Detailed headers from Server?

Hi,

I feel I am having problems with sending SPAM. I test my smtp relay and it passes using multiple online testers. Yet... I am beginning to get blocked from some other servers. I do see multiple mails in my smtp log from chase.com, bankofamerica.com, for example, to lists of users. I have blocked both chase.com and bankofamerica.com (I wish I could also do that at home with their junk snail mail) anyway... I digress... I can't seem to figure out how they are getting through. Is there a way to find more detailed header info than what I see in the log (set to debug at this point) and the mail queue?

thanks,

mike

Mac OS X (10.5.6)

Posted on Jan 13, 2009 8:10 AM


Jan 13, 2009 8:27 AM in response to mikereynolds

All the information you need is in the logs (and in the full headers of an e-mail - easier to read, but less complete).

I am beginning to get blocked from some other servers.

Who blocks you? What rejection message do you get?

I do see multiple mails in my smtp log from chase.com, bankofamerica.com, for example, to lists of users.

You say they show being FROM those domains, yet outgoing on your server?
If yes, check the logs to see where they originate. Could simply be a form of backscatter, but could also mean one of your clients or your server is compromised.

If in doubt, post relevant log excerpts and the output of postconf -n

Jan 13, 2009 8:41 AM in response to pterobyte

Thanks for your help:

Who's blocking:
---
Jan 13 11:27:08 mail postfix/smtp[12002]: 7202F2D70EAA: to=<dtordoff@projo.com>, relay=none, delay=2108, delays=2107/0.01/0.39/0, dsn=4.4.1, status=deferred (connect to cluster9.us.messagelabs.com[216.82.254.51]: Connection refused)
---
Jan 13 09:57:23 mail postfix/smtp[9350]: 197392D6D0EE: to=<tracy_stalzer@allyou.com>, relay=none, delay=6919, delays=6918/0.18/0.52/0, dsn=4.4.1, status=deferred (connect to cluster9.us.messagelabs.com[216.82.242.19]: Connection refused)
---


Some Entries of concern
---
Jan 13 09:57:36 mail postfix/smtp[9368]: A07E82D6F14C: to=<obedhurtado@yahoo.com>, relay=d.mx.mail.yahoo.com[66.196.82.7]:25, delay=2241, delays=2228/0.06/13/0, dsn=4.7.0, status=deferred (host d.mx.mail.yahoo.com[66.196.82.7] refused to talk to me: 421 4.7.0 [TS01] Messages from 74.94.176.132 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
---

Jan 13 10:40:34 mail postfix/smtp[10562]: 5DA5A2D70203: to=<onlinebanking@alert.bankofamerica.com>, relay=alert.bankofamerica.com[63.251.12.137]:25, delay=1991, delays=1965/1.3/24/0.73, dsn=2.0.0, status=sent (250 ok 1231861235 qp 13321)
Jan 13 10:40:36 mail postfix/smtp[10557]: 2FA742D70828: to=<onlinebanking@alert.bankofamerica.com>, relay=alert.bankofamerica.com[63.251.12.137]:25, delay=465, delays=436/1.1/27/0.86, dsn=2.0.0, status=sent (250 ok 1231861236 qp 15491)
Jan 13 10:40:39 mail postfix/smtp[10570]: connect to alert.bankofamerica.com[63.251.12.137]: Operation timed out (port 25)
Jan 13 10:40:39 mail postfix/smtp[10570]: 91F382D70888: to=<onlinebanking@alert.bankofamerica.com>, relay=none, delay=399, delays=369/0.17/30/0, dsn=4.4.1, status=deferred (connect to alert.bankofamerica.com[63.251.12.137]: Operation timed out)
Jan 13 10:40:42 mail postfix/smtp[10560]: connect to alert.bankofamerica.com[63.251.12.137]: Operation timed out (port 25)
Jan 13 10:40:42 mail postfix/smtp[10560]: E608F2D70A5B: to=<onlinebanking@alert.bankofamerica.com>, relay=none, delay=30, delays=0.22/0.02/30/0, dsn=4.4.1, status=deferred (connect to alert.bankofamerica.com[63.251.12.137]: Operation timed out)
---
Jan 13 09:17:07 mail postfix/smtp[8057]: AF1A92D6EF76: to=<nightwind@bignet.net>, relay=mail.bignet.net[65.61.49.215]:25, delay=0.94, delays=0.07/0.01/0.74/0.12, dsn=5.7.1, status=bounced (host mail.bignet.net[65.61.49.215] said: 550 5.7.1 Client host rejected: Please see http://spf.pobox.com/why.html?sender=onlinebanking%40alert.bankofamerica.com&ip= 74.94.176.132&receiver= (in reply to MAIL FROM command))
---

postconf -n results

---
alias_maps = hash:/etc/aliases
always_bcc = stpmailadmin@stevensprograms.org
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
html_directory = no
inet_interfaces = all
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 52428800
mydestination = $myhostname,localhost.$mydomain,localhost,mail,stevenshome.org,mail.stevenshome.org,mail.stevensprograms.org,stevensprograms.org
mydomain = stevensprograms.org
mydomain_fallback = localhost
myhostname = mail.stevensprograms.org
mynetworks = 127.0.0.1/32,74.94.176.132
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = hash:/etc/postfix/smtpdreject permit_mynetworks reject_rbl_client sbl.spamhaus.org permit
smtpd_pw_server_security_options = login,plain
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = yes
smtpd_tls_key_file =
smtpd_use_pw_server = yes
unknown_local_recipient_reject_code = 550
----

And I have cleared my mail queue, but the To address and From address were not any emails of mine. The To would read something like user1@domain.com, user1a@domain.com, etc., and the From was something@alert.bankofamerica.com, and there were 200+ that I cleared this morning.

thanks again,

mike

Jan 13, 2009 9:06 AM in response to mikereynolds

Your server is not an open relay, but it certainly looks like those messages originate on your server.

Either your server got compromised, or a mail client allowed to send through your mail server did.

To find out which of the 2, you should go through the logs and see where those messages originate. Look at one of the entries you posted and go backwards in the logs. You will notice that the log entries have a process number and a queue ID. Following them backwards, you should see which IP (your server, your client) sent it.

Also, immediately change ALL passwords of ALL users and make sure they are strong ones.

HTH,
Alex

P.S. Your DNS servers need fixing too (unrelated to your issue). .131 allows for recursive lookups and is also a lame nameserver.

Jan 13, 2009 9:18 AM in response to pterobyte

Thanks again.

What would be the process ID 10562 in the following example? This is all I get when I search the logs for 10562.
--
Jan 13 10:40:34 mail postfix/smtp[10562]: 5DA5A2D70203: to=<onlinebanking@alert.bankofamerica.com>, relay=alert.bankofamerica.com[63.251.12.137]:25, delay=1991, delays=1965/1.3/24/0.73, dsn=2.0.0, status=sent (250 ok 1231861235 qp 13321)
--


Also when I search 5DA5A2D70203 I get this:
---
Jan 13 10:07:23 mail postfix/cleanup[9576]: 5DA5A2D70203: message-id=<20090113150723.5DA5A2D70203@mail.stevensprograms.org>
Jan 13 10:07:23 mail postfix/bounce[9573]: 0243A2D6EA18: sender non-delivery notification: 5DA5A2D70203
Jan 13 10:07:23 mail postfix/qmgr[5634]: 5DA5A2D70203: from=<>, size=21200, nrcpt=1 (queue active)
Jan 13 10:07:23 mail postfix/qmgr[5634]: 5DA5A2D70203: to=<onlinebanking@alert.bankofamerica.com>, relay=none, delay=0.07, delays=0.04/0.03/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to alert.bankofamerica.com[63.251.12.137]: Operation timed out)
Jan 13 10:12:22 mail postfix/qmgr[5634]: 5DA5A2D70203: from=<>, size=21200, nrcpt=1 (queue active)
Jan 13 10:13:32 mail postfix/smtp[9690]: 5DA5A2D70203: to=<onlinebanking@alert.bankofamerica.com>, relay=none, delay=369, delays=299/39/31/0, dsn=4.4.1, status=deferred (connect to alert.bankofamerica.com[63.251.12.137]: Operation timed out)
Jan 13 10:22:22 mail postfix/qmgr[5634]: 5DA5A2D70203: from=<>, size=21200, nrcpt=1 (queue active)
Jan 13 10:22:52 mail postfix/qmgr[5634]: 5DA5A2D70203: to=<onlinebanking@alert.bankofamerica.com>, relay=none, delay=929, delays=899/30/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to alert.bankofamerica.com[63.251.12.137]: Operation timed out)
Jan 13 10:40:08 mail postfix/qmgr[10549]: 5DA5A2D70203: from=<>, size=21200, nrcpt=1 (queue active)
Jan 13 10:40:34 mail postfix/smtp[10562]: 5DA5A2D70203: to=<onlinebanking@alert.bankofamerica.com>, relay=alert.bankofamerica.com[63.251.12.137]:25, delay=1991, delays=1965/1.3/24/0.73, dsn=2.0.0, status=sent (250 ok 1231861235 qp 13321)
Jan 13 10:40:34 mail postfix/qmgr[10549]: 5DA5A2D70203: removed
---

I still can't see where it originated from... what am I missing here?

Thanks,

mike

PS: thanks about .131

Jan 13, 2009 9:25 AM in response to mikereynolds

You need to look further up; this is already the bounce message. You need to find which IP of yours sent it. It could be that the log rotated (the default log size in Leopard is ridiculously low).
You will find the last 5 rotations inside /var/log/

Alternatively, find the messages in the queue:
/var/spool/postfix/defer/firstletterofqueueID/queueID
/var/spool/postfix/deferred/firstletterofqueueID/queueID

You can look at them in a text editor.

(Do not access those directories through the finder. Only use terminal.)
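To trace a queue ID back to where it entered Postfix the way Alex describes in the two replies above, here is an added Python example (not code from the thread or from Apple): it follows the `sender non-delivery notification` link from the bounce's queue ID to the original message, then reads that message's `smtpd` `client=` record (or a `pickup` record, meaning local submission on the server). The sample log is constructed around the entries Mike posted; the `smtpd` line, its address 192.0.2.10 and the SASL user `jdoe` are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log: the bounce link and queue IDs mirror the lines posted in
# this thread; the smtpd "client=" record, its IP and SASL user are assumptions.
SAMPLE_LOG = """\
Jan 13 10:07:22 mail postfix/smtpd[9570]: 0243A2D6EA18: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=jdoe
Jan 13 10:07:22 mail postfix/qmgr[5634]: 0243A2D6EA18: from=<onlinebanking@alert.bankofamerica.com>, size=2100, nrcpt=1 (queue active)
Jan 13 10:07:23 mail postfix/smtp[9580]: 0243A2D6EA18: to=<user1@example.invalid>, relay=mx.example.invalid[198.51.100.5]:25, dsn=5.1.1, status=bounced (550 no such user)
Jan 13 10:07:23 mail postfix/cleanup[9576]: 5DA5A2D70203: message-id=<20090113150723.5DA5A2D70203@mail.stevensprograms.org>
Jan 13 10:07:23 mail postfix/bounce[9573]: 0243A2D6EA18: sender non-delivery notification: 5DA5A2D70203
Jan 13 10:07:23 mail postfix/qmgr[5634]: 5DA5A2D70203: from=<>, size=21200, nrcpt=1 (queue active)
Jan 13 10:40:34 mail postfix/smtp[10562]: 5DA5A2D70203: to=<onlinebanking@alert.bankofamerica.com>, relay=alert.bankofamerica.com[63.251.12.137]:25, dsn=2.0.0, status=sent (250 ok)
"""
LINE_RE = re.compile(r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
# bounce(8) links a non-delivery report (child) to the message it reports on.
BOUNCE_RE = re.compile(r"sender non-delivery notification: (?P<child>[0-9A-F]+)")
CLIENT_RE = re.compile(r"client=(?P<host>[^\[,]+)\[(?P<ip>[^\]]+)\](?:.*sasl_username=(?P<user>\S+))?")

def index_log(text):
    """Group records by queue ID and map each bounce queue ID to its parent message."""
    by_qid, parent_of = defaultdict(list), {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # connection errors etc. carry no queue ID
        by_qid[m["qid"]].append((m["prog"], m["rest"]))
        b = BOUNCE_RE.search(m["rest"]) if m["prog"] == "bounce" else None
        if b:
            parent_of[b["child"]] = m["qid"]
    return by_qid, parent_of

def trace_origin(text, qid):
    """Follow bounces back to the original message and report how it entered Postfix."""
    by_qid, parent_of = index_log(text)
    chain = [qid]
    while chain[-1] in parent_of and len(chain) < 10:
        chain.append(parent_of[chain[-1]])
    result = {"chain": chain, "source": None, "ip": None, "sasl_user": None}
    for prog, rest in by_qid.get(chain[-1], []):
        if prog == "smtpd" and (c := CLIENT_RE.search(rest)):
            # Arrived over SMTP: this client (your server or one of your users) injected it.
            result.update(source="smtpd", ip=c["ip"], sasl_user=c["user"])
            break
        if prog == "pickup":
            # Submitted locally through sendmail(1): a process on the server itself.
            result["source"] = "pickup"
            break
    return result
```

Run it against the concatenated current and rotated mail.log files, since the originating record may sit in an earlier rotation than the bounce.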
