Bounces to opendmarc@box.mydomain.name

Hi all :slight_smile:

Apologies if this isn’t the best category for my post.

I’ve checked the status page (mostly green, some yellow - DNSSEC and custom DNS), re-ran setup, and I reboot the box regularly.

I’ve been running a MIAB instance on DO for many many years (“work”) and about 6 months ago moved to Hetzner (“personal”).
The work instance used to host my main personal domain too (and a bunch of others). My personal instance hosts additional domains.

Since 13 September 2021 (and never before) I have received 52 “bounce” emails (Undelivered Mail and Delayed Mail) to opendmarc@box.mydomain.name (I’ve changed my domain to mydomain.name for privacy) on my personal MIAB instance. I have never seen this happen on the work instance.

Question: Is this normal? Does it indicate a domain on my box is sending spam? If this is (potentially) malicious, how can I find out more?

Many thanks
tobes :slight_smile:

PS: I’ve decided against posting the full message in case it contains anything malicious.
PPS: Yes I can tell this one says the recipients’ mailbox is full. Others that I have received are “connection timed out” or “554 Email rejected due to security policies” bounces etc.

Return-Path: <>
Delivered-To: myemail@mydomain.name
Received: from box.mydomain.name ([127.0.0.1])
	by box.mydomain.name with LMTP id 2M9DNwb/rWELRwAArhdI8g
	for <myemail@mydomain.name>; Tue, 07 Dec 2021 01:16:06 +1300
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on box.mydomain.name
X-Spam-Level: 
X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H2,SPF_PASS autolearn=ham autolearn_force=no
	version=3.4.2
X-Spam-Report: 
	* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
	*      https://www.dnswl.org/, no trust
	*      [52.100.165.209 listed in list.dnswl.org]
	* -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
	*      [52.100.165.209 listed in wl.mailspike.net]
	* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
	*      [score: 0.0000]
	* -0.1 SPF_PASS SPF check passed
	* -0.1 DMARC_PASS DMARC check passed
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	*      author's domain
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*       valid
X-Spam-Score: -2.2
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12hn2209.outbound.protection.outlook.com [52.100.165.209])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by box.mydomain.name (Postfix) with ESMTPS id 0E859612E0
	for <opendmarc@box.mydomain.name>; Tue,  7 Dec 2021 01:16:06 +1300 (NZDT)
Authentication-Results: box.mydomain.name; dmarc=pass (p=reject dis=none) header.from=msc.com
Authentication-Results: box.mydomain.name; spf=pass smtp.helo=NAM12-BN8-obe.outbound.protection.outlook.com
Authentication-Results: box.mydomain.name;
	dkim=pass (1024-bit key; unprotected) header.d=msc.com header.i=@msc.com header.b="H2Hx2hv1";
	dkim-atps=neutral
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=ZEpDTMLfGozOWa/QpNYo9cTiQJU2494z3twEv4DzuqGsXZHbyc18S85J+aipjMoBx/ZDBkwl5Ur4qcPRKtruVCLtJ6OiZ66LvDjbJTwJJ5JE84aoKZ3ZQMV02uK3T9mKyQH7pXnNyXM7HjZ7y2A/rxvpjqYH07M1/g7meMfHZpZDAp/BH8U6YKASqf0BCzu16Rj1S806yN4LEdQxRglN0m0DWzuF6jkbw6nT1T9on1Q1fxzPcYruAtfyFns4VXvzbLd9kDUfCFEPiHXKneu9MWdjvxdt88Tjv3Zsd1kD78/bBq4oVhoP950aDH1o96e2pP6jt19CzAzyFaV/8wSYjw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=MS89XohlxNUShtsMI2EW4P42QPF4SMqwpXdI21V3fH0=;
 b=l0CKbKxXdEesRFy6CUKQcRHbV6bG8RnMncCsA/B+0id75BOnxGH33GnWXXi0eikWo07vyVHsBr3dbNaRIBOkqEJ5y3hqoI7SPV5i1KnpasJmiRh4+dX45crZNsRlK7gzPVl8+w0+4pDc/YbTtkbt66Vxusd86emnjCD0nfs9LyudujOwwMtQnAhoi333SJhmye3+4AG0mw7BbRhvx455b/5KFNbzbryRQZckhs9zuf1lt12uD6kOnO7CrHvvaA2/hLBN8YNoGTTNwkjuhdXRiLcwOHvqGENQfDi4pc3gNSW8GzjjZxMrg24BJaXY7DsWZliJHxARB1CW1ZAt5A4y8g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass; dmarc=pass
 action=none header.from=msc.com; dkim=pass header.d=msc.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=msc.com; s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=MS89XohlxNUShtsMI2EW4P42QPF4SMqwpXdI21V3fH0=;
 b=H2Hx2hv1FF6wd+5JTJu6Hl1Zxk8O/IyT9C6IbCCyHwTK27GxJrasCUPQ8HFqnj6C5KGdm5L62fWIEYOedmSUnJzn/6mV/g9qQTD/Z06ORIEmftM287bIRFogFjl8AV85DSWcVjG6r4rTeE4/1LYLc+yj9cjOvUlflzYauxo7CTI=
MIME-Version: 1.0
From: <postmaster@msc.com>
To: <opendmarc@box.mydomain.name>
Date: Mon, 6 Dec 2021 12:16:02 +0000
Content-Type: multipart/report; report-type=delivery-status;
	boundary="e204c142-f195-4103-8d2b-d77e18be8ac5"
X-MS-Exchange-Message-Is-Ndr:
Content-Language: en-US
Message-ID:
 <447fe7e7-2ce8-4fd7-a71d-f22f093cf6f5@KL1P104MB0117.NAMP104.PROD.OUTLOOK.COM>
In-Reply-To: <20211206121541.5659B66EB4@box.mydomain.name>
References: <20211206121541.5659B66EB4@box.mydomain.name>
Subject: Undeliverable: FW: Ocean Freight Payment Notification Of 06_12_2021
Auto-Submitted: auto-replied
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: KL1P104MB0117:
X-Microsoft-Antispam-PRVS:
	<KL1P104MB011730574FB2B158F6004BFFB86D9@KL1P104MB0117.NAMP104.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:8273;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Forefront-Antispam-Report:
	CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:;PTR:;CAT:NONE;SFS:(50650200002)(366004)(1930700014)(6916009)(66574015)(2906002)(53546011)(8676002)(2876002)(42186006)(316002)(78496005)(66946007)(15650500001)(83380400001)(9686003)(31686004)(42882007)(31696002)(78352004)(32400700002)(5660300002)(15843345004)(508600001)(45080400002)(45954011)(201263002);DIR:OUT;SFP:1501;
X-OriginatorOrg: msc.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Dec 2021 12:16:02.9571
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-AuthSource: KL1P104MB0117.NAMP104.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-Network-Message-Id:
	748f091d-a5b8-47c3-611f-08d9b8b22be2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: KL1P104MB0117

--e204c142-f195-4103-8d2b-d77e18be8ac5
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Delivery has failed to these recipients or groups:

dmarc-report@msc.com<mailto:dmarc-report@msc.com>
The recipient's mailbox is full and can't accept messages now. Please try r=
esending your message later, or contact the recipient directly.








Diagnostic information for administrators:

Generating server: KL1P104MB0117.NAMP104.PROD.OUTLOOK.COM

dmarc-report@msc.com
Remote Server returned '554 5.2.2 mailbox full; STOREDRV.Deliver.Exception:=
QuotaExceededException.MapiExceptionShutoffQuotaExceeded; Failed to process=
 message due to a permanent exception with message The process failed to ge=
t the correct properties. [Stage: CreateMessage]'

Original message headers:

[ removed for posting ... ]

Do these “bounce” emails have an attachment?

Okay, I misread the message itself.

It looks like what is happening is MiaB is receiving mail from the domain msc.com. The DMARC record for msc.com requests DMARC reports, but the mailbox for receiving the reports is bouncing the requested messages.

About the only thing I can think of to do about this is to blacklist the address postmaster@msc.com so it always gets 100.0 points of spamscore, so just goes straight to spam.

Hi there,
Thanks for the response.
My main concern is whether this is indicative of any “bad stuff” happening on my MIAB.
Yes I could block that one specific sender but most of the bounces actually come from MAILER-DAEMON@box.mydomain.name which I don’t want to block :slight_smile:

Why is my MIAB attempting to send anything to msc.com? Or to interpublication.org as in the below example?
Can I / should I try to prevent these mails (that eventually bounce) going out from my MIAB?

Return-Path: <>
Delivered-To: myaddress@mydomain.name
Received: from box.mydomain.name ([127.0.0.1])
	by box.mydomain.name with LMTP id WP5TGcSIXmHbPgAArhdI8g
	for <myaddress@mydomain.name>; Thu, 07 Oct 2021 18:42:28 +1300
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on box.mydomain.name
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NO_RELAYS
	autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Report: 
	* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
	*      [score: 0.0000]
	* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
X-Spam-Score: -1.9
Received: by box.mydomain.name (Postfix)
	id 5F10960BED; Thu,  7 Oct 2021 18:42:28 +1300 (NZDT)
Date: Thu,  7 Oct 2021 18:42:28 +1300 (NZDT)
From: MAILER-DAEMON@box.mydomain.name (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: opendmarc@box.mydomain.name
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
	boundary="CF8FA658E0.1633585348/box.mydomain.name"
Content-Transfer-Encoding: 8bit
Message-Id: <20211007054228.5F10960BED@box.mydomain.name>

This is a MIME-encapsulated message.

--CF8FA658E0.1633585348/box.mydomain.name
Content-Description: Notification
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

This is the mail system at host box.mydomain.name.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<postmaster@vericty.interpublication.org>: connect to
    vericty.interpublication.org[2607:5300:201:3100::299e]:25: Connection
    refused

--CF8FA658E0.1633585348/box.mydomain.name
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; box.mydomain.name
X-Postfix-Queue-ID: CF8FA658E0
X-Postfix-Sender: rfc822; opendmarc@box.mydomain.name
Arrival-Date: Tue,  5 Oct 2021 17:37:02 +1300 (NZDT)

Final-Recipient: rfc822; postmaster@vericty.interpublication.org
Original-Recipient: rfc822;postmaster@vericty.interpublication.org
Action: failed
Status: 4.4.1
Diagnostic-Code: X-Postfix; connect to
    vericty.interpublication.org[2607:5300:201:3100::299e]:25: Connection
    refused

--CF8FA658E0.1633585348/box.mydomain.name
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Return-Path: <opendmarc@box.mydomain.name>
Received: by box.mydomain.name (Postfix, from userid 116)
	id CF8FA658E0; Tue,  5 Oct 2021 17:37:02 +1300 (NZDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=box.mydomain.name;
	s=mail; t=1633408622;
	bh=yDlkGfe4dFwlsFeoKaIHG6xiRgQs2/PqPnLtiPm5ewk=;
	h=From:To:Date:Subject:From;
	b=TwXvJJFoFwJDcb6IKMKsxp2BiRDsrjLOESyQPh/Cc4tRZltVAud/k6f0XP4l5a/T8
	 kh0iDOGImc0O1WZNFt0MUcwLsfW4qbYjCBtthQDnbPApvv6MJDASwau+wipu5Nrkjc
	 flg+nMaD97pVgR0LevMoVIWoiy1f5PNC/z0xkY2wnvyoGn91WuDsdocOqyoPo4RmIT
	 A/f3M4CjOv/QmMEAWBIsa7kAZwf+rNmzDahFOtp2vFLqHt0iZi5vs40fa6O/I0snTM
	 fRkv2GMZAug7NMU8MN/MhuO87FV6ATZXvB0Kxvsy9z0zZYK7tM1OYHjiCYot45erG3
	 dlKrYiXsfd3BQ==
From: OpenDMARC Filter <opendmarc@box.mydomain.name>
To: postmaster@vericty.interpublication.org
Date: Tue,  5 Oct 2021 17:37:02 +1300 (NZDT)
Subject: FW: Wir kaufen dein Auto!
MIME-Version: 1.0
Content-Type: multipart/report;
	report-type=feedback-report;
	boundary="box.mydomain.name:8BE2660E72"
Message-Id: <20211005043702.CF8FA658E0@box.mydomain.name>

--box.mydomain.name:8BE2660E72
Content-Type: text/plain

This is an authentication failure report for an email message received from IP
148.163.85.135 on Tue,  5 Oct 2021 17:37:02 +1300 (NZDT).

--box.mydomain.name:8BE2660E72
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Version: 1
User-Agent: OpenDMARC-Filter/1.3.2
Auth-Failure: dmarc
Authentication-Results: box.mydomain.name; dmarc=fail header.from=interpublication.org
Original-Envelope-Id: 8BE2660E72
Original-Mail-From: info@interpublication.org
Source-IP: 148.163.85.135 (sainay.interpublication.org)
Reported-Domain: interpublication.org

--box.mydomain.name:8BE2660E72
Content-Type: text/rfc822-headers

Authentication-Results: box.mydomain.name;
	dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=interpublication.org header.i=@interpublication.org header.b="PrsTNnuH";
	dkim-atps=neutral
Received: from dslb-002-202-150-127.002.202.pools.vodafone-ip.de (dslb-188-099-080-029.188.099.pools.vodafone-ip.de [188.99.80.29])
	by sainay.interpublication.org (Postfix) with ESMTPA id 6BB23A2D3
	for <address@myotherdomain.name>; Tue,  5 Oct 2021 00:36:52 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sainay.interpublication.org 6BB23A2D3
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=interpublication.org; s=default; t=1633408612;
	bh=q1/OPSn+VXteY2+DHXqOIgs5LsNCJisEcQIKVW9it6I=;
	h=From:Subject:To:Reply-To:Date:From;
	b=PrsTNnuH8D0Ch3gcWqGmXiYc2Kvu1CHGJBsqS521uYazd3G/urp7MHQvmNwK0r1gS
	 DR3A3KwGejI5uuqzxDCqz28Mq6AkdTkOjFyXw65MLlsKTQddWTgciVnoqJempa6yzw
	 PSM5550XqVFqqkNxEcYBUBYEwUdy1tY8rc4zhq8cIrsonQVxJJSbc3cdonICM1kLBV
	 WASv16p3376ZBcKqFLc8UQ58YQKaFm51VZGEjtabfmWbgOQ7VikFFECDG3aRt8fZa6
	 D03MrzUSngwPUdcRQZuqS/sApW/a9N2YwdbR51OFzPBr4ypUEIw/qprgBG4BfQQKeS
	 1PhinNvVtgQpQ==
From: "Rolf Bader" <info@interpublication.org>
Subject: Wir kaufen dein Auto!
To: "address" <address@myotherdomain.name>
Content-Type: multipart/alternative; boundary="TD6gM3Blv=_XBZYNFT7dCsH1DHHOKUuSyA"
MIME-Version: 1.0
Reply-To: "Rolf Bader" <auto24-export@gmx.de>
Organization: AutoTEAM24
Date: Tue, 5 Oct 2021 06:36:51 +0200

--box.mydomain.name:8BE2660E72--

--CF8FA658E0.1633585348/box.mydomain.name--

This has to do with how DMARC works.

$ dig +short txt _dmarc.interpublication.org
"v=DMARC1; p=none; pct=100; ruf=mailto:postmaster@pickys.interpublication.org;  rua=mailto:postmaster@pickys.interpublication.org"

The sending of these messages is automated and is actually requested by the domain owner, as per this record.

You can see the original message transaction in MiaB:

$ grep interpublication /var/log/mail.log

There you can see an entry something like

opendmarc[27193]: D901E5E0CA: interpublication.org fail

You can see all the logs for that transaction with grep D901E5E0CA /var/log/mail.log. The first entry should show the IP address that connected. Search the file for that IP address and see if they have a lot of DMARC failures.

You can see all of the outbound opendmarc messages with this:

$ grep 'from=<opendmarc>' /var/log/mail.log
Dec  5 19:20:15 mail postfix/pickup[14479]: A5D375FF95: uid=119 from=<opendmarc>
Dec  5 20:49:39 mail postfix/pickup[23403]: 9548F5FF96: uid=119 from=<opendmarc>
Dec  6 02:23:10 mail postfix/pickup[17602]: 87AB65FF9B: uid=119 from=<opendmarc>
Dec  6 03:50:30 mail postfix/pickup[30399]: 1DD7E5FFA2: uid=119 from=<opendmarc>
Dec  6 05:34:06 mail postfix/pickup[7189]: 7DA695FFA3: uid=119 from=<opendmarc>
Dec  6 18:39:03 mail postfix/pickup[14644]: 0855B5FFAF: uid=119 from=<opendmarc>
Dec  7 00:59:55 mail postfix/pickup[17620]: C8C5B5FFB0: uid=119 from=<opendmarc>
Dec  7 01:08:02 mail postfix/pickup[17620]: 08A735FFB1: uid=119 from=<opendmarc>
Dec  7 07:40:27 mail postfix/pickup[16338]: E859D5F86E: uid=119 from=<opendmarc>
Dec  7 14:38:43 mail postfix/pickup[20176]: 348825FFB8: uid=119 from=<opendmarc>
Dec  8 01:30:25 mail postfix/pickup[17176]: 4D2EE5FFBF: uid=119 from=<opendmarc>

Search any of those strings to see all the logs for that message.

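The log correlation described in the answer above, as an added example (not part of the original post or of Mail-in-a-Box): it collects the queue IDs of reports submitted as from=<opendmarc>, then tallies delivery status per report destination alongside DMARC failures per From domain. The sample log is constructed; the smtp delivery-line layout and hex queue IDs are assumed to follow stock Postfix logging.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, shaped like the /var/log/mail.log lines quoted in the thread.
SAMPLE_LOG = """\
Dec  6 02:23:01 mail opendmarc[27193]: 11AA22BB33: sender-a.example fail
Dec  6 02:23:10 mail postfix/pickup[17602]: 87AB65FF9B: uid=119 from=<opendmarc>
Dec  6 02:23:12 mail postfix/smtp[17710]: 87AB65FF9B: to=<ruf@sender-a.example>, relay=mx.sender-a.example[192.0.2.10]:25, delay=1.9, dsn=2.0.0, status=sent (250 2.0.0 OK)
Dec  6 03:50:02 mail opendmarc[27193]: 44CC55DD66: sender-b.example fail
Dec  6 03:50:30 mail postfix/pickup[30399]: 1DD7E5FFA2: uid=119 from=<opendmarc>
Dec  6 03:50:31 mail postfix/smtp[30410]: 1DD7E5FFA2: to=<postmaster@rpt.sender-b.example>, relay=none, delay=0.5, dsn=4.4.1, status=deferred (connect to rpt.sender-b.example[192.0.2.20]:25: Connection refused)
Dec  6 04:20:31 mail postfix/smtp[30999]: 1DD7E5FFA2: to=<postmaster@rpt.sender-b.example>, relay=none, delay=1801, dsn=4.4.1, status=deferred (connect to rpt.sender-b.example[192.0.2.20]:25: Connection refused)
Dec  6 05:00:00 mail opendmarc[27193]: 77EE88FF99: sender-b.example fail
Dec  6 05:34:06 mail postfix/pickup[7189]: 7DA695FFA3: uid=119 from=<opendmarc>
Dec  6 05:34:07 mail postfix/smtp[7200]: 7DA695FFA3: to=<postmaster@rpt.sender-b.example>, relay=none, delay=0.4, dsn=4.4.1, status=deferred (connect to rpt.sender-b.example[192.0.2.20]:25: Connection refused)
Dec  6 06:00:00 mail postfix/smtp[7300]: 0A1B2C3D4E: to=<friend@other.example>, relay=mx.other.example[192.0.2.30]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Assumption: default (hex) Postfix queue IDs, as in the lines quoted in the thread.
FAIL = re.compile(r" opendmarc\[\d+\]: [0-9A-F]+: (\S+) fail$")
PICKUP = re.compile(r" postfix/pickup\[\d+\]: ([0-9A-F]+): uid=\d+ from=<opendmarc>")
DELIVERY = re.compile(r" postfix/\w+\[\d+\]: ([0-9A-F]+): to=<([^>]+)>.*?\bstatus=(\w+)")


def summarize(log_text):
    """Return (DMARC failures per From domain, delivery statuses per report destination)."""
    failures = Counter()
    report_ids = set()                 # queue IDs of messages submitted by opendmarc
    deliveries = defaultdict(Counter)  # destination domain -> status -> attempts
    for line in log_text.splitlines():
        if m := FAIL.search(line):
            failures[m.group(1)] += 1
        elif m := PICKUP.search(line):
            report_ids.add(m.group(1))
        elif (m := DELIVERY.search(line)) and m.group(1) in report_ids:
            domain = m.group(2).rpartition("@")[2].lower()
            deliveries[domain][m.group(3)] += 1
    return dict(failures), {d: dict(c) for d, c in deliveries.items()}


def never_delivered(deliveries):
    """Report destinations that were attempted but never accepted a report."""
    return sorted(d for d, c in deliveries.items() if not c.get("sent"))


if __name__ == "__main__":
    failures, deliveries = summarize(SAMPLE_LOG)
    print("DMARC failures by From domain:", failures)
    print("Report delivery attempts:", deliveries)
    print("Destinations that never accepted a report:", never_delivered(deliveries))
```

Destinations listed by `never_delivered` are the ones whose failed reports come back as bounces to the opendmarc address; ordinary user mail is ignored because its queue ID never appears in a `from=<opendmarc>` pickup line.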

Thanks for the detailed background info.

So, it looks like someone from that domain is trying to email one of my mailboxes?
With the subjects / message content here I would assume it is junk mail and not legitimate messages.
Could the sender potentially be spoofed and tricking MIAB into sending a reply to a third party (i.e. a host that has not been involved originally)?

Overall it sounds like there’s nothing really I can do about the bounces, and the dmarc response is a good thing in general.

Many thanks again!
