GroupWise 7 server flooded with outgoing undeliverable messages.

reicherb

Platinum Member
Nov 22, 2000
I'm having a problem with my mail server not being able to keep up with the volume of outgoing mail. I believe it's because the system is trying to send undeliverable messages to mail sent to an invalid address.

I'm running a small GroupWise 7.0 server, and as far as I can tell the default is not to send these messages.

Here is one of the messages in the outbound queue. Does that look like a message being sent to service@bankofamerica.com because my server thinks that that address tried to send to bmanning01@snet.net? Can anyone help me stop this?


bankofamerica.com
EHLO server1.mydomain.com
MAIL FROM:<>
RCPT TO:<service@bankofamerica.com>
DATA
Received: from gwdomain-MTA by server1.mydomain.com
with Novell_GroupWise; Sat, 20 Jan 2007 09:32:20 -0500
Message-Id: <s5b1e1a4.051@server1.mydomain.com>
X-Mailer: Novell GroupWise Internet Agent 7.0
Date: Sat, 20 Jan 2007 09:32:20 -0500
From: Mailer-Daemon@server1.mydomain.com
To: service@bankofamerica.com
Subject: Message status - undeliverable
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=__Part5C78A6E4.0__="

This is a MIME message. If you are reading this text, you may want to
consider changing to a mail reader or gateway that understands how to
properly handle MIME multipart messages.

--=__Part5C78A6E4.0__=
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

The message that you sent was undeliverable to the following:

bmanning01@snet.net (553 5.3.0 <bmanning01@snet.net>... Addressee unknown, relay=[XXX.XXX.XXX.XXX])

Possibly truncated original message follows:
--=__Part5C78A6E4.0__=
Content-Type: text/plain
Content-Transfer-Encoding: 8bit

Received: from User (adsl-074-238-016-147.sip.mia.bellsouth.net [74.238.16.147])
by server1.mydomain.com with ESMTP; Thu, 18 Jan 2007 15:41:56 -0500
Reply-To: <no.reply@bankofamerica.com>
From: "Bank of America"<service@bankofamerica.com>
Subject: BankOfAmerica Account Security Measures Notification [TUESDAY, January 18, 2007 02:45:10 DST -0400 UTC]
Date: Thu, 18 Jan 2007 15:40:23 -0500
MIME-Version: 1.0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Bank of AmericaManhattan Bank</title>
</head>

<body>

<div style="width: 600px; margin: 0 auto 0 auto; border: 1px dashed black; padding: 20px 15px 1px 15px; font-size: 12px">
<img src="http://www.bankofamerica.com/global/mvc_objects/images/mhd_reg_logo.gif" width="250" height="69" />
<p style="font-weight: bold; color: #072510; font-family: arial;" >Dear Customer,</p>
<p style="font-weight: bold; color: #072510; font-family: arial;" align="justify">As the Internet and information technology enable us to expand our services, we are committed to maintaining the trust customers have placed in us for protecting the privacy and security of information we have about you. In order to protect your information against unauthorized access, identity theft and account fraud we earnestly ask you to update your profile.</p>
<p style="font-weight: bold; color: #072510; font-family: arial;" align="justify">Currently we are trying to upgrade our on-line security measures. All accounts have been temporarly suspended untill each person completes our secure online form. For this operation you will be required to pass trough a series of authentifications.</p>

--=__Part5C78A6E4.0__=--
.
QUIT
 

InlineFive

Diamond Member
Sep 20, 2003
Sounds like one of your computers has become part of a botnet. Is there anything in the logs to help you find out which one it is?
 

jlazzaro

Golden Member
May 6, 2004
Source IP address, MAC, hostname, network, anything that would help to find out where it's coming from.

Does this look familiar at all?

Received: from User (adsl-074-238-016-147.sip.mia.bellsouth.net [74.238.16.147])
 

reicherb

Platinum Member
Nov 22, 2000
This is what I'm looking for right?
Received: from User (adsl-074-238-016-147.sip.mia.bellsouth.net [74.238.16.147])

That's not on my network.
 

jlazzaro

Golden Member
May 6, 2004
OrgName: BellSouth.net Inc.
OrgID: BELL
Address: 575 Morosgo Drive
City: Atlanta
StateProv: GA
PostalCode: 30324
Country: US

ReferralServer: rwhois://rwhois.eng.bellsouth.net:4321

NetRange: 74.224.0.0 - 74.255.255.255
CIDR: 74.224.0.0/11
NetName: BELLSNET-BLK18
NetHandle: NET-74-224-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
NameServer: NS.BELLSOUTH.NET
NameServer: NS.ATL.BELLSOUTH.NET
NameServer: NS.MIA.BELLSOUTH.NET
NameServer: NS.RDU.BELLSOUTH.NET
Comment:
Comment: For Abuse Issues, email abuse@bellsouth.net. NO ATTACHMENTS. Include IP
Comment: address, time/date, message header, and attack logs.
Comment: For Subpoena Request, email ipoperations@bellsouth.net with "SUBPOENA" in
Comment: the subject line. Law Enforcement Agencies ONLY, please.
RegDate: 2006-01-17
Updated: 2006-03-15

RAbuseHandle: ABUSE81-ARIN
RAbuseName: Abuse Group
RAbusePhone: +1-404-499-5224
RAbuseEmail: abuse@bellsouth.net

RTechHandle: JG726-ARIN
RTechName: Geurin, Joe
RTechPhone: +1-404-499-5240
RTechEmail: ipoperations@bellsouth.net

OrgAbuseHandle: ABUSE81-ARIN
OrgAbuseName: Abuse Group
OrgAbusePhone: +1-404-499-5224
OrgAbuseEmail: abuse@bellsouth.net

OrgTechHandle: JG726-ARIN
OrgTechName: Geurin, Joe
OrgTechPhone: +1-404-499-5240
OrgTechEmail: ipoperations@bellsouth.net

# ARIN WHOIS database, last updated 2007-01-19 19:10


Block it on your end or contact their abuse dept.
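An added triage helper, not from the thread or from Novell: it reads a queued GroupWise SMTP transaction like the one in the first post, treats an empty MAIL FROM as a bounce, pulls the originating IP out of the embedded message's Received header, and reports whether that host sits inside your own ranges, which is the check jlazzaro walked through by hand with the WHOIS lookup. The 192.168.0.0/16 local range and the trimmed sample queue file are assumptions.

```python
import ipaddress
import re

# Constructed sample: the queued NDR quoted in the thread, trimmed to
# the envelope and the headers this check reads.
QUEUE_FILE = """\
EHLO server1.mydomain.com
MAIL FROM:<>
RCPT TO:<service@bankofamerica.com>
DATA
Received: from gwdomain-MTA by server1.mydomain.com
Subject: Message status - undeliverable

The message that you sent was undeliverable to the following:
bmanning01@snet.net (553 5.3.0 <bmanning01@snet.net>... Addressee unknown)

Possibly truncated original message follows:
Received: from User (adsl-074-238-016-147.sip.mia.bellsouth.net [74.238.16.147])
by server1.mydomain.com with ESMTP; Thu, 18 Jan 2007 15:41:56 -0500
From: "Bank of America"<service@bankofamerica.com>
.
QUIT
"""

# Assumed internal address space; replace with the real LAN ranges.
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]

ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO):<([^>]*)>", re.M)
# Bracketed IP in a "Received: from host (name [ip])" trace header.
RECEIVED_IP_RE = re.compile(
    r"^Received: from \S+ \([^)]*\[(\d{1,3}(?:\.\d{1,3}){3})\]\)", re.M)


def triage(queue_text, local_nets=LOCAL_NETS):
    """Classify one queued transaction; returns a dict of findings."""
    env = dict(ENVELOPE_RE.findall(queue_text))
    is_ndr = env.get("MAIL FROM") == ""  # null sender = bounce message
    origins = RECEIVED_IP_RE.findall(queue_text)
    external = [ip for ip in origins
                if not any(ipaddress.ip_address(ip) in n for n in local_nets)]
    if is_ndr and external:
        verdict = "backscatter-from-external-host"  # outside host relayed
    elif is_ndr:
        verdict = "ndr-for-internal-sender"
    else:
        verdict = "not-a-bounce"
    return {"is_ndr": is_ndr, "bounce_to": env.get("RCPT TO"),
            "origin_ips": origins, "external_origins": external,
            "verdict": verdict}
```

Run it over every file in the outbound queue directory; a pile of "backscatter-from-external-host" verdicts with the same origin IP points at the host to block at the GWIA or the firewall.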