Unknown senders at Mail Queue

Juan Carmona

New Member
Oct 24, 2006
23
0
1
Hi there

We are tracking a strange series of messages in the Mail Queue (Proxmox Mail Gateway 1.7) that is held for delivery. Generally the senders are users from our domain, but we have too many entries like this:


- - - - - - - - - -

Deferred Mails for Domain 'ebgz.itownet.cn' (max 200 entries)

Date Time KByte Sender Receiver(s)
Fri Dec 21 15:50:01 7 MAILER-DAEMON fozzye@ebgz.itownet.cn
SMTP RESULT: connect to ebgz.itownet.cn[59.42.252.66]: Connection timed out

- - - - - - - - - - - -

The sender is MAILER-DAEMON????

The target domain is unusual for our users...

We accept no relay (I hope), no way to identify the sender... Is our security at risk?

Thanks in advance,

Juan Carmona
 

tom

Proxmox Staff Member
Staff member
Aug 29, 2006
15,520
906
163

Hi Juan,

these emails are standard non-delivery reports, nothing unusual.
 

Juan Carmona

New Member
Oct 24, 2006
23
0
1
Hi Tom

I agree with you that NDRs are normal. But do you think that all of those NDRs are, too?

2001.con.cn
4gtech.cn
85.100.178.in
999ok.cn
airbags.cn
arbin.com.cn
bbs.soxu.cn
bj800.cn
bluetee.cn
cdsgroup.com.cn
chemistry.iitd.emet.in
cp-group.cn
cpcb.nic.in
cskt.com.cn
csy2005.com.cn
da-lite.com.cn
ded.in
dil.co.in
ebgz.itownet.cn
exoweb.cn
fenglong.cn
flextronics.com.cn
futures.jrj.com.cn
hy.chiname.cn
jump.oiwin.cn
kctek.cn
krq.cn
liangni.anyp.cn
linkcard.com.cn
lpdesign.cn
mail.impu.cn
nanjiao.cn
netoneblr.bsnl.co.in
newbalance.net.cn
newthink.com.cn
nhzx.com.cn
njo.cn
rty.com.cn
samsonmotors.co.in
sh.gwhn.com.cn
sh.hiu.cn
shchance.cn
spatialport.com.cn
star.bjnet.edu.cn
symeiji.cn
taijing.com.cn
tj.2008s.cn
transen.cn
welcome.sh.vnet.cn
worldsupport.cn
www.168dy.cn
www.21stcentury.com.cn
www.casagio.com.cn
www.chinactp.cn
www.ebook2008.cn
www.ecp.com.cn
www.freecounter.in
www.heho.cn
www.huaans.com.cn
www.icam.cn
www.lanse.com.cn
www.lihuang.com.cn
www.linkshop.com.cn
www.mj6.cn
www.mlrj.cn
www.sztol.cn
www.xib.com.cn

I pasted this "as is" from the mail queue.

Do you notice the common .cn? ;)

This has been happening for a few weeks. Before, we did not see this volume of NDRs.

How do I find the users that are sending mail to those domains?

Thanks,

Juan Carmona
 

tom

Proxmox Staff Member
Staff member
Aug 29, 2006
15,520
906
163

Hi Juan,

to minimize NDRs, please activate SMTP-level filtering. Please take a look into the deployment guide, chapters "performance tuning" and "filtering on SMTP level".

Please also note that the spam volume is very high at Christmas time.

If you want to track messages, I highly recommend using the mail tracking center introduced in Proxmox 2.1. You wrote that you are still using 1.7; I always suggest upgrading as soon as we release the service packs.
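The question in this thread, "which of our users is sending to those domains", has a concrete answer once the queue entries are tied back to the log: a deferred message with an empty envelope sender (shown as MAILER-DAEMON in the queue listing) is an NDR the gateway itself generated, and the message it bounces usually came from an unauthenticated remote client using a forged sender address at one of those .cn domains. Rejecting such mail during the SMTP session, as the staff reply suggests, is what stops the gateway from having to bounce it afterwards. The script below is an added example, not code from the thread or from Proxmox: it reads Postfix log lines (the standard `qmgr`/`smtp`/`bounce`/`smtpd` formats are assumed), follows each `sender non-delivery notification` line from the bounced message to its NDR queue ID, and reports every deferred NDR together with the client and envelope sender of the message that caused it. The sample log is constructed; queue IDs, hosts and addresses in it are invented.

```python
"""Trace deferred null-sender (MAILER-DAEMON) queue entries back to the
messages that triggered them, using Postfix log lines.

Added example, not from the forum thread or from Proxmox. Assumes the
standard Postfix syslog line formats; the sample log below is constructed.
"""
import re
from collections import Counter

# Constructed sample log: two forged-sender messages from remote clients
# that bounced (producing NDRs the gateway now cannot deliver) and one
# legitimate, authenticated submission that was delivered normally.
SAMPLE_LOG = """\
Dec 21 15:40:02 pmg postfix/smtpd[1201]: 3A1F2C0A1: client=unknown[203.0.113.45]
Dec 21 15:40:02 pmg postfix/qmgr[1100]: 3A1F2C0A1: from=<fozzye@ebgz.itownet.cn>, size=7123, nrcpt=1 (queue active)
Dec 21 15:40:03 pmg postfix/smtp[1305]: 3A1F2C0A1: to=<nobody@example.org>, relay=mail.example.org[192.0.2.10]:25, delay=1.2, dsn=5.1.1, status=bounced (host mail.example.org[192.0.2.10] said: 550 5.1.1 User unknown)
Dec 21 15:40:03 pmg postfix/bounce[1401]: 3A1F2C0A1: sender non-delivery notification: 4B2E3D0B2
Dec 21 15:40:03 pmg postfix/qmgr[1100]: 4B2E3D0B2: from=<>, size=7401, nrcpt=1 (queue active)
Dec 21 15:50:01 pmg postfix/smtp[1306]: 4B2E3D0B2: to=<fozzye@ebgz.itownet.cn>, relay=none, delay=600, dsn=4.4.1, status=deferred (connect to ebgz.itownet.cn[59.42.252.66]:25: Connection timed out)
Dec 21 15:41:10 pmg postfix/smtpd[1202]: 5C3F4E0C3: client=unknown[198.51.100.7]
Dec 21 15:41:10 pmg postfix/qmgr[1100]: 5C3F4E0C3: from=<sales@www.sztol.cn>, size=6899, nrcpt=1 (queue active)
Dec 21 15:41:11 pmg postfix/smtp[1305]: 5C3F4E0C3: to=<gone@example.org>, relay=mail.example.org[192.0.2.10]:25, delay=0.9, dsn=5.1.1, status=bounced (host mail.example.org[192.0.2.10] said: 550 5.1.1 User unknown)
Dec 21 15:41:11 pmg postfix/bounce[1401]: 5C3F4E0C3: sender non-delivery notification: 6D4A5F0D4
Dec 21 15:41:11 pmg postfix/qmgr[1100]: 6D4A5F0D4: from=<>, size=7177, nrcpt=1 (queue active)
Dec 21 15:51:12 pmg postfix/smtp[1306]: 6D4A5F0D4: to=<sales@www.sztol.cn>, relay=none, delay=600, dsn=4.4.1, status=deferred (connect to www.sztol.cn[203.0.113.99]:25: Connection timed out)
Dec 21 15:42:00 pmg postfix/smtpd[1203]: 7E5B6A0E5: client=ws12.example.org[10.0.0.12], sasl_method=PLAIN, sasl_username=juan
Dec 21 15:42:00 pmg postfix/qmgr[1100]: 7E5B6A0E5: from=<juan@example.org>, size=2048, nrcpt=1 (queue active)
Dec 21 15:42:01 pmg postfix/smtp[1305]: 7E5B6A0E5: to=<partner@example.net>, relay=mx.example.net[192.0.2.20]:25, delay=0.8, dsn=2.0.0, status=sent (250 OK)
"""

QID = r"(?P<qid>[0-9A-F]{6,})"
RE_CLIENT = re.compile(QID + r": client=(?P<client>[^\s,]+)(?:.*sasl_username=(?P<sasl>\S+))?")
RE_FROM = re.compile(QID + r": from=<(?P<sender>[^>]*)>")
RE_NDR = re.compile(QID + r": sender non-delivery notification: (?P<ndr>[0-9A-F]{6,})")
RE_TO = re.compile(QID + r": to=<(?P<rcpt>[^>]+)>.*status=(?P<status>\w+)")


def parse_log(text):
    """Collect per-queue-ID facts; return (messages, ndr_qid -> bounced_qid)."""
    msgs = {}
    ndr_parent = {}
    for line in text.splitlines():
        for rx in (RE_CLIENT, RE_FROM, RE_NDR, RE_TO):
            m = rx.search(line)
            if not m:
                continue
            rec = msgs.setdefault(m.group("qid"), {})
            if rx is RE_CLIENT:
                rec["client"] = m.group("client")
                rec["sasl"] = m.group("sasl")      # None when not authenticated
            elif rx is RE_FROM:
                rec["sender"] = m.group("sender")  # "" means the null sender <>
            elif rx is RE_NDR:
                ndr_parent[m.group("ndr")] = m.group("qid")
            else:
                rec["rcpt"] = m.group("rcpt")
                rec["status"] = m.group("status")
            break
    return msgs, ndr_parent


def deferred_ndrs(text):
    """Deferred null-sender messages, each traced to the message it bounces."""
    msgs, ndr_parent = parse_log(text)
    rows = []
    for qid, rec in msgs.items():
        if rec.get("sender") != "" or rec.get("status") != "deferred":
            continue
        parent = msgs.get(ndr_parent.get(qid), {})
        rows.append({
            "ndr_qid": qid,
            "domain": rec["rcpt"].rsplit("@", 1)[-1].lower(),
            "origin_qid": ndr_parent.get(qid),
            "origin_client": parent.get("client"),
            "origin_sender": parent.get("sender"),
            "origin_authenticated": parent.get("sasl") is not None,
        })
    return rows


def domain_counts(text):
    """Per-domain count of deferred NDRs, the view the queue listing gives."""
    return Counter(r["domain"] for r in deferred_ndrs(text))


def suspected_backscatter(text):
    """Deferred NDRs whose originating message came from an unauthenticated client."""
    return [r for r in deferred_ndrs(text) if not r["origin_authenticated"]]


if __name__ == "__main__":
    for r in deferred_ndrs(SAMPLE_LOG):
        print(f"{r['ndr_qid']} -> {r['domain']}: bounce of {r['origin_qid']} "
              f"from {r['origin_client']} (envelope sender {r['origin_sender']}, "
              f"authenticated={r['origin_authenticated']})")
```

Run against a real `/var/log/mail.log` (or the output of `grep postfix /var/log/mail.log`), the `origin_client` column answers the thread's question: none of the local users appears, because the NDRs are replies to mail that arrived from outside with a forged sender. The `suspected_backscatter` view is the list worth watching; if recipient validation happens during the SMTP session, those bounced messages are rejected with a 5xx before the gateway accepts responsibility for them, and the deferred NDR queue stops growing.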
 
