
RE: [cobalt-users] Help with sendmail logs
> Is there a reference to help me decipher sendmail log entries?  I'm
> trying to make sense out of entries that look like this pair:
>  
> Jan 30 11:40:30 mail sendmail[11670]: i0UJeNr11670: from=<1-345046-metarainc.com?rmXXX@xxxxxxxxxxxxxxxxxxxxxx>, size=8021, class=0, nrcpts=1, msgid=<153$3E154n1TsBEB4IMYMp1@xxxxxxxxxxxxxxxxxxxxxx>, proto=SMTP, daemon=MTA, relay=sun4.rusticsunrise.com [66.111.234.26]

The above is typical of a newsletter subscription where the email
address of the recipient is coded into the sender address, so if it
bounces they know who to remove right away, or that can happen
automatically. sun4.rusticsunrise.com is the sending server.

>  
> Jan 30 11:40:30 mail sendmail[11671]: i0UJeNr11670: to=<rmXXX@xxxxxxxxxxxxx>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=37639, dsn=2.0.0, stat=Sent

It was then delivered to rmXXX@xxxxxxxxxxxxx on your server.

>  
> rmXXX is a valid user accessing the system from a remote location.
> The "relay" in the first entry bothers me.  I'm not aware of who the
> domain is, but several such entries appear in the log with different
> domain names, but very similar IP addresses (differing by only a few
> numbers in the last octet).

Spammers with lots of domain names, it seems. Listed by Spamhaus, SPEWS,
SORBS: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL13257

What do you know, rusticsunrise.com was registered on 21-Jan-2004 and
they're already mailing to your customers. Just do a whois on the domain.
That is enough for me to block that domain on my server.

-- 
© 2003 Dan Kriwitsky

Please reply to the list only. Off list replies are not read.
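Dan's reply pairs the two entries by their shared queue id (i0UJeNr11670) and reads the relay host and IP out of the first one; the script below is an added example (not from the thread or from sendmail) that does that join over a constructed log sample modelled on the quoted lines, and then groups sending relays by /24 so the "different domain names, very similar IP addresses" pattern the poster noticed shows up as one group. The second sending host, the recipient domain and the msgid values are made up for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_interface

# Constructed sample log, modelled on the two entries quoted in the thread.
# The second message (sun2.sender2.example, 66.111.234.29) is invented so the
# subnet grouping has something to group.
SAMPLE_LOG = """\
Jan 30 11:40:30 mail sendmail[11670]: i0UJeNr11670: from=<1-345046-metarainc.com?rmXXX@mail.example>, size=8021, class=0, nrcpts=1, msgid=<153$3E154n1TsBEB4IMYMp1@mail.example>, proto=SMTP, daemon=MTA, relay=sun4.rusticsunrise.com [66.111.234.26]
Jan 30 11:40:30 mail sendmail[11671]: i0UJeNr11670: to=<rmXXX@mail.example>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=37639, dsn=2.0.0, stat=Sent
Jan 30 11:42:07 mail sendmail[11702]: i0UJgAb11702: from=<2-345047-other.example?bobXXX@mail.example>, size=7990, class=0, nrcpts=1, msgid=<abc123@mail.example>, proto=SMTP, daemon=MTA, relay=sun2.sender2.example [66.111.234.29]
Jan 30 11:42:08 mail sendmail[11703]: i0UJgAb11702: to=<bobXXX@mail.example>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=37600, dsn=2.0.0, stat=Sent
"""

# Every sendmail envelope line carries "<queue id>: " after the pid; the
# queue id, not the pid, is what ties the from= and to= records together.
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>.*relay=(?P<host>[^\s,]+)(?: \[(?P<ip>[\d.]+)\])?")
TO_RE = re.compile(r"to=<(?P<rcpt>[^>]*)>.*stat=(?P<stat>.*)$")

def parse_line(line):
    """Return (queue_id, 'from'|'to', fields) for an envelope line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("from="):
        f = FROM_RE.search(rest)
        return m.group("qid"), "from", (f.groupdict() if f else {})
    if rest.startswith("to="):
        t = TO_RE.search(rest)
        return m.group("qid"), "to", (t.groupdict() if t else {})
    return None  # other sendmail lines (timeouts, stats, ...) are ignored

def pair_by_queue_id(log_text):
    """Join each message's from= record with its to= record(s) via the queue id."""
    msgs = defaultdict(lambda: {"from": None, "to": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            qid, kind, fields = parsed
            if kind == "from":
                msgs[qid]["from"] = fields
            else:
                msgs[qid]["to"].append(fields)
    return dict(msgs)

def relays_by_subnet(msgs, prefixlen=24):
    """Group sending relays by address block; report blocks with more than one host name."""
    groups = defaultdict(set)
    for m in msgs.values():
        f = m["from"]
        if f and f.get("ip"):
            net = ip_interface(f"{f['ip']}/{prefixlen}").network
            groups[str(net)].add(f["host"])
    return {net: sorted(hosts) for net, hosts in groups.items() if len(hosts) > 1}
```

Run it over a real maillog instead of SAMPLE_LOG and the subnet report gives you the list of relay hosts (and the block they share) to check against the RBLs Dan mentions before deciding what to block.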