[luau] Blocking mail relayers

Mike Ballon calzonie at hotmail.com
Thu Sep 26 08:24:01 PDT 2002


This doesn't look like a relay attempt but normal spam using an e-mail
address generator destined for your domain, and the user(s) didn't exist.


----- Original Message -----
From: "Erich S." <sharky at websharx.com>
To: <luau at videl.ics.hawaii.edu>
Sent: Wednesday, September 25, 2002 7:22 PM
Subject: Re: [luau] Blocking mail relayers


> On Wed, 25 Sep 2002, Mike Ballon wrote:
>
> > Sendmail does NOT need to be restarted when updating the access file, it
> > does need to be built of course 'make access.db' but that's it.
> >
> > I'd like to see a snip of the maillog to see if he was actually being
> > allowed to relay though.
> >
>
> Hmmm I didn't do a 'make access.db', I did a '/sbin/service sendmail
> restart'. Does that force a 'make access.db'?
>
> Anyway, here's a partial snippet of maillog. There were quite a few
> attempts, each appearing to use different namesets within my domain.
>
> ==============================================================
> Sep 23 02:01:44 tiger sendmail[27409]: g8NC1eV27409: <showman at websharx.com>... User unknown
> Sep 23 02:01:44 tiger sendmail[27409]: g8NC1eV27409: <martinet at websharx.com>... User unknown
> Sep 23 02:01:44 tiger sendmail[27409]: g8NC1eV27409: <donblack at websharx.com>... User unknown
> Sep 23 02:01:44 tiger sendmail[27409]: g8NC1eV27409: <bradman at websharx.com>... User unknown
> Sep 23 02:01:44 tiger sendmail[27409]: g8NC1eV27409: <poden at websharx.com>... User unknown
> Sep 23 02:01:44 tiger sendmail[27409]: g8NC1eV27409: <wtang at websharx.com>... User unknown
> Sep 23 02:01:44 tiger sendmail[27409]: g8NC1eV27409: <bruening at websharx.com>... User unknown
> Sep 23 02:01:44 tiger sendmail[27409]: g8NC1eV27409: <riverside at websharx.com>... User unknown
> Sep 23 02:01:44 tiger sendmail[27409]: g8NC1eV27409: <kjoseph at websharx.com>... User unknown
> Sep 23 02:01:44 tiger sendmail[27409]: g8NC1eV27409: <kellee at websharx.com>... User unknown
> Sep 23 02:01:44 tiger sendmail[27409]: g8NC1eV27409: from=<john at blaze.bc.ca>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=rlkal1a046.comtech-data.se [194.198.208.46] (may be forged)
> ==============================================================
>
> After putting in the hosts.deny entry, restarting XINETD, putting in
> the entry in /etc/mail/access, and restarting sendmail, this is what turns
> up in the log about every 20 minutes or so:
>
> ==============================================================
> Sep 25 13:07:10 tiger sendmail[31999]: g8PN79P31999: ruleset=check_relay, arg1=rlkal1a009.comtech-data.se, arg2=194.198.208.9, relay=rlkal1a009.comtech-data.se [194.198.208.9] (may be forged), reject=550 5.7.1 Access denied
> Sep 25 13:07:11 tiger sendmail[31999]: NOQUEUE: rlkal1a009.comtech-data.se [194.198.208.9] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
> Sep 25 13:51:22 tiger sendmail[32024]: g8PNpLP32024: ruleset=check_relay, arg1=rlkal1a009.comtech-data.se, arg2=194.198.208.9, relay=rlkal1a009.comtech-data.se [194.198.208.9] (may be forged), reject=550 5.7.1 Access denied
> Sep 25 13:51:25 tiger sendmail[32024]: NOQUEUE: rlkal1a009.comtech-data.se [194.198.208.9] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
> Sep 25 14:36:46 tiger sendmail[32062]: g8Q0agP32062: ruleset=check_relay, arg1=rlkal1a009.comtech-data.se, arg2=194.198.208.9, relay=rlkal1a009.comtech-data.se [194.198.208.9] (may be forged), reject=550 5.7.1 Access denied
> Sep 25 14:36:47 tiger sendmail[32062]: NOQUEUE: rlkal1a009.comtech-data.se [194.198.208.9] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
> ==============================================================
>
> Not sure what else I can do. Most Euros I've dealt with are scum so being
> able to block this dood is at least gratifying in a small way. Euros like
> to talk big about the evil USA but to date most problems I've had with
> outside intruders have been from Euros who seem to have nothing better to
> do with their time.
>
> Thanks all for the comments and advice. And sorry if this type of dialogue
> isn't very interesting...I'll try and think of an obligatory MS Bash or
> Linux Boast later when I'm finished having fun learning this stuff.
> (tongue placed firmly in cheek)
>
> Sharky
>
> _______________________________________________
> LUAU mailing list
> LUAU at videl.ics.hawaii.edu
> http://videl.ics.hawaii.edu/mailman/listinfo/luau
>
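
The distinction drawn at the top of this message, address guessing against the local domain versus an actual relay attempt, can be read off the maillog per queue ID. The following is an added example, not part of the thread: it runs on constructed log lines with documentation addresses, the "Relaying denied" line is standard sendmail output that does not appear in the quoted log, and the verdict names and the min_unknown threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the sendmail maillog layout quoted in this thread (lines unwrapped).
SAMPLE = """\
Sep 23 02:01:44 mx sendmail[100]: qidAAA000001: <alice1@example.org>... User unknown
Sep 23 02:01:44 mx sendmail[100]: qidAAA000001: <bob2@example.org>... User unknown
Sep 23 02:01:44 mx sendmail[100]: qidAAA000001: <carol3@example.org>... User unknown
Sep 23 02:01:44 mx sendmail[100]: qidAAA000001: from=<x@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host46.example.com [192.0.2.46] (may be forged)
Sep 25 13:07:10 mx sendmail[200]: qidBBB000002: ruleset=check_relay, arg1=host9.example.com, arg2=192.0.2.9, relay=host9.example.com [192.0.2.9] (may be forged), reject=550 5.7.1 Access denied
Sep 25 13:07:11 mx sendmail[200]: NOQUEUE: host9.example.com [192.0.2.9] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Sep 25 15:00:00 mx sendmail[300]: qidCCC000003: ruleset=check_rcpt, arg1=<v@elsewhere.example>, relay=host7.example.com [192.0.2.7], reject=550 5.7.1 <v@elsewhere.example>... Relaying denied
"""

LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)")
RELAY = re.compile(r"relay=(?:\S+ )?\[(?P<ip>[\d.]+)\]")
NRCPTS = re.compile(r"nrcpts=(\d+)")

def classify(log_text, min_unknown=3):
    """Group lines by queue ID and return {qid: (verdict, client_ip, unknown_count)}."""
    sessions = defaultdict(lambda: {"unknown": 0, "relay_denied": 0,
                                    "access_denied": 0, "ip": None, "nrcpts": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["qid"] == "NOQUEUE":
            continue  # NOQUEUE lines only repeat what the check_relay line already says
        s, rest = sessions[m["qid"]], m["rest"].rstrip()
        s["unknown"] += rest.endswith("User unknown")
        s["relay_denied"] += "Relaying denied" in rest
        s["access_denied"] += "ruleset=check_relay" in rest and "reject=" in rest
        r = RELAY.search(rest)
        if r:
            s["ip"] = r["ip"]
        n = NRCPTS.search(rest)
        if n:
            s["nrcpts"] = int(n[1])
    verdicts = {}
    for qid, s in sessions.items():
        if s["access_denied"]:
            v = "blocked-by-access-db"   # rejected at connect time by the access map
        elif s["relay_denied"]:
            v = "relay-attempt"          # recipient outside the domains we relay for
        elif s["unknown"] >= min_unknown and s["nrcpts"] == 0:
            v = "address-guessing"       # many local guesses, no recipient accepted
        else:
            v = "other"
        verdicts[qid] = (v, s["ip"], s["unknown"])
    return verdicts

if __name__ == "__main__":
    for qid, verdict in classify(SAMPLE).items():
        print(qid, *verdict)
```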


