
Mar 27 2011

from russia with love

A few weeks ago I installed pflogsumm on my mail server in order to automate my mail log scanning. For some time I had been conscious that my mailer had been rejecting a lot of mail with “user unknown” but I had never really investigated that in any depth. Running pflogsumm over the logs on a nightly basis makes analysis easy. It turns out that over 90% of all mail hitting my server is rejected because I have no user with the name given. Moreover, practically all of that rejected mail is for one user (info@baldric.net) and it all appears to come from mailers with .ru domain names.

By creating a temporary alias for the failing address to a real one I was able to capture some of the mail coming in. The example below is faintly amusing:

“From: postmaster@ruschermet.ru
To: info@baldric.net
Subject: Не удается доставить: лучший секс в Вашей жизни
Date: Sun, 27 Mar 2011 21:22:42 +0400

Не удалось выполнить доставку следующим получателям или лицам из следующих списков рассылки:

hr@ruschermet.ru
Адрес электронной почты получателя не найден в почтовой системе получателя. Microsoft Exchange не будет повторять попытку доставки сообщения. Проверьте адрес электронной почты и повторите отправку сообщения или передайте указанное ниже диагностическое сообщение администратору.

________________________________
Отправлено с помощью Microsoft Exchange Server 2007”

(Try running this through an on-line translation service such as babelfish).

Clearly, what I am getting is backscatter from failed spam deliveries in Russia where the spammer has used the non-existent “info” as a spoofed from address. Ho Hum.
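Running pflogsumm gives the nightly totals described above; the script below is an added example (not pflogsumm, and not code from the original post) showing the same two checks done directly on Postfix smtpd log lines: counting "User unknown" rejections per recipient and per sender domain, and flagging how many of those rejections carry a bounce-style envelope sender (the null reverse path, or a postmaster/MAILER-DAEMON local part), which is the signature of the backscatter the post identifies. The log lines are constructed for the example, with documentation IP addresses and made-up host names; the log format itself is the standard Postfix `NOQUEUE: reject: RCPT from ...` line.

```python
import re
from collections import Counter

# Constructed sample of Postfix smtpd log lines (not taken from the original post).
# Host names and IP addresses are made up; only info@baldric.net is from the post.
SAMPLE_LOG = """\
Mar 27 21:22:42 mail postfix/smtpd[4121]: NOQUEUE: reject: RCPT from mx1.example.ru[192.0.2.10]: 550 5.1.1 <info@baldric.net>: Recipient address rejected: User unknown in local recipient table; from=<postmaster@example.ru> to=<info@baldric.net> proto=ESMTP helo=<mx1.example.ru>
Mar 27 21:23:01 mail postfix/smtpd[4121]: NOQUEUE: reject: RCPT from mx2.example.ru[192.0.2.11]: 550 5.1.1 <info@baldric.net>: Recipient address rejected: User unknown in local recipient table; from=<> to=<info@baldric.net> proto=ESMTP helo=<mx2.example.ru>
Mar 27 21:24:17 mail postfix/smtpd[4130]: NOQUEUE: reject: RCPT from relay.example.com[198.51.100.5]: 550 5.1.1 <sales@baldric.net>: Recipient address rejected: User unknown in local recipient table; from=<alice@example.com> to=<sales@baldric.net> proto=ESMTP helo=<relay.example.com>
Mar 27 21:25:00 mail postfix/smtpd[4130]: 9A1B2C3D4E: client=friend.example.org[203.0.113.7]
Mar 27 21:26:33 mail postfix/smtpd[4135]: NOQUEUE: reject: RCPT from mx3.example.ru[192.0.2.12]: 550 5.1.1 <info@baldric.net>: Recipient address rejected: User unknown in local recipient table; from=<mailer-daemon@example.ru> to=<info@baldric.net> proto=ESMTP helo=<mx3.example.ru>
"""

# Matches a Postfix "User unknown" rejection and captures the connecting client,
# its IP, the rejected recipient and the envelope sender.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"550 [\d.]+ <(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
    r".*?from=<(?P<sender>[^>]*)> to=<[^>]*>"
)

# Envelope senders typical of bounces: the empty reverse path that RFC 5321
# requires for delivery status notifications, or a MAILER-DAEMON/postmaster local part.
BOUNCE_LOCALPARTS = {"", "mailer-daemon", "postmaster"}


def parse_rejections(log_text):
    """Yield one dict per 'User unknown' rejection found in the log text."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.groupdict()


def sender_domain(address):
    """Domain part of an envelope address, or '<>' for the null sender."""
    return address.rpartition("@")[2].lower() if address else "<>"


def is_bounce_sender(address):
    """True if the envelope sender looks like a bounce generator (likely backscatter)."""
    return address.rpartition("@")[0].lower() in BOUNCE_LOCALPARTS


def summarize(log_text):
    """Count rejections per recipient, sender domain and sender TLD, and count
    how many rejections look like backscatter rather than direct spam."""
    rejections = list(parse_rejections(log_text))
    return {
        "total": len(rejections),
        "by_recipient": Counter(r["rcpt"].lower() for r in rejections),
        "by_sender_domain": Counter(sender_domain(r["sender"]) for r in rejections),
        "by_sender_tld": Counter(sender_domain(r["sender"]).rpartition(".")[2] for r in rejections),
        "likely_backscatter": sum(1 for r in rejections if is_bounce_sender(r["sender"])),
    }


def report(summary):
    """Render the summary in a pflogsumm-like plain-text layout."""
    lines = [f"User unknown rejections: {summary['total']}",
             f"  of which bounce-style senders (likely backscatter): {summary['likely_backscatter']}",
             "  by recipient:"]
    lines += [f"    {n:5d}  {rcpt}" for rcpt, n in summary["by_recipient"].most_common()]
    lines.append("  by sender domain:")
    lines += [f"    {n:5d}  {dom}" for dom, n in summary["by_sender_domain"].most_common()]
    lines.append("  by sender TLD:")
    lines += [f"    {n:5d}  .{tld}" for tld, n in summary["by_sender_tld"].most_common()]
    return "\n".join(lines)


if __name__ == "__main__":
    # With a real mail log: python3 thisscript.py < /var/log/mail.log (reads stdin if piped)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(summarize(text)))
```

On the constructed sample this reports four rejections, three of them for info@baldric.net and three carrying a bounce-style sender, which is the pattern the post describes: the rejected mail is not spam aimed at the server but bounces for spam that forged a non-existent local address as its sender. Point it at a real log and the "by sender TLD" section shows whether the .ru concentration holds.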
