Re: mail lost

  • mouss
    Message 1 of 13 , Apr 1, 2007
      pobox@... wrote:
      >
      >> if you are "lucky", the mail was delivered to a mailbox instead of to
      >> cyrus. look in /var/mail/ (or whatever is the default delivery
      >> directory for your MTA).
      >
      > No, it was intended to recipients outside of the mail server.
      >

      In fact, a more probable "hole" is an anti-virus silently quarantining
      mail. if you are running an AV, look in its quarantine.

      another possibility is a honeypot triggered by an IDS system.
    • mouss
      Message 2 of 13 , Apr 1, 2007
        pobox@... wrote:
        >
        > There is a FreeBSD dedicated server with Postfix/Cyrus, Squirrelmail
        > and another php application - the Squirrelmail and the php application
        > did not have any problems to send mail. And there is a Windows
        > workstation where I tried Thunderbird (my primary mail client) and
        > Outlook Express (which I set for the test) - during this period both
        > gave the impression that mail is sent, but mail did not arrive,
        > neither was logged in maillog, nor was it in the queue, to my
        > experience (I might have missed something) I could not find any trace
        > of the mail with 'grep'. Somebody advised me to try to send mail using
        > telnet from the Workstation, but at this moment I did not know how and
        > when I found out how on the next day, the problem did not exist
        > anymore. So I can't tell if telnet would have worked (resp. I do not
        > know what telnet would have reported, i.e. somebody mentioned that it
        > might be a DNS problem).

        try resending the _same_ message from the same machine. if the AV
        quarantines it, then you get the guilty. now, the AV config may have
        changed (or it may have dynamic rules....) so you are not guaranteed to
        reproduce the problem, but it's worth a try. and as I said in my
        previous post, check the AV quarantine. of course, this all assumes you
        are (were) running an AV on the client box.
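
A way to make the "no trace in maillog" check systematic, as an added example that is not part of the original thread: it classifies how far mail from one client IP got on the server. It assumes standard Postfix `smtpd`/`qmgr`/`smtp` log lines; the sample log, addresses and the name `trace_client` are constructed for illustration.

```python
import re

# Constructed sample of Postfix maillog lines (not taken from the thread).
SAMPLE_LOG = """\
Apr  1 10:02:11 mail postfix/smtpd[1234]: connect from unknown[192.0.2.10]
Apr  1 10:02:11 mail postfix/smtpd[1234]: 4F2A11C0D3: client=unknown[192.0.2.10]
Apr  1 10:02:12 mail postfix/qmgr[900]: 4F2A11C0D3: from=<a@example.org>, size=812, nrcpt=1 (queue active)
Apr  1 10:02:13 mail postfix/smtp[1240]: 4F2A11C0D3: to=<b@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=1.2, status=sent (250 OK)
Apr  1 10:02:13 mail postfix/smtpd[1234]: disconnect from unknown[192.0.2.10]
Apr  1 10:05:40 mail postfix/smtpd[1250]: connect from unknown[192.0.2.20]
Apr  1 10:05:41 mail postfix/smtpd[1250]: disconnect from unknown[192.0.2.20]
"""

# "]: connect from" does not match "disconnect from" lines.
CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from \S*\[([^\]]+)\]")
CLIENT = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=\S*\[([^\]]+)\]")
STATUS = re.compile(r": ([0-9A-Za-z]+): to=<([^>]*)>.*status=(\w+)")


def trace_client(log_text, client_ip):
    """Report whether client_ip connected, what was queued, and delivery status."""
    connected = False
    queue_ids = []
    deliveries = []
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if m and m.group(1) == client_ip:
            connected = True
        m = CLIENT.search(line)
        if m and m.group(2) == client_ip:
            queue_ids.append(m.group(1))
        m = STATUS.search(line)
        if m and m.group(1) in queue_ids:
            deliveries.append((m.group(1), m.group(2), m.group(3)))
    if not connected:
        # Nothing from this client reached smtpd: suspect the client side
        # (local AV proxy, wrong server or port) or something else answering.
        verdict = "never reached smtpd"
    elif not queue_ids:
        verdict = "connected, no message accepted into the queue"
    else:
        verdict = "queued"
    return {"verdict": verdict, "queue_ids": queue_ids, "deliveries": deliveries}


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.99"):
        print(ip, trace_client(SAMPLE_LOG, ip))
```

A "never reached smtpd" result for the workstation's address matches the situation described in the thread, where the client reports success but the server has no record.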
      • pobox@verysmall.org
        Message 3 of 13 , Apr 2, 2007
          mouss wrote:
          > pobox@... wrote:
          >>
          >>> if you are "lucky", the mail was delivered to a mailbox instead of to
          >>> cyrus. look in /var/mail/ (or whatever is the default delivery
          >>> directory for your MTA).
          >>
          >> No, it was intended to recipients outside of the mail server.
          >
          > In fact, a more probable "hole" is an anti-virus silently quarantining
          > mail. if you are running an AV, look in its quarantine.

          Oh, thanks. This is a good hint. I check the guaranteed messages and
          there weren't such. But added it to my debug list for next time it happens.

          > another possibility is a honeypot triggered by an IDS system.

          What is this?
        • mouss
          Message 4 of 13 , Apr 2, 2007
            pobox@... wrote:
            > mouss wrote:
            > > pobox@... wrote:
            > >>
            > >>> if you are "lucky", the mail was delivered to a mailbox instead of to
            > >>> cyrus. look in /var/mail/ (or whatever is the default delivery
            > >>> directory for your MTA).
            > >>
            > >> No, it was intended to recipients outside of the mail server.
            > >
            > > In fact, a more probable "hole" is an anti-virus silently quarantining
            > > mail. if you are running an AV, look in its quarantine.
            >
            > Oh, thanks. This is a good hint. I check the guaranteed messages and
            > there weren't such. But added it to my debug list for next time it
            > happens.
            >
            > > another possibility is a honeypot triggered by an IDS system.
            >
            > What is this?
            >
            >

            a honeypot is a trap. an IDS is an Intrusion Detection System. some IDS
            software will listen on known ports and act like a server, except that
            it doesn't really do what the attacker expects.

            This is not very probable, but you never know.
          • pobox@verysmall.org
            Message 5 of 13 , Apr 5, 2007
              mouss wrote:
              > a honeypot is a trap. an IDS is an Intrusion Detection System. some IDS
              > software will listen on known ports and act like a server, except that
              > it doesn't really do what the attacker expects.
              >
              > This is not very probable, but you never know.

              OK Got it.

              Thanks a lot for this and for all your previous help.

              Iv