Mail server logs: "mailFrom" empty/null in logs on occasion, unclear why and how to fix
-
I have recently been digging into the mail server logs for various reasons, and have seen several instances of the example below (seemingly all spam; the rcptTo is always a spammy-looking email address and on a country TLD that we never deal with too). I'm wondering what conditions apply to have the mailFrom address be null? It really makes it difficult to know what app (or which mailbox) is generating the email, which makes it difficult to track down where the spam is coming from.

Failed to deliver mail to sephday71@i-brno.cz. Tried all MXs. Will retry in 32768s.
{ "ts": 1615422409244, "type": "deferred", "direction": "outbound", "uuid": "BF92A429-0383-4A27-A161-4D1480C3ECA7.1", "mailFrom": "<>", "rcptTo": [ "<sephday71@i-brno.cz>" ], "details": { "message": "Tried all MXs", "delay": 32768 } }
(side note: It'd be awesome if we could kill off queued messages like these in the Cloudron UI, another feature request for mail improvements I'll file soon)
And a different message, but the same thing of missing the mailFrom address (and pretty sure this is another spam one too):

Sent bounce to <> for mail sent to info@woodencrates.org. Some recipients failed: <info@woodencrates.org>
{ "ts": 1615391821067, "type": "bounce", "direction": "outbound", "uuid": "AC24AEEB-6828-497B-9AEE-6414616B377E.1", "mailFrom": "<>", "rcptTo": [ "<info@woodencrates.org>" ], "details": { "message": "Some recipients failed: <info@woodencrates.org>", "mx": { "exchange": "woodencrates.org", "priority": 0, "family": "A", "bind_helo": "mail.<domain.tld>" }, "bounced_rcpt": [ { "original": "info@woodencrates.org", "user": "info", "original_host": "woodencrates.org", "host": "woodencrates.org", "reason": "550 No Such User Here\"", "dsn_action": "failed", "dsn_smtp_code": "550", "dsn_smtp_response": "No Such User Here\"", "dsn_remote_mta": "woodencrates.org" } ] } }
I can't really try to fix the spam issue if I can't figure out where it's being generated from. Hoping for some help there. Is it a defect that it's null, or is that expected behaviour in certain circumstances?
-
@d19dotca mailFrom is <> for bounce emails. It seems Cloudron is trying to send a bounce but the destination email server is gone. In general, this is fine, since it will eventually stop retrying. If it bothers you, you can docker exec -ti mail /bin/bash and delete the queue entries in /run/haraka/queue. I agree it will be nice to have some UI to view and clear this queue.
-
@girish said in Mail server logs: "mailFrom" empty/null in logs on occasion, unclear why and how to fix:
It seems Cloudron is trying to send a bounce but the destination email server is gone
I'm not sure if I understand that part. In order to send a bounce, doesn't there need to be an email the bounce came from? It almost looks like it's trying to send a bounce to an email address (for whatever reason it may be) but sending without any "from" address, and that's the part that confuses me.
If we take the woodencrates.org example from above, if I'm understanding it correctly, the workflow was this (putting this together from other logs):
- Email sent from info@woodencrates.org to an alias hosted on my mail server which forwards to an icloud.com account.
- Apple rejects the message from info@woodencrates.org to a user's icloud.com address as it deems it to be spam (which I agree that it is), sending a bounce back to info@woodencrates.org via my mail server.
- Bounce sent back to info@woodencrates.org, but their mail server reports that info@woodencrates.org does not exist (thus presumably was forged / masqueraded at the source).
It's basically between step 2 and 3 that I see the issue where there's no "from" address. I guess this is because it's an alias, so there's no actual mailbox on my server that's sending the bounce back to info@woodencrates.org, since the bounce actually came from an icloud.com account, is that right? But in that case, shouldn't the mailFrom field be filled in with the icloud.com address that initiated the bounce, or is that not technically accurate / RFC-compliant or something? It just seems weird that mailFrom is not filled in; missing that seems like an issue. Just trying to make sure I understand.
-
@d19dotca Yes, bounce messages/NDRs are special. They don't have the mail from filled out. See https://en.wikipedia.org/wiki/Bounce_message#Terminology. This is done so that you don't bounce a bounce message.
edit: found https://serverfault.com/questions/151955/why-an-empty-mail-from-address-can-sent-out-email with more info
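A small log-triage script, added here as an example and not part of this thread or of Cloudron's own tooling: it parses the one-JSON-object-per-line entries quoted above, treats a mailFrom of "<>" as the null sender girish describes (a bounce carries no envelope sender precisely so that it cannot itself be bounced), and groups outbound entries so that bounces and deferred bounces aimed at unfamiliar domains stand out from mail that has a real sender. The sample log is constructed from the two records quoted in the thread (the bounced_rcpt details trimmed) plus two made-up deliveries from alice@example.test; the field names and the line layout are assumptions taken from those quotes.

```python
"""Triage null-sender (bounce/NDR) entries in Cloudron/Haraka-style mail logs.

Assumption: the log is a mix of human-readable lines and one JSON object per
line with the fields seen in the thread (ts, type, direction, uuid, mailFrom,
rcptTo, details). A mailFrom of "<>" is the null reverse path used for bounces,
so such entries name no originating mailbox; grouping them by recipient domain
shows where backscatter is being queued.
"""
import json
from collections import Counter

NULL_SENDER = "<>"

# Constructed sample: the two records quoted in the thread (details trimmed)
# plus two made-up ordinary deliveries to contrast against.
SAMPLE_LOG = r'''
Failed to deliver mail to sephday71@i-brno.cz. Tried all MXs. Will retry in 32768s.
{ "ts": 1615422409244, "type": "deferred", "direction": "outbound", "uuid": "BF92A429-0383-4A27-A161-4D1480C3ECA7.1", "mailFrom": "<>", "rcptTo": [ "<sephday71@i-brno.cz>" ], "details": { "message": "Tried all MXs", "delay": 32768 } }
Sent bounce to <> for mail sent to info@woodencrates.org. Some recipients failed: <info@woodencrates.org>
{ "ts": 1615391821067, "type": "bounce", "direction": "outbound", "uuid": "AC24AEEB-6828-497B-9AEE-6414616B377E.1", "mailFrom": "<>", "rcptTo": [ "<info@woodencrates.org>" ], "details": { "message": "Some recipients failed: <info@woodencrates.org>" } }
{ "ts": 1615391900000, "type": "sent", "direction": "outbound", "uuid": "CONSTRUCTED-0001.1", "mailFrom": "<alice@example.test>", "rcptTo": [ "<bob@example.net>" ], "details": {} }
{ "ts": 1615391950000, "type": "sent", "direction": "outbound", "uuid": "CONSTRUCTED-0002.1", "mailFrom": "<alice@example.test>", "rcptTo": [ "<carol@example.org>", "<dave@example.net>" ], "details": {} }
'''


def strip_angle(addr):
    """Return an envelope address without its surrounding angle brackets."""
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        return addr[1:-1]
    return addr


def parse_entries(text):
    """Pick out the JSON records; human-readable lines in between are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated or otherwise non-JSON line: skip, don't abort
    return entries


def is_null_sender(entry):
    """True when the entry has no envelope sender, i.e. it is a bounce/NDR."""
    return entry.get("mailFrom") in (NULL_SENDER, "", None)


def rcpt_domains(entry):
    """Lower-cased domain part of every rcptTo address in the entry."""
    return [strip_angle(r).rsplit("@", 1)[-1].lower() for r in entry.get("rcptTo", [])]


def summarize(entries):
    """Group outbound entries: null-sender ones by log type and by recipient
    domain, everything else by the real mailFrom. Returns plain dicts."""
    null_by_type, null_by_domain, by_sender = Counter(), Counter(), Counter()
    for e in entries:
        if e.get("direction") != "outbound":
            continue
        if is_null_sender(e):
            null_by_type[e.get("type", "?")] += 1
            for domain in rcpt_domains(e):
                null_by_domain[domain] += 1
        else:
            by_sender[strip_angle(e["mailFrom"]).lower()] += 1
    return {
        "null_by_type": dict(null_by_type),
        "null_by_domain": dict(null_by_domain),
        "by_sender": dict(by_sender),
    }


if __name__ == "__main__":
    report = summarize(parse_entries(SAMPLE_LOG))
    print("null-sender (bounce/NDR) entries by type:  ", report["null_by_type"])
    print("null-sender entries by recipient domain:   ", report["null_by_domain"])
    print("entries with a real sender, by mailFrom:   ", report["by_sender"])
```

Run against a real log with the JSON lines extracted (for example the output of the Cloudron mail container's log), the "null_by_domain" table is the useful one: a cluster of bounces to domains the server never normally talks to is the backscatter from spam that was forwarded through an alias and rejected downstream. Because the null reverse path is what prevents bounce loops, the originating message cannot be recovered from mailFrom at all; it has to be traced from the bounce's recipient (the purported original sender) and the neighbouring log lines for the same delivery.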
-
@girish Side question actually... how do I see from the logs which alias the email is going to? Because in my case, I see the end email, not the alias email. For example: Email sent from info@woodencrates.com > some alias on my server > icloud.com account the alias forwarded to. In my case though, I have two domains that go to the same end icloud.com account. So I'm trying to figure out which one of them (if only one) is getting the bulk of the spam to it. Any way to figure that part out?