Subject: Re: [courier-users] Weird messages received
From: Leigh S. Jones, KR6X (kr@kr6x.com)
Date: Oct 19, 2007 6:01:43 am
List: net.sourceforge.lists.courier-users

I've been receiving these kinds of messages myself. And, in fairly large numbers. In my case, when I trace it back to the source, I discover that someone is using an invalid user name from my domain as the envelope sender address when sending spam. A non-delivery message then bounces back to the invalid user name from the server of the intended spam recipient. This non-delivery message is attached to the "weird" message, and clearly identifies the IP address of the botnet system that sent the original spam.

There really is some mechanism here that I would like to have the power to change. These "weird" messages clearly occur as reports of non-delivery being sent to "postmaster". For me, the postmaster, the quantity of non-delivery messages overwhelms me to the point that I ignore real non-delivery messages that I would like to be alert to.

Just as clear is the fact that these messages are originating inside of Courier. My own Courier software is the current "stable" Debian binary version of Courier 0.53.3 retrieved by apt-get, and non-delivery messages to postmaster are enabled. Just why Courier believes that these particular kinds of non-delivery messages should be originated remains a mystery to me...

----- Original Message -----
From: "Gordan Bobic" <gor@bobich.net>
To: <cour@lists.sourceforge.net>
Sent: Friday, October 19, 2007 12:57 AM
Subject: Re: [courier-users] Weird messages received

On Fri, 19 Oct 2007, M Core wrote:

> Sometimes I receive an email to my admin account stating that the email I sent to an inva@mydomain.com was not sent. The message has an attachment and when you open them down eventually you find a spam email that is FROM the invalid_user@mydomain to a vali@mydomain.com
>
> How is this happening? What do I look at?
>
> From an external account I telnetted in and sent a message from the inva@mydomain.com to vali@mydomain.com. And it worked... so I thought it is an open relay. But when I try any of the websites etc. to check for this none of them can find an open relay on my mail server.

It's not an open relay. It accepts email for vali@mydomain.com. That's where the bounce went to, because somebody forged the envelope from header to your valid account.

But now that you mentioned it - is there a way to make Courier make an additional check?

e.g. it receives a message:
From: inva@mydomain.com
To: val@maydomain.com

Normally, this is not too plausible to check if from is for a non-locally hosted domain, but if from is from a locally hosted domain, can we make Courier check if from is deliverable, and if not, reject with "unknown sender" or some such?

On a separate note, is it possible to get Courier to do return path verification? i.e. for the from address, look up mx, connect, and do: HELO, MAIL FROM, RCPT TO, QUIT, just to see if the FROM address is deliverable?

Gordan
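
The pattern described in this message (a bounce whose attached original claims a sender in the local domain that does not exist, with the sending host recorded in the attached headers) can be recognised mechanically. The Python below is an added example, not part of the thread and not Courier code; `analyze_bounce`, the domain `example.org`, the set of valid mailboxes and the abbreviated sample bounce are all assumptions constructed for illustration, and only bounces that attach the original as `message/rfc822` are handled.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed, abbreviated bounce: spam forged as nosuchuser@example.org.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.remote.example
To: postmaster@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; victim@remote.example
Action: failed
Status: 5.1.1

--b1
Content-Type: message/rfc822

Return-Path: <nosuchuser@example.org>
Received: from dsl-host.example.net (unknown [203.0.113.45])
 by mx.remote.example with SMTP; Fri, 19 Oct 2007 05:00:00 +0000
From: nosuchuser@example.org
To: victim@remote.example
Subject: cheap pills

spam body
--b1--
"""


def analyze_bounce(raw, local_domain, valid_users):
    """Return (forged_sender, origin_ip) for backscatter, else None."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        original = part.get_payload(0)  # the returned (attached) message
        sender = parseaddr(original.get("Return-Path") or original.get("From", ""))[1]
        user, _, domain = sender.rpartition("@")
        if domain.lower() != local_domain or user.lower() in valid_users:
            return None  # not our domain, or a mailbox that really exists
        # Assumption: the topmost Received header was added by the bouncing server.
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(original.get("Received", "")))
        return sender, (m.group(1) if m else None)
    return None
```

A result of `None` means the message is either not a bounce with an attached original or is a bounce for a mailbox that exists, so it still deserves the postmaster's attention.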