At 5:59 PM +0100 8/31/07, Clive Bruton imposed structure on a stream
of electrons, yielding:
> Ok, it happened again, and as far as I can tell from the logs there
> is no POP log-in by the host sending the spam:
>
> *******
> First logged connection:
> 14:19:13 3 SMTP-522(smtp0000.mail.yahoo.com) Failed to verify. Real address is [125.82.235.75:2432]
> 14:19:13 3 SMTP-417([77.123.105.53]) Abort Received, reason=60
> 14:19:13 3 SMTP-417([77.123.105.53]) Reading Failed. Error Code=-25010. Read:
> 14:19:14 3 SMTP-399(wicked.com) Failed to connect to [208.236.11.161:25]. reason=60
> 14:19:14 3 SMTP [S.0002952391] dequeueing
> 14:19:14 3 SMTP-419(sohu.com) Failed to connect to [61.135.132.110:25]. reason=60
> 14:19:14 3 SMTP-419(sohu.com) No relay address is accessable. Error Code=-25010
> 14:19:14 3 SMTP [S.0002950057] dequeueing
> 14:19:14 3 SMTP [S.0002950080] dequeueing
> 14:19:14 3 SMTP [S.0002948942] dequeueing
> 14:19:14 3 SMTP [S.0002949070] dequeueing
> 14:19:14 3 SMTP [S.0002950104] dequeueing
> 14:19:14 3 SMTP-414(gzyp21.net) Failed to connect to [219.137.167.218:25]. reason=60
> 14:19:14 3 SMTP-413(gzyp21.net) Failed to connect to [219.137.167.218:25]. reason=60
> 14:19:14 3 SMTP [S.0002952427] dequeueing
> 14:19:14 3 SMTP [S.0002948832] dequeueing
> 14:19:14 3 SMTP [S.0002950248] dequeueing
> 14:19:14 3 SMTP [S.0002952376] dequeueing
> 14:19:14 3 SMTP [S.0002952380] dequeueing
> 14:19:14 3 SMTP [S.0002952387] dequeueing
>
> Spam relay address identified by router:
> 14:19:16 5 ROUTER Input: lvlin(chinese.com)
> 14:19:16 5 ROUTER Parser: [EMAIL PROTECTED] -> lvlin(chinese.com)
> 14:19:16 3 SMTP [S.0002948989] delayed by sina.com.cn: 450 4.1.8 <[EMAIL PROTECTED]>: Sender address rejected: Domain not found\r
> 14:19:18 1 SMTP-526([58.65.90.221]) SPAM? Host is blacklisted per RBL cbl.abuseat.org with result [127.0.0.2]
> 14:19:20 3 SMTP [S.0002952893] delayed by sina.com.cn: 450 4.1.8 <[EMAIL PROTECTED]>: Sender address rejected: Domain not found\r
> 14:19:21 2 SMTP-522([125.82.235.75]) {S.0002956215} received, 964 bytes
> 14:19:21 5 ROUTER Input: lvlin(chinese.com)
> 14:19:21 5 ROUTER Parser: [EMAIL PROTECTED] -> lvlin(chinese.com)
>
> Another relay address:
> 14:19:22 5 ROUTER Input: caowhitneyq(mail.china.com)
> 14:19:22 5 ROUTER Parser: [EMAIL PROTECTED] -> caowhitneyq(mail.china.com)
> 14:19:27 3 SMTP-529(18.186.133.219.broad.sz.gd.dynamic.163data.com.cn) Failed to verify. Real address is [219.133.186.18:3847]
>
> Another relay address from a different host:
> 14:19:28 5 ROUTER Input: jlbrisbin(163data.com.cn)
> 14:19:28 5 ROUTER Parser: [EMAIL PROTECTED] -> jlbrisbin(163data.com.cn)
> 14:19:32 3 SMTP-528(sanshui.gd.cn) Failed to get IP addresses. Error Code=-3162
> 14:19:32 3 SMTP [S.0002952426] dequeueing
> ********
>
> Checked logs, closest previous POP log-in from different host is
> five minutes previously. Relaying allowed from POP hosts for *one*
> minute after log-in.
It looks like you don't really have logging turned up.
Each subsystem (POP, SMTP, SYSTEM, HTTP) in SIMS has its own log
level. The lack of level 4/5 SMTP entries above is proof that you
have SMTP logging set to level 3, since the level 3 entries describe
events between which many other lines would be logged if you had
logging set more verbosely. Since you've got so little there for SMTP
and it includes lines from 10 different sessions, some inbound and
some outbound, I'm having a hard time seeing the relaying...
> My best guess on this is that some machines on the LAN were logging
> into the POP host via the firewall/router (10.10.250.1) with the
> external name of the mail server (mail.indx.co.uk), rather than the
> LAN name of the server (mail.battersea.indx.co.uk). This caused the
> router/firewall itself to become "authenticated", thus any incoming
> SMTP was authenticated because it came through the router. ie:
>
> LAN mail client -> router -> mail server
>
> SIMS logs the LAN IP address of the router when these LAN clients log-in.
That would indeed authorize the router's IP address. Not good.
However, I'm not seeing any SMTP connections from anything but
external addresses in the log snippets above.
> I've changed all the LAN mail clients so that they log-in and send
> to mail.battersea.indx.co.uk (the LAN host), watching the logs to
> see what happens.
>
> My guess on why someone could still relay five minutes after a POP
> log-in is that throughout that period SMTP mail was incoming, so
> kept the router authenticated.
>
> Any other ideas?
That sounds reasonable.
You may want to reconsider your network configuration, if it is
really doing what you think.
--
Bill Cole
[EMAIL PROTECTED]
#############################################################
This message is sent to you because you are subscribed to
the mailing list <SIMS@mail.stalker.com>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
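The thread turns on how POP-before-SMTP relay authorization behaves: SIMS grants relay to the source IP it saw log in to POP, for one minute, and behind a NAT router that IP is the router's LAN address rather than the client's. Below is an added example (not SIMS code, not part of the original thread) that replays SIMS-style log lines and reports, for each SMTP submission, whether the connecting IP would have been inside its relay window and how long since the nearest POP log-in, which is the check Clive performed by hand. Only the general line shape `HH:MM:SS level SUBSYS-session(host) message` is taken from the excerpt; the POP "logged in" message text, the sample log, and every address other than the router's 10.10.250.1 are constructed assumptions.

```python
"""POP-before-SMTP relay audit over SIMS-style log lines.

Added example, not SIMS code. Only the general line shape
'HH:MM:SS level SUBSYS-session(host) message' is taken from the thread; the POP
"logged in" text, the constructed sample lines and every IP except the router's
10.10.250.1 are assumptions for illustration.
"""
import re
from datetime import datetime, timedelta

# The thread states relaying is allowed from a POP host for one minute after log-in.
RELAY_WINDOW = timedelta(minutes=1)

# Matches "SMTP-522([125.82.235.75]) ...", "POP-101([10.10.250.1]) ...", "ROUTER Input: ..."
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<level>\d) (?P<sub>[A-Z]+)"
    r"(?:-(?P<sid>\d+)\((?P<host>[^)]*)\))? (?P<msg>.*)$"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")

# Constructed sample: a LAN client logs in to POP through the NAT router, so the
# server records the router's LAN address; later, unrelated external hosts submit mail.
SAMPLE_LOG = """\
14:14:02 2 POP-101([10.10.250.1]) user 'alice' logged in
14:14:30 2 SMTP-102([10.10.250.1]) {S.0000000001} received, 512 bytes
14:15:10 2 SMTP-103([10.10.250.1]) {S.0000000002} received, 640 bytes
14:19:13 3 SMTP-522(smtp0000.mail.yahoo.com) Failed to verify. Real address is [125.82.235.75:2432]
14:19:21 2 SMTP-522([125.82.235.75]) {S.0002956215} received, 964 bytes
14:19:22 5 ROUTER Input: caowhitneyq(mail.china.com)
"""


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%H:%M:%S")
    # Client IP: prefer a bracketed address in the host field, otherwise one in the
    # message (e.g. "Real address is [ip:port]" on verification failures).
    ip = IP_RE.search(rec["host"] or "") or IP_RE.search(rec["msg"])
    rec["ip"] = ip.group(1) if ip else None
    return rec


def audit_relays(log_text, window=RELAY_WINDOW):
    """Replay the log and decide, for each SMTP submission, whether POP-before-SMTP
    would have authorized the connecting IP at that moment.

    Returns one dict per 'received' SMTP line with the verdict and the age (seconds,
    or None) of the most recent POP log-in from the same IP and from any IP.
    """
    authorized_until = {}   # ip -> datetime when its relay grant expires
    last_pop = {}           # ip -> datetime of its most recent POP log-in
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ip"] is None:
            continue
        t, ip = rec["time"], rec["ip"]
        if rec["sub"] == "POP" and "logged in" in rec["msg"]:
            # The grant is keyed on the *observed* source IP. Behind NAT that is the
            # router, so every later connection arriving via the router inherits it.
            authorized_until[ip] = t + window
            last_pop[ip] = t
        elif rec["sub"] == "SMTP" and "received" in rec["msg"]:
            expiry = authorized_until.get(ip)
            same = (t - last_pop[ip]).total_seconds() if ip in last_pop else None
            any_ = min(((t - v).total_seconds() for v in last_pop.values()), default=None)
            results.append({
                "time": t.strftime("%H:%M:%S"),
                "ip": ip,
                "authorized": expiry is not None and t <= expiry,
                "since_pop_same_ip": same,
                "since_pop_any_ip": any_,
            })
    return results


if __name__ == "__main__":
    for r in audit_relays(SAMPLE_LOG):
        flag = "OK" if r["authorized"] else "NOT AUTHORIZED"
        print(f"{r['time']} {r['ip']:<16} {flag:<15} last POP same IP: "
              f"{r['since_pop_same_ip']}s, any IP: {r['since_pop_any_ip']}s")
```

Run against the constructed sample, the first submission from 10.10.250.1 falls inside the window, the second arrives 68 seconds after the log-in and is refused, and the external host 125.82.235.75 has no POP log-in at all; the nearest one from any address is over five minutes old, matching the gap Clive reports. The point of keying on the router line is the one Bill raises: once NAT collapses every LAN client onto 10.10.250.1, a single POP log-in authorizes whatever the router forwards next, so the audit only catches abuse if the server sees the real client address.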