
Re: [cobalt-users] Pop before SMTP - I've had enough.



On Sat, 30 Mar 2002, David Lucas wrote:

> Ok everyone.  I may regret this.  Here are two lines out of my maillog.
> 
> My customer is cs<at>cdbyrd.net.  adelphia.net has nothing to do with
> me.  No 

adelphia.net seems to be home to some spammers/idiots; their lax abuse@
handling doesn't help much.

> 
> Oh, here is another.  Notice the sender is the same ip but different 
> company.  This one is for an ezine, and he did not reply to it.
> 
> Mar 29 07:09:39 www sendmail[2813]: g2TD9d902813: ruleset=check_rcpt, 
> arg1=<join-ezine-tips@xxxxxxxxxxxxx>, relay=fl-del1c1-117.pbc.adelphia.net 
> [24.50.1.117], reject=550 5.7.1 <join-ezine-tips@xxxxxxxxxxxxx>... Relaying 
> denied. Please check your mail first.

Someone is attempting to auto-subscribe him using a bounce with his From
address in it. If your server had deferred queuing, it would have accepted
the message and sent out a bounce later. Some lists are too stupid to
understand that a bounce message is not a valid confirmation/subscribe
request.

[sparclist seems to ring a bell as one that is/was a bit sloppy, not sure]

> 
> Mar 29 07:09:39 www sendmail[2813]: g2TD9d902813: 
from=<cs@xxxxxxxxxx >, 
^^^^^^^^^^^^^^^^^^^!

Note the space in the username, interesting...might be a hint it was
scraped from somewhere


> size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, 
> relay=fl-del1c1-117.pbc.adelphia.net [24.50.1.117]

I've had *.adelphia.net blocked for over a year now ;P

That IP is a dialup btw, it has no business talking to your mailserver at
all, unless it's your customer, and even then ;P

One of their users likes scanning IPs for open relays also....

> I do have entries for a couple of other senders.  NO cs@xxxxxxxxxx is not 
> sending anything in either case.

He probably annoyed some kiddie ;)

pps: Remember, the pop-before relay thingy *logs* the POP access and the
authentication, with the timestamp. If it's not there, it's not your user;
that's the whole point ;P

gsh
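
The cross-check from the closing note above, as an added example that is not part of the original message: for each sendmail line in the maillog, look for an earlier POP login from the same relay IP. The sendmail lines follow the format quoted in the thread; the POP login line format, the 30-minute window, and all addresses and queue IDs are constructed assumptions, so adjust `POP_RE` and `window` to your own POP daemon and relay settings.

```python
import re
from datetime import datetime, timedelta

# Constructed sample maillog. The POP line format is an assumption,
# not taken from the thread; IPs are documentation ranges.
SAMPLE_LOG = """\
Mar 29 07:01:10 www popper[2790]: POP login by user "cs" at (host.example) 192.0.2.10
Mar 29 07:03:02 www sendmail[2801]: g2TD32902801: from=<cs@example.net>, size=812, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=host.example [192.0.2.10]
Mar 29 07:09:39 www sendmail[2899]: g2TD9d902899: ruleset=check_rcpt, arg1=<list@example.org>, relay=dialup.example [198.51.100.117], reject=550 5.7.1 <list@example.org>... Relaying denied. Please check your mail first.
Mar 29 09:30:00 www sendmail[2990]: g2TFU0902990: from=<cs@example.net>, size=500, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=host.example [192.0.2.10]
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
POP_RE = re.compile(TS + r' \S+ popper\[\d+\]: POP login by user "(?P<user>[^"]+)" at \(.*?\) (?P<ip>[\d.]+)')
SMTP_RE = re.compile(TS + r" \S+ sendmail\[\d+\]: (?P<qid>\w+): .*relay=\S* ?\[(?P<ip>[\d.]+)\]")

def parse_ts(ts, year=2002):
    # Syslog timestamps carry no year, so one has to be supplied.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def correlate(log, window=timedelta(minutes=30)):
    """Return (queue_id, relay_ip, verdict) for each sendmail line with a relay IP."""
    last_pop = {}  # relay IP -> (time of latest POP login, user)
    results = []
    for line in log.splitlines():
        if m := POP_RE.match(line):
            last_pop[m["ip"]] = (parse_ts(m["ts"]), m["user"])
        elif m := SMTP_RE.match(line):
            when = parse_ts(m["ts"])
            seen = last_pop.get(m["ip"])
            if seen and timedelta(0) <= when - seen[0] <= window:
                verdict = f"pop-auth:{seen[1]}"   # your user, recently authenticated
            elif seen:
                verdict = "pop-expired"           # known IP, login too old
            else:
                verdict = "no-pop-login"          # never authenticated: not your user
            results.append((m["qid"], m["ip"], verdict))
    return results

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(*row)
```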