Re: [Exim] Possible Malice on the Internet??

Página Inicial
Delete this message
Reply to this message
Autor: dman
Data:  
Para: exim-users
CC: Odhiambo G. Washington
Assunto: Re: [Exim] Possible Malice on the Internet??
On Tue, Mar 05, 2002 at 10:56:13AM +0300, Odhiambo G. Washington wrote:
| hello exim users,

|
| I think there is possible malice going on on the Internet.


This is well known.

| However, I'd like to tap on the expert advise that I know is
| available on this list.
| Twice I've had TWO hosts that are on my network blacklisted via
| spamcop. Normally someone does report to spamcop. I would expect
| that spamcop (or whatever it is) does a check before doing whatever
| it does. I have one client whom I've given a static IP
| (62.8.67.146). I am receiving a report that this is being used as an
| open relay. Can any of you successfully relay through it?

|
| Spamcop have this:

|
| http://spamcop.net/sc?id=z32887626ze7c799345e0b3a3cb5751c725568648dz


I took a look at it. I can't find any reverse DNS lookup for that IP,
but 'whois' shows that it is part of your block. I looked at all the
forward DNS records for wananchi.com (paying particular attention to
MX records) and nothing points to that IP. If I telnet to it on port
25 it claims to be "tntkenya.com" and running "MDaemon". Is that what
you expect? I tried to make it relay to myself in a couple of ways,
but it rejected it. The key to finding and fixing the hole is to know
_how_ the tester managed to make your system relay.

| All the headers were forged, how? I am not sure..


It is trivial to forge headers, especially when you're the one writing
to the socket (to see for yourself, use telnet). I don't know whether
spamcop forged those headers or not, but spammers do it all the time
so it is a valid way to test a server's config.

-D

--

Religion that God our Father accepts as pure and faultless is this: to
look after orphans and widows in their distress and to keep oneself from
being polluted by the world.
        James 1:27