Bounce increase

Hugo van der Kooij hvdkooij at vanderkooij.org
Sun Feb 17 11:14:24 GMT 2008



Hi,

I seem to have an increase in bounces from content scanners that seem to
fully ignore my SPF record and resend garbage. I have not yet identified
the system that is doing this but I have seen it in various places like
ISPs and educational institutions.

Does anyone recognize the system using these unwanted bounces? It looks
a tiny bit like a Barracuda but those can be easily identified by the
sheer number of added headers in the bounces and the fact that the
reference code in these messages is not at all present.

I guess it is a postfix + amavisd + ...... setup.


What I get back looks something like:

BANNED CONTENTS ALERT

Our content checker found
    banned name: multipart/mixed | application/octet-stream,.zip,file.zip |
      .exe,.exe-ms,file.htm ... .pif

in email presumably from you <hugo at vanderkooij.org>
to the following recipient:
-> admissions at aquinas.edu

Our internal reference code for your message is 64027-04/eRk+KEAvTGY2

First upstream SMTP client IP address: [211.5.2.75] nm01omta06.auone-net.jp
According to a 'Received:' trace, the message originated at: [220.217.50.1],
  vanderkooij.org ([220.217.50.1])

Return-Path: <hugo at vanderkooij.org>
Message-ID: <200802110849565173190001MAC9 at nm01mta.auone-net.jp>
Subject: Delivery reports about your e-mail

Delivery of the email was stopped!

The message has been blocked because it contains a component
(as a MIME part or nested within) with declared name
or MIME type or contents type violating our access policy.

To transfer contents that may be considered risky or unwanted
by site policies, or simply too large for mailing, please consider
publishing your content on the web, and only sending an URL of the
document to the recipient.

Depending on the recipient and sender site policies, with a little
effort it might still be possible to send any contents (including
viruses) using one of the following methods:

- encrypted using pgp, gpg or other encryption methods;

- wrapped in a password-protected or scrambled container or archive
  (e.g.: zip -e, arj -g, arc g, rar -p, or other methods)

Note that if the contents is not intended to be secret, the
encryption key or password may be included in the same message
for recipient's convenience.

We are sorry for inconvenience if the contents was not malicious.

The purpose of these restrictions is to cut the most common propagation
methods used by viruses and other malware. These often exploit automatic
mechanisms and security holes in more popular mail readers (Microsoft
mail readers and browsers are a common target). By requiring an explicit
and decisive action from the recipient to decode mail, the danger of
automatic malware propagation is largely reduced.




Reporting-MTA: dns; fir.aquinas.edu
Received-From-MTA: smtp; fir.aquinas.edu ([127.0.0.1])
Arrival-Date: Mon, 11 Feb 2008 03:49:59 -0500 (EST)

Original-Recipient: rfc822;admissions at aquinas.edu
Final-Recipient: rfc822;admissions at aquinas.edu
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 554-5.7.1 Rejected, id=64027-04 - BANNED:
 554-5.7.1 multipart/mixed | application/octet-stream,.zip,file.zip |
 554 5.7.1 .exe,.exe-ms,file.htm            ...
Last-Attempt-Date: Mon, 11 Feb 2008 03:49:59 -0500 (EST)



Return-Path: <hugo at vanderkooij.org>
Received: from nm01omta06.auone-net.jp (nm01omta06.auone-net.jp
[211.5.2.75])
	by fir.aquinas.edu (Postfix) with SMTP id 1CB832618AF
	for <admissions at aquinas.edu>; Mon, 11 Feb 2008 03:49:57 -0500 (EST)
Received: from nm01omta06.auone-net.jp ([211.5.2.75]) by
nm01omta06.auone-net.jp
          via smtpd (for fir.aquinas.edu [198.110.245.41]) with ESMTP;
Mon, 11 Feb 2008 03:49:57 -0500
Received: from vanderkooij.org ([220.217.50.1])
	by nm01mta.auone-net.jp
	id <20080211174956503.MAC9.819B608 at nm01mta.auone-net.jp>;
	Mon, 11 Feb 2008 17:49:56 +0900
From: hugo at vanderkooij.org
To: admissions at aquinas.edu
Subject: Delivery reports about your e-mail
Date: Mon, 11 Feb 2008 17:49:06 +0900
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0004_7D574C9E.4731B847"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <200802110849565173190001MAC9 at nm01mta.auone-net.jp>


-- 
hvdkooij at vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

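Added example, not from the post or from the MailScanner project: a Python check that parses the bounce quoted above and tests the first upstream SMTP client IP against the envelope sender's SPF policy, which is the check a scanner should make before notifying the sender at all. The SPF record and the sample bounce text are constructed for the example (a real check fetches the record from DNS), and only the ip4 and all mechanisms are evaluated.

```python
import ipaddress
import re

# Constructed sample: the decisive lines of the bounce quoted in the post,
# with the archive's "at" obfuscation undone so the address parses.
BOUNCE = """\
Our internal reference code for your message is 64027-04/eRk+KEAvTGY2
First upstream SMTP client IP address: [211.5.2.75] nm01omta06.auone-net.jp
Return-Path: <hugo@vanderkooij.org>
Reporting-MTA: dns; fir.aquinas.edu
Diagnostic-Code: smtp; 554-5.7.1 Rejected, id=64027-04 - BANNED:
"""

# Constructed SPF record for the envelope-sender domain: an assumption for the
# example, not the domain's real record (a real check queries the DNS TXT record).
SPF_RECORDS = {"vanderkooij.org": "v=spf1 ip4:220.217.50.0/24 -all"}

def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_bounce(text):
    """Extract the fields a backscatter decision needs from a DSN-style bounce."""
    return {
        "sender": _field(r"Return-Path:\s*<([^>]+)>", text),
        "upstream_ip": _field(r"SMTP client IP address: \[([\d.]+)\]", text),
        "reporting_mta": _field(r"Reporting-MTA:\s*dns;\s*(\S+)", text),
    }

def spf_allows(domain, ip, records):
    """Minimal SPF evaluation: ip4: mechanisms and a final all only (no a/mx/include)."""
    record = records.get(domain)
    if record is None:
        return None  # no policy published: cannot decide either way
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return True
        elif term.lstrip("+-~?") == "all":
            return term[0] in "+a"  # only "all"/"+all" authorize; -all, ~all, ?all do not
    return None

def classify(text, records=SPF_RECORDS):
    """Call a bounce backscatter when the sender domain's SPF never authorized the upstream MTA."""
    fields = parse_bounce(text)
    domain = fields["sender"].rsplit("@", 1)[-1]
    allowed = spf_allows(domain, fields["upstream_ip"], records)
    verdict = {True: "genuine", False: "backscatter"}.get(allowed, "undetermined")
    return {**fields, "sender_domain": domain, "spf_pass": allowed, "verdict": verdict}
```

On the quoted bounce the upstream client 211.5.2.75 is the auone-net relay, not a host the sender's policy permits, so the DSN is classified as backscatter and can be discarded rather than delivered to the forged sender.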

