I wish I had a better description for this problem, but suddenly I’ve been receiving a heck of a lot of mail delivery subsystem errors, apparently where invalid commands are being generated, to firstname.lastname@example.org from the domain owner account.
I’m trying to figure out in the first place what is triggering these errors, and interestingly enough, in these messages a “support ticket not opened” shows up, along with a 1and1.com mx server as part of the communication, with the email@example.com being part of the address.
I’m trying to figure out what’s going on, as to why I’m getting these, and what does this indicate?
A compromised server?
If so, it shouldn’t be on the network whatsoever, that is online at all.
Does this mean that somehow my server has been an open relay?
Or can I get rid of problems like this?
It seems ever since the day I put out the firstname.lastname@example.org alias, my domain owner inbox (and note I did not say spam folder) has been receiving plenty of likely spam messages that spam filters are permitting happily for some reason, despite sane spf configurations with sender restrictions.
These mail delivery reports, which just started a few days ago, are the latest issues I’m now experiencing.
If anyone can give me ideas, let me know. I’ve stayed updated on all Virtualmin software, however.
CentOS 6.3 is installed, and all that good stuff.
Thanks for any ideas on as to why I’m getting this stuff, how I might be able to redirect some of this junk off to good old /dev/null if possible, etc.
Any advice as to what’s going on is appreciated.
If someone could do a remote scan of keithnet.us to see if you can successfully perform open relay commands (though I don’t know why you should be able to, as I haven’t touched anything in postfix that would allow this), I’d appreciate it.
But if my server is sending out emails at random regardless of delivery reports being successfully generated, I’m wondering what’s going on, and this has alarm bells ringing in my head from an email server standpoint unless you email server folks say otherwise.
Even if you’ve kept your Virtualmin software up to date – web applications can still have problems with folks breaking into them (and are kept up to date separately from any system update).
Do you have any ticket tracking systems on your server that could be generating emails like that?
If you have a bunch of emails with “support ticket not opened” in their body, that sounds like an issue with a ticket tracker. And then the question from there is just determining whether that ticket tracker is on your system, or another one.
You may want to review the email headers of those emails, which may assist you in determining the source.
Here are some new details, just in case this helps.
For an email in the delivery report attachments, I get something like:
Reporting-MTA: dns; server1.keithnet.us
X-Postfix-Queue-ID: 630A5409C8
X-Postfix-Sender: rfc822; email@example.com
Arrival-Date: Thu, 26 Jul 2012 14:35:01 -0400 (EDT)

Final-Recipient: rfc822; firstname.lastname@example.org
Action: failed
Status: 5.0.0
Remote-MTA: dns; mx00.1and1.com
Diagnostic-Code: smtp; 550 <email@example.com>: invalid address
For the mail headers:
Return-Path: <>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on server1.keithnet.us
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=HTML_MESSAGE,NO_RELAYS autolearn=ham version=3.3.1
X-Original-To: firstname.lastname@example.org
Delivered-To: email@example.com
Received: by server1.keithnet.us (Postfix) id B2FA0400BA; Thu, 26 Jul 2012 14:35:02 -0400 (EDT)
Date: Thu, 26 Jul 2012 14:35:02 -0400 (EDT)
From: MAILER-DAEMON@server1.keithnet.us (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: firstname.lastname@example.org
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="630A5409C8.1343327702/server1.keithnet.us"
Content-Transfer-Encoding: 8bit
Message-Id: <20120726183502.B2FA0400BA@server1.keithnet.us>
Does anybody have any ideas as to this invalid address thing, maybe where to begin looking at what’s going on?
An incorrect file where this yourdomain.com thing is being derived from?
You may want to review your mail logs, and see how the message with the ID “B2FA0400BA” was delivered to your server.
I don’t see any remote connections though, which may mean it was locally generated.
Also, I see the header “Auto-Submitted: auto-replied”, which may mean it’s an auto-reply issue.
That is, if an email manager were to get stuck in an auto-reply loop, that could explain a bunch of email in your mail queue.
Do any users on your server have an auto-reply setup?
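The checks described in this reply (a Received chain with no remote hop, the Auto-Submitted header, the null Return-Path, and the two queue IDs that tie the bounce to the original message) can be pulled out of a bounce automatically. The following is an added example, not code from the thread or from Virtualmin: it feeds the headers and delivery-status part quoted earlier in this thread into Python's standard-library email parser and returns a triage summary. The Received parsing also handles the "from host ... by host" form a remote SMTP delivery would produce, which the posted bounce does not contain.

```python
import re
from email import message_from_string

# Bounce headers and delivery-status fields copied from the post above,
# reflowed one field per line so the stdlib parser can read them.
BOUNCE_HEADERS = """\
Return-Path: <>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on server1.keithnet.us
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=HTML_MESSAGE,NO_RELAYS autolearn=ham version=3.3.1
X-Original-To: firstname.lastname@example.org
Delivered-To: email@example.com
Received: by server1.keithnet.us (Postfix) id B2FA0400BA; Thu, 26 Jul 2012 14:35:02 -0400 (EDT)
Date: Thu, 26 Jul 2012 14:35:02 -0400 (EDT)
From: MAILER-DAEMON@server1.keithnet.us (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: firstname.lastname@example.org
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="630A5409C8.1343327702/server1.keithnet.us"
Content-Transfer-Encoding: 8bit
Message-Id: <20120726183502.B2FA0400BA@server1.keithnet.us>

"""

DSN_PART = """\
Reporting-MTA: dns; server1.keithnet.us
X-Postfix-Queue-ID: 630A5409C8
X-Postfix-Sender: rfc822; email@example.com
Arrival-Date: Thu, 26 Jul 2012 14:35:01 -0400 (EDT)

Final-Recipient: rfc822; firstname.lastname@example.org
Action: failed
Status: 5.0.0
Remote-MTA: dns; mx00.1and1.com
Diagnostic-Code: smtp; 550 <email@example.com>: invalid address
"""


def received_hops(msg):
    """One dict per Received header. 'from' is None when the header has no
    'from host' clause, i.e. Postfix accepted the message from a local
    process rather than over SMTP; 'id' is the Postfix queue ID."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())
        m_from = re.match(r"from\s+(\S+)", flat)
        m_by = re.search(r"\bby\s+(\S+)", flat)
        m_id = re.search(r"\bid\s+([0-9A-Za-z]+)", flat)
        hops.append({"from": m_from.group(1) if m_from else None,
                     "by": m_by.group(1) if m_by else None,
                     "id": m_id.group(1) if m_id else None})
    return hops


def _typed(value):
    """'rfc822; addr', 'dns; host', 'smtp; 550 ...' -> text after the type tag."""
    return value.split(";", 1)[1].strip() if ";" in value else value.strip()


def parse_dsn(text):
    """Split a delivery-status part into the per-message field block and a
    list of per-recipient field blocks (blank line separated, per RFC 3464)."""
    blocks = [b for b in text.strip().split("\n\n") if b.strip()]

    def fields(block):
        out = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            out[key.strip()] = val.strip()
        return out

    return fields(blocks[0]), [fields(b) for b in blocks[1:]]


def triage_bounce(raw_headers, dsn_text):
    """Summarise where a bounce came from and what it is complaining about."""
    msg = message_from_string(raw_headers)
    hops = received_hops(msg)
    per_message, recipients = parse_dsn(dsn_text)
    first = recipients[0] if recipients else {}
    return {
        "bounce_queue_id": hops[0]["id"] if hops else None,
        "original_queue_id": per_message.get("X-Postfix-Queue-ID"),
        "original_sender": _typed(per_message.get("X-Postfix-Sender", "")),
        "hops": len(hops),
        # True when every hop lacks a 'from host' clause: no remote relay involved.
        "locally_generated": bool(hops) and all(h["from"] is None for h in hops),
        "null_sender": msg.get("Return-Path", "").strip() == "<>",
        "auto_submitted": msg.get("Auto-Submitted", "").strip().lower() or None,
        "final_recipient": _typed(first.get("Final-Recipient", "")),
        "status": first.get("Status"),
        "remote_mta": _typed(first.get("Remote-MTA", "")),
        "diagnostic": _typed(first.get("Diagnostic-Code", "")),
    }


if __name__ == "__main__":
    for key, val in triage_bounce(BOUNCE_HEADERS, DSN_PART).items():
        print(f"{key:>20}: {val}")
```

Two values matter most here: original_queue_id is the ID to grep for in /var/log/maillog to find who submitted the message that bounced, and locally_generated combined with auto_submitted tells you the bounce itself was built on this box in response to something automatic, not relayed in from outside.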
How might I double check who has auto-reply and so on from within the Virtualmin/Webmin interface?
The only type of auto-reply system I have is WHMCS, but that’s for tickets and such.
If I can track down this auto-reply thing, that would help.
And yes, after looking at /var/log/maillog, I can see that these automatic mailer reports I’m getting are all locally being generated in any case.
Look forward to any other follow up comment.
Well, you can typically determine the userid of the account that’s generating the emails by looking in the logs. It should show you a UID.
You can also view the “/var/virtualmin-autoreply/” directory to see auto-replies that were setup by Virtualmin.
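Following the message ID back through /var/log/maillog, as suggested earlier in the thread, and reading off the UID, as suggested in the last reply, can be scripted. This is an added example, not the thread's or Virtualmin's code. The log lines are constructed in Postfix's syslog format around the two queue IDs from the posted bounce; the PIDs, uid=500, the third queue ID C1D2E3F4A5 and the addresses 192.0.2.5 and 203.0.113.10 are made up. A bounce is linked to the message that caused it by the "sender non-delivery notification" line the bounce daemon logs; the original message's origin is then read from the pickup line (local submission, with a uid=) or the smtpd line (remote SMTP client).

```python
import re
from collections import Counter, defaultdict

# Constructed /var/log/maillog excerpt (sample data, not from the poster's
# server). 630A5409C8 is the message that bounced, B2FA0400BA the bounce
# Postfix generated for it; C1D2E3F4A5 shows what a remote delivery looks like.
SAMPLE_MAILLOG = """\
Jul 26 14:35:01 server1 postfix/pickup[2201]: 630A5409C8: uid=500 from=<email@example.com>
Jul 26 14:35:01 server1 postfix/cleanup[2205]: 630A5409C8: message-id=<20120726183501.630A5409C8@server1.keithnet.us>
Jul 26 14:35:01 server1 postfix/qmgr[1987]: 630A5409C8: from=<email@example.com>, size=1024, nrcpt=1 (queue active)
Jul 26 14:35:02 server1 postfix/smtp[2210]: 630A5409C8: to=<firstname.lastname@example.org>, relay=mx00.1and1.com[203.0.113.10]:25, delay=1, delays=0.1/0/0.5/0.4, dsn=5.0.0, status=bounced (host mx00.1and1.com[203.0.113.10] said: 550 <email@example.com>: invalid address (in reply to RCPT TO command))
Jul 26 14:35:02 server1 postfix/cleanup[2205]: B2FA0400BA: message-id=<20120726183502.B2FA0400BA@server1.keithnet.us>
Jul 26 14:35:02 server1 postfix/bounce[2212]: 630A5409C8: sender non-delivery notification: B2FA0400BA
Jul 26 14:35:02 server1 postfix/qmgr[1987]: B2FA0400BA: from=<>, size=2900, nrcpt=1 (queue active)
Jul 26 14:35:02 server1 postfix/local[2215]: B2FA0400BA: to=<email@example.com>, orig_to=<firstname.lastname@example.org>, relay=local, delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (delivered to maildir)
Jul 26 15:00:00 server1 postfix/smtpd[2300]: C1D2E3F4A5: client=mail.example.net[192.0.2.5]
Jul 26 15:00:00 server1 postfix/qmgr[1987]: C1D2E3F4A5: from=<someone@example.net>, size=800, nrcpt=1 (queue active)
"""

# syslog prefix, postfix/<process>[pid]: <queue id>: <message>
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<proc>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]{6,}): (?P<msg>.*)$"
)
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
CLIENT_RE = re.compile(r"client=(?P<client>\S+)")
BOUNCE_RE = re.compile(r"sender non-delivery notification: (?P<bounce_id>[0-9A-Za-z]{6,})")


def index_by_queue_id(lines):
    """Group log records by queue ID: qid -> [(process, message), ...]."""
    index = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            index[m.group("qid")].append((m.group("proc"), m.group("msg")))
    return index


def classify_origin(queue_id, index):
    """How did this queue ID enter Postfix? A pickup record with uid= means a
    local process handed it to sendmail(1); an smtpd record with client=
    means it arrived over SMTP from that host."""
    for proc, msg in index.get(queue_id, []):
        if proc == "pickup":
            m = PICKUP_RE.search(msg)
            if m:
                return {"origin": "local", "uid": int(m.group("uid")),
                        "sender": m.group("sender")}
        if proc == "smtpd":
            m = CLIENT_RE.search(msg)
            if m:
                return {"origin": "remote", "client": m.group("client")}
    return {"origin": "unknown"}


def trace_bounce(bounce_id, lines):
    """From a bounce's queue ID, find the message that triggered it and
    report where that message came from."""
    index = index_by_queue_id(lines)
    original_id = None
    for qid, records in index.items():
        for proc, msg in records:
            if proc == "bounce":
                m = BOUNCE_RE.search(msg)
                if m and m.group("bounce_id") == bounce_id:
                    original_id = qid
    result = {"bounce_id": bounce_id, "original_id": original_id}
    if original_id:
        result.update(classify_origin(original_id, index))
    return result


def local_senders(lines):
    """Count locally injected messages per UID, to see which account on the
    box is generating mail."""
    counts = Counter()
    for records in index_by_queue_id(lines).values():
        for proc, msg in records:
            if proc == "pickup":
                m = PICKUP_RE.search(msg)
                if m:
                    counts[int(m.group("uid"))] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_MAILLOG.splitlines()
    print(trace_bounce("B2FA0400BA", lines))   # local, uid=500 in the sample
    print(local_senders(lines))
```

Against a real server, read the lines from /var/log/maillog (or the rotated files) instead of the sample, and map the UID to an account with getent passwd on that number; a UID that belongs to a web application's Virtualmin domain user, with no matching human activity, is the usual sign that a script under that account is the one sending.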