#first, don't match smtp and biz under rr.com
/(smtp.*|biz)\.rr\.com/ DUNNO
I ran the following trying to look for other possible valid outbound MTAs
(search for PTR *.rr.com with [EMAIL PROTECTED]
(note: I put USER in place of actual email addresses here... No sense in me
posting other people's addresses to a mailing list)
# zegrep -i '\.rr\.com.*4tuple.*from=<[EMAIL PROTECTED]>' /var/log/maillog.0.gz \
    | awk '{print $10" "$17}' | sort -f | uniq -i
alb-24-194-105-165.nycap.rr.com[24.194.105.165]: from=<[EMAIL PROTECTED]>
mls03.hawaii.rr.com[66.75.160.40]: from=<[EMAIL PROTECTED]>
ohsmtp02.ogw.rr.com[65.24.7.37]: from=<[EMAIL PROTECTED]>
unknown[218.145.163.110]: from=<[EMAIL PROTECTED]>
Now to compare some SMTP banners (screw the one with no PTR... comparing the
3 above with PTRs vs a couple of ms-smtp-*.rr.com banners)
Connected to ms-smtp-03.tampabay.rr.com.
220 ms-smtp-03 ESMTP Welcome to RoadRunner.
telnet: connect to alb-24-194-105-165.nycap.rr.com: Connection refused
Connected to mls03.hawaii.rr.com.
220 orngca-mls03.socal.rr.com ESMTP *** FOR AUTHORIZED USE ONLY! ***
Connected to ohsmtp02.ogw.rr.com.
220 ohsmtp02.ogw.rr.com ESMTP *** FOR AUTHORIZED USE ONLY! ***
Connected to ms-smtp-02.rdc-kc.rr.com.
220 ms-smtp-02.rdc-kc.rr.com ESMTP Welcome to Road Runner. WARNING: *** FOR AUTHORIZED USE ONLY! ***
Based on banners it looks like RR likes to put either 'welcome to roadrunner'
or the 'warning' with 3 asterisks on either side...
So the hawaii one also looks legit, but isn't covered by the (smtp|biz).
Based on my run here it looks like
/mls.*\.hawaii\.rr\.com/ DUNNO
should also be added.
Len, maybe you can do some pulls like this on one of your high-traffic
systems?
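
Added example, not part of the original post: a coverage check that runs the client names pulled from the log against the two DUNNO patterns and lists the names that fall through to whatever rule comes next. Assumptions: the function names are this example's own, the patterns carry a trailing `$` anchor that the post's do not, and the 192.0.2.x addresses and the last hostname are constructed.

```shell
#!/bin/sh
# The two DUNNO patterns from the post, combined, with every literal dot
# escaped. The trailing $ anchor is this example's assumption; without it a
# name that merely contains "smtp.rr.com" would also be let through.
ALLOW_RE='(smtp.*|biz)\.rr\.com$|mls.*\.hawaii\.rr\.com$'

# Constructed input in the "host[ip]:" shape of the awk $10 field. Only the
# 192.0.2.x addresses and the last hostname are constructed for this example.
sample_clients() {
cat <<'EOF'
ms-smtp-03.tampabay.rr.com[192.0.2.10]:
alb-24-194-105-165.nycap.rr.com[24.194.105.165]:
mls03.hawaii.rr.com[66.75.160.40]:
ohsmtp02.ogw.rr.com[65.24.7.37]:
unknown[218.145.163.110]:
smtp.rr.com.example.net[192.0.2.66]:
EOF
}

# Strip the "[ip]:" suffix so only the PTR name is matched.
client_name() { printf '%s\n' "${1%%\[*}"; }

# Exit status 0 when the name matches an allow pattern. -i mirrors the
# case-insensitive default of Postfix pcre tables.
is_covered() { printf '%s\n' "$1" | grep -Eiq "$ALLOW_RE"; }

# Read "host[ip]:" fields on stdin and print each name no pattern covers.
uncovered() {
  while read -r field; do
    name=$(client_name "$field")
    is_covered "$name" || printf '%s\n' "$name"
  done
}

# Names printed here are the ones to review by hand (banner check, as above).
sample_clients | uncovered
```

Feeding `uncovered` the first column of the zegrep/awk output instead of `sample_clients` gives the same report for a real log.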