Issue qmail failure notices from Sender: #@[]

[stevland]

Forgive me if this has been covered before... I can't find anything related through searching the forum or Google.

My server receives hundreds of failure notices a day from Sender: #@[]

They all look like this:

Received: (qmail 22073 invoked for bounce); 15 May 2019 12:13:48 -0700
Date: 15 May 2019 12:13:48 -0700
From: [email protected]
To: [email protected]
Subject: failure notice

Are these the result of a qmail misconfiguration?

 

[Monty]

This is a bounce message. So your mail server was not able to deliver a mail, either locally or remotely. Have a look at the content of the bounce mail (just what comes after the part you've posted), it will tell you where the original mail came from and where it was supposed to be sent to.
Also, check your maillog file (/var/log/maillog or /var/log/mail.log or /usr/local/psa/var/log/maillog) to see what's going on on your mail server. Maybe you have a compromised mailbox on your server that is being abused to send spam.

Also, have a look here: Fighting Spam on a Qmail Mail Server

 

[stevland]

Hi @Monty ,

Thanks for the tips, but what I posted is the entirety of what I'm shown... there is nothing past the headers.

I have been digging into the maillog a bit, but it is a bit daunting.

Are the special characters (#@[]) I'm seeing instead of the Sender's email address normal?

Like I said, I get hundreds of these a day. I seem to recall that this started around the time that I upgraded Plesk years ago, but I didn't get around to looking into it until now.

 

[stevland]

BTW the maillogs have the same special characters instead of a legit sender address:

May 15 05:21:50 rede /var/qmail/bin/relaylock[14819]: /var/qmail/bin/relaylock: mail from 185.222.211.54:9702 (mail-serv.info)
May 15 05:21:52 rede qmail: 1557922912.975863 starting delivery 3049: msg 1704730 to local [email protected]
May 15 05:21:52 rede qmail: 1557922912.975919 status: local 1/10 remote 0/20
May 15 05:21:53 rede qmail-local-handlers[14828]: Handlers Filter before-local for qmail started ...
May 15 05:21:53 rede qmail-local-handlers[14828]: from=#@[]
May 15 05:21:53 rede qmail-local-handlers[14828]: [email protected]
May 15 05:21:53 rede qmail-local-handlers[14828]: mailbox: /var/qmail/mailnames/mydomain.com
May 15 05:21:53 rede dk_check[14829]: Starting the dk_check filter...
May 15 05:21:53 rede dk_check[14829]: DKIM verify result: DKIM Feed: No signature
May 15 05:21:53 rede qmail: 1557922913.024963 delivery 3049: deferral: ./Maildir:_No_such_file_or_directory/
May 15 05:21:53 rede qmail: 1557922913.025381 status: local 0/10 remote 0/20
May 15 05:21:53 rede /var/qmail/bin/relaylock[14831]: /var/qmail/bin/relaylock: mail from 185.222.211.54:39060 (mail-serv.info)
May 15 05:21:54 rede /var/qmail/bin/relaylock[14835]: /var/qmail/bin/relaylock: mail from 185.222.211.54:19436 (mail-serv.info)
May 15 05:21:54 rede smtp_auth[14836]: SMTP connect from softdnserror [103.231.139.176]
May 15 05:21:54 rede smtp_auth[14836]: No such user '[email protected]' in mail authorization database
May 15 05:21:54 rede smtp_auth[14836]: FAILED: [email protected] - password incorrect from softdnserror [103.231.139.176]

 

[Monty]

OK, the server 185.222.211.54 (mail-serv.info) is trying to deliver a mail to [email protected] but this fails because this user does not have a mailbox directory ("Maildir").

I suggest you first start by rebuilding the mail config of your plesk by doing:
# plesk repair mail

After that, keep monitoring your maillog to see if there are further errors like "deferral: ./Maildir:_No_such_file_or_directory/". If no new errors occur then your issue could be solved. But still, keep monitoring your maillog to see if there are any other issues like a compromised mailbox.

 

[stevland]

Thanks, but the repair didn't help.

# plesk repair mail

Repairing the mail server configuration

Reconfigure all domains and mailboxes? [Y/n] y
Reconfiguring all domains and mailboxes ......................... [OK]

Error messages: 0; Warnings: 0; Errors resolved: 0

And I'm still seeing a ton of deferrals. Here is a brief sample:

May 16 10:34:35 rede qmail: 1558028075.294738 delivery 285: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:34:40 rede qmail: 1558028080.359338 delivery 286: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:35:21 rede qmail: 1558028121.534945 delivery 288: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:36:03 rede qmail: 1558028163.684131 delivery 290: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:36:03 rede qmail: 1558028163.693746 delivery 289: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:36:16 rede qmail: 1558028176.750477 delivery 291: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:37:22 rede qmail: 1558028242.096979 delivery 295: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:39:04 rede qmail: 1558028344.205011 delivery 296: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:39:31 rede qmail: 1558028371.312485 delivery 297: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:39:40 rede qmail: 1558028380.164026 delivery 301: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:40:04 rede qmail: 1558028404.245995 delivery 304: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:40:37 rede qmail: 1558028437.380945 delivery 308: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:41:16 rede qmail: 1558028476.458101 delivery 309: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:41:45 rede qmail: 1558028505.229625 delivery 313: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:42:18 rede qmail: 1558028538.085357 delivery 316: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:43:15 rede qmail: 1558028595.147639 delivery 318: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:43:19 rede qmail: 1558028599.228823 delivery 319: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:43:54 rede qmail: 1558028634.772831 delivery 320: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP
_connection._(#4.4.1)/
May 16 10:44:08 rede qmail: 1558028648.697239 delivery 323: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:44:08 rede qmail: 1558028648.698293 delivery 324: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:44:58 rede qmail: 1558028698.523152 delivery 338: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:46:45 rede qmail: 1558028805.679125 delivery 339: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:47:18 rede qmail: 1558028838.750634 delivery 340: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:48:00 rede qmail: 1558028880.735339 delivery 343: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:48:00 rede qmail: 1558028880.735668 delivery 344: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:48:52 rede qmail: 1558028932.871185 delivery 345: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:49:17 rede qmail: 1558028957.483977 delivery 347: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:49:36 rede qmail: 1558028976.538531 delivery 348: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:51:03 rede qmail: 1558029063.104316 delivery 350: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:51:05 rede qmail: 1558029065.203116 delivery 351: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:51:05 rede qmail: 1558029065.204319 delivery 352: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:52:50 rede qmail: 1558029170.395287 delivery 353: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:53:07 rede qmail: 1558029187.679115 delivery 355: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:53:07 rede qmail: 1558029187.680004 delivery 356: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:53:42 rede qmail: 1558029222.034448 delivery 359: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:55:05 rede qmail: 1558029305.412758 delivery 362: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:55:38 rede qmail: 1558029338.477156 delivery 363: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:56:06 rede qmail: 1558029366.524569 delivery 364: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:56:30 rede qmail: 1558029390.574424 delivery 366: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:57:34 rede qmail: 1558029454.638980 delivery 367: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:57:48 rede qmail: 1558029468.770482 delivery 369: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:57:51 rede qmail: 1558029471.803230 delivery 370: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:58:11 rede qmail: 1558029491.837466 delivery 371: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:58:27 rede qmail: 1558029507.444049 delivery 374: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:59:40 rede qmail: 1558029580.568326 delivery 375: deferral: ./Maildir:_No_such_file_or_directory/
May 16 10:59:50 rede qmail: 1558029590.613417 delivery 376: deferral: ./Maildir:_No_such_file_or_directory/

I really have no clue what to do about these. I've always thought these were attempts to send an email to an non-existent mailbox, no? Correct me if I'm wrong, but I've always understood that there is no way to prevent spammers from sending mail to randomly generated or stale email addresses.

 

[Ales]

Hm. These look like double bounces that have nowhere to go, although qmail thinks that they have a valid destination.

Monty was right to suspect a corrupt mailbox, but it seems that this is not the cause.

What are the contents of the following files (you might not have the last or the last two, that's OK as they are not mandatory):

cat /var/qmail/alias/.qmail-postmaster
cat /var/qmail/control/doublebounceto
cat /var/qmail/alias/.qmail-doublebounce

Does the e-mail address from the .qmail-postmaster exist?

You can edit the .qmail-postmaster file and change the address if necessary. There can be more than one address in there too (just make sure that each is on its own line and that the line starts with a & ):

# cat /var/qmail/alias/.qmail-postmaster
&[email protected]
&[email protected]

If the address in the .qmail-postmaster is wrong, you might want to check the other files in /var/qmail/alias/, they should all contain a valid e-mail address.

Also, you might want to check the administrator's profile in your Plesk control panel (the "Profile & Preferences" in the left menu) and see if the correct e-mail address has been set. That's where the addresses for the /var/qmail/alias/.qmail-* files initially came from.

BTW, just like Monty suggested, if you do get a lot of double bounces, you might have a spammer misusing your server to send spam. There might be a vulnerable script somewhere, a badly written contact form, WordPress that hasn't been updated, etc..

 

[stevland]

Yes, the address in .qmail-postmaster is my primary email address.

It is the same email address as set in Plesk > Profile & Preferences.

/var/qmail/control/doublebounceto and /var/qmail/alias/.qmail-doublebounce do not exist

>if you do get a lot of double bounces, you might have a spammer misusing your server to send spam.

Any tips on how to verify this and track down the source?