[svlug] somebody trying to use me for spam?

Tim tim at tetro.net
Fri Apr 18 14:50:19 PDT 2003


On Fri, Apr 18, 2003 at 02:06:43PM -0700, Gordon Vrololjak wrote:
> Hello,
> Just wondering if anyone else has been seeing this in their logs?  (More
> detailed log at bottom of email.)
> 
> Apr 17 20:16:50 wilfred sendmail[10340]: NOQUEUE:
> ts003d0158.nyc-ny.xod.concentric.net [66.236.160.158] did not issue
> MAIL/EXPN/VRFY/ETRN during connection to MTA
> 
> Best I could glean from the web was it was someone trying to see if they could
> somehow use our server to relay spam.  

I doubt it.  If they were testing to see if it was an open relay, they'd
issue a:

  MAIL FROM:<some-bogus at address>

followed by an:

  RCPT TO:<non-local at address>

wouldn't they?

> Anyone else have insights?

Just a harmless port scan?  You can check by telnet'ing to your SMTP
server and then closing the connection, and see what turns up in your
logs.

If that's not it, maybe you'd want to run tcpdump logging all SMTP
traffic to a file (if SMTP traffic isn't very heavy), to capture what
the next person that triggers that message in the log file sent to the
server.  Maybe a tcpdump command like:

   tcpdump -pni eth0 -s 1500 -w smtplog.tcpdump tcp port 25

   - Tim
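
Added example, not part of Tim's message: a Python script that tallies, per source IP, the sendmail "did not issue MAIL/EXPN/VRFY/ETRN" entries discussed in this thread, so a one-off connect-and-close can be told apart from a host that keeps coming back. The first sample line is the entry quoted above (joined onto one line, as syslog writes it); the other log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# sendmail logs this when a client connects and leaves without starting a
# mail transaction. The client is "name [ip]" or just "[ip]" when there is
# no reverse DNS; an optional "(may be forged)" marker is tolerated.
PROBE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssendmail\[\d+\]:\s"
    r"NOQUEUE:\s(?P<client>.*?)\s*\[(?P<ip>[0-9A-Fa-f:.]+)\]\s"
    r"(?:\(may be forged\)\s)?"
    r"did not issue MAIL/EXPN/VRFY/ETRN during connection to \S+"
)

# First line is the entry quoted in the thread; the rest are constructed.
SAMPLE_LOG = """\
Apr 17 20:16:50 wilfred sendmail[10340]: NOQUEUE: ts003d0158.nyc-ny.xod.concentric.net [66.236.160.158] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 17 20:17:02 wilfred sendmail[10342]: NOQUEUE: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 17 20:17:05 wilfred sendmail[10345]: h3I3H5k10345: from=<a@example.org>, size=812, class=0, nrcpts=1, relay=mail.example.org [198.51.100.7]
Apr 17 20:19:44 wilfred sendmail[10351]: NOQUEUE: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""


def probes(log_text):
    """Yield (timestamp, ip, client_name) for each no-transaction connection."""
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if m:
            # client_name is None when sendmail logged only the bracketed IP
            yield m["ts"], m["ip"], m["client"] or None


def summarize(log_text):
    """Count no-transaction connections per source IP, busiest first."""
    return Counter(ip for _, ip, _ in probes(log_text)).most_common()


if __name__ == "__main__":
    for ip, count in summarize(SAMPLE_LOG):
        print(f"{count:4d}  {ip}")
```

A source that shows up once looks like the harmless scan suggested above; one that repeats is the candidate for the tcpdump capture.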


