From: K Anderson
Date: Tue, 18 Mar 2003 10:16:27 -0800
To: lists@3bags.com
Cc: freebsd-questions@freebsd.org
Subject: Re: rejected mail hosts?

Phillip Smith (mailing list) wrote:
> I've started getting a seemingly large amount of these... last week it
> was one or two a day, now this:
>
> Should I be concerned?
>
> Checking for rejected mail hosts:
>     8 21cn.com
>     4 xinhuanet.com
>     4 msa.hinet.net
>     4 19.com.cn
>     3 yahoo.com
>     2 wargameclub.com
>     2 tamil.com
>     2 singapore.net
>     2 seckinmail.com
>     2 qdice.com
>     2 portugalnet.com
>     2 pakistans.com
>     2 netcityhk.com
>     2 mybaby.com.hk
>     2 mawardy.com
>     2 matsutakako.org
>     2 malaysia.net
>     2 lissamail.com
>     2 irishharvest.net
>     2 indiya.com
>     2 indiadivine.com
>     2 ilovetocollect.net
>     2 humayunsaeed.net
>     2 gillian-chung.com
>     2 flytecrew.com
>     2 ethailand.com
>     2 ebixmail.com
>     2 domvista.net
>     2 crewstart.com
>     2 china139.com
>     2 326.cc
>     1 wombles.com
>     1 williamso.net
>     1 virtualmail.com
>     1 ulaanbaatar.i-p.com
>     1 thepretender.com
>     1 thehod.com
>     1 thechaplains.com
>     1 thaiezone.com
>     1 thai-kid.com
>     1 tare-panda.com
>     1 tabo.ws
>     1 soccerpitch.com
>     1 sammimail.com
>     1 ryokohirosue.com
>     1 regards.net
>     1 rain-li.net
>     1 portugues.org
>     1 pigpig.net
>     1 pigletmail.com
>     1 outgun.com
>     1 nativestar.net
>     1 myshopfinger.com
>     1 myfunnymail.com
>     1 miczone.com
>     1 michelle-yu.com
>     1 mcdull.net
>     1 martialmail.com
>     1 mandrakelinux.org
>     1 mail.com
>     1 kunmail.com
>     1 jpopmail.com
>     1 i611.com
>     1 guju.net
>     1 ezagenda.com
>     1 e-hkma.com
>     1 doramail.com
>     1 ceciliacheung.com
>     1 bkkmail.com
>     1 baptistmail.com
>     1 alemail.com
>     1 9394.com
>     1 7.co.kr
>     1 168city.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

I get some of those messages as well from time to time. Those come from someone trying to use your email server as a relay. Probably some spammer.

If you check your /var/log/maillog, or one of the maillog.?.gz files (you might need to check the gzipped ones as well), grep or zgrep for the pattern "baptistmail" (use zgrep if you're looking into one of the maillog.?.gz files). When it finds it, it should say "Relay denied" or something close to that. Now for the neat part.
Within that is the actual address of the host that tried to connect and perpetrate the attempt at spamming and making you look like the person sending it, or at least pretty close to sending it. Gotta be careful, because that's how you get your IP address on some of those blackhole lists, and soon nobody, if they subscribe to one of those services, will be able to send you email.

If your grepping does actually turn up something, then you find out whose ISP or network has ownership of the host and send them an email with the log entries; be sure to include your timezone (UUNET, for instance, wants to know these things). My last experience actually was from UUNET. One of their users was, well, you know, trying to use my sendmail as a relay.

If they all come from the same host, or not, then maybe create a firewall rule to block them from your SMTP port. I would suggest telling you to set sendmail up to do the work, but they will keep trying; actually, they will keep trying anyway, so you might as well firewall them.

Now you're probably wondering, how did some spammer find this out? Probably the usual means: port scanning, posting to the web, posting to mail/news lists. If your email is sent through your sendmail, perhaps your IP address has been harvested. So yes, pat your sendmail on the back.

Happy hunting and HTH.
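The grep-the-maillog procedure from the reply above, turned into a repeatable check. This is an added example, not code from the thread or from FreeBSD's periodic scripts; it assumes sendmail's actual rejection wording is "Relaying denied" (the reply says "Relay denied or something close to that") and runs over constructed log lines using documentation-range addresses, so it works offline.

```shell
#!/bin/sh
# Count sendmail relay rejections per connecting host across the live
# maillog and rotated maillog.N.gz files, and pull the raw lines for a
# given host so they can be forwarded to the network's abuse contact.

# Constructed sample log (not real traffic). The rejection lines follow
# sendmail's check_rcpt logging; the third line is an accepted message
# and must not be counted.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Mar 18 09:01:12 mx sm-mta[1201]: h2IH1Cxx001201: ruleset=check_rcpt, arg1=<someone@baptistmail.com>, relay=[192.0.2.10], reject=550 5.7.1 <someone@baptistmail.com>... Relaying denied
Mar 18 09:02:40 mx sm-mta[1207]: h2IH2exx001207: ruleset=check_rcpt, arg1=<user@21cn.com>, relay=host.example.net [198.51.100.7], reject=550 5.7.1 <user@21cn.com>... Relaying denied
Mar 18 09:03:05 mx sm-mta[1209]: h2IH35xx001209: from=<bob@example.org>, size=1024, class=0, nrcpts=1, relay=[203.0.113.5]
Mar 18 09:04:11 mx sm-mta[1215]: h2IH4Bxx001215: ruleset=check_rcpt, arg1=<x@21cn.com>, relay=[192.0.2.10], reject=550 5.7.1 <x@21cn.com>... Relaying denied
EOF

# Print "count ip" for every host that was refused relaying, most
# frequent first. Plain files are read with cat, *.gz with gzip -dc,
# which is what zgrep does for the rotated logs.
relay_deny_counts() {
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done |
    grep 'Relaying denied' |
    sed -n 's/.*relay=[^[]*\[\([0-9.]*\)\].*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{print $1, $2}'
}

# Raw log lines for one address, ready to paste into the abuse report.
# syslog timestamps carry no zone, so state the server's timezone in
# the report, as the reply above advises.
relay_deny_lines() {
    grep "relay=.*\[$1\].*Relaying denied" "$2"
}

relay_deny_counts "$LOG"
```

The top address in the output is the one to look up (whois) and report, or to block on the SMTP port if it keeps coming back.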