Why mail fails...
This document describes reasons why mail doesn't get delivered on the Internet.
During the outbreak of Code Red (versions 1 and 2) I kept track
of the hosts which tried to infect me. I thought I did people a
favour by telling them about their infected machines, but often I
couldn't get in contact with them because of incorrect mail configurations.
To find out who to contact, I did the following:
- For hosts like host.domain.TLD...
- For hosts like <ipaddress>...
- ...dig for the SOA record of <ipaddress>.in-addr.arpa
and take the contact name from there.
- ...went into the arin whois database and hoped it would
give me some information.
At the end there is an overview of the tools used.
Of the more than 250 unique mails I sent regarding this worm, I only got
one reply back, from somebody who said he would have a look at it... It's
a scarily low result.
User unknowns
Mailer problems
Bogus DNS data
Whois problems
Tools used
User unknowns
DNS zone data
nclab.uos.ac.kr - - [08/Aug/2001:17:09:32 +1000] "GET /default.ida?
A SOA dig for uos.ac.kr gave me:
uos.ac.kr. 2h29m47s IN SOA uoscc.uos.ac.kr. uoscc.uos.ac.kr.
And mailing to [email protected] gave me:
What is wrong here: the contact-name for this zone does not exist.
How to solve: make all the contact-names in your DNS zones valid.
Whois data
pcd067171.netvigator.com - - [08/Aug/2001:02:39:08 +1000] "GET /def
whois for netvigator.com gave me:
Domain Name: NETVIGATOR.COM
Administrative Contact, Technical Contact:
Chu, Carlson (CC18729) [email protected]
Cable & Wireless HKT IMS
And mailing to [email protected] gave me:
[email protected] on Thu, 9 Aug 2001 06:26:28 +0800
The recipient name is not recognized
The MTS-ID of the original message is:
c=hk;a=cwmail;p=cw;l=HKGMSX130108082226QM29HQ97
MSEXCH:IMS:HKT:HK02:HKGMSX13 0 (000C05A6) Unknown Recipient
What is wrong here: the administrative and technical contact for
this domain name does not exist. Too bad the billing contact did
exist, otherwise this problem would have solved itself after a
year.
How to solve: make all the contact email addresses in the whois database
valid.
Expanding aliases
p18033.shinbiro.com - - [08/Aug/2001:22:29:05 +1000] "GET /default.
I just spammed [email protected] and got:
Reporting-MTA: dns; mail5.shinbiro.com
Received-From-MTA: DNS; topaz.mdcc.cx
Arrival-Date: Thu, 9 Aug 2001 07:17:12 +0900 (KST)
Final-Recipient: RFC822; <[email protected]>
Action: expanded (to multi-recipient alias)
Status: 2.0.0
Last-Attempt-Date: Thu, 9 Aug 2001 07:17:25 +0900 (KST)
Final-Recipient: RFC822; <[email protected]>
X-Actual-Recipient: RFC822; [email protected]
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mail.9netave.com
Diagnostic-Code: SMTP; 553 <[email protected]>... no such user
Last-Attempt-Date: Thu, 9 Aug 2001 07:17:25 +0900 (KST)
What is wrong here: although the email address
[email protected] does exist and has one or more
mailboxes it forwards to, one of those mailboxes isn't valid
anymore.
How to solve: check all the aliases in your alias file for validity.
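Finding the dead alias member by hand is tedious when the alias expands to many mailboxes. An added example, not part of this page, that parses a delivery status notification in the format of the bounce above and lists which member failed; the DSN text is constructed, with the page's real addresses replaced by placeholders:

```python
# Parse a multi-recipient delivery status notification (RFC 3464 format, as
# in the shinbiro.com bounce above) and report which alias member failed.
# Added example, not from the page; the DSN below is constructed, with the
# page's real addresses replaced by placeholders.

SAMPLE_DSN = """\
Reporting-MTA: dns; mail5.example.kr
Arrival-Date: Thu, 9 Aug 2001 07:17:12 +0900 (KST)

Final-Recipient: RFC822; <postmaster@example.kr>
Action: expanded (to multi-recipient alias)
Status: 2.0.0

Final-Recipient: RFC822; <oldadmin@isp.example.com>
X-Actual-Recipient: RFC822; postmaster@example.kr
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mail.isp.example.com
Diagnostic-Code: SMTP; 553 <oldadmin@isp.example.com>... no such user
"""


def parse_dsn(text):
    """Split a DSN body into (per-message fields, list of per-recipient fields).
    Groups are separated by a blank line; field names are folded to lower case."""
    groups = []
    for chunk in text.strip().split("\n\n"):
        fields = {}
        for line in chunk.splitlines():
            name, _, value = line.partition(":")
            fields[name.strip().lower()] = value.strip()
        groups.append(fields)
    return groups[0], groups[1:]


def strip_addr(value):
    """'RFC822; <user@host>' -> 'user@host' (type tag and brackets dropped)."""
    return value.partition(";")[2].strip().strip("<>")


def failed_recipients(text):
    """For every 'Action: failed' group return (address the mail was sent to,
    dead mailbox, diagnostic).  In the bounce above X-Actual-Recipient carries
    the alias that was expanded, so this names the alias file entry to fix."""
    failures = []
    for r in parse_dsn(text)[1]:
        if not r.get("action", "").startswith("failed"):
            continue
        alias = strip_addr(r.get("x-actual-recipient", r["final-recipient"]))
        diag = r.get("diagnostic-code") or r.get("status", "")
        failures.append((alias, strip_addr(r["final-recipient"]), diag))
    return failures
```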
Mailer problems
Just full
[email protected]
The intended recipient's mailbox is full.
mail.local: mailbox for user 'clixadmin' is full
554 ... Service unavailable
What is wrong here: The mailboxes of these users are full; they are
probably never read at all.
How to solve: make aliases from these users to real addresses.
Procmail
----- Transcript of session follows -----
procmail: Quota exceeded while writing "/var/spool/mail/admcc"
550 admcc... Can't create output: Error 0
What is wrong here: The disk space allocated to this user is full.
He probably never reads his email anyway.
How to solve: See previous section.
Incorrectly configured mailers - 1
ap-203.167.12.19.sysads.com - - [08/Aug/2001:10:51:13 +1000] "GET /
The SOA record for this domain tells me to contact [email protected]:
sysads.com. 22h9m26s IN SOA ns.sysads.com. root.ns.sysads.com. (
When mailing root, I get:
----- Transcript of session follows -----
553 5.3.5 ns.sysads.com. config error: mail loops back to me (MX problem?)
554 5.3.5 ... Local configuration error
ns.sysads.com doesn't have an MX record, just an A record:
ns.sysads.com. 1d49m14s IN A 203.167.0.17
Looking at the SMTP session:
[~] edwin@k7>telnet ns.sysads.com smtp
Trying 203.167.0.17...
Connected to ns.sysads.com.
Escape character is '^]'.
220 localhost.localdomain ESMTP Sendmail 8.10.2/8.10.2; Thu, 9 Aug 2001 08:03:22 +0800
localhost.localdomain... Says enough...
What is wrong here: The mailer on ns.sysads.com isn't
configured correctly; it should accept mail for ns.sysads.com.
How to solve: Configure the mailer to accept mail for all of its
hostnames. Or create an MX record for all your hosts and make sure
the MX host accepts mail for these hosts. Or change the contact name
in the DNS zone data.
Incorrectly configured mailers - 2
pigs.paichai.ac.kr - - [09/Aug/2001:00:35:33 +1000] "GET /default.i
The MX record for paichai.ac.kr points to mail.paichai.ac.kr:
paichai.ac.kr. 1d21h29m44s IN MX 0 mail.paichai.ac.kr.
But when talking to the mailer itself it says:
rcpt to: [email protected]
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
What is wrong here: The MX host for this domain isn't configured
to accept mail for this domain.
How to solve: Change the configuration of the host to accept mail
for that domain.
Incorrectly configured mailers - 3
mignami.ift.ing.unict.it - - [07/Aug/2001:23:08:34 +1000] "GET /dea
[email protected] got forwarded to [email protected], but then:
<[email protected]>:
Sorry. Although I'm listed as a best-preference MX or A for that host,
it isn't in my control/locals file, so I don't treat it as local. (#5.4.6)
This is the same kind of problem as above, but with a different error message.
Incorrectly configured mailers - 4
grad.ssu.ac.kr - - [07/Aug/2001:04:37:00 +1000] "GET /default.ida?X
The MX record for ssu.ac.kr points to:
ssu.ac.kr. 1D IN MX 20 computing.ssu.ac.kr.
ssu.ac.kr. 1D IN MX 30 webmail.ssu.ac.kr.
ssu.ac.kr. 1D IN MX 1 saint.ssu.ac.kr.
ssu.ac.kr. 1D IN MX 10 baekma.ssu.ac.kr.
webmail.ssu.ac.kr doesn't exist. computing.ssu.ac.kr,
the next one, tells me:
What is wrong here: The preferred MX host doesn't exist, and the
secondary MX host doesn't know it should receive mail for that
domain.
How to solve: Fix your DNS data. Remove all old and obsolete hosts.
Furthermore, make sure all hosts which are MX hosts for a domain
accept mail for that domain.
Error messages Eric P. Allman never expected to see
203.167.87.46 - - [11/Aug/2001:01:55:49 +1000] "GET /default.ida?XX
<[email protected]>: host mail.eastern-tele.com[203.167.127.19] said:
554 5.0.0 rewrite: excessive recursion (max 50), ruleset canonify
Bogus DNS data
No reverse lookups
203.250.86.71 - - [05/Aug/2001:20:26:57 +1000] "GET /default.ida?XX
The IP address is in use, but there is no reverse data for it.
What is wrong here: In theory, nothing. In practice: it will be hard
to track where this user is coming from and who to contact in case of
problems, and mail relays might refuse him access because there is no
reverse lookup.
How to solve: Add a PTR record for this host in the reverse DNS zone.
Invalid reverse lookups
kaset.chandra.ac.th.220.154.203.in-addr.arpa - - [08/Aug/2001:17:50:31 +1000] "GET /default.ida?XXXX
Typical case of a forgotten . at the end:
kaset.chandra.ac.th. 23h58m7s IN A 203.154.220.79
79.220.154.203.in-addr.arpa. 8h29m7s IN PTR kaset.chandra.ac.th.220.154.203.in-addr.arpa.
What is wrong here: The reverse data for this host is incorrect.
It's a small configuration error and people will be able to overcome
it, but programs aren't that smart.
How to solve: Make sure your DNS data is correct. Put a . behind
every fully qualified name in your zone data.
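An added example, not from the original page, that scans a reverse zone dump for exactly this mistake: a PTR target that still ends in the zone's own name because the final dot was forgotten. It assumes classful /24 reverse zones (the origin is the owner name with its first label removed); the zone lines are constructed after the dig output above.

```python
# Added example (not from this page): scan reverse-zone records for the
# forgotten trailing dot shown above, where the zone origin got appended to
# the hostname.  Assumes classful /24 reverse zones: the origin is the owner
# name minus its first label.  The zone text is constructed after the dig output.
import re

SAMPLE_ZONE = """\
78.220.154.203.in-addr.arpa. 8h29m7s IN PTR ok.chandra.ac.th.
79.220.154.203.in-addr.arpa. 8h29m7s IN PTR kaset.chandra.ac.th.220.154.203.in-addr.arpa.
"""

PTR_LINE = re.compile(r"^(?P<owner>\S+)\s+\S+\s+IN\s+PTR\s+(?P<target>\S+)$")


def reverse_zone_of(owner):
    """79.220.154.203.in-addr.arpa. -> 220.154.203.in-addr.arpa. (the /24 origin)."""
    labels = owner.rstrip(".").split(".")
    return ".".join(labels[1:]) + "."


def check_ptr(owner, target):
    """Return (is_bogus, intended_target).  A target that still ends in its own
    zone's origin was written without the final dot; strip the origin to get
    the hostname the admin meant."""
    suffix = "." + reverse_zone_of(owner)
    if target.endswith(suffix):
        return True, target[: -len(suffix)] + "."
    return False, target


def bogus_ptrs(zone_text):
    """All mangled PTRs in a zone dump as (owner, bad target, intended target)."""
    found = []
    for line in zone_text.splitlines():
        m = PTR_LINE.match(line.strip())
        if m:
            bogus, intended = check_ptr(m["owner"], m["target"])
            if bogus:
                found.append((m["owner"], m["target"], intended))
    return found
```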
No MX records
webcam.intercom.com.tw - - [07/Aug/2001:21:58:02 +1000] "GET /defau
Mail to [email protected] gave me:
<[email protected]>: Name service error for domain intercom.com.tw: Host found but no data record of requested type
What is wrong here: There are no MX nor A records for intercom.com.tw!
How to solve: add an MX record for your domain.
Whois problems
Unreachable whois-servers
jet.chonbuk.ac.kr - - [08/Aug/2001:19:11:45 +1000] "GET /default.id
Trying to find out about this at whois.krnic.net, I either
got a connection refused, a timed-out connection or no data at all.
Distributed responsibilities
063.001.dsl.syd.iprimus.net.au - - [09/Aug/2001:10:14:01 +1000] "GE
Normally I would look this up at whois.aunic.net.
[~] edwin@k7>whois -h whois.aunic.net iprimus.net.au
% Copyright 2001 auDA, see http://www.aunic.net/copyright.html
% No entries found for the selected source(s).
Australia has a distributed responsibility regarding the
whois database: net.au should be looked up at
whois.connect.com.au.
What is wrong here: There should be one point of contact for each
TLD and ccTLD.
How to solve: Let whois.<ccTLD>nic.net give a referral
to the whois server which is responsible for this domain if it
isn't responsible itself.
whois.<insert strange name here>.ccTLD
Not every ccTLD has an intuitive name for its whois server,
for example whois.dns.be (for Belgium) or
whois.domain-registry.nl (for the Netherlands).
How to solve: make a whois.<ccTLD>nic.net for every
ccTLD.
Tools used
There are no special tools used, everything is available on a modern
unix system.
Dig
Dig is a tool to query DNS servers. The syntax is
dig [@server] <name> [type]
For example to query a SOA record:
[~] edwin@k7>dig mavetju.org. soa
; <<>> DiG 8.3 <<>> mavetju.org. soa
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;; mavetju.org, type = SOA, class = IN
;; ANSWER SECTION:
mavetju.org. 1D IN SOA ns2.mavetju.org. edwin.mavetju.org. (
2001030006 ; serial
12H ; refresh
15M ; retry
1W ; expiry
1H ) ; minimum
;; AUTHORITY SECTION:
mavetju.org. 1D IN NS ns2.mavetju.org.
mavetju.org. 1D IN NS ns3.mavetju.org.
;; ADDITIONAL SECTION:
ns2.mavetju.org. 1D IN A 198.133.199.3
ns3.mavetju.org. 1D IN A 198.133.199.4
;; Total query time: 1 msec
;; FROM: k7.mavetju.org to SERVER: default -- 127.0.0.1
;; WHEN: Thu Aug 9 11:47:07 2001
;; MSG SIZE sent: 29 rcvd: 139
The important data in the SOA field is:
- domain mavetju.org
- contact-name edwin.mavetju.org (the first . should be
translated into a @ by yourself)
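For the contact-hunting procedure at the top of this page and the SOA rule just given, an added example (not the page's own code) that builds the in-addr.arpa name for an address and turns an SOA RNAME into a mail address. It goes slightly beyond the page's rule by honouring RFC 1035 escaping, where a backslash-dot in the RNAME is a literal dot in the local part rather than the separator.

```python
# Added example (not from this page): the two lookups-to-addresses steps used
# above, done offline.  Beyond the page's rule, it honours RFC 1035 escaping:
# a '\.' in the RNAME is a literal dot of the local part, not the separator.


def reverse_zone_name(ipaddress):
    """203.154.220.79 -> 79.220.154.203.in-addr.arpa (the name to dig SOA for)."""
    octets = ipaddress.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ipaddress!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def soa_rname_to_email(rname):
    """edwin.mavetju.org. -> edwin@mavetju.org: the first unescaped dot becomes @."""
    name = rname.strip().rstrip(".")
    local = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):   # escaped char: keep it literally
            local.append(name[i + 1])
            i += 2
        elif ch == ".":                         # separator between local part and domain
            domain = name[i + 1:]
            if not local or not domain:
                raise ValueError(f"malformed RNAME: {rname!r}")
            return "".join(local) + "@" + domain
        else:
            local.append(ch)
            i += 1
    raise ValueError(f"RNAME has no domain part: {rname!r}")


def contact_from_soa_line(line):
    """Contact address from one dig SOA answer line, e.g.
    'uos.ac.kr. 2h29m47s IN SOA uoscc.uos.ac.kr. uoscc.uos.ac.kr.'"""
    fields = line.split()
    if "SOA" not in fields or fields.index("SOA") + 2 >= len(fields):
        raise ValueError(f"not a complete SOA record line: {line!r}")
    # after the SOA keyword come MNAME (primary server) and RNAME (contact)
    return soa_rname_to_email(fields[fields.index("SOA") + 2])
```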
For example to query an MX record:
[~] edwin@k7>dig mavetju.org. mx
; <<>> DiG 8.3 <<>> mavetju.org. mx
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; QUERY SECTION:
;; mavetju.org, type = MX, class = IN
;; ANSWER SECTION:
mavetju.org. 1D IN MX 10 mail.mavetju.org.
;; AUTHORITY SECTION:
mavetju.org. 1D IN NS ns2.mavetju.org.
mavetju.org. 1D IN NS ns3.mavetju.org.
;; ADDITIONAL SECTION:
mail.mavetju.org. 1D IN A 213.46.9.168
ns2.mavetju.org. 1D IN A 198.133.199.3
ns3.mavetju.org. 1D IN A 198.133.199.4
;; Total query time: 5 msec
;; FROM: k7.mavetju.org to SERVER: default -- 127.0.0.1
;; WHEN: Thu Aug 9 11:50:02 2001
;; MSG SIZE sent: 29 rcvd: 134
The important data in the MX record is:
- domain mavetju.org
- MX host and preference: mail.mavetju.org and 10
whois
Whois is a tool to query a whois-database. The syntax is
whois [-h <whois-server>] <object>
Without a given whois server it will use whois.internic.net.
For example to query a host in the .com, .edu, .org and .net TLDs:
[~] edwin@k7>whois mavetju.org
Whois Server Version 1.3
Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: MAVETJU.ORG
Registrar: GANDI
Whois Server: whois.gandi.net
Referral URL: http://www.gandi.net
Name Server: NS1.SECONDARY.COM
Name Server: NS2.SECONDARY.COM
Updated Date: 20-feb-2001
Maybe the whois client will go on to whois.gandi.net
by itself, maybe it stops and you have to repeat the query at
whois.gandi.net.
Whois servers for ccTLDs are often known as
whois.<ccTLD>nic.net, but there are exceptions to that
rule: for Belgium go to whois.dns.be, for the Netherlands
go to whois.domain-registry.nl, and for Australia it is partly
known at whois.aunic.net, partly somewhere else.