-1

I have started to receive emails with the subject: "Mail delivery failed: returning message to sender" for emails I haven't sent. I host my own mail server at my domain matos-sorge.com (a Linode) and I am slightly worried someone is using my mail server for spamming.

The emails I receive look like this:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es)
failed:

acoperis@ls12.globehosting.net
  (generated from ppaxylfg510@acoperisexpert.ro)
  mailbox is full: retry timeout exceeded

------ This is a copy of the message, including all the headers. ------

Return-path: <paulo@matos-sorge.com>
Received: from [70.45.238.57] (port=15427 helo=host-70-45-238-57.onelinkpr.net)
  by ls12.globehosting.net with esmtp (Exim 4.80)
  (envelope-from <paulo@matos-sorge.com>)
  id 1WkK88-001FK5-6e
  for ppaxylfg510@acoperisexpert.ro; Wed, 14 May 2014 00:20:59 +0300
From: <paulo@matos-sorge.com>
To: <ppaxylfg510@acoperisexpert.ro>
Subject: regional Asistent manager
Date: 13 May 2014 05:42:50 -0800
Message-ID: <002801cf6eb6$056bf74c$152b8580$@matos-sorge.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ibm852"
Content-Transfer-Encoding: 8bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: Acjpbbuaee0o3789jpbbuaee0o3789==
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514
X-Spam-Status: No, score=2.5
X-Spam-Score: 25
X-Spam-Bar: ++
X-Ham-Report: Spam detection software, running on the system "ls12.globehosting.net", has
  identified this incoming email as possible spam.  The original message
  has been attached to this so you can view it (if it isn't spam) or label
  similar future email.  If you have any questions, see
  the administrator of that system for details.
  Content preview:  Buna ziua! Noua ne-a placut CV-ul dvs si am hotarat ca sunteti
  interesati sa lucrati in compania noastra. Ne specializam in consultare in
  domeniul de management al afacerilor. Activitatea noastra se desfasoara in
  mai multe tari din lume, la fel avem si clienti in Romania. Si in legatura
  cu acest fat,dorim sa marim numarul de membrii echipei noastre. Activitatea
  poate fi deplina sau partiala. Salariu de la 400 pana la 2000 euro lunar.
  [...]
  Content analysis details:   (2.5 points, 3.0 required)
   pts rule name              description
  ---- ---------------------- --------------------------------------------------
   2.5 URIBL_DBL_SPAM         Contains an URL listed in the DBL blocklist
                              [URIs: myjob-ro.com]
X-Spam-Flag: NO

Buna ziua!

Noua ne-a placut CV-ul dvs si am hotarat ca sunteti interesati sa
lucrati in compania noastra. Ne specializam in consultare in domeniul
de management al afacerilor.

Activitatea noastra se desfasoara in mai multe tari din lume, la fel
avem si clienti in Romania. Si in legatura cu acest fat,dorim sa marim
numarul de membrii echipei noastre. Activitatea poate fi deplina sau
partiala. Salariu de la 400 pana la 2000 euro lunar.

Daca sunteti interesati de oferta propusa,va rugam sa scrieti pe
adresa Lizzie@myjob-ro.com pentru a primi mai multe informatii. Cu
respect,HR Manager

I never tried to send this message.

I use postfix + dovecot on my mailserver, but I am far from being a professional network administrator. How can I ensure my server is not being used for spamming? If it isn't, then why do I get these messages?

Paulo Matos
  • The formatting of the mail got messed up when you pasted it into the question. Prefixing each line with `> ` is not the right way to post the original mail. Rather you should prefix each line with four spaces, and ensure you keep the line breaks in the same place as in the original. That will make it much easier to read. – kasperd May 13 '14 at 22:07

1 Answer

5

If none of the IP addresses listed in the header belongs to your infrastructure, you can safely ignore these messages, as anyone can use your mail address when sending spam and you will receive the error reports (this is called backscatter spam).

You can somewhat reduce this problem by adding SPF and/or DKIM to your mail infrastructure because the chance that mails sent from illegitimate sources using your addresses will be sorted out as spam increases.

Sven
  • All good advice. I would add another idea to that. If your mail infrastructure is capable of doing it, you could record the `Message-ID` of all messages being sent from your domain. Then when a bounce comes in (which can be recognized by not having a sender, i.e. `MAIL From:<>`), then you can reject that bounce at the end of `DATA` if it did not contain a valid `Message-ID` somewhere. This will change it from your own problem to somebody else's problem. That somebody else should learn to reject incoming mail instead of accepting it and producing a bounce. – kasperd May 13 '14 at 22:12
  • It's definitely backscatter; expect your queue to get a minor rash off of it. @kasperd, this is why I believe in allowing only for valid recipients, because it cuts down a large part of the backscatter "up front" due to an invalid recipient address, and a blank `From:` would trigger that. – Avery Payne May 13 '14 at 22:50
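
The two checks discussed above (the answer's "does any IP in the header belong to my infrastructure" and the `Message-ID` idea from the comments) can be scripted against a saved bounce. This is an added example, not code from the answerer or the commenters; `MY_NETWORKS` is a placeholder address, `SENT_MESSAGE_IDS` is a constructed log, and the function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

MARKER = "------ This is a copy of the message, including all the headers. ------"
IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed sample: the bounce quoted in the question, trimmed to the relevant headers.
SAMPLE_BOUNCE = """\
This message was created automatically by mail delivery software.

------ This is a copy of the message, including all the headers. ------

Return-path: <paulo@matos-sorge.com>
Received: from [70.45.238.57] (port=15427 helo=host-70-45-238-57.onelinkpr.net)
\tby ls12.globehosting.net with esmtp (Exim 4.80)
Message-ID: <002801cf6eb6$056bf74c$152b8580$@matos-sorge.com>
"""

# Assumptions: placeholder server address, constructed log of Message-IDs you issued.
MY_NETWORKS = [ipaddress.ip_network("192.0.2.10/32")]
SENT_MESSAGE_IDS = {"<20140513.0001@matos-sorge.com>"}

def embedded_original(bounce_body):
    """Text after the bounce's marker line, or None if no copy is attached."""
    _, found, rest = bounce_body.partition(MARKER)
    return rest.lstrip("\r\n") if found else None

def received_ips(msg):
    """IP literals from all Received: headers, most recent hop first."""
    ips = []
    for header in msg.get_all("Received", []):
        for literal in IP_LITERAL.findall(header):
            try:
                ips.append(ipaddress.ip_address(literal))
            except ValueError:
                pass  # bracketed text that is not an address
    return ips

def classify_bounce(bounce_body, my_networks, sent_ids):
    original = embedded_original(bounce_body)
    if original is None:
        return "no-copy"  # nothing embedded to inspect
    msg = message_from_string(original)
    via_me = any(ip in net for ip in received_ips(msg) for net in my_networks)
    my_id = (msg.get("Message-ID") or "").strip() in sent_ids
    # Lower Received lines can be forged: a match means "check the Postfix logs", not proof.
    return "investigate" if via_me or my_id else "backscatter"
```

For the bounce in the question the only hop is 70.45.238.57 handing the message to ls12.globehosting.net, and the `Message-ID` merely borrows the domain name, so it classifies as backscatter.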