[TriLUG] Sendmail question

Jeff Groves jgroves at krenim.org
Sun Jan 23 22:24:37 EST 2005


No, it is doubtful that someone has taken the domain.  These email worms are tenacious and
spam the hell out of your server trying to freak out the postmaster on the other end.

On a separate note, I noticed that your DISCARD entries are pretty harsh.

What you have now will prevent ANY hotmail.com, pacbell.net, or shawcable.net user from ever 
getting an email through to you in the future.  Is that what you intended?

Perhaps you might be happier implementing some DNS Blackhole lists in your
sendmail.mc file?  Here are just two of many that I use.  These two knock out a LARGE amount
of spam for me.  The cn-kr.blackholes.us entry rejects pretty much any email that originates
from a Chinese or Korean machine.  The cbl.abuseat.org entry is fed by a pretty intense
system of spam-traps:

FEATURE(`enhdnsbl', `cn-kr.blackholes.us', `"554 Rejected "$&{client_addr} " -- We do not accept email from hosts in China or Korea."')dnl
FEATURE(`enhdnsbl', `cbl.abuseat.org', `"554 Rejected "$&{client_addr} " -- We do not accept email from hosts controlled by known spammers."')dnl

Hope this helps,

Jeff G.

Mark Fowle wrote:
> Here's what I've had so far based on what I have been seeing in the 
> files...
> 
> Connect:127     RELAY
> hotmail.com     DISCARD
> bluebottle.com  DISCARD
> mailebs.com     DISCARD
> *.tw            DISCARD
> hush.ai         DISCARD
> supernal.net    DISCARD
> maxinet.net     DISCARD
> imexo.be        DISCARD
> pacbell.net     DISCARD
> shawcable.net   DISCARD
> FROM: 80.218.224.69     DISCARD
> 
> Based on the number of times this occurs I would say someone has taken 
> the domain -  I'm not sure how to get it back....
> 
> Thanks,
> Mark
> 
> 
> Jeff Groves wrote:
> 
>> Mark:
>>
>> Someone/something is doing either an address book scan of your machine 
>> (not very likely) or a virus/worm has gotten a hold of your domain 
>> name and is generating fake email address messages that will cause 
>> false "delivery failure" messages to be default delivered to some 
>> other target domain postmaster (not you) in the hope that the 
>> postmaster, usually a privileged user, will open one of the 
>> attachments and infect their system as well.
>>
>> Best bet in my opinion is to put an entry in your /etc/mail/access 
>> file to discard messages from the IP address/DNS name that is 
>> generating these messages:
>>
>> From:123.123.123.123                    DISCARD
>> From:infected.machine.bellsouth.net    DISCARD
>>
>> This only works if you have:
>>
>>   FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access')dnl
>>
>> included in your sendmail.mc file when you create your sendmail.cf file.
>>
>> Jeff G.
>>
>> Mark Fowle wrote:
>>
>>> Are there any sendmail gurus out there?  I've seen this in my
>>> maillogs and I'm not sure what's going on - I have tested the
>>> environment for relaying (and it doesn't - except for what's
>>> authorized) - plus I have added my SPF records to the zone files....
>>> ... clip....
>>> Jan 23 20:15:58 adelie1 sendmail[27321]: j0O1FqAQ027321: 
>>> <fletcher at thefowles.com>... no
>>> Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: lost input 
>>> channel from [222.233.142.168] to MTA after data
>>> Jan 23 20:15:59 adelie1 sendmail[27321]: j0O1FqAQ027321: 
>>> from=<marylou.wigginsel at 163.net>, size=0, class=0, nrcpts=0, 
>>> proto=ESMTP, daemon=MTA, relay=[222.233.142.168]
>>> Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>> <barber at thefowles.com>... no
>>> Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>> <battle at thefowles.com>... no
>>> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>> <barr at thefowles.com>... no
>>> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>> <benjamin at thefowles.com>... no
>>> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>> <huber at thefowles.com>... no
>>> Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>> <howe at thefowles.com>... no
>>> Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>> <houston at thefowles.com>... no
>>> Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>> <ibarra at thefowles.com>... no
>>> Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: 
>>> from=<YZUOMGCYA at earthlink.net>, size=0, class=0, nrcpts=0, 
>>> proto=SMTP, daemon=MTA, relay=96.250.216.81.pite.siwnet.net 
>>> [81.216.250.96]
>>> Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: 
>>> <hurley at thefowles.com>... no
>>> Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: 
>>> from=<zbgwfnrgf at telusplanet.net>, size=0, class=0, nrcpts=0, 
>>> proto=SMTP, daemon=MTA, relay=96.250.216.81.pite.siwnet.net 
>>> [81.216.250.96]
>>> ....clip.....
>>> They don't appear to be getting in.. but the non-existent users @ my
>>> domain are my concern....   or am I worrying over nothing?
>>>
>>> Thanks,
>>> Mark
>>>
>>

-- 
Law of Procrastination:
         Procrastination avoids boredom; one never has
         the feeling that there is nothing important to do.
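As an added illustration (not from anyone in this thread), here is a small Python script that does over maillog lines what Mark was doing by eye: it groups the rejected-recipient lines by sendmail queue id, attributes them to the connecting relay IP from the matching from= line, and proposes a per-IP /etc/mail/access entry instead of a domain-wide DISCARD. The sample log lines are constructed to mirror the posted excerpt (recipient rejections abbreviated to "... no" as in the post); the script keys only on the `<addr>... ` prefix, and it emits Connect:/REJECT (a 5xx the sender sees) rather than DISCARD, which is an assumption of this example, not the thread's advice.

```python
import re
from collections import defaultdict

# Constructed sample log lines modelled on the thread's maillog excerpt;
# rejected-recipient lines start "<addr>... " (reason abbreviated to "no" as posted).
SAMPLE_LOG = """\
Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: <barber@thefowles.com>... no
Jan 23 20:16:05 adelie1 sendmail[27322]: j0O1G4DF027322: <battle@thefowles.com>... no
Jan 23 20:16:06 adelie1 sendmail[27322]: j0O1G4DF027322: <barr@thefowles.com>... no
Jan 23 20:16:07 adelie1 sendmail[27322]: j0O1G4DF027322: from=<YZUOMGCYA@earthlink.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=96.250.216.81.pite.siwnet.net [81.216.250.96]
Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: <hurley@thefowles.com>... no
Jan 23 20:16:08 adelie1 sendmail[27322]: j0O1G4DG027322: from=<zbgwfnrgf@telusplanet.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=96.250.216.81.pite.siwnet.net [81.216.250.96]
Jan 23 20:20:00 adelie1 sendmail[27330]: j0O1KaaB027330: <bob@thefowles.com>... no
Jan 23 20:20:01 adelie1 sendmail[27330]: j0O1KaaB027330: from=<alice@example.org>, size=2100, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
"""

QID_RE = re.compile(r"sendmail\[\d+\]: (\w+): (.*)$")   # queue id, rest of line
RCPT_RE = re.compile(r"^<([^>]+)>\.\.\. ")              # rejected recipient line
RELAY_RE = re.compile(r"relay=\S* ?\[([\d.]+)\]")        # bracketed relay IP

def summarize(log_text):
    """Return {relay_ip: (unknown_recipient_count, connection_count)}."""
    rejected = defaultdict(set)   # queue id -> rejected recipient addresses
    relay_of = {}                 # queue id -> connecting relay IP
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        r = RCPT_RE.match(rest)
        if r:
            rejected[qid].add(r.group(1))          # seen before the from= line
        elif (rl := RELAY_RE.search(rest)):
            relay_of[qid] = rl.group(1)            # ties the queue id to its relay
    per_ip = defaultdict(lambda: [0, set()])
    for qid, addrs in rejected.items():
        ip = relay_of.get(qid, "unknown")
        per_ip[ip][0] += len(addrs)
        per_ip[ip][1].add(qid)
    return {ip: (n, len(q)) for ip, (n, q) in per_ip.items()}

def harvesters(log_text, min_rejects=3):
    """Relay IPs that probed at least min_rejects non-existent local users."""
    return sorted(ip for ip, (n, _) in summarize(log_text).items() if n >= min_rejects)

def access_lines(ips):
    """Per-IP access-db entries: narrower than a domain-wide DISCARD, and visible as a 5xx."""
    return [f"Connect:{ip}\tREJECT" for ip in ips]
```

Running `access_lines(harvesters(SAMPLE_LOG))` on the sample yields a single entry for the relay that hit four unknown recipients over two connections, while the one-off bounce from the legitimate relay stays below the threshold.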