[Mimedefang] E-mail REJECT problem
mythhtpc at gmail.com
Wed Jul 23 09:15:21 EDT 2008
Thanks for the help. We definitely have a virus outbreak inside our
company that is partly responsible for the viruses – but we are also
being attacked from the outside. But I'm pretty sure that the example
I gave is the same e-mail... the chances that the sending host
(relay=dsl-145-219-109.telkomadsl.co.za), the recipient and the date
correlate for different e-mails are very slim (but possible). I have
other examples that also closely match.

The specific example was dropped due to RBL. In fact all the messages
come from DSL hosts which are detected by RBL. According to the logs
all messages from this sender were rejected.

Now I know one should not do RBL rejection in filter_recipient, since
the message will be rejected for every recipient (where a once-off
rejection would have been far more efficient). Unfortunately however
I have a directive from management that forces me to log all rejected
e-mails in a database. As part of the directive they want to know who
the recipient(s) were. So that leaves me to do all rejections
inside of filter_recipient...

I'll try to monitor the situation more... but it seems that the
outbreak stopped around 2 hours ago.

On Wed, Jul 23, 2008 at 2:33 PM, Kevin A. McGrail <kmcgrail at pccc.com> wrote:
>> I get exactly the two log entries "lost input" and "size=0, class=0,
>> Are you sure that it's the same one?
> Steffen, good catch. I was thinking he was using filter_sender but you are
> right, he's using filter_recipient and he might be rejecting ONLY one of
> several recipients. It's the same queueid just likely a different RCPT.
> helo pccc.com
> mail from: kmcgrail at hallmark.com
> rcpt to: bad at domain.com
> 554 5.7.1 No such user here or blacklisted or something
> rcpt to: good at domain.com
> 250 2.1.5 kmcgrail at pccc.com... Recipient ok
> He's not really blacklisting the IP. He's really blacklisting the sender.
> This should be in filter_sender at which point it will affect all the
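
The per-recipient logging requirement described in the message above, as an added example (not code from this thread or from the MIMEDefang project): a mimedefang-filter fragment that rejects in filter_recipient and records each recipient, while caching the RBL verdict per relay IP so the DNS lookup is not repeated for every RCPT. It uses MIMEDefang's own relay_is_blacklisted and md_syslog; the RBL zone, the SQLite DSN, the `rejects` table and the 300-second cache lifetime are assumptions made for illustration.

```perl
# Fragment for mimedefang-filter (added example; zone, DSN and table are placeholders).
# filter_recipient is only called when mimedefang is started with the -t option.
use DBI;

my $RBL_ZONE = 'rbl.example.org';    # placeholder RBL zone
my $DSN      = 'dbi:SQLite:dbname=/var/spool/MIMEDefang/rejects.db';   # placeholder
my %rbl_cache;   # relay IP => [listed?, expiry]; lives only inside one worker process
my $dbh;

# Look the relay up once per worker and reuse the verdict for later recipients.
sub rbl_listed {
    my ($ip) = @_;
    my $hit = $rbl_cache{$ip};
    return $hit->[0] if $hit && $hit->[1] > time;
    my $listed = relay_is_blacklisted($ip, $RBL_ZONE) ? 1 : 0;
    $rbl_cache{$ip} = [ $listed, time + 300 ];
    return $listed;
}

# Record one rejected recipient. A database failure must never block mail flow,
# so errors are trapped, logged to syslog, and the handle is dropped for a reconnect.
sub log_reject {
    my ($ip, $sender, $recipient, $reason) = @_;
    eval {
        $dbh ||= DBI->connect($DSN, '', '', { RaiseError => 1, PrintError => 0 });
        # Placeholders keep attacker-controlled envelope addresses out of the SQL text.
        $dbh->do('INSERT INTO rejects (ts, relay_ip, sender, recipient, reason)
                  VALUES (?, ?, ?, ?, ?)',
                 undef, time, $ip, $sender, $recipient, $reason);
        1;
    } or do {
        md_syslog('warning', "reject log failed: $@");
        undef $dbh;
    };
}

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo) = @_;
    if (rbl_listed($ip)) {
        log_reject($ip, $sender, $recipient, "RBL $RBL_ZONE");
        return ('REJECT', "Relay $ip is listed in $RBL_ZONE");
    }
    return ('CONTINUE', 'ok');
}
```

Successive RCPT commands may be handled by different worker processes, so the cache only reduces repeated lookups and cannot guarantee a single one per connection.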