From owner-freebsd-questions  Tue Apr 25 21:56:40 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from tucu.net (adsl-63-194-67-246.dsl.snfc21.pacbell.net [63.194.67.246])
	by hub.freebsd.org (Postfix) with ESMTP id 27D5A37B5AE
	for <freebsd-questions@FreeBSD.ORG>; Tue, 25 Apr 2000 21:56:37 -0700 (PDT)
	(envelope-from cadaver@tucu.net)
Received: from localhost (cadaver@localhost)
	by tucu.net (8.9.3/8.9.3) with ESMTP id VAA31511;
	Tue, 25 Apr 2000 21:56:29 -0700 (PDT)
	(envelope-from cadaver@tucu.net)
Date: Tue, 25 Apr 2000 21:56:29 -0700 (PDT)
From: Michael <cadaver@tucu.net>
To: Chris Fedde <chris@fedde.littleton.co.us>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Need help reading my maillog 
In-Reply-To: <200004260316.e3Q3GOi01208@fedde.littleton.co.us>
Message-ID: <Pine.BSF.4.10.10004252149380.31128-100000@tucu.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 25 Apr 2000, Chris Fedde wrote:

> On Tue, 25 Apr 2000 17:18:37 -0700 (PDT)  Michael wrote:
>  +------------------
>  | Apr 25 10:09:52 tucu sendmail[29625]: KAA29625: ruleset=check_mail,
>  | arg1=<mike1123@2hb.ne>, relay=lucy.fukuda.is.uec.ac.jp [130.153.154.151],
> reject=501 <mike1123@2hb.ne>... Sender domain must exist
>  | Apr 25 10:09:52 tucu sendmail[29625]: KAA29625: from=<mike1123@2hb.ne>,
>  | size=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
>  | relay=lucy.fukuda.is.uec.ac.jp [130.153.154.151]
>  | 
>  | Apr 25 13:46:42 tucu sendmail[29869]: NAA29869: ruleset=check_mail,
>  | arg1=<mike1123@2hb.ne>, relay=IDENT:root@olderman.analytic.ru
>  | [212.5.87.200], reject=501 <mike1123@2hb.ne>... Sender domain must exist
>  | Apr 25 13:46:42 tucu sendmail[29869]: NAA29869: from=<mike1123@2hb.ne>,
>  | size=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
>  | relay=IDENT:root@olderman.analytic.ru [212.5.87.200]
>  +------------------
> 
> After looking at this closer I think that I have a better scenario
> of what is going on here.  In the first case someone apparently at
> at lucy.fukuda.is.uec.ac.jp attempted to queue mail for mike1123@2hb.ne on
> tucu.   That mail was rejected and no mail was ever queued.
> The second case is another occurance of the same thing from a different
> address.  Are there any other records for either envelope?
> 
> That both have the same from= is puzzling.  I'm wondering if this is part
> of a probe from one of the mail spamming tools.
> 
> good luck
> chris
> --
>     Chris Fedde
>     303 773 9134

I don't have records of any envelopes but I came to the same conclusion
you did after messing around a bit. I used rlytest from the ports
collection and test both lucy.fukuda.is.uec.ac.jp and
olderman.analytic.ru. I couldn't connect to the ac.jp host but the russian
host relays mail. I think someone was trying to realy mail through me
using mike1123@2hb.ne as a forged From: address.

I don't think anything bad happened to my system and I am going to take
the advice of Bryan Bradsby and install RBL, DUL, RSS.

thanks for everyones help,

michael






To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message