From owner-freebsd-security Tue Sep 21 12:27:36 1999
Delivered-To: freebsd-security@freebsd.org
Received: from inbox.org (inbox.org [216.22.145.8])
	by hub.freebsd.org (Postfix) with ESMTP id B922714F13
	for ; Tue, 21 Sep 1999 12:27:33 -0700 (PDT)
	(envelope-from bsd@a.servers.aozilla.com)
Received: from localhost (bsd@localhost)
	by inbox.org (8.9.3/8.9.3) with ESMTP id PAA03746;
	Tue, 21 Sep 1999 15:26:26 -0400 (EDT)
Date: Tue, 21 Sep 1999 15:26:26 -0400 (EDT)
From: "Mr. K."
X-Sender: bsd@inbox.org
To: Mike Tancsa
Cc: security@FreeBSD.ORG
Subject: Re: hackers?
In-Reply-To: <3.0.5.32.19990921145047.013e24b0@staff.sentex.ca>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 21 Sep 1999, Mike Tancsa wrote:

> At 08:31 PM 9/19/99 -0400, Mr. K. wrote:
> >I've just recently upgraded to sendmail 8.9, as my host was being used as
> >a mail relay.  I think I am now under some kind of attack.  When I do a ps
> >-x I get the following listings:
> >
>
> They (the spammers) are probably still trying to relay off you.  Make sure
> your server is indeed set up to block unauthorized third party relays, and
> then contact AOL and inform them one of their users is trying to abuse your
> resources.
>
> Look through your maillogs and verify they are indeed being rejected.
>

I think I figured out what is happening.  The relaying is indeed getting
denied, but unfortunately some of the spammers' software is waiting blindly
for a positive response (and thus keeping a connection until they time
out).

My choices seem to be ipfw (which I don't want to do as I don't want to
block all aol users), or somehow getting sendmail to disconnect on a
"relaying denied" (instead of sitting there until they timeout).  I can't
figure out how to do the latter (doesn't seem to be possible).

And of course calling AOL and bitching, at least that will feel good if I
can get a bunch of these spammers booted.

Sep 21 15:17:23 a sendmail[3421]: PAA03421: ruleset=check_rcpt, arg1=, relay=98A89A1C.ipt.aol.com [152.168.154.28], reject=550 ... Relaying denied
Sep 21 15:17:59 a sendmail[1445]: OAA01445: from=bihungstud@aol.net, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=98A7D5DA.ipt.aol.com [152.167.213.218]
Sep 21 15:18:12 a sendmail[3438]: PAA03438: ruleset=check_rcpt, arg1=, relay=98CB0B15.ipt.aol.com [152.203.11.21], reject=550 ... Relaying denied
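
The maillog check suggested in the quoted reply, as an added example that is not part of the original message: it tallies, per client IP, "Relaying denied" rejections, transactions that ended with no accepted recipients, and transactions where mail was accepted. The log lines are constructed in the format of the ones posted above, with placeholder hosts and addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the sendmail syslog format shown in the post;
# hosts and addresses are placeholders from the documentation ranges.
SAMPLE_LOG = """\
Sep 21 15:17:23 a sendmail[3421]: PAA03421: ruleset=check_rcpt, arg1=<u1@example.org>, relay=dial1.example.net [192.0.2.28], reject=550 <u1@example.org>... Relaying denied
Sep 21 15:17:59 a sendmail[1445]: OAA01445: from=<x@example.net>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=dial2.example.net [192.0.2.218]
Sep 21 15:18:12 a sendmail[3438]: PAA03438: ruleset=check_rcpt, arg1=<u2@example.org>, relay=dial1.example.net [192.0.2.28], reject=550 <u2@example.org>... Relaying denied
Sep 21 15:19:40 a sendmail[3502]: PAA03502: from=<y@example.net>, size=2048, class=0, pri=32048, nrcpts=1, proto=SMTP, relay=dial3.example.net [198.51.100.7]
"""

LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
RELAY_IP = re.compile(r"relay=[^,\[]*\[(?P<ip>[0-9.]+)\]")
NRCPTS = re.compile(r"\bnrcpts=(?P<n>\d+)")


def summarize(log_text):
    """Per client IP: denied relay attempts, empty transactions, accepted mail."""
    stats = defaultdict(lambda: {"denied": 0, "empty": 0, "accepted": 0})
    for line in log_text.splitlines():
        m = LINE.search(line)
        ip = RELAY_IP.search(line)
        if not (m and ip):
            continue  # not a sendmail line, or no client address logged
        entry = stats[ip.group("ip")]
        rest = m.group("rest")
        if "ruleset=check_rcpt" in rest and "Relaying denied" in rest:
            # The recipient was refused by the anti-relay check.
            entry["denied"] += 1
        elif rest.startswith("from="):
            # nrcpts=0 means the transaction ended with no accepted recipient.
            n = NRCPTS.search(rest)
            if n:
                entry["accepted" if int(n.group("n")) > 0 else "empty"] += 1
    return dict(stats)


def needs_review(stats):
    """IPs that were denied relaying but also had mail accepted."""
    return sorted(ip for ip, s in stats.items() if s["denied"] and s["accepted"])


if __name__ == "__main__":
    for ip, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, counts)
```

An address returned by `needs_review` is not proof of a successful relay, since mail for a local recipient is also accepted; it marks the queue IDs worth reading in full.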