# komische Mails in der Mailqueue



## Laubie (15. Mai 2012)

Hiho!
Ich hab da mal ne Frage zu der Mailqueue:

pro Tag kommt ungefähr 1 Mail in meiner Mailqueue an:

```
453D01614E 4810 Sat May 12 16:32:11 MAILER-DAEMON
 (connect to mail.admail.com.ar[200.69.192.203]:25: Connection timed out)
 newbornrp4@admail.com.ar

 4961816158 4706 Sun May 13 06:04:44 MAILER-DAEMON
 (Host or domain name not found. Name service error for name=iicbelgium.com type=MX: Host not found, try again)
 uniquestko0@iicbelgium.com

 45369161BA 5187 Tue May 15 08:41:03 MAILER-DAEMON
 (connect to dhl.ca[199.40.254.85]:25: Connection timed out)
 pastimesq110@dhl.ca

 84274161B8 4734 Sun May 13 16:13:18 MAILER-DAEMON
 (connect to ameriton.com[205.178.189.129]:25: Connection timed out)
 straplessesf49@ameriton.com

 B820A161B2 5114 Tue May 15 08:48:12 MAILER-DAEMON
 (connect to dhl.fi[199.40.254.85]:25: Connection timed out)
 ewerx3@dhl.fi

 B016A161BB 5155 Tue May 15 08:42:16 MAILER-DAEMON
 (connect to dhl.ca[199.40.254.85]:25: Connection timed out)
 fastenedjb282@dhl.ca
```
nach grob einer Woche sind die dann wieder weg... woher kommt das?
Kann man das irgendwie abschalten?
Ich gehe mal davon aus, dass das Mails sind, die mein Mailer-Daemon verschickt, oder?

Grüße
Laubie


----------



## Burge (15. Mai 2012)

irgendwas ist bei dir gehacket.
Offenbar versendest du spam. und was dort hängen geblieben ist konnte nicht zugestellt werden.


----------



## Laubie (15. Mai 2012)

ne... ist nichts gehackt.
Ich habe mir die Mails mal angeschaut.

```
server1:~# postcat -q B820A161B2
*** ENVELOPE RECORDS deferred/B/B820A161B2 ***
message_size:            5114             652               1               0            5114
message_arrival_time: Tue May 15 08:48:12 2012
create_time: Tue May 15 08:48:12 2012
named_attribute: rewrite_context=local
named_attribute: envelope_id=AM..20120515T064812Z@server1.domain.de
sender: 
named_attribute: log_client_name=localhost.localdomain
named_attribute: log_client_address=127.0.0.1
named_attribute: log_client_port=57507
named_attribute: log_message_origin=localhost.localdomain[127.0.0.1]
named_attribute: log_helo_name=localhost
named_attribute: log_protocol_name=ESMTP
named_attribute: client_name=localhost.localdomain
named_attribute: reverse_client_name=localhost.localdomain
named_attribute: client_address=127.0.0.1
named_attribute: client_port=57507
named_attribute: helo_name=localhost
named_attribute: protocol_name=ESMTP
named_attribute: client_address_type=2
named_attribute: dsn_orig_rcpt=rfc822;ewerx3@dhl.fi
original_recipient: ewerx3@dhl.fi
recipient: ewerx3@dhl.fi
*** MESSAGE CONTENTS deferred/B/B820A161B2 ***
Received: from localhost (localhost.localdomain [127.0.0.1])
        by server1.domain.de (Postfix) with ESMTP id B820A161B2
        for <ewerx3@dhl.fi>; Tue, 15 May 2012 08:48:12 +0200 (CEST)
Content-Type: multipart/report; report-type=delivery-status;
 boundary="----------=_1337064492-8050-3"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Subject: BANNED message from you
 (.exe,.exe-ms,World-Parcel-Express-Details.exe)
In-Reply-To: <VO3N59N6ZLX3N4HKTNJQZRBKKWP1Z2BZCZZ338G5NEW6SG05NTENRM77U7FG39723953@kul-dc.dhl.com>
Message-ID: <VSwDq25PJVHWGe@server1.domain.de>
From: "Content-filter at server1.domain.de" <postmaster@server1.domain.de>
To: <ewerx3@dhl.fi>
Date: Tue, 15 May 2012 08:48:12 +0200 (CEST)

This is a multi-part message in MIME format...

------------=_1337064492-8050-3
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

BANNED CONTENTS ALERT

Our content checker found
    banned name: .exe,.exe-ms,World-Parcel-Express-Details.exe

in email presumably from you <ewerx3@dhl.fi>
to the following recipient:
-> name@eine_meiner_domains.de

Our internal reference code for your message is 08050-19/wDq25PJVHWGe

First upstream SMTP client IP address: [117.80.243.40] 
According to a 'Received:' trace, the message originated at: [199.40.206.33],
  [199.40.206.33] [199.40.206.33:57562] helo=gateway2a.dhl.com

Return-Path: <ewerx3@dhl.fi>
From: "DHL International" <noreply@dhl.co.za>
Message-ID:
  <VO3N59N6ZLX3N4HKTNJQZRBKKWP1Z2BZCZZ338G5NEW6SG05NTENRM77U7FG39723953@kul-dc.dhl.com>
Subject: DHL Express Notification for shipment  23149306327802755J2P9

Delivery of the email was stopped!

The message has been blocked because it contains a component
(as a MIME part or nested within) with declared name
or MIME type or contents type violating our access policy.

To transfer contents that may be considered risky or unwanted
by site policies, or simply too large for mailing, please consider
publishing your content on the web, and only sending an URL of the
document to the recipient.

Depending on the recipient and sender site policies, with a little
effort it might still be possible to send any contents (including
viruses) using one of the following methods:

- encrypted using pgp, gpg or other encryption methods;

- wrapped in a password-protected or scrambled container or archive
  (e.g.: zip -e, arj -g, arc g, rar -p, or other methods)

Note that if the contents is not intended to be secret, the
encryption key or password may be included in the same message
for recipient's convenience.

We are sorry for inconvenience if the contents was not malicious.

The purpose of these restrictions is to cut the most common propagation
methods used by viruses and other malware. These often exploit automatic
mechanisms and security holes in more popular mail readers (Microsoft
mail readers and browsers are a common target). By requiring an explicit
and decisive action from the recipient to decode mail, the danger of
automatic malware propagation is largely reduced.


------------=_1337064492-8050-3
Content-Type: message/delivery-status; name="dsn_status"
Content-Disposition: inline; filename="dsn_status"
Content-Transfer-Encoding: 7bit
Content-Description: Delivery error report

Reporting-MTA: dns; server1.domain.de
Received-From-MTA: smtp; server1.domain.de ([127.0.0.1])
Arrival-Date: Tue, 15 May 2012 08:48:12 +0200 (CEST)

Original-Recipient: rfc822;name@eine_meiner_domains.de
Final-Recipient: rfc822;name@eine_meiner_domains.de
Action: failed
Status: 5.7.0
Diagnostic-Code: smtp; 554-5.7.0 Reject, id=08050-19 - BANNED:
 554 5.7.0 .exe,.exe-ms,World-Parcel-Express-Details.exe
Last-Attempt-Date: Tue, 15 May 2012 08:48:12 +0200 (CEST)
Final-Log-ID: 08050-19/wDq25PJVHWGe

------------=_1337064492-8050-3
Content-Type: text/rfc822-headers; name="header"
Content-Disposition: inline; filename="header"
Content-Transfer-Encoding: 7bit
Content-Description: Message header section

Return-Path: <ewerx3@dhl.fi>
Received: from 40.243.80.117.broad.sz.js.dynamic.163data.com.cn (unknown [117.80.243.40])
        by server1.domain.de (Postfix) with ESMTP id 5A800161B9
        for <name@eine_meiner_domains.de>; Tue, 15 May 2012 08:40:05 +0200 (CEST)
X-Spam-Relays-Untrusted: [ ip=199.40.20.209
        rdns=mykulws2395.kul-dc.dhl.com
        helo=gateway2a.dhl.com
        by=gateway2a.dhl.com ident= envfrom= intl=0 id= auth= msa=0 ]
Received: from [199.40.206.33] ([199.40.206.33:57562] helo=gateway2a.dhl.com)
        by cm-mr13 (envelope-from <noreply@dhl.co.za>)
        (ecelerity 2.2.3.46 r(37554)) with ESMTP
        id 29/97-04068-86BECFE4; Tue, 15 May 2012 14:40:04 +0800
From: "DHL International" <noreply@dhl.co.za>
To: 
Subject: DHL Express Notification for shipment  23149306327802755J2P9
Date: Tue, 15 May 2012 14:40:04 +0800
MIME-Version: 1.0
X-Priority: 3
Message-ID: <VO3N59N6ZLX3N4HKTNJQZRBKKWP1Z2BZCZZ338G5NEW6SG05NTENRM77U7FG39723953@kul-dc.dhl.com>
Content-Type: multipart/mixed;
  boundary="----=x__yode_91_03_20"

------------=_1337064492-8050-3--
*** HEADER EXTRACTED deferred/B/B820A161B2 ***
*** MESSAGE FILE END deferred/B/B820A161B2 ***
```
Mein Spamfilter hat in der eingehenden Mail nen Virus gefunden und will eine Virusmeldung zurückschicken...
Was für Virenmails von Freunden sinnvoll ist, ist natürlich für SPAM-Viren eher nervig.
Wie behandelt ihr solche Mails? einfach droppen? oder Nachricht an den Absender?

Grüße
Laubie


----------



## Burge (15. Mai 2012)

ah dann hast glück hatte sowas schonmal auf einem anderen server.
ich persönlich würde die droppen


----------



## F4RR3LL (15. Mai 2012)

bei mir wird sowas auch gedroppt und fertig.


----------



## Laubie (16. Mai 2012)

puh... ok... an welcher Stelle stand das noch gleich mit dem droppen?


----------



## Till (18. Mai 2012)

Schau mal in die amavisd.conf Datei bzw. die Dateien in /etc/amavis/conf.d/


----------



## Laubie (18. Mai 2012)

PERFEKT 

Ich habe die /etc/amavis/conf.d/50-user geändert:

habe jetzt 
$final_virus_destiny = D_DISCARD;

Dann bin ich den Müll also auch los 

DANKE


----------

