Mailing List Archive

The emails take many hours to get to your destination
Hi,

A user (mar@pmaint.com) has received about 35000 'failure notice' emails
between last weekend and today (please see the email header below).
All users can receive email from anywhere without problem, but when we
send emails outside our network, the emails do not arrive early and
take many hours to arrive.
(As an example, yesterday I sent an email at 4 pm and it got to my gmail
account after 9 hours.)

After executing the command /var/qmail/bin/qmail-qstat, it displays:

messages in queue: 63969
messages in queue but not yet preprocessed: 0

and the message queue increases at an incredible speed. (now 64201)

I tried to run qmHandle to delete only the "failure notice" emails, but it
displays the following error message:
./qmHandle -S"failure notice"
Calling system script to terminate qmail...
svc: warning: unable to chdir to /service/qmail-deliver: file does not exist

Surely I have to modify the script. To reset qmail I use:

1) down
for i in $(ls /service/ |grep qmail); do svc -d /service/$i; done;

2) start
for i in $(ls /service/ |grep qmail); do svc -u /service/$i; done;

The user mar@pmaint.com has never sent emails to the domains that
are in the log. In the header you can see that the IP address
(mar@115.230.125.175) is not ours. We have 64.18.73.133 as our email
address. The computer of 'mar' uses Antivirus Kaspersky 2012 PURE 2.0.
I attach a part of the qmail-send log.

Our server is RHEL 5.0 with qmail, ClamAV and SpamAssassin.

(Before sending this email the queue is 64704)

Thanks for your help.

Eduardo




==== log (qmail-send) ===
@4000000051365685320c62b4 starting delivery 3727: msg 629394 to remote syu1980@sohu.com
@4000000051365685320ca134 status: local 0/10 remote 20/20
@4000000051365685329568d4 delivery 3705: deferral: Connected_to_58.250.132.64_but_connection_died._(#4.4.2)/
@4000000051365685329593cc status: local 0/10 remote 19/20
@40000000513656853295e9bc starting delivery 3728: msg 629394 to remote lulutakashi@hotmail.com
@4000000051365685329610cc status: local 0/10 remote 20/20
@400000005136568538df2a7c delivery 3719: deferral: User_and_password_not_set,_continuing_without_authentication./202.108.3.242_does_not_like_recipient./Remote_host_said:_452_Too_many_recipients_received_this_hour/Giving_up_on_202.108.3.242./
@400000005136568538df8454 status: local 0/10 remote 19/20
@400000005136568538dfb334 starting delivery 3729: msg 629394 to remote opera@mail.hua-book.com
@400000005136568538dfd274 status: local 0/10 remote 20/20
@40000000513656861056655c delivery 3716: success: User_and_password_not_set,_continuing_without_authentication./<hongjieexp@126.com>_220.181.14.134_accepted_message./Remote_host_said:_250_Mail_OK_queued_as_mx31,ycmowEBJeOB6VjZRdQmRBA--.501S2_1362515580/
@40000000513656861057096c status: local 0/10 remote 19/20
@400000005136568610574bd4 starting delivery 3730: msg 629394 to remote rhinehart@163.com
@40000000513656861057a5ac status: local 0/10 remote 20/20
@4000000051365686172b926c delivery 3728: success: User_and_password_not_set,_continuing_without_authentication./<lulutakashi@hotmail.com>_65.55.92.168_accepted_message./Remote_host_said:_250__<B039C27D910032A638898391210C5142@mQJ.rg>_Queued_mail_for_delivery/
@4000000051365686172c1f0c status: local 0/10 remote 19/20
@4000000051365686172c9054 starting delivery 3731: msg 629394 to remote caroline502@163.com
@4000000051365686172cee14 status: local 0/10 remote 20/20
@40000000513656861f5aec94 delivery 3708: success: User_and_password_not_set,_continuing_without_authentication./<ss02822005@yahoo.com.cn>_203.209.228.250_accepted_message./Remote_host_said:_250_ok_dirdel/
@40000000513656861f5b466c status: local 0/10 remote 19/20
@40000000513656861f5ba42c starting delivery 3732: msg 629394 to remote h10260@163.com
@40000000513656861f5be2ac status: local 0/10 remote 20/20
@40000000513656861fd8b7b4 delivery 3710: success: User_and_password_not_set,_continuing_without_authentication./<tearszhu@yahoo.com.cn>_203.209.228.250_accepted_message./Remote_host_said:_250_ok_dirdel/
@40000000513656861fd905d4 status: local 0/10 remote 19/20
@40000000513656861fd96394 starting delivery 3733: msg 629394 to remote it-bobo@163.com
@40000000513656861fd97b04 status: local 0/10 remote 20/20
@40000000513656862442cc7c delivery 3718: success: User_and_password_not_set,_continuing_without_authentication./<taoxiazi@163.com>_220.181.14.164_accepted_message./Remote_host_said:_250_Mail_OK_queued_as_mx49,Y8CowEBJwHV6VjZRO8mIAA--.1133S2_1362515580/
@400000005136568624437474 status: local 0/10 remote 19/20

==== header =========
-------- Original Message --------
Subject: failure notice
Date: 4 Mar 2013 16:23:52 -0000
From: MAILER-DAEMON@tribologik.com
To: mar@pmaint.com

Hi. This is the qmail-send program at tribologik.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<me_lingbaby@sohu.com>:
User and password not set, continuing without authentication.
220.181.26.202 does not like recipient.
Remote host said: 550 5.1.1 <me_lingbaby@sohu.com>: Recipient address
rejected: User unknown in local recipient table
Giving up on 220.181.26.202.

<xiaohong_du@neophotonics.com.cn>:
User and password not set, continuing without authentication.
210.75.14.158 does not like recipient.
Remote host said: 551 5.1.1 user does not exist
Giving up on 210.75.14.158.

--- Below this line is a copy of the message.

Return-Path: <mar@pmaint.com>
Received: (qmail 13036 invoked by uid 210); 4 Mar 2013 09:40:31 -0000
Received: from 115.230.125.175 (mar@115.230.125.175) by boom
(envelope-from <mar@pmaint.com>, uid 201) with qmail-scanner-2.08
(clamdscan: 0.96/10795. spamassassin: 3.1.7.
Clear:RC:1(115.230.125.175):.
Processed in 0.022188 secs); 04 Mar 2013 09:40:31 -0000
Received: from unknown (HELO MiK.cwywb) (mar@115.230.125.175)
by boom.pmaint.com with ESMTPA; 4 Mar 2013 09:40:30 -0000
Reply-To: <hwd050506@126.com>
Message-ID: <6EDFDFA60E8A6A6B73BF0A9DD4E49F38@MiK.cwywb>
From: =?utf-8?B?5Lu76Iqz5b+D?= <mar@pmaint.com>
To: <13852090882@139.com>
Subject:
=?utf-8?B?a3hmbnYgICAgIOato+WTgemZkOaXtueWr+aKou+8ge+8geacgOWBpQ==?=
=?utf-8?B?5bq35b+r6YCf55qE5YeP6IKl5Lqn5ZOB?=
Date: Mon, 4 Mar 2013 17:38:24 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0A13_01F44826.1EA489E0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512

This is a multi-part message in MIME format.

------=_NextPart_000_0A13_01F44826.1EA489E0
Content-Type: text/plain;
charset="utf-8"
Content-Transfer-Encoding: base64

------=_NextPart_000_0A13_01F44826.1EA489E0
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: base64
Re: The emails take many hours to get to your destination
Do you know who unknown (HELO MiK.cwywb) (mar@115.230.125.175) is?

You have a lot of messages in your queue, and only 20 concurrent
outgoing connections. Any mail you submit will take time to be processed.

You should check that you aren't an open relay or otherwise aren't
receiving mail that you don't want to. The above IP is from Asia, so my
guess would be that some spammers are filling up your queue, and you're
relaying spam for them.

--
Darek


On 3/5/2013 4:32 PM, Eduardo Mena wrote:
> Hi,
>
> A user (mar@pmaint.com) has received between the last weekend and today about 35000 emails 'failure notice' (Please see below the email header).
Re: The emails take many hours to get to your destination
Hi Darek,

I tested with http://mxtoolbox.com and we're not doing open relay :
SMTP Open Relay Ok - Not an open relay.

You are right, all emails are from Asia.
There are many different HELO as IP addresses, example:

(HELO nvw.qgsjltj) (mar@115.230.125.182)
(HELO Eix.mq) (mar@115.230.124.46)
(HELO af) (mar@110.205.23.205) etc.


Thanks

Eduardo


On Tue, Mar 5, 2013 at 4:46 PM, Darek M. <darek@nyi.net> wrote:

> Do you know who unknown (HELO MiK.cwywb) (mar@115.230.125.175) is?
>
> You have a lot of messages in your queue, and only 20 concurrent outgoing
> connections. Any mail you submit will take time to be processed.
>
> You should check that you aren't an open relay or otherwise aren't
> receiving mail that you don't want to. The above IP is from Asia, so my
> guess would be that some spammers are filling up your queue, and you're
> relaying spam for them.
>
> --
> Darek
Re: The emails take many hours to get to your destination
On 3/5/2013 5:03 PM, Eduardo Mena wrote:
> Hi Darek,
>
> I tested with http://mxtoolbox.com and we're not doing open relay :
> SMTP Open Relay Ok - Not an open relay.

You'll have to find out how they are submitting mail to you. Maybe they
guessed one of your users' passwords and are using SMTP-AUTH to gain
relay rights. I'd start by changing the password for mar@pmaint.com
and making sure it is strong.

--
Darek

>
> You are right, all emails are from Asia.
> There are many different HELO as IP addresses, example:
>
> HELO nvw.qgsjltj) (mar@115.230.125.182)
> (HELO Eix.mq) (mar@115.230.124.46)
>
> (HELO af) (mar@110.205.23.205) etc.
>
> Thanks
>
> Eduardo
>
>
> On Tue, Mar 5, 2013 at 4:46 PM, Darek M. <darek@nyi.net
> <mailto:darek@nyi.net>> wrote:
>
> Do you know who unknown (HELO MiK.cwywb) (mar@115.230.125.175
> <mailto:mar@115.230.125.175>) is?
>
> You have a lot of messages in your queue, and only 20 concurrent
> outgoing connections. Any mail you submit will take time to be
> processed.
>
> You should check that you aren't an open relay or otherwise aren't
> receiving mail that you don't want to. The above IP is from Asia,
> so my guess would be that some spammers are filling up your queue,
> and you're relaying spam for them.
>
> --
> Darek
>
>
>
> On 3/5/2013 4:32 PM, Eduardo Mena wrote:
>> Hi,
>>
>> A user (mar@pmaint.com <mailto:mar@pmaint.com>)has received between the last weekend and todayabout 35000 emails 'failure notice' (Please see below the email header).
>>
>>
>> All users can receive email from anywhere without problem, but when we send emails outside our network, emails do not arrive early and ittake many hours to arrive.
>>
>>
>> (As an example, yesterday I sent an email at 4 pm and get to my gmail account after 9 hours).
>>
>>
>>
>> After to execute the following command: /var/qmail/bin/qmail-qstat ,it display :
>>
>> messages in queue: 63969
>> messages in queue but not yet preprocessed: 0
>>
>> and the message queue increases at an incredible speed. (now 64201)
>>
>>
>> I tried to run qmHandle to delete only "failure notice" email,but Itdisplaythe following error message :
>>
>> ./qmHandle -S"failure notice"
>> Calling system script to terminate qmail...
>> svc: warning: unable to chdir to /service/qmail-deliver: file does not exist
>>
>> surely I have to modify the script. To reset qmailI use
>>
>>
>> 1) down
>> for i in $(ls /service/ |grep qmail); do svc -d /service/$i; done;
>>
>> 2) start
>> for i in $(ls /service/ |grep qmail); do svc -u /service/$i; done;
>>
>> The usermar@pmaint.com <mailto:mar@pmaint.com> never had sentemails to those domains that are in the log, In the headeryou can see that the ip address
>>
>>
>> (mar@115.230.125.175 <mailto:mar@115.230.125.175>) is not ours. We have 64.18.73.133 like address email. The computer from 'mar' use Antivirus Kaspersky 2012 PURE 2.0.
>>
>> I attach a part of the qmail-send log.
>>
>> Our server is RHEL 5.0 with qmail, clamAV and spamassassin.
>>
>> (Before send this email the queue is 64704)
>>
>>
>> Thanks for your help.
>>
>> Eduardo
>>
>>
>>
>>
>> ==== log (qmail-send) ===
>> @4000000051365685320c62b4 starting delivery 3727: msg 629394 to remotesyu1980@sohu.com <mailto:syu1980@sohu.com>
>> @4000000051365685320ca134 status: local 0/10 remote 20/20
>>
>>
>> @4000000051365685329568d4 delivery 3705: deferral: Connected_to_58.250.132.64_but_connection_died._(#4.4.2)/
>> @4000000051365685329593cc status: local 0/10 remote 19/20
>> @40000000513656853295e9bc starting delivery 3728: msg 629394 to remotelulutakashi@hotmail.com <mailto:lulutakashi@hotmail.com>
>>
>>
>> @4000000051365685329610cc status: local 0/10 remote 20/20
>> @400000005136568538df2a7c delivery 3719: deferral: User_and_password_not_set,_continuing_without_authentication./202.108.3.242_does_not_like_recipient./Rem
>>
>> ote_host_said:_452_Too_many_recipients_received_this_hour/Giving_up_on_202.108.3.242./
>>
>> @400000005136568538df8454 status: local 0/10 remote 19/20
>> @400000005136568538dfb334 starting delivery 3729: msg 629394 to remoteopera@mail.hua-book.com <mailto:opera@mail.hua-book.com>
>>
>> @400000005136568538dfd274 status: local 0/10 remote 20/20
>>
>> @40000000513656861056655c delivery 3716: success: User_and_password_not_set,_continuing_without_authentication./<hongjieexp@126.com <mailto:hongjieexp@126.com>>_220.181.14.134_accepte
>>
>> d_message./Remote_host_said:_250_Mail_OK_queued_as_mx31,ycmowEBJeOB6VjZRdQmRBA--.501S2_1362515580/
>>
>> @40000000513656861057096c status: local 0/10 remote 19/20
>> @400000005136568610574bd4 starting delivery 3730: msg 629394 to remoterhinehart@163.com <mailto:rhinehart@163.com>
>> @40000000513656861057a5ac status: local 0/10 remote 20/20
>>
>>
>> @4000000051365686172b926c delivery 3728: success: User_and_password_not_set,_continuing_without_authentication./<lulutakashi@hotmail.com <mailto:lulutakashi@hotmail.com>>_65.55.92.168_acce
>>
>> pted_message./Remote_host_said:_250__<B039C27D910032A638898391210C5142@mQJ.rg> <mailto:B039C27D910032A638898391210C5142@mQJ.rg>_Queued_mail_for_delivery/
>>
>> @4000000051365686172c1f0c status: local 0/10 remote 19/20
>> @4000000051365686172c9054 starting delivery 3731: msg 629394 to remotecaroline502@163.com <mailto:caroline502@163.com>
>> @4000000051365686172cee14 status: local 0/10 remote 20/20
>>
>>
>> @40000000513656861f5aec94 delivery 3708: success: User_and_password_not_set,_continuing_without_authentication./<ss02822005@yahoo.com.cn <mailto:ss02822005@yahoo.com.cn>>_203.209.228.250_a
>>
>> ccepted_message./Remote_host_said:_250_ok_dirdel/
>>
>> @40000000513656861f5b466c status: local 0/10 remote 19/20
>> @40000000513656861f5ba42c starting delivery 3732: msg 629394 to remoteh10260@163.com <mailto:h10260@163.com>
>> @40000000513656861f5be2ac status: local 0/10 remote 20/20
>>
>>
>> @40000000513656861fd8b7b4 delivery 3710: success: User_and_password_not_set,_continuing_without_authentication./<tearszhu@yahoo.com.cn <mailto:tearszhu@yahoo.com.cn>>_203.209.228.250_acc
>>
>> epted_message./Remote_host_said:_250_ok_dirdel/
>>
>> @40000000513656861fd905d4 status: local 0/10 remote 19/20
>> @40000000513656861fd96394 starting delivery 3733: msg 629394 to remoteit-bobo@163.com <mailto:it-bobo@163.com>
>> @40000000513656861fd97b04 status: local 0/10 remote 20/20
>>
>>
>> @40000000513656862442cc7c delivery 3718: success: User_and_password_not_set,_continuing_without_authentication./<taoxiazi@163.com <mailto:taoxiazi@163.com>>_220.181.14.164_accepted_
>> message./Remote_host_said:_250_Mail_OK_queued_as_mx49,Y8CowEBJwHV6VjZRO8mIAA--.1133S2_1362515580/
>>
>>
>> @400000005136568624437474 status: local 0/10 remote 19/20
>>
>> ==== header =========
>> -------- Original Message --------
>> Subject: failure notice
>> Date: 4 Mar 2013 16:23:52 -0000
>> From: MAILER-DAEMON@tribologik.com
>> To: mar@pmaint.com
>>
>> Hi. This is the qmail-send program at tribologik.com.
>> I'm afraid I wasn't able to deliver your message to the following addresses.
>> This is a permanent error; I've given up. Sorry it didn't work out.
>>
>> <me_lingbaby@sohu.com>:
>> User and password not set, continuing without authentication.
>> 220.181.26.202 does not like recipient.
>> Remote host said: 550 5.1.1 <me_lingbaby@sohu.com>: Recipient address
>> rejected: User unknown in local recipient table
>> Giving up on 220.181.26.202.
>>
>> <xiaohong_du@neophotonics.com.cn>:
>> User and password not set, continuing without authentication.
>> 210.75.14.158 does not like recipient.
>> Remote host said: 551 5.1.1 user does not exist
>> Giving up on 210.75.14.158.
>>
>> --- Below this line is a copy of the message.
>>
>> Return-Path: <mar@pmaint.com>
>> Received: (qmail 13036 invoked by uid 210); 4 Mar 2013 09:40:31 -0000
>> Received: from 115.230.125.175 (mar@115.230.125.175) by boom
>> (envelope-from <mar@pmaint.com>, uid 201) with qmail-scanner-2.08
>> (clamdscan: 0.96/10795. spamassassin: 3.1.7.
>> Clear:RC:1(115.230.125.175):.
>> Processed in 0.022188 secs); 04 Mar 2013 09:40:31 -0000
>> Received: from unknown (HELO MiK.cwywb) (mar@115.230.125.175)
>> by boom.pmaint.com with ESMTPA; 4 Mar 2013 09:40:30 -0000
>> Reply-To: <hwd050506@126.com>
>> Message-ID: <6EDFDFA60E8A6A6B73BF0A9DD4E49F38@MiK.cwywb>
>> From: =?utf-8?B?5Lu76Iqz5b+D?= <mar@pmaint.com>
>> To: <13852090882@139.com>
>> Subject:
>> =?utf-8?B?a3hmbnYgICAgIOato+WTgemZkOaXtueWr+aKou+8ge+8geacgOWBpQ==?=
>> =?utf-8?B?5bq35b+r6YCf55qE5YeP6IKl5Lqn5ZOB?=
>> Date: Mon, 4 Mar 2013 17:38:24 +0800
>> MIME-Version: 1.0
>> Content-Type: multipart/alternative;
>> boundary="----=_NextPart_000_0A13_01F44826.1EA489E0"
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> X-Mailer: Microsoft Outlook Express 6.00.2900.5512
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
>>
>> This is a multi-part message in MIME format.
>>
>> ------=_NextPart_000_0A13_01F44826.1EA489E0
>> Content-Type: text/plain;
>> charset="utf-8"
>> Content-Transfer-Encoding: base64
>>
>>
>> ------=_NextPart_000_0A13_01F44826.1EA489E0
>> Content-Type: text/html;
>> charset="utf-8"
>> Content-Transfer-Encoding: base64
>>
>
>
Re: The emails take many hours to get to your destination
Hi,

I changed the password, thanks for the suggestion.

Eduardo

On Tue, Mar 5, 2013 at 5:11 PM, Darek M. <darek@nyi.net> wrote:

> On 3/5/2013 5:03 PM, Eduardo Mena wrote:
>
> Hi Darek,
>
> I tested with http://mxtoolbox.com and we're not doing open relay :
> SMTP Open Relay Ok - Not an open relay.
>
>
> You'll have to find out how they are submitting mail to you. Maybe they
> guessed one of your user's password and are using SMTP-AUTH to gain relay
> rights. I'd start by changing the password for mar@pmaint.com and making
> sure it is strong.
>
> --
> Darek
>
>
>
> You are right, all emails are from Asia.
> There are many different HELO as IP addresses, example:
>
> HELO nvw.qgsjltj) (mar@115.230.125.182)
>
> (HELO Eix.mq) (mar@115.230.124.46)
>
> (HELO af) (mar@110.205.23.205) etc.
>
>
> Thanks
>
> Eduardo
>
>
> On Tue, Mar 5, 2013 at 4:46 PM, Darek M. <darek@nyi.net> wrote:
>
>> Do you know who unknown (HELO MiK.cwywb) (mar@115.230.125.175) is?
>>
>> You have a lot of messages in your queue, and only 20 concurrent outgoing
>> connections. Any mail you submit will take time to be processed.
>>
>> You should check that you aren't an open relay or otherwise aren't
>> receiving mail that you don't want to. The above IP is from Asia, so my
>> guess would be that some spammers are filling up your queue, and you're
>> relaying spam for them.
>>
>> --
>> Darek
>>
>>
>>
>> On 3/5/2013 4:32 PM, Eduardo Mena wrote:
>>
>> Hi,
>> A user (mar@pmaint.com) has received between the last weekend and today about 35000 emails 'failure notice' (Please see below the email header).
>>
>> All users can receive email from anywhere without problem, but when we send emails outside our network, emails do not arrive early and it take many hours to arrive.
>>
>> (As an example, yesterday I sent an email at 4 pm and get to my gmail account after 9 hours).
>>
>>
>> After to execute the following command: /var/qmail/bin/qmail-qstat ,it display :
>>
>> messages in queue: 63969
>> messages in queue but not yet preprocessed: 0
>>
>> and the message queue increases at an incredible speed. (now 64201)
>>
>> I tried to run qmHandle to delete only "failure notice" email, but It display the following error message :
>>
>> ./qmHandle -S"failure notice"
>> Calling system script to terminate qmail...
>> svc: warning: unable to chdir to /service/qmail-deliver: file does not exist
>> surely I have to modify the script. To reset qmail I use
>>
>>
>> 1) down
>> for i in $(ls /service/ |grep qmail); do svc -d /service/$i; done;
>>
>> 2) start
>> for i in $(ls /service/ |grep qmail); do svc -u /service/$i; done;
>> The user mar@pmaint.com never had sent emails to those domains that are in the log, In the header you can see that the ip address
>>
>>
>> (mar@115.230.125.175) is not ours. We have 64.18.73.133 like address email. The computer from 'mar' use Antivirus Kaspersky 2012 PURE 2.0.
>> I attach a part of the qmail-send log.
>>
>> Our server is RHEL 5.0 with qmail, clamAV and spamassassin.
>>
>> (Before send this email the queue is 64704)
>>
>>
>>
>> Thanks for your help.
>>
>> Eduardo
>>
>>
>>
>>
>> ==== log (qmail-send) ===
>> @4000000051365685320c62b4 starting delivery 3727: msg 629394 to remote syu1980@sohu.com
>> @4000000051365685320ca134 status: local 0/10 remote 20/20
>>
>>
>> @4000000051365685329568d4 delivery 3705: deferral: Connected_to_58.250.132.64_but_connection_died._(#4.4.2)/
>> @4000000051365685329593cc status: local 0/10 remote 19/20
>> @40000000513656853295e9bc starting delivery 3728: msg 629394 to remote lulutakashi@hotmail.com
>>
>>
>> @4000000051365685329610cc status: local 0/10 remote 20/20
>> @400000005136568538df2a7c delivery 3719: deferral: User_and_password_not_set,_continuing_without_authentication./202.108.3.242_does_not_like_recipient./Rem
>>
>> ote_host_said:_452_Too_many_recipients_received_this_hour/Giving_up_on_202.108.3.242./
>>
>> @400000005136568538df8454 status: local 0/10 remote 19/20
>> @400000005136568538dfb334 starting delivery 3729: msg 629394 to remote opera@mail.hua-book.com
>>
>> @400000005136568538dfd274 status: local 0/10 remote 20/20
>>
>> @40000000513656861056655c delivery 3716: success: User_and_password_not_set,_continuing_without_authentication./<hongjieexp@126.com>_220.181.14.134_accepte
>>
>> d_message./Remote_host_said:_250_Mail_OK_queued_as_mx31,ycmowEBJeOB6VjZRdQmRBA--.501S2_1362515580/
>>
>> @40000000513656861057096c status: local 0/10 remote 19/20
>> @400000005136568610574bd4 starting delivery 3730: msg 629394 to remote rhinehart@163.com
>> @40000000513656861057a5ac status: local 0/10 remote 20/20
>>
>>
>> @4000000051365686172b926c delivery 3728: success: User_and_password_not_set,_continuing_without_authentication./<lulutakashi@hotmail.com>_65.55.92.168_acce
>>
>> pted_message./Remote_host_said:_250__<B039C27D910032A638898391210C5142@mQJ.rg>_Queued_mail_for_delivery/
>>
>> @4000000051365686172c1f0c status: local 0/10 remote 19/20
>> @4000000051365686172c9054 starting delivery 3731: msg 629394 to remote caroline502@163.com
>> @4000000051365686172cee14 status: local 0/10 remote 20/20
>>
>>
>> @40000000513656861f5aec94 delivery 3708: success: User_and_password_not_set,_continuing_without_authentication./<ss02822005@yahoo.com.cn>_203.209.228.250_a
>>
>> ccepted_message./Remote_host_said:_250_ok_dirdel/
>>
>> @40000000513656861f5b466c status: local 0/10 remote 19/20
>> @40000000513656861f5ba42c starting delivery 3732: msg 629394 to remote h10260@163.com
>> @40000000513656861f5be2ac status: local 0/10 remote 20/20
>>
>>
>> @40000000513656861fd8b7b4 delivery 3710: success: User_and_password_not_set,_continuing_without_authentication./<tearszhu@yahoo.com.cn>_203.209.228.250_acc
>>
>> epted_message./Remote_host_said:_250_ok_dirdel/
>>
>> @40000000513656861fd905d4 status: local 0/10 remote 19/20
>> @40000000513656861fd96394 starting delivery 3733: msg 629394 to remote it-bobo@163.com
>> @40000000513656861fd97b04 status: local 0/10 remote 20/20
>>
>>
>> @40000000513656862442cc7c delivery 3718: success: User_and_password_not_set,_continuing_without_authentication./<taoxiazi@163.com>_220.181.14.164_accepted_
>> message./Remote_host_said:_250_Mail_OK_queued_as_mx49,Y8CowEBJwHV6VjZRO8mIAA--.1133S2_1362515580/
>>
>>
>> @400000005136568624437474 status: local 0/10 remote 19/20
>>
>> ==== header =========
>> -------- Original Message --------
>> Subject: failure notice
>> Date: 4 Mar 2013 16:23:52 -0000
>> From: MAILER-DAEMON@tribologik.com
>> To: mar@pmaint.com
>>
>> Hi. This is the qmail-send program at tribologik.com.
>> I'm afraid I wasn't able to deliver your message to the following addresses.
>> This is a permanent error; I've given up. Sorry it didn't work out.
>>
>> <me_lingbaby@sohu.com>:
>> User and password not set, continuing without authentication.
>> 220.181.26.202 does not like recipient.
>> Remote host said: 550 5.1.1 <me_lingbaby@sohu.com>: Recipient address
>> rejected: User unknown in local recipient table
>> Giving up on 220.181.26.202.
>>
>> <xiaohong_du@neophotonics.com.cn>:
>> User and password not set, continuing without authentication.
>> 210.75.14.158 does not like recipient.
>> Remote host said: 551 5.1.1 user does not exist
>> Giving up on 210.75.14.158.
>>
>> --- Below this line is a copy of the message.
>>
>> Return-Path: <mar@pmaint.com>
>> Received: (qmail 13036 invoked by uid 210); 4 Mar 2013 09:40:31 -0000
>> Received: from 115.230.125.175 (mar@115.230.125.175) by boom
>> (envelope-from <mar@pmaint.com>, uid 201) with qmail-scanner-2.08
>> (clamdscan: 0.96/10795. spamassassin: 3.1.7.
>> Clear:RC:1(115.230.125.175):.
>> Processed in 0.022188 secs); 04 Mar 2013 09:40:31 -0000
>> Received: from unknown (HELO MiK.cwywb) (mar@115.230.125.175)
>> by boom.pmaint.com with ESMTPA; 4 Mar 2013 09:40:30 -0000
>> Reply-To: <hwd050506@126.com>
>> Message-ID: <6EDFDFA60E8A6A6B73BF0A9DD4E49F38@MiK.cwywb>
>> From: =?utf-8?B?5Lu76Iqz5b+D?= <mar@pmaint.com>
>> To: <13852090882@139.com>
>> Subject:
>> =?utf-8?B?a3hmbnYgICAgIOato+WTgemZkOaXtueWr+aKou+8ge+8geacgOWBpQ==?=
>> =?utf-8?B?5bq35b+r6YCf55qE5YeP6IKl5Lqn5ZOB?=
>> Date: Mon, 4 Mar 2013 17:38:24 +0800
>> MIME-Version: 1.0
>> Content-Type: multipart/alternative;
>> boundary="----=_NextPart_000_0A13_01F44826.1EA489E0"
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> X-Mailer: Microsoft Outlook Express 6.00.2900.5512
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
>>
>> This is a multi-part message in MIME format.
>>
>> ------=_NextPart_000_0A13_01F44826.1EA489E0
>> Content-Type: text/plain;
>> charset="utf-8"
>> Content-Transfer-Encoding: base64
>>
>>
>> ------=_NextPart_000_0A13_01F44826.1EA489E0
>> Content-Type: text/html;
>> charset="utf-8"
>> Content-Transfer-Encoding: base64
>>
>>
>>
>>
>
>
Re: The emails take many hours to get to your destination
Eduardo Mena <lemena@gmail.com> wrote:
>
> I changed the password, thanks for the suggestion.

It's not enough. You need to find out how the messages are getting into your
queue; if you're sure it's not via SMTP, look in the qmail logs (you didn't
quote the lines where the messages arrive in the queue, only the delivery
lines). It could be via your webserver or some other vulnerable software.

Charles
--
--------------------------------------------------------------------------
Charles Cazabon
GPL'ed software available at: http://pyropus.ca/software/
Read http://pyropus.ca/personal/writings/12-steps-to-qmail-list-bliss.html
--------------------------------------------------------------------------
Re: The emails take many hours to get to your destination
On 06.03.2013 04:17, Charles Cazabon wrote:
> Eduardo Mena <lemena@gmail.com> wrote:
>>
>> I changed the password, thanks for the suggestion.
>
> It's not enough. You need to find out how the messages are getting into your
> queue; if you're sure it's not via SMTP, look in the qmail logs (you didn't
> quote the lines where the messages arrive in the queue, only the delivery
> lines). It could be via your webserver or some other vulnerable software.

From the headers quoted in the first mail one can see that the messages
are injected via SMTP. I also have those "attacks" as it seems that
there are currently bots outside that scan MUAs for credentials.

I would advise you to also check the queue for any outgoing spam mails
still in the queue and delete them, too.

Oli

--
Protect your environment - close windows and adopt a penguin!
PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF 8168 CAB7 B0DD 3985 1721
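
The reply above reads the injection path off the `Received:` lines: `with ESMTPA` marks an authenticated SMTP session, and the login name sits in front of the client IP. As an added example (not part of the original thread), the following Python applies the same reading to many bounced or queued messages and reports logins that authenticated from several different foreign IPs. The sample messages are constructed from values quoted in this thread; the `info` login, the `office-pc` and `mx.example.net` names and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict
from email import message_from_string

# Shape of the Received: line quoted in this thread:
#   from unknown (HELO MiK.cwywb) (mar@115.230.125.175) by boom.pmaint.com with ESMTPA
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\(HELO\s+(?P<helo>[^)]+)\)\s+"
    r"\((?:(?P<user>[^@()\s]+)@)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+"
    r"by\s+\S+\s+with\s+(?P<proto>[A-Z]+)"
)
# RFC 3848 "with" keywords that mean the session used SMTP AUTH.
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA"}


def auth_submissions(raw_message):
    """Return [(user, client_ip, helo)] for each authenticated Received: hop."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m and m.group("user") and m.group("proto") in AUTH_PROTOCOLS:
            hops.append((m.group("user"), m.group("ip"), m.group("helo")))
    return hops


def suspicious_accounts(messages, own_ips=frozenset(), min_ips=3):
    """Map login -> sorted foreign client IPs, for logins seen from >= min_ips."""
    seen = defaultdict(set)
    for raw in messages:
        for user, ip, _helo in auth_submissions(raw):
            if ip not in own_ips:
                seen[user].add(ip)
    return {u: sorted(ips) for u, ips in seen.items() if len(ips) >= min_ips}


def _sample(helo, client, proto):
    """Build a constructed message with headers laid out like the quoted bounce."""
    return (
        "Return-Path: <mar@pmaint.com>\n"
        "Received: (qmail 13036 invoked by uid 210); 4 Mar 2013 09:40:31 -0000\n"
        f"Received: from unknown (HELO {helo}) ({client})\n"
        f" by boom.pmaint.com with {proto}; 4 Mar 2013 09:40:30 -0000\n"
        "Subject: constructed sample\n"
        "\n"
        "body\n"
    )


# Constructed input: the four "mar" logins use the HELO/IP pairs quoted in the
# thread; the last two entries are made up to show what must NOT be flagged.
SAMPLE_MESSAGES = [
    _sample("MiK.cwywb", "mar@115.230.125.175", "ESMTPA"),
    _sample("nvw.qgsjltj", "mar@115.230.125.182", "ESMTPA"),
    _sample("Eix.mq", "mar@115.230.124.46", "ESMTPA"),
    _sample("af", "mar@110.205.23.205", "ESMTPA"),
    _sample("office-pc", "info@64.18.73.133", "ESMTPA"),  # login from own address
    _sample("mx.example.net", "192.0.2.10", "SMTP"),      # inbound mail, no AUTH
]

if __name__ == "__main__":
    flagged = suspicious_accounts(SAMPLE_MESSAGES, own_ips={"64.18.73.133"})
    for user, ips in flagged.items():
        print(f"{user}: authenticated from {len(ips)} foreign IPs: {', '.join(ips)}")
```

A login that appears here has had its credentials used from outside, so the password change only helps once the machine or mail client that leaked it has been cleaned.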
Re: The emails take many hours to get to your destination
Thanks Charles and Oliver,

I erased all the garbage from the queue and now I have only 100 queued
messages. This is a temporary solution. I need to know how the messages are
getting into the queue.

Eduardo


On Wed, Mar 6, 2013 at 2:05 AM, Oliver Welter <mail@oliwel.de> wrote:

>
>
> On 06.03.2013 04:17, Charles Cazabon wrote:
> > Eduardo Mena <lemena@gmail.com> wrote:
> >>
> >> I changed the password, thanks for the suggestion.
> >
> > It's not enough. You need to find out how the messages are getting into
> your
> > queue; if you're sure it's not via SMTP, look in the qmail logs (you
> didn't
> > quote the lines where the messages arrive in the queue, only the delivery
> > lines). It could be via your webserver or some other vulnerable
> software.
>
> From the headers quoted in the first mail one can see that the messages
> are injected via SMTP. I also have those "attacks" as it seems that
> there are currently bots outside that scan MUAs for credentials.
>
> I would advise you to also check the queue for any outgoing spam mails
> still in the queue and delete them, too.
>
> Oli
>
> --
> Protect your environment - close windows and adopt a penguin!
> PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF 8168 CAB7 B0DD 3985 1721
>
>
Re: The emails take many hours to get to your destination
Hi,

Now, the output queue is almost normal, but that does not mean the problem
is solved.

I did a lot of tests for open relay (please look at Test-1, Test-2, Test-3
below) and all tests display "not open relay".
However, Test-4 displays: "|_smtp-open-relay: Server is an open
relay (7/16 tests)"
Maybe Test-4, where I use the nmap command, is only for the LAN? Are the
other tests for the WAN?

In the following link:
http://www.cyberciti.biz/tips/test-mail-server-for-an-open-relay.html
there is an instruction to make a qmail mail server become a closed relay. I
added the text ".:deny" in the tcp.qmail-smtp file.

This is the text: "
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
.:deny
"
I executed:
#tcprules /etc/tcprules.d/tcp.qmail-smtp.cdb /etc/tcprules.d/.tcp.qmail-smtp.tmp < /etc/tcprules.d/tcp.qmail-smtp

and I restarted qmail. After that I could not send or receive emails, so I
had to return to the original version.
Did I do something wrong here?

Is my server really an open relay?

Thanks

Eduardo

----- Test-1 ----------
[root@boom ~]# telnet rt.njabl.org 2500
Trying 69.28.95.130...
Connected to rt.njabl.org (69.28.95.130).
Escape character is '^]'.

If you are excluded from testing, connect again on port 2501 to force the
test.

re-testing 64.18.73.133
Net::SMTP>>> Net::SMTP(2.29)
Net::SMTP>>> Net::Cmd(2.26)
Net::SMTP>>> Exporter(5.58)
Net::SMTP>>> IO::Socket::INET(1.27)
Net::SMTP>>> IO::Socket(1.28)
Net::SMTP>>> IO::Handle(1.24)
<<< 220 mail.pmaint.com ESMTP
>>> EHLO rt.njabl.org
<<< 250-mail.pmaint.com
<<< 250-STARTTLS
<<< 250-PIPELINING
<<< 250-8BITMIME
<<< 250-SIZE 22777216
<<< 250 AUTH LOGIN PLAIN CRAM-MD5
>>> MAIL FROM:<relaytestsend@rt.njabl.org>
<<< 250 ok
>>> RCPT TO:<relaytest@rr.njabl.org>

>>> RSET
<<< 250 flushed
>>> MAIL FROM:<relaytestsend@mail.pmaint.com>
<<< 250 ok
>>> RCPT TO:<relaytest@rr.njabl.org>

>>> RSET
<<< 250 flushed
>>> MAIL FROM:<"relaytestsend@rt.njabl.org"@mail.pmaint.com>
<<< 250 ok
>>> RCPT TO:<relaytest@rr.njabl.org>

>>> RSET
<<< 250 flushed
>>> MAIL FROM:<relaytestsend>
<<< 250 ok
>>> RCPT TO:<relaytest@rr.njabl.org>

>>> RSET
<<< 250 flushed
>>> MAIL FROM:<relaytestsend@localhost>
<<< 250 ok
>>> RCPT TO:<relaytest@rr.njabl.org>
...

>>> RSET
<<< 250 flushed
>>> MAIL FROM:<relaytestsend@mail.pmaint.com>
<<< 250 ok
>>> RCPT TO:<relaytest%rr.njabl.org@mail.pmaint.com>

Can't relay
Connection closed by foreign host.

[root@boom ~]#

----- Test-2 ( from http://www.dnsgoodies.com/index.htm) ----------
Scanning, please wait...

<< 220 mail.pmaint.com ESMTP
>> HELO 192.168.5.220
<< 250 mail.pmaint.com
>> MAIL FROM:<spammer@192.168.5.220>
<< 250 ok
>> RCPT TO:<spammee@64.18.73.134>
<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>> RSET
<< 250 flushed
>> MAIL FROM:<spammer@192.168.5.220>
<< 250 ok
>> RCPT TO:<"spammee@64.18.73.134">
<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>> RSET
<< 250 flushed
>> MAIL FROM:<spammer@192.168.5.220>
<< 250 ok
>> RCPT TO:spammee@64.18.73.134
<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>> RSET
<< 250 flushed
>> MAIL FROM:<spammer>
<< 250 ok
>> RCPT TO:<spammee@64.18.73.134>
<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>> RSET
<< 250 flushed
>> MAIL FROM:<spammer@192.168.5.220>
<< 250 ok
>> RCPT TO:<spammee%64.18.73.134@mail.pmaint.com>
<< 553 sorry, your envelope recipient has been denied (#5.7.1)
>> RSET
<< 250 flushed
>> MAIL FROM:<spammer@192.168.5.220>
<< 250 ok
>> RCPT TO:<spammee@64.18.73.134@mail.pmaint.com>
<< 553 sorry, your envelope recipient has been denied (#5.7.1)
>> RSET
<< 250 flushed
>> MAIL FROM:<spammer@192.168.5.220>
<< 250 ok
>> RCPT TO:<64.18.73.134!spammee@mail.pmaint.com>
<< 553 sorry, your envelope recipient has been denied (#5.7.1)
>> RSET
<< 250 flushed
>> MAIL FROM:<spammer@192.168.5.220>
<< 250 ok
>> RCPT TO:<@mail.pmaint.com:spammee@64.18.73.134>
<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>> RSET
<< 250 flushed
>> MAIL FROM:<spammer@192.168.5.220>
<< 250 ok
>> RCPT TO:<64.18.73.134!spammee>
<< 553 sorry, your envelope recipient has been denied (#5.7.1)
>> RSET
<< 250 flushed
>> MAIL FROM:<>
<< 250 ok
>> RCPT TO:<spammee@64.18.73.134>
<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>> RSET
<< 250 flushed
>> MAIL FROM:<spammer@mail.pmaint.com>
<< 250 ok
>> RCPT TO:<spammee@64.18.73.134>
<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>> RSET
Good News!
All tests for an open relay on your mail server failed.
Your mail server does not allow open relay.

----- Test-3 (from http://www.mailradar.com/openrelay/ ) ----
All tested completed! No relays accepted by remote host!

----- Test-4 ----------
[root@boom ~]# nmap --script smtp-open-relay mail.pmaint.com
...
|_smtp-open-relay: Server is an open relay (7/16 tests)
...
Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds
[root@boom ~]#



On Wed, Mar 6, 2013 at 9:22 AM, Eduardo Mena <lemena@gmail.com> wrote:

> Thanks Charles and Oliver,
>
> I erased all the garbage from the queue and now I have only 100 queued
> messages. This is a temporary solution. I need to know how the messages
> are getting into the queue.
>
> Eduardo
>
>
> On Wed, Mar 6, 2013 at 2:05 AM, Oliver Welter <mail@oliwel.de> wrote:
>
>>
>>
>> On 06.03.2013 04:17, Charles Cazabon wrote:
>> > Eduardo Mena <lemena@gmail.com> wrote:
>> >>
>> >> I changed the password, thanks for the suggestion.
>> >
>> > It's not enough. You need to find out how the messages are getting
>> into your
>> > queue; if you're sure it's not via SMTP, look in the qmail logs (you
>> didn't
>> > quote the lines where the messages arrive in the queue, only the
>> delivery
>> > lines). It could be via your webserver or some other vulnerable
>> software.
>>
>> From the headers quoted in the first mail one can see that the messages
>> are injected via SMTP. I also have those "attacks" as it seems that
>> there are currently bots outside that scan MUAs for credentials.
>>
>> I would advise you to also check the queue for any outgoing spam mails
>> still in the queue and delete them, too.
>>
>> Oli
>>
>> --
>> Protect your environment - close windows and adopt a penguin!
>> PGP-Key: 3B2C 8095 A7DF 8BB5 2CFF 8168 CAB7 B0DD 3985 1721
>>
>>
>