SPAM passing through all filters

Hello,

A few spams get through all filters. When I look at the header I cannot see
which of my aliases it is sent to. As far as I can see, it is not sent to
anyone at all.

Below is the header (xxx is used to mask internal information):

Return-Path: <debra9terry [at] hotmail.com>
Received: from maler.dahl-stamnes.net (maler.dahl-stamnes.net
[xxx.xxx.xxx.xxx])
by xxx.dahl-stamnes.net (8.13.4/8.13.4) with ESMTP id l8DJnxfQ025420
for <xxx [at] xxx.dahl-stamnes.net>; Thu, 13 Sep 2007 21:49:59 +0200
Received: from 80.203.206.38 ([60.53.116.124])
by mailer.dahl-stamnes.net (8.13.1/8.13.1) with SMTP id l8DJnpn5006990;
Thu, 13 Sep 2007 21:49:55 +0200
X-Originating-IP: 52.152.210.248 by smtp.60.53.116.124; Thu, 13 Sep 2007
15:50:

Normally the last "Received" contains a "for <alias [at] host.domain>" but this
does not.

Any tip on how to stop this?

--
Jørn Dahl-Stamnes
http://www.dahl-stamnes.net/dahls/
newsmanDELETE [ Thu, 13 September 2007 22:46 ] [ ID #1819922 ]

Re: SPAM passing through all filters

On Thu, 13 Sep 2007, Jørn Dahl-Stamnes wrote:

> Return-Path: <debra9terry [at] hotmail.com>
> Received: from maler.dahl-stamnes.net (maler.dahl-stamnes.net
> [xxx.xxx.xxx.xxx])
> by xxx.dahl-stamnes.net (8.13.4/8.13.4) with ESMTP id l8DJnxfQ025420
> for <xxx [at] xxx.dahl-stamnes.net>; Thu, 13 Sep 2007 21:49:59 +0200

----->^^^^^^^^^^^^^^^^^^^^^^^^^

You answered your own question


--

Cheers
Res

Res [ Thu, 13 September 2007 23:43 ] [ ID #1819924 ]

Re: SPAM passing through all filters

Jørn Dahl-Stamnes wrote:
> Hello,
>
> A few spams get through all filters. When I look at the header I cannot see
> which of my aliases it is sent to. As far as I can see, it is not sent to
> anyone at all.
>
> Below is the header (xxx is used to mask internal information):
>
> Return-Path: <debra9terry [at] hotmail.com>
> Received: from maler.dahl-stamnes.net (maler.dahl-stamnes.net
> [xxx.xxx.xxx.xxx])
> by xxx.dahl-stamnes.net (8.13.4/8.13.4) with ESMTP id l8DJnxfQ025420
> for <xxx [at] xxx.dahl-stamnes.net>; Thu, 13 Sep 2007 21:49:59 +0200
> Received: from 80.203.206.38 ([60.53.116.124])
> by mailer.dahl-stamnes.net (8.13.1/8.13.1) with SMTP id l8DJnpn5006990;
> Thu, 13 Sep 2007 21:49:55 +0200
> X-Originating-IP: 52.152.210.248 by smtp.60.53.116.124; Thu, 13 Sep 2007
> 15:50:
>
> Normally the last "Received" contains a "for <alias [at] host.domain>" but this
> does not.

It will only contain the "for <alias [at] host.domain>" part if the message
was addressed to only one recipient at mailer.dahl-stamnes.net.
The mail log file on mailer.dahl-stamnes.net will show all recipients
though.

Regards,

Kees.

--
Kees Theunissen.
Kees Theunissen [ Fri, 14 September 2007 08:41 ] [ ID #1820972 ]

Re: SPAM passing through all filters

In article <46ea2d3b$0$240$e4fe514c [at] news.xs4all.nl> Kees Theunissen
<theuniss [at] rijnh.nl> writes:
>Jørn Dahl-Stamnes wrote:
>> Hello,
>>
>> A few spams get through all filters. When I look at the header I cannot see
>> which of my aliases it is sent to. As far as I can see, it is not sent to
>> anyone at all.
>>
>> Below is the header (xxx is used to mask internal information):
>>
>> Return-Path: <debra9terry [at] hotmail.com>
>> Received: from maler.dahl-stamnes.net (maler.dahl-stamnes.net
>> [xxx.xxx.xxx.xxx])
>> by xxx.dahl-stamnes.net (8.13.4/8.13.4) with ESMTP id l8DJnxfQ025420
>> for <xxx [at] xxx.dahl-stamnes.net>; Thu, 13 Sep 2007 21:49:59 +0200
>> Received: from 80.203.206.38 ([60.53.116.124])
>> by mailer.dahl-stamnes.net (8.13.1/8.13.1) with SMTP id l8DJnpn5006990;
>> Thu, 13 Sep 2007 21:49:55 +0200
>> X-Originating-IP: 52.152.210.248 by smtp.60.53.116.124; Thu, 13 Sep 2007
>> 15:50:
>>
>> Normally the last "Received" contains a "for <alias [at] host.domain>" but this
>> does not.
>
>It will only contain the "for <alias [at] host.domain>" part if the message
>was addressed to only one recipient at mailer.dahl-stamnes.net.
>The mail log file on mailer.dahl-stamnes.net will show all recipients
>though.

....but only after aliasing, unfortunately (I'm assuming that that's
where aliasing happens, otherwise the "for" clause on the first
Received: header would have the answer). For a one-shot check on a not
overly busy server, it might be OK to crank up LogLevel so it shows the
SMTP dialogue.

--Per Hedeland
per [at] hedeland.org
per [ Fri, 14 September 2007 09:01 ] [ ID #1820974 ]

Re: SPAM passing through all filters

Res wrote:

> On Thu, 13 Sep 2007, Jørn Dahl-Stamnes wrote:
>
>> Return-Path: <debra9terry [at] hotmail.com>
>> Received: from maler.dahl-stamnes.net (maler.dahl-stamnes.net
>> [xxx.xxx.xxx.xxx])
>> by xxx.dahl-stamnes.net (8.13.4/8.13.4) with ESMTP id l8DJnxfQ025420
>> for <xxx [at] xxx.dahl-stamnes.net>; Thu, 13 Sep 2007 21:49:59 +0200
>
> ----->^^^^^^^^^^^^^^^^^^^^^^^^^
>
> You answered your own question

No, this is added by *my machine* before it is sent to my workstation.

--
Jørn Dahl-Stamnes
http://www.dahl-stamnes.net/dahls/
newsmanDELETE [ Fri, 14 September 2007 09:28 ] [ ID #1820977 ]

Re: SPAM passing through all filters

Jørn Dahl-Stamnes wrote:

> Hello,
>
> A few spams get through all filters. When I look at the header I cannot
> see which of my aliases it is sent to. As far as I can see, it is not sent
> to anyone at all.
>
> Below is the header (xxx is used to mask internal information):
>
> Return-Path: <debra9terry [at] hotmail.com>
> Received: from maler.dahl-stamnes.net (maler.dahl-stamnes.net
> [xxx.xxx.xxx.xxx])
> by xxx.dahl-stamnes.net (8.13.4/8.13.4) with ESMTP id
> l8DJnxfQ025420 for <xxx [at] xxx.dahl-stamnes.net>; Thu, 13 Sep 2007
> 21:49:59 +0200
> Received: from 80.203.206.38 ([60.53.116.124])
> by mailer.dahl-stamnes.net (8.13.1/8.13.1) with SMTP id
> l8DJnpn5006990; Thu, 13 Sep 2007 21:49:55 +0200
> X-Originating-IP: 52.152.210.248 by smtp.60.53.116.124; Thu, 13 Sep 2007
> 15:50:
>
> Normally the last "Received" contains a "for <alias [at] host.domain>" but this
> does not.
>
> Any tip on how to stop this?
>

To explain how I get my mail:

The MX record for dahl-stamnes.net is pointing to mailer.dahl-stamnes.net,
which happens to be my firewall. It contains a rule that redirects the SMTP
traffic to the mailer.

The mailer contains a set of rules (in the access database) and a set of
aliases (aliases file). I use several aliases and all are redirected to my
workstation (both machines are Linux machines).

The first Received: line in the header tells me that the mail has been
delivered from mailer.dahl-stamnes.net to my workstation (here called
host.dahl-stamnes.net):

|Return-Path: <debra9terry [at] hotmail.com>
|Received: from mailer.dahl-stamnes.net (mailer.dahl-stamnes.net
|[xxx.xxx.xxx.xxx])
| by host.dahl-stamnes.net (8.13.4/8.13.4) with ESMTP id l8DJnxfQ025420
| for <username [at] host.dahl-stamnes.net>; Thu, 13 Sep 2007 21:49:59 +0200

The second Received: line is the one I don't understand:

|Received: from 80.203.206.38 ([60.53.116.124])
| by mailer.dahl-stamnes.net (8.13.1/8.13.1) with SMTP id l8DJnpn5006990;
| Thu, 13 Sep 2007 21:49:55 +0200

It does not contain any for... It should contain some more reasonable
content, like this one:

|Received: from mail.slb.com (eurmta02.london.eur.slb.com [136.250.0.20])
by mailer.dahl-stamnes.net (8.13.1/8.13.1) with ESMTP id l8E7oq3A011182
for <some.alias [at] dahl-stamnes.net>; Fri, 14 Sep 2007 09:50:52 +0200

I miss the "for <some.alias [at] dahl-stamnes.net>" in the header
--
Jørn Dahl-Stamnes
http://www.dahl-stamnes.net/dahls/
newsmanDELETE [ Fri, 14 September 2007 10:05 ] [ ID #1820978 ]

SPAM passing through all filters

> The second Received: line is the one I don't understand:
>
> |Received: from 80.203.206.38 ([60.53.116.124])
> | by mailer.dahl-stamnes.net (8.13.1/8.13.1) with SMTP id l8DJnpn5006990;
> | Thu, 13 Sep 2007 21:49:55 +0200
>

That is actually the first Received header.

Host 60.53.116.124 connected. It has no PTR record, so there is no
name inside the ( ). When it started SMTP, it said "HELO
80.203.206.38" which is broken since that is not its name.

Since there is no "for", there must have been at least 2 recipients.
To see them, look for the syslog records containing the queue id,
l8DJnpn5006990.

Probably spam sent to many recipients [at] your domain, and they got
lucky, one was valid.

Joseph Brennan
Joseph Brennan [ Fri, 14 September 2007 20:52 ] [ ID #1820982 ]
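As an added example (not from the thread), a small Python check of the points Joseph makes, run over the two Received lines quoted in this thread; the sample strings are constructed copies with the "[at]" masking undone.

```python
import re

# Constructed copies of the two Received lines quoted in the thread, with
# the "[at]" obfuscation undone (sample input, not pulled from a live mailbox).
SPAM_RECEIVED = """Received: from 80.203.206.38 ([60.53.116.124])
        by mailer.dahl-stamnes.net (8.13.1/8.13.1) with SMTP id l8DJnpn5006990;
        Thu, 13 Sep 2007 21:49:55 +0200"""
CLEAN_RECEIVED = """Received: from mail.slb.com (eurmta02.london.eur.slb.com [136.250.0.20])
        by mailer.dahl-stamnes.net (8.13.1/8.13.1) with ESMTP id l8E7oq3A011182
        for <some.alias@dahl-stamnes.net>; Fri, 14 Sep 2007 09:50:52 +0200"""

# Shape of a sendmail Received line:
#   from HELO (ptr [ip]) by HOST (version) with PROTO id QID [for <rcpt>];
RECEIVED_RE = re.compile(
    r"^Received: from (?P<helo>\S+)"
    r"(?: \((?:(?P<ptr>[^\s\[\]]+) )?\[(?P<ip>[0-9.]+)\]\))?"
    r" by (?P<by>\S+) \([^)]*\) with (?P<proto>E?SMTP) id (?P<qid>\S+)"
    r"(?: for <(?P<rcpt>[^>]+)>)?;"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def unfold(header):
    """Join RFC 5322 folded continuation lines and collapse whitespace."""
    return re.sub(r"\s+", " ", header.strip())


def analyse_received(header):
    """Parse one sendmail Received line and list what a triager should note."""
    m = RECEIVED_RE.match(unfold(header))
    if m is None:
        raise ValueError("not a sendmail-style Received header")
    d = m.groupdict()
    findings = []
    if d["rcpt"] is None:
        # sendmail only writes "for <...>" when there was exactly one envelope
        # recipient, so its absence means the log for this queue id must be read.
        findings.append("no 'for' clause: more than one recipient; check log for " + d["qid"])
    if d["ip"] is not None and d["ptr"] is None:
        findings.append("connecting host %s has no PTR record" % d["ip"])
    if IPV4_RE.match(d["helo"]) and d["helo"] != d["ip"]:
        findings.append("HELO name %s is an IP literal that is not the connecting IP" % d["helo"])
    d["findings"] = findings
    return d
```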

Re: SPAM passing through all filters

Joe Brennan wrote:

>> The second Received: line is the one I don't understand:
>>
>> |Received: from 80.203.206.38 ([60.53.116.124])
>> | by mailer.dahl-stamnes.net (8.13.1/8.13.1) with SMTP id
>> | l8DJnpn5006990; Thu, 13 Sep 2007 21:49:55 +0200
>>
>
> That is actually the first Received header.
>
> Host 60.53.116.124 connected. It has no PTR record, so there is no
> name inside the ( ). When it started SMTP, it said "HELO
> 80.203.206.38" which is broken since that is not its name.
>
> Since there is no "for", there must have been at least 2 recipients.
> To see them, look for the syslog records containing the queue id,
> l8DJnpn5006990.
>
> Probably spam sent to many recipients [at] your domain, and they got
> lucky, one was valid.

I find five different messages in /var/log/maillog with the queue id
l8DJnpn5006990, three of them say "User unknown", one is the message
saying who the message is from while the fifth is the one that is created
when the message is forwarded to my workstation.

I have checked the three aliases which the spammer has tried to use at my
domain, but none of them exists in the /etc/mail/aliases file.

So I still can't explain why this message is forwarded to my workstation.

--
Jørn Dahl-Stamnes
http://www.dahl-stamnes.net/dahls/
newsmanDELETE [ Sat, 15 September 2007 09:11 ] [ ID #1821412 ]

Re: SPAM passing through all filters

Jørn Dahl-Stamnes wrote:

> I find five different messages in /var/log/maillog with the queue id
> l8DJnpn5006990, three of them say "User unknown", one is the message
> saying who the message is from while the fifth is the one that is created
> when the message is forwarded to my workstation.
>
> I have checked the three aliases which the spammer has tried to use at my
> domain, but none of them exists in the /etc/mail/aliases file.

Yes. That's why the log says "User unknown".

> So I still can't explain why this message is forwarded to my workstation.

The message was sent to two or more valid aliases.
At that moment sendmail has more than one recipient for the message and
won't put the "for ..." part in the received header.

After alias expansion there is only one recipient left (all aliases
the spam was sent to resolve to the same account at your workstation)
and the message is only forwarded once.

You'll get more detailed logging at your front end server if you set
up your aliases to just forward to an alias with the same name at your
workstation:
aliasname1: aliasname1 [at] workstation
aliasname2: aliasname2 [at] workstation
aliasname3: aliasname3 [at] workstation
...
and let sendmail on the workstation resolve those aliases to your
user account. Of course this involves maintaining two different
alias files at two different places.


Regards,

Kees.

--
Kees Theunissen.
Kees Theunissen [ Sat, 15 September 2007 10:36 ] [ ID #1821413 ]
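An added example (not part of the thread) of the log-side check Joseph and Kees describe: grouping sendmail maillog records by queue id to recover what the Received header left out. The log lines are constructed in sendmail's syslog format around the five records Jørn reports; the rejected "guessN" addresses, sizes and the unrelated second queue id are placeholders.

```python
import re
from collections import defaultdict

# Constructed maillog excerpt in sendmail's syslog format, modelled on the five
# records Jørn found for queue id l8DJnpn5006990: three rejected RCPTs, the
# from= record and the to= record for the forward to the workstation. The
# "guessN" recipients and the sixth, unrelated record are placeholders.
SAMPLE_MAILLOG = """\
Sep 13 21:49:55 mailer sendmail[6990]: l8DJnpn5006990: <guess1@dahl-stamnes.net>... User unknown
Sep 13 21:49:55 mailer sendmail[6990]: l8DJnpn5006990: <guess2@dahl-stamnes.net>... User unknown
Sep 13 21:49:55 mailer sendmail[6990]: l8DJnpn5006990: <guess3@dahl-stamnes.net>... User unknown
Sep 13 21:49:55 mailer sendmail[6990]: l8DJnpn5006990: from=<debra9terry@hotmail.com>, size=2140, class=0, nrcpts=2, proto=SMTP, daemon=MTA, relay=[60.53.116.124]
Sep 13 21:49:59 mailer sendmail[6991]: l8DJnpn5006990: to=<username@host.dahl-stamnes.net>, delay=00:00:04, xdelay=00:00:00, mailer=esmtp, pri=32140, relay=host.dahl-stamnes.net., dsn=2.0.0, stat=Sent (l8DJnxfQ025420 Message accepted for delivery)
Sep 13 21:50:01 mailer sendmail[6995]: l8DJo1Ab007001: from=<someone@example.net>, size=900, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.25]
"""

QID_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[0-9A-Za-z]{14}): (?P<rest>.*)$")
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>.*\bnrcpts=(?P<n>\d+)")
TO_RE = re.compile(r"^to=(?P<rcpts>(?:<[^>]*>,?)+).*\bstat=(?P<stat>\w+)(?: \((?P<detail>\S+))?")
UNKNOWN_RE = re.compile(r"^<(?P<rcpt>[^>]+)>\.\.\. User unknown$")


def by_queue_id(log_text):
    """Group the part of each record after the queue id, keyed by queue id."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if m:
            groups[m["qid"]].append(m["rest"])
    return groups


def summarize(log_text, qid):
    """Reconstruct sender, recipient count, rejected and delivered recipients."""
    s = {"qid": qid, "sender": None, "nrcpts": 0, "rejected": [],
         "delivered": [], "next_hop_qid": None}
    for rest in by_queue_id(log_text).get(qid, []):
        if (m := FROM_RE.match(rest)):
            s["sender"], s["nrcpts"] = m["sender"], int(m["n"])  # nrcpts counts accepted RCPTs only
        elif (m := UNKNOWN_RE.match(rest)):
            s["rejected"].append(m["rcpt"])
        elif (m := TO_RE.match(rest)):
            # to= shows the address after alias expansion (Per's caveat), so the
            # two accepted aliases collapse into one delivery to the workstation.
            s["delivered"] += re.findall(r"<([^>]*)>", m["rcpts"])
            if m["stat"] == "Sent" and m["detail"]:
                s["next_hop_qid"] = m["detail"]  # queue id assigned by the next hop
    s["multi_recipient"] = s["nrcpts"] > 1  # explains the missing "for <...>"
    return s
```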

Re: SPAM passing through all filters

Kees Theunissen wrote:

> After alias expansion there is only one recipient left (all aliases
> the spam was sent to resolve to the same account at your workstation)
> and the message is only forwarded once.
>
> You'll get more detailed logging at your front end server if you set
> up your aliases to just forward to an alias with the same name at your
> workstation:
> aliasname1: aliasname1 [at] workstation
> aliasname2: aliasname2 [at] workstation
> aliasname3: aliasname3 [at] workstation
> ...
> and let sendmail on the workstation resolve those aliases to your
> user account. Of course this involves maintaining two different
> alias files at two different places.

Yes, it does double the maintenance work. But I can try this to find out what
is going on. Thanks for the tip.

--
Jørn Dahl-Stamnes
http://www.dahl-stamnes.net/dahls/
newsmanDELETE [ Sat, 15 September 2007 10:49 ] [ ID #1821414 ]
Miscellaneous » comp.mail.sendmail » SPAM passing through all filters
