
Thread: Undelivered Mail Returned to Sender Spam

  1. #1
    fizi is offline Senior Member

    Undelivered Mail Returned to Sender Spam

    Over the last few months I've been receiving a lot of Undelivered Mail Returned to Sender spam. Messages that appear to be destined for users that do not exist on my mail system that are then bounced to my admin@myhost.com account.

    I've made tweaks to the MTA in hopes of eliminating the problem and it does partially work once the spammer gets put on the zen.spamhaus.org list. I'm hoping there is a better solution than having to wait for the IP to get blocked.

    These are my MTA settings:

    Untitled.png

    Here are the sanitized headers from one of the messages:

    Code:
    Received: from mailserver.mydomain.com (LHLO mailserver.mydomain.com) (192.168.0.100) by
     mailserver.mydomain.com with LMTP; Fri, 7 Feb 2014 11:25:25 -0800 (PST)
    Received: by mailserver.mydomain.com (Postfix)
    	id 875201D63B61; Fri,  7 Feb 2014 11:25:25 -0800 (PST)
    Date: Fri,  7 Feb 2014 11:25:25 -0800 (PST)
    From: MAILER-DAEMON@mailserver.mydomain.com (Mail Delivery System)
    Subject: Undelivered Mail Returned to Sender
    To: admin@mydomain.com
    Auto-Submitted: auto-replied
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
    	boundary="81A171D63B60.1391801125/mailserver.mydomain.com"
    Message-Id: <20140207192525.875201D63B61@mailserver.mydomain.com>
    
    This is a MIME-encapsulated message.
    
    --81A171D63B60.1391801125/mailserver.mydomain.com
    Content-Description: Notification
    Content-Type: text/plain; charset=us-ascii
    
    This is the mail system at host mailserver.mydomain.com.
    
    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.
    
    For further assistance, please send mail to postmaster.
    
    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.
    
                       The mail system
    
    <d155809@mydomain.com>: mail for mail.mydomain.com loops back to myself
    
    --81A171D63B60.1391801125/mailserver.mydomain.com
    Content-Description: Delivery report
    Content-Type: message/delivery-status
    
    Reporting-MTA: dns; mailserver.mydomain.com
    Original-Envelope-Id: AM.30200-13.20140207T192525Z@mailserver.mydomain.com
    X-Postfix-Queue-ID: 81A171D63B60
    X-Postfix-Sender: rfc822; admin@mydomain.com
    Arrival-Date: Fri,  7 Feb 2014 11:25:25 -0800 (PST)
    
    Final-Recipient: rfc822; d155809@mydomain.com
    Original-Recipient: rfc822;d155809@mydomain.com
    Action: failed
    Status: 5.4.6
    Diagnostic-Code: X-Postfix; mail for mail.mydomain.com loops back to myself
    
    --81A171D63B60.1391801125/mailserver.mydomain.com
    Content-Description: Undelivered Message
    Content-Type: message/rfc822
    
    Return-Path: <admin@mydomain.com>
    Received: from localhost (localhost [127.0.0.1])
    	by mailserver.mydomain.com (Postfix) with ESMTP id 81A171D63B60
    	for <d155809@mydomain.com>; Fri,  7 Feb 2014 11:25:25 -0800 (PST)
    MIME-Version: 1.0
    From: "Content-filter at mailserver.mydomain.com" <admin@mydomain.com>
    Date: Fri,  7 Feb 2014 11:25:25 -0800 (PST)
    Subject: VIRUS (Suspect.DoubleExtension-zippwd-15) in mail TO YOU from
     <uoctmmbc@creativelifelonglearning.eu>
    To: d155809 <d155809@mydomain.com>
    Message-ID: <VRBiK_n9iESb0h@mailserver.mydomain.com>
    Content-Type: text/plain; charset="UTF-8"
    Content-Disposition: inline
    Content-Transfer-Encoding: 7bit
    
    VIRUS ALERT
    
    Our content checker found
        virus: Suspect.DoubleExtension-zippwd-15
    
    in an email to you from probably faked sender:
      ?@[92.102.197.15]
    claiming to be: <uoctmmbc@creativelifelonglearning.eu>
    
    Content type: Virus
    Our internal reference code for your message is 30200-13/BiK_n9iESb0h
    
    First upstream SMTP client IP address: [92.102.197.15] 
    According to a 'Received:' trace, the message apparently originated at:
      [92.102.197.15], [92.102.197.15] unknown [92.102.197.15]
    
    Return-Path: <uoctmmbc@creativelifelonglearning.eu>
    From: "FedEx.com" <uoctmmbc@creativelifelonglearning.eu>
    Message-ID: <91a1575d40f7d5ce5dd5dc00d3fb5ecf@bounce.PC-DE-MARC>
    X-Mailer: PHPMailer [version 1.71-blue_mailer]
    Subject: Some important information is missing
    The message has been quarantined as: virus-quarantine.bg7kiivl0@mydomain.com
    
    Please contact your system administrator for details.
    
    --81A171D63B60.1391801125/mailserver.mydomain.com--
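
For triaging bounces like the one quoted above, this added example (not part of the original post) parses a DSN and reports which message bounced and whether that message was generated on the mail host itself, as the content-filter notice here was. The function names and the "from localhost" check are assumptions made for this illustration.

```python
import email
from email import policy
from email.utils import parseaddr
# Constructed sample: the bounce from post #1, abridged to the fields used here.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mailserver.mydomain.com (Mail Delivery System)
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: message/delivery-status

Reporting-MTA: dns; mailserver.mydomain.com
X-Postfix-Sender: rfc822; admin@mydomain.com

Final-Recipient: rfc822; d155809@mydomain.com
Status: 5.4.6
Diagnostic-Code: X-Postfix; mail for mail.mydomain.com loops back to myself

--B
Content-Type: message/rfc822

Received: from localhost (localhost [127.0.0.1]) by mailserver.mydomain.com
From: "Content-filter at mailserver.mydomain.com" <admin@mydomain.com>
Subject: VIRUS (Suspect.DoubleExtension-zippwd-15) in mail TO YOU

VIRUS ALERT
--B--
"""

def summarize_dsn(raw):
    """Return the delivery-status fields plus origin details of the bounced mail."""
    out = {}
    for part in email.message_from_string(raw, policy=policy.default).iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # Payload is a list of header blocks; drop "rfc822;"/"dns;" type prefixes.
            for block in part.get_payload():
                for name, value in block.items():
                    out[name.lower()] = str(value).split(";", 1)[-1].strip()
        elif ctype == "message/rfc822":
            inner = part.get_payload(0)
            out["inner_from"] = parseaddr(str(inner["From"]))[1]
            out["inner_subject"] = str(inner["Subject"])
            out["inner_local"] = "from localhost" in str(inner.get("Received", ""))
    return out

def is_locally_generated(summary):
    """True if the bounced mail came from localhost and from the bounce's own sender."""
    return bool(summary.get("inner_local")) and summary.get("x-postfix-sender") == summary.get("inner_from")
```

A true result means the undeliverable message was created on the server (here, the filter's virus notice addressed to a nonexistent recipient) rather than relayed from outside.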

  2. #2
    phoenix is online now Zimbra Consultant & Moderator

    Quote: Originally posted by fizi
    Over the last few months I've been receiving a lot of Undelivered Mail Returned to Sender spam. Messages that appear to be destined for users that do not exist on my mail system that are then bounced to my admin@myhost.com account.
    This is called (amongst other names) NDR Spam. Have you looked at any of the forum threads or internet posts on this topic?

    site:zimbra.com +"ndr spam" - Yahoo Search Results
    +postfix +"ndr spam" - Yahoo Search Results

    Quote: Originally posted by fizi
    I've made tweaks to the MTA in hopes of eliminating the problem ....
    Which 'tweaks' have you made, exactly? If it's the ones shown in your attachment then I don't find any of them to be useful and don't have them checked. You've also used the zen.spamhaus RBL in all of the entries you've listed; as far as I'm aware the zen RBL is purely that, an "RBL", and shouldn't be used in any of those entries and also only needs to be used once.

    Which (if any) of the tweaks in this wiki article have you tried? Have you also modified your Kill/Tag percentages?
    Regards


    Bill

