DMN: Recipient unknown: userID@domain.com

  • 3307093
  • 03-Mar-2008
  • 26-Apr-2012

Environment

Novell GroupWise Internet Agent (GWIA) 7
Novell GroupWise 7

Situation

Symptoms:

1. DMN: Recipient unknown: userID@domain.com on GWIA
2. Some recipients are valid and read 'Queuing to MTA' in the GWIA log.
3. Most recipients are not valid, but have what look to be valid types of IDs.
4. Mail may or may not be flowing in and out through the GWIA.
5. Senders may or may not be receiving 550 errors after send failure.

Resolution

1. Check mail flow.
a. If the messages are not even making it into the GWIA, check the firewall or spam filter.
b. If the messages are reaching the GWIA and the log shows them as queued to the MTA, look in the MSHOLD directory underneath the MTA and/or search for large groups of messages in the MTA and GWIA subdirectories.
Always search for groups of messages from the date of the failure point.
c. Wherever the messages are found, stop the corresponding agent and rename the appropriate queues.
In the GWIA, the queues are SEND, RECEIVE, RESULT and DEFER.
In the MTA, the queues are MSLOCAL, WPCSIN and WPCSOUT.
NOTE: A WPCSIN/WPCSOUT directory structure exists under the GWIA. Sweep this, but don't rename these queues, as they are sometimes not recreated on agent restart.
d. Once the agents are restarted, check whether mail is flowing correctly again. If so, move the 'old' messages back, a few at a time, into the queue they came from. Watch them disappear as they are transferred appropriately.
2. If inbound and outbound mail are functioning, but the GWIA still logs many 'Recipient unknown' messages, the GWIA may be experiencing a 'Dictionary Attack'. See the 'Additional Information' section for more information.

Additional Information

Dictionary Attack - If a spammer discovers the allowed address formats for a gateway, or the actual email address of someone in a company they wish to spam, they may use a Dictionary Attack to push mail toward the gateway. That is, they send to a list of hundreds of thousands of plausible addresses at the domain, built using the discovered address format. The spammer's gateways note which mails are delivered successfully and which are refused, because the recipient gateway (per the RFC) tells the sender which users are 'known' and which are 'unknown'.

Spam filters can counteract this by accepting all mail and then discarding the messages whose recipients are false and that trigger the spam signature on the filter. The spammer sees these mails as 'accepted' by the spam gateway, and so does not end up with a good recipient list. The spam filter usually does a good job of noticing which email is 'legitimate' and can therefore, in the case of a problem, send a legitimate undeliverable notice to the sender.

Unprotected gateways, however, are vulnerable to these types of attacks, and spammers may be able to get a list of 30% or more of the populace this way. This list is then sold or used for later spamming. The Novell GWIA is not set up to deal with this type of occurrence. See spamcop.net for more details on what to do.
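
To tell a dictionary attack apart from a burst of retries to one stale address, the GWIA log can be tallied for how many different unknown recipients appear relative to deliveries queued to the MTA. The script below is an added example, not Novell code: only the two log strings come from this document, while the line prefix, the sample addresses and the thresholds are assumptions to adapt.

```python
import re

# Only the two message strings come from the article. The timestamp and thread
# prefix on each sample line are constructed, not the real GWIA log layout.
UNKNOWN_RE = re.compile(r"DMN: Recipient unknown: (\S+@\S+)")
QUEUED_MARK = "Queuing to MTA"


def _sample(users):
    """Build constructed log lines: one rejection per user, then one delivery."""
    lines = [f"10:01:0{i} 1A4 DMN: Recipient unknown: {u}@example.com"
             for i, u in enumerate(users)]
    return lines + [f"10:01:09 1A4 {QUEUED_MARK}"]


# Constructed sample 1: many different guessed local parts, one real delivery.
SAMPLE_ATTACK = _sample(["aadams", "badams", "cadams", "dadams", "eadams", "fadams"])
# Constructed sample 2: the same stale address retried six times.
SAMPLE_STALE = _sample(["jsmith"] * 6)


def summarize(lines):
    """Tally rejected versus accepted recipients seen in GWIA log lines."""
    distinct, unknown, queued = set(), 0, 0
    for line in lines:
        m = UNKNOWN_RE.search(line)
        if m:
            unknown += 1
            distinct.add(m.group(1).lower())
        elif QUEUED_MARK in line:
            queued += 1
    total = unknown + queued
    return {
        "unknown": unknown,
        "queued": queued,
        "distinct_unknown": len(distinct),
        "unknown_ratio": unknown / total if total else 0.0,
    }


def looks_like_dictionary_attack(s, min_distinct=5, min_ratio=0.8):
    """Hypothetical thresholds sized for the samples; raise them for real logs.

    A dictionary attack shows many *different* unknown addresses and few
    deliveries; retries to one dead mailbox show a single repeated address.
    """
    return s["distinct_unknown"] >= min_distinct and s["unknown_ratio"] >= min_ratio


if __name__ == "__main__":
    for name, log in (("attack", SAMPLE_ATTACK), ("stale", SAMPLE_STALE)):
        s = summarize(log)
        print(name, s, looks_like_dictionary_attack(s))
```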