[Shorewall-users] OT how to Make Sendmail Speak

Cowles, Steve Steve at SteveCowles.com
Fri Jul 11 09:14:38 PDT 2003


John Andersen wrote:
> I've noticed a lot of connections to my sendmail with an alleged TO
> address of
> BCFaun9enYd-khansen-norcomsoftware.com at cdbjcvcwrql.searchresultzdelivered.com
> 
> The actual name varies, but the end bit is always
> searchresultzdelivered.com.
> Because my sendmail insists that the from address be resolvable,
> these don't get thru.
> 
> However my machine tries to connect back to the mx of
> searchresultzdelivered.com, which is
> relay=bounce.searchresultzdelivered.com.

Be interesting to see all of your logfile entries for this. Are you sure it's
not just sendmail sending a DSN back? Which is just as bad.

> 
> Being sort of suspicious, I blacklisted the entire subnet of
> searchresultz. I suspect they are looking for open relays.

Either that or they are trying to verify a valid e-mail address.

> 
> So I ask, who are these people?  (I know all about dig and whois
> guys). Why does google have nothing on them?

Probably because the domain was created last week.

> 
> Also, I want to know how I can make sendmail cough up the originating
> IP for a connection so I can ban that subnet too. Clearly it's not
> originating from anywhere in 4.17.77.0/24 as that is blacklisted.

As far as realtime scanning, that would probably require the use of a
specialized milter. You could always write a cron job that scanned your
logfiles and updated sendmail's access map. At least you could stop further
probes.

> 
> Anyone else seeing connections from that bunch?

I just checked a month's worth of logfiles and did not see any hits. Whew! At
least for now. I'm sure these bastards will find me before long. :-(

Steve Cowles
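The log-scanning cron job Steve describes, as an added example that is not code from the original thread: it reads sendmail-style log lines, picks out the relay IP of every message whose envelope sender is in searchresultzdelivered.com, and renders sendmail access_db entries that reject those hosts at connect time. The log lines, queue IDs and IP addresses below are constructed (RFC 5737 documentation ranges), and the exact field layout of real maillog lines is an assumption that the regexes tolerate loosely.

```python
import re
import ipaddress

# Constructed sample maillog lines (not taken from the thread); the IPs are
# documentation addresses so the example runs offline.
SAMPLE_LOG = """\
Jul 11 09:01:02 mx sendmail[4101]: h6BG12a04101: ruleset=check_mail, arg1=<BCFaun9enYd-khansen-norcomsoftware.com@cdbjcvcwrql.searchresultzdelivered.com>, relay=[192.0.2.10], reject=451 4.1.8 Domain of sender address does not resolve
Jul 11 09:05:44 mx sendmail[4120]: h6BG5ia04120: from=<alice@example.org>, size=812, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]
Jul 11 09:06:10 mx sendmail[4133]: h6BG6Aa04133: ruleset=check_mail, arg1=<xyz@abc.searchresultzdelivered.com>, relay=host.example.net [192.0.2.10] (may be forged), reject=451 4.1.8 Domain of sender address does not resolve
Jul 11 09:09:31 mx sendmail[4150]: h6BG9Va04150: from=<q@qq.searchresultzdelivered.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[203.0.113.25]
"""

# Envelope sender appears as from=<...> on accepted mail and arg1=<...> on
# check_mail rejections; the relay is "relay=host [ip]" or "relay=[ip]".
SENDER_RE = re.compile(r"(?:from|arg1)=<[^>]*@([^>]+)>")
RELAY_RE = re.compile(r"relay=(?:\S+ )?\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def offending_relays(log_text, sender_domain):
    """Map relay IP -> hit count for lines whose sender domain is sender_domain or a subdomain."""
    hits = {}
    for line in log_text.splitlines():
        m_from = SENDER_RE.search(line)
        m_relay = RELAY_RE.search(line)
        if not (m_from and m_relay):
            continue
        dom = m_from.group(1).lower()
        if dom == sender_domain or dom.endswith("." + sender_domain):
            ip = m_relay.group(1)
            try:
                ipaddress.ip_address(ip)  # drop anything that is not a valid literal
            except ValueError:
                continue
            hits[ip] = hits.get(ip, 0) + 1
    return hits


def access_map_entries(log_text, sender_domain, min_hits=1):
    """Render access_db lines (FEATURE(`access_db') with tags) rejecting each relay at connect time."""
    relays = offending_relays(log_text, sender_domain)
    return ["Connect:%s\tREJECT" % ip for ip, n in relays.items() if n >= min_hits]


if __name__ == "__main__":
    # A cron job would append these to /etc/mail/access and then rebuild the
    # map with: makemap hash /etc/mail/access < /etc/mail/access
    print("\n".join(access_map_entries(SAMPLE_LOG, "searchresultzdelivered.com")))
```

Raising min_hits keeps a single mistyped sender from blocking a legitimate relay; review the output before installing it, since the relay host is the only thing the log can attribute, not the party behind the domain.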
