Bounces to

Hi all :slight_smile:

Apologies if this isn’t the best category for my post.

I’ve checked the status page (mostly green, some yellow - DNSSEC and custom DNS), re-ran setup, and I reboot the box regularly.

I’ve been running a MIAB instance on DO for many many years (“work”) and about 6 months ago moved to Hetzner (“personal”).
The work instance used to host my main personal domain too (and a bunch of others). My personal instance hosts additional domains.

Since 13 September 2021 (and never before) I have received 52 “bounce” emails (Undelivered Mail and Delayed Mail) to (I’ve changed my domain to for privacy) on my personal MIAB instance. I have never seen this happen on the work instance.

Question: Is this normal? Does it indicate a domain on my box is sending spam? If this is (potentially) malicious, how can I find out more?

Many thanks
tobes :slight_smile:

PS: I’ve decided against posting the full message in case it contains anything malicious.
PPS: Yes I can tell this one says the recipients’ mailbox is full. Others that I have received are “connection timed out” or “554 Email rejected due to security policies” bounces etc.

Return-Path: <>
Received: from ([])
	by with LMTP id 2M9DNwb/rWELRwAArhdI8g
	for <>; Tue, 07 Dec 2021 01:16:06 +1300
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_MSPIKE_H2,SPF_PASS autolearn=ham autolearn_force=no
	* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
	*, no trust
	*      [ listed in]
	* -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
	*      [ listed in]
	* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
	*      [score: 0.0000]
	* -0.1 SPF_PASS SPF check passed
	* -0.1 DMARC_PASS DMARC check passed
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	*      author's domain
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*       valid
X-Spam-Score: -2.2
Received: from ( [])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by (Postfix) with ESMTPS id 0E859612E0
	for <>; Tue,  7 Dec 2021 01:16:06 +1300 (NZDT)
Authentication-Results:; dmarc=pass (p=reject dis=none)
Authentication-Results:; spf=pass
	dkim=pass (1024-bit key; unprotected) header.b="H2Hx2hv1";
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;;
ARC-Authentication-Results: i=1; 1; spf=pass; dmarc=pass
 action=none; dkim=pass; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1;
MIME-Version: 1.0
From: <>
To: <>
Date: Mon, 6 Dec 2021 12:16:02 +0000
Content-Type: multipart/report; report-type=delivery-status;
Content-Language: en-US
In-Reply-To: <>
References: <>
Subject: Undeliverable: FW: Ocean Freight Payment Notification Of 06_12_2021
Auto-Submitted: auto-replied
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: KL1P104MB0117:
X-MS-Oob-TLC-OOBClassifiers: OLM:8273;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Dec 2021 12:16:02.9571
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-AuthSource: KL1P104MB0117.NAMP104.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-Transport-CrossTenantHeadersStamped: KL1P104MB0117

Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Delivery has failed to these recipients or groups:<>
The recipient's mailbox is full and can't accept messages now. Please try r=
esending your message later, or contact the recipient directly.

Diagnostic information for administrators:

Generating server: KL1P104MB0117.NAMP104.PROD.OUTLOOK.COM
Remote Server returned '554 5.2.2 mailbox full; STOREDRV.Deliver.Exception:=
QuotaExceededException.MapiExceptionShutoffQuotaExceeded; Failed to process=
 message due to a permanent exception with message The process failed to ge=
t the correct properties. [Stage: CreateMessage]'

Original message headers:

[ removed for posting ... ]

Do these “bounce” emails have an attachment?

Okay, I misread the message itself.

It looks like what is happening is MiaB is receiving mail from the domain The DMARC record for requests DMARC reports, but the mailbox for receiving the reports is bouncing the requested messages.

About the only thing I can think of to do about this is to blacklist the address so it always gets 100.0 points of spamscore, so just goes straight to spam.

Hi there,
Thanks for the response.
My main concern is whether this is indicative of any “bad stuff” happening on my MIAB.
Yes I could block that one specific sender but most of the bounces actually come from which I don’t want to block :slight_smile:

Why is my MIAB attempting to send anything to Or to as in the below example?
Can I / should I try to prevent these mails (that eventually bounce) going out from my MIAB?

Return-Path: <>
Received: from ([])
	by with LMTP id WP5TGcSIXmHbPgAArhdI8g
	for <>; Thu, 07 Oct 2021 18:42:28 +1300
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NO_RELAYS
	autolearn=ham autolearn_force=no version=3.4.2
	* -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
	*      [score: 0.0000]
	* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
X-Spam-Score: -1.9
Received: by (Postfix)
	id 5F10960BED; Thu,  7 Oct 2021 18:42:28 +1300 (NZDT)
Date: Thu,  7 Oct 2021 18:42:28 +1300 (NZDT)
From: (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
Content-Transfer-Encoding: 8bit
Message-Id: <>

This is a MIME-encapsulated message.

Content-Description: Notification
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

This is the mail system at host

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<>: connect to[2607:5300:201:3100::299e]:25: Connection

Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns;
X-Postfix-Queue-ID: CF8FA658E0
X-Postfix-Sender: rfc822;
Arrival-Date: Tue,  5 Oct 2021 17:37:02 +1300 (NZDT)

Final-Recipient: rfc822;
Original-Recipient: rfc822;
Action: failed
Status: 4.4.1
Diagnostic-Code: X-Postfix; connect to[2607:5300:201:3100::299e]:25: Connection

Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Return-Path: <>
Received: by (Postfix, from userid 116)
	id CF8FA658E0; Tue,  5 Oct 2021 17:37:02 +1300 (NZDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;
	s=mail; t=1633408622;
From: OpenDMARC Filter <>
Date: Tue,  5 Oct 2021 17:37:02 +1300 (NZDT)
Subject: FW: Wir kaufen dein Auto!
MIME-Version: 1.0
Content-Type: multipart/report;
Message-Id: <>
Content-Type: text/plain

This is an authentication failure report for an email message received from IP on Tue,  5 Oct 2021 17:37:02 +1300 (NZDT).
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Version: 1
User-Agent: OpenDMARC-Filter/1.3.2
Auth-Failure: dmarc
Authentication-Results:; dmarc=fail
Original-Envelope-Id: 8BE2660E72
Source-IP: (
Content-Type: text/rfc822-headers

	dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.b="PrsTNnuH";
Received: from ( [])
	by (Postfix) with ESMTPA id 6BB23A2D3
	for <>; Tue,  5 Oct 2021 00:36:52 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 6BB23A2D3
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1633408612;
From: "Rolf Bader" <>
Subject: Wir kaufen dein Auto!
To: "address" <>
Content-Type: multipart/alternative; boundary="TD6gM3Blv=_XBZYNFT7dCsH1DHHOKUuSyA"
MIME-Version: 1.0
Reply-To: "Rolf Bader" <>
Organization: AutoTEAM24
Date: Tue, 5 Oct 2021 06:36:51 +0200


This has to do with how DMARC works.

$ dig +short txt
"v=DMARC1; p=none; pct=100;;"

The sending of these messages is automated and is actually requested by the domain owner, as per this record.

You can see the original message transaction in MiaB:

$ grep interpublication /var/log/mail.log

There you can see an entry something like

opendmarc[27193]: D901E5E0CA: fail

You can see all the logs for that transaction with grep D901E5E0CA /var/log/mail.log. The first entry should show the IP address that connected. Search the file for that IP address and see if they have a lot of DMARC failures.

You can see all of the outbound opendmarc messages with this:

$ grep 'from=<opendmarc>' /var/log/mail.log
Dec  5 19:20:15 mail postfix/pickup[14479]: A5D375FF95: uid=119 from=<opendmarc>
Dec  5 20:49:39 mail postfix/pickup[23403]: 9548F5FF96: uid=119 from=<opendmarc>
Dec  6 02:23:10 mail postfix/pickup[17602]: 87AB65FF9B: uid=119 from=<opendmarc>
Dec  6 03:50:30 mail postfix/pickup[30399]: 1DD7E5FFA2: uid=119 from=<opendmarc>
Dec  6 05:34:06 mail postfix/pickup[7189]: 7DA695FFA3: uid=119 from=<opendmarc>
Dec  6 18:39:03 mail postfix/pickup[14644]: 0855B5FFAF: uid=119 from=<opendmarc>
Dec  7 00:59:55 mail postfix/pickup[17620]: C8C5B5FFB0: uid=119 from=<opendmarc>
Dec  7 01:08:02 mail postfix/pickup[17620]: 08A735FFB1: uid=119 from=<opendmarc>
Dec  7 07:40:27 mail postfix/pickup[16338]: E859D5F86E: uid=119 from=<opendmarc>
Dec  7 14:38:43 mail postfix/pickup[20176]: 348825FFB8: uid=119 from=<opendmarc>
Dec  8 01:30:25 mail postfix/pickup[17176]: 4D2EE5FFBF: uid=119 from=<opendmarc>

Search for any of those strings to see all the logs for that message.

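The manual grep steps in the answer above, automated as an added example that is not part of the original thread: it maps each opendmarc failure to the IP that connected, counts failures per IP, and tracks what happened to each outbound report. The log lines are constructed, and two things are assumptions: that opendmarc logs the domain before `fail`, and that reports are queued with `from=<opendmarc>` as in the answer's output.

```python
import re
from collections import Counter

QID = r"(?P<qid>[0-9A-F]{6,})"
CLIENT = re.compile(r"postfix/smtpd\[\d+\]: " + QID + r": client=\S*\[(?P<ip>[^\]]+)\]")
FAIL = re.compile(r"opendmarc\[\d+\]: " + QID + r": (?:\S+ )?fail\b")
REPORT = re.compile(r"postfix/pickup\[\d+\]: " + QID + r": uid=\d+ from=<opendmarc>")
DELIVERY = re.compile(r"postfix/\w+\[\d+\]: " + QID + r": to=<(?P<rcpt>[^>]*)>.*?\bstatus=(?P<status>\w+)")

# Constructed sample lines (documentation addresses, made-up queue IDs).
SAMPLE_LOG = """\
Dec  5 17:37:01 mail postfix/smtpd[2101]: AAAA0000A1: client=unknown[203.0.113.7]
Dec  5 17:37:02 mail opendmarc[27193]: AAAA0000A1: spoofed.example fail
Dec  5 17:37:02 mail postfix/pickup[14479]: AAAA0000B1: uid=119 from=<opendmarc>
Dec  5 17:37:33 mail postfix/smtp[2110]: AAAA0000B1: to=<dmarc@spoofed.example>, relay=none, delay=31, status=deferred (connect to mx.spoofed.example[2001:db8::25]:25: Connection timed out)
Dec  6 09:10:11 mail postfix/smtpd[2300]: AAAA0000A2: client=unknown[203.0.113.7]
Dec  6 09:10:12 mail opendmarc[27193]: AAAA0000A2: other.example fail
Dec  6 09:10:12 mail postfix/pickup[14479]: AAAA0000B2: uid=119 from=<opendmarc>
Dec  6 09:10:13 mail postfix/smtp[2310]: AAAA0000B2: to=<reports@other.example>, relay=mx.other.example[198.51.100.9]:25, delay=1, status=sent (250 OK)
Dec  6 11:00:01 mail postfix/smtpd[2400]: AAAA0000A3: client=mail.good.example[198.51.100.20]
Dec  6 11:00:02 mail opendmarc[27193]: AAAA0000A3: good.example pass
Dec  7 17:42:28 mail postfix/smtp[2290]: AAAA0000B1: to=<dmarc@spoofed.example>, relay=none, delay=173126, status=bounced (connect to mx.spoofed.example[2001:db8::25]:25: Connection timed out)
"""

def summarize(log_text):
    """Return (DMARC failures per connecting IP, delivery status of each report)."""
    client_ip, fails, reports = {}, Counter(), {}
    for line in log_text.splitlines():
        if m := CLIENT.search(line):
            client_ip[m["qid"]] = m["ip"]        # first entry of an inbound transaction
        elif m := FAIL.search(line):
            fails[client_ip.get(m["qid"], "unknown")] += 1
        elif m := REPORT.search(line):
            reports[m["qid"]] = {}               # failure report queued by opendmarc
        elif (m := DELIVERY.search(line)) and m["qid"] in reports:
            reports[m["qid"]][m["rcpt"]] = m["status"]   # keep the last status seen
    return fails, reports

def undelivered(reports):
    """Reports whose last status is not 'sent'; these are the ones that bounce back."""
    return [(q, r, s) for q, rc in reports.items() for r, s in rc.items() if s != "sent"]

if __name__ == "__main__":
    fails, reports = summarize(SAMPLE_LOG)
    print("DMARC failures per connecting IP:", fails.most_common())
    print("Reports not delivered:", undelivered(reports))
```

To run it on a real box, pass the contents of /var/log/mail.log to `summarize()` instead of `SAMPLE_LOG`.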

Thanks for the detailed background info.

So, it looks like someone from that domain is trying to email one of my mailboxes?
With the subjects / message content here I would assume it is junk mail and not legitimate messages.
Could the sender potentially be spoofed and tricking MIAB into sending a reply to a third party (i.e. a host that has not been involved originally)?

Overall it sounds like there’s nothing really I can do about the bounces, and the dmarc response is a good thing in general.

Many thanks again!
