[TriLUG] Spam Probes. How does abc%xyz.com@mydomain.org work?

Tanner Lovelace lovelace at wayfarer.org
Wed Apr 9 10:16:24 EDT 2003


On Wed, 2003-04-09 at 09:00, bp wrote:
> I know the discussion has been had about RR probing networks for open 
> relays and I personally don't have a problem with RR or anyone doing 
> this so long as it's a legitimate test not an attempt to actually relay 
> spam.
> 
> Today I noticed these entries in my mail log,   30 lines from today 
> actually.  The only reason I bring this subject up is to ask why they 
> format the to line like this: 
> to=<relaytest%rr.njabl.org@itchy.kicks-ass.org>   Is that expected to 
> proxy through on some mail servers?  How does that type of addr work?
> 
> Apr  8 17:23:34 Itchy postfix/smtpd[25618]: 62570A4200: 
> client=before-reporting-as-abuse-please-see-www.njabl.org[209.208.0.15]
> Apr  8 17:23:45 Itchy postfix/smtpd[25618]: reject: RCPT from 
> before-reporting-as-abuse-please-see-www.njabl.org[209.208.0.15]: 554 
> <relaytest%rr.njabl.org@itchy.kicks-ass.org>: Recipient address 
> rejected: Relay access denied; from=<relaytestsend@itchy.kicks-ass.org> 
> to=<relaytest%rr.njabl.org@itchy.kicks-ass.org>
> Apr  8 17:29:08 Itchy postfix/smtpd[25618]: timeout after RCPT from 
> before-reporting-as-abuse-please-see-www.njabl.org[209.208.0.15]
> Apr  8 17:29:08 Itchy postfix/smtpd[25618]: disconnect from 
> before-reporting-as-abuse-please-see-www.njabl.org[209.208.0.15]

The mail specification from a long time ago specified that if you wanted
an address to be routed through a specific computer you would 
specify the final e-mail address with a % instead of an @, and then
put an @ at the end and then the name of the computer you wanted it
routed through.  This was useful if, for instance, you were trying
to e-mail someone on bitnet, which only had a few gateways between
it and the internet.  You would specify the address as
username%bitnet@bitnet.gateway.host.

Most modern smtp servers, though, don't honor this protocol anymore
because most relays are not open anymore.  So, basically, what they
are trying to discover is if your smtp server will relay the message
back to them at relaytest@rr.njabl.org.  If it does, they classify
you as an open relay and blacklist you.

Personally, I think this is a misuse of my smtp server's resources.
If they want to send me an e-mail, fine, but probing my server like
this is not kosher.

Tanner
-- 
Tanner Lovelace | lovelace(at)wayfarer.org | http://wtl.wayfarer.org/
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
GPG Fingerprint = A66C 8660 924F 5F8C 71DA  BDD0 CE09 4F8E DE76 39D4
GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
   He who receives an idea from me, receives instruction himself 
   without lessening mine; as he who lights his taper at mine, 
   receives light without darkening me.  --  Thomas Jefferson
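
Added example (not part of the original message): a Python sketch of the rewrite a server honoring the % convention would perform, applied to Postfix-style log lines to flag this kind of relay probe. The hostnames, log lines and function names are constructed for illustration, and addresses are written with a literal @.

```python
import re

# Postfix logs the envelope recipient as to=<...>
RCPT_RE = re.compile(r"to=<([^>]*)>")

def percent_hack_target(rcpt, local_domains):
    """Return the address a %-honoring server would forward to, or None
    if rcpt is not a %-routed relay attempt through one of our domains."""
    local_part, at, domain = rcpt.rpartition("@")
    if not at or domain.lower() not in local_domains:
        return None   # not addressed to this host at all
    user, pct, final_domain = local_part.rpartition("%")
    if not pct or not user or not final_domain:
        return None   # ordinary local mailbox, no % routing
    if final_domain.lower() in local_domains:
        return None   # rewritten address is still local, so no relaying
    # The rightmost % becomes the new @; any earlier % is left for the next hop.
    return f"{user}@{final_domain}"

def find_relay_probes(log_lines, local_domains):
    """Return (logged_recipient, rewritten_target) for each %-routed probe."""
    hits = []
    for line in log_lines:
        m = RCPT_RE.search(line)
        if m:
            target = percent_hack_target(m.group(1), local_domains)
            if target:
                hits.append((m.group(1), target))
    return hits

# Constructed sample data (hypothetical hosts, documentation address space).
LOCAL = {"mail.example.org"}
SAMPLE_LOG = [
    "Apr  8 17:23:45 mx postfix/smtpd[1001]: reject: RCPT from "
    "probe.example.net[192.0.2.15]: 554 "
    "<relaytest%probe.example.net@mail.example.org>: Recipient address "
    "rejected: Relay access denied; from=<relaytestsend@mail.example.org> "
    "to=<relaytest%probe.example.net@mail.example.org>",
    "Apr  8 17:30:02 mx postfix/local[1002]: 7A1B2C3D4E: "
    "to=<alice@mail.example.org>, relay=local, status=sent",
]

if __name__ == "__main__":
    for rcpt, target in find_relay_probes(SAMPLE_LOG, LOCAL):
        print(f"probe: {rcpt} would be relayed to {target}")
```
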