Last week a mail account was compromised and LOADS of Spam was being sent, clogging up the mail server and causing our mail server to be blacklisted in several places. We identified the compromised mail account and have secured it now. We have removed ourselves from all known lists, even though there are still some emails not being delivered with 4.4.1 deferral to certain domains (yahoo, hotmail, btinternet as the main ones).
Today we received an email from a customer (whose domain is hosted on our server but their outgoing mail goes via an external smarthost). Their email got to us OK. But they then got an email making it look as if they had sent loads of Spam (in the examples 82.xxx.xxx.xxx is our mail server):
-----Original Message-----
From: MAILER-DAEMON@plesk2.mydomain.co.uk [mailto:MAILER-DAEMON@plesk2.mydomain.co.uk]
Sent: 26 January 2010 13:21
To: Gordon
Subject: failure notice
Hi. This is the qmail-send program at plesk2.mydomain.co.uk.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<randy.gregg@worldnet.att.net>:
Connected to 204.127.208.75 but sender was rejected.
Remote host said: 521-82.xxx.xxx.xxx blocked by sbc:blacklist.mailrelay.att.net.
521 DNSRBL: Blocked for abuse. See http://att.net/blocks
<randy.holt@netscape.net>:
64.12.138.88 does not like recipient.
Remote host said: 550 MAILBOX NOT FOUND
Giving up on 64.12.138.88.
<randy.pacheco@earthlink.net>:
209.86.93.227 does not like recipient.
Remote host said: 550 randy.pacheco@earthlink.net...User unknown
Giving up on 209.86.93.227.
<randy.phillips@ameritech.net>:
Connected to 207.115.21.20 but sender was rejected.
Remote host said: 553 5.3.0 flpi183 - o0LAi1ds022387, DNSBL:ATTRBL 521< 82.xxx.xxx.xxx >_is_blocked.__For_information_see_http://att.net/blocks
<randy.rocker@aol.com>:
64.12.138.57 does not like recipient.
Remote host said: 550 MAILBOX NOT FOUND
Giving up on 64.12.138.57.
<randy.simmons@sbcglobal.net>:
Connected to 207.115.36.20 but sender was rejected.
Remote host said: 553 5.3.0 nlpi076 - o0LAi12o017702, DNSBL:ATTRBL 521< 82.xxx.xxx.xxx>_is_blocked.__For_information_see_http://att.net/blocks
etc. with lots more seeming Spam addresses. And at the bottom of them all, it said:
--- Below this line is a copy of the message.
Return-Path: <customer@domain2.org.uk>
Received: (qmail 4577 invoked from network); 26 Jan 2010 13:20:48 +0000
Received-SPF: none (no valid SPF record)
Received: from lon-mail-relay-2.secondarymailserver.net (193.xxx.xxx.xxx)
by plesk2.mydomain.co.uk with (DHE-RSA-AES256-SHA encrypted) SMTP; 26 Jan 2010 13:20:48 +0000
Received: from smtp5.smarthost.net ([78.xxx.xxx.xxx])
by lon-mail-relay-2.secondarymailserver.net with esmtp (Exim 4.52 (FreeBSD))
id 1NZlLV-000BBQ-SH
for me@mydomain.com; Tue, 26 Jan 2010 13:20:41 +0000
Received: from remote.domain2.org.uk (unknown [78.xxx.xxx.xxx])
by smtp5.smarthost.net (Postfix) with ESMTP id EA7D3146B287
for <me@mydomain.com>; Tue, 26 Jan 2010 13:20:40 +0000 (UTC)
Received: from ELIMSBS-W2K8.sbselim.local ([fe80::9c2a:ab6976a]) by ELIMSBS-W2K8.sbselim.local ([fe80::9c2a:ab6976a%10]) with mapi; Tue, 26 Jan 2010 13:20:40 +0000
From: Gordon <customer@domain2.org.uk>
To: me@mydomain.com>
Date: Tue, 26 Jan 2010 13:20:39 +0000
Subject: Installations
etc.
The mail log shows no suspicious activity looking like emails were sent. But after the incident last week, we are very wary. Can anyone help on what could have caused this failure notice to be generated? Is there anywhere else we can check things on our server to see if all is OK? What can we do about it? And is there something encouraging that we can tell our customer?
Related but separate: can anyone advise us as to how we can get the emails sitting in our Mail Queue delivered while we struggle to find the various postmasters and persuade them to whitelist the mail server as there are thousands of:
deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
being received.
Grateful as ever in advance for all help.
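An added example, not part of the original post: a small Python triage helper for a qmail-send failure notice in the layout quoted above. It groups failed recipients by whether the remote host rejected the sending IP or the recipient, and lists failed recipients that do not appear in the To/Cc headers of the bounced copy. The sample notice, its addresses and the name `parse_bounce` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

MARKER = "--- Below this line is a copy of the message."

# Constructed sample in the qmail-send bounce layout (placeholder addresses/IPs).
SAMPLE = """\
Hi. This is the qmail-send program at mx.example.net.
This is a permanent error; I've given up. Sorry it didn't work out.

<a@remote1.example>:
Connected to 192.0.2.10 but sender was rejected.
Remote host said: 521 DNSRBL: Blocked for abuse.

<b@remote2.example>:
192.0.2.20 does not like recipient.
Remote host said: 550 MAILBOX NOT FOUND
Giving up on 192.0.2.20.

--- Below this line is a copy of the message.

Return-Path: <sender@customer.example>
Received: from relay.example (198.51.100.5)
  by mx.example.net with SMTP; 26 Jan 2010 13:20:48 +0000
To: <me@hosted.example>
Subject: Installations
"""

def parse_bounce(text):
    """Return envelope sender, per-recipient failure class, and failed
    recipients that the bounced copy's To/Cc headers never mention."""
    report, _, copy = text.partition(MARKER)
    failures, current = {}, None
    for line in report.splitlines():
        m = re.fullmatch(r"<([^<>\s]+@[^<>\s]+)>:", line.strip())
        if m:  # start of a new per-recipient paragraph
            current = m.group(1).lower()
            failures[current] = "other"
        elif current and re.search(r"sender was rejected|RBL|blocked", line, re.I):
            failures[current] = "sending_ip_blocked"  # blocklist rejection
        elif current and failures[current] == "other" and re.search(
                r"does not like recipient|user unknown|mailbox not found", line, re.I):
            failures[current] = "bad_recipient"
    msg = message_from_string(copy.lstrip())
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", [])
    addressed = {addr.lower() for _, addr in getaddresses(hdrs)}
    return {"envelope_sender": parseaddr(msg.get("Return-Path", ""))[1].lower(),
            "failures": failures,
            "not_in_headers": sorted(set(failures) - addressed)}
```

A non-empty `not_in_headers` list means the notice reports delivery attempts to addresses the bounced copy was never addressed to, which is the point to start checking forwards, aliases and mail groups on the receiving server.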