[TriLUG] Sendmail question

Jeff Groves jgroves at krenim.org
Sun Jan 23 21:14:14 EST 2005


Mark:

Someone/something is doing either an address book scan of your machine (not very likely) or a 
virus/worm has gotten a hold of your domain name and is generating fake email address 
messages that will cause false "delivery failure" messages to be default delivered to some 
other target domain postmaster (not you) in the hope that the postmaster, usually a 
privileged user, will open one of the attachments and infect their system as well.

Best bet in my opinion is to put an entry in your /etc/mail/access file to discard messages 
from the IP address/DNS name that is generating these messages:

From:123.123.123.123	                DISCARD
From:infected.machine.bellsouth.net	DISCARD

This only works if you have:

   FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access')dnl

included in your sendmail.mc file when you create your sendmail.cf file.

Jeff G.

Mark Fowle wrote:
> Are there any sendmail gurus out there?  I've seen this in my maillogs 
> and I'm not sure what's going on - I have tested the environment for 
> relaying (and it doesn't - except for what's authorized) - plus I have 
> added my SPF records to the zone files....
> ... clip....
> Jan 23 20:15:58 adelie1 sendmail[27321]: j0O1FqAQ027321: 
> <fletcher at thefowles.com>... no
> Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: lost input 
> channel from [222.233.142.168] to MTA after data
> Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: 
> from=<marylou.wigginsel at 163.net>, size=0, class=0, nrcpts=0, 
> proto=ESMTP, daemon=MTA, relay=[222.233.142.168]
> Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: 
> <barber at thefowles.com>... no
> Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: 
> <battle at thefowles.com>... no
> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: 
> <barr at thefowles.com>... no
> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: 
> <benjamin at thefowles.com>... no
> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: 
> <huber at thefowles.com>... no
> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: 
> <howe at thefowles.com>... no
> Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: 
> <houston at thefowles.com>... no
> Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: 
> <ibarra at thefowles.com>... no
> Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: 
> from=<YZUOMGCYA at earthlink.net>, size=0, class=0, nrcpts=0, proto=SMTP, 
> daemon=MTA, relay=96.250.216.81.pite.siwnet.net [81.216.250.96]
> Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: 
> <hurley at thefowles.com>... no
> Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: 
> from=<zbgwfnrgf at telusplanet.net>, size=0, class=0, nrcpts=0, proto=SMTP, 
> daemon=MTA, relay=96.250.216.81.pite.siwnet.net [81.216.250.96]
> ....clip.....
> They don't appear to be getting in.. but the non-existent users @ my 
> domain are my concern....   or am I worrying over nothing?
> 
> Thanks,
> Mark
> 

-- 
Law of Procrastination:
         Procrastination avoids boredom; one never has
         the feeling that there is nothing important to do.
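The log excerpt quoted in Mark's message has a recognisable shape: one session (one queue id) tries a run of recipients that do not exist, each rejected before DATA, and then the from= line names the relay that sent them. The script below is an added example, not code from this thread or from the sendmail project; it parses maillog lines of that shape, counts rejected recipients per connecting IP, and prints candidate access-file entries for relays above a threshold. The sample log lines are constructed (RFC 5737 documentation addresses and example.* domains, not the hosts in the post), and the entries it emits use the Connect: tag, which keys on the connecting client address. Regex shapes, the threshold of 5, and the DISCARD default are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines (not from the original post) in the shape
# of the ones quoted above; hosts use RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: <barber@example.org>... User unknown
Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: <battle@example.org>... User unknown
Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: <barr@example.org>... User unknown
Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: <benjamin@example.org>... User unknown
Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: <huber@example.org>... User unknown
Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: from=<YZUOMGCYA@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=dial.example.net [192.0.2.10]
Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: <hurley@example.org>... User unknown
Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: from=<zbgwfnrgf@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=dial.example.net [192.0.2.10]
Jan 23 20:20:00 adelie1 sendmail[27400]: j0O1KxAB027400: <nobody@example.org>... User unknown
Jan 23 20:20:01 adelie1 sendmail[27400]: j0O1KxAB027400: from=<alice@example.com>, size=1200, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.com [198.51.100.5]
"""

# Every entry looks like "... sendmail[PID]: QUEUEID: <rest>"; the queue id
# ties the recipient rejections to the later from= line of the same session.
ENTRY_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")
# A recipient rejected before DATA; the list archive above shows these as "... no",
# so both spellings are accepted here.
REJECT_RE = re.compile(r"^<(?P<rcpt>[^>]+)>\.\.\. (?:User unknown|no)\b")
# The envelope line that names the connecting relay; the IP is in the trailing [...],
# with an optional reverse-DNS name in front of it.
FROM_RE = re.compile(r"^from=<[^>]*>.*relay=(?P<name>\S+ )?\[(?P<ip>[0-9a-fA-F.:]+)\]")


def parse_maillog(text):
    """Group log lines by queue id: rejected recipients and the relay IP."""
    sessions = defaultdict(lambda: {"rejected": [], "ip": None})
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        sess = sessions[m.group("qid")]
        rest = m.group("rest")
        r = REJECT_RE.match(rest)
        if r:
            sess["rejected"].append(r.group("rcpt"))
            continue
        f = FROM_RE.match(rest)
        if f:
            sess["ip"] = f.group("ip")
    return dict(sessions)


def rejections_by_relay(sessions):
    """Count rejected (non-existent) recipients per connecting IP.

    Sessions whose from= line never appeared (e.g. the client dropped the
    connection before it) have no IP and are skipped.
    """
    counts = defaultdict(int)
    for sess in sessions.values():
        if sess["ip"] is not None:
            counts[sess["ip"]] += len(sess["rejected"])
    return dict(counts)


def access_entries(counts, threshold=5, action="DISCARD"):
    """Render /etc/mail/access lines for relays at or above the threshold.

    Uses the Connect: tag, which keys on the connecting client address.
    """
    return [f"Connect:{ip}\t{action}"
            for ip, n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    counts = rejections_by_relay(parse_maillog(SAMPLE_LOG))
    for ip, n in sorted(counts.items()):
        print(f"{ip}: {n} rejected recipients")
    print("\n".join(access_entries(counts)))
```

On the constructed sample the dial-up relay at 192.0.2.10 accumulates six rejected recipients across two sessions and is the only one that crosses the threshold; the single typo-style bounce from 198.51.100.5 stays below it, which is the point of counting per relay rather than acting on every "User unknown". Lines the script prints can be appended to /etc/mail/access and the map rebuilt with `makemap hash /etc/mail/access < /etc/mail/access`, given the access_db FEATURE line Jeff mentions.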
