04-30-2008 09:06 AM
I found the following line in the logfile:
bounces.text.@20080429T102300.c
Wed Apr 30 09:46:19 2008 Info: Bounced: DCID 0 MID 2500703 From:sales@arizonaprint.com To: bounce.ironport1@ourcompanydomain.com RID 0 - 5.1.1 - Bad destination email address ('000', ['reject'])
04-30-2008 11:43 PM
Try searching for the MID in the mail_logs:
grep -i "MID 2500703" mail_logs
to see how the mail originated.
I found the following line in the logfile:
bounces.text.@20080429T102300.c
Wed Apr 30 09:46:19 2008 Info: Bounced: DCID 0 MID 2500703 From:sales@arizonaprint.com To: bounce.ironport1@ourcompanydomain.com RID 0 - 5.1.1 - Bad destination email address ('000', ['reject'])
Is this "bounce.ironport1" mail address just a good guess from the SPAM-Sender? (In fact, we don't have such a mail address).
The above entry with sales@arizonaprint.com appears nearly every second in the above log...
What do you think, is this just a new 'SPAM-wave'?
05-01-2008 12:47 PM
Thank you kluu. I found the following lines in the logfile around MID 2500703:
Wed Apr 30 09:46:19 2008 Info: Start MID 2500703 ICID 1921372
Wed Apr 30 09:46:19 2008 Info: MID 2500703 ICID 1921372 From: sales@arizonaprint.com
Wed Apr 30 09:46:19 2008 Info: MID 2500703 ICID 1921372 RID 0 To: bounce.ironport1@ourcompany.com
Wed Apr 30 09:46:19 2008 Info: MID 2500703 Message-ID '200804300746.m3U7kIS3004543@host.hostadomainname.com'
Wed Apr 30 09:46:19 2008 Info: MID 2500703 Subject 'MESSAGE NOT DELIVERED: Delivery Status Notification (Failure)'
Wed Apr 30 09:46:19 2008 Info: MID 2500703 ready 1184 bytes from sales@arizonaprint.com
Wed Apr 30 09:46:19 2008 Info: LDAP: Bounce query accept MID 2500703 RID 0 address bounce.ironport1@ourcompany.com
Wed Apr 30 09:46:19 2008 Info: Bounced: DCID 0 MID 2500703 to RID 0 - Bounced by destination server with response: 5.1.1 - Bad destination email address ('000', ['reject'])
Wed Apr 30 09:46:19 2008 Info: Start MID 2500704 ICID 0
Wed Apr 30 09:46:19 2008 Info: MID 2500704 was generated for bounce of MID 2500703
Wed Apr 30 09:46:19 2008 Info: MID 2500704 ICID 0 From: <>
Wed Apr 30 09:46:19 2008 Info: MID 2500704 ICID 0 RID 0 To: sales@arizonaprint.com
Wed Apr 30 09:46:19 2008 Info: ICID 1921372 close
Wed Apr 30 09:46:19 2008 Info: MID 2500704 ready 2350 bytes from <>
Wed Apr 30 09:46:19 2008 Info: MID 2500704 queued for delivery
Wed Apr 30 09:46:19 2008 Info: Message finished MID 2500703 done
Wed Apr 30 09:46:19 2008 Info: New SMTP DCID 1090090 interface 1.2.3.4 address 111.222.111.123 port 25
Wed Apr 30 09:46:19 2008 Info: Delivery start DCID 1090090 MID 2500704 to RID [0]
Wed Apr 30 09:46:19 2008 Info: Message done DCID 1090090 MID 2500704 to RID [0]
Wed Apr 30 09:46:19 2008 Info: MID 2500704 RID [0] Response '2.0.0 m3U7kJ9e029311 Message accepted for delivery'
Wed Apr 30 09:46:19 2008 Info: Message finished MID 2500704 done
05-01-2008 03:13 PM
grep -i "ICID 1921372" mail_logs
Who is the original sender of this message? Is it an automated program/host/print server inside your network?
And another thing, this entry:
Wed Apr 30 09:46:19 2008 Info: LDAP: Bounce query accept MID 2500703 RID 0 address bounce.ironport1@ourcompany.com
You currently have your LDAP accept query set to "bounce" an email where there is an invalid recipient. You may want to consider simply dropping them. You can configure this in "Network > Listener > Inbound listener > ldap queries".
05-02-2008 09:56 AM
who is the original sender of this message? Is it an automated program/host/print server inside your network?
I can't find more lines around ICID 1921372 than I already have posted above. What should I be looking for exactly?
You currently have your ldap accept query setting to "bounce" an email where there is an invalid recipient. You may want to consider simply dropping them. You can configure this in "Network > Listener > Inbound listener > ldap queries"
This would prevent a message to customers who have misspelled a mail-address from our company by mistake as well, right?
05-02-2008 02:21 PM
I can't find more lines around ICID 1921372 than I already have posted above. What should I be looking for exactly?
This would prevent a message to customers who have misspelled a mail-address from our company by mistake as well, right?
What would you suggest? What is the 'best practice' for invalid recipients: Drop or Bounce?
05-02-2008 03:48 PM
I recommend rejecting them at SMTP time rather than accept/bounce or accept/drop (see my post in the other thread you started).
Just to be sure: You have never received customer feedback about a "missing reaction" to a misspelled mail-address?
Wed Apr 30 09:46:19 2008 Info: New SMTP ICID 1921372 interface Incoming (1.2.3.4) address 111.222.111.123 reverse dns host unknown verified no
Wed Apr 30 09:46:19 2008 Info: ICID 1921372 ACCEPT SG None match 111.222.111.123 SBRS rfc1918
How should this give me an answer to kluu's question:
who is the original sender of this message? Is it an automated program/host/print server inside your network?
I just believe that this is not originated inside our network.
05-02-2008 04:00 PM
Just to be sure: You have never received customer feedback about a "missing reaction" to a misspelled mail-address?
interface Incoming (1.2.3.4) address 111.222.111.123
SBRS rfc1918
05-02-2008 04:22 PM
interface Incoming (1.2.3.4) address 111.222.111.123
It looks like you obfuscated the IP addresses, since both 1.2.3.4 and 111.222.111.123 are within ranges that are reserved by IANA. That makes it harder to help you.
05-02-2008 04:38 PM
Sorry that this makes it harder to read, but I don't wanna make public our productive IP.
But I still don't understand (or can not verify for sure) kluu's question, if this message could come from our internal network.
05-02-2008 06:25 PM
Yes, I'm more interested in who is connecting to the Ironport appliance, and the ICID ##### will help provide that info.
If you're not getting anything helpful from the ICID ####, you may want to use "Network > Incoming Relay" to find what the IP addresses of the previous hops are.
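The trace kluu describes (from a MID to its ICID, and from the ICID to the connecting host), as an added example that is not part of the original thread. The regular expressions are assumptions derived only from the log lines quoted in this thread, and `trace` is a hypothetical helper name.

```python
import re

# Log lines as posted in this thread (addresses were obfuscated by the poster).
SAMPLE = """\
Wed Apr 30 09:46:19 2008 Info: New SMTP ICID 1921372 interface Incoming (1.2.3.4) address 111.222.111.123 reverse dns host unknown verified no
Wed Apr 30 09:46:19 2008 Info: ICID 1921372 ACCEPT SG None match 111.222.111.123 SBRS rfc1918
Wed Apr 30 09:46:19 2008 Info: Start MID 2500703 ICID 1921372
Wed Apr 30 09:46:19 2008 Info: MID 2500703 ICID 1921372 From: sales@arizonaprint.com
Wed Apr 30 09:46:19 2008 Info: MID 2500703 ICID 1921372 RID 0 To: bounce.ironport1@ourcompany.com
Wed Apr 30 09:46:19 2008 Info: MID 2500703 Subject 'MESSAGE NOT DELIVERED: Delivery Status Notification (Failure)'
Wed Apr 30 09:46:19 2008 Info: LDAP: Bounce query accept MID 2500703 RID 0 address bounce.ironport1@ourcompany.com
Wed Apr 30 09:46:19 2008 Info: Start MID 2500704 ICID 0
Wed Apr 30 09:46:19 2008 Info: MID 2500704 was generated for bounce of MID 2500703
Wed Apr 30 09:46:19 2008 Info: MID 2500704 ICID 0 RID 0 To: sales@arizonaprint.com
"""

PATTERNS = {
    "icid": re.compile(r"Start MID (?P<mid>\d+) ICID (?P<v>\d+)"),
    "from": re.compile(r"MID (?P<mid>\d+) ICID \d+ From: (?P<v>\S+)"),
    "to": re.compile(r"MID (?P<mid>\d+) ICID \d+ RID \d+ To: (?P<v>\S+)"),
    "subject": re.compile(r"MID (?P<mid>\d+) Subject '(?P<v>.*)'"),
    "bounce_mid": re.compile(r"MID (?P<v>\d+) was generated for bounce of MID (?P<mid>\d+)"),
}
CONN = re.compile(r"New SMTP ICID (\d+) interface .*? address (\S+)")
POLICY = re.compile(r"ICID (\d+) (ACCEPT|RELAY|REJECT|TCPREFUSE) SG (\S+) .*SBRS (\S+)")

def trace(log_text, mid):
    """Follow one MID back to its connection (ICID) and forward to its bounce."""
    msgs, conns = {}, {}
    for line in log_text.splitlines():
        if m := CONN.search(line):
            conns.setdefault(m.group(1), {})["remote_ip"] = m.group(2)
        if m := POLICY.search(line):
            conns.setdefault(m.group(1), {}).update(
                action=m.group(2), sender_group=m.group(3), sbrs=m.group(4))
        for key, rx in PATTERNS.items():
            if m := rx.search(line):
                msgs.setdefault(m.group("mid"), {}).setdefault(key, m.group("v"))
    rec = dict(msgs.get(str(mid), {}))
    rec.update(conns.get(rec.get("icid"), {}))
    # An inbound DSN that is itself bounced sends mail to the envelope sender.
    if "bounce_mid" in rec:
        rec["bounce_to"] = msgs.get(rec["bounce_mid"], {}).get("to")
    return rec

if __name__ == "__main__":
    for k, v in trace(SAMPLE, 2500703).items():
        print(f"{k:13} {v}")
```

Run over a whole mail_logs file, the `remote_ip`, `sender_group` and `sbrs` fields show which host handed the message to the appliance, and `bounce_to` shows where the generated bounce was sent.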
05-03-2008 09:36 AM
Thank you kluu. I will check that Monday @work.
05-03-2008 11:41 AM
Due to the "urgent" advice from IronPort about the Bounce-Verification problem, I had to go to work and change the value from "Reject" to "Add Header and Deliver".
In the actual appliance configuration, I see for the incoming relay:
Parse the "Received" header
Begin parsing after: from
Hop: 2
How can this help to find the IP address of the previous hops? Should I change the number of Hops?