Interpret /var/spool/mqueue entries

Matthew Seaman matthew at FreeBSD.org
Sat Oct 31 20:01:00 UTC 2020 

On 31/10/2020 13:21, Rob Belics wrote:
> I thought this was a solved problem in my sendmail configuration but, over the last few days, I've gotten some entries and I've forgotten how to interpret them. To me, it appears that the first two entries show that I'm relaying some mail and it was refused by the receiver. But I'm wondering if someone is impersonating my email address and that is why I'm getting a bounce back.
> 
> Is that right? What should I check in sendmail configuration? Note that I changed my email in the examples below to me at example.com
> 
>   Mail in local queue:
>                  /var/spool/mqueue (4 requests)
> -----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
> 09V3c6st046407     5478 Fri Oct 30 22:38 MAILER-DAEMON
>                   (Deferred: Connection refused by mail.distinctionspots.com.)
>                                           <kn95_masks-me=example.com at distinction
> 09V2c6st082929     9067 Fri Oct 30 21:38 MAILER-DAEMON
>                   (Deferred: Connection refused by mail.enlighteneduponhearing.)
>                                           <besthealth-rates-me=example.com at enlig
> 09UNHHsv062419     2449 Fri Oct 30 18:17 <kn95_masks-me=example.com at distinctions
>            7BIT   (Deferred: 421-4.7.0 [107.161.21.234      15] Our system has )
>                                           <me at example.com>
> 09UMHcc1059037     5901 Fri Oct 30 17:17 <besthealth-rates-me=example.com at enligh
>            7BIT   (Deferred)
>                                           <me at example.com>

This looks to me to be spam e-mail that your mail filters have rejected, 
resulting in your mail system trying to bounce the message back to the 
sender.  However, it seems that the sender isn't accepting any bounce 
messages, probably because the headers in the original spam were forged.

Note that bouncing a spam message like this can be a bad thing: some 
spammers deliberately send messages that will be bounced, but they put 
the _real_ targetted victim address into the Sender headers, so their 
spam message gets reflected from some innocent, but real, mail system 
thus avoiding various blacklists or reputation scoring tests.  It's 
called "backscatter" spam.

The way to avoid this is to configure your mail system and spam filters 
so that either:

* Spam messages are rejected in the middle of the SMTP dialogue, before 
receipt has been acknowledged.  Since receipt has not been acknowledged, 
the message is still technically the responsibility of the sending 
system, which should ultimately result in the admins of that system 
getting bounce-o-grammes and (just possibly) getting clued into the fact 
that their system is being used to pump out spam and hence fix it.[*]

* After receipt, any message determined to be spam is either deleted or 
quarantined but _not_ bounced back to the sender

	Cheers,

	Matthew

[*] Actually, spam mail injection frequently comes from compromised 
desktop systems running some malware without a fully capable SMTP server 
being involved, in which case, they usually work by replaying a 
pre-recorded SMTP dialogue and simply can't cope with getting a 
rejection.[**]

[**] Another neat trick here is to add a small delay before your server 
emits its initial greeting message.  Real SMTP servers will wait until 
you have emitted your greeting. Spam bots frequently will not, and if 
anything has the temerity to speak out of turn, you can just bounce the 
message straight away.  It's a very cheap but pretty effective filtering 
mechanism.

More information about the freebsd-questions mailing list