
Re: [cobalt-security] Security violations - SPAM



On Tue, 16 Oct 2001 00:49:51 -0400, "Gerald Waugh" <gerald@xxxxxxxxx> wrote:

:>> Hi, fellow RaQ users,
:>>
:>> I'm getting seriously cheesed off by the fact that most of my security
:>> violations are caused by an unending stream of attempts to use my mail
:>> server as a relay for spam, almost all of it originating from AOL or YAHOO.
:>>
:>> I'm considering blocking both sites - do you experience the same thing?
:>>
:>sample:
:>Oct 17 22:01:02 fsn1 sendmail[28991]: WAA28991: ruleset=check_rcpt,
:>arg1=<MLB_20011004_CIN@xxxxxxx>, relay=AC81C4DC.ipt.aol.com [172.129.196.220],
:>reject=550 <MLB_20011004_CIN@xxxxxxx>... Relaying denied.  Please POP before
:>sending.
:>
:>Yes, and the thing that really hacks me off, is that there are hundreds at
:>a time. "relaying denied" You would think they would run a test case of
:>one, before sending hundreds at an SMTP server that was going to reject
:>everything.

I get the same thing. Looks like someone at AOL was really banging my system.
One thing that puzzles me, however, is that a couple of the items below do not
say relaying denied. I have surrounded them in ???????? marks. My assumption is
that since size=0, class=0, pri=0, nrcpts=0, proto=SMTP are all zero, no
relay occurred and the entry simply means the previous error session was
closed. Am I reading the log correctly or do I have a hole open of which I was
not aware?


Oct 18 00:43:29 vanecek sendmail[14744]: AAA14744: ruleset=check_rcpt,
arg1=<tester@xxxxxxx>, relay=x98A3A02C.pix.aol.com [152.163.160.44],
reject=550 <tester@xxxxxxx>... Relaying denied.  Please check your mail first.

Oct 18 00:43:30 vanecek sendmail[14744]: AAA14744: ruleset=check_rcpt,
arg1=<tester%aol.net@xxxxxxxxxxxxxx>, relay=x98A3A02C.pix.aol.com
[152.163.160.44], reject=550 <tester%aol.net@xxxxxxxxxxxxxx>... Relaying
denied.  Please check your mail first.

Oct 18 00:43:30 vanecek sendmail[14744]: AAA14744: ruleset=check_rcpt,
arg1=<tester%aol.net@xxxxxxxxxxxxxx>, relay=x98A3A02C.pix.aol.com
[152.163.160.44], reject=550 <tester%aol.net@xxxxxxxxxxxxxx>... Relaying
denied.  Please check your mail first.

???????????????????????????????????????????????????????????????
Oct 18 00:43:30 vanecek sendmail[14744]: AAA14744: from=<tester@xxxxxxx>,
size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=x98A3A02C.pix.aol.com
[152.163.160.44]
???????????????????????????????????????????????????????????????

Oct 18 00:43:30 vanecek sendmail[14745]: AAA14745: ruleset=check_mail,
arg1=<tester@xxxxxxxxxxxxxx>, relay=x98A3A02C.pix.aol.com [152.163.160.44],
reject=501 <tester@xxxxxxxxxxxxxx>... Sender domain must exist

???????????????????????????????????????????????????????????????
Oct 18 00:43:30 vanecek sendmail[14745]: AAA14745:
from=<tester@xxxxxxxxxxxxxx>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP,
 relay=x98A3A02C.pix.aol.com [152.163.160.44]
???????????????????????????????????????????????????????????????

Oct 18 00:43:30 vanecek sendmail[14746]: AAA14746: ruleset=check_rcpt,
arg1=<tester@xxxxxxx>, relay=x98A3A02C.pix.aol.com [152.163.160.44],
reject=550 <tester@xxxxxxx>... Relaying denied.  Please check your mail first.

Oct 18 00:43:30 vanecek sendmail[14746]: AAA14746: ruleset=check_rcpt,
arg1=<tester%aol.net@xxxxxxxxxxxxxx>, relay=x98A3A02C.pix.aol.com
[152.163.160.44], reject=550 <tester%aol.net@xxxxxxxxxxxxxx>... Relaying
denied.  Please check your mail first.

Oct 18 00:43:30 vanecek sendmail[14746]: AAA14746: ruleset=check_rcpt,
arg1=<tester%aol.net@xxxxxxxxxxxxxx>, relay=x98A3A02C.pix.aol.com
[152.163.160.44], reject=550 <tester%aol.net@xxxxxxxxxxxxxx>... Relaying
denied.  Please check your mail first.

???????????????????????????????????????????????????????????????
Oct 18 00:43:30 vanecek sendmail[14746]: AAA14746:
from=<tester@xxxxxxxxxxxxxx>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP,
relay=x98A3A02C.pix.aol.com [152.163.160.44]
???????????????????????????????????????????????????????????????
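
An added example, not part of the original post: one way to check a log like the one above is to group sendmail records by queue ID and see whether any envelope ended with accepted recipients (nrcpts greater than 0) or a `to=... stat=Sent` delivery record. It assumes one syslog record per line (unwrapped); the sample records, host names and addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample (placeholder hosts and addresses), one syslog record per line.
SAMPLE_LOG = """\
Oct 18 00:43:29 host sendmail[14744]: AAA14744: ruleset=check_rcpt, arg1=<tester@example.net>, relay=client.example.org [192.0.2.44], reject=550 <tester@example.net>... Relaying denied.
Oct 18 00:43:30 host sendmail[14744]: AAA14744: from=<tester@example.org>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=client.example.org [192.0.2.44]
Oct 18 00:50:01 host sendmail[14800]: AAA14800: from=<a@example.org>, size=812, class=0, pri=30812, nrcpts=1, proto=SMTP, relay=client.example.org [192.0.2.44]
Oct 18 00:50:02 host sendmail[14801]: AAA14800: to=<user@example.com>, delay=00:00:01, mailer=esmtp, relay=mx.example.com. [198.51.100.7], stat=Sent (ok)
"""

RECORD = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<body>.*)$")

def _num(body, key):
    """Return the integer value of key=N in a record body, or 0 if absent."""
    m = re.search(rf"\b{key}=(\d+)", body)
    return int(m.group(1)) if m else 0

def summarize(log_text):
    """Group records by queue ID; tally rejects, accepted recipients, deliveries."""
    sessions = defaultdict(lambda: {"rejects": 0, "nrcpts": 0, "size": 0, "sent": 0})
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        s, body = sessions[m.group("qid")], m.group("body")
        if body.startswith("ruleset=") and re.search(r"\breject=\d{3}", body):
            s["rejects"] += 1            # check_rcpt / check_mail refusal
        elif body.startswith("from="):
            s["nrcpts"] = _num(body, "nrcpts")  # recipients accepted for the envelope
            s["size"] = _num(body, "size")
        elif body.startswith("to=") and "stat=Sent" in body:
            s["sent"] += 1               # a delivery attempt that succeeded
    return dict(sessions)

def classify(s):
    """'accepted' means mail was taken for at least one recipient; whether that is
    a relay still depends on whether the to= address is local to the server."""
    if s["sent"] or s["nrcpts"] > 0:
        return "accepted"
    return "rejected" if s["rejects"] else "empty"

def report(log_text):
    return {qid: classify(s) for qid, s in summarize(log_text).items()}

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```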