Weird email failure messages

This just started happening yesterday. When I send an email using my account, the email gets to where it's supposed to go, but then a couple of hours later, I get a failure notice that says it failed and it looks like it tried to send it to tons of different people. I scanned and I don't have any viruses, so what's going on?

Here is an example of the failure message:

Hi. This is the qmail-send program at mail*.****phere.biz.
I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out.

<[email protected]>:
216.241.21.61 does not like recipient.
Remote host said: 550-"The recipient cannot be verified. Please check all recipients of this 550 message to verify they are valid." Giving up on 216.241.21.61.

<[email protected]>:
146.155.1.152 does not like recipient.
Remote host said: 554 Sorry, no mailbox here by that name. (#5.1.1) Giving up on 146.155.1.152.

<[email protected]>:
Sorry, I couldn't find any host named tte.codelco.cl. (#5.1.2)

<[email protected]>:
Sorry, I couldn't find any host named directo.cl. (#5.1.2)

<[email protected]>:
200.14.80.93 does not like recipient.
Remote host said: 550 (SPF) 204.14.104.85 is not allowed to send mail from gmail.com Giving up on 200.14.80.93.

<[email protected]>:
64.76.145.71 does not like recipient.
Remote host said: 550 5.1.1 <[email protected]>... User unknown Giving up on 64.76.145.71.

<[email protected]>:
66.197.154.245 does not like recipient.
Remote host said: 550 unknown user
Giving up on 66.197.154.245.

<[email protected]>:
66.98.190.71 does not like recipient.
Remote host said: 550 sorry, no mailbox here by that name. (#5.7.17) Giving up on 66.98.190.71.

<[email protected]>:
200.27.29.202 does not like recipient.
Remote host said: 550 <[email protected]>: Recipient address rejected: User unknown in virtual mailbox table Giving up on 200.27.29.202.

...and it keeps going...
 
Yogesh is investigating, and Tanmaya will be looking into it as soon as he comes on shift. There are a few tickets like this.
 
I had a client report the same sort of thing today. Looks like an "alphabet" spambot firing off messages. All the addresses are in alphabetical order. It may be someone trying to find a mail server they can exploit for their purposes.
 
Any explanation of root cause? Can I give my customer any explanation or assurance other than "try it now, I think it's fixed"?
 
Yes it is fixed.
We had a clever spammer basically, that spammed for his life from mail4.

We got rid of him, cleaned the queue and changed the outgoing IP for Mail4 because his activities happened to get the old IP listed at a few places.
 
Clever in the sense that he used a single email to email hundreds of customers.. and after sending 100 such mega emails.. his email address would get blacklisted automatically by our mass mailing prevention system. But he immediately switched to another mail box and began spamming...

And he did this over and over again, through some automated script maybe.. till there were an insane number of emails going out..
Wow, people have too much time on their hands
 
Yash said:
Clever in the sense that he used a single email to email hundreds of customers.. and after sending 100 such mega emails.. his email address would get blacklisted automatically by our mass mailing prevention system. But he immediately switched to another mail box and began spamming...

To prevent incidents like this, would it be possible to configure the mass mailing prevention system to limit email quota per domain rather than email address?
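
An added example, not part of the post above and not the host's actual system: a replay of constructed send events through a sender limiter keyed first per address and then per domain, using the 100-mailing threshold mentioned in the thread. The addresses, the domains and the assumption that the rotated mailboxes share one hosted domain are constructed for illustration.

```python
from collections import Counter

LIMIT = 100  # from the thread: a sender is blocked after 100 mass mailings


def domain_of(address):
    """Return the lower-cased domain part of a sender address."""
    return address.rsplit("@", 1)[1].lower()


def simulate(events, key):
    """Replay (sender, recipient_count) events through a limiter.

    key maps a sender address to the bucket that is counted and blocked.
    Returns (number of mailings accepted, set of blocked buckets).
    """
    sent = Counter()
    blocked = set()
    accepted = 0
    for sender, _recipient_count in events:
        bucket = key(sender)
        if bucket in blocked:
            continue  # rejected: bucket already over the limit
        sent[bucket] += 1
        accepted += 1
        if sent[bucket] >= LIMIT:
            blocked.add(bucket)
    return accepted, blocked


def constructed_events(mailboxes=5, per_mailbox=100, domain="example.test"):
    """Constructed sample: one domain rotating mailboxes, plus normal traffic."""
    events = []
    for i in range(mailboxes):
        events += [(f"box{i}@{domain}", 300)] * per_mailbox
    events += [("alice@other.test", 1)] * 3
    return events


def per_address(events):
    return simulate(events, key=lambda sender: sender.lower())


def per_domain(events):
    return simulate(events, key=domain_of)
```

With the constructed events, the per-address limiter accepts every mailing from each rotated mailbox before blocking it, while the per-domain limiter stops accepting after the first 100; the trade-off is that a per-domain block also stops every legitimate mailbox on that domain.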
 
So why are we getting his bounces? And why are those bounce reports being returned in response to messages we send out?

And... it's happening again - I just had another one about 30 minutes ago.
 
Edit:
The bounces that happened yesterday were because of the spamming. Some outgoing email went through, some got bounced back..

If you are receiving fresh bounces, it is most likely unrelated and I suggest you open a ticket
 
It would be good if you could get some information on the bounce issue. I have had a ticket open about this for some days (CVW-54429-637) and all support says is that it was due to the spamming.

This is a security issue, not a spam issue. Somehow, an email I sent to one person was picked up and sent to many email addresses unknown to me. And I see here that this is (or has) apparently happening to others. I really need to know how this could happen and what has been done to stop it to be comfortable with the security in place on the servers.

Rgds, John T.
 
John,

1) The issue on mail4 was resolved long ago as I stated. We had a spammer and as a result of that, outgoing emails were delayed or either bounced back (as some people have reported). The issue has since been resolved.

2) You claim that your email was sent to people that were not originally intended to be sent. We have found no evidence of any security flaw or any reason why such a peculiar thing could happen. We have received not a single ticket or report from many many customers on such an issue. Nonetheless, your issue will be looked into by a Level3 tech. It is being treated as unrelated to this incident. We monitor the security of our servers very carefully, and mail4 was NEVER compromised. It was only abused.
 
Yash,
Thanks for getting this escalated.

The reason I posted on this thread is the first post looks like it has similar symptoms to mine. SALvation posted:
"When I send an email using my account, the email gets to where it's supposed to go, but then a couple of hours later, I get a failure notice that says it failed and it looks like it tried to send it to tons of different people."

This is similar to what happened to me. I sent an email. It got to the correct recipient. But I also get a report from the Jodo mail server that attempted delivery to other email addresses (all unknown to me) failed. From this I surmise that my email was also successfully sent to other email addresses, also unknown to me.

This is different from a spammer sending their own emails out to tons of people, somehow it looks like private emails were sent to tons of people.

I look forward to receiving the analysis.

Rgds, John T.
 
Here is what I told John:
---------------------------------------------------------
As you already know a spammer spammed in a big way. Our techs tried to fix the situation immediately to save mail server from getting blacklisted worldwide (that is important for us as not all ISPs around the world respond to unblock requests). They suspended the account and cleaned up the spam mails from the queue.
Unfortunately here the queue got corrupted and left a few bounce info about these messages.
Now, the details of what exactly was left. The messageid (along with bounce response for each mail) was left as a bounce while the actual message no longer existed.
Here you sent your mail, but it was assigned the same messageid, and while processing mailserver found it has been tagged as a bounce and it delivered the bounce info of the spammer's message back to you instead of delivering the message.
---------------------------------------------------------

Now this is a rare situation and not that your messages are being sent to someone, but accidentally getting bounced instead of being delivered. This again applies to only the bounces of the spammer and not all messages.

We are investigating the queue handling tools provided with Hsphere to prevent this in future.
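
An added example, not part of the post above and not the host's or Hsphere's tooling: a consistency check for the leftover state described here, a bounce record whose message no longer exists. It assumes the standard qmail queue layout (message bodies in mess/ split into numbered subdirectories, bounce records flat in bounce/, files named by message id); the queue tree and ids are constructed.

```python
import os


def ids_under(root, split):
    """Collect message ids (file names) found in one queue subdirectory."""
    ids = set()
    if not os.path.isdir(root):
        return ids
    for entry in os.listdir(root):
        path = os.path.join(root, entry)
        if split and os.path.isdir(path):
            ids.update(os.listdir(path))   # mess/<n>/<id>
        elif not split and os.path.isfile(path):
            ids.add(entry)                 # bounce/<id>
    return ids


def orphaned_bounces(queue):
    """Return ids that have a bounce record but no message body.

    These are the stale records that a later message reusing the same id
    would inherit, as described in the explanation above.
    """
    mess = ids_under(os.path.join(queue, "mess"), split=True)
    bounce = ids_under(os.path.join(queue, "bounce"), split=False)
    return sorted(bounce - mess, key=int)


def build_constructed_queue(base, split=23):
    """Constructed sample: 4101/4102 intact, 4207/4311 had mess/ removed."""
    bodies = ["4101", "4102"]
    bounces = ["4102", "4207", "4311"]
    os.makedirs(os.path.join(base, "bounce"), exist_ok=True)
    for msg_id in bodies:
        sub = os.path.join(base, "mess", str(int(msg_id) % split))
        os.makedirs(sub, exist_ok=True)
        with open(os.path.join(sub, msg_id), "w") as fh:
            fh.write("constructed message body\n")
    for msg_id in bounces:
        with open(os.path.join(base, "bounce", msg_id), "w") as fh:
            fh.write("constructed bounce record\n")
    return base
```

On a real queue a check like this is only meaningful while qmail-send is stopped, since a live queue changes between the two directory listings.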
 
Thank you for the explanations.
And thank you for the follow up.

I have only recently moved to Jodohost. I had been reasonably satisfied with the support I had received in the past. But, I was not so impressed by the initial support responses to this issue. I must say that I am now very comfortable with your answers about the queue corruption.

Getting clear and timely answers to questions is a great way to gain and keep customers. That's one of the things that attracted me to this hosting company - the apparent good communications about server and technical issues.

Rgds, John T.
 