Bounce increase

Hugo van der Kooij hvdkooij at
Sun Feb 17 11:14:24 GMT 2008


I seem to have an increase in bounces from content scanners that seem to
fully ignore my SPF record and resend garbage. I have not yet identified
the system that is doing this but I have seen it in various places like
ISPs and educational institutions.

Does someone recognize the system using these unwanted bounces? It looks
a tidbit like a Barracuda but those can be easily identified by the
sheer number of added headers in the bounces and the fact that the
reference code in these messages is not at all present.

I guess it is a postfix + amavisd + ...... setup.

What I get back looks something like:


Our content checker found
     banned name: multipart/mixed | application/octet-stream,.zip, |
       .exe,.exe-ms,file.htm ... .pif

in email presumably from you <hugo at>
to the following recipient:
-> admissions at

Our internal reference code for your message is 64027-04/eRk+KEAvTGY2

First upstream SMTP client IP address: []
According to a 'Received:' trace, the message originated at: [],
  ([])

Return-Path: <hugo at>
Message-ID: <200802110849565173190001MAC9 at>
Subject: Delivery reports about your e-mail

Delivery of the email was stopped!

The message has been blocked because it contains a component
(as a MIME part or nested within) with declared name
or MIME type or contents type violating our access policy.

To transfer contents that may be considered risky or unwanted
by site policies, or simply too large for mailing, please consider
publishing your content on the web, and only sending an URL of the
document to the recipient.

Depending on the recipient and sender site policies, with a little
effort it might still be possible to send any contents (including
viruses) using one of the following methods:

- encrypted using pgp, gpg or other encryption methods;

- wrapped in a password-protected or scrambled container or archive
   (e.g.: zip -e, arj -g, arc g, rar -p, or other methods)

Note that if the contents is not intended to be secret, the
encryption key or password may be included in the same message
for recipient's convenience.

We are sorry for inconvenience if the contents was not malicious.

The purpose of these restrictions is to cut the most common propagation
methods used by viruses and other malware. These often exploit automatic
mechanisms and security holes in more popular mail readers (Microsoft
mail readers and browsers are a common target). By requiring an explicit
and decisive action from the recipient to decode mail, the danger of
automatic malware propagation is largely reduced.

Reporting-MTA: dns;
Received-From-MTA: smtp; ([])
Arrival-Date: Mon, 11 Feb 2008 03:49:59 -0500 (EST)

Original-Recipient: rfc822;admissions at
Final-Recipient: rfc822;admissions at
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 554-5.7.1 Rejected, id=64027-04 - BANNED:
  554-5.7.1 multipart/mixed | application/octet-stream,.zip, |
  554 5.7.1 .exe,.exe-ms,file.htm            ...
Last-Attempt-Date: Mon, 11 Feb 2008 03:49:59 -0500 (EST)

Return-Path: <hugo at>
Received: from (
	by (Postfix) with SMTP id 1CB832618AF
	for <admissions at>; Mon, 11 Feb 2008 03:49:57 -0500 (EST)
Received: from ([]) by
           via smtpd (for []) with ESMTP;
Mon, 11 Feb 2008 03:49:57 -0500
Received: from ([])
	id <20080211174956503.MAC9.819B608 at>;
	Mon, 11 Feb 2008 17:49:56 +0900
From: hugo at
To: admissions at
Subject: Delivery reports about your e-mail
Date: Mon, 11 Feb 2008 17:49:06 +0900
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <200802110849565173190001MAC9 at>

--
hvdkooij at     

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on and rate those images.
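
Added example, not part of the original post: a Python sketch that triages a bounce like the one quoted above by reading the DSN status and checking whether any hop in the returned headers lies in the sender's own outbound ranges. The function name `analyse_bounce`, the sample message and all addresses are constructed, and `my_networks` is assumed to list the ranges the sender's SPF record authorises.

```python
import email
import ipaddress
import re

# Constructed sample bounce (RFC 3464 layout); every name and address is made up.
SAMPLE = """\
From: postmaster@scanner.example.net
To: hugo@example.org
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; scanner.example.net

Final-Recipient: rfc822; admissions@example.net
Action: failed
Status: 5.7.1

--b1
Content-Type: text/rfc822-headers

Received: from relay.example.net (unknown [203.0.113.7])
    by scanner.example.net (Postfix) with SMTP id ABC123
Received: from unknown ([198.51.100.23]) by relay.example.net
From: hugo@example.org
Message-ID: <200802110849@forged.invalid>

--b1--
"""

def analyse_bounce(raw, my_networks):
    """Return DSN status, hop IPs of the returned mail, and a backscatter verdict."""
    nets = [ipaddress.ip_network(n) for n in my_networks]
    status, hops = None, []
    for part in email.message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The parser exposes each header block of the DSN as a sub-message.
            for block in part.get_payload():
                status = block.get("Status", status)
        elif ctype == "text/rfc822-headers":
            original = email.message_from_string(part.get_payload())
            for hdr in original.get_all("Received", []):
                hops += re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
    # Assumption: my_networks lists the ranges the sender's SPF record authorises.
    sent_by_us = any(ipaddress.ip_address(h) in n for h in hops for n in nets)
    # With no returned headers there is nothing to judge, so the verdict stays False.
    return {"status": status, "hops": hops, "backscatter": bool(hops) and not sent_by_us}
```

Received lines are written by whoever relayed the message, so the verdict is a triage hint for sorting bounces, not proof of origin.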


