
Mailnull sending spam...

Discussion in 'E-mail Discussions' started by doulos61, Aug 3, 2011.

  1. doulos61

    doulos61 Well-Known Member

    ... unless I am reading this incorrectly.

    I am having a large number of emails that are staying in the queue. Here is what I see at the initial investigation. There are two message IDs involved: 1QoTYs-0007Q0-2U and 1QoTYm-0006mz-8R. In these examples I have substituted "myserver.com" for my domain. Here are some sample headers -

    Code:
    1QoTYs-0007Q0-2U-H
    mailnull 47 12
    <>
    1312347606 0
    -ident mailnull
    -received_protocol local
    -body_linecount 86
    -max_received_linelength 296
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -frozen 1312347606
    -localerror
    XX
    1
    jennettekristy@jlbk.com
    
    154P Received: from mailnull by myserver.com with local (Exim 4.69)
    	id 1QoTYs-0007Q0-2U
    	for jennettekristy@jlbk.com; Tue, 02 Aug 2011 23:59:42 -0500
    097  X-Failed-Recipients: stagesandbag@shema.com,
      lamestcatholicity@shema.com,
      ifacgoek@shema.com
    029  Auto-Submitted: auto-replied
    064F From: Mail Delivery System <Mailer-Daemon@myserver.com>
    028T To: jennettekristy@jlbk.com
    059  Subject: Mail delivery failed: returning message to sender
    053I Message-Id: <E1QoTYs-0007Q0-2U@myserver.com>
    038  Date: Tue, 02 Aug 2011 23:59:42 -0500
     
    1QoTYs-0007Q0-2U-D
    This message was created automatically by mail delivery software.
    
    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:
    
      stagesandbag@shema.com
        The mail server detected your message as spam and has prevented delivery (50).
      lamestcatholicity@shema.com
        The mail server detected your message as spam and has prevented delivery (50).
      ifacgoek@shema.com
        The mail server detected your message as spam and has prevented delivery (50).
    
    ------ This is a copy of the message, including all the headers. ------
    
    Return-path: <jennettekristy@jlbk.com>
    Received: from [101.0.53.149] (port=1364 helo=gen47luvm.96uzd9b.1mhpkm2tsnr.gj)
    	by myserver.com with smtp (Exim 4.69)
    	(envelope-from <jennettekristy@jlbk.com>)
    	id 1QoTYm-0006mz-8R; Tue, 02 Aug 2011 23:59:42 -0500
    To: <ifacgoek@shema.com>
    Message-ID: <49g83f81y82-89150643-346a1i15@ojopnslaj>
    From: "ISABELLE NEREIDA" <jennettekristy@jlbk.com>
    And the exim_mainlog entry -

    Message 1QoTYs-0007Q0-2U
    Code:
    2011-08-02 23:59:42 [28520] 1QoTYs-0007Q0-2U <= <> R=1QoTYm-0006mz-8R U=mailnull P=local S=4939 T="Mail delivery failed: returning message to sender" f$
    2011-08-02 23:59:42 [28522] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1QoTYs-0007Q0-2U
    2011-08-02 23:59:42 [28522] 1QoTYs-0007Q0-2U ** jennettekristy@jlbk.com F=<> P=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after $
    2011-08-02 23:59:42 [28522] 1QoTYs-0007Q0-2U Frozen (delivery error message)
    and the originating message 1QoTYm-0006mz-8R
    Code:
    2011-08-02 23:59:42 [26101] 1QoTYm-0006mz-8R H=(gen47luvm.96uzd9b.1mhpkm2tsnr.gj) [101.0.53.149]:1364 I=[66.249.19.251]:25 Warning: "SpamAssassin $
    2011-08-02 23:59:42 [26101] 1QoTYm-0006mz-8R <= jennettekristy@jlbk.com H=(gen47luvm.96uzd9b.1mhpkm2tsnr.gj) [101.0.53.149]:1364 I=[66.249.19.251]$
    2011-08-02 23:59:42 [28518] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1QoTYm-0006mz-8R
    2011-08-02 23:59:42 [28518] 1QoTYm-0006mz-8R cancelled by system filter: The mail server detected your message as spam and has prevented delivery $
    2011-08-02 23:59:42 [28520] cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1QoTYm-0006mz-8R
    So the question is -
    For message (1QoTYs-0007Q0-2U), is mailnull trying to send out a spam message or a notification of spam

    or,

    Is this mail message (1QoTYm-0006mz-8R) the real spam?

    I appreciate the input
    Thnx
    D
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    mailnull (exim) is trying to send a notification to the original sender that the message failed due to being spam.

    Code:
    Subject: Mail delivery failed: returning message to sender
     
  3. doulos61

    doulos61 Well-Known Member

    Thanks for the response, Tristan -
    Where I am confused for sure is who is the "original sender" of the email? I am doing what I can to root out any potential spam sending on my end. Just a side note: there are 4 email accounts on "@shema.com", and none of the ones listed here are valid.

    Thnx
    D
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Could you provide the full exigrep output without truncating the lines for the messages? They terminate in $ so it's more difficult to see the full details. The sender is definitely jennettekristy@jlbk.com but, without seeing the full exigrep output for the messages, I cannot say which IP is definitely their IP and which is your IP.
     
  5. doulos61

    doulos61 Well-Known Member

    Tristan,
    Would the command line be -

    Code:
    exigrep 1QoTYs-0007Q0-2U
    or something like that?

    Thnx
    D
     
  6. acenetgeorge

    acenetgeorge Well-Known Member
    PartnerNOC

    The command to use would be:

    Code:
     exigrep 1QoTYs-0007Q0-2U /var/log/exim_mainlog 
     
  7. doulos61

    doulos61 Well-Known Member

    I was unable to locate it using the command. I know that I am still having this issue so I will provide another example. I just didn't want you to think I wasn't responding. I will update before the weekend is out. Thanks everyone for the help.
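
Added example, not part of any post in this thread: a Python sketch that links a mailnull bounce in exim_mainlog (an arrival line with sender <> and R=) to the message that triggered it, and reports that message's remote address (H=) and the local interface it arrived on (I=). The log sample is constructed with placeholder message IDs, example domains and documentation IPs, and trace_bounces is a hypothetical helper name.

```python
import re

# Constructed sample in the exim_mainlog layout quoted in the thread
# (placeholder message IDs, example domains, documentation IPs).
SAMPLE_LOG = """\
2011-08-02 23:59:42 [26101] 1AAAAA-0000aa-AA <= sender@remote.example H=(helo.invalid) [203.0.113.9]:1364 I=[192.0.2.25]:25 P=smtp S=3021
2011-08-02 23:59:42 [28518] 1AAAAA-0000aa-AA cancelled by system filter: The mail server detected your message as spam and has prevented delivery (50).
2011-08-02 23:59:42 [28520] 1BBBBB-0000bb-BB <= <> R=1AAAAA-0000aa-AA U=mailnull P=local S=4939 T="Mail delivery failed: returning message to sender"
2011-08-02 23:59:42 [28522] 1BBBBB-0000bb-BB ** sender@remote.example F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server
2011-08-02 23:59:42 [28522] 1BBBBB-0000bb-BB Frozen (delivery error message)
"""

MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
LINE = re.compile(r"^\S+ \S+ (?:\[\d+\] )?(" + MSGID + r") (.*)$")
ARRIVAL = re.compile(r"^<= (\S+)")                  # "<=" marks message arrival
REMOTE = re.compile(r" H=.*?\[([0-9A-Fa-f.:]+)\]")  # H= is the connecting host
LOCAL = re.compile(r" I=\[([0-9A-Fa-f.:]+)\]")      # I= is this server's interface
PARENT = re.compile(r" R=(" + MSGID + r")")         # on "<=" lines: message being bounced

def trace_bounces(log_text):
    """Link each locally generated bounce (<= <> R=id) to the message that caused it."""
    msgs = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        rec = msgs.setdefault(m.group(1), {"events": []})
        rest = m.group(2)
        a = ARRIVAL.match(rest)
        if a:
            rec["sender"] = a.group(1)
            for key, rx in (("remote_ip", REMOTE), ("local_ip", LOCAL), ("parent", PARENT)):
                hit = rx.search(rest)
                rec[key] = hit.group(1) if hit else None
        else:
            rec["events"].append(rest)
    report = []
    for mid, rec in msgs.items():
        if rec.get("sender") == "<>" and rec.get("parent"):
            origin = msgs.get(rec["parent"], {"events": []})
            report.append({
                "bounce_id": mid, "origin_id": rec["parent"],
                "origin_sender": origin.get("sender"),
                "origin_remote_ip": origin.get("remote_ip"),
                "received_on": origin.get("local_ip"),
                "filtered": any(e.startswith("cancelled by") for e in origin["events"]),
                "frozen": any(e.startswith("Frozen") for e in rec["events"]),
            })
    return report
```

A report entry with filtered set and a non-local origin_remote_ip describes inbound spam that the system filter rejected after acceptance, with the queued message being the resulting bounce.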
     