Apparently, they're not running a very tight ship. I'm seeing:
Jan 15 15:16:04 mail sendmail[17255]: NOQUEUE: connect from cernmx08.cern.ch [137.138.166.172]
Jan 15 15:16:04 mail sendmail[17255]: AUTH: available mech=DIGEST-MD5 ANONYMOUS CRAM-MD5, allowed mech=EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Jan 15 15:16:04 mail sendmail[17255]: k0FMG4nc017255: Milter (mimdefang): init success to negotiate
Jan 15 15:16:04 mail sendmail[17255]: k0FMG4nc017255: Milter: connect to filters
Jan 15 15:16:04 mail mimedefang.pl[16045]: relay: 137.138.166.172, cernmx08.cern.ch
Jan 15 15:16:04 mail mimedefang.pl[16045]: relay: 137.138.166.172 matches 0.0.0.0/0
Jan 15 15:16:04 mail mimedefang.pl[16045]: relay: CONTINUE: OK
Jan 15 15:16:04 mail sendmail[17255]: k0FMG4nc017255: cernmx08.cern.ch [137.138.166.172] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4
So it looks like one or more of their MX servers either has user access on
it, and/or it's been compromised... and this has been going on for months.
I tried to point it out to them, but didn't hear back.
Anyone know what exactly they are probing for, or has anyone else seen this?
I might want to try to transcribe the session next time...
-Philip
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
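Before transcribing a session by hand, it helps to know how often a host does this and on what cadence. The script below is an added example, not code from the post above or from MIMEDefang: it reads sendmail syslog lines in the format quoted in the message, pairs each "NOQUEUE: connect from" line with the "did not issue MAIL/EXPN/VRFY/ETRN" line that follows it, and reports per source IP how many connections were opened and how many of them never issued an SMTP command. The sample log embedded in the block is constructed for the demo (the first line pair is modelled on the quoted entries; the other hosts, queue IDs and timestamps are invented), and the year is an assumed parameter because syslog timestamps omit it. It does not tell you what the remote side is probing for; it gives you the counts and spacing you would want in hand when reporting it to the remote postmaster.

```python
import re
from datetime import datetime

# Constructed sample log: one host that connects hourly and never talks,
# one host that delivers a message normally. Not a real capture.
SAMPLE_LOG = """\
Jan 15 15:16:04 mail sendmail[17255]: NOQUEUE: connect from cernmx08.cern.ch [137.138.166.172]
Jan 15 15:16:04 mail sendmail[17255]: k0FMG4nc017255: cernmx08.cern.ch [137.138.166.172] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4
Jan 15 15:20:11 mail sendmail[17301]: NOQUEUE: connect from mx1.example.net [192.0.2.10]
Jan 15 15:20:12 mail sendmail[17301]: k0FMKBxx017301: from=<alice@example.net>, size=1024, class=0, nrcpts=1, msgid=<x@example.net>, proto=ESMTP, daemon=MTA-v4, relay=mx1.example.net [192.0.2.10]
Jan 15 16:16:05 mail sendmail[17402]: NOQUEUE: connect from cernmx08.cern.ch [137.138.166.172]
Jan 15 16:16:07 mail sendmail[17402]: k0FNG5aa017402: cernmx08.cern.ch [137.138.166.172] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4
Jan 15 17:16:03 mail sendmail[17550]: NOQUEUE: connect from cernmx08.cern.ch [137.138.166.172]
Jan 15 17:16:03 mail sendmail[17550]: k0FOG3bb017550: cernmx08.cern.ch [137.138.166.172] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v4
"""

# Syslog envelope: timestamp, host, "sendmail[pid]: message".
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Connection open: "NOQUEUE: connect from host [ip]".
CONNECT = re.compile(r"^NOQUEUE: connect from (?P<host>\S+) \[(?P<ip>[^\]]+)\]")
# Connection closed without any envelope command; keyed by queue ID, host and IP inline.
SILENT = re.compile(
    r"^(?P<qid>\w+): (?P<host>\S+) \[(?P<ip>[^\]]+)\] did not issue MAIL/EXPN/VRFY/ETRN"
)


def _new_entry(host):
    return {"host": host, "connects": 0, "silent": 0, "times": []}


def summarize(log_text, year=2006):
    """Per source IP: connection count, silent-connection count and spacing between
    connections in seconds. `year` is assumed because syslog lines carry none."""
    stats = {}
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        c = CONNECT.match(msg)
        if c:
            s = stats.setdefault(c["ip"], _new_entry(c["host"]))
            s["connects"] += 1
            s["times"].append(ts)
            continue
        q = SILENT.match(msg)
        if q:
            s = stats.setdefault(q["ip"], _new_entry(q["host"]))
            s["silent"] += 1
    for s in stats.values():
        t = s["times"]
        # Seconds between successive connections; a steady interval suggests a cron job.
        s["spacing_s"] = [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
    return stats


def flag_probers(stats, min_silent=2):
    """IPs that connected at least `min_silent` times and never issued a command."""
    return sorted(
        ip for ip, s in stats.items()
        if s["silent"] >= min_silent and s["silent"] == s["connects"]
    )


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in flag_probers(stats):
        s = stats[ip]
        print(f"{ip} ({s['host']}): {s['connects']} connects, {s['silent']} silent, "
              f"spacing {s['spacing_s']} s")
```

To run it against a real maillog, replace SAMPLE_LOG with the file contents and raise `min_silent` until ordinary connection hiccups drop out; a host whose spacing is nearly constant to the second is almost certainly a scheduled check rather than a human.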