Here's what I've had so far based on what I have been seeing in the files...

Connect:127     RELAY
hotmail.com     DISCARD
bluebottle.com  DISCARD
mailebs.com     DISCARD
tw              DISCARD
hush.ai         DISCARD
supernal.net    DISCARD
maxinet.net     DISCARD
imexo.be        DISCARD
pacbell.net     DISCARD
shawcable.net   DISCARD
FROM: 80.218.224.69     DISCARD

Based on the number of times this occurs I would say someone has taken the domain - I'm not sure how to get it back....

Thanks,
Mark


Jeff Groves wrote:

Mark:

Someone/something is doing either an address book scan of your machine (not very likely) or a virus/worm has gotten a hold of your domain name and is generating fake email address messages that will cause false "delivery failure" messages to be default delivered to some other target domain postmaster (not you) in the hope that the postmaster, usually a privileged user, will open one of the attachments and infect their system as well.

Best bet in my opinion is to put an entry in your /etc/mail/access file to discard messages from the IP address/DNS name that is generating these messages:

From:123.123.123.123                    DISCARD
From:infected.machine.bellsouth.net    DISCARD

This only works if you have:

  FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access')dnl

included in your sendmail.mc file when you create your sendmail.cf file.

Jeff G.

Mark Fowle wrote:

Are there any sendmail gurus out there? I've seen this in my maillogs and I'm not sure what's going on - I have tested the environment for relaying (and it doesn't - except for what's authorized) - plus I have added my SPF records to the zone files....
... clip....
Jan 23 20:15:58 adelie1 sendmail[27321]: j0O1FqAQ027321: <[EMAIL PROTECTED]>... no
Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: lost input channel from [222.233.142.168] to MTA after data
Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[222.233.142.168]
Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=96.250.216.81.pite.siwnet.net [81.216.250.96]
Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=96.250.216.81.pite.siwnet.net [81.216.250.96]
....clip.....
They don't appear to be getting in.. but the non-existent users @ my domain are my concern.... or am I worrying over nothing?


Thanks,
Mark
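The maillog excerpt above and Jeff's access-file suggestion can be tied together with a small log tally. The script below is an added example written for this thread, not code from any of the posters or from sendmail: it pairs each queue id's recipient-rejection lines with the `from=...relay=` line that follows them, counts rejected addresses at the local domain per connecting IP, and prints candidate access-map entries once a relay crosses a threshold. The sample log lines are constructed in the shape of Mark's excerpt (placeholder addresses, RFC 5737 IPs, and a "User unknown" reason, since the thread's lines are cut off at "... no"); the `Connect:` tag is sendmail's tag for the connecting client's address, used here instead of Jeff's `From:` form.

```python
"""Tally sendmail recipient rejections per connecting relay and emit
candidate /etc/mail/access entries. Added example, not from the thread."""
import re
from collections import defaultdict

# Constructed sample in the shape of the maillog excerpt in the thread.
# Queue ids, addresses and IPs are placeholders, not the thread's values.
SAMPLE_LOG = """\
Jan 23 20:15:58 adelie1 sendmail[27321]: j0O1FqAQ027321: <ghost1@example.org>... User unknown
Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: lost input channel from [203.0.113.10] to MTA after data
Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: from=<spoofed@example.org>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[203.0.113.10]
Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: <ghost2@example.org>... User unknown
Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: <ghost3@example.org>... User unknown
Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: <ghost4@example.org>... User unknown
Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: from=<other@example.org>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host.example.net [198.51.100.7]
Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: <ghost5@example.org>... User unknown
Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: from=<other@example.org>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host.example.net [198.51.100.7]
Jan 23 20:20:00 adelie1 sendmail[27400]: j0O1KxYZ027400: <alice@example.org>... User unknown
Jan 23 20:20:00 adelie1 sendmail[27400]: j0O1KxYZ027400: from=<friend@example.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.0.2.5]
"""

# "sendmail[pid]: queueid: rest-of-message"
QUEUE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
# recipient rejection: "<addr>... reason"
REJECT_RE = re.compile(r"^<(?P<rcpt>[^>]+)>\.\.\. (?P<reason>.*)$")
# envelope line: "from=<addr>, ..., relay=[ip]" or "relay=name [ip]"
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>.*relay=(?:\S+ )?\[(?P<ip>[\d.]+)\]")


def parse_maillog(text, local_domain):
    """Return {relay_ip: {"rejected": [...], "senders": set(), "local_bogus": n}}.

    Recipient lines are logged before the from= line of the same queue id,
    so rejections are buffered per queue id until the relay is known.
    """
    pending = defaultdict(list)
    stats = defaultdict(lambda: {"rejected": [], "senders": set(), "local_bogus": 0})
    suffix = "@" + local_domain.lower()
    for line in text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        r = REJECT_RE.match(rest)
        if r:
            pending[qid].append(r.group("rcpt"))
            continue
        f = FROM_RE.match(rest)
        if f:
            entry = stats[f.group("ip")]
            entry["senders"].add(f.group("sender"))
            for rcpt in pending.pop(qid, []):
                entry["rejected"].append(rcpt)
                if rcpt.lower().endswith(suffix):
                    entry["local_bogus"] += 1
    return dict(stats)


def access_entries(stats, threshold=3):
    """Relays with `threshold` or more unknown local recipients get a
    Connect: DISCARD line in access-file syntax (key, tab, value)."""
    lines = []
    for ip in sorted(stats, key=lambda k: -stats[k]["local_bogus"]):
        if stats[ip]["local_bogus"] >= threshold:
            lines.append(f"Connect:{ip}\tDISCARD")
    return lines


if __name__ == "__main__":
    tally = parse_maillog(SAMPLE_LOG, "example.org")
    for ip, s in sorted(tally.items(), key=lambda kv: -kv[1]["local_bogus"]):
        print(f"{ip:16} unknown-local={s['local_bogus']:3} "
              f"senders={sorted(s['senders'])}")
    print("\n".join(access_entries(tally)))
```

The threshold keeps a single typo from a legitimate sender (the 192.0.2.5 line) out of the blocklist; only the relay that probed four unknown local addresses is emitted. Entries produced this way go into /etc/mail/access and take effect after `makemap hash /etc/mail/access < /etc/mail/access`, and only help against a relay that stays on one address; backscatter from a worm spread across many hosts shows up as many low-count IPs instead, which is why the "senders" column is worth watching alongside the count.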


--
TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ  : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc