Mail queue error

Started by nivlac, March 15, 2010, 10:51:47 AM

nivlac

I've been having some spammer attempts to register on my alumni forum. They are generating failed login attempts in the error log, due to the Join Password mod I have installed, which requires you know the current password before you can register. This filters out non-alumni.

I've been checking the IPs against known spammers on Stop Forum Spam and if they're on the list, I ban them through the CPanel. However, many of the errors had no IP address. Then I realized that there was a reference to the mail queue in the URI that generated the error.

At first I thought they are being generated by returned email that is being returned due to delivery failures like mailbox full. Each error URI is the same except for the numbers at the end. But the errors also say, "550 No Such User Here", which makes me wonder if it is return mail or a hacker trying to gain access through the mail system.

I've attached a screenshot of one of the errors. Any ideas? Is this being generated by returned email or a hacker?

EDIT: We are using SMF 2.0 RC2 with Simple Portal.

Ashley S

That's not a hacker there trying to log in as a guest.

Also get the Modification for posting. When you post you have to put in the letters; this stops the spammers.

nivlac

I didn't think it was a hacker trying to login since the error didn't have anything about logging in. I said that we have been having hacking attempts because we have login errors and their IP matches known spammers and I ban them in my host CPanel.

I posted here because I'm hoping to figure out what is causing the error so it can be fixed and stop all the entries in the error log. Also, if it is a bug in SMF the team would need to be aware, so they could make a fix. At this point, I don't know what is causing it, but I'm 99.99% sure it isn't spammers.

Our forum is made up of members that are school alumni that we know. The general public can not join because we have a password system that will not allow registration unless you know the password to register. This password is only given to alumni we know and is changed weekly. Due to this system, we are not getting any spam in the forum so we don't need a captcha system.

No one is using our mail system to send spam as there are no unknown members and no members have access to our mail system except for three admins, which includes myself.

These errors indicate they are generated by a guest, but there is no IP address associated with these errors and about 20 of them were generated last night and this morning, which is about the same time one of the admins sent a notification out with the mail system. The reason I think it may be related to the mail system is because part of the URI for each error has "scheduled=mailq;" in the text.

aED

The failed login attempts in your error logs are normal. It was put there so you can check if someone is trying to brute-force someone's account.

And the returned mail you are receiving means that someone is registering to your forum with bogus email addresses. IMO there is nothing to worry about with your forum; just ban those IP addresses used by spammers that try to log in or register to your forum.

I also think that the IP addresses that you can see on those emails are your server's IP and the email server you are trying to send the mail to, and not the spammer's IP, since the mail is generated in your server and was returned by the receiving side.

nivlac

aED, thanks for your reply. I'm not too concerned about the hack attempts and believe I have that covered. I am more concerned about the other guest errors that I believe are email related.

I know the returned emails we get are from our members that are either having problems with their email account, gave us a misspelled address, let their inbox get full or are having problems with their ISP because I set up a no-reply mailbox to handle our outgoing mail, but don't have it set to delete returned mail so we can track email address problems and the returned email has a reason for the return from the ISP that rejected them.

The guest errors that I believe are email related have no IP address and also say, "550 No Such User here" (See attached image in the OP) and the number of returned emails does not match the number of guest errors with no IP in the error log.

I don't mean to seem to knock what anyone is saying, I'm just trying to logically deduce the source of this error. I don't see how a guest can not have an IP or why they would generate a 550 error unless they were trying to access the SMF mail system.

Anyone...

Thanks...

aED

That error means that the email server you are sending the email to cannot locate the email address used in the to field of the email.


I think this is what happens:

1. Someone registers on your forum with a bogus email address.
2. Your forum sends a confirmation email to the email address used in the registration process (eg: [email protected])
3. Your server sends the email to Yahoo's email server (since the registered bogus mail is supposedly from Yahoo)
4. Yahoo checks if the email address is correct; since that bogus account does not exist, it will return the mail to the return-address declared in the email with an error "550 No such user here", meaning the email address [email protected] does not really exist.

The error "550 No such user here" is not related to the error logs in your forum but it was an error generated by the receiving side of the email. You can also Google for "550 No such user here" for more info.

You can not stop the mails with the 550 no such user message from returning to you, since it can only be set by the email administrator on the receiving side of the mail. You can also check what mail is being sent by your forum by checking the attached original message, although some mail servers do not attach the original message, just the subject of the mail or the snipped part of the message.


About your question on how a guest with no IP is being logged: I also don't know the real reason how that happens, but one thing I know is that those are definitely bots and they are trying to hide their IP, but I'm not sure how or if that can even be done, and maybe it was really a bug with SMF not being able to detect the IP.


nivlac

aED, according to the time stamps on the errors, the guest with no IP has generated an error about every two to fifteen minutes, yet the number of the members in our forum has not changed and remains at 235 members. That would seem to discount successful registrations and confirmation emails being sent; and as I said, no one can register unless we give them the password to register and it is encrypted in the database.

Of course that wouldn't keep a password cracking program from brute force guessing the password but it should delay them for a long time. The mod author claims it is encrypted with SHA1 technology and says it cannot be decrypted.

I would think any server that returns an email would return it to the SMTP no-reply address I set up and not the forum, wouldn't it?

aED

It is not just limited to a confirmation email being sent it could also be a notification reply or pm notification sent to an already registered member with a bogus email address or anything else. It can be also caused by spammers (real spammers) using the backscatter technique.

If you want you can attach the returned email here including the headers so I can explain it to you in detail :)

nivlac

We know every member in our forum. None of the returned emails do not match our member list and the admin that tracks members says she verified all current members. I asked her to check to see if there were any new ones and she said the list hadn't changed for some time. I also know we have several members with email problems but the main admin chooses not to remove them from the list in the event they figure out they have a problem. Too, these guest with no IP errors started since we upgraded to 2.0 RC2. We didn't have them before. Even though I am an admin, I don't have as much authority as she does. I mainly do webmaster stuff, taking care of forum maintenance and upgrading.

As for attaching a returned email sent to one of our members, I prefer not to do that as it would go against our privacy policy that we won't share member information. Granted I wouldn't necessarily be doing so in those terms, but I don't like to split hairs either.

Could you elaborate on the backscatter technique you referred to? I recall something about sending a bunch of email to an address and it bounces off and returns to the sender as well as the one it was sent to and they sometimes get bites or confirmation of their email list because the unsuspecting recipient answers.

aED

As you've said none of the returned emails do not match your member list, then it is definitely not backscatter.

As I already said before, I still think this is not related to the forum but to the email's recipient address. And because I do not have any sample mail to confirm that, I have nothing more to say about your problem.

nivlac

aED, thanks I appreciate your help. It was informative.

nivlac

aED, Let me try this. Here is a return email with the personal info changed.

Email Body

Quote
Hi. This is the qmail-send program at outbound-ss-###.myhost.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<user##@yahoo.com>:
##.#.###.## failed after I sent the message.
Remote host said: 554 delivery error: dd This user doesn't have a yahoo.com account (user##@yahoo.com)

Headers

Quote
Return-path: <>
Envelope-to: no_reply@#myschoolalumni.org
Delivery-date: Mon, 15 Mar 2010 13:58:54 -0600
Received: from outbound-ss-###.myhost.com ([##.###.###.###])
   by box###.myhost.com with smtp (Exim 4.69)
   id 1NrGRC-####Es-FP
   for no_reply@#myschoolalumni.org; Mon, 15 Mar 2010 13:58:54 -0600
Received: (qmail 6539 invoked for bounce); 15 Mar 2010 19:58:54 -0000
Date: 15 Mar 2010 19:58:54 -0000
From: MAILER-DAEMON@outbound-ss-###.myhost.com
To: no_reply@#myschoolalumni.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="1268683132outbound-ss-###.myhost.com14731695"
Subject: failure notice

Will this be of any help?

nivlac

Also, since 10:08 am today there have been 80 guest with no IP errors, but only about 30 returned emails in the no-reply inbox.

aED

The mail is coming from your mailer daemon. Does the mail have any attachments? Can you check what the original content of the mail is (the mail that is not sent)? And are you sure the recipients are valid email addresses?

nivlac

Some of them have the original post from the forum attached, but as far as I can tell none of the original posts sent had attachments. As far as valid email addresses, the messages in the returned email have several different messages; "User unknown in relay recipient table Giving up on ###.###.###.##", "temporarily over quota", "Request action not taken: mailbox unavailable", "Recipient address rejected: Mailbox Full", "Remote host said: 550 5.1.1 Not our Customer Giving up on ##.##.##.###", "Account not available Giving up on ##.##.##.##", "The user(s) account is temporarily over quota.", and the like.

I'd like her to remove the members that have these errors, but she'd rather not. Her theory is that if they visit they won't be able to login if they are removed or they might get their email fixed and then not get notices and newsletters. Is there a way to at least keep those known to have problems from receiving email and still be able to login if they visit?

It tends to make me think it is something to do with the SMF mail system, maybe reacting to a mod we are using, since it first started doing this when we upgraded to 2.0 RC2, but not before? All the mods I use are updated to RC2 or better. Here's a list of the mods, in case you want to know what I have installed.


  • Highslide Image Viewer 1.6
  • eNinja - Admin Notes 0.9.1
  • SMF Links 2.1.1
  • Sorted Package Manager Listing 1.0
  • SimplePortal 2.3.1
  • Topics list support [Taby] 1.05
  • Google Verification META Tag 1.101
  • Shiny Smiley Icons 1.0
  • Automatic Index 2.0
  • SMF Staff Page 1.6
  • Join Password 1.0.1
  • Welcome Back 1.0
  • Images On Board 2.2
  • BK-SMF Sub-Board 1.5
  • Dynamic_Memberlist 2.0.2
  • No Reply Emails 1.3
  • Admin member list registration date 1.1
  • Downloads System 1.2.7
  • Aeva ~ Auto-Embed Video & Audio 7.0
  • The Rules 1.2
  • SMF Media Gallery 2.0.3
  • Custom Copyright

We also have the mail queue enabled and set for 2 emails per minute as the hourly limit on my host is set to 300 per hour.

Angelina Belle

1) You could move the "bad email" members to a "bad email" group and refrain from sending announcements and newsletters to these users.

2) Alternately, you could allow users to disable notification (Allow users to disable announcements in Admin > Features and options), then alter the users' profile>Notifications -- uncheck "Receive forum newsletters, announcements and important notifications by email." PM the users to let them know what you've done and why, so they can fix the problem and re-enable announcements later. http://xxx.yyy.org/index.php?action=profile;area=notification

Option 2 is "set and forget" -- it is up to the user to fix the problem

Option 1 requires admin/mod to remember not to email "bad email" forever, and to move members out when they fix their email problem.
Never attribute to malice that which is adequately explained by stupidity. -- Hanlon's Razor
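
An added example, not code from the thread or from SMF: Python that pulls the failed recipients out of a qmail-send failure notice like the one nivlac posted and sorts the reasons into hard and soft bounces, which gives the list of members for the "bad email" group suggested above. The sample bounce, its addresses and the hard/soft phrase grouping are constructed assumptions.

```python
import re

# Constructed sample modelled on the redacted qmail-send bounce quoted in the thread.
SAMPLE_BOUNCE = """\
Hi. This is the qmail-send program at outbound.example.net.
This is a permanent error; I've given up. Sorry it didn't work out.

<user1@example.com>:
192.0.2.10 failed after I sent the message.
Remote host said: 554 delivery error: dd This user doesn't have a example.com account

<user2@example.org>:
Remote host said: 552 Recipient address rejected: Mailbox Full

--- Below this line is a copy of the message.
"""

# Phrases come from the bounce reasons quoted in the thread; the hard/soft grouping is an assumption.
HARD = re.compile(r"no such user|user unknown|doesn't have a|not our customer", re.I)
SOFT = re.compile(r"over quota|mailbox full", re.I)
RECIPIENT = re.compile(r"^<([^<>\s]+@[^<>\s]+)>:\s*$")
SMTP_CODE = re.compile(r"Remote host said:\s*([45])\d\d\b")

def parse_bounce(body):
    """Map each failed recipient in a qmail-send failure notice to its reason text."""
    failures, current = {}, None
    for line in body.splitlines():
        if line.startswith("--- Below this line"):  # copy of the original message follows
            break
        match = RECIPIENT.match(line)
        if match:
            current = match.group(1).lower()
            failures[current] = ""
        elif not line.strip():
            current = None  # a blank line ends a recipient paragraph
        elif current:
            failures[current] += line.strip() + " "
    return failures

def classify(reason):
    """'hard': address does not exist; 'soft': may recover; 'unknown': needs a human."""
    for label, pattern in (("soft", SOFT), ("hard", HARD)):  # reason text beats the 5xx code
        if pattern.search(reason):
            return label
    code = SMTP_CODE.search(reason)
    return {"5": "hard", "4": "soft"}[code.group(1)] if code else "unknown"

def triage(body):
    """Return {recipient: 'hard' | 'soft' | 'unknown'} for one bounce body."""
    return {addr: classify(reason) for addr, reason in parse_bounce(body).items()}
```

A full mailbox is reported with a 5xx code and qmail still calls it a permanent error, so the reason text is checked before the reply code.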
