From owner-freebsd-stable  Sat Sep 28 18:42:39 2002
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id BAE7137B404
	for <freebsd-stable@FreeBSD.ORG>; Sat, 28 Sep 2002 18:42:36 -0700 (PDT)
Received: from home.24cl.com (174.113.sn.ct.dsl.thebiz.net [216.238.113.174])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AF84F43E6A
	for <freebsd-stable@FreeBSD.ORG>; Sat, 28 Sep 2002 18:42:35 -0700 (PDT)
	(envelope-from myraq@mgm51.com)
Received: from winbloat (winbloat.24cl.home [10.0.1.10])
	by home.24cl.com (Postfix) with ESMTP
	id 559732B28A; Sat, 28 Sep 2002 21:42:34 -0400 (EDT)
Message-ID: <200209282142340414.000E4F35@home.24cl.com>
In-Reply-To: <20020929003417.5322C83@CRWdog.demon.co.uk>
References: <20020929003417.5322C83@CRWdog.demon.co.uk>
X-Mailer: Calypso Version 3.20.01.01 (4)
Date: Sat, 28 Sep 2002 21:42:34 -0400
Reply-To: myraq@mgm51.com
From: "MikeM" <myraq@mgm51.com>
To: freebsd-stable@FreeBSD.ORG, "Andy Sparrow" <spadger@best.com>,
	"Mike Tibor" <tibor@tibor.org>
Cc: "Heywood Jblome" <provencial1@yahoo.com>,
	freebsd-stable@FreeBSD.ORG, andy@CRWdog.demon.co.uk
Subject: Re: Possible trojan since upgrade
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

On 9/28/2002 at 5:34 PM Andy Sparrow wrote:

>> On Fri, 27 Sep 2002, Heywood Jblome wrote:
>> 
>> > -----------This is the entry in question--------
>> > Sep 27 13:44:40 medusa sm-mta[1742]: g8RIiXgt001742:
>> > from=<root@zzzzzz.com>, size=0, class=0, nrcpts=1,
>> > proto=ESMTP, daemon=MTA, relay=[202.80.192.29]
>> 
>> Could this just be someone doing the following:
>> 
>>  telnet mx1.zzzzzz.com 25
>>  helo blah
>>  mail from: <root@zzzzzz.com>
>>  quit
>
>Increasinly common spammer trick, as is hitting the lowest-numbered MX

>in DNS /first/ (and often only) on the principle that it's less likely

>to be well-secured....
 =============


Do you mean the MX with the higher number, rather than lower number?
For my domain, my backup MX is priority 100, my main MX is priority 0.
Or do I have these critters set up backwards?


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message