[TriLUG] Sendmail question

Mark Fowle mark at thefowles.com
Sun Jan 23 21:56:07 EST 2005


Here's what I've had so far based on what I have been seeing in the files...

Connect:127     RELAY
hotmail.com     DISCARD
bluebottle.com  DISCARD
mailebs.com     DISCARD
*.tw            DISCARD
hush.ai         DISCARD
supernal.net    DISCARD
maxinet.net     DISCARD
imexo.be        DISCARD
pacbell.net     DISCARD
shawcable.net   DISCARD
FROM: 80.218.224.69     DISCARD

Based on the number of times this occurs I would say someone has taken 
the domain -  I'm not sure how to get it back....

Thanks,
Mark


Jeff Groves wrote:

> Mark:
>
> Someone/something is doing either an address book scan of your machine 
> (not very likely) or a virus/worm has gotten a hold of your domain 
> name and is generating fake email address messages that will cause 
> false "delivery failure" messages to be default delivered to some 
> other target domain postmaster (not you) in the hope that the 
> postmaster, usually a privileged user, will open one of the 
> attachments and infect their system as well.
>
> Best bet in my opinion is to put an entry in your /etc/mail/access 
> file to discard messages from the IP address/DNS name that is 
> generating these messages:
>
> From:123.123.123.123                    DISCARD
> From:infected.machine.bellsouth.net    DISCARD
>
> This only works if you have:
>
>   FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access')dnl
>
> included in your sendmail.mc file when you create your sendmail.cf file.
>
> Jeff G.
>
> Mark Fowle wrote:
>
>> Are there any sendmail gurus out there?  I've seen this in my 
>> maillogs and I'm not sure what's going on - I have tested the 
>> environment for relaying (and it doesn't - except for what's 
>> authorized) - plus I have added my SPF records to the zone files....
>> ... clip....
>> Jan 23 20:15:58 adelie1 sendmail[27321]: j0O1FqAQ027321: 
>> <fletcher at thefowles.com>... no
>> Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: lost input 
>> channel from [222.233.142.168] to MTA after data
>> Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: 
>> from=<marylou.wigginsel at 163.net>, size=0, class=0, nrcpts=0, 
>> proto=ESMTP, daemon=MTA, relay=[222.233.142.168]
>> Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: 
>> <barber at thefowles.com>... no
>> Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: 
>> <battle at thefowles.com>... no
>> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: 
>> <barr at thefowles.com>... no
>> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: 
>> <benjamin at thefowles.com>... no
>> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: 
>> <huber at thefowles.com>... no
>> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: 
>> <howe at thefowles.com>... no
>> Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: 
>> <houston at thefowles.com>... no
>> Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: 
>> <ibarra at thefowles.com>... no
>> Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: 
>> from=<YZUOMGCYA at earthlink.net>, size=0, class=0, nrcpts=0, 
>> proto=SMTP, daemon=MTA, relay=96.250.216.81.pite.siwnet.net 
>> [81.216.250.96]
>> Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: 
>> <hurley at thefowles.com>... no
>> Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: 
>> from=<zbgwfnrgf at telusplanet.net>, size=0, class=0, nrcpts=0, 
>> proto=SMTP, daemon=MTA, relay=96.250.216.81.pite.siwnet.net 
>> [81.216.250.96]
>> ....clip.....
>> They don't appear to be getting in.. but the non-existent users @ my 
>> domain are my concern....   or am I worrying over nothing?
>>
>> Thanks,
>> Mark
>>
>
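The log excerpt above shows the classic pattern of a recipient-harvesting run: one connecting relay, many "User unknown" rejections across several queue IDs, and a forged envelope sender on each. The script below is an added example for this thread, not code posted by Mark or Jeff; it parses sendmail maillog lines of the shape quoted above, groups them by queue ID, counts unknown-recipient rejections per connecting relay IP, and drafts access_db entries for the relays that exceed a threshold. It keys on the connecting address (sendmail's `Connect:` tag) rather than on the envelope-sender domain, because the sender domains in this traffic are forged, so a `From:hotmail.com DISCARD` entry would also drop genuine mail from that domain. The sample lines are constructed for the example (documentation-range IPs, example.com addresses) and use sendmail's full "User unknown" rejection text where the archive above shows it truncated to "no".

```python
"""Count unknown-recipient rejections per connecting relay in sendmail logs
and draft access_db entries (added example; not from the TriLUG thread)."""
import re
from collections import defaultdict

# Constructed sample log, modelled on the maillog format quoted in the thread.
# Hosts and IPs are placeholders (192.0.2.0/24 is the documentation range).
SAMPLE_LOG = """\
Jan 23 20:15:58 host1 sendmail[27321]: j0O1FqAQ027321: <fletcher@example.com>... User unknown
Jan 23 20:15:59 host1 sendmail[27321]: j0O1FqAQ027321: from=<forged1@example.org>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Jan 23 20:16:05 host1 sendmail[27322]: j0O1G4DF027322: <barber@example.com>... User unknown
Jan 23 20:16:05 host1 sendmail[27322]: j0O1G4DF027322: <battle@example.com>... User unknown
Jan 23 20:16:06 host1 sendmail[27322]: j0O1G4DF027322: <barr@example.com>... User unknown
Jan 23 20:16:07 host1 sendmail[27322]: j0O1G4DF027322: from=<forged2@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mail.example.invalid [192.0.2.20]
Jan 23 20:16:08 host1 sendmail[27322]: j0O1G4DG027322: <hurley@example.com>... User unknown
Jan 23 20:16:08 host1 sendmail[27322]: j0O1G4DG027322: from=<forged3@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=mail.example.invalid [192.0.2.20]
Jan 23 20:20:00 host1 sendmail[27330]: j0O1KxyZ027330: from=<alice@example.org>, size=1234, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.org [192.0.2.30]
"""

# "Mon DD HH:MM:SS host sendmail[pid]: QUEUEID: rest-of-line"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$"
)
# Recipient rejected during the SMTP dialogue: "<addr>... reason"
REJECT_RE = re.compile(r"^<(?P<rcpt>[^>]+)>\.\.\. (?P<reason>.*)$")
# Envelope line; relay is either "[ip]" or "name [ip]"
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>.*relay=(?:\S+ )?\[(?P<ip>[^\]]+)\]")


def parse_log(text):
    """Group lines by queue ID: rejected recipients plus sender and relay IP."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = msgs.setdefault(m["qid"], {"rejects": [], "sender": None, "ip": None})
        rest = m["rest"]
        r = REJECT_RE.match(rest)
        if r:
            entry["rejects"].append(r["rcpt"])
            continue
        f = FROM_RE.match(rest)
        if f:
            entry["sender"] = f["sender"]
            entry["ip"] = f["ip"]
    return msgs


def summarize_by_relay(msgs):
    """Per connecting IP: messages seen, unknown recipients hit, forged sender domains."""
    stats = defaultdict(lambda: {"messages": 0, "unknown_rcpts": 0, "sender_domains": set()})
    for e in msgs.values():
        if e["ip"] is None:  # no envelope line logged for this queue ID
            continue
        s = stats[e["ip"]]
        s["messages"] += 1
        s["unknown_rcpts"] += len(e["rejects"])
        if e["sender"] and "@" in e["sender"]:
            s["sender_domains"].add(e["sender"].rsplit("@", 1)[1].lower())
    return dict(stats)


def draft_access_entries(stats, min_unknown=3):
    """Draft access_db lines for relays with at least min_unknown unknown recipients.
    Connect: is the access_db tag matched against the connecting client address."""
    lines = []
    for ip, s in sorted(stats.items(), key=lambda kv: -kv[1]["unknown_rcpts"]):
        if s["unknown_rcpts"] >= min_unknown:
            lines.append(f"Connect:{ip}\tDISCARD")
    return lines


if __name__ == "__main__":
    relay_stats = summarize_by_relay(parse_log(SAMPLE_LOG))
    for ip, s in relay_stats.items():
        print(f"{ip}: {s['messages']} msgs, {s['unknown_rcpts']} unknown rcpts, "
              f"sender domains {sorted(s['sender_domains'])}")
    print("\n".join(draft_access_entries(relay_stats)))
```

The drafted lines are meant to be reviewed, then appended to /etc/mail/access and the map rebuilt with `makemap hash /etc/mail/access < /etc/mail/access`, which is what the `FEATURE(\`access_db', ...)` line in Jeff's reply makes sendmail consult. The threshold keeps a single mistyped address from a legitimate sender from being treated as a harvesting run.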


