *bob*@covisp.net
 is a valid email address.
 
 Does it make sense to reject messages with a Delivered-To: header?
 
 Yes.  Incoming mail with that header cannot be delivered by postfix,
 regardless whether it's really looping or not.
 
 Although in this particular case it might be better to reject the
 spammy-looking client.

Yes, but my postscreen is already aggressive enough that I had to tone it down 
a tad to let some legitimate mail (well, mail I wanted) in.

 Why does it generate a mail loop in my local postfix?
 
 The presence of that header triggers the loop detection in postfix.
 The sender is adding that header either in a misguided attempt to
 improve delivery, or to intentionally cause a bounce to verify the
 address.

What is interesting is that I see these *only* for one specific user, which is 
what made me think it was something on my end.

 We don't know the motive of the sender. We do know this isn't really
 a loop and it looks like spam to me.

Oh, they are all spam so far.

Thanks.

-- 
'Luck is my middle name,' said Rincewind, indistinctly. 'Mind you, my
first name is Bad.' --Interesting Times



Re: Tracking down a mail forwarding loop

2015-02-11 Thread Wietse Venema
LuKreme:
 Received: from thenewestsecret.net (unknown [170.130.246.215])
 by mail.covisp.net (Postfix) with ESMTP id 00E42212DC0
 for *bob*@covisp.net; Tue, 10 Feb 2015 08:53:22 -0700 (MST)
 Delivered-To: *bob*@covisp.net
 Received: by 170.130.246.215 with SMTP id 
 998S7h4.33K03w6s2R18O2.22351x4s23d1n26;
 Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 X-Received: by 170.130.246.215 with SMTP id 134G6f10K6Z34b712c43li;
 Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 Received: from thenewestsecret.net (thenewestsecret.net. )
 by mx.google.com with ESMTP id 
 59333u4l19.1C4P11z.147.0.5.1.2.5.5.5.1.0.7.0.4
 for *bob*@covisp.net;
 Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 Mime-Version: 1.0
 Date: 
 Message-Id: 235.946781y2r0b6qn6-c...@thenewestsecret.net
 To: *bob*@covisp.net

This message contains a Delivered-To: *bob*@covisp.net header.
Apparently, the sender added this to trigger a delivery error.
Apparently, the sender, c...@thenewestsecret.net, wants to receive
a bounce message. That message would confirm that *bob*@covisp.net
is a valid email address.

Wietse


Re: Tracking down a mail forwarding loop

2015-02-11 Thread LuKreme

 On Feb 11, 2015, at 6:20 PM, Wietse Venema wie...@porcupine.org wrote:
 
 LuKreme:
 Received: from thenewestsecret.net (unknown [170.130.246.215])
by mail.covisp.net (Postfix) with ESMTP id 00E42212DC0
for *bob*@covisp.net; Tue, 10 Feb 2015 08:53:22 -0700 (MST)
 Delivered-To: *bob*@covisp.net
 Received: by 170.130.246.215 with SMTP id 
 998S7h4.33K03w6s2R18O2.22351x4s23d1n26;
Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 X-Received: by 170.130.246.215 with SMTP id 134G6f10K6Z34b712c43li;
Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 Received: from thenewestsecret.net (thenewestsecret.net. )
by mx.google.com with ESMTP id 
 59333u4l19.1C4P11z.147.0.5.1.2.5.5.5.1.0.7.0.4
for *bob*@covisp.net;
Tue, 10 Feb 2015 08:51:05 -0700 (PST)
 Mime-Version: 1.0
 Date: 
 Message-Id: 235.946781y2r0b6qn6-c...@thenewestsecret.net
 To: *bob*@covisp.net
 
 This message contains a Delivered-To: *bob*@covisp.net header.
 Apparently, the sender added this to trigger a delivery error.
 Apparently, the sender, c...@thenewestsecret.net, wants to receive
 a bounce message. That message would confirm that *bob*@covisp.net
 is a valid email address.

Does it make sense to reject messages with a Delivered-To: header?

Why does it generate a mail loop in my local postfix?

Could it have anything to do with the always_bcc setting?

$ postconf always_bcc
always_bcc = backups@*otherlocaldomain*.com

Would some other MTA deliver the message anyway, or is this simply a spam
harvesting tactic? The messages don’t seem to generate a valid bounce to a
valid address…


-- 
S is for SUSAN who perished of fits
T is for TITUS who flew into bits



Re: Tracking down a mail forwarding loop

2015-02-07 Thread LuKreme
On Feb 6, 2015, at 3:43 PM, LuKreme krem...@kreme.com wrote:
 On 06 Feb 2015, at 15:05 , Wietse Venema wie...@porcupine.org wrote:
 NORMALLY, that header is present AFTER mail is delivered to b...@covisp.net.
 
 If it is present BEFORE mail is delivered to b...@covisp.net, then you have
 a loop (or the sender has added this header to trigger an error).
 
 Ah, right. I’ve added it and am eagerly awaiting another of these emails.

As the old saying goes:

A watched pot never delivers a mail loop causing message.

-- 
'We get that in here some nights, when someone's had a few. Cosmic
speculation about whether the gods exist. Next thing, there's a bolt of
lightning through the door with a note wrapped round it saying, Yes, we
do and a pair of sandals with smoke coming out.' (Small Gods)



Re: Tracking down a mail forwarding loop

2015-02-06 Thread Wietse Venema
LuKreme:
 
  On 05 Feb 2015, at 15:53 , Wietse Venema wie...@porcupine.org wrote:
  
  LuKreme:
  On 05 Feb 2015, at 05:07 , Wietse Venema wie...@porcupine.org wrote:
  Have you considered the possibility that the mail was sent with a
  bogus Delivered-To: header (i.e. the header is present, but not
  added by Postfix).
  
  Yes, but I'm unsure how to diagnose that.
  
  header_checks:
  /^Delivered-To: bob@covisp\.net$/ hold
 
 That would hold ALL the mail for bob, right? it is only the
 occasional email that causes this loop error.

NORMALLY, that header is present AFTER mail is delivered to b...@covisp.net.

If it is present BEFORE mail is delivered to b...@covisp.net, then you have
a loop (or the sender has added this header to trigger an error).

Wietse


Re: Tracking down a mail forwarding loop

2015-02-06 Thread LuKreme
On 06 Feb 2015, at 15:05 , Wietse Venema wie...@porcupine.org wrote:
 NORMALLY, that header is present AFTER mail is delivered to b...@covisp.net.
 
 If it is present BEFORE mail is delivered to b...@covisp.net, then you have
 a loop (or the sender has added this header to trigger an error).

Ah, right. I’ve added it and am eagerly awaiting another of these emails.

-- 
C code. C code run. Run, code, run.



Re: Tracking down a mail forwarding loop

2015-02-06 Thread LuKreme
Only other thing I can think of is that this is somehow related to always_bcc?


-- 
A dyslexic walks into a bra...



Re: Tracking down a mail forwarding loop

2015-02-06 Thread Miles Fidelman

wie...@porcupine.org (Wietse Venema) wrote:

LuKreme:

On 05 Feb 2015, at 05:07 , Wietse Venema wie...@porcupine.org wrote:

Have you considered the possibility that the mail was sent with a
bogus Delivered-To: header (i.e. the header is present, but not
added by Postfix).

Yes, but I'm unsure how to diagnose that.

header_checks:
/^Delivered-To: bob@covisp\.net$/ hold


Here is a full dump of one of these files (with only the user name munged)

https://www.dropbox.com/s/mvdg1f48fo640g3/768FC212C05.txt?dl=0

We already know that the message loops because the Delivered-To: header
is present.

Here are the first few headers of the message before delivery:

Return-Path: ros...@approvednowauto.com
Received: from approvednowauto.com (unknown [170.130.246.204])
 by mail.covisp.net (Postfix) with ESMTP id D3F1A212C03
 for b...@covisp.net; Thu,  5 Feb 2015 14:58:19 -0700 (MST)
Delivered-To: b...@covisp.net

I suggest that you have a look at the other ones. If none of the
other Received: headers belongs to your systems, then they added
Delivered-To: b...@covisp.net before sending the message to your
systems.

Wietse


I also noticed a List_Unsubscribe header buried in there - might want to 
look at whatever is doing list expansion.


Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra



Re: Tracking down a mail forwarding loop

2015-02-05 Thread Wietse Venema
LuKreme:
 On 05 Feb 2015, at 05:07 , Wietse Venema wie...@porcupine.org wrote:
  Have you considered the possibility that the mail was sent with a
  bogus Delivered-To: header (i.e. the header is present, but not
  added by Postfix).
 
 Yes, but I'm unsure how to diagnose that.

header_checks:
/^Delivered-To: bob@covisp\.net$/ hold

 Here is a full dump of one of these files (with only the user name munged)
 
 https://www.dropbox.com/s/mvdg1f48fo640g3/768FC212C05.txt?dl=0

We already know that the message loops because the Delivered-To: header
is present.

Here are the first few headers of the message before delivery:

Return-Path: ros...@approvednowauto.com
Received: from approvednowauto.com (unknown [170.130.246.204])
by mail.covisp.net (Postfix) with ESMTP id D3F1A212C03
for b...@covisp.net; Thu,  5 Feb 2015 14:58:19 -0700 (MST)
Delivered-To: b...@covisp.net

I suggest that you have a look at the other ones. If none of the
other Received: headers belongs to your systems, then they added
Delivered-To: b...@covisp.net before sending the message to your
systems.

Wietse
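
The check Wietse describes above (does any Received: header from your own systems sit below the Delivered-To: header?), as an added example that is not part of the original thread. The function name, the own-host set and both sample messages are assumptions constructed from the headers quoted in the thread.

```python
import email
import re

# The "by <host>" clause of a Received: header names the server that added it.
BY_HOST = re.compile(r"\bby\s+([^\s;()]+)", re.IGNORECASE)

def sender_added_delivered_to(raw_message, own_hosts):
    """Return Delivered-To: values with no own-system Received: header below.

    Headers are prepended in transit, so lines further down are older. A
    Delivered-To: that has no Received: "by" one of own_hosts beneath it was
    already in the message when it arrived.
    """
    own = {h.lower().rstrip(".") for h in own_hosts}
    headers = email.message_from_string(raw_message).items()
    flagged = []
    for i, (name, value) in enumerate(headers):
        if name.lower() != "delivered-to":
            continue
        older_own_hop = False
        for older_name, older_value in headers[i + 1:]:
            match = BY_HOST.search(older_value)
            if (older_name.lower() == "received" and match
                    and match.group(1).lower().rstrip(".") in own):
                older_own_hop = True
                break
        if not older_own_hop:
            flagged.append(value.strip())
    return flagged

# Constructed sample modelled on the headers quoted in the thread:
# Delivered-To: sits below the only Received: line added by mail.covisp.net.
SENDER_ADDED = """\
Received: from thenewestsecret.net (unknown [170.130.246.215])
\tby mail.covisp.net (Postfix) with ESMTP id 00E42212DC0
\tfor <bob@covisp.net>; Tue, 10 Feb 2015 08:53:22 -0700 (MST)
Delivered-To: bob@covisp.net
Received: by 170.130.246.215 with SMTP id CONSTRUCTED1;
\tTue, 10 Feb 2015 08:51:05 -0700 (PST)
To: bob@covisp.net

body
"""

# Constructed counter-example: Delivered-To: was prepended after our own hop.
LOCALLY_ADDED = """\
Delivered-To: bob@covisp.net
Received: from mx.example.invalid (mx.example.invalid [192.0.2.10])
\tby mail.covisp.net (Postfix) with ESMTP id CONSTRUCTED2
\tfor <bob@covisp.net>; Tue, 10 Feb 2015 09:00:00 -0700 (MST)
To: bob@covisp.net

body
"""

if __name__ == "__main__":
    print(sender_added_delivered_to(SENDER_ADDED, {"mail.covisp.net"}))
    print(sender_added_delivered_to(LOCALLY_ADDED, {"mail.covisp.net"}))
```

Everything below your own server's Received: line is supplied by the sending side, so use the result as a triage hint next to the client address your server logged.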


Re: Tracking down a mail forwarding loop

2015-02-05 Thread LuKreme
On 05 Feb 2015, at 05:07 , Wietse Venema wie...@porcupine.org wrote:
 Have you considered the possibility that the mail was sent with a
 bogus Delivered-To: header (i.e. the header is present, but not
 added by Postfix).

Yes, but I’m unsure how to diagnose that.

Here is a full dump of one of these files (with only the user name munged)

https://www.dropbox.com/s/mvdg1f48fo640g3/768FC212C05.txt?dl=0

-- 
Thank you for sending me a copy of your book; I'll waste no time
reading it. - Moses Hadas



Re: Tracking down a mail forwarding loop

2015-02-05 Thread Wietse Venema
LuKreme:
 
  On Feb 4, 2015, at 9:20 AM, Miles Fidelman mfidel...@meetinghouse.net 
  wrote:
  
  LuKreme wrote:
  I have a local user who is generating occasional mail forwarding loop 
  errors, which are causing forged emails to cause NDNs and fill up mailq.
  
  Jan 30 13:46:08 mail postfix/local[44147]: 7020950D4D4: 
  to=*bob*@covisp.net, relay=local, delay=0.65, delays=0.59/0/0/0.06, 
  dsn=5.4.6, status=bounced (mail forwarding loop for *bob*@covisp.net)
...
 Delivered-To: b...@covisp.net

Have you considered the possibility that the mail was sent with a
bogus Delivered-To: header (i.e. the header is present, but not
added by Postfix).

Wietse


Re: Tracking down a mail forwarding loop

2015-02-04 Thread Miles Fidelman

LuKreme wrote:

I have a local user who is generating occasional mail forwarding loop errors, 
which are causing forged emails to cause NDNs and fill up mailq.

Jan 30 13:46:08 mail postfix/local[44147]: 7020950D4D4: to=*bob*@covisp.net, 
relay=local, delay=0.65, delays=0.59/0/0/0.06, dsn=5.4.6, status=bounced (mail 
forwarding loop for *bob*@covisp.net)

The only place that “*bob*” is mentioned in virtual is in a line like this:

bill...@covisp.net  bob,fred,george

Where bob, fred, and george are all local users.

bob doesn’t have a .forward, and I looked at his .procmailrc and it’s not 
forwarding mail anywhere.

Where else do I look?

postmap -q b...@covisp.net /etc/postfix/virtual doesn’t return any results.



I'd start with the headers in a message that's looped - that might help 
track things down.


Miles Fidelman


Tracking down a mail forwarding loop

2015-02-04 Thread LuKreme
I have a local user who is generating occasional mail forwarding loop errors, 
which are causing forged emails to cause NDNs and fill up mailq.

Jan 30 13:46:08 mail postfix/local[44147]: 7020950D4D4: to=*bob*@covisp.net, 
relay=local, delay=0.65, delays=0.59/0/0/0.06, dsn=5.4.6, status=bounced (mail 
forwarding loop for *bob*@covisp.net)

The only place that “*bob*” is mentioned in virtual is in a line like this:

bill...@covisp.net  bob,fred,george

Where bob, fred, and george are all local users.

bob doesn’t have a .forward, and I looked at his .procmailrc and it’s not 
forwarding mail anywhere.

Where else do I look?

postmap -q b...@covisp.net /etc/postfix/virtual doesn’t return any results.

-- 
Behind every great man there's a woman with a vibrator -- Hawkeye Pierce



Re: Tracking down a mail forwarding loop

2015-02-04 Thread Wietse Venema
LuKreme:
 I have a local user who is generating occasional mail forwarding loop errors, 
 which are causing forged emails to cause NDNs and fill up mailq.
 
 Jan 30 13:46:08 mail postfix/local[44147]: 7020950D4D4: 
 to=*bob*@covisp.net, relay=local, delay=0.65, delays=0.59/0/0/0.06, 
 dsn=5.4.6, status=bounced (mail forwarding loop for *bob*@covisp.net)
 
 The only place that “*bob*” is mentioned in virtual is in a line like this:
 
 bill...@covisp.net  bob,fred,george
 
 Where bob, fred, and george are all local users.
 
 bob doesn’t have a .forward, and I looked at his .procmailrc and it’s not 
 forwarding mail anywhere.
 
 Where else do I look?

Other opportunities for forwarding, such as postconf mailbox_command?

Wietse


Re: Tracking down a mail forwarding loop

2015-02-04 Thread LuKreme
On 04 Feb 2015, at 07:38 , Wietse Venema wie...@porcupine.org wrote:
 
 LuKreme:
 I have a local user who is generating occasional mail forwarding loop 
 errors, which are causing forged emails to cause NDNs and fill up mailq.
 
 Jan 30 13:46:08 mail postfix/local[44147]: 7020950D4D4: 
 to=*bob*@covisp.net, relay=local, delay=0.65, delays=0.59/0/0/0.06, 
 dsn=5.4.6, status=bounced (mail forwarding loop for *bob*@covisp.net)
 
 The only place that “*bob*” is mentioned in virtual is in a line like this:
 
 bill...@covisp.net  bob,fred,george
 
 Where bob, fred, and george are all local users.
 
 bob doesn’t have a .forward, and I looked at his .procmailrc and it’s not 
 forwarding mail anywhere.
 
 Where else do I look?
 
 Other opportunities for forwarding, such as postconf mailbox_command?

Yeah, that’s why I checked procmailrc.

I do see that the modification date on the procmailrc is quite recent. Maybe he 
munged something and got it fixed. I’ll keep watching.


-- 
Growing up leads to growing old, and then to dying/And dying to me don't
sound like all that much fun.