Jeff -
Thanks. I didn't know about these. My acces was done more out of desperation - I'd stop one and another one would start up. I couldn't figure out where it was coming from - it was all over -- no rhyme or reason.
Thanks, mark
Jeff Groves wrote:
No, it is doubtful that someone has taken the domain. These email worms are tenacious and spam the hell out of your server trying to freak-out the postmaster on the other end.
On a separate note, I noticed that your DISCARD entries are pretty harsh.
What you have now will prevent ANY hotmail.com, pacbell.net, or shawcable.net user from ever getting an email through to you in the future. Is that what you intended?
Perhaps you might be more happy with implementing some DNS Blackhole lists in your sendmail.mc file? Here are just two of many that I use. These two knock-out a LARGE number of spam for me. The cn-kr.blackholes.us entry rejects pretty much any email that originates from a Chinese or Korean machine. The cbl.abuseat.org entry is fed by a pretty intense system of spam-traps:
FEATURE(`enhdnsbl', `cn-kr.blackholes.us', `"554 Rejected "$&{client_addr} " -- We do not accept email from hosts in China or Korea."')dnl
FEATURE(`enhdnsbl', `cbl.abuseat.org', `"554 Rejected "$&{client_addr} " -- We do not accept email from hosts controlled by known spammers."')dnl
Hope this helps,
Jeff G.
Mark Fowle wrote:
Here's what I've had so far based on what I have been seeing in the files...
Connect:127 RELAY hotmail.com DISCARD bluebottle.com DISCARD mailebs.com DISCARD *.tw DISCARD hush.ai DISCARD supernal.net DISCARD maxinet.net DISCARD imexo.be DISCARD pacbell.net DISCARD shawcable.net DISCARD FROM: 80.218.224.69 DISCARD
Based on the number of times this occurs I would say someone has taken the domain - I'm not sure how to get it back....
Thanks, Mark
Jeff Groves wrote:
Mark:
Someone/something is doing either an address book scan of your machine (not very likely) or a virus/worm has gotten a hold of your domain name and is generating fake email address messages that will cause false "delivery failure" messages to be default delivered to some other target domain postmaster (not you) in the hope that the postmaster, usually a privileged user, will open one of the attachments and infect their system as well.
Best bet in my opinion is to put an entry in your /etc/mail/access file to discard messages from the IP address/DNS name that is generating these messages:
From:123.123.123.123 DISCARD From:infected.machine.bellsouth.net DISCARD
This only works if you have:
FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access')dnl
included in your sendmail.mc file when you create your sendmail.cf file.
Jeff G.
Mark Fowle wrote:
Are there any sendmail guru's out there? I've seen this in my maillogs and I'm not sure what's going on - I have tested the environment for relaying (and it doesn't - except for what's authorized) - plus I have added my SPF records to the zone files....
... clip....
Jan 23 20:15:58 adelie1 sendmail[27321]: j0O1FqAQ027321: <[EMAIL PROTECTED]>... no
Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: lost input channel from [222.233.142.168] to MTA after data
Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[222.233.142.168]
Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=96.250.216.81.pite.siwnet.net [81.216.250.96]
Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: <[EMAIL PROTECTED]>... no
Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: from=<[EMAIL PROTECTED]>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=96.250.216.81.pite.siwnet.net [81.216.250.96]
....clip.....
They don't appear to be getting in.. but the non-exsitent users @ my domain are my concern.... or am I worrying over nothing?
Thanks, Mark
-- TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug TriLUG Organizational FAQ : http://trilug.org/faq/ TriLUG Member Services FAQ : http://members.trilug.org/services_faq/ TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
