One thing I wanted to add is that reading email headers, while appearing daunting at first, is actually easier than you think.
The actual email itself contains the first headers; any other headers are then added to the start of the email by each SMTP server the mail passes through.
So, looking at the headers posted, this part was added by the first SMTP server the mail passed through (i.e. your box):
Return-Path: <****@dahbura.com>
Received: from authenticated-user (box.fullmoonmanor.net [34.239.193.170])
(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested)
by box.fullmoonmanor.net (Postfix) with ESMTPSA id E70166BB80;
Wed, 26 Dec 2018 10:45:24 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dahbura.com; s=mail; t=1545839134;
bh=vMyLkFC9bfhxv9PdliL9NRZMf63869IpqUmjRca0SeQ=; h=Date:Subject:From:To:Cc:From;
b=Abj5AWSOxkffPd5i9SVWVwArEWKT6RGuApkVaHMO2rf0C617K087rRM09QZXrJGGH
sxxpQSRYE7yjGWpAk3emze3JILat/x+PfSqliLcBRCvHD80DU/rQjAbGDsHsZQl2Hf
InV4l/V5lN4D5rzuhn7baf1kjF/4za2YiyfOPx2gtYh/JPQ5SlWiutw9R6RoxNUgTw
UMFgYM3OafR2v2OCr7GuSLpN8IOV//t/1oU3e7IaKHW12nAHcX7aZ7TH36w/CVUqkF
EDSfVfh7r9SsbOBuqpCN6ZZy9JDdBYVbpcBDKY6V9JwRhW61+hb2Ko17Ah9X+52Tjl
XLse5LwPHfZeA==
This part was the start of the original email (the Date: and Message-ID: headers are typically added by the mailer program when it actually sends the mail):
Date: Wed, 26 Dec 2018 16:45:33 +0100
Subject: ONLINE STORE WEBSITE - that denote an opportunity new 70%
From: "CANADIAN PHARMACY" <****@dahbura.com>
To: takanori432@gmail.com
Cc: nan_433@hotmail.com, amadoreynald433@gmail.com, jcaskey433@gmail.com,
ekirchner433@comcast.net, bowes0433@aol.com, jreesela433@gmail.com,
mdwatkinsb433@sbcglobal.net
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8
Message-ID: <vutpdtf-8lmqhf-11@dahbura.com>
Each time a mail passes through an SMTP server, the server adds trace headers to the start of the mail but SHOULD otherwise leave the email as it found it. (In fact, the RFC 5321 standard states it MUST NOT change the email except to add the trace headers; however, I know of certain servers that do break this rule, such as Google Apps.)
So the secret to finding out which SMTP servers an email has passed through is as follows:
Find out where the email begins by locating the From:, Date: and To: headers, and then read upwards from there.
For example, here’s a mail I sent from my box to a blueyonder email address:
Return-Path: <xxxxx@timothydutton.co.uk>
Delivered-To: xxxxx@blueyonder.co.uk
Received: from md8.tb.ukmail.iss.local ([212.54.57.68])
by mc8.tb.ukmail.iss.local with LMTP id EMdyLjlTClzNbgAAVqD7fw
for <xxxxx@blueyonder.co.uk>; Fri, 07 Dec 2018 12:02:17 +0100
Received: from smtpclienthelo ([212.54.57.68])
by md8.tb.ukmail.iss.local with LMTP id mKxFGzhTClxbBQAAkRb9eQ
; Fri, 07 Dec 2018 12:02:17 +0100
Authentication-Results: ukmail.iss.as9143.net;
spf=pass (77.68.89.100;timothydutton.co.uk);
dkim=pass header.d=timothydutton.co.uk;
dmarc=pass header.from=timothydutton.co.uk (p=quarantine sp=quarantine dis=pass);
X-Env-Mailfrom: xxxxx@timothydutton.co.uk
X-Env-Rcptto: xxxxx@blueyonder.co.uk
X-SourceIP: 77.68.89.100
X-CNFS-Analysis: v=2.3 cv=VJqjYOHX c=1 sm=1 tr=0
a=0OLw87qtdMDg28/XYPXStA==:117 a=0OLw87qtdMDg28/XYPXStA==:17
a=2ur7OfE09M0A:10 a=QNGSuValVZ5WP85NjNMA:9 a=CjuIK1q_8ugA:10
a=quBxwbfpUynTCDI0mTMA:9 a=_W_S_7VecoQA:10 a=QEXdDO2ut3YA:10
a=pHzHmUro8NiASowvMSCR:22 a=nt3jZW36AmriUCFCBwmW:22
Received: from box.timothydutton.co.uk ([77.68.89.100])
by mx1.tb.ukmail.iss.as9143.net with ESMTP
id VDtfg6GQKjxPOVDtfgwgpY; Fri, 07 Dec 2018 12:02:17 +0100
Received: from authenticated-user (box.timothydutton.co.uk [77.68.89.100])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by box.timothydutton.co.uk (Postfix) with ESMTPSA id 2D24C120A68
for <xxxxx@blueyonder.co.uk>; Fri, 7 Dec 2018 11:02:15 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=timothydutton.co.uk;
s=mail; t=1544180535;
bh=VKNw8S84HpqVWJWqZ5uhkdpp7TnG1esUI+pfjeSeROI=;
h=Date:From:To:Subject:From;
b=kfeLqIrflXs8RXeVzIGifTW8Vx+KhVvqAZ18kibOTWm/yIpTotMWEPxpOjoevAG9h
kDFncPsmcy5Oh+ik+AjVyZzV0WgWg/svyWkh+mcfqoYCq7jJurE+OlrSrcvqvewoBQ
ADERi2VLyey8pA40BRnMBRHsjMDfN1TQIJThmqDMnCbS1iwVcL65qEAATKeezHe5uV
/SGU6uaFxwe/db8S0g9GLv8GItl4ux51LSFmhJcGb6kbRiQf0uZno3UE1vrF5//977
qKYTY8MQPX0j8thEmmGmeevibT3UyeFC6B5WenwApomnbgg2UxuPM6KBQ3nxQCxosX
AQEOqTZnBevGw==
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_a845b8575466b37398b0a5448c4a7ee3"
Date: Fri, 07 Dec 2018 11:02:15 +0000
From: xxxxx <xxxxx@timothydutton.co.uk>
To: xxxxx <xxxxx@blueyonder.co.uk>
Subject: Test send
Message-ID: <39011e03d198dbcc8dde3aaf598fd043@timothydutton.co.uk>
X-Sender: xxxxx@timothydutton.co.uk
X-CMAE-Envelope: MS4wfGpTr3TdXmDQaBJipjqo6gTDuUq9ovrsgoNjfWAU/p3BqjH5ffQaQwfLE02b46sgZQZdkNruIK6W9kLwWJziQj9OMqQBpZuEQIXjdMTgksU/xoDnA85S
8oWCXFE7mtayp5WGZAl1+cvwox9R5tRxLwktsOr28RefHjDVltRDeijQYktsfZh9P7UcrBbdjfYF6Z6KSPjNrcJsdxAt80l+0iE=
--=_a845b8575466b37398b0a5448c4a7ee3
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sending me a mail
--
_Timothy George Dutton_
--=_a845b8575466b37398b0a5448c4a7ee3
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8
<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=
=3DUTF-8" /></head><body style=3D'font-size: 10pt; font-family: Verdana,Gen=
eva,sans-serif'>
<p>Sending me a mail</p>
<div>-- <br />
<div class=3D"pre" style=3D"margin: 0; padding: 0; font-family: monospace">=
<span style=3D"font-size: 12pt;"><em><span style=3D"font-family: 'book anti=
qua', palatino, serif;">Timothy George Dutton</span></em></span></div>
</div>
</body></html>
--=_a845b8575466b37398b0a5448c4a7ee3--
Note that Virgin’s email system actually breaks some rules here in where it adds some of its diagnostic headers, but because it doesn’t change the body or the critical headers, the mail still passes muster.
Finding the From: and To: headers and reading up, the first Received: line is my box, which also adds the DKIM signature:
Received: from authenticated-user (box.timothydutton.co.uk [77.68.89.100])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by box.timothydutton.co.uk (Postfix) with ESMTPSA id 2D24C120A68
for <xxxxx@blueyonder.co.uk>; Fri, 7 Dec 2018 11:02:15 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=timothydutton.co.uk;
s=mail; t=1544180535;
bh=VKNw8S84HpqVWJWqZ5uhkdpp7TnG1esUI+pfjeSeROI=;
h=Date:From:To:Subject:From;
b=kfeLqIrflXs8RXeVzIGifTW8Vx+KhVvqAZ18kibOTWm/yIpTotMWEPxpOjoevAG9h
kDFncPsmcy5Oh+ik+AjVyZzV0WgWg/svyWkh+mcfqoYCq7jJurE+OlrSrcvqvewoBQ
ADERi2VLyey8pA40BRnMBRHsjMDfN1TQIJThmqDMnCbS1iwVcL65qEAATKeezHe5uV
/SGU6uaFxwe/db8S0g9GLv8GItl4ux51LSFmhJcGb6kbRiQf0uZno3UE1vrF5//977
qKYTY8MQPX0j8thEmmGmeevibT3UyeFC6B5WenwApomnbgg2UxuPM6KBQ3nxQCxosX
AQEOqTZnBevGw==
Reading upwards, we can see that the next connection is between the box and Virgin Media’s mail exchanger:
Received: from box.timothydutton.co.uk ([77.68.89.100])
by mx1.tb.ukmail.iss.as9143.net with ESMTP
id VDtfg6GQKjxPOVDtfgwgpY; Fri, 07 Dec 2018 12:02:17 +0100
We also see the authentication checks that were done, as well as spam-checking scores from Cloudmark:
Authentication-Results: ukmail.iss.as9143.net;
spf=pass (77.68.89.100;timothydutton.co.uk);
dkim=pass header.d=timothydutton.co.uk;
dmarc=pass header.from=timothydutton.co.uk (p=quarantine sp=quarantine dis=pass);
X-Env-Mailfrom: xxxxx@timothydutton.co.uk
X-Env-Rcptto: xxxxx@blueyonder.co.uk
X-SourceIP: 77.68.89.100
X-CNFS-Analysis: v=2.3 cv=VJqjYOHX c=1 sm=1 tr=0
a=0OLw87qtdMDg28/XYPXStA==:117 a=0OLw87qtdMDg28/XYPXStA==:17
a=2ur7OfE09M0A:10 a=QNGSuValVZ5WP85NjNMA:9 a=CjuIK1q_8ugA:10
a=quBxwbfpUynTCDI0mTMA:9 a=_W_S_7VecoQA:10 a=QEXdDO2ut3YA:10
a=pHzHmUro8NiASowvMSCR:22 a=nt3jZW36AmriUCFCBwmW:22
Received: from box.timothydutton.co.uk ([77.68.89.100])
by mx1.tb.ukmail.iss.as9143.net with ESMTP
id VDtfg6GQKjxPOVDtfgwgpY; Fri, 07 Dec 2018 12:02:17 +0100
We also see another couple of mail transports above this, but these are actually part of Virgin Media’s email system:
Return-Path: <xxxxx@timothydutton.co.uk>
Delivered-To: xxxxx@blueyonder.co.uk
Received: from md8.tb.ukmail.iss.local ([212.54.57.68])
by mc8.tb.ukmail.iss.local with LMTP id EMdyLjlTClzNbgAAVqD7fw
for <xxxxx@blueyonder.co.uk>; Fri, 07 Dec 2018 12:02:17 +0100
Received: from smtpclienthelo ([212.54.57.68])
by md8.tb.ukmail.iss.local with LMTP id mKxFGzhTClxbBQAAkRb9eQ
; Fri, 07 Dec 2018 12:02:17 +0100
So long as you learn to break the message down like this, it’s not that daunting. But there are tools that can help, such as MxToolbox’s Email Header Analyzer:
https://mxtoolbox.com/EmailHeaders.aspx
Tim
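The read-upwards method described in the post, as an added example that is not part of the original post: it finds where the original headers begin (the first Date:/From:/To:/Message-ID: line) and then walks the Received: headers from the bottom up to recover the hop chain. The sample headers are constructed and modelled on the Virgin Media example; the hostnames, addresses and ids are placeholders.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the post's Virgin Media headers; hosts, ids and
# addresses are placeholders, not the real values quoted above.
RAW_HEADERS = """\
Return-Path: <sender@example.com>
Received: from md8.mail.example.local ([192.0.2.10])
\tby mc8.mail.example.local with LMTP id ID1
\tfor <rcpt@example.net>; Fri, 07 Dec 2018 12:02:17 +0100
Received: from box.example.com ([198.51.100.5])
\tby mx1.example.net with ESMTP
\tid ID2; Fri, 07 Dec 2018 12:02:17 +0100
Received: from authenticated-user (box.example.com [198.51.100.5])
\tby box.example.com (Postfix) with ESMTPSA id ID3
\tfor <rcpt@example.net>; Fri, 7 Dec 2018 11:02:15 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail; b=PLACEHOLDER
Date: Fri, 07 Dec 2018 11:02:15 +0000
From: sender@example.com
To: rcpt@example.net
"""

# Received: from <helo> (<peer>) ... by <server> ... ; <date>
HOP_RE = re.compile(r"^from\s+(?P<helo>\S+).*?\bby\s+(?P<by>\S+).*?;\s*(?P<date>.+)$", re.S)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")

def added_in_transit(raw):
    """Headers above the first Date:/From:/To:/Message-ID: line: those added in transit."""
    names = [l.split(":", 1)[0] for l in raw.split("\n\n", 1)[0].splitlines()
             if l and l[0] not in " \t"]        # skip folded continuation lines
    for i, name in enumerate(names):
        if name.lower() in ("date", "from", "to", "message-id"):
            return names[:i]
    return names

def received_hops(raw):
    """Hops in chronological order: start at the bottom-most Received header
    (the one nearest the original Date:/From:/To: headers) and read upwards."""
    hops = []
    for value in reversed(message_from_string(raw, policy=default).get_all("Received", [])):
        text, m = str(value), HOP_RE.match(str(value))
        if not m:                             # keep unparsable trace lines visible
            hops.append({"raw": text, "parsed": False})
            continue
        ip = IP_RE.search(text[:m.start("by")])       # connecting client's address
        hops.append({"from": m["helo"], "ip": ip.group(1) if ip else None, "by": m["by"],
                     "when": parsedate_to_datetime(m["date"].strip()), "parsed": True})
    return hops
```

The first element of `received_hops()` is the originating server (the box that also added the DKIM signature), and comparing consecutive `when` values shows how long each hop took; a negative gap usually means a server's clock is wrong.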