At 12:27 PM -0700 1/17/02, Warren Michelsen imposed structure on a stream of electrons, yielding:
>From one MTA in particular, I seem to not be able to receive mail.
>The log, on one occasion, shows:
>
>11:28:05 3 SMTP-875(grits.valdosta.peachnet.edu) Failed to verify. Real address is [168.18.130.246:58492]
>11:29:05 3 SMTP-875([168.18.130.246]) Return-Path-A Search Error. Error Code=-3162
>11:34:05 3 SMTP-875([168.18.130.246]) Time-Out. Read:
>
>On other days, there are many more connection attempts as indicated by the first two log lines but no corresponding "Time-Out. Read: " entries.
>
>The DNS seems to be pretty screwed up for these folks and that's causing the Failed to verify and Return-Path-A Search Error entries. Could the time-out problem be that grits.valdosta.peachnet.edu becomes impatient waiting for SIMS to finish its return path check and gives up before SIMS writes the Return-Path-A Search Error to the log?
>
>Does SIMS ignore anything from grits.valdosta.peachnet.edu between initial connection and when it concludes that the return path cannot be verified? Or, as the verification is going on, is grits.valdosta.peachnet.edu waiting on SIMS? Perhaps "grits" gives up within that first minute?
The action you are not seeing (level 4 and 5 entries...) is a MAIL FROM command with the return-path (aka sender address), which SIMS checks for validity. The 'A search error' means that SIMS did not find an MX for the domain part of that address, had to look for an A record, and found nothing there either. The next unseen bit is SIMS sending back a rejection of the mail (probably a 472, since I think 3162 means that SIMS didn't get any real answer) and then something that took 5 minutes. I suspect that what took 5 minutes is the sender attempting to blast ahead with the message, and finally SIMS giving up on getting anything it understood.

In other words: I think this really is a spammer.

The reason I think this is a spammer is that the machine you are talking to has a name in rDNS that looks like someone's dorm room DHCP client. It is running some services including FTP and SSH but not SMTP. It does appear to be running Solaris, but the presence of SSH is interesting since that's not a standard part of the Solaris distribution.

I suspect that if you increase the verbosity of your logging you will see the sender going ahead with an RCPT and DATA command and attempting to send a message despite getting errors from you.

-- 
Bill Cole
[EMAIL PROTECTED]

#############################################################
This message is sent to you because you are subscribed to the mailing list <[EMAIL PROTECTED]>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
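The return-path check and the "blast ahead" behaviour described in the reply, as an added illustration that is not part of this thread and is not SIMS code. The DNS table is an in-memory stand-in so it runs offline, the domain names and the `sims.example` / `dormroom.example` hosts are hypothetical, and the reply codes (451, 503, 500) follow ordinary RFC 5321 conventions rather than SIMS's own codes; SIMS's -3162 error and its log format are not reproduced. The session shows why a client that ignores the MAIL FROM rejection ends up feeding message body lines to a server that is still expecting commands, which is exactly the "nothing it understood" situation the reply suspects.

```python
"""Return-path check (MX, then A) and a client that ignores the rejection.

Added example, not SIMS code. DNS data, names and reply codes are assumptions.
"""

# Constructed stand-in for DNS so the script runs offline. Domains are hypothetical.
FAKE_DNS = {
    ("mx", "good.example"): ["mail.good.example"],
    ("a", "mail.good.example"): ["192.0.2.10"],
    ("a", "a-only.example"): ["192.0.2.20"],   # no MX; the A fallback covers it
    # "nowhere.example" has neither MX nor A: the "Return-Path-A Search Error" case
}


def lookup(rtype, name, table=FAKE_DNS):
    """Records of type rtype for name, [] if none (no NXDOMAIN/timeout distinction here)."""
    return table.get((rtype, name.lower()), [])


def verify_return_path(address, table=FAKE_DNS):
    """The check the reply describes: MX for the domain part of MAIL FROM,
    then an A record if there is no MX. Returns (accepted, reason).
    Accepting the null sender '<>' is an assumption (bounces have no domain)."""
    address = address.strip().strip("<>")
    if address == "":
        return True, "null sender"
    if "@" not in address:
        return False, "no domain part"
    domain = address.rsplit("@", 1)[1]
    if lookup("mx", domain, table):
        return True, "MX found"
    if lookup("a", domain, table):
        return True, "no MX, A found"
    return False, "Return-Path-A Search Error"


class SmtpSession:
    """Minimal server side of one SMTP transaction (assumed codes, not SIMS's)."""

    def __init__(self, table=FAKE_DNS):
        self.table = table
        self.sender = None      # set only after a verified MAIL FROM
        self.rcpts = []
        self.transcript = []    # (client line, server reply) pairs

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            reply = "250 sims.example"
        elif verb == "MAIL":
            addr = arg.partition(":")[2]          # "FROM:<x@y>" -> "<x@y>"
            ok, reason = verify_return_path(addr, self.table)
            if ok:
                self.sender = addr.strip().strip("<>")
                reply = "250 sender ok"
            else:
                # 4xx (temporary): a DNS failure may clear up later
                reply = f"451 return path rejected: {reason}"
        elif verb == "RCPT":
            if self.sender is None:
                reply = "503 bad sequence: no accepted MAIL FROM"
            else:
                self.rcpts.append(arg.partition(":")[2].strip().strip("<>"))
                reply = "250 recipient ok"
        elif verb == "DATA":
            if self.sender is None or not self.rcpts:
                reply = "503 bad sequence: no valid transaction"
            else:
                reply = "354 end data with <CR><LF>.<CR><LF>"
        elif verb == "QUIT":
            reply = "221 bye"
        else:
            # Message body lines sent outside DATA land here, one 500 each
            reply = "500 command unrecognized"
        self.transcript.append((line, reply))
        return reply


def run_session(client_lines, table=FAKE_DNS):
    """Feed a scripted client at the server; return the transcript."""
    session = SmtpSession(table)
    for line in client_lines:
        session.handle(line)
    return session.transcript


# Constructed sample: a client that never reads the server's replies and
# pushes headers, body and the terminating "." even though DATA was refused.
BLAST_AHEAD = [
    "HELO dormroom.example",
    "MAIL FROM:<spam@nowhere.example>",
    "RCPT TO:<victim@sims.example>",
    "DATA",
    "Subject: hi",
    "",
    "buy stuff",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for sent, got in run_session(BLAST_AHEAD):
        print(f"C: {sent}\nS: {got}")
```

Run it and the transcript reads: 250 to HELO, 451 to the unverifiable MAIL FROM, 503 to RCPT and DATA, then a 500 for every body line until QUIT. At log level 3 only the verification failure and the eventual read time-out appear; the 4xx/5xx exchanges are the "level 4 and 5 entries" the reply points at.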
