
RE: [cobalt-security] Portsentry/Logcheck



Simon Wilson <simon@xxxxxxxxxxxxx> said:

> > Below is a snip from Logcheck. I don't have SMTP set up on any of my
> > virtual sites and use my local ISP for sending mail. So, does the message
> > below mean that somebody else is trying to send mail from my server?
> 
> I get a similar Logcheck snip. Is this guy doing the same thing? If he is
> what can I do to stop him as he attempts to do this almost every day.
> 
> Mar 30 06:43:26 ns1 sendmail[19040]: f2U5hPu19040: ruleset=check_rcpt,
> arg1=<ken.tak@xxxxxxxxxxx>, relay=ppp-209-144-213-245.dialup.pcmagic.net
> [209.144.213.245], reject=550 5.7.1 <ken.tak@xxxxxxxxxxx>... Relaying denied
> 
The first was someone trying to send spam through the poster's server. The 
application blocked it because the domain name used in the From header of the 
spam message was unresolvable. Your message is different - verizon.net is a 
resolvable host - in that someone is trying to send mail using your SMTP 
server, which is also known as relaying. Relaying is denied by default by 
most modern mailers, because spammers use it to "steal" service and cover 
their tracks. In fact, a lot of servers won't even accept mail from "open 
relays" now, as they use the ORBS (look it up in Google) database by default. 
The RBL (again, look it up) is also widely recommended. Also note that all of 
these protections can be configured from your mailer. You don't need to 
change anything though, the guy is already being blocked from your server, 
and he's using negligible resources.

adam
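
An added example, not part of the original thread: a small Python script that reads sendmail reject entries shaped like the Logcheck snip quoted above and reports, per source address, on which days relaying was denied and which recipients were tried. The sample log is constructed (documentation addresses, one entry folded the way the mail above wrapped it), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the Logcheck snip in the thread.
# The second entry is folded across lines, as it was in the e-mail.
SAMPLE_LOG = """\
Mar 29 06:40:02 ns1 sendmail[18011]: f2T5e1u18011: ruleset=check_rcpt, arg1=<a@example.net>, relay=dialup-7.example.org [192.0.2.10], reject=550 5.7.1 <a@example.net>... Relaying denied
Mar 30 06:43:26 ns1 sendmail[19040]: f2U5hPu19040: ruleset=check_rcpt,
arg1=<b@example.net>, relay=dialup-7.example.org
[192.0.2.10], reject=550 5.7.1 <b@example.net>... Relaying denied
Mar 30 07:10:00 ns1 sendmail[19102]: f2U6A0u19102: ruleset=check_mail, arg1=<x@invalid.example>, relay=[198.51.100.4], reject=451 4.1.8 Domain of sender address x@invalid.example does not resolve
Mar 30 07:11:13 ns1 sendmail[19110]: f2U6BDu19110: from=<c@example.com>, size=812, class=0, nrcpts=1, relay=localhost [127.0.0.1]
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
REJECT = re.compile(
    r"^(?P<day>[A-Z][a-z]{2} [ \d]\d) \S+ \S+ sendmail\[\d+\]: \w+: "
    r"ruleset=(?P<ruleset>\w+), arg1=(?P<arg1>\S+), "
    r"relay=(?P<host>[^\[]*)\[(?P<ip>[0-9.]+)\][^,]*, "
    r"reject=(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?P<text>.*)$"
)

def unfold(text):
    """Rejoin wrapped entries: a line without a syslog timestamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def relay_attempts(text):
    """Map source IP -> days seen and recipients tried, for 'Relaying denied' rejects only."""
    seen = defaultdict(lambda: {"days": set(), "rcpts": []})
    for entry in unfold(text):
        m = REJECT.match(entry)
        if m and m["ruleset"] == "check_rcpt" and "Relaying denied" in m["text"]:
            seen[m["ip"]]["days"].add(m["day"])
            seen[m["ip"]]["rcpts"].append(m["arg1"].strip("<>"))
    return dict(seen)

if __name__ == "__main__":
    for ip, info in relay_attempts(SAMPLE_LOG).items():
        print(ip, sorted(info["days"]), info["rcpts"])
```

The check_mail reject for an unresolvable sender domain is deliberately not counted, since that is the other case described in the reply rather than a relay attempt.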