Testing "Rejecting spam mail"

1. Without modifying the source of qmail.c

I've sent a spam message from remote_server (1.1.1.1) running qmail to my_server (2.2.2.2) running qmail with qmail-scanner-1.20st. This is what I see in the logs:

  [root@remote_server root]# /var/qmail/bin/qmail-inject -ftoribio@tin.it tori@myserver.it < mess2

  [root@remote_server root]# tail -f /var/log/qmail/current
  2003-12-07 16:37:12 new msg 81932
  2003-12-07 16:37:12 info msg 81932: bytes 2811 from <toribio@tin.it> qp 27067 uid 0
  2003-12-07 16:37:12 starting delivery 6425: msg 81932 to remote tori@myserver.it
  2003-12-07 16:37:12 status: local 0/10 remote 1/20
  2003-12-07 16:37:13 delivery 6425: failure: 2.2.2.2_failed_after_I_sent_the_message./
                      Remote_host_said:_554_mail_server_permanently_rejected_message_(#5.3.0)/
  2003-12-07 16:37:13 status: local 0/10 remote 0/20
  2003-12-07 16:37:13 bounce msg 81932 qp 27069
  2003-12-07 16:37:13 end msg 81932
  
  2003-12-07 16:37:13 new msg 81934
  2003-12-07 16:37:13 info msg 81934: bytes 3400 from <> qp 27069 uid 85
  2003-12-07 16:37:13 starting delivery 6426: msg 81934 to remote toribio@tin.it
  2003-12-07 16:37:13 status: local 0/10 remote 1/20
  2003-12-07 16:37:13 delivery 6426: success: 62.211.72.32_accepted_message./
                      Remote_host_said:_250_<3FD30FD100073E63>_Mail_accepted/
  2003-12-07 16:37:13 status: local 0/10 remote 0/20
  2003-12-07 16:37:13 end msg 81934
  
  ...............
  
  [root@my_server root]# tail -f /var/log/qmail/smtpd/current
  2003-12-07 16:37:12 tcpserver: status: 1/10
  2003-12-07 16:37:12 tcpserver: pid 31143 from 1.1.1.1
  2003-12-07 16:37:13 tcpserver: ok 31143 0:2.2.2.2:25 remote_server.it:1.1.1.1::37797
  2003-12-07 16:37:13 X-Antivirus-PUSC-1.20: We have reasons to believe this mail is SPAM
  2003-12-07 16:37:13 tcpserver: end 31143 status 0
  2003-12-07 16:37:13 tcpserver: status: 0/10
  ...............
  
  [root@myserver root]# tail -f /var/spool/qmailscan/qmail-queue.log
  07/12/2003 16:37:13:31144: +++ starting debugging for process 31144 by uid=81
  07/12/2003 16:37:13:31144: w_c: elapsed time from start 0.005233 secs
  07/12/2003 16:37:13:31144: return-path='toribio@tin.it', recips='tori@myserver.it'
  07/12/2003 16:37:13:31144: from='"Ollie Hammer" <312olprcx@qwest.com>', 
                             subj='Re:Secrets Of Real Estate Investing pxqicbyu mf', via SMTP from 1.1.1.1
  07/12/2003 16:37:13:31144: p_s:  finished scan in 0.006952 secs
  07/12/2003 16:37:13:31144: sophie: finished scan in 0.026474 secs
  07/12/2003 16:37:13:31144: SA: yup, this smells like SPAM - rejecting message...
  07/12/2003 16:37:13:31144: r_e: X-Antivirus-PUSC-1.20: We have reasons to believe this mail is SPAM
  07/12/2003 16:37:13:31144: ------ all finished. Total of 0.280166 secs
  

The remote user (if he is real) will receive this bounce:

  Date: 7 Dec 2003 15:37:13 -0000
  From: MAILER-DAEMON@remote_server.it
  To: toribio@tin.it
  Subject: failure notice

  Hi. This is the qmail-send program at remote_server.it.
  I'm afraid I wasn't able to deliver your message to the following addresses.
  This is a permanent error; I've given up. Sorry it didn't work out.

  <tori@myserver.it>:
  2.2.2.2 failed after I sent the message.
  Remote host said: 554 mail server permanently rejected message (#5.3.0)
  (...... skip......)
  

 

2. After modifying the source of qmail.c

  [root@remote_server root]# /var/qmail/bin/qmail-inject -ftoribio@tin.it tori@myserver.it < mess2

  [root@remote_server root]# tail -f /var/log/qmail/current
  2003-12-07 17:42:11 new msg 81932
  2003-12-07 17:42:11 info msg 81932: bytes 2811 from <toribio@tin.it> qp 27337 uid 0
  2003-12-07 17:42:11 starting delivery 16: msg 81932 to remote tori@myserver.it
  2003-12-07 17:42:11 status: local 0/10 remote 1/20
  2003-12-07 17:42:12 delivery 16: failure: 2.2.2.2_failed_after_I_sent_the_message./
                      Remote_host_said:_554_We_have_reasons_to_believe_this_mail_is_SPAM_(#5.7.1)/
  2003-12-07 17:42:12 status: local 0/10 remote 0/20
  2003-12-07 17:42:12 bounce msg 81932 qp 27339
  2003-12-07 17:42:12 end msg 81932

  2003-12-07 17:42:12 new msg 81934
  2003-12-07 17:42:12 info msg 81934: bytes 3404 from <> qp 27339 uid 85
  2003-12-07 17:42:12 starting delivery 17: msg 81934 to remote toribio@tin.it
  2003-12-07 17:42:12 status: local 0/10 remote 1/20
  2003-12-07 17:42:13 delivery 17: success: 62.211.72.32_accepted_message./
                      Remote_host_said:_250_<3FD0DD3E005B3510>_Mail_accepted/
  2003-12-07 17:42:13 status: local 0/10 remote 0/20
  2003-12-07 17:42:13 end msg 81934
  
  ...............
  
  [root@my_server root]# tail -f /var/log/qmail/smtpd/current
  2003-12-07 17:42:12.477504500 tcpserver: status: 1/10
  2003-12-07 17:42:12.477632500 tcpserver: pid 1005 from 1.1.1.1
  2003-12-07 17:42:12.479646500 tcpserver: ok 1005 0:2.2.2.2:25 remote_server.it:1.1.1.1::51193
  2003-12-07 17:42:13.540254500 X-Antivirus-PUSC-1.20: We have reasons to believe this mail is SPAM
  2003-12-07 17:42:13.595452500 tcpserver: end 1005 status 0
  2003-12-07 17:42:13.595458500 tcpserver: status: 0/10
  ...............
  
  [root@myserver root]# tail -f /var/spool/qmailscan/qmail-queue.log
  07/12/2003 17:42:13:1006: +++ starting debugging for process 1006 by uid=81
  07/12/2003 17:42:13:1006: w_c: elapsed time from start 0.005277 secs
  07/12/2003 17:42:13:1006: return-path='toribio@tin.it', recips='tori@myserver.it'
  07/12/2003 17:42:13:1006: from='"Ollie Hammer" <312olprcx@qwest.com>',
                            subj='Re:Secrets Of Real Estate Investing pxqicbyu mf', via SMTP from 1.1.1.1
  07/12/2003 17:42:13:1006: p_s:  finished scan in 0.006884 secs
  07/12/2003 17:42:13:1006: sophie: finished scan in 0.026429 secs
  07/12/2003 17:42:13:1006: SA: yup, this smells like SPAM - hits=9.3 - rejecting message...
  07/12/2003 17:42:13:1006: r_e: X-Antivirus-PUSC-1.20: We have reasons to believe this mail is SPAM
  07/12/2003 17:42:13:1006: ------ all finished. Total of 0.284837 secs
  

The remote user (if he is real) will receive this bounce:

  Date: 7 Dec 2003 16:42:12 -0000
  From: MAILER-DAEMON@remote_server.it
  To: toribio@tin.it
  Subject: failure notice

  Hi. This is the qmail-send program at remote_server.it.
  I'm afraid I wasn't able to deliver your message to the following addresses.
  This is a permanent error; I've given up. Sorry it didn't work out.

  <tori@myserver.it>:
  2.2.2.2 failed after I sent the message.
  Remote host said: 554 We have reasons to believe this mail is SPAM (#5.7.1)
  (...... skip......)
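
To compare the two runs from the sending side, the following added example (not part of the original page or of qmail) pulls the remote SMTP reply out of qmail-send failure lines, undoing qmail-send's logging of spaces as "_" and line breaks as "/". The sample lines are the failure and success lines shown above, rejoined onto one line each; the function names are hypothetical.

```python
import re

# Constructed sample: result lines from the logs above, joined onto one line
# each (the page wraps them after the first "/").
SAMPLE_LOG = """\
2003-12-07 16:37:12 starting delivery 6425: msg 81932 to remote tori@myserver.it
2003-12-07 16:37:13 delivery 6425: failure: 2.2.2.2_failed_after_I_sent_the_message./Remote_host_said:_554_mail_server_permanently_rejected_message_(#5.3.0)/
2003-12-07 17:42:11 starting delivery 16: msg 81932 to remote tori@myserver.it
2003-12-07 17:42:12 delivery 16: failure: 2.2.2.2_failed_after_I_sent_the_message./Remote_host_said:_554_We_have_reasons_to_believe_this_mail_is_SPAM_(#5.7.1)/
2003-12-07 17:42:13 delivery 17: success: 62.211.72.32_accepted_message./Remote_host_said:_250_<3FD0DD3E005B3510>_Mail_accepted/
"""

START = re.compile(r"starting delivery (\d+): msg \d+ to remote (\S+)")
RESULT = re.compile(r"delivery (\d+): (failure|deferral): (.*)$")
# SMTP code, reply text, and the optional "(#x.y.z)" enhanced status at the end.
REMOTE = re.compile(r"Remote host said: (\d{3})[ -](.*?)(?: \(#(\d\.\d+\.\d+)\))?$")


def decode(field):
    """Split a logged result on '/' and turn '_' back into spaces.

    The encoding is lossy: a literal '_' or '/' in the remote reply cannot be
    told apart from an encoded space or line break.
    """
    return [part.replace("_", " ") for part in field.split("/") if part]


def remote_rejections(log_text):
    """Return one dict per failed or deferred remote delivery that quotes a reply."""
    recipients, found = {}, []
    for line in log_text.splitlines():
        m = START.search(line)
        if m:
            recipients[m.group(1)] = m.group(2)  # delivery id -> recipient
            continue
        m = RESULT.search(line)
        if not m:
            continue  # success lines and status lines are ignored
        for part in decode(m.group(3)):
            r = REMOTE.match(part)
            if r:
                found.append({"delivery": m.group(1),
                              "recipient": recipients.get(m.group(1)),
                              "smtp": r.group(1), "text": r.group(2),
                              "enhanced": r.group(3)})
    return found
```
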
  

This is a very nice bounce message from SIMS (a good old mail server for Macintosh):

  Subject: Undeliverable mail: Re:Secrets Of Real Estate Inves
  From: MAILER-DAEMON@remote_server2.it
  To: 312olprcx@qwest.com
  Date: Mon, 08 Dec 2003 17:48:51 +0100
  Message-Id: <AUTOS.0000066148-66149@remote_server2.it>
  X-Mailer: Stalker Internet Mail Server 1.8b8js
  MIME-Version: 1.0
  Content-Type: multipart/report; report-type=delivery-status;
   boundary="_=receipt=_=66149=_"

  --_=receipt=_=66149=_
  Content-Type: text/plain

  Failed to deliver your message to tori@myserver.it:
  SMTP: The letter body is rejected by host
  Host '2.2.2.2' says:
  554 We have reasons to believe this mail is SPAM (#5.7.1)
  (...... skip......)
  

 


NOTE: I've noticed that a qmail server always closes the connection when it receives a 5xx code, but other servers keep the connection open for 10-15 seconds. To avoid this situation, which leaves my servers busy, I wrote a patch for qmail that outputs the 553 code and drops the connection immediately; you can find it here.


Salvatore Toribio

20031218

Updated 20050327