Here's a little gem from some logs for a large ISP from Monday...
Someone generates a bounce to "Xavier@???" (that's what
customers sometimes do, especially with spam -- one lives with it).
This domain is set up with 15 MX records, most of which resolve to
hundreds (yes, hundreds -- go look!) of A records... there is also
some commonality between these lists of IP addresses and those listed
for other domains to which bounces are also being sent,
e.g. (incomplete list of similar domains, from a very quick scan):
aboutusjobs.com
authentictoday.com
beyondreliable.com
carconvoy.com
crurl.com
cyberserversusa.com
expiresanyday.com
netserversusa.com
netutilization.com
otcdistribution.com
roadsideartists.com
roadsideaudio.com
teachdaily.com
timesrunningout.com
ugotaccess.com
urhometown.com
usaanalysis.com
usaaudiobooks.com
usabachelors.com
visualacoustic.com
weekendadvice.com
weekendalert.com
weekendcowboy.com
whatsnewdaily.com
viz: this isn't an accident, it's intentional :( and there's a fair
amount of traffic (dozens of messages a day, even on a "Bank Holiday",
to these domains).
BTW: the domains appear to be linked (perhaps tenuously) to a ROKSO
listing... so the intention is probably not entirely benign, but
whatever the intention -- the effect is impressive :(
Well -- what happens is this sort of thing...
11:38:33 1CitCq-000OBb-6f <= <> H=(ntserv01.xxx.com) [x.x.x.x] P=esmtp S=14324 id=x@NTSERV01 from <> for Xavier@???
11:40:11 1CitCq-000OBb-6f bounce.nowheredirect.com [69.150.222.11]: Connection refused
11:41:26 1CitCq-000OBb-6f bounce2.nowheredirect.com [69.150.222.17]: Operation timed out
11:42:41 1CitCq-000OBb-6f bounce2.nowheredirect.com [69.150.222.13]: Operation timed out
11:43:56 1CitCq-000OBb-6f bounce2.nowheredirect.com [69.150.222.16]: Operation timed out
11:43:56 1CitCq-000OBb-6f bounce2.nowheredirect.com [69.150.222.10]: Connection refused
Those were the two lowest MX machines, so now on to the 12(!) at MX=500:
11:43:57 1CitCq-000OBb-6f mailer12.nowheredirect.com [69.150.220.48]: Connection refused
11:43:57 1CitCq-000OBb-6f mailer12.nowheredirect.com [69.150.220.63]: Connection refused
11:43:57 1CitCq-000OBb-6f mailer12.nowheredirect.com [69.150.220.200]: Connection refused
11:43:57 1CitCq-000OBb-6f mailer12.nowheredirect.com [69.150.220.54]: Connection refused
11:43:57 1CitCq-000OBb-6f mailer12.nowheredirect.com [69.150.220.178]: Connection refused
11:43:57 1CitCq-000OBb-6f mailer12.nowheredirect.com [69.150.220.20]: Connection refused
11:43:57 1CitCq-000OBb-6f mailer12.nowheredirect.com [69.150.220.6]: Connection refused
[snip 120 more delivery attempts to other IP addresses; all are refused]
11:45:26 1CitCq-000OBb-6f mailer07.nowheredirect.com [69.150.223.50]: Connection refused
11:45:26 1CitCq-000OBb-6f mailer07.nowheredirect.com [69.150.223.68]: Connection refused
[snip 36 more of these attempts]
11:46:45 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.246]: Operation timed out
11:48:00 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.254]: Operation timed out
11:49:15 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.248]: Operation timed out
11:50:30 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.247]: Operation timed out
11:51:45 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.251]: Operation timed out
11:53:00 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.249]: Operation timed out
11:54:15 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.250]: Operation timed out
11:55:30 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.253]: Operation timed out
11:56:45 1CitCq-000OBb-6f aol.nowheredirect.com [69.150.221.252]: Operation timed out
That was quick! That's timing out for you, rather than refusal!
11:56:45 1CitCq-000OBb-6f mailer09.nowheredirect.com [69.150.223.118]: Connection refused
[snipped 36 more failures to the many names of mailer09]
11:56:49 1CitCq-000OBb-6f mailer10.nowheredirect.com [69.150.223.167]: Connection refused
This is getting boring -- there are 36 more to mailer10.
11:58:09 1CitCq-000OBb-6f mailer01.nowheredirect.com [69.150.222.176]: Connection refused
And then 110 more to mailer01.
11:58:21 1CitCq-000OBb-6f mailer06.nowheredirect.com [69.150.223.11]: Connection refused
And 35 more to mailer06.
11:59:40 1CitCq-000OBb-6f mailer03.nowheredirect.com [69.150.222.242]: Operation timed out
12:00:55 1CitCq-000OBb-6f mailer03.nowheredirect.com [69.150.222.245]: Operation timed out
And after just those 2 to mailer03, at very long last, what we
wanted all along finally happens -- and the fallback machine gets it:
12:00:55 1CitCq-000OBb-6f => xavier@??? <Xavier@???> F=<> R=error_message T=remote_smtp H=post-fallback.mail.demon.net [194.217.242.94] C="250 2.0.0 accepted; S577121AbUL0MAz"
12:00:56 1CitCq-000OBb-6f Completed
So after 22 minutes cluttering up the machine and 399 delivery attempts
(imagine what the time would be with more timeouts and fewer refusals) it
finally goes to the fallback machine, where it doesn't get in the way of
the real service that is being provided.
Anyway, I'd suggest that hosts_max_try (at its default setting of 5)
isn't really sufficient in the face of (effectively) malicious DNS
contents... perhaps a hosts_total_try of 20 or so would be a useful
addition to the tuning toolkit? Or is there something like that
already that I missed in the fine documentation??
From what I have read, there certainly seems to have been some tweaking
down the years to deal with properly configured hosts -- so I suspect
that this may need careful adjustment to avoid throwing babies out with
the 399 gallons of bath-water!
--
richard @ highwayman . com "Nothing seems the same
Still you never see the change from day to day
And no-one notices the customs slip away"
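As an added example (not code from the original post or from Exim), here is a small Python triage script for the situation described: it parses Exim main-log lines of the three shapes quoted above (the "<=" arrival, the "host [ip]: reason" failure, and "Completed"), counts per-message host attempts and their outcomes, flags messages whose fan-out exceeds a threshold, and estimates how much delivery time a hard cap on total attempts (the hosts_total_try the post proposes) would have saved. The log lines embedded in it are constructed in the post's format, using RFC 5737 addresses and example.net names rather than the real hosts; the per-attempt cost model (gap between consecutive log lines for the same message) is an approximation of this example's own.

```python
"""Triage of Exim main-log delivery failures (added example, not from the post)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# All three line shapes start with "HH:MM:SS <message-id> ".
TS = r'(?P<t>\d\d:\d\d:\d\d) (?P<id>\S+) '
ARRIVE_RE = re.compile(TS + r'<= ')
DONE_RE = re.compile(TS + r'Completed$')
FAIL_RE = re.compile(TS + r'(?P<host>\S+) \[(?P<ip>[^\]]+)\]: '
                     r'(?P<why>Connection refused|Operation timed out)$')

# Constructed sample in the post's format (RFC 5737 addresses, example.net names).
SAMPLE_LOG = """\
11:38:33 1AAAAA-000001-AA <= <> H=(mail.example.org) [192.0.2.9] P=esmtp S=1432 for user@example.net
11:40:11 1AAAAA-000001-AA mx1.example.net [192.0.2.11]: Connection refused
11:41:26 1AAAAA-000001-AA mx2.example.net [192.0.2.17]: Operation timed out
11:42:41 1AAAAA-000001-AA mx2.example.net [192.0.2.13]: Operation timed out
11:43:56 1AAAAA-000001-AA mx2.example.net [192.0.2.16]: Operation timed out
11:43:56 1AAAAA-000001-AA mx2.example.net [192.0.2.10]: Connection refused
11:43:57 1AAAAA-000001-AA mailer12.example.net [192.0.2.48]: Connection refused
11:43:57 1AAAAA-000001-AA mailer12.example.net [192.0.2.63]: Connection refused
11:45:12 1AAAAA-000001-AA mailer12.example.net [192.0.2.64]: Operation timed out
11:45:12 1AAAAA-000001-AA => user@example.net <user@example.net> F=<> R=error_message T=remote_smtp H=fallback.example.net [192.0.2.200] C="250 2.0.0 accepted"
11:45:13 1AAAAA-000001-AA Completed
11:50:00 1BBBBB-000002-BB <= alice@example.org H=(client.example.org) [192.0.2.50] P=esmtp S=2000 for bob@example.com
11:50:01 1BBBBB-000002-BB => bob@example.com <bob@example.com> R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.77] C="250 OK"
11:50:01 1BBBBB-000002-BB Completed
"""


@dataclass
class Message:
    arrived: Optional[int] = None      # seconds since midnight
    completed: Optional[int] = None
    attempts: List[Tuple[int, str, str, str]] = field(default_factory=list)  # (secs, host, ip, why)


def _secs(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(':'))
    return h * 3600 + m * 60 + s


def _gap(a: int, b: int) -> int:
    """Seconds from a to b, tolerating one midnight rollover (the log carries no date)."""
    return (b - a) % 86400


def parse_log(text: str) -> dict:
    """Group arrival, failed host attempts and completion by message id."""
    msgs = {}
    for line in text.splitlines():
        line = line.strip()
        for rx in (ARRIVE_RE, FAIL_RE, DONE_RE):
            m = rx.match(line)
            if m:
                break
        else:
            continue  # delivery ("=>") and other lines are not needed here
        rec = msgs.setdefault(m['id'], Message())
        t = _secs(m['t'])
        if rx is ARRIVE_RE:
            rec.arrived = t
        elif rx is DONE_RE:
            rec.completed = t
        else:
            rec.attempts.append((t, m['host'], m['ip'], m['why']))
    return msgs


def summarize(rec: Message) -> dict:
    """Attempt counts, distinct MX names / addresses, and wall-clock time in delivery."""
    return {
        'attempts': len(rec.attempts),
        'refused': sum(1 for a in rec.attempts if a[3] == 'Connection refused'),
        'timed_out': sum(1 for a in rec.attempts if a[3] == 'Operation timed out'),
        'hosts': len({a[1] for a in rec.attempts}),
        'addresses': len({a[2] for a in rec.attempts}),
        'elapsed_s': (_gap(rec.arrived, rec.completed)
                      if rec.arrived is not None and rec.completed is not None else None),
    }


def estimate_saved_seconds(rec: Message, cap: int) -> int:
    """Time not spent had the transport given up after `cap` host attempts.

    Approximation: an attempt costs the gap between its log line and the
    previous event for the message, so refusals cost ~0s, each timeout its
    full timer, and DNS time is lumped into the first attempt."""
    prev, saved = rec.arrived, 0
    for n, (t, _host, _ip, _why) in enumerate(rec.attempts, start=1):
        if n > cap and prev is not None:
            saved += _gap(prev, t)
        prev = t
    return saved


def flag_fanout(msgs: dict, max_attempts: int) -> List[str]:
    """Message ids whose host attempts exceed the threshold: the pathological MX sets."""
    return sorted(mid for mid, rec in msgs.items() if len(rec.attempts) > max_attempts)


if __name__ == '__main__':
    msgs = parse_log(SAMPLE_LOG)
    for mid in flag_fanout(msgs, max_attempts=5):
        s = summarize(msgs[mid])
        print(f"{mid}: {s['attempts']} attempts over {s['hosts']} MX names / "
              f"{s['addresses']} addresses, {s['timed_out']} timeouts, "
              f"{s['elapsed_s']}s in delivery; a cap of 5 would have saved "
              f"~{estimate_saved_seconds(msgs[mid], 5)}s")
```

Run against a real main log, the fan-out report is the useful bit for a defender: a handful of message ids with hundreds of attempts against the same domain is the signature to alert on, and the timeout count (rather than the refusal count) is what drives the wasted time, exactly as the post observes. Later Exim 4 releases do supply an absolute cap of the kind asked for, hosts_max_try_hardlimit (default 50), alongside hosts_max_try.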