Setting to disable failure notifications to dead senders

[hecklertm]

My mail queue is mainly full of outgoing mail going back false email addresses from a spammer who is trying to harvest addresses from my ams server. What settings do I use to stop sending error replies back to non-existent senders. my mail queue keep trying to send DNR notices to a false address for the next 2 days.

Any ideas?

[rob]

Presently the outmail queue treats all mails equally, which means that failure notices and normal mail are given equal time in the queue. However, the best bet is to simply remove the source of the failure notices, and to do this I would need to see the actual failure notice message (copy and paste one into a reply if you could). This will tell me where abouts in the software to disable the notification message. I should note that generally these can only be generated by content filtering or antivirus filtering systems, as the outgoing mail queue notificaitons (delivery failure notices) should only be possible to generate from valid users who have relaying permissions. For this reason it may also be possible one of your users login details have been comprimised or even worse, your SMTP is a open relay.

[hecklertm]

I was brain dead when I made this post. Looking through the outgoing logs I did notice that a user's credentials were compromised. I am not sure why. Somehow, a user's password got changed to blank, and an oversea's spammer figured it out. I am using 2.61. There is no known bug that can change a password to blank is there? I think Yahoo loves my mail server now. I am on their sh*t list.

[centralusa]

I have a similar situation with a user that keeps getting undeliverable (failure) messages for spam that appears to be originating from their account.

1. Is the only way this is possible is by the acocunt being compromised?

2. Which log/s would we check to research which IP address used this account to send out this spam? I assume the SMTP log but I don't see hwo to tell which local acocunt is used to send outgoing mail

[rob]

There is no known bug that can change a password to blank is there?

We have had no reports of a bug where users passwords can get reset like this. However, with the interface, it could be possible to accidently clear the password box when editing a user. But glad at least you found the source of your SPAM issue.

I have a similar situation with a user that keeps getting undeliverable (failure) messages for spam that appears to be originating from their account.
1. Is the only way this is possible is by the acocunt being compromised?
2. Which log/s would we check to research which IP address used this account to send out this spam? I assume the SMTP log but I don't see hwo to tell which local acocunt is used to send outgoing mail

The kind of SPAM you indiciate doesn't require your users details to be hacked. Basically SPAM systems can quite easily imitate mail from your system, even though it likely never has touched your system, and some external mail servers will return failure notices to your domain regardless. To help reduce this, I would recommend setting up SPF for your domain, as this would reduce the effectiveness of SPAM attempting to fake mail from your domain. However, to check if your users details have been compromised, the best step is to watchy our outgonig mail queue size. If this seems higher than it should, then I would recommend looking at the outmail log first to identify which mails are potential SPAM. You can then cross reference these with the SMTP log (searchign for the sender or recipient addresses) and identify when and who (if they logging into the SMTP) sent the mail. If the same user seems to be logging in various times on the SMTP sending lots of mail, its possbile their login details are being used to send SPAM.

[centralusa]

Thanks for the reply, I understand that spammers can forge a users email but our situation is not this, the mail is actually originating from our mail server as the user is getting failure notices ("The following mail failed to be delivered...") directly from our mail server that the message could not be sent so this would confirm the compromise of the account as far as I can tell right?

[rob]

Ah no problem, then this could indeed be a users details being compromised. It would therefore be wise to examine your Outmail/SMTP logs as I described to try and track the source.