LSTOWN-L Archives

LISTSERV List Owners' Forum

Michael McNeil <[log in to unmask]>
Mon, 25 Mar 2002 17:09:52 -0800
text/plain (87 lines)
Tom,

It appears that someone set up a slew of subscriptions before configuring their mail system.  I can't see any MX record for <dougsmith.net>, and the main webpage points to <dougweb.com>, which does have a mail system.

IINET.NET.AU is using qmail.  That's a mailer often used by web hosts to provide mail services to their web clients, e.g., web host <mail.iinet.net.au> provides <dougsmith.net> with a mail system, creating <[log in to unmask]>, <[log in to unmask]> ... <[log in to unmask]>, etc.  Technically, a sub-mail system is created for the client, so that <[log in to unmask]> points to <[log in to unmask]>.  The bounce below is from the web host company <mail.iinet.net.au> reporting on non-existent addresses on <dougsmith.net>.  Normally, you'd not see a bounce, as <dougsmith.net> would not have its own mailer daemon, but in this case the spam filter for <iinet.net.au> was tripped.

Often, qmail systems have no mailer daemon; thus they would not bounce mail sent to non-existent users, nor would the mail system refuse any authorization requests from other SMTP servers.  This makes the domains utilizing such mailers candidates for spoofing.  It looks as though someone was attempting to set up your list for some major spam.

Then again, someone may be using your list in an attempt to mount a DoS attack on <iinet.net.au> et al. by flooding their qmail clients with output from [log in to unmask] (especially if they mail-bomb your list, multiplying their efforts).

I have a domain on such a system, and mail sent to any made-up user will simply be routed to the postmaster@domain, but not result in a bounce.  Also, anyone can spoof a made-up userid *provided* it represents either a forwarded or non-existent userid, and not a POP account.

Either DELETE the suspect addresses, or if you want to see when they spring into action, set them to NOMAIL and REVIEW.  Then you'll be able to capture any posts sent and determine their point of origin, and exclude them using a mask of their IP number:

        Filter= *@[###.###.###.*]
or
        Filter= *@[###.###.###.]

BTW, you might notify Doug Smith at <[log in to unmask]> that <dougsmith.net> is being used by a spammer.

Domain Name: DOUGSMITH.NET
Registrant:
Douglas Smith (DOUGSMITH4-DOM)
   2142 Janice Drive
   Pleasant Hill, CA 94523-3417
Administrative Contact, Billing Contact:
   Douglas, Smith  (SD11915)  [log in to unmask]
   Douglas Smith
   2142 Janice Drive
   Pleasant Hill, CA 94523-3417
   925-671-4863

Just my thoughts.

Michael


At 08:46 AM 3/21/02 -0500, Tom Rawson wrote:
>Can someone decipher why we might be getting a bounce like this?  We've received several in the last few days.
>
>We do have one list member at iinet.net.au but I can't figure out why we get so many addresses back in the bounce,
>none of them hers.  Most in this example appear to be attempted spam delivery addresses at other domains, which
>seem to exist but which do not appear on our list.
>
>================================================================
>
>The enclosed message has been identified as a delivery error for the
>GUATEMALA-ADOPT list because it was sent to
>[log in to unmask]
>
>------------------------------ Message in error -------------------------------
>Received: from mail.iinet.net.au (203.59.3.37) by maelstrom.stjohns.edu (LSMTP
>          for OpenVMS v1.1a) with SMTP id <[log in to unmask]>;
>          Thu, 21 Mar 2002 8:24:46 -0500
>Received: (qmail 13510 invoked for bounce); 21 Mar 2002 13:24:18 -0000
>Date: 21 Mar 2002 13:24:18 -0000
>From: [log in to unmask]
>To: [log in to unmask]
>Subject: failure notice
>
>Hi. This is the qmail-send program at mail.iinet.net.au.
>I'm afraid I wasn't able to deliver your message to the following addresses.
>This is a permanent error; I've given up. Sorry it didn't work out.
>
><[log in to unmask]>:
>63.211.86.9 does not like recipient.
>Remote host said: 550 5.1.1 <[log in to unmask]>... User unknown
>Giving up on 63.211.86.9.
>
><[log in to unmask]>:
>209.228.4.171 failed after I sent the message.
>Remote host said: 554 Your message has been returned by our UCE/spam filter. (#5.7.1)
>
><[log in to unmask]>:
>213.171.192.176 does not like recipient.
>Remote host said: 551 Bad Recipient
>Giving up on 213.171.192.176.
>
><[log in to unmask]>:
>
><[log in to unmask]>:
>
><[log in to unmask]>:
>
><[log in to unmask]>:
>
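The qmail failure notice quoted above, parsed as an added example (this is not code from the thread or from either poster). It pulls the injecting host out of the topmost Received: header, walks the per-recipient blocks, records which remote host said what, and separates "user unknown" rejections from the spam-filter rejection and from the recipients qmail listed with no diagnostic at all; the last function lists the failed addresses that are not at the bouncing host's own domain, which is the observation Tom makes about the real bounce. SAMPLE_BOUNCE is constructed to mirror the quoted bounce: the example.* addresses and the SMTP id are made up, while the hostnames and IPs are those visible in the thread.

```python
# Added example (not code from the LSTOWN-L thread): parse a qmail "failure
# notice". SAMPLE_BOUNCE is constructed; example.* addresses are made up.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_BOUNCE = """\
Received: from mail.iinet.net.au (203.59.3.37) by maelstrom.stjohns.edu (LSMTP
          for OpenVMS v1.1a) with SMTP id <constructed-id@maelstrom.stjohns.edu>;
          Thu, 21 Mar 2002 8:24:46 -0500
From: MAILER-DAEMON@mail.iinet.net.au
Subject: failure notice

Hi. This is the qmail-send program at mail.iinet.net.au.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<user1@example.com>:
63.211.86.9 does not like recipient.
Remote host said: 550 5.1.1 <user1@example.com>... User unknown

<user2@example.org>:
209.228.4.171 failed after I sent the message.
Remote host said: 554 Your message has been returned by our UCE/spam filter. (#5.7.1)

<user3@example.net>:
213.171.192.176 does not like recipient.
Remote host said: 551 Bad Recipient

<user4@example.net>:
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
RECEIVED_FROM_RE = re.compile(r"^Received: from (\S+) \(" + IPV4 + r"\)")
QMAIL_HOST_RE = re.compile(r"This is the qmail-send program at (\S+)\.")
RECIPIENT_RE = re.compile(r"^<([^>]+)>:\s*$")
REMOTE_IP_RE = re.compile("^" + IPV4 + r" (?:does not like recipient|failed after I sent)")
SAID_RE = re.compile(r"^Remote host said: (\d{3}) ?(.*)$")


@dataclass
class Failure:
    address: str
    remote_ip: Optional[str] = None  # the host qmail was talking to when it failed
    smtp_code: Optional[int] = None  # reply code quoted after "Remote host said:"
    reason: str = ""


def injecting_host(headers: List[str]) -> Optional[Tuple[str, str]]:
    """(name, ip) from the topmost Received: header: who handed us the bounce."""
    for line in headers:
        m = RECEIVED_FROM_RE.match(line)
        if m:
            return m.group(1), m.group(2)
    return None


def parse_failures(body: List[str]) -> List[Failure]:
    """Walk the per-recipient blocks; a block may carry no diagnostic at all."""
    failures: List[Failure] = []
    for line in body:
        if m := RECIPIENT_RE.match(line):
            failures.append(Failure(m.group(1)))
        elif failures and (m := REMOTE_IP_RE.match(line)):
            failures[-1].remote_ip = m.group(1)
        elif failures and (m := SAID_RE.match(line)):
            failures[-1].smtp_code, failures[-1].reason = int(m.group(1)), m.group(2)
    return failures


def classify(f: Failure) -> str:
    """Unknown users vs. a spam-filter rejection vs. no quoted reply at all."""
    if f.smtp_code is None:
        return "no-diagnostic"
    text = f.reason.lower()
    if "spam" in text or "uce" in text or "5.7.1" in text:
        return "spam-filter"
    if f.smtp_code in (550, 551) and ("unknown" in text or "recipient" in text):
        return "unknown-user"
    return "other-permanent"


def relayed_elsewhere(failures: List[Failure], bounce_domain: str) -> List[str]:
    """Recipients outside the bouncing host's domain: that host was forwarding
    or expanding the list post to them; they need not be list subscribers."""
    pat = re.compile(r"@(.*\.)?" + re.escape(bounce_domain.lower()) + "$")
    return [f.address for f in failures if not pat.search(f.address.lower())]


def summarize(msg: str) -> Dict[str, object]:
    head, _, body_text = msg.partition("\n\n")
    failures = parse_failures(body_text.splitlines())
    counts: Dict[str, int] = {}
    for f in failures:
        k = classify(f)
        counts[k] = counts.get(k, 0) + 1
    host = QMAIL_HOST_RE.search(body_text)
    return {"injecting_host": injecting_host(head.splitlines()),
            "qmail_host": host.group(1) if host else None,
            "failures": failures, "counts": counts}
```

Run summarize(SAMPLE_BOUNCE) and the counts show two unknown-user rejections, one spam-filter rejection and one recipient with no diagnostic; relayed_elsewhere(..., "iinet.net.au") returns every failed address, because none of them is at the domain that generated the bounce. The spam-filter bucket is the one worth watching: a 554 from a third party on mail your list relayed is the backscatter a list owner would otherwise mistake for a bad subscriber.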
