I've just cleared still more dynamic blacklist entries for Oracle's MX
servers, including rcsinet11.oracle.com [148.87.113.123]. If someone
from within Oracle could please send me mail, I'd like to test that
the way here is truly cleared again.

This is happening because you have a compromised machine within Oracle
that is using your outbound MX to deliver spam from; see the appended
tracelog below by signature.

I believe Alan Bateman sent me mail, but it never got here. He was only
greylisted, not blacklisted, but his MTA "hung up the phone" and has not
yet called back:

Jan 21 08:53:06 chthon spamd[4395]: 148.87.113.121: connected (37/34)
Jan 21 08:53:23 chthon spamd[4395]: (GREY) 148.87.113.121: <[email protected]> -> <[email protected]>
Jan 21 08:53:27 chthon spamd[4395]: 148.87.113.121: disconnected after 21 seconds.

As I said, I have manually whitelisted some of these now. However, I do
not know what all of Oracle's outbound MX IPs are, and from Alan's (failed)
mail delivery attempt I can tell that there are some that are *not* the
same as the inbound MX IPs, as revealed by:

$ nslookup -q=mx oracle.com u-ns1.oracle.com.
Server: u-ns1.oracle.com.
Address: 204.74.108.1#53
oracle.com mail exchanger = 200 acsinet11.oracle.com.
oracle.com mail exchanger = 200 rcsinet12.oracle.com.
oracle.com mail exchanger = 200 rcsinet11.oracle.com.
oracle.com mail exchanger = 200 acsinet12.oracle.com.

I can clear out more if you could but tell me what they are. However,
there are still two problems:

1. Legitimate outbound MX servers need to be more patient (you
   can't hang up the phone after only a few seconds) and more compliant
   (you must call back on status 451 EX_TEMPFAIL per the spec).

2. Because you have several compromised outbound MX servers within
   Oracle, by whitelisting these compromised hosts, I have incurred
   a significant load on my machine as it goes through the trouble
   of accepting all the spam that you're spewing. I wish you would
   fix your system not to allow spammers to use you this way!!

--tom

[ This is output from the OpenBSD spamd(8) greylister; all times UTC-0700=MST ]
Jan 21 08:53:27 chthon spamd[4395]: 148.87.113.121: disconnected after 21 seconds.
Jan 21 08:53:23 chthon spamd[4395]: (GREY) 148.87.113.121: <[email protected]> -> <[email protected]>
Jan 21 08:53:06 chthon spamd[4395]: 148.87.113.121: connected (37/34)
Jan 21 00:03:06 chthon spamd[4395]: 148.87.113.124: disconnected after 395 seconds. lists: spamd-greytrap
Jan 21 00:01:55 chthon spamd[4395]: 148.87.113.124: Subject: Email attachment rejected by MM
Jan 21 00:01:55 chthon spamd[4395]: 148.87.113.124: To: [email protected]
Jan 21 00:01:55 chthon spamd[4395]: 148.87.113.124: From: [email protected]
Jan 21 00:00:00 chthon spamd[4395]: (BLACK) 148.87.113.124: <[email protected]> -> <[email protected]>
Jan 20 23:56:33 chthon spamd[4395]: 141.146.126.233: disconnected after 12 seconds.
Jan 20 23:56:32 chthon spamd[4395]: (GREY) 141.146.126.233: <[email protected]> -> <[email protected]>
Jan 20 23:56:32 chthon spamd[4395]: 141.146.126.234: disconnected after 12 seconds.
Jan 20 23:56:32 chthon spamd[4395]: (GREY) 141.146.126.234: <[email protected]> -> <[email protected]>
Jan 20 23:56:31 chthon spamd[4395]: 148.87.113.124: connected (33/30), lists: spamd-greytrap
Jan 20 23:56:28 chthon spamd[4395]: 148.87.113.123: disconnected after 12 seconds.
Jan 20 23:56:28 chthon spamd[4395]: (GREY) 148.87.113.123: <[email protected]> -> <[email protected]>
Jan 20 23:56:21 chthon spamd[4395]: 141.146.126.233: connected (35/30)
Jan 20 23:56:20 chthon spamd[4395]: 141.146.126.234: connected (34/30)
Jan 20 23:56:16 chthon spamd[4395]: 148.87.113.123: connected (33/30)
Jan 20 19:53:23 chthon spamd[4395]: 148.87.113.124: disconnected after 377 seconds. lists: spamd-greytrap
Jan 20 19:52:17 chthon spamd[4395]: 148.87.113.124: Subject: Email attachment rejected by MM
Jan 20 19:52:17 chthon spamd[4395]: 148.87.113.124: To: [email protected]
Jan 20 19:52:17 chthon spamd[4395]: 148.87.113.124: From: [email protected]
Jan 20 19:50:33 chthon spamd[4395]: (BLACK) 148.87.113.124: <[email protected]> -> <[email protected]>
Jan 20 19:50:13 chthon spamd[4395]: 141.146.126.233: disconnected after 13 seconds.
Jan 20 19:50:13 chthon spamd[4395]: (GREY) 141.146.126.233: <[email protected]> -> <[email protected]>
Jan 20 19:50:00 chthon spamd[4395]: 141.146.126.233: connected (27/26)
Jan 20 19:47:06 chthon spamd[4395]: 148.87.113.124: connected (24/24), lists: spamd-greytrap
Jan 20 19:45:34 chthon spamd[4395]: 148.87.113.123: disconnected after 12 seconds.
Jan 20 19:45:34 chthon spamd[4395]: (GREY) 148.87.113.123: <[email protected]> -> <[email protected]>
Jan 20 19:45:22 chthon spamd[4395]: 148.87.113.123: connected (27/26)
Jan 20 19:44:19 chthon spamd[4395]: 141.146.126.234: disconnected after 13 seconds.
Jan 20 19:44:19 chthon spamd[4395]: (GREY) 141.146.126.234: <[email protected]> -> <[email protected]>
Jan 20 19:44:06 chthon spamd[4395]: 141.146.126.234: connected (29/28)
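
Added example, not part of the original message: a Python script that reads spamd(8) log lines in the format quoted above and reports greylisted (IP, sender, recipient) tuples that never retried after the passtime, along with the IPs spamd shows as members of a blacklist. It assumes one log entry per line and spamd's default 25-minute passtime; the sample log is constructed, and the names `analyse`, `PASSTIME` and the `year` argument are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

PASSTIME = timedelta(minutes=25)  # assumed: spamd(8) default; match your -G setting

# Constructed sample in the spamd log format quoted in the mail; documentation
# addresses (RFC 5737) and example domains, not the hosts from the tracelog.
SAMPLE_LOG = """\
Jan 20 19:45:22 mx spamd[4395]: 192.0.2.10: connected (27/26)
Jan 20 19:45:34 mx spamd[4395]: (GREY) 192.0.2.10: <alice@example.com> -> <tom@example.org>
Jan 20 19:45:34 mx spamd[4395]: 192.0.2.10: disconnected after 12 seconds.
Jan 20 19:47:06 mx spamd[4395]: 192.0.2.20: connected (24/24), lists: spamd-greytrap
Jan 20 19:50:33 mx spamd[4395]: (BLACK) 192.0.2.20: <x@example.net> -> <trap@example.org>
Jan 20 19:53:23 mx spamd[4395]: 192.0.2.20: disconnected after 377 seconds. lists: spamd-greytrap
Jan 20 20:15:14 mx spamd[4395]: (GREY) 192.0.2.30: <bob@example.com> -> <tom@example.org>
Jan 20 20:15:14 mx spamd[4395]: 192.0.2.30: disconnected after 12 seconds.
Jan 20 20:45:52 mx spamd[4395]: (GREY) 192.0.2.30: <bob@example.com> -> <tom@example.org>
Jan 20 20:45:52 mx spamd[4395]: 192.0.2.30: disconnected after 12 seconds.
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ spamd\[\d+\]: (.*)$")
TUPLE = re.compile(r"^\((GREY|BLACK)\) (\S+): <([^>]*)> -> <([^>]*)>")
LISTS = re.compile(r"^(\S+): .*lists: (.+)$")

def analyse(log_text, year=2000):
    """Return (never_retried, trapped): GREY tuples with no retry at least
    PASSTIME after the first attempt, and IPs spamd lists on a blacklist."""
    attempts = defaultdict(list)  # (ip, sender, recipient) -> timestamps
    trapped = defaultdict(set)    # ip -> blacklist names
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # syslog timestamps carry no year, so one is assumed for parsing
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        body = m.group(2)
        t = TUPLE.match(body)
        if t and t.group(1) == "GREY":
            attempts[t.groups()[1:]].append(when)
        lm = LISTS.match(body)
        if lm:
            trapped[lm.group(1)].update(lm.group(2).split())
    never_retried = sorted(
        key for key, seen in attempts.items()
        if max(seen) - min(seen) < PASSTIME)
    return never_retried, {ip: sorted(names) for ip, names in trapped.items()}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Tuples in the first result are senders whose MTA gave up after the temporary failure; IPs in the second are the ones whose manual whitelisting deserves a second look.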