[Mailman-Users] investigating attack-like "mailfailures"

Mark Sapiro msapiro at value.net
Sun Mar 13 17:06:28 CET 2005


Brad Knowles wrote:

>At 11:40 AM +0000 2005-03-13, Nick Levine wrote:
>
>>      /var/log/maillog:
>>      Mar 13 02:56:28 bibop postfix/smtpd[17886]: connect from 
>>localhost[127.0.0.1]
>>      Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: 
>>client=localhost[127.0.0.1]
>>      Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: 
>>reject: RCPT from localhost[127.0.0.1]: 450 <beverley at alu.org>: User 
>>unknown in local recipient table; 
>>from=<alu-board-only-bounces at alu.org> to=<beverley at alu.org> 
>>proto=ESMTP helo=<bibop.alu.org>
>>      Mar 13 02:56:29 bibop postfix/smtpd[17886]: disconnect from 
>>localhost[127.0.0.1]
>>
>>      /usr/local/mailman/smtp-failure:
>>      Mar 13 02:56:29 2005 (2547) All recipients refused: 
>>{'beverley at alu.org': (450, '<beverley at alu.org>: User unknown in 
>>local recipient table')}, msgid: 
>><mailman.6.1110619218.2549.alu-board-only at alu.org>
>>      Mar 13 02:56:29 2005 (2547) delivery to beverley at alu.org failed 
>>with code 450: <beverley at alu.org>: User unknown in local recipient 
>>table
>>
>>      /usr/local/mailman/smtp:
>>      Mar 13 02:56:29 2005 (2547) 
>><mailman.6.1110619218.2549.alu-board-only at alu.org> smtp for 1 
>>recips, completed in 1.027 seconds
>>
>>      /usr/local/mailman/post:
>>      Mar 13 02:56:29 2005 (2547) post to alu-board-only from 
>>alu-board-only-bounces at alu.org, size=1066, 
>>message-id=<mailman.6.1110619218.2549.alu-board-only at alu.org>, 1 
>>failures
>>
>>  What I'd like to know is where (and from apparently who) this message
>>  originated, but I can't figure out from these logs what's going on.
>
>	It looks to me like someone sent an e-mail message from 
>beverley at alu.org to alu-board-only at alu.org, but there was an error 
>(maybe this list is set up to reject messages from non-subscribers?), 
>so Mailman tried to send an error back to beverley at alu.org.  What 
>you're seeing here is the bounce of that error message.
>

I agree with Brad that this is most likely, and if it is the case that
non-member posts are rejected, you could temporarily change that to
"hold" and then you can see the headers of the held message which will
give more info.

--
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
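
The correlation done by eye in this thread, as an added example (not code from either poster or from the Mailman project): it joins Mailman's smtp-failure and post log entries on message-id, flags messages Mailman generated itself, and decodes the creation time embedded in the id so it can be compared with the log timestamp. The sample lines are constructed with placeholder addresses, and the id layout mailman.<counter>.<epoch>.<pid>.<list>@<host> is an assumption based on Mailman 2.1.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines modelled on the quoted logs (unwrapped, placeholder addresses).
SMTP_FAILURE = [
    "Mar 13 02:56:29 2005 (2547) All recipients refused: "
    "{'user@example.org': (450, '<user@example.org>: User unknown in local recipient table')}, "
    "msgid: <mailman.6.1110619218.2549.demo-list@example.org>",
]
POST = [
    "Mar 13 02:56:29 2005 (2547) post to demo-list from demo-list-bounces@example.org, "
    "size=1066, message-id=<mailman.6.1110619218.2549.demo-list@example.org>, 1 failures",
]

REFUSED = re.compile(r"All recipients refused: (\{.*\}), msgid: (<[^>]+>)")
POSTED = re.compile(r"post to (\S+) from (\S+), size=\d+, message-id=(<[^>]+>), (\d+) failures")
REFUSAL = re.compile(r"'([^']+)': \((\d{3}),")
# Assumed layout of a Mailman-generated id: mailman.<counter>.<epoch>.<pid>.<list>@<host>
GENERATED = re.compile(r"<mailman\.\d+\.(\d+)\.\d+\.([^@]+)@[^>]+>")

def correlate(smtp_failure, post):
    """Join smtp-failure and post entries on message-id; return one record per id."""
    records = {}
    for line in post:
        m = POSTED.search(line)
        if m:
            listname, sender, msgid, failures = m.groups()
            records[msgid] = {"list": listname, "sender": sender,
                              "failures": int(failures), "refused": {}}
    for line in smtp_failure:
        m = REFUSED.search(line)
        if m:
            rec = records.setdefault(m.group(2), {"refused": {}})
            rec["refused"].update({a: int(c) for a, c in REFUSAL.findall(m.group(1))})
    for msgid, rec in records.items():
        g = GENERATED.fullmatch(msgid)
        # A mailman.* id plus a -bounces sender means Mailman wrote the message itself.
        rec["mailman_generated"] = (bool(g) and
            rec.get("sender", "").split("@")[0].endswith("-bounces"))
        rec["created_utc"] = (datetime.fromtimestamp(int(g.group(1)), timezone.utc)
                              .isoformat() if g else None)
        # 4xx is a temporary refusal, so the same id can reappear on later retries.
        rec["temporary"] = bool(rec["refused"]) and all(400 <= c < 500 for c in rec["refused"].values())
    return records

if __name__ == "__main__":
    for msgid, rec in correlate(SMTP_FAILURE, POST).items():
        print(msgid, rec)
```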



