
Issue Lot of MAILER-DAEMON@ messages in mail queue

TorbHo

Basic Pleskian
After upgrading from Plesk 17.0 to 17.8 (Ubuntu 14.4 lts) we have a lot of bounce messages in our mail queue.

After a look at the mail headers, these mails don't seem to be outgoing spam mails, but they are bounce messages from spam which was sent to our customers.
They are just the error messages saying that the spam could not be delivered or the mail was deleted.

We didn't have this type of bounce mail with Plesk 17.0, why do we have them with 17.8?
These messages are flooding our mail queue.

So, what can we do?

 
The same today. A lot of MAILER-DAEMON@ messages.
None of them are outgoing spam, but error messages to the sender, which of course cannot be reached.

Why didn't we have these messages with Plesk 17.0? Is there anything different in the mail configuration?
 
These domains don't even have valid MX records. It's clearly spam being sent from spoofed senders. You need to find the source. The Plesk version is irrelevant. Check your mail log. You likely have a compromised mail password.
 
No, these mails are not outgoing spam. I checked the mail body via ssh.

A mail doesn't need a valid mx record to be sent. The "from" address can of course be spoofed.

For example: the message from [email protected] is sent to our client [email protected]. This mail address is forwarded to [email protected]. T-Online then decides that this mail is spam and the mail can't be sent to the forwarder mail address. So our server sends back an error message to [email protected].

Because there is no MX record for spamdomain.com the mail stays in our mail queue.

So, the real question is: why did this not happen for Plesk 17.0? What is different in 17.8 that our mail queue is now full of these error messages? And what can we do?
 
In your example, your server shouldn't have accepted the message in the first place. It doesn't sound like you're even using basic DNSBLs. These domains are both in Spamhaus for example.
 
We use Spamhaus. Maybe the domain was not in the list when the mail arrived.

Although I don't like SPF protection that much, I activated it now.
As far as I know, Plesk now supports SRS for forwarded mails, so I gave it a try.

Up to now: no more error mails in the queue for some hours. Maybe that solved our problem. I'll report after the weekend.

Thank you.
 
Remarked as unresolved.
Now, after the weekend, again we have a lot of these bounce messages. What can we do?
 
The problem is not solved yet.

But, I use a cron-job to flush the messages and so the symptoms don't bother me anymore. But I still would like to know, why the messages appear in 17.8, when they didn't appear in 17.0.

The cron looks like this:
# mailq | awk '/MAILER-DAEMON/{gsub(/[*!]/,"");printf("postsuper -d %s\n",$1)}' | bash
It clears the mail queue of MAILER-DAEMON messages.
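
An added example, not part of any post in this thread: before deleting, it helps to see which recipient domains the queued bounces are addressed to, and to select queue IDs only from entry header lines so that a recipient or error line mentioning MAILER-DAEMON is never treated as an ID. The function names and the sample listing are constructed, and the Postfix `mailq` text layout is assumed.

```shell
#!/bin/sh
# Added example. Function names and the sample queue listing are constructed.

# Print queue IDs of messages whose envelope sender is MAILER-DAEMON.
# Only entry header lines (queue ID in column 1, 7 fields) are considered,
# so recipient or reason lines that mention MAILER-DAEMON are ignored.
bounce_ids() {
    awk '/^[0-9A-Za-z]+[*!]?[ \t]/ && NF == 7 && $7 == "MAILER-DAEMON" {
             id = $1; sub(/[*!]$/, "", id)   # strip active (*) / hold (!) marker
             print id
         }'
}

# Count queued bounces per recipient domain, most frequent first.
bounce_domains() {
    awk '/^[0-9A-Za-z]+[*!]?[ \t]/ && NF == 7 { bounce = ($7 == "MAILER-DAEMON"); next }
         /^[ \t]*$/  { bounce = 0; next }     # blank line ends an entry
         /^[ \t]*\(/ { next }                 # delivery error text
         bounce && /^[ \t]+[^ \t]+@[^ \t]+$/ {
             sub(/^.*@/, "", $1); n[tolower($1)]++
         }
         END { for (d in n) printf "%d %s\n", n[d], d }' | sort -k1,1nr -k2
}

# Constructed sample in the layout printed by Postfix mailq.
sample_mailq() {
    cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    3120 Mon Mar  5 10:12:01  MAILER-DAEMON
                                         info@spamdomain.example

B2C3D4E5F6     1822 Mon Mar  5 10:15:44  user@customer.example
(connect to mx.other.example[192.0.2.10]:25: Connection timed out)
                                         MAILER-DAEMON@other.example

C3D4E5F6A7!    2990 Mon Mar  5 10:20:09  MAILER-DAEMON
(Host or domain name not found. Name service error for name=spamdomain.example type=MX: Host not found)
                                         Sales@SpamDomain.example

-- 8 Kbytes in 3 Requests.
EOF
}
```

On a live server, `mailq | bounce_domains` gives the per-domain summary, and `mailq | bounce_ids | postsuper -d -` deletes the selected messages without piping generated commands into a shell.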
 