Hi,

Someone is using 203.98.24.1 (pcombo.co.nz) to relay mail to the CLEAR Net
MX hosts. Since 00:16:57 this morning there have been several hundreds of
thousands of attempts to deliver mail to CLEAR Net, which have been blocked
at CLEAR Net since the senders' domain is not real.

Oct 17 00:16:57 fep4 sendmail[25135]: Ruleset check_mail ()
rejection: 451 ... Sender domain (udie.com) not found in DNS,
or not compliant with section 6 of RFC822
Oct 17 00:16:57 fep4 sendmail[25135]: AAA25135: from=,
size=0, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=pcombo.co.nz
[203.98.24.1]
Oct 17 00:16:57 fep3 sendmail[1621]: Ruleset check_mail ()
rejection: 451 ... Sender domain (udie.com) not found in DNS,
or not compliant with section 6 of RFC822
Oct 17 00:16:57 fep3 sendmail[1621]: AAA01621: from=, size=0,
class=0, pri=0, nrcpts=0, proto=ESMTP, relay=pcombo.co.nz [203.98.24.1]

The offending relay is reached from CLEAR via Xtra and onthenet:

traceroute to 203.98.24.1 (203.98.24.1), 30 hops max, 40 byte packets
1 router (203.97.2.225) 3.125 ms 2.839 ms 2.940 ms
2 d1.test.clear.net.nz (203.167.224.30) 26.798 ms 27.121 ms 26.944 ms
3 ba1-atm1-0-1.acld.clix.net.nz (203.167.224.1) 27.307 ms ba2-atm1-0-1.acld.clix.net.nz (203.167.224.2) 27.199 ms 27.307 ms
4 ba1-ser0-15.hmtn.clix.net.nz (203.97.1.70) 37.072 ms s3-0.akcr1.netgate.net.nz (202.37.245.33) 30.615 ms 29.995 ms
5 xtra.akcr1.netgate.net.nz (202.37.245.46) 29.765 ms ngthn1-b1.nzix.waikato.ac.nz (140.200.128.9) 34.387 ms 36.746 ms
6 192.168.200.241 (192.168.200.241) 35.184 ms 35.428 ms s6-1.akcr1.netgate.net.nz (202.37.245.125) 42.860 ms
7 xtra.akcr1.netgate.net.nz (202.37.245.46) 38.670 ms 34.878 ms 53.744 ms
8 192.168.30.18 (192.168.30.18) 65.403 ms 192.168.200.241 (192.168.200.241) 42.500 ms 192.168.30.18 (192.168.30.18) 100.988 ms
9 otn2.gw.onthenet.co.nz (210.55.215.247) 48.387 ms 72.757 ms pcombo.co.nz (203.98.24.1) 131.373 ms

I have just checked 203.98.24.1 from tardis.patho.gen.nz, and it is indeed
a promiscuous relay:

tardis[5]% telnet pcombo.co.nz 25
Trying 203.98.24.1...
Connected to pcombo.co.nz.
Escape character is '^]'.
220 pcombo.co.nz ESMTP Sendmail 8.8.7/8.8.5; Sat, 17 Oct 1998 10:01:33 +1245
HELO blah
250 pcombo.co.nz Hello tardis.patho.gen.nz [203.97.2.226], pleased to meet you
MAIL FROM:
250 ... Sender ok
RCPT TO:
250 ... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: moo(a)cow.dog.horse
To: jabley(a)patho.gen.nz
Subject: oh no
This is an open relay
.
250 KAA19201 Message accepted for delivery
QUIT
221 pcombo.co.nz closing connection
Connection closed by foreign host.

which resulted in the following delivery attempt to tardis:

Oct 17 10:05:58 tardis sendmail[21233]: KAA21233: ruleset=check_mail,
arg1=, relay=root(a)pcombo.co.nz [203.98.24.1], reject=501
... Sender domain must exist

Until it is evident that these antics have stopped, we have applied packet
filters to refuse connections from 203.98.24.1 on tcp/25.

We would be grateful if appropriate people at Xtra and/or onthenet could
take similar action or otherwise arrange for this to stop.

Joe
--
Joe Abley
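Added example, not part of the original message: one way to count check_mail rejections per relay IP from sendmail syslog entries shaped like the ones quoted above, to pick out hosts worth filtering. The function names, the threshold parameter, and the 192.0.2.10 / example.net entry are assumptions made for illustration; the sample log is constructed from the quoted lines with wrapped lines joined.

```python
import re
from collections import Counter

# Constructed sample, modelled on the two sendmail log shapes quoted in the
# message (wrapped lines joined; addresses left empty as they are on the page).
# The 192.0.2.10 / example.net entry is invented for contrast.
SAMPLE_LOG = """\
Oct 17 00:16:57 fep4 sendmail[25135]: Ruleset check_mail () rejection: 451 ... Sender domain (udie.com) not found in DNS, or not compliant with section 6 of RFC822
Oct 17 00:16:57 fep4 sendmail[25135]: AAA25135: from=, size=0, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=pcombo.co.nz [203.98.24.1]
Oct 17 00:16:57 fep3 sendmail[1621]: Ruleset check_mail () rejection: 451 ... Sender domain (udie.com) not found in DNS, or not compliant with section 6 of RFC822
Oct 17 00:16:57 fep3 sendmail[1621]: AAA01621: from=, size=0, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=pcombo.co.nz [203.98.24.1]
Oct 17 00:17:02 fep3 sendmail[1700]: AAA01700: from=, size=812, class=0, pri=30812, nrcpts=1, proto=ESMTP, relay=mail.example.net [192.0.2.10]
Oct 17 10:05:58 tardis sendmail[21233]: KAA21233: ruleset=check_mail, arg1=, relay=root(a)pcombo.co.nz [203.98.24.1], reject=501 ... Sender domain must exist
"""

PREFIX = re.compile(r"^\w{3} +\d+ [\d:]+ (\S+) sendmail\[(\d+)\]: (.*)$")
RELAY_IP = re.compile(r"relay=[^\[,]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def rejections_by_relay(log_text):
    """Count check_mail rejections per relay IP.

    Entries like those on fep3/fep4 log the rejection and the relay on separate
    lines sharing a host and sendmail pid; the tardis entry has both on one line.
    """
    pending = set()          # (host, pid) with a rejection awaiting its relay line
    counts = Counter()
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        host, pid, rest = m.groups()
        relay = RELAY_IP.search(rest)
        if "ruleset=check_mail" in rest and "reject=" in rest and relay:
            counts[relay.group(1)] += 1
        elif rest.startswith("Ruleset check_mail") and "rejection:" in rest:
            pending.add((host, pid))
        elif relay and (host, pid) in pending:
            pending.discard((host, pid))
            counts[relay.group(1)] += 1
    return counts

def noisy_relays(log_text, threshold):
    """Relay IPs whose rejection count meets the threshold: filter candidates."""
    return sorted(ip for ip, n in rejections_by_relay(log_text).items() if n >= threshold)

if __name__ == "__main__":
    print(rejections_by_relay(SAMPLE_LOG), noisy_relays(SAMPLE_LOG, 3))
```

Accepted mail from a relay (the example.net line) is not counted, because its host and pid never appeared in a preceding rejection line.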