Koozali.org: home of the SME Server

Admin account gets spammed with failure notices

soup
Admin account gets spammed with failure notices
« on: May 19, 2005, 06:29:04 PM »
Every day my admin account receives up to 50 failure notices with emails I have never seen before. Anyone have any idea why I'm getting these? Could it be related to the German worm that has been spreading around?

Any help would be appreciated... thanks.

Matt

cc_skavenger

Admin account gets spammed with failure notices
« Reply #1 on: May 19, 2005, 08:11:06 PM »
More than likely, yes, they are related....

Beast

Admin account gets spammed with failure notices
« Reply #2 on: May 22, 2005, 09:47:30 AM »
I have the same problem!

Now up to 100 of these emails every day and increasing all the time. Mostly because they contained spam or invalid "to" user.

It looks as if someone has decided to use one of the domain names used on the SME server as a return address for spam/virus. It uses random user names in front of the domain.

The user that has the domain and a single user account does not like me to disable the domain ;-)

Is there a way to disable all invalid usernames for this domain only?

I use the contribs from Knudsen for virus and spam.

p-jones
Admin account gets spammed with failure notices
« Reply #3 on: May 22, 2005, 10:25:18 AM »
Are these spams or delivery failure notices from a virus??

If you have a look at the characteristics of some of these viruses, they are masquerading viruses and these notices mean absolutely nothing except that someone who has your email address in their address book has been hit.

What it also does is question the value of turning on the parameter of notifying the sender when a virus attachment is received.
...

Beast

Admin account gets spammed with failure notices
« Reply #4 on: May 22, 2005, 12:37:38 PM »
Do not know if it is spam or virus activity

This is the last reply:

Have replaced my account and domain with noname and the domain in question with problemdomain!

xxxx.dk is the internet provider's server.

Received: (qmail 15407 invoked by alias); 22 May 2005 10:21:55 -0000
Delivered-To: alias-localdelivery-noname@noname.dk
Received: (qmail 15404 invoked by uid 101); 22 May 2005 10:21:55 -0000
Delivered-To: admin@nonameserver.noname.dk
Received: (qmail 15402 invoked by alias); 22 May 2005 10:21:55 -0000
Delivered-To: alias-localdelivery-admin@noname.dk
Received: (qmail 15399 invoked by alias); 22 May 2005 10:21:55 -0000
Delivered-To: averycartwrightyf@nonameserver.noname.dk
Received: (qmail 15396 invoked by alias); 22 May 2005 10:21:55 -0000
Delivered-To: alias-localdelivery-averycartwrightyf@problemdomain.dk
Received: (qmail 15390 invoked from network); 22 May 2005 10:21:52 -0000
X-Virus-Scanned: by amavis-ng-0.1.6.4-03dc on noname.noname.dk
Received: from xxxxx.dk (HELO xxxx.dk) (195.41.53.68)
  by nonameserver.noname.dk (192.168.10.2) with ESMTP; 22 May 2005 10:21:51 -0000
Received: from redwing.mail.pas.earthlink.net (redwing.mail.pas.earthlink.net [207.217.120.246])
   by xxxx.dk (Postfix) with ESMTP id D2109DF35
   for <averycartwrightyf@problemdomain.dk>; Sun, 22 May 2005 12:21:49 +0200 (CEST)
Received: from exim by redwing.mail.pas.earthlink.net with local (Exim 3.36 #1)
   id 1DZnab-0005WS-00
   for averycartwrightyf@problemdomain.dk; Sun, 22 May 2005 03:21:45 -0700
X-Failed-Recipients: pg1001937@onemain.com
From: Mail Delivery System <Mailer-Daemon@redwing.mail.pas.earthlink.net>
To: averycartwrightyf@problemdomain.dk
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1DZnab-0005WS-00@redwing.mail.pas.earthlink.net>
Date: Sun, 22 May 2005 03:21:45 -0700
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on
   nonameserver.noname.dk
X-Spam-Status: No, score=1.6 required=5.0 tests=BAYES_50,
   RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,SAVE_THOUSANDS,UPPERCASE_25_50
   autolearn=no version=3.0.3
X-Spam-Level: *

This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  pg1001937@onemain.com
    SMTP error from remote mailer after RCPT TO:<pg1001937@onemain.com>:
    host onemain-mx.earthlink.net [209.86.93.122]:
    550 pg1001937@onemain.com...User unknown

------ This is a copy of the message, including all the headers. ------

Return-path: <averycartwrightyf@problemdomain.dk>
Received: from kingbird-120.pocket ([10.4.120.213] helo=kingbird.mail.pas.earthlink.net)
   by redwing.mail.pas.earthlink.net with smtp (Exim 3.36 #1)
   id 1DZj3u-0000Qt-00
   for pg1001937@onemain.com; Sat, 21 May 2005 22:31:42 -0700
X-MindSpring-Loop: postmaster@anewmortgage.com
Received: from localhost ([211.45.208.29])
   by kingbird.mail.pas.earthlink.net (EarthLink Mail Service) with SMTP id 1dzJ3S65j3NZFml0
   for <leonard@anewmortgage.com>; Sat, 21 May 2005 22:31:38 -0700 (PDT)
Message-ID: <2.2.32.2005042205285600b0b596@problemdomain.dk>
From: "Avery Cartwright" <averycartwrightyf@problemdomain.dk>
To: leonard@anewmortgage.com
Subject: =?iso-8859-1?b?TmF0aW9uYWwgUmF0ZXMgQXJlIEFzIExvdyBBcyAzLjk4JSAgdHg=?=
Date: Sun, 22 May 2005 05:28:56 +0000
MIME-Version: 1.0
X-Sender: <averycartwrightyf@problemdomain.dk>
Sender: <averycartwrightyf@problemdomain.dk>
Reply-To: "Avery Cartwright" <averycartwrightyf@problemdomain.dk>
In-Reply-To: <696301c55c63$947002d8$9f9243fa@d0vef01>
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Content-Type: text/html;
   charset="us-ascii"
Content-Transfer-Encoding: 8bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">

<META content="MSHTML 6.00.2800.1491" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Alerting news! Alerting Rates!</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2><A href="http://www.nineteenshots.com/realtor/"
target=_blank><STRONG>Get Refinance Information - Fast &amp;
Simple!</STRONG></A> </FONT><STRONG><BR><BR><FONT face=Arial size=2>-Consolidate
Debt-<BR>-Lower Your Monthly Payments-<BR>-Make Improvements on Your
Home-<BR>-Save Thousands-<BR><BR></FONT><A
href="http://www.nineteenshots.com/realtor/" target=_blank><FONT face=Arial
size=2>Continue Here - It's As Easy As:</FONT></A><BR><BR><A
href="http://www.nineteenshots.com/realtor/" target=_blank><FONT face=Arial
size=2>1 Click <BR>A Few Easy Questions <BR><BR></FONT></A><FONT face=Arial
size=2>All Credit Types Welcome.</FONT></STRONG></DIV>

<DIV><STRONG><FONT face=Arial size=2></FONT></STRONG>&nbsp;</DIV>
<DIV><STRONG><FONT face=Arial size=2></FONT></STRONG>&nbsp;</DIV>
<DIV><STRONG><FONT face=Arial size=2></FONT></STRONG>&nbsp;</DIV>

<DIV><STRONG><FONT face=Arial size=2></FONT></STRONG>&nbsp;</DIV>
<DIV><STRONG><FONT face=Arial size=2></FONT></STRONG>&nbsp;</DIV>
<DIV><STRONG><FONT face=Arial size=2></FONT></STRONG>&nbsp;</DIV>

<DIV><STRONG><FONT face=Arial size=2></FONT></STRONG>&nbsp;</DIV>
<DIV><STRONG><FONT face=Arial size=2></FONT></STRONG>&nbsp;</DIV>
<DIV><STRONG><FONT face=Arial size=2></FONT></STRONG>&nbsp;</DIV>

<DIV><STRONG><FONT face=Arial color=#c0c0c0 size=1><A
href="http://nineteenshots.com/no/">Re_Move_Now_From_Database_QUICK_QUOTES</A></FONT></STRONG></DIV></BODY></HTML>
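The bounce quoted above can be checked mechanically. The DSN itself does pass through the poster's server (the "by nonameserver.noname.dk" hop in the outer headers is the bounce being delivered), but the copy of the original message after the "This is a copy" marker has a Received: chain that never touches that server, so the message was injected elsewhere with a forged problemdomain.dk sender. The script below is an added example, not code from the thread or from SME Server; it assumes the local server is the host named in the posted headers (nonameserver.noname.dk / 192.168.10.2), that the hosted domains are problemdomain.dk and noname.dk, and it runs over a constructed, trimmed copy of the posted bounce.

```python
"""Backscatter check for an Exim-style bounce (added example, see lead-in)."""
import email
import re
from email.utils import parseaddr

LOCAL_HOSTS = ("nonameserver.noname.dk", "192.168.10.2")  # assumed identity of our server
LOCAL_DOMAINS = ("problemdomain.dk", "noname.dk")          # assumed domains we host
COPY_MARKER = "------ This is a copy of the message, including all the headers. ------"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: the posted bounce, trimmed to the headers that matter.
SAMPLE_BOUNCE = """\
Received: (qmail 15390 invoked from network); 22 May 2005 10:21:52 -0000
Received: from xxxx.dk (HELO xxxx.dk) (195.41.53.68)
  by nonameserver.noname.dk (192.168.10.2) with ESMTP; 22 May 2005 10:21:51 -0000
Received: from exim by redwing.mail.pas.earthlink.net with local (Exim 3.36 #1)
   id 1DZnab-0005WS-00
   for averycartwrightyf@problemdomain.dk; Sun, 22 May 2005 03:21:45 -0700
X-Failed-Recipients: pg1001937@onemain.com
From: Mail Delivery System <Mailer-Daemon@redwing.mail.pas.earthlink.net>
To: averycartwrightyf@problemdomain.dk
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software (Exim).

------ This is a copy of the message, including all the headers. ------

Return-path: <averycartwrightyf@problemdomain.dk>
Received: from kingbird-120.pocket ([10.4.120.213] helo=kingbird.mail.pas.earthlink.net)
   by redwing.mail.pas.earthlink.net with smtp (Exim 3.36 #1)
   for pg1001937@onemain.com; Sat, 21 May 2005 22:31:42 -0700
Received: from localhost ([211.45.208.29])
   by kingbird.mail.pas.earthlink.net (EarthLink Mail Service) with SMTP id 1dzJ3S65j3NZFml0
   for <leonard@anewmortgage.com>; Sat, 21 May 2005 22:31:38 -0700 (PDT)
From: "Avery Cartwright" <averycartwrightyf@problemdomain.dk>
To: leonard@anewmortgage.com
Subject: (omitted)

(body omitted)
"""


def _unfold(value):
    """Collapse a folded header value onto one line."""
    return " ".join(value.split())


def split_bounce(raw):
    """Split the bounce into the DSN itself and the quoted original (or None)."""
    head, marker, tail = raw.partition(COPY_MARKER)
    outer = email.message_from_string(head)
    original = email.message_from_string(tail.lstrip("\n")) if marker else None
    return outer, original


def is_dsn(msg):
    """True when From: is a mailer-daemon / postmaster style address."""
    addr = parseaddr(msg.get("From", ""))[1].lower()
    return addr.split("@")[0] in ("mailer-daemon", "postmaster")


def received_chain(msg):
    """Received: headers, newest first, each unfolded."""
    return [_unfold(v) for v in msg.get_all("Received", [])]


def passed_through_local(chain):
    """Did any hop in this chain run through our own server?"""
    return any(host in hop for hop in chain for host in LOCAL_HOSTS)


def classify_bounce(raw):
    """Return a dict describing the bounce and a verdict string."""
    outer, original = split_bounce(raw)
    failed = outer.get("X-Failed-Recipients", "")
    result = {
        "is_dsn": is_dsn(outer),
        "failed_recipients": [a.strip() for a in failed.split(",") if a.strip()],
        "claimed_sender": None, "origin_ip": None,
        "passed_through_local": None, "verdict": None,
    }
    if not result["is_dsn"]:
        result["verdict"] = "not-a-dsn"
        return result
    if original is None:
        result["verdict"] = "dsn-without-copy"  # nothing to verify against
        return result
    sender = parseaddr(original.get("Return-path") or original.get("From", ""))[1].lower()
    chain = received_chain(original)
    result["claimed_sender"] = sender
    # The oldest hop is the last Received: header; its bracketed IP is the injection point.
    if chain:
        m = IP_RE.search(chain[-1])
        result["origin_ip"] = m.group(1) if m else None
    result["passed_through_local"] = passed_through_local(chain)
    claims_us = sender.endswith(tuple("@" + d for d in LOCAL_DOMAINS))
    if result["passed_through_local"]:
        result["verdict"] = "genuine-bounce"    # we really sent it
    elif claims_us:
        result["verdict"] = "backscatter"       # our domain was forged as sender
    else:
        result["verdict"] = "misdirected-dsn"
    return result


if __name__ == "__main__":
    print(classify_bounce(SAMPLE_BOUNCE))
```

The check only trusts the outer DSN for what it is (a bounce) and judges origin from the quoted original's Received: chain; a DSN whose original did go through the local server is left alone, so real bounces of mail sent by local users are not discarded.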

p-jones
Admin account gets spammed with failure notices
« Reply #5 on: May 22, 2005, 12:53:32 PM »
Looks to me like the work of a masquerading virus. A virus in someone else's computer randomly sending emails and pretending to be a user at your domain.

There are a few about at the moment (yet I just cannot bring a name to mind at this instant, the latest Sober-I I think) - splits the user and the domain from an address book, then adds various users to that domain and sends an email with an attached virus. Some will be valid users, some won't. Some mail servers will reject non valid users, some will transfer the emails of non valid users to the postmaster or a designated valid user. Some anti-social mailservers will just delete them and do nothing more about it.

Like I said before - not you but someone who has your address in their address book is the culprit and has been hit....

I wouldn't worry about it. I get a few like this every day. At work, with 600+ users we are getting thousands per day.
...

p-jones
Admin account gets spammed with failure notices
« Reply #6 on: May 22, 2005, 12:59:20 PM »
In fact, if you have a look in your setup panel, you have an option there to send emails for unknown users to the administrator and immediately above that, you define the administrator - I bet on your server, that is you.

Try creating a dummy user and send those emails to that user. I bet all the emails you are questioning disappear from your mailbox - along with other useful administrative messages.
...

Beast

Admin account gets spammed with failure notices
« Reply #7 on: May 22, 2005, 03:03:07 PM »
Problem is that I like the "catch-all" feature!

Will not give my private e-mail address away on the web but create a user on the fly. It will reach me because I forward all unknown mails to my private account. This way I can easily ban a specific e-mail account if it is abused. I can also see where it comes from if I give the user I "create" on the fly a name that reflects the site where I give it away.

But it does not protect me against this ;-)

Drifting
Admin account gets spammed with failure notices
« Reply #8 on: May 22, 2005, 03:09:12 PM »
We are getting the same thing, thousands of them in the admin mailbox. Did set it to return the mail, but it was sending out thousands!!

It's not a virus or worm, it's mail coming in wrongly addressed and then bounced back out.

Wish there was an option to delete bounced mail, or just set it not to send an NDR. (I know how to do that in Exchange, but not SME)

I would appreciate knowing how I can stop this, and also how I might delete the mail queues easily. I have loaded QMhandle, but it takes ages to get rid of the rogue email. (Did a quick search on Contribs, but found nothing on deleting the queues.)

Drift.
Infamy, Infamy, they all have it in for me!

Beast

Admin account gets spammed with failure notices
« Reply #9 on: May 22, 2005, 04:15:22 PM »
It is virus/spam or a combination - not bouncing etc.

Look at the posted mail message.

I have registered the domain name and know all user accounts on the server - I live in Denmark and all the "from" accounts are with English names etc.

Beast

Admin account gets spammed with failure notices
« Reply #10 on: May 23, 2005, 08:01:09 PM »
Is there a way to avoid the failure mails and not disable the forwarding of administrative mails in general?

Block all non-valid user names?

raem
...

raem
Admin account gets spammed with failure notices
« Reply #12 on: May 24, 2005, 08:55:51 AM »
Forgot to add:
If messages to invalid addresses are your problem, see
"Control mail to multiple virtual domains & invalid addresses & configure mail blocking rules" at
http://www.dungog.net/sme/files/index.php
dungog-mailblocking-1.0-4.noarch.rpm
...

Beast

Admin account gets spammed with failure notices
« Reply #13 on: May 24, 2005, 09:35:18 AM »
Great - have installed it and have created the following rules in the "to" field.

Accept: user@problemdomain.dk
Reject: *@problemdomain.dk

Will see if it works OK

Thanks!

raem
Admin account gets spammed with failure notices
« Reply #14 on: May 24, 2005, 10:00:30 AM »
Note also that that contrib by default rejects messages sent to invalid addresses on your server.
...
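The two rules Beast entered in Reply #13, together with raem's note in Reply #14 that the contrib rejects invalid addresses by default and p-jones's description of the panel option that forwards unknown users to the administrator, can be modelled as a single RCPT TO decision. The point worth seeing in code is that a recipient refused with 550 during the SMTP dialogue never produces a bounce from this server, whereas the catch-all accepts the mail and lands it in admin's mailbox. This is an added example, not code from the thread and not the dungog-mailblocking contrib; it assumes rules are evaluated top-down with the first match winning, and the mailbox lists and recipient batch are constructed.

```python
"""RCPT-time policy model for a domain flooded with forged-sender bounces (added example)."""
from collections import Counter
from fnmatch import fnmatchcase

LOCAL_USERS = {                       # constructed: which local parts really exist
    "problemdomain.dk": {"user"},
    "noname.dk": {"admin", "noname"},
}
ADMIN = "admin@noname.dk"             # the administrator chosen in the server panel (assumed)

# The rules from Reply #13, as (action, glob matched against the "to" address).
THREAD_RULES = (
    ("Accept", "user@problemdomain.dk"),
    ("Reject", "*@problemdomain.dk"),
)

# Constructed batch of envelope recipients seen on the flooded server.
SAMPLE_RCPTS = [
    "averycartwrightyf@problemdomain.dk",   # random forged local part from the bounces
    "user@problemdomain.dk",                # the one real mailbox in that domain
    "bogus@problemdomain.dk",               # another invented local part
    "admin@noname.dk",                      # legitimate administrative mail
]


def first_matching_rule(rcpt, rules):
    """Top-down scan; first matching rule wins (assumption about the contrib)."""
    for action, pattern in rules:
        if fnmatchcase(rcpt, pattern.lower()):
            return action
    return None


def rcpt_decision(rcpt, rules=(), forward_unknown_to_admin=True):
    """Answer for RCPT TO:<rcpt>: (250, mailbox) or (550, None).

    A 550 here is given inside the SMTP dialogue, so this server never has to
    create a delivery failure notice for that recipient."""
    rcpt = rcpt.lower()
    local, _, domain = rcpt.rpartition("@")
    if domain not in LOCAL_USERS:
        return 550, None                  # not a hosted domain: no relaying
    action = first_matching_rule(rcpt, rules)
    if action == "Reject":
        return 550, None                  # blocked by rule, no bounce generated
    if local in LOCAL_USERS[domain]:
        return 250, rcpt                  # real mailbox ("Accept" just ends the scan)
    if forward_unknown_to_admin:
        return 250, ADMIN                 # the catch-all that fills admin's inbox
    return 550, None                      # unknown user refused at RCPT time


def simulate(rcpts, rules=(), forward_unknown_to_admin=True):
    """Count outcomes over a batch of recipients."""
    outcome = Counter()
    for r in rcpts:
        code, box = rcpt_decision(r, rules, forward_unknown_to_admin)
        if code == 550:
            outcome["rejected"] += 1
        elif box == ADMIN and r.lower() != ADMIN:
            outcome["catch-all to admin"] += 1
        else:
            outcome["delivered"] += 1
    return dict(outcome)


if __name__ == "__main__":
    print("no rules, catch-all on:", simulate(SAMPLE_RCPTS))
    print("thread rules:          ", simulate(SAMPLE_RCPTS, THREAD_RULES))
    print("rules reversed:        ", rcpt_decision("user@problemdomain.dk",
                                                   tuple(reversed(THREAD_RULES))))
```

With the thread's rules the invented local parts are refused before any data is accepted, so nothing is queued and nothing has to be returned, while user@problemdomain.dk and the noname.dk mailboxes are unaffected. Reversing the two rules makes the wildcard Reject match first and refuses user@ as well, which is why the specific Accept has to sit above the wildcard Reject under a first-match ordering.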