[Mailman-Users] investigating attack-like "mail failures"

Nick Levine ndl at ravenbrook.com
Sun Mar 13 12:40:06 CET 2005


Hi.

I've noticed a number of attack-like "mail failures". The rate at
which we see them comes and goes at different times of the day; when
they're active they pass through at the rate of 1 or 2 per minute.

Here's an example, for the list alu-board-only at alu.org (we've seen
this for other alu.org lists too).

    /var/log/maillog:
    Mar 13 02:56:28 bibop postfix/smtpd[17886]: connect from localhost[127.0.0.1]
    Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: client=localhost[127.0.0.1]
    Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: reject: RCPT from localhost[127.0.0.1]: 450 <beverley at alu.org>: User unknown in local recipient table; from=<alu-board-only-bounces at alu.org> to=<beverley at alu.org> proto=ESMTP helo=<bibop.alu.org>
    Mar 13 02:56:29 bibop postfix/smtpd[17886]: disconnect from localhost[127.0.0.1]

    /usr/local/mailman/smtp-failure:
    Mar 13 02:56:29 2005 (2547) All recipients refused: {'beverley at alu.org': (450, '<beverley at alu.org>: User unknown in local recipient table')}, msgid: <mailman.6.1110619218.2549.alu-board-only at alu.org>
    Mar 13 02:56:29 2005 (2547) delivery to beverley at alu.org failed with code 450: <beverley at alu.org>: User unknown in local recipient table

    /usr/local/mailman/smtp:
    Mar 13 02:56:29 2005 (2547) <mailman.6.1110619218.2549.alu-board-only at alu.org> smtp for 1 recips, completed in 1.027 seconds

    /usr/local/mailman/post:
    Mar 13 02:56:29 2005 (2547) post to alu-board-only from alu-board-only-bounces at alu.org, size=1066, message-id=<mailman.6.1110619218.2549.alu-board-only at alu.org>, 1 failures

What I'd like to know is where (and apparently from whom) this message
originated, but I can't figure out from these logs what's going on.

It looks like an attempt from the Outgoing qrunner to send mail to
alu-board-only (hence the alu-board-only-bounces return address), with
beverley at alu.org as one of the addressees, which doesn't make sense.

Any ideas?

Thanks,

- nick

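As an added example (not code from the original post), here is a small Python script that parses smtp-failure lines like the ones above, decodes the fields of a Mailman-minted message-id, measures how long before the delivery attempt that id was created, and classifies each failure as temporary or permanent. It assumes the Mailman 2.x message-id layout `mailman.<serial>.<unix-time>.<pid>.<list>@<host>`, a CET (UTC+1) log timezone as in the post's headers, and uses the post's own two lines as a constructed sample with the archive's " at " munging reversed.

```python
import re
import calendar
from datetime import datetime, timedelta

# Constructed sample: the two smtp-failure lines quoted in the post, with the
# archive's " at " munging reversed so the addresses carry a literal "@".
SMTP_FAILURE_LOG = """\
Mar 13 02:56:29 2005 (2547) All recipients refused: {'beverley@alu.org': (450, '<beverley@alu.org>: User unknown in local recipient table')}, msgid: <mailman.6.1110619218.2549.alu-board-only@alu.org>
Mar 13 02:56:29 2005 (2547) delivery to beverley@alu.org failed with code 450: <beverley@alu.org>: User unknown in local recipient table
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \((\d+)\) (.*)$")
# Assumed layout of ids Mailman 2.x mints for mail it generates itself:
# <mailman.<serial>.<unix-time>.<pid>.<listname>@<host>>
MSGID_RE = re.compile(r"<mailman\.(\d+)\.(\d+)\.(\d+)\.([^@>]+)@([^>]+)>")
FAIL_RE = re.compile(r"delivery to (\S+) failed with code (\d{3})")

def log_time_to_epoch(stamp, utc_offset_hours):
    """Convert a log stamp such as 'Mar 13 02:56:29 2005' (local time) to Unix time."""
    local = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    return calendar.timegm((local - timedelta(hours=utc_offset_hours)).timetuple())

def analyse_failures(log_text, utc_offset_hours=1):
    """Group smtp-failure entries by message-id and decode what the id reveals."""
    results, last_msgid = {}, {}  # last_msgid: qrunner pid -> msgid it last reported
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        stamp, qpid, msg = m.groups()
        mid = MSGID_RE.search(msg)
        if mid:
            serial, created, gen_pid, listname, host = mid.groups()
            last_msgid[qpid] = mid.group(0)
            results[mid.group(0)] = {
                "list": listname, "host": host, "serial": int(serial),
                "generated_by_pid": int(gen_pid), "delivered_by_pid": int(qpid),
                # Seconds between the id being minted and this attempt: hours
                # of gap is consistent with retries of a 4xx failure, not a new post.
                "age_seconds": log_time_to_epoch(stamp, utc_offset_hours) - int(created),
                "failures": [],
            }
        f = FAIL_RE.search(msg)
        if f and qpid in last_msgid:  # the failure line follows its msgid line
            code = int(f.group(2))
            results[last_msgid[qpid]]["failures"].append(
                {"rcpt": f.group(1), "code": code,
                 "kind": "temporary (retried)" if code < 500 else "permanent"})
    return results
```

For the sample, the id was minted by a different process (pid 2549) than the qrunner delivering it (pid 2547) and roughly 16.6 hours earlier, which is what you would expect from a locally generated message being retried after a 450.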