bounces.text - entry / bounce.ironport1@company.com?

Pat_ironport
Level 1

I found the following line in the logfile:
bounces.text.@20080429T102300.c

Wed Apr 30 09:46:19 2008 Info: Bounced: DCID 0 MID 2500703 From:sales@arizonaprint.com To: bounce.ironport1@ourcompanydomain.com RID 0 - 5.1.1 - Bad destination email address ('000', ['reject']) 

Is this "bounce.ironport1" mail address just a good guess from the SPAM sender? (In fact, we don't have such a mail address.)

The above entry with sales@arizonaprint.com appears nearly every second in the above log...
What do you think, is this just a new 'SPAM-wave'?

12 Replies

kluu_ironport
Level 2

Try search for the MID in the mail_logs


grep -i "MID 2500703" mail_logs


to see how the mail originated.

Pat_ironport
Level 1

Thank you kluu. I found the following lines in the logfile around MID 2500703:

Wed Apr 30 09:46:19 2008 Info: Start MID 2500703 ICID 1921372
Wed Apr 30 09:46:19 2008 Info: MID 2500703 ICID 1921372 From: sales@arizonaprint.com
Wed Apr 30 09:46:19 2008 Info: MID 2500703 ICID 1921372 RID 0 To: bounce.ironport1@ourcompany.com
Wed Apr 30 09:46:19 2008 Info: MID 2500703 Message-ID '200804300746.m3U7kIS3004543@host.hostadomainname.com'
Wed Apr 30 09:46:19 2008 Info: MID 2500703 Subject 'MESSAGE NOT DELIVERED: Delivery Status Notification (Failure)'
Wed Apr 30 09:46:19 2008 Info: MID 2500703 ready 1184 bytes from sales@arizonaprint.com
Wed Apr 30 09:46:19 2008 Info: LDAP: Bounce query accept MID 2500703 RID 0 address bounce.ironport1@ourcompany.com
Wed Apr 30 09:46:19 2008 Info: Bounced: DCID 0 MID 2500703 to RID 0 - Bounced by destination server with response: 5.1.1 - Bad destination email address ('000', ['reject'])
Wed Apr 30 09:46:19 2008 Info: Start MID 2500704 ICID 0
Wed Apr 30 09:46:19 2008 Info: MID 2500704 was generated for bounce of MID 2500703
Wed Apr 30 09:46:19 2008 Info: MID 2500704 ICID 0 From: <>
Wed Apr 30 09:46:19 2008 Info: MID 2500704 ICID 0 RID 0 To: sales@arizonaprint.com
Wed Apr 30 09:46:19 2008 Info: ICID 1921372 close
Wed Apr 30 09:46:19 2008 Info: MID 2500704 ready 2350 bytes from <>
Wed Apr 30 09:46:19 2008 Info: MID 2500704 queued for delivery
Wed Apr 30 09:46:19 2008 Info: Message finished MID 2500703 done
Wed Apr 30 09:46:19 2008 Info: New SMTP DCID 1090090 interface 1.2.3.4 address 111.222.111.123 port 25
Wed Apr 30 09:46:19 2008 Info: Delivery start DCID 1090090 MID 2500704 to RID [0]
Wed Apr 30 09:46:19 2008 Info: Message done DCID 1090090 MID 2500704 to RID [0]
Wed Apr 30 09:46:19 2008 Info: MID 2500704 RID [0] Response '2.0.0 m3U7kJ9e029311 Message accepted for delivery'
Wed Apr 30 09:46:19 2008 Info: Message finished MID 2500704 done

(The IP 1.2.3.4 is our internal address from our Ironport and the 111.222.111.123 is the IP-address from our ASP-sendmail.)
Could you please help me and explain what these lines should 'tell' me?
Do we have a relationship to my post https://www.ironportnation.com/forums/viewtopic.php?t=808 ?
Sorry for asking again, but how can I stop this 'loop'?

kluu_ironport
Level 2

grep -i "ICID 1921372" mail_logs



Who is the original sender of this message? Is it an automated program/host/print server inside your network?

And another thing, this entry:

Wed Apr 30 09:46:19 2008 Info: LDAP: Bounce query accept MID 2500703 RID 0 address bounce.ironport1@ourcompany.com


You currently have your ldap accept query setting to "bounce" an email where there is an invalid recipient. You may want to consider simply dropping them. You can configure this in "Network > Listener > Inbound listener > ldap queries"

Pat_ironport
Level 1

Who is the original sender of this message? Is it an automated program/host/print server inside your network?
I can't find more lines around ICID 1921372 than I have already posted above. What should I be looking for exactly?

You currently have your ldap accept query setting to "bounce" an email where there is an invalid recipient.  You may want to consider simply dropping them.  You can configure this in "Network > Listener > Inbound listener > ldap queries"
This would also prevent a message to customers who have misspelled a mail address from our company by mistake, right?
What would you suggest? What is the 'best practice' for invalid recipients: Drop or Bounce?

Donald Nash
Level 3

I can't find more lines around ICID 1921372 than I have already posted above. What should I be looking for exactly?

Look for the line "New SMTP ICID 1921372". That will tell you where the connection originated.

This would also prevent a message to customers who have misspelled a mail address from our company by mistake, right?
What would you suggest? What is the 'best practice' for invalid recipients: Drop or Bounce?

Correct. I recommend rejecting them at SMTP time rather than accept/bounce or accept/drop (see my post in the other thread you started).

Pat_ironport
Level 1

I recommend rejecting them at SMTP time rather than accept/bounce or accept/drop (see my post in the other thread you started).
Just to be sure: you have never received customer feedback about a "missing reaction" to a misspelled mail address?

And with your help, I found the two lines above the already posted log entries:
Wed Apr 30 09:46:19 2008 Info: New SMTP ICID 1921372 interface Incoming (1.2.3.4) address 111.222.111.123 reverse dns host unknown verified no
Wed Apr 30 09:46:19 2008 Info: ICID 1921372 ACCEPT SG None match 111.222.111.123 SBRS rfc1918
How should this give me an answer to kluu's question:
Who is the original sender of this message? Is it an automated program/host/print server inside your network?
I just believe that this did not originate inside our network.

Donald Nash
Level 3

Just to be sure: you have never received customer feedback about a "missing reaction" to a misspelled mail address?

If you reject at SMTP time, then they will be notified of misspelled addresses. It will simply be their own mail server (usually) that generates the bounce instead of yours.

interface Incoming (1.2.3.4) address 111.222.111.123

It looks like you obfuscated the IP addresses, since both 1.2.3.4 and 111.222.111.123 are within ranges that are reserved by IANA. That makes it harder to help you, but this part:

SBRS rfc1918

helps quite a bit. It demonstrates that the sender must be somewhere inside your network because it's using an RFC 1918 address, and those are only for internal use (i.e. they are not routed across the Internet).
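Tracing a bounce back to its inbound connection the way kluu and Donald describe (MID, then ICID, then the "New SMTP ICID" line) and checking whether the connecting host sits in RFC 1918 space, as an added Python example that is not from the thread or from IronPort. The sample log lines are constructed from those quoted above; the relay address 10.20.30.40 is made up and stands in for the poster's obfuscated 111.222.111.123.

```python
import ipaddress
import re

# Constructed sample modelled on the mail_logs lines quoted in the thread.
SAMPLE_LOG = """\
Wed Apr 30 09:46:19 2008 Info: New SMTP ICID 1921372 interface Incoming (1.2.3.4) address 10.20.30.40 reverse dns host unknown verified no
Wed Apr 30 09:46:19 2008 Info: ICID 1921372 ACCEPT SG None match 10.20.30.40 SBRS rfc1918
Wed Apr 30 09:46:19 2008 Info: Start MID 2500703 ICID 1921372
Wed Apr 30 09:46:19 2008 Info: MID 2500703 ICID 1921372 From: sales@arizonaprint.com
Wed Apr 30 09:46:19 2008 Info: MID 2500703 ICID 1921372 RID 0 To: bounce.ironport1@ourcompany.com
Wed Apr 30 09:46:19 2008 Info: LDAP: Bounce query accept MID 2500703 RID 0 address bounce.ironport1@ourcompany.com
Wed Apr 30 09:46:19 2008 Info: Start MID 2500704 ICID 0
Wed Apr 30 09:46:19 2008 Info: MID 2500704 was generated for bounce of MID 2500703
Wed Apr 30 09:46:19 2008 Info: MID 2500704 ICID 0 RID 0 To: sales@arizonaprint.com
"""

# The three RFC 1918 private ranges; deliberately not ip_address.is_private,
# which also covers loopback, link-local and other non-RFC-1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True when the address falls inside 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def bounce_of(log, mid):
    """If this MID is a generated bounce, return the MID it bounces; else None."""
    m = re.search(r"MID %d was generated for bounce of MID (\d+)" % mid, log)
    return int(m.group(1)) if m else None

def icid_for_mid(log, mid):
    """Return the inbound connection id (ICID) the message was received on."""
    m = re.search(r"Start MID %d ICID (\d+)" % mid, log)
    return int(m.group(1)) if m else None

def connection_source(log, icid):
    """Return (remote_ip, sbrs) from the 'New SMTP ICID' and ACCEPT lines."""
    m = re.search(r"New SMTP ICID %d .*? address (\S+)" % icid, log)
    s = re.search(r"ICID %d ACCEPT .*? SBRS (\S+)" % icid, log)
    return (m.group(1) if m else None), (s.group(1) if s else None)

def trace(log, mid):
    """Follow a bounce back to the connecting host: MID -> origin MID -> ICID -> IP."""
    origin = bounce_of(log, mid) or mid
    icid = icid_for_mid(log, origin)
    ip, sbrs = connection_source(log, icid) if icid is not None else (None, None)
    return {"origin_mid": origin, "icid": icid, "remote_ip": ip, "sbrs": sbrs,
            "internal": bool(ip) and is_rfc1918(ip)}

if __name__ == "__main__":
    print(trace(SAMPLE_LOG, 2500704))
```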

Pat_ironport
Level 1

interface Incoming (1.2.3.4) address 111.222.111.123

It looks like you obfuscated the IP addresses, since both 1.2.3.4 and 111.222.111.123 are within ranges that are reserved by IANA. That makes it harder to help you

I obfuscated it the same way as in the older posts above:
(The IP 1.2.3.4 is our internal address from our IronPort and the 111.222.111.123 is the IP address from our Application Service Provider's sendmail.) Sorry that this makes it harder to read, but I don't want to make our production IP public.

I assume that this indicates the following path for the specific mail:
Our ASP (111.222.111.123) makes an SMTP connection to our IronPort (1.2.3.4) and creates the log entry: New SMTP ICID 1921372.
But I still don't understand (or cannot verify for sure) kluu's question, whether this message could come from our internal network.

Btw: We don't have a direct connection to the internet. Just our ASP has one to the biggest ISP in our country. :wink:

Donald Nash
Level 3

Sorry that this makes it harder to read, but I don't want to make our production IP public.

If both addresses are in RFC 1918 space, then it doesn't matter because no one could reach them anyway.

But I still don't understand (or cannot verify for sure) kluu's question, whether this message could come from our internal network.

I suspect he's just trying to nail down where the connection (and therefore the message) is coming from. You say it's coming from your ASP? Then maybe you should ask them what's going on.

kluu_ironport
Level 2

Yes, I'm more interested in who is connecting to the IronPort appliance, and the ICID ##### will help provide that info.

If you're not getting anything helpful from the ICID ####, you may want to use "Network > Incoming Relay" to find out what the IP addresses of the previous hops are.

Pat_ironport
Level 1

Thank you kluu. I will check that Monday @work.

Pat_ironport
Level 1

Due to the "urgent" advice from IronPort about the Bounce Verification problem, I had to go to work and change the value from "Reject" to "Add Header and Deliver".

In the actual appliance configuration, I see for the incoming relay:

Parse the "Received" header  
Begin parsing after: from
Hop: 2
How can this help to find the IP address of the previous hops? Should I change the number of hops?

BTW: The relay points to "outbound-mta.ourcompanyname.com".
This resolves to the same IP address '111.222.111.123' as above.
