Background: I am running QMail 1.03 for several domains. I have a line in
/etc/hosts.allow (tcp-env ...) to allow the local network to relay. The
virtual domains are listed in rcpthosts and virtualdomains, as
appropriate. This is a long-running system.
'locals' contains "localhost", the FQDN for the host, and the
domain portion of the FQDN for the host.
I recently noticed that my /var/log/secure file was filling up
with hits from the same host, like so (names not changed to expose the
guilty):
Nov 7 12:08:36 nylon tcp-env[25358]: connect from labserver01.dls.itap.rmit.edu.au
I checked the /var/log/maillog file and found nothing that I could
relate to those entries.
I immediately added this host to my /etc/hosts.deny file for
tcp-env and the connections stopped after the first two refusals.
Question(s): Am I being used as a relay? If not, why would they
stop trying to connect as soon as they were refused? The sheer quantity of
connect attempts says that they are up to no good, but I have no
evidence of anything except their connections - nothing more. Are they
attempting to relay, but too stupid to check that my system won't relay
for them? Are they relaying, but I'm too stupid to configure qmail
properly? Enquiring minds want to know :-)
Thanks.
--
Roger Walker <http://www.rat-hole.com>
Voice/Fax 1-780-440-2685 <http://www.man-from-linux.com>
"HIS Pain; YOUR Gain" <http://www.rope.net>
<http://www.rope.net/signature.html>
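A small log check for the situation described in the post, added here as an example and not part of the original message: it parses the `tcp-env[...]: connect from ...` lines in /var/log/secure, counts accepted and refused connects per remote host, and flags any host whose accepted connects cluster in a short window, which is the pattern that prompted the question. The sample log lines are constructed (the `refused connect from` wording is assumed to be what the tcp wrapper writes after a hosts.deny match), and the window and threshold values are arbitrary defaults.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample /var/log/secure excerpt in the format shown in the post.
SAMPLE_SECURE_LOG = """\
Nov 7 12:08:36 nylon tcp-env[25358]: connect from labserver01.dls.itap.rmit.edu.au
Nov 7 12:08:37 nylon tcp-env[25359]: connect from labserver01.dls.itap.rmit.edu.au
Nov 7 12:08:37 nylon tcp-env[25360]: connect from labserver01.dls.itap.rmit.edu.au
Nov 7 12:09:01 nylon tcp-env[25361]: connect from mail.example.net
Nov 7 12:09:40 nylon tcp-env[25362]: refused connect from labserver01.dls.itap.rmit.edu.au
Nov 7 12:10:02 nylon sshd[25400]: Accepted password for roger from 192.0.2.10
"""

# Matches only tcp-env lines; "refused connect" is tried before "connect" so
# refusals are not miscounted as accepted connections.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"tcp-env\[\d+\]: (?P<action>refused connect|connect) from (?P<host>\S+)$"
)


def parse_tcp_env(log_text):
    """Return (epoch_seconds, action, host) for each tcp-env line; other daemons are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; a fixed year keeps them comparable within one file.
        ts = datetime.strptime(f"2000 {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts.timestamp(), m["action"], m["host"]))
    return events


def count_by_host(events):
    """Counter keyed by (host, action), e.g. ('mail.example.net', 'connect') -> 1."""
    return Counter((host, action) for _, action, host in events)


def bursty_hosts(events, max_per_window=2, window_seconds=60):
    """Map host -> largest number of accepted connects seen inside any window_seconds span,
    for hosts where that number exceeds max_per_window (sliding window per host)."""
    by_host = defaultdict(list)
    for ts, action, host in events:
        if action == "connect":
            by_host[host].append(ts)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            flagged[host] = peak
    return flagged
```

Run against the real file with `bursty_hosts(parse_tcp_env(open("/var/log/secure").read()))`; a host that is flagged here but has no matching qmail-smtpd activity in maillog is connecting without delivering mail, which is the situation the post describes.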