[Techtalk] [Fwd: Delivery Status Notification (Delay)]

Rudy Zijlstra rudy at grumpydevil.homelinux.org
Sun Dec 9 10:35:47 UTC 2007


Maria McKinley wrote:
> Hey there,
>
> I received this email, but can't quite figure it out. It is obviously 
> regarding some spam, but I don't understand why I (sysadmin at shadlen.org) 
> am receiving it or who sent what.
>
> Has anyone seen anything like this?
>
>   
Urgh, no...

tried to read it :(

> thanks,
> maria
>
> -------- Original Message --------
> Subject: Delivery Status Notification (Delay)
> Date: Sun, 09 Dec 2007 00:05:46 -0800 (PST)
> From: Mail Delivery Subsystem <mailer-daemon at googlemail.com>
>   
This is one of the things that bugs me. Why should googlemail even 
accept to do anything with this?
I would expect googlemail to refuse to do any relay?

In the below, it's clear the envelope address and from are different than 
the message To and From.
Part of the problem is that the envelope addresses are not noted in the 
trace messages.

> To: sysadmin at shadlen.org
>
> This is an automatically generated Delivery Status Notification
>
> THIS IS A WARNING MESSAGE ONLY.
>
> YOU DO NOT NEED TO RESEND YOUR MESSAGE.
>
> Delivery to the following recipient has been delayed:
>
>       sysadmin at mail.socialchange.net.au
>
> Message will be retried for 1 more day(s)
>
> Technical details of temporary failure:
> TEMP_FAILURE: Could not initiate SMTP conversation with any hosts:
> [mail.socialchange.net.au. (10): Connection timed out]
>
>     ----- Message header follows -----
>
> Received: by 10.65.139.9 with SMTP id r9mr5603819qbn.1196999494018;
>          Thu, 06 Dec 2007 19:51:34 -0800 (PST)
> Received: by 10.65.139.9 with SMTP id r9mr5603800qbn.1196999493526;
>          Thu, 06 Dec 2007 19:51:33 -0800 (PST)
> Return-Path: <sysadmin at shadlen.org>
>   

This is taken from the envelope address, so the envelope From is 
sysadmin at shadlen.org

> Received: from ain-soph ([200.164.174.210])
>          by mx.google.com with SMTP id a5si151635qbd.2007.12.06.19.51.25;
>          Thu, 06 Dec 2007 19:51:33 -0800 (PST)
>   
It's coming from a net-brazil IP address (200.164.174.210)

> Received-SPF: neutral (google.com: 200.164.174.210 is neither permitted 
> nor denied by best guess record for domain of sysadmin at shadlen.org) 
> client-ip=200.164.174.210;
> Authentication-Results: mx.google.com; spf=neutral (google.com: 
> 200.164.174.210 is neither permitted nor denied by best guess record for 
> domain of sysadmin at shadlen.org) smtp.mail=sysadmin at shadlen.org
> Date: Thu, 06 Dec 2007 19:51:31 -0800 (PST)
> Received: from Elvira Hanna (10.15.14.16) by ain-soph (PowerMTA(TM) 
>   
From non-routable private address into the ain-soph (which has 
200.164.174.210), so most likely from a private network behind that IP 
address

> v3.2r4) id hzto67d81j41 for <sysadmin at socialchange.net.au>; Fri, 7 Dec 
> 2007 01:51:28 -0300
>   
Apparently to sysadmin at socialchange.net.au
> Message-Id: <20071207-25128.9980.qmail at ain-soph>
> To: <sysadmin at socialchange.net.au>
>   
which is also the apparent destination
> Subject: Doctor Rodrick
> From: Katy at Viagra.com <sysadmin at socialchange.net.au>
>   
This is bogus. It's the message From, not the envelope From and shows 
clearly it's spam.
> MIME-Version: 1.0
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: 8bit
>
>     ----- Message body suppressed -----
>   


So none of the From addresses have anything to do with the machine/spam 
user that actually sent it :(
The thing that bugs me is why googlemail is willing to even touch it.

Hopefully some more knowledgeable person will chime in and improve on me :)

Cheers,

Rudy
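
Added example, not part of the original message: a small Python triage of a bounced header block that pulls out the envelope sender (Return-Path), the message From/To, the connecting IP and any private-address hops, which are the fields the reply above walks through by hand. The sample headers are constructed from the ones quoted in the thread, with stand-in mailbox names and example.* domains; `triage`, `angle_addr` and the result keys are names chosen here.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the header block quoted in the bounce above.
# Mailbox names and example.* domains are stand-ins; both IPs are from the thread.
SAMPLE = """\
Return-Path: <sysadmin@example.org>
Received: from ain-soph ([200.164.174.210])
 by mx.example.com with SMTP id a5si151635qbd;
 Thu, 06 Dec 2007 19:51:33 -0800 (PST)
Received-SPF: neutral (example.com: 200.164.174.210 is neither permitted
 nor denied) client-ip=200.164.174.210;
Received: from Elvira Hanna (10.15.14.16) by ain-soph (PowerMTA(TM)
 v3.2r4) id hzto67d81j41 for <sysadmin@example.net>;
 Fri, 7 Dec 2007 01:51:28 -0300
To: <sysadmin@example.net>
Subject: Doctor Rodrick
From: Katy@Viagra.com <sysadmin@example.net>

"""

ANGLE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")
HOP_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def angle_addr(value):
    """Return the lower-cased address inside <...>, or '' if absent."""
    m = ANGLE.search(value or "")
    return m.group(1).lower() if m else ""

def triage(raw):
    """Summarise who the headers claim sent the mail versus who connected."""
    msg = message_from_string(raw)
    hops = [ip for r in msg.get_all("Received", []) for ip in HOP_IP.findall(r)]
    private = [ip for ip in hops if ipaddress.ip_address(ip).is_private]
    public = [ip for ip in hops if ip not in private]
    env, frm, to = (angle_addr(msg[h]) for h in ("Return-Path", "From", "To"))
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    return {
        "envelope_from": env, "header_from": frm,
        # Received lines are prepended, so the first public hop read top-down
        # is the host the receiving MX actually accepted the connection from.
        "connecting_ip": public[0] if public else None,
        "private_hops": private,
        "spf": spf,
        "from_mismatch": env.rsplit("@", 1)[-1] != frm.rsplit("@", 1)[-1],
        "from_equals_to": bool(frm) and frm == to,
        # The bounce goes to the envelope sender, which SPF did not confirm.
        "sender_unverified": spf != "pass",
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
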

