Re: Very Odd

Re: Very Odd
Fri, 14 Mar 2008 14:58:05 -070
User wrote:
> I have a user, let's say joe@myserver.com

I interpret this to mean that you administer a mailserver and its logs
at myserver.com

> and periodically I notice
> spam going to joexxxx@myserver.com that of course is being rejected
> as "user unknown".

... and to further mean that the server is configured to not
promiscuously accept mail 'addressed' (to be defined) to nonusers at
myserver.com.  Where 'addressed' means that the server rejects the
transaction which sez RCPT TO a nonuser address.  I don't know what the
server might do if there are numerous RCPT TO addresses some of which
are users and some of which are non-users.  So you are describing what
you see when you examine the server's logs of rejected transactions.

> It only happens to "Joe", no other user.
>
> Since midnight last night the incoming log shows 26,508 of these
> messages to Joexxxx@myserver.com
>
> Where xxxx is a random 4-letter addition.

I'm imagining some kind of borken malware spamtrojan which is 'stuck on'
various permutations of a particular username at myserver.com.

> Joe has no idea and does not employ any sort of anti-spam device that
> would be responsible for this.

I can't imagine what that sentence means.

> Only "clue" I can provide is that all emails are being "rejected" as
> well by the various RBL's including bl.spamcop.net among others such as
> spamhaus for example.

How does a mail get rejected by more than one mechanism?  Isn't there a
sequence that if a mail is rejected by one mechanism, such as 'user
unknown' that it wouldn't proceed to the next mechanism, such as
checking to see if the sending IP is blocklisted.


-- 
Mike Easter
kibitzer, not SC admin
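Mike's reading of the situation above (the server refusing RCPT TO for non-users, and the admin counting those refusals in the log) can be turned into a small detector for exactly this joexxxx pattern. This is an added example, not code from the thread or from SpamCop; the log line format, the known-user list, the 4-letter suffix length and the sample lines are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample reject lines (hypothetical generic MTA format, not any real server's).
SAMPLE_LOG = """\
Mar 14 00:01:12 mx reject: RCPT from 192.0.2.10 <joeqwzx@myserver.com> 550 user unknown
Mar 14 00:01:13 mx reject: RCPT from 192.0.2.10 <Joeplkm@myserver.com> 550 user unknown
Mar 14 00:01:15 mx reject: RCPT from 198.51.100.7 <joehtyu@myserver.com> 550 user unknown
Mar 14 00:01:19 mx reject: RCPT from 192.0.2.10 <joeqwzx@myserver.com> 550 user unknown
Mar 14 00:02:02 mx reject: RCPT from 203.0.113.5 <alice2008@myserver.com> 550 user unknown
Mar 14 00:02:40 mx reject: RCPT from 203.0.113.5 <bobxyzq@myserver.com> 550 user unknown
"""
KNOWN_USERS = {"joe", "alice"}  # constructed: the valid local parts on this server

REJECT_RE = re.compile(r"RCPT from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
                       r"<(?P<local>[^@>]+)@(?P<domain>[^>]+)> 550 user unknown")

def parse_rejects(log_text):
    """Yield (client_ip, local_part, domain) for every 'user unknown' reject line."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("local"), m.group("domain")

def suffix_enumeration(rejects, known_users, suffix_len=4):
    """Group rejects whose local part is a known user plus exactly suffix_len letters,
    the joexxxx shape from the thread.  Case-insensitive, so 'Joeplkm' counts for 'joe'."""
    hits = defaultdict(lambda: {"count": 0, "suffixes": set(), "sources": Counter()})
    for ip, local, _domain in rejects:
        local = local.lower()
        for base in known_users:
            suffix = local[len(base):]
            if local.startswith(base) and len(suffix) == suffix_len and suffix.isalpha():
                hits[base]["count"] += 1
                hits[base]["suffixes"].add(suffix)
                hits[base]["sources"][ip] += 1
    return dict(hits)

def flag_targets(hits, threshold):
    """Base users whose suffix-enumeration reject count meets the threshold, busiest first."""
    return sorted((b for b, h in hits.items() if h["count"] >= threshold),
                  key=lambda b: -hits[b]["count"])

if __name__ == "__main__":
    found = suffix_enumeration(parse_rejects(SAMPLE_LOG), KNOWN_USERS)
    for base in flag_targets(found, threshold=3):
        h = found[base]
        print(base, h["count"], sorted(h["suffixes"]), h["sources"].most_common(1))
```

Over the constructed sample only "joe" is flagged (four rejects, three distinct suffixes, mostly from one client); "alice2008" and the unknown "bob" are left alone, which is what separates a stuck address generator aimed at one user from ordinary scattered user-unknown noise.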
Very Odd
Fri, 14 Mar 2008 15:39:53 -050
I have a user, let's say joe@myserver.com and periodically I notice spam
going to joexxxx@myserver.com that of course is being rejected as "user
unknown". It only happens to "Joe", no other user.

Since midnight last night the incoming log shows 26,508 of these
messages to Joexxxx@myserver.com

Where xxxx is a random 4-letter addition.

Joe has no idea and does not employ any sort of anti-spam device that
would be responsible for this. Neither do I, only SpamAssassin server-side.

Anybody have a clue ???

Only "clue" I can provide is that all emails are being "rejected" as
well by the various RBL's including bl.spamcop.net among others such as
spamhaus for example.

Re: Very Odd
Sat, 15 Mar 2008 08:39:42 -080
On 3/15/2008 6:36 AM User scribbled:

> On 14.03.2008 16:58, Mike Easter wrote:
> 
>  --- Original Message ---
> 
>> User wrote:
>>> I have a user, let's say joe@myserver.com
>> I interpret this to mean that you administer a mailserver and its logs
>> at myserver.com
> 
> Correct but a different domain name - myserver.com is just for example
> purpose but I suspect you know that already. :-)
> 
>>> and periodically I notice
>>> spam going to joexxxx@myserver.com that of course is being rejected
>>> as "user unknown".
>> ... and to further mean that the server is configured to not
>> promiscuously accept mail 'addressed' (to be defined) to nonusers at
>> myserver.com.  Where 'addressed' means that the server rejects the
>> transaction which sez RCPT TO a nonuser address.  I don't know what the
>> server might do if there are numerous RCPT TO addresses some of which
>> are users and some of which are non-users.  So you are describing what
>> you see when you examine the server's logs of rejected transactions.
> 
> joe@myserver.com is a valid user.
> 
>>> It only happens to "Joe", no other user.
>>>
>>> Since midnight last night the incoming log shows 26,508 of these
>>> messages to Joexxxx@myserver.com
>>>
>>> Where xxxx is a random 4-letter addition.
>> I'm imagining some kind of borken malware spamtrojan which is 'stuck on'
>> various permutations of a particular username at myserver.com.
> 
> I suspect that the user "Joe" either has some sort of goofy anti-spam
> application OR some site he has accessed has some sort of anti-spam
> device setup to add the random 4-letter additions. No idea or clue at my
> end, never saw this before.

How would Joe's anti spam app cause spam to be coming /to/ him?
How would some other site anti spam device be spewing out spam?
Why would you think either?
Why not see this as a spammer using alphabetic address generation
spamware which, as Mike has suggested, is stuck?

> 
>>> Joe has no idea and does not employ any sort of anti-spam device that
>>> would be responsible for this.
>> I can't imagine what that sentence means.
> 
> It means that "Joe" does not use any anti-spam software that would
> generate the aforementioned problem.

see above

> 
>>> Only "clue" I can provide is that all emails are being "rejected" as
>>> well by the various RBL's including bl.spamcop.net among others such as
>>> spamhaus for example.
>> How does a mail get rejected by more than one mechanism?  Isn't there a
>> sequence that if a mail is rejected by one mechanism, such as 'user
>> unknown' that it wouldn't proceed to the next mechanism, such as
>> checking to see if the sending IP is blocklisted.
> 
> Yes, it is first rejected by "user unknown" followed by the rejection
> from the RBL's.
> 
What Mike said was if it is 1st rejected as unknown, then it should not
have been tested any further.  So how does rbl reject get done?
Re: Very Odd
Sat, 15 Mar 2008 09:36:03 -050
On 14.03.2008 16:58, Mike Easter wrote:

 --- Original Message ---

> User wrote:
>> I have a user, let's say joe@myserver.com
> 
> I interpret this to mean that you administer a mailserver and its logs
> at myserver.com

Correct but a different domain name - myserver.com is just for example
purpose but I suspect you know that already. :-)

>> and periodically I notice
>> spam going to joexxxx@myserver.com that of course is being rejected
>> as "user unknown".
> 
> ... and to further mean that the server is configured to not
> promiscuously accept mail 'addressed' (to be defined) to nonusers at
> myserver.com.  Where 'addressed' means that the server rejects the
> transaction which sez RCPT TO a nonuser address.  I don't know what the
> server might do if there are numerous RCPT TO addresses some of which
> are users and some of which are non-users.  So you are describing what
> you see when you examine the server's logs of rejected transactions.

joe@myserver.com is a valid user.

>> It only happens to "Joe", no other user.
>>
>> Since midnight last night the incoming log shows 26,508 of these
>> messages to Joexxxx@myserver.com
>>
>> Where xxxx is a random 4-letter addition.
> 
> I'm imagining some kind of borken malware spamtrojan which is 'stuck on'
> various permutations of a particular username at myserver.com.

I suspect that the user "Joe" either has some sort of goofy anti-spam
application OR some site he has accessed has some sort of anti-spam
device setup to add the random 4-letter additions. No idea or clue at my
end, never saw this before.

>> Joe has no idea and does not employ any sort of anti-spam device that
>> would be responsible for this.
> 
> I can't imagine what that sentence means.

It means that "Joe" does not use any anti-spam software that would
generate the aforementioned problem.

>> Only "clue" I can provide is that all emails are being "rejected" as
>> well by the various RBL's including bl.spamcop.net among others such as
>> spamhaus for example.
> 
> How does a mail get rejected by more than one mechanism?  Isn't there a
> sequence that if a mail is rejected by one mechanism, such as 'user
> unknown' that it wouldn't proceed to the next mechanism, such as
> checking to see if the sending IP is blocklisted.

Yes, it is first rejected by "user unknown" followed by the rejection
from the RBL's.
Re: Very Odd
Sun, 16 Mar 2008 07:36:25 -050
On 15.03.2008 11:39, jg wrote:

 --- Original Message ---

> On 3/15/2008 6:36 AM User scribbled:
> 
>> On 14.03.2008 16:58, Mike Easter wrote:
>> 
>>  --- Original Message ---
>> 
>>> User wrote:
>>>> I have a user, let's say joe@myserver.com
>>> I interpret this to mean that you administer a mailserver and its logs
>>> at myserver.com
>> 
>> Correct but a different domain name - myserver.com is just for example
>> purpose but I suspect you know that already. :-)
>> 
>>>> and periodically I notice
>>>> spam going to joexxxx@myserver.com that of course is being rejected
>>>> as "user unknown".
>>> ... and to further mean that the server is configured to not
>>> promiscuously accept mail 'addressed' (to be defined) to nonusers at
>>> myserver.com.  Where 'addressed' means that the server rejects the
>>> transaction which sez RCPT TO a nonuser address.  I don't know what the
>>> server might do if there are numerous RCPT TO addresses some of which
>>> are users and some of which are non-users.  So you are describing what
>>> you see when you examine the server's logs of rejected transactions.
>> 
>> joe@myserver.com is a valid user.
>> 
>>>> It only happens to "Joe", no other user.
>>>>
>>>> Since midnight last night the incoming log shows 26,508 of these
>>>> messages to Joexxxx@myserver.com
>>>>
>>>> Where xxxx is a random 4-letter addition.
>>> I'm imagining some kind of borken malware spamtrojan which is 'stuck on'
>>> various permutations of a particular username at myserver.com.
>> 
>> I suspect that the user "Joe" either has some sort of goofy anti-spam
>> application OR some site he has accessed has some sort of anti-spam
>> device setup to add the random 4-letter additions. No idea or clue at my
>> end, never saw this before.
> 
> How would Joe's anti spam app cause spam to be coming /to/ him?

He could be using a fake address generation mechanism when he is
required to post his address on a site where he doesn't want to post his
real address. I use an extension in Firefox to do just that. Since it's
obvious I am treading in unknown waters, I have to cover all bases no
matter how stupid it may sound.

> How would some other site anti spam device be spewing out spam?

Didn't say that other sites are spewing out spam, just the thought that
some other site may be responsible for generating fake addresses. Note
my last sentence above.

> Why would you think either?

Note my last sentence in first response above.

> Why not see this as a spammer using alphabetic address generation
> spamware which, as Mike has suggested, is stuck?

Sounds reasonable but we don't know that for sure, that's why I asked in
the first place. I'd like to pin it down to an actual scenario.

>> 
>>>> Joe has no idea and does not employ any sort of anti-spam device that
>>>> would be responsible for this.
>>> I can't imagine what that sentence means.
>> 
>> It means that "Joe" does not use any anti-spam software that would
>> generate the aforementioned problem.
> 
> see above
> 
>> 
>>>> Only "clue" I can provide is that all emails are being "rejected" as
>>>> well by the various RBL's including bl.spamcop.net among others such as
>>>> spamhaus for example.
>>> How does a mail get rejected by more than one mechanism?  Isn't there a
>>> sequence that if a mail is rejected by one mechanism, such as 'user
>>> unknown' that it wouldn't proceed to the next mechanism, such as
>>> checking to see if the sending IP is blocklisted.
>> 
>> Yes, it is first rejected by "user unknown" followed by the rejection
>> from the RBL's.
>> 
> What Mike said was if it is 1st rejected as unknown, then it should not
> have been tested any further.  So how does rbl reject get done?

