Delivery Failure For Email I Did Not Send

Delivery Failure For Email I Did Not Send

Carlwill
I received the following email today in my inbox <[hidden email]>:

X-Original-To: [hidden email]
Delivered-To: [hidden email]
X-Virus-Scanned: amavisd-new at example.org
Date: Fri, 23 May 2008 08:52:39 +0100
TO: [hidden email]
FROM: [hidden email]
SUBJECT: RE:   
X-Proofpoint-Sentinel: stfsU2FsdGVkX18wEdC54Xf4nT0Rd1BB8cQ5+62SCi3tgSU5fgRsUsE8c2WS
 g4KFBmVB3/MKdiqnZQoNQ8DO6gJMRD0jRaQT599NE/Gq8pXn17LAoVqadSvn5f67O5qxOcnz

Your mail to  [hidden email]  has not been delivered.
Please readdress the message to the intended recipient @camden-corporate.com



I know for a fact that I "<[hidden email]>" did not send any email and don't understand why I received this bounce back from this domain. Is my Postfix email server being used to relay email as myself w/o my knowledge?

I checked my logs in /var/log/maillog for anything to that domain and found:

[root@mail ~]# cat /var/log/maillog | grep "inchcape.com"
May 23 03:52:50 mail postfix/smtpd[29053]: connect from relay2.inchcape.com[213.174.203.8]
May 23 03:52:50 mail postfix/smtpd[29053]: setting up TLS connection from relay2.inchcape.com[213.174.203.8]
May 23 03:52:51 mail postfix/smtpd[29053]: TLS connection established from relay2.inchcape.com[213.174.203.8]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 23 03:53:42 mail postfix/smtpd[29053]: 2EB4915C03B: client=relay2.inchcape.com[213.174.203.8]
May 23 03:53:42 mail postfix/qmgr[14828]: 2EB4915C03B: from=<[hidden email]>, size=1215, nrcpt=1 (queue active)
May 23 03:53:42 mail postfix/smtpd[29053]: disconnect from relay2.inchcape.com[213.174.203.8]
May 23 03:53:42 mail postfix/qmgr[14828]: B4AD015C048: from=<[hidden email]>, size=1670, nrcpt=1 (queue active)
May 23 03:53:42 mail amavis[20084]: (20084-09) Passed CLEAN, [213.174.203.8] [213.174.203.8] <[hidden email]> -> <[hidden email]>, Message-ID: <mailbox-23708-1211529159-362364@relay2>, mail_id: tO-UQpUw1cRI, Hits: -, size: 1215, queued_as: B4AD015C048, 146 ms

Should I be concerned? I don't understand this and am worried my email server is being used w/o my knowledge to do bad things.

I will also include my postconf:

[root@mail ~]# postconf -n
address_verify_sender = <>
alias_database = hash:/etc/postfix/aliases,         hash:/etc/mailman/aliases
alias_maps = hash:/etc/postfix/aliases,         hash:/etc/mailman/aliases
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
command_time_limit = 1400
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
default_destination_recipient_limit = 100
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mailbox_size_limit = 40000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
max_idle = 175
maximal_backoff_time = 2000s
message_size_limit = 10240000
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
mydomain = example.org
myhostname = mail.example.org
mynetworks = $config_directory/mynetworks
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
proxy_interfaces = 127.0.0.1
qmgr_message_active_limit = 20000
queue_directory = /var/spool/postfix
queue_run_delay = 500s
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
relay_domains = example.net, example.com
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP     debugger_command =    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin    xxgdb $daemon_directory/$process_name $process_id & sleep 5
smtpd_client_restrictions = permit_mynetworks,    permit_sasl_authenticated,    reject_unauth_pipelining,    reject_unknown_sender_domain,        reject_non_fqdn_sender,    reject_rbl_client zen.spamhaus.org,        reject_rbl_client bl.spamcop.net,        reject_rbl_client safe.dnsbl.sorbs.net,        reject_rbl_client list.dsbl.org
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_error_sleep_time = 0
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,    permit_sasl_authenticated,     reject_invalid_hostname,     reject_non_fqdn_hostname,     check_helo_access,    regexp:/etc/postfix/helo.regexp
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks,     permit_sasl_authenticated,        check_sender_access hash:/etc/postfix/access,     check_sender_access  hash:/etc/postfix/sender_restrictions,        check_sender_access  hash:/etc/postfix/siteoverride,     reject_non_fqdn_sender,        reject_unknown_sender_domain,         permit
smtpd_soft_error_limit = 4
smtpd_timeout = 60s
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/httpd/conf/ssl.crt/mail.example.org.crt
smtpd_tls_key_file = /etc/httpd/conf/ssl.key/mail.example.org.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 501
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550



Re: Delivery Failure For Email I Did Not Send

mouss-2
Carlos Williams wrote:

> I received the following email today in my inbox <[hidden email]>:
>
> X-Original-To: [hidden email]
> Delivered-To: [hidden email]
> X-Virus-Scanned: amavisd-new at example.org
> Date: Fri, 23 May 2008 08:52:39 +0100
> TO: [hidden email]
> FROM: [hidden email]
> SUBJECT: RE:
> X-Proofpoint-Sentinel:
> stfsU2FsdGVkX18wEdC54Xf4nT0Rd1BB8cQ5+62SCi3tgSU5fgRsUsE8c2WS
>  g4KFBmVB3/MKdiqnZQoNQ8DO6gJMRD0jRaQT599NE/Gq8pXn17LAoVqadSvn5f67O5qxOcnz
>
> Your mail to  [hidden email]  has not been delivered.
> Please readdress the message to the intended recipient @camden-corporate.com
>
>
> I know for a fact that I "<[hidden email]>" did not send any email
> and don't understand why I received this bounce back from this domain. Is my
> Postfix email server being used to relay email as myself w/o my knowledge?
>
>  

That's backscatter. The problem is at inchcape.com.

> [snip]
>
>  

Re: Delivery Failure For Email I Did Not Send

Carlwill
On Fri, May 23, 2008 at 11:19 AM, mouss <[hidden email]> wrote:

> That's backscatter. The problem is at inchcape.com.
>
> [snip]

Just wondering how you came to that conclusion, so I can educate myself next time on this issue. I have not dealt with backscatter before but would like to know how to identify it in my logs for future reference.

Thanks for your help!
Re: Delivery Failure For Email I Did Not Send

mouss-2
Carlos Williams wrote:

> On Fri, May 23, 2008 at 11:19 AM, mouss <[hidden email]> wrote:
>
>> That's backscatter. The problem is at inchcape.com.
>>
>> [snip]
>
> Just wondering how you came to that conclusion so I can educate myself next
> time on this issue? I have not dealt with backscatter before but would like
> to know how to ID it in my logs for future reference.


When you get a "no such user" bounce, the probability that this is
backscatter is very high. Correctly configured systems reject invalid
recipients at SMTP time.

If the message is a "legitimate" bounce, it should contain the "original
headers", which should show headers that were created on your site. If
the bounce does not contain such headers, then the remote site is not
making enough effort to be part of the email game...


A few other points:

- The fact that the "original" recipient ([hidden email])
has the same user part is common in forged-sender junk.

- The bouncing system is relay2.inchcape.com. This is the third MX of
the inchcape.com domain. It would mean that when they received the
supposed original mail, their first two MXes were unreachable. That's
suspicious.
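
The checks mouss lists above, and the log question Carlos asked at the start of the thread, can be turned into a small triage script. The following is an added example written for this page, not code from the thread or from Postfix. It assumes `mail.example.org` as the local hostname (taken from the posted `myhostname`); the addresses, the two bounce messages and the maillog lines are constructed stand-ins for the hidden ones, and the regexes assume the standard Postfix `smtpd`/`smtp`/`qmgr` log line layout. It shows three things a practitioner wants from the log and the message: whether the remote domain only ever handed mail TO us (an `smtpd ... client=` line) and we never delivered anything there (no `smtp ... to=... relay=...` line), whether the bounce embeds the original headers with a `Received:` line naming our host, and whether the supposed original recipient merely reuses our local part.

```python
"""Backscatter triage for a Postfix site: the three indicators from the
thread applied to a bounce plus /var/log/maillog.  All sample data below is
constructed for this example; it is not the poster's real mail or log."""
import re
from email import message_from_string

OUR_HOST = "mail.example.org"   # poster's myhostname (assumed for the example)
OUR_ADDR = "alice@example.org"  # constructed stand-in for the hidden address

# Constructed stand-in for the bounce quoted in the thread: plain text, no
# copy of any "original" message, and a recipient sharing our local part.
BACKSCATTER = """\
Received: from relay2.inchcape.com (relay2.inchcape.com [213.174.203.8])
 by mail.example.org (Postfix) with ESMTP id 2EB4915C03B
 for <alice@example.org>; Fri, 23 May 2008 03:53:42 -0400
From: postmaster@camden-corporate.com
To: alice@example.org
Subject: RE:
Content-Type: text/plain

Your mail to alice@camden-corporate.com has not been delivered.
Please readdress the message to the intended recipient @camden-corporate.com
"""

# Constructed contrast: a DSN in the RFC 3464 shape, which carries the
# original headers (text/rfc822-headers) proving the mail left our host.
LEGIT_DSN = """\
From: MAILER-DAEMON@mx.example.net
To: alice@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

The mail system could not deliver your message to bob@example.net.
--B
Content-Type: text/rfc822-headers

Received: from mail.example.org (mail.example.org [192.0.2.25])
 by mx.example.net (Postfix) with ESMTPS id ABC123
 for <bob@example.net>; Fri, 23 May 2008 08:00:00 +0100
From: alice@example.org
To: bob@example.net
Subject: hello
--B--
"""

# Constructed log lines modelled on the posted excerpt (smtpd = accepted by
# us), plus one genuine outbound delivery (smtp = sent by us) for contrast.
MAILLOG = """\
May 23 03:53:42 mail postfix/smtpd[29053]: 2EB4915C03B: client=relay2.inchcape.com[213.174.203.8]
May 23 03:53:42 mail postfix/qmgr[14828]: 2EB4915C03B: from=<>, size=1215, nrcpt=1 (queue active)
May 23 09:10:11 mail postfix/smtp[30001]: 7C1F215C050: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

INBOUND = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=([^\[\s]+)\[")
OUTBOUND = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): to=<([^>]*)>, relay=([^\[\s,]+)")
BOUNCED_TO = re.compile(r"mail to\s+<?([^\s<>]+@[^\s<>]+)>?\s+has not been delivered", re.I)


def _in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def log_direction(log_text, domain):
    """(inbound, outbound): queue IDs our smtpd accepted FROM `domain` and
    queue IDs our smtp client delivered TO `domain`."""
    inbound, outbound = set(), set()
    for line in log_text.splitlines():
        m = INBOUND.search(line)
        if m and _in_domain(m.group(2), domain):
            inbound.add(m.group(1))
        m = OUTBOUND.search(line)
        if m and (_in_domain(m.group(3), domain) or m.group(2).lower().endswith("@" + domain)):
            outbound.add(m.group(1))
    return inbound, outbound


def original_headers_present(bounce_text, our_host):
    """True if the bounce embeds the original message (message/rfc822 or
    text/rfc822-headers) whose Received: chain names our host."""
    for part in message_from_string(bounce_text).walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            inner = part.get_payload()[0]
        elif ctype == "text/rfc822-headers":
            inner = message_from_string(part.get_payload())
        else:
            continue
        if any(our_host in received for received in inner.get_all("Received", [])):
            return True
    return False


def triage(bounce_text, log_text, our_host, our_addr, remote_domain):
    """Backscatter indicators; an empty list means the bounce looks like a
    real DSN for mail we actually sent."""
    findings = []
    msg = message_from_string(bounce_text)
    if not original_headers_present(bounce_text, our_host):
        findings.append("bounce carries no original headers from " + our_host)
    body = b"" if msg.is_multipart() else msg.get_payload(decode=True)
    m = BOUNCED_TO.search(body.decode("utf-8", "replace"))
    if m and m.group(1).split("@")[0].lower() == our_addr.split("@")[0].lower():
        findings.append("'original' recipient reuses our local part: " + m.group(1))
    inbound, outbound = log_direction(log_text, remote_domain)
    if inbound and not outbound:
        findings.append(f"{remote_domain} only delivered TO us {sorted(inbound)}; we never sent there")
    return findings


if __name__ == "__main__":
    for finding in triage(BACKSCATTER, MAILLOG, OUR_HOST, OUR_ADDR, "inchcape.com"):
        print("backscatter indicator:", finding)
```

Run against the constructed data, the first bounce trips all three indicators and the second trips none. The log check is the one worth keeping around: a message your own server sent always leaves a `postfix/smtp[...]: QUEUEID: to=<...>, relay=...` line, so a bounce for a message with no such line, arriving via `postfix/smtpd` from the "bouncing" site, was never yours.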