[Mimedefang] HBEDV Reporting broken? - False Positives Reported

Albert E. Whale aewhale at ABS-CompTech.com
Sun Dec 15 15:04:01 EST 2002


"David F. Skoll" wrote:

> On Sat, 14 Dec 2002, Albert E. Whale wrote:
>
> > Upon further review, I have found that the Name Servers were unable to
> > retrieve IP Addresses information from the Domain Addresses which are being
> > Blocked by the Filters on the Router.
>
> But who is doing the lookup?  H+BEDV or MIMEDefang?  Why would H+BEDV
> attempt a DNS lookup?
>

Looks more like Sendmail is doing the Lookup.  Here's a sample of the logs.

Dec 15 12:06:11 access2 sendmail[2953]: gBDJIOuj002074:
to=<debra134 at kebi.com>, delay=1+21:23:24, xdelay=00:00:00,
mailer=esmtp, pri=4262908, relay=kebi.com., dsn=4.0.0,
stat=Deferred: Name server: kebi.com.: host name lookup failure
Dec 15 13:09:17 access2 sendmail[5436]: gBDJIOui002074:
to=<suzanne8004 at kebi.com>, delay=1+22:26:30, xdelay=00:00:56,
mailer=esmtp, pri=4352763, relay=kebi.com., dsn=4.0.0,
stat=Deferred: Name server: kebi.com.: host name lookup failure

I guess that I am not familiar enough with where MIMEDefang interfaces into
Sendmail/MILTER to decide who knew what first.  I realize that the DNS can be
down on a server and Sendmail will retry to send the info for
confTO_QUEUERETURN's Value.

Here's additional information.  Maybe I'm looking for a simple solution, THIS MAY
NOT BE a Mimedefang issue.  Thank you for reviewing the information:

This is a MIME-encapsulated message

--gBDJIOui002074.1039808567/access2.hky.com

The original message was received at Wed, 11 Dec 2002 14:07:29
-0500
from [63.126.198.217]

   ----- The following addresses had permanent fatal errors -----
<alyssa at hky.com>
    (reason: 451 4.1.8 Domain of sender address
suzanne8004 at kebi.com does not resolve)
    (expanded from: <alyssa at hky.com>)

   ----- Transcript of session follows -----
... while talking to access.hky.com.:
>>> DATA
<<< 451 4.1.8 Domain of sender address suzanne8004 at kebi.com does
not resolve
<alyssa at hky.com>... Deferred: 451 4.1.8 Domain of sender address
suzanne8004 at kebi.com does not resolve
<<< 503 5.0.0 Need RCPT (recipient)
Message could not be delivered for 2 days
Message will be deleted from queue

--gBDJIOui002074.1039808567/access2.hky.com
Content-Type: message/delivery-status

Reporting-MTA: dns; access2.hky.com
Received-From-MTA: DNS; localhost
Arrival-Date: Wed, 11 Dec 2002 14:07:29 -0500

Final-Recipient: RFC822; alyssa at hky.com
X-Actual-Recipient: RFC822; alyssa at access.hky.com
Action: failed
Status: 4.4.7
Remote-MTA: DNS; access.hky.com
Diagnostic-Code: SMTP; 451 4.1.8 Domain of sender address
suzanne8004 at kebi.com does not
resolve
Last-Attempt-Date: Fri, 13 Dec 2002 14:42:47 -0500
--gBDJIOui002074.1039808567/access2.hky.com
Content-Type: message/rfc822

Return-Path: <suzanne8004 at kebi.com>
Received: from wks02 ([63.126.198.217])
        by access2.hky.com (8.12.6/8.12.6) with ESMTP id
gBBJ7Suh013607
        for <alyssa at hky.com>; Wed, 11 Dec 2002 14:07:29 -0500
Received: from [202.9.153.20] (HELO mdss1.kebi.com)
  by wks02 (CommuniGate Pro SMTP 3.5.6)
  with ESMTP id 384699; Sun, 08 Dec 2002 19:12:41 -0500
Message-ID: <00005dbb4caa$00006afb$00002d90 at mdss1.kebi.com>
To: <Undisclosed.Recipients>
From: suzanne8004 at kebi.com
Subject: We WILL get YOU the mortgage you need             F
Date: Mon, 09 Dec 2002 05:42:38 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------=_1039633649-7125-62"
X-Scanned-By: MIMEDefang 2.25 (www . roaringpenguin . com /
mimedefang)

This is a multi-part message in MIME format...

------------=_1039633649-7125-62
Content-Type: text/plain; name="WARNING.TXT"
Content-Disposition: inline; filename="WARNING.TXT"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)

WARNING: This e-mail has been altered by MIMEDefang.  Following
this
paragraph are indications of the actual changes made.  For more
information about your site's MIMEDefang policy, contact
MIMEDefang Administrator <postmaster at hky.com>.  For more
information about MIMEDefang, see:

            http://www.roaringpenguin.com/mimedefang/enduser.php3

This was message was found to be carrying an attachment
that contained a known virus.  The attachment has been replaced.
The following information may be helpful to determine its source:
        Sender:         <suzanne8004 at kebi.com>
        From:   suzanne8004 at kebi.com
        Virus:
        Attachment:
        Mime-Encoding:  text/plain

The original sender may NOT have been notified
(it may not be a valid email address).


------------=_1039633649-7125-62--

--gBDJIOui002074.1039808567/access2.hky.com--


--
Albert E. Whale - CISSP
http://www.abs-comptech.com
----------------------------------------------------------------------
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
Sr. Security, Network, and Systems Consultant
Board of Directors - InfraGard - Pittsburgh, PA
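
The following is an added example, not part of the original post or of MIMEDefang or Sendmail: a small Python triage script that unfolds wrapped sendmail log entries like those quoted above, tallies "Name server ... host name lookup failure" deferrals per domain, and flags domains whose oldest queued message is close to the queue-return timeout. The sample log is constructed, and `queue_return_days` and `warn_hours` are assumed values to be set from the site's own confTO_QUEUERETURN.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the post (placeholder hosts, ids,
# addresses). The second entry is wrapped the way the mail client wrapped it.
SAMPLE_LOG = """\
Dec 15 12:06:11 mx1 sendmail[2953]: gBDAAAAA000001: to=<a@example.net>, delay=1+21:23:24, xdelay=00:00:00, mailer=esmtp, pri=4262908, relay=example.net., dsn=4.0.0, stat=Deferred: Name server: example.net.: host name lookup failure
Dec 15 13:09:17 mx1 sendmail[5436]: gBDAAAAA000002:
to=<b@example.net>, delay=1+22:26:30, xdelay=00:00:56,
mailer=esmtp, pri=4352763, relay=example.net., dsn=4.0.0,
stat=Deferred: Name server: example.net.: host name lookup failure
Dec 15 13:10:02 mx1 sendmail[5440]: gBDAAAAA000003: to=<c@example.org>, delay=00:00:03, xdelay=00:00:03, mailer=esmtp, pri=30000, relay=mail.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
Dec 15 13:11:40 mx1 sendmail[5451]: gBDAAAAA000004: to=<d@example.com>, delay=00:10:00, xdelay=00:00:30, mailer=esmtp, pri=120000, relay=example.com., dsn=4.0.0, stat=Deferred: Connection timed out with example.com.
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
DNS_DEFER = re.compile(r"stat=Deferred: Name server: (?P<host>\S+?)\.?: host name lookup failure")
DELAY = re.compile(r"\bdelay=(?:(\d+)\+)?(\d\d):(\d\d):(\d\d)")

def unfold(text):
    """Join continuation lines (no syslog timestamp) onto the entry before them."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def delay_seconds(entry):
    """Convert sendmail's delay=[days+]hh:mm:ss field to seconds."""
    d, h, m, s = DELAY.search(entry).groups()
    return int(d or 0) * 86400 + int(h) * 3600 + int(m) * 60 + int(s)

def dns_deferrals(text, queue_return_days=2, warn_hours=6):
    """Per-domain count, worst queue age, and near-bounce flag (assumed limits)."""
    stats = defaultdict(lambda: {"count": 0, "max_delay": 0})
    for entry in unfold(text):
        m = DNS_DEFER.search(entry)
        if m:
            s = stats[m.group("host")]
            s["count"] += 1
            s["max_delay"] = max(s["max_delay"], delay_seconds(entry))
    limit = queue_return_days * 86400 - warn_hours * 3600
    return {h: dict(s, near_bounce=s["max_delay"] >= limit) for h, s in stats.items()}

if __name__ == "__main__":
    for host, s in dns_deferrals(SAMPLE_LOG).items():
        print(host, s)
```

Deferrals for other reasons (the constructed connection timeout) are left out of the tally, so the output isolates the resolver failures that sendmail itself logged.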




