0
Ive hosted my own email for years now, and only recently have I started receiving failure notices that I have not sent. Below is an example of a header
Hi. This is the qmail-send program at MYSERVER.co.uk.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<bao-01@msn.com>:
User and password not set, continuing without authentication.
65.55.92.184 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.55.92.184.
<karanisthegasman@hotmail.com>:
User and password not set, continuing without authentication.
65.55.92.168 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.55.92.168.
<x0laurensays@aim.com>:
User and password not set, continuing without authentication.
64.12.138.161 does not like recipient.
Remote host said: 550 5.1.1 <x0laurensays@aim.com>: Recipient address rejected: aim.com
Giving up on 64.12.138.161.
<shortstuff128@cs.com>:
User and password not set, continuing without authentication.
64.12.91.196 does not like recipient.
Remote host said: 550 5.1.1 <shortstuff128@cs.com>: Recipient address rejected: cs.com
Giving up on 64.12.91.196.
<zerin3@aol.com>:
User and password not set, continuing without authentication.
64.12.91.195 does not like recipient.
Remote host said: 550 5.1.1 <zerin3@aol.com>: Recipient address rejected: aol.com
Giving up on 64.12.91.195.
<apps+opee1eef@facebookmail.com>:
User and password not set, continuing without authentication.
<apps+opee1eef@facebookmail.com> 173.252.79.16 failed after I sent the message.
Remote host said: 554 5.7.1 POL-P8 http://postmaster.facebook.com/response_codes?ip=MYIP#pol-m Message refused
--- Below this line is a copy of the message.
Return-Path: <me@MYSERVER.co.uk>
Received: (qmail 31378 invoked by uid 0); 19 Feb 2014 17:27:42 -0000
Received: from 212.156.182.55.static.turktelekom.com.tr (HELO mycomputer) (me@MYSERVER.co.uk@212.156.182.55)
by MYSERVER.co.uk with ESMTPA; 19 Feb 2014 17:27:41 -0000
From: "=?ISO-8859-1?Q?frostix28=40aol.com?=" <frostix28@aol.com>
To: "=?ISO-8859-1?Q?micayla12=40aol.com?=" <micayla12@aol.com>,
"=?ISO-8859-1?Q?bao-01=40msn.com?=" <bao-01@msn.com>,
"=?ISO-8859-1?Q?yourkissistorture=40yahoo.com?="
<yourkissistorture@yahoo.com>,
"=?ISO-8859-1?Q?karanisthegasman=40hotmail.com?="
<karanisthegasman@hotmail.com>,
"=?ISO-8859-1?Q?jman5510=40yahoo.com?=" <jman5510@yahoo.com>,
"=?ISO-8859-1?Q?x0laurensays=40aim.com?=" <x0laurensays@aim.com>,
"=?ISO-8859-1?Q?zerin3=40aol.com?=" <zerin3@aol.com>,
"=?ISO-8859-1?Q?shortstuff128=40cs.com?=" <shortstuff128@cs.com>,
"=?ISO-8859-1?Q?apps+opee1eef=40facebookmail.com?="
<apps+opee1eef@facebookmail.com>,
"=?ISO-8859-1?Q?registration=40ebay.com?=" <registration@ebay.com>,
"=?ISO-8859-1?Q?frostix28=40aol.com?=" <frostix28@aol.com>
Subject: =?ISO-8859-1?Q?frostix28=40aol.com?=
Date: Tue, 19 Feb 2014 06:27:39 +0100
MIME-Version: 1.0
X-mailer: Microsoft Office Outlook, Build 11.0.5510
Reply-To: frostix28@aol.com
Content-type: Multipart/mixed; boundary="4A2C4E38_686FF402_boundary"
Content-Description: Multipart message
--4A2C4E38_686FF402_boundary
Content-type: text/html; charset=UTF-8
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: HTML text
=EF=BB=BF<html><head><meta http-equiv=3D"content-type" content: text/html;=
charset=3DUTF-8></head><body><a href=
=3D"http://contactaviators.com/bx/hga.html">http://contactaviators.com/bx/hga.=
html</a></body></html>
--4A2C4E38_686FF402_boundary--
Ive changed myserver address to MYSERVER.co.uk in there and my IP to MYIP. The rest of the message remains unchanged,
From what i can see in the header the email originated from 212.156.182.55 rather than my server, But then the message itself came back to my server.
Is this normal ? Ive checked for open relays etc and all of the online scanners suggest the mail server is et up correctly.
Should I treat this as spam or is this something worse ?
Edit:
Since this has started happening ive been keeping a closer eye on the log files.
One of the lines got me
xinetd[892]: START: smtp pid=22325 from=205.201.134.23
That ip when whois'ed is for mailchimp. Im not sure why mailchip are connecting to me but they seem to be (their connection only lasted 1 sec though according to the logs
exussum
Posted 2014-02-20T09:18:42.163
Reputation: 431
mail client i use is Thunderbird, I connect to mail.MYSERVER.co.uk. which has an A record for the IP. No Relays are used just the 1 server with only 1 mx record – exussum – 2014-02-20T09:30:08.763
mxtoolbox.com was used to check the mail server. all tests passed – exussum – 2014-02-20T09:32:33.867
Ive not changed the set up since October 2011, And I do not reconize any emails on the list besides
registration@ebay.combut thats a generic one. The IP address which i think sent it was the 212.156.182.55 which is in turkey. My server is hosted in Manchester UK – exussum – 2014-02-20T09:40:11.303In that case, it suggests as if you're being used as a relay despite testing... what service did you use to test for it? http://www.mailradar.com/openrelay/ I assume the server is free of virus's etc and it's not a script on the actual server sending it out?
– Dave – 2014-02-20T09:42:47.563All tested completed! No relays accepted by remote host! is the result of that. Server as far as im aware is and no automatic emails are sent from that server – exussum – 2014-02-20T09:46:53.030
I wonder then, if they're using an Alias of some sort... They send from IP x.x.x.5 but use an alias to make it appear from you, so when it fails the return message goes to you, not the source. – Dave – 2014-02-20T09:47:58.977
And again, I assume the sender
frostix28@aol.comisn't you? – Dave – 2014-02-20T10:00:50.063Thats correct, Ive not seen / heard that address before this email
me@MYSERVER.co.ukis my email address in the log above – exussum – 2014-02-20T10:03:04.103Main reason ive changed the addresses is incase it was a real problem, Didnt want to advertise it being broken – exussum – 2014-02-20T10:05:39.113
What is the purpose of this mail server? Is it your own, or can anyone 'join' and use your services etc (do you offer email hosting, for example)? – Dave – 2014-02-20T10:08:43.720
My own. There are roughly 20 users on there. Mail accounts can only be created by me – exussum – 2014-02-20T10:09:36.127
I'm struggling here. I have the same set up with my own mail server and never experienced this... It is worrying in-case the recipient does think it's your server sending the email (blacklisting)... Other than checking out Task Scheduler (to make sure there isn't something running you don't know about), a full virus and malware scan I'm out of ideas. – Dave – 2014-02-20T10:13:28.443
Ive had the set up for years now, Yesterday I got 3 of these emails, all from separate IP's but have similar messages. Ill double check all cron jobs and make sure everything is updated. Thanks for your suggestions – exussum – 2014-02-20T10:16:13.947
How often are these occurring? – Dave – 2014-02-20T10:18:13.667
3 in total, 8:18, 17:27, 17:28 all 19th Feb. None since – exussum – 2014-02-20T10:21:35.057
Is this a VPS or dedicated? – Dave – 2014-02-20T10:22:08.447
VPS running CentOS 6 – exussum – 2014-02-20T10:23:32.267
@DaveRook Just had 8 more now, all in the space of 2 minutes :( any way to set up logging to log every mail sent ? – exussum – 2014-02-20T14:28:00.660
I don't use the same mail client (I use hMailServer) but there must be a way to enable logging. Hopefull you'll see a pattern (to see if anything is sent from you, or if it's only being sent back to you)! – Dave – 2014-02-21T08:45:56.777
Please take extended discussion or troubleshooting to [chat]. – slhck – 2014-02-21T09:40:34.873