[Mailman-Users] investigating attack-like "mail failures"

Brad Knowles brad at stop.mail-abuse.org
Sun Mar 13 15:40:17 CET 2005

At 11:40 AM +0000 2005-03-13, Nick Levine wrote:

>      /var/log/maillog:
>      Mar 13 02:56:28 bibop postfix/smtpd[17886]: connect from 
>      Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: 
>      Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: 
>reject: RCPT from localhost[]: 450 <beverley at alu.org>: User 
>unknown in local recipient table; 
>from=<alu-board-only-bounces at alu.org> to=<beverley at alu.org> 
>proto=ESMTP helo=<bibop.alu.org>
>      Mar 13 02:56:29 bibop postfix/smtpd[17886]: disconnect from 
>      /usr/local/mailman/smtp-failure:
>      Mar 13 02:56:29 2005 (2547) All recipients refused: 
>{'beverley at alu.org': (450, '<beverley at alu.org>: User unknown in 
>local recipient table')}, msgid: 
><mailman.6.1110619218.2549.alu-board-only at alu.org>
>      Mar 13 02:56:29 2005 (2547) delivery to beverley at alu.org failed 
>with code 450: <beverley at alu.org>: User unknown in local recipient 
>      /usr/local/mailman/smtp:
>      Mar 13 02:56:29 2005 (2547) 
><mailman.6.1110619218.2549.alu-board-only at alu.org> smtp for 1 
>recips, completed in 1.027 seconds
>      /usr/local/mailman/post:
>      Mar 13 02:56:29 2005 (2547) post to alu-board-only from 
>alu-board-only-bounces at alu.org, size=1066, 
>message-id=<mailman.6.1110619218.2549.alu-board-only at alu.org>, 1 
>  What I'd like to know is where (and from apparently who) this message
>  originated, but I can't figure out from these logs what's going on.

	It looks to me like someone sent an e-mail message from 
beverley at alu.org to alu-board-only at alu.org, but there was an error 
(maybe this list is set up to reject messages from non-subscribers?), 
so Mailman tried to send an error back to beverley at alu.org.  What 
you're seeing here is the bounce of that error message.

	If you really want to understand what happened, you have to go 
back an additional step -- you've got to find where someone claimed 
to be beverley at alu.org and sent the message to alu-board-only at alu.org.

>  It looks like an attempt from the Outgoing qrunner to send mail to
>  alu-board-only (hence the alu-board-only-bounces return address), with
>  beverley at alu.org as one of the addressees, which doesn't make sense.

	Actually, it's the other way around.  See above.
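One way to automate the step described above, as an added example that is not part of the thread: read the Mailman smtp-failure entry, confirm from the Postfix reject line that what failed was the list's own "-bounces" notice, then go back one step to the inbound message that claimed the same sender. The log lines are constructed with placeholder hosts and addresses, and the regexes assume this Postfix log layout.

```python
import re

# Constructed sample logs (not from the original post; placeholder hosts and
# addresses). The first four maillog lines are the earlier inbound message
# that the reply says you have to go back to.
MAILLOG = """\
Mar 13 02:56:20 bibop postfix/smtpd[17880]: 9A8B712CCE0: client=unknown[192.0.2.10]
Mar 13 02:56:20 bibop postfix/cleanup[17881]: 9A8B712CCE0: message-id=<x1@mail.example.net>
Mar 13 02:56:21 bibop postfix/qmgr[1209]: 9A8B712CCE0: from=<beverley@example.org>, size=2048, nrcpt=1 (queue active)
Mar 13 02:56:21 bibop postfix/local[17882]: 9A8B712CCE0: to=<board-only@example.org>, relay=local, status=sent (delivered to command: mailman post board-only)
Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: reject: RCPT from localhost[127.0.0.1]: 450 <beverley@example.org>: User unknown in local recipient table; from=<board-only-bounces@example.org> to=<beverley@example.org> proto=ESMTP helo=<bibop.example.org>
"""
SMTP_FAILURE = ("Mar 13 02:56:29 2005 (2547) delivery to beverley@example.org failed "
                "with code 450: <beverley@example.org>: User unknown in local recipient table")

def trace_bounce(maillog, failure_line):
    """Work backwards from a Mailman smtp-failure entry to the message that started it."""
    m = re.search(r"delivery to (\S+) failed with code (\d+)", failure_line)
    if not m:
        return None
    rcpt, code = m.group(1), int(m.group(2))
    report = {"failed_recipient": rcpt, "code": code, "notice_sender": None,
              "list": None, "client": None, "original_to": None}
    lines = maillog.splitlines()
    # Step 1: the reject line carries the envelope sender of what failed. A
    # "<list>-bounces@" sender means it was Mailman's own notice that bounced.
    for line in lines:
        r = re.search(r"reject: RCPT from \S+: \d+ .*from=<([^>]*)> to=<([^>]*)>", line)
        if r and r.group(2) == rcpt:
            report["notice_sender"] = r.group(1)
            if "-bounces@" in r.group(1):
                report["list"] = r.group(1).split("-bounces@")[0]
    # Step 2: find the queue id(s) of the earlier message that claimed to be from
    # the now-failing recipient, then the submitting client and its destination.
    qids = set()
    for line in lines:
        q = re.search(r"qmgr\[\d+\]: (\w+): from=<([^>]*)>", line)
        if q and q.group(2) == rcpt:
            qids.add(q.group(1))
    for line in lines:
        q = re.match(r".*?: (\w+): (client=(\S+)|to=<([^>]*)>)", line)
        if q and q.group(1) in qids:
            if q.group(3):
                report["client"] = q.group(3)
            elif q.group(4):
                report["original_to"] = q.group(4)
    return report

if __name__ == "__main__":
    print(trace_bounce(MAILLOG, SMTP_FAILURE))
```

The resulting "client" field is the host that actually submitted the message claiming to be from the failing address, which is the origin the question was asking for.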

