[Mailman-Users] investigating attack-like "mail failures"

Sun, 13 Mar 2005 06:23:19 -0800 

Hi.

I've noticed a number of attack-like "mail failures". The rate at
which we see them comes and goes at different times of the day; when
they're active they pass through at the rate of 1 or 2 per minute.

Here's an example, for the list [EMAIL PROTECTED] (we've seen
this for other alu.org lists too).

    /var/log/maillog:
    Mar 13 02:56:28 bibop postfix/smtpd[17886]: connect from 
localhost[127.0.0.1]
    Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: 
client=localhost[127.0.0.1]
    Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: reject: RCPT from 
localhost[127.0.0.1]: 450 <[EMAIL PROTECTED]>: User unknown in local recipient 
table; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP 
helo=<bibop.alu.org>
    Mar 13 02:56:29 bibop postfix/smtpd[17886]: disconnect from 
localhost[127.0.0.1]

    /usr/local/mailman/smtp-failure:
    Mar 13 02:56:29 2005 (2547) All recipients refused: {'[EMAIL PROTECTED]': 
(450, '<[EMAIL PROTECTED]>: User unknown in local recipient table')}, msgid: 
<[EMAIL PROTECTED]>
    Mar 13 02:56:29 2005 (2547) delivery to [EMAIL PROTECTED] failed with code 
450: <[EMAIL PROTECTED]>: User unknown in local recipient table

    /usr/local/mailman/smtp:
    Mar 13 02:56:29 2005 (2547) <[EMAIL PROTECTED]> smtp for 1 recips, 
completed in 1.027 seconds

    /usr/local/mailman/post:
    Mar 13 02:56:29 2005 (2547) post to alu-board-only from [EMAIL PROTECTED], 
size=1066, message-id=<[EMAIL PROTECTED]>, 1 failures

What I'd like to know is where (and from apparantly who) this message
originated, but I can't figure out from these logs what's going on.

It looks like an attempt from the Outgoing qrunner to send mail to
alu-board-only (hence the alu-board-only-bounces return address), with
[EMAIL PROTECTED] as one of the addressees, which doesn't make sense.

Any ideas?

Thanks,

- nick
------------------------------------------------------
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&amp;file=faq01.027.htp

Reply via email to