"Strange" maillog entries - am I being used as a relay?
Robert Slade
fedora at bathnetworks.com
Sat Apr 2 11:39:41 UTC 2005
On Sat, 2005-04-02 at 10:52, Mike Pelley wrote:
> Folks - I noticed some strange errors in my logwatch report and when I checked my maillog I found the entries below. I have SMTPS with TLS set up for authentication. Does this mean I'm being used as a relay?
>
> maillog:Mar 29 09:30:24 zeus postfix/smtpd[26863]: connect from unknown[216.113.195.131]
> maillog:Mar 29 09:30:24 zeus postfix/smtpd[26863]: setting up TLS connection from unknown[216.113.195.131]
> maillog:Mar 29 09:30:24 zeus postfix/smtpd[26863]: TLS connection established from unknown[216.113.195.131]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> maillog:Mar 29 09:30:25 zeus postfix/smtpd[26863]: 0A1267031D: client=unknown[216.113.195.131]
> maillog:Mar 29 09:30:25 zeus postfix/smtpd[26863]: 0A1267031D: reject: RCPT from unknown[216.113.195.131]: 450 <wjwwwdk at pelleys.com>: User unknown in local recipient table; from=<> to=<wjwwwdk at pelleys.com> proto=ESMTP helo=<email.noproblemnetworks.com>
> maillog:Mar 29 09:30:27 zeus postfix/smtpd[26863]: disconnect from unknown[216.113.195.131]
>
> Thanks,
> Mike
Mike,
I would have said no.
This looks to me like a machine at 216.113.195.131
(pd-pd-a.static.uniserve.ca) tried to send a mail to a users at your
domain who did not exist.
Now noproblemnetworks.com is:
Technical Contact:
Diamond, Paul paul at pdiamondinc.com
8771 Myhill Road
Richmond, BC V6Y 2J3
CA
(604) 761-0839
Fax:(604) 448-0218
Record last updated 12-06-2004 10:41:41 AM
Record expires on 02-03-2006
Record created on 02-03-2001
Domain servers in listed order:
NS1.NOPROBLEMNETWORKS.COM 216.113.195.131
NS3.NOPROBLEMNETWORKS.COM 69.90.29.94
Which shows that the sending machine 216.113.195.131 is supposed to be a
NS.
It looks to me that 216.113.195.131 is either an open relay or
compromised.
Rob
More information about the fedora-list
mailing list