[TriLUG] Sendmail question

Mark Fowle mark at thefowles.com
Sun Jan 23 23:16:43 EST 2005


Jeff -

Just adding those two entries made a bit of difference within the time 
it took to add them and rebuild/restart MailScanner and Sendmail -  :-)  
Score one for the good guys!

Mark


Jan 23 23:01:31 adelie1 sendmail[28688]: ruleset=check_relay, 
arg1=[211.230.87.246], arg2=127.0.0.3, relay=[211.230.87.246], 
reject=554 5.7.1 Rejected 211.230.87.246 -- We do not accept email from 
hosts in China or Korea.
Jan 23 23:01:31 adelie1 sendmail[28686]: ruleset=check_relay, 
arg1=[218.49.52.43], arg2=127.0.0.3, relay=[218.49.52.43], reject=554 
5.7.1 Rejected 218.49.52.43 -- We do not accept email from hosts in 
China or Korea.
Jan 23 23:01:32 adelie1 sendmail[28687]: ruleset=check_relay, 
arg1=[61.82.144.95], arg2=127.0.0.3, relay=[61.82.144.95], reject=554 
5.7.1 Rejected 61.82.144.95 -- We do not accept email from hosts in 
China or Korea.
Jan 23 23:01:34 adelie1 sendmail[28689]: ruleset=check_relay, 
arg1=[218.150.37.200], arg2=127.0.0.3, relay=[218.150.37.200], 
reject=554 5.7.1 Rejected 218.150.37.200 -- We do not accept email from 
hosts in China or Korea.
Jan 23 23:01:40 adelie1 sendmail[28690]: ruleset=check_relay, 
arg1=lsanca1-ar52-4-63-150-212.lsanca1.dsl-verizon.net, arg2=127.0.0.2, 
relay=lsanca1-ar52-4-63-150-212.lsanca1.dsl-verizon.net [4.63.150.212], 
reject=554 5.7.1 Rejected 4.63.150.212 -- We do not accept email from 
hosts controlled by known spammers.
Jan 23 23:01:51 adelie1 sendmail[28691]: ruleset=check_relay, 
arg1=[211.225.60.130], arg2=127.0.0.3, relay=[211.225.60.130], 
reject=554 5.7.1 Rejected 211.225.60.130 -- We do not accept email from 
hosts in China or Korea.
Jan 23 23:01:51 adelie1 sendmail[28692]: ruleset=check_relay, 
arg1=[218.50.124.61], arg2=127.0.0.3, relay=[218.50.124.61], reject=554 
5.7.1 Rejected 218.50.124.61 -- We do not accept email from hosts in 
China or Korea.



Jeff Groves wrote:

> No, it is doubtful that someone has taken the domain.  These email 
> worms are tenacious and spam the hell out of your server trying to 
> freak-out the postmaster on the other end.
>
> On a separate note, I noticed that your DISCARD entries are pretty harsh.
>
> What you have now will prevent ANY hotmail.com, pacbell.net, or 
> shawcable.net user from ever getting an email through to you in the 
> future.  Is that what you intended?
>
> Perhaps you might be more happy with implementing some DNS Blackhole 
> lists in your sendmail.mc file?  Here are just two of many that I 
> use.  These two knock-out a LARGE number of spam for me.  The 
> cn-kr.blackholes.us entry rejects pretty much any email that 
> originates from a Chinese or Korean machine.   The cbl.abuseat.org 
> entry is fed by a pretty intense system of spam-traps:
>
> FEATURE(`enhdnsbl', `cn-kr.blackholes.us', `"554 Rejected 
> "$&{client_addr} " -- We do not accept email from hosts in China or 
> Korea."')dnl
> FEATURE(`enhdnsbl', `cbl.abuseat.org', `"554 Rejected "$&{client_addr} 
> " -- We do not accept email from hosts controlled by known 
> spammers."')dnl
>
> Hope this helps,
>
> Jeff G.
>
> Mark Fowle wrote:
>
>> Here's what I've had so far based on what I have been seeing in the 
>> files...
>>
>> Connect:127     RELAY
>> hotmail.com     DISCARD
>> bluebottle.com  DISCARD
>> mailebs.com     DISCARD
>> *.tw            DISCARD
>> hush.ai         DISCARD
>> supernal.net    DISCARD
>> maxinet.net     DISCARD
>> imexo.be        DISCARD
>> pacbell.net     DISCARD
>> shawcable.net   DISCARD
>> FROM: 80.218.224.69     DISCARD
>>
>> Based on the number of times this occurs I would say someone has 
>> taken the domain -  I'm not sure how to get it back....
>>
>> Thanks,
>> Mark
>>
>>
>> Jeff Groves wrote:
>>
>>> Mark:
>>>
>>> Someone/something is doing either an address book scan of your 
>>> machine (not very likely) or a virus/worm has gotten a hold of your 
>>> domain name and is generating fake email address messages that will 
>>> cause false "delivery failure" messages to be default delivered to 
>>> some other target domain postmaster (not you) in the hope that the 
>>> postmaster, usually a privileged user, will open one of the 
>>> attachments and infect their system as well.
>>>
>>> Best bet in my opinion is to put an entry in your /etc/mail/access 
>>> file to discard messages from the IP address/DNS name that is 
>>> generating these messages:
>>>
>>> From:123.123.123.123                    DISCARD
>>> From:infected.machine.bellsouth.net    DISCARD
>>>
>>> This only works if you have:
>>>
>>>   FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access')dnl
>>>
>>> included in your sendmail.mc file when you create your sendmail.cf 
>>> file.
>>>
>>> Jeff G.
>>>
>>> Mark Fowle wrote:
>>>
>>>> Are there any sendmail gurus out there?  I've seen this in my 
>>>> maillogs and I'm not sure what's going on - I have tested the 
>>>> environment for relaying (and it doesn't - except for what's 
>>>> authorized) - plus I have added my SPF records to the zone files....
>>>> ... clip....
>>>> Jan 23 20:15:58 adelie1 sendmail[27321]: j0O1FqAQ027321: 
>>>> <fletcher at thefowles.com>... no
>>>> Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: lost input 
>>>> channel from [222.233.142.168] to MTA after data
>>>> Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: 
>>>> from=<marylou.wigginsel at 163.net>, size=0, class=0, nrcpts=0, 
>>>> proto=ESMTP, daemon=MTA, relay=[222.233.142.168]
>>>> Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>>> <barber at thefowles.com>... no
>>>> Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>>> <battle at thefowles.com>... no
>>>> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>>> <barr at thefowles.com>... no
>>>> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>>> <benjamin at thefowles.com>... no
>>>> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>>> <huber at thefowles.com>... no
>>>> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>>> <howe at thefowles.com>... no
>>>> Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>>> <houston at thefowles.com>... no
>>>> Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>>> <ibarra at thefowles.com>... no
>>>> Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>>> from=<YZUOMGCYA at earthlink.net>, size=0, class=0, nrcpts=0, 
>>>> proto=SMTP, daemon=MTA, relay=96.250.216.81.pite.siwnet.net 
>>>> [81.216.250.96]
>>>> Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: 
>>>> <hurley at thefowles.com>... no
>>>> Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: 
>>>> from=<zbgwfnrgf at telusplanet.net>, size=0, class=0, nrcpts=0, 
>>>> proto=SMTP, daemon=MTA, relay=96.250.216.81.pite.siwnet.net 
>>>> [81.216.250.96]
>>>> ....clip.....
>>>> They don't appear to be getting in.. but the non-existent users @ 
>>>> my domain are my concern....   or am I worrying over nothing?
>>>>
>>>> Thanks,
>>>> Mark
>>>>
>>>
>



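The enhdnsbl mechanism Jeff describes and the check_relay rejections Mark posted, as an added example that is not part of the thread: it builds the reversed-octet DNSBL query name for the two zones, produces the 554 reply for a listed client the way the two FEATURE lines do, and counts rejections in a wrapped maillog excerpt by arg2, which in the posted log carries the DNSBL answer (127.0.0.3 or 127.0.0.2). The pluggable resolve() argument and the exact reply format are assumptions for illustration; the default resolver issues real DNS queries.

```python
"""DNSBL check as sendmail's enhdnsbl FEATURE performs it, plus a parser for the
check_relay rejections it logs.  Added illustration, not sendmail's own code."""
import re
import socket
from collections import Counter
# Zones and reply texts from the FEATURE(`enhdnsbl', ...) lines in the thread.
DNSBL_ZONES = {
    "cn-kr.blackholes.us": "We do not accept email from hosts in China or Korea.",
    "cbl.abuseat.org": "We do not accept email from hosts controlled by known spammers.",
}

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 4.63.150.212 -> 212.150.63.4.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone

def check_relay(ip, resolve=socket.gethostbyname):
    """Return (DNSBL answer, SMTP reply) for the first zone listing ip, else None.
    resolve(name) returns an A record or raises OSError (socket.gaierror) when the
    name does not exist; the reply mirrors sendmail's ${client_addr} substitution."""
    for zone, text in DNSBL_ZONES.items():
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except OSError:
            continue  # NXDOMAIN: not listed in this zone
        if answer.startswith("127."):  # DNSBLs answer inside 127.0.0.0/8
            return answer, f"554 5.7.1 Rejected {ip} -- {text}"
    return None

LOG_RE = re.compile(r"ruleset=check_relay, .*?arg2=(\d+\.\d+\.\d+\.\d+), .*?"
                    r"reject=554 5\.7\.1 Rejected (\S+) -- (.+)")

def summarize_rejects(log_text):
    """Rejoin syslog lines wrapped by a mail client (continuations do not start
    with a month), then count rejections per (DNSBL answer, reason)."""
    unwrapped = re.sub(r"\s*\n(?![A-Z][a-z]{2} +\d)", " ", log_text.strip())
    return Counter((m.group(1), m.group(3)) for m in map(LOG_RE.search, unwrapped.splitlines()) if m)

# Two rejection records copied from the thread's maillog, wrapped as shown there.
SAMPLE_LOG = """Jan 23 23:01:31 adelie1 sendmail[28688]: ruleset=check_relay,
arg1=[211.230.87.246], arg2=127.0.0.3, relay=[211.230.87.246],
reject=554 5.7.1 Rejected 211.230.87.246 -- We do not accept email from
hosts in China or Korea.
Jan 23 23:01:40 adelie1 sendmail[28690]: ruleset=check_relay,
arg1=lsanca1-ar52-4-63-150-212.lsanca1.dsl-verizon.net, arg2=127.0.0.2,
relay=lsanca1-ar52-4-63-150-212.lsanca1.dsl-verizon.net [4.63.150.212],
reject=554 5.7.1 Rejected 4.63.150.212 -- We do not accept email from
hosts controlled by known spammers."""
```

Running summarize_rejects(SAMPLE_LOG) yields one rejection per zone, which is the kind of per-list tally that makes a sudden shift in what a DNSBL blocks visible before legitimate senders complain.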