Dropping email on the floor?

Rick Stevens rstevens at vitalstream.com
Fri Apr 15 18:33:35 UTC 2005


Jeff Kinz wrote:
> Hi Guys,
> I've just recently started seeing large numbers of emails being dropped,
> but only from specific sources
> 
> Here is what sendmail verbose mode is showing (two examples):
> 
> 26969 >>> 220 redline.kinz.org ESMTP Sendmail 8.11.6/8.11.6; Fri, 15 Apr 2005 13:29:23 -0400
> 26969 <<< EHLO nl-mail5.internet.com
> 26969 >>> 250-redline.kinz.org Hello nl-mail5.internet.com [64.62.164.185], pleased to meet you
> 26969 >>> 250-ENHANCEDSTATUSCODES
> 26969 >>> 250-8BITMIME
> 26969 >>> 250-SIZE
> 26969 >>> 250-DSN
> 26969 >>> 250-ONEX
> 26969 >>> 250-ETRN
> 26969 >>> 250-XUSR
> 26969 >>> 250-AUTH GSSAPI
> 26969 >>> 250 HELP
> 26969 <<< MAIL FROM:<newsletter at nl.internet.com>
> 26970 >>> 250 2.1.0 <newsletter at nl.internet.com>... Sender ok
> 26970 <<< [EOF]
> 26970 >>> 421 4.4.1 redline.kinz.org Lost input channel from nl-mail5.internet.com [64.62.164.185]
> 26968 >>> 220 redline.kinz.org ESMTP Sendmail 8.11.6/8.11.6; Fri, 15 Apr 2005 13:29:25 -0400
> 26968 <<< HELO n19a.bulk.scd.yahoo.com
> 26968 >>> 250 redline.kinz.org Hello n19a.bulk.scd.yahoo.com [66.94.237.48], pleased to meet you
> 26968 <<< MAIL FROM:<sentto-311578-3615-1113585173-jkinz=kinz.org at returns.groups.yahoo.com>
> 26971 >>> 250 2.1.0 <sentto-311578-3615-1113585173-jkinz=kinz.org at returns.groups.yahoo.com>...  Sender ok
> 26971 <<< RSET
> 26971 >>> 250 2.0.0 Reset state
> 26968 <<< QUIT
> 26968 >>> 221 2.0.0 redline.kinz.org closing connection
> 
> 
> There seem to be two failure modes, one is the "Lost input channel" and
> the other is getting an SMTP "RSET" command from the MTA of the sending
> side.

The first one is a fairly common probe by machines looking for open
relays--especially MS Exchange servers.  I'd consider that an attack.
The second one looks like a similar attack, but more along the lines of
an attempted SMTP DoS attack.  I'm willing to bet that the IP addresses
are spoofed as well.

> NOTE: "<<<" seems to indicate messages sent by the external SMTP party and
> ">>>" seems to indicate responses by my side (the "inside")

Yes, "<<<" refers to INCOMING traffic TO your machine, ">>>" refers to
OUTGOING traffic FROM your machine (think of the arrows as relative
to your system).

> NOTE:  Comcast is having DNS server problems.  Can that be affecting
> this?  And if so, why only for internet.com and yahoo groups bulk mail
> servers?

No, these are not DNS issues (otherwise you'd get only the IP address
of the remote machines and not a reverse DNS resolution giving the host
names).  The reverse resolution is correct, BTW, but the IPs are
probably spoofed.

> ONEMORENOTE:
> I have turned off all my sorbs style email blocking while trying to
> figure this out.  It seems to make no difference.  FPIA

As I said, these look like probes to see if YOU are an open relay.
Welcome to the world of mail administration.  Remember, I get this
crap every day and we process over 1M legitimate messages per day (and
reject about 2M due to spam, viruses or probes such as you're seeing).
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-           What is a "free" gift?  Aren't all gifts free?           -
----------------------------------------------------------------------
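A quick way to tell relay probes from a genuine delivery problem is to parse the trace, split it into SMTP sessions, and tally how each session ended per peer. The script below is an added example for this thread, not sendmail code or anything posted by either participant. It reads the "<pid> <<< text" / "<pid> >>> text" format shown above (">>>" is what the local MTA sent, "<<<" is what arrived from the peer), starts a new session at each 220 greeting rather than keying on the pid, and labels sessions as lost input channel, RSET after MAIL FROM, or an accepted message. The sample transcript is constructed: the hostnames, addresses and queue id are placeholders modelled on the quoted output, not real hosts.

```python
import re
from collections import Counter

# Constructed sample transcript in sendmail's verbose trace format.  Hosts and
# addresses are placeholders (example.org / RFC 5737 ranges), not real systems.
SAMPLE_TRACE = """\
26969 >>> 220 mx.example.org ESMTP Sendmail 8.11.6/8.11.6; Fri, 15 Apr 2005 13:29:23 -0400
26969 <<< EHLO relay1.example.net
26969 >>> 250-mx.example.org Hello relay1.example.net [192.0.2.10], pleased to meet you
26969 >>> 250 HELP
26969 <<< MAIL FROM:<news@example.net>
26970 >>> 250 2.1.0 <news@example.net>... Sender ok
26970 <<< [EOF]
26970 >>> 421 4.4.1 mx.example.org Lost input channel from relay1.example.net [192.0.2.10]
26968 >>> 220 mx.example.org ESMTP Sendmail 8.11.6/8.11.6; Fri, 15 Apr 2005 13:29:25 -0400
26968 <<< HELO bulk7.example.com
26968 >>> 250 mx.example.org Hello bulk7.example.com [198.51.100.7], pleased to meet you
26968 <<< MAIL FROM:<list-bounces@example.com>
26971 >>> 250 2.1.0 <list-bounces@example.com>... Sender ok
26971 <<< RSET
26971 >>> 250 2.0.0 Reset state
26968 <<< QUIT
26968 >>> 221 2.0.0 mx.example.org closing connection
26980 >>> 220 mx.example.org ESMTP Sendmail 8.11.6/8.11.6; Fri, 15 Apr 2005 13:31:02 -0400
26980 <<< EHLO smtp.example.edu
26980 >>> 250 mx.example.org Hello smtp.example.edu [203.0.113.5], pleased to meet you
26980 <<< MAIL FROM:<alice@example.edu>
26980 >>> 250 2.1.0 <alice@example.edu>... Sender ok
26980 <<< RCPT TO:<bob@example.org>
26980 >>> 250 2.1.5 <bob@example.org>... Recipient ok
26980 <<< DATA
26980 >>> 354 Enter mail, end with "." on a line by itself
26980 >>> 250 2.0.0 j3FHV2xx012345 Message accepted for delivery
26980 <<< QUIT
26980 >>> 221 2.0.0 mx.example.org closing connection
"""

LINE_RE = re.compile(r"^(\d+)\s+(<<<|>>>)\s+(.*)$")
PEER_RE = re.compile(r"Hello (\S+) \[([\d.]+)\]")


def parse_sessions(trace):
    """Split a trace into sessions; each 220 greeting we send opens a new one.

    The pid is deliberately not used as the session key: in the quoted trace the
    pid changes part-way through a single dialogue (26969 -> 26970).
    """
    sessions = []
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        _pid, direction, text = m.groups()
        if direction == ">>>" and text.startswith("220 "):
            sessions.append({"peer": None, "ip": None, "lines": []})
        if not sessions:
            continue  # trace fragment that started mid-session
        session = sessions[-1]
        peer = PEER_RE.search(text)
        if direction == ">>>" and peer:
            session["peer"], session["ip"] = peer.group(1), peer.group(2)
        session["lines"].append((direction, text))
    return sessions


def classify(session):
    """Label how the dialogue ended, from the local MTA's point of view."""
    seen_mail = seen_data = False
    for direction, text in session["lines"]:
        if direction == "<<<":
            if text == "[EOF]":
                # Peer dropped the connection; sendmail answers 421 "Lost input channel".
                return "lost-input-channel" if seen_mail else "eof-before-mail"
            verb = text.split(":", 1)[0].split(None, 1)[0].upper()
            if verb == "MAIL":
                seen_mail = True
            elif verb == "DATA":
                seen_data = True
            elif verb == "RSET" and seen_mail and not seen_data:
                return "rset-after-mail"
        elif direction == ">>>" and text.startswith("250 2.0.0") and "accepted" in text.lower():
            return "accepted"
    return "other"


def summarize(trace):
    """Return (outcome counts, outcomes per peer hostname) for a whole trace."""
    counts = Counter()
    per_peer = {}
    for session in parse_sessions(trace):
        label = classify(session)
        counts[label] += 1
        per_peer.setdefault(session["peer"], []).append(label)
    return counts, per_peer


if __name__ == "__main__":
    totals, by_peer = summarize(SAMPLE_TRACE)
    print(dict(totals))
    for host, outcomes in by_peer.items():
        print(f"{host}: {outcomes}")
```

Run against a real trace, the per-peer view is the useful one: a handful of hosts that only ever produce "lost-input-channel" or "rset-after-mail" sessions look like probes, while a legitimate sender whose sessions never reach DATA points at a problem on one side of the connection.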