mail storm via 203.98.24.1
Hi,
Someone is using 203.98.24.1 (pcombo.co.nz) to relay mail to the CLEAR Net
MX hosts. Since 00:16:57 this morning there have been several hundreds of
thousands of attempts to deliver mail to CLEAR Net, which have been blocked
at CLEAR Net since the senders' domain is not real.
Oct 17 00:16:57 fep4 sendmail[25135]: Ruleset check_mail (
Hi all,

Note that after lulling us into enough of a sense of security for me to remove the access filters, this has now started again, exactly the same MO as before.

Could someone at Xtra or onthenet _please_ make this stop - it's irritating.

Joe

On Sat, Oct 17, 1998 at 10:23:39AM +1300, Joe Abley wrote:
Hi,
Someone is using 203.98.24.1 (pcombo.co.nz) to relay mail to the CLEAR Net MX hosts. Since 00:16:57 this morning there have been several hundreds of thousands of attempts to deliver mail to CLEAR Net, which have been blocked at CLEAR Net since the senders' domain is not real.
Oct 17 00:16:57 fep4 sendmail[25135]: Ruleset check_mail (
) rejection: 451 ... Sender domain (udie.com) not found in DNS, or not compliant with section 6 of RFC822
Oct 17 00:16:57 fep4 sendmail[25135]: AAA25135: from=
, size=0, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=pcombo.co.nz [203.98.24.1]
Oct 17 00:16:57 fep3 sendmail[1621]: Ruleset check_mail (
) rejection: 451 ... Sender domain (udie.com) not found in DNS, or not compliant with section 6 of RFC822
Oct 17 00:16:57 fep3 sendmail[1621]: AAA01621: from=
, size=0, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=pcombo.co.nz [203.98.24.1]

The offending relay is reached from CLEAR via Xtra and onthenet:
traceroute to 203.98.24.1 (203.98.24.1), 30 hops max, 40 byte packets
 1  router (203.97.2.225)  3.125 ms  2.839 ms  2.940 ms
 2  d1.test.clear.net.nz (203.167.224.30)  26.798 ms  27.121 ms  26.944 ms
 3  ba1-atm1-0-1.acld.clix.net.nz (203.167.224.1)  27.307 ms  ba2-atm1-0-1.acld.clix.net.nz (203.167.224.2)  27.199 ms  27.307 ms
 4  ba1-ser0-15.hmtn.clix.net.nz (203.97.1.70)  37.072 ms  s3-0.akcr1.netgate.net.nz (202.37.245.33)  30.615 ms  29.995 ms
 5  xtra.akcr1.netgate.net.nz (202.37.245.46)  29.765 ms  ngthn1-b1.nzix.waikato.ac.nz (140.200.128.9)  34.387 ms  36.746 ms
 6  192.168.200.241 (192.168.200.241)  35.184 ms  35.428 ms  s6-1.akcr1.netgate.net.nz (202.37.245.125)  42.860 ms
 7  xtra.akcr1.netgate.net.nz (202.37.245.46)  38.670 ms  34.878 ms  53.744 ms
 8  192.168.30.18 (192.168.30.18)  65.403 ms  192.168.200.241 (192.168.200.241)  42.500 ms  192.168.30.18 (192.168.30.18)  100.988 ms
 9  otn2.gw.onthenet.co.nz (210.55.215.247)  48.387 ms  72.757 ms  pcombo.co.nz (203.98.24.1)  131.373 ms
I have just checked 203.98.24.1 from tardis.patho.gen.nz, and it is indeed a promiscuous relay:
tardis[5]% telnet pcombo.co.nz 25
Trying 203.98.24.1...
Connected to pcombo.co.nz.
Escape character is '^]'.
220 pcombo.co.nz ESMTP Sendmail 8.8.7/8.8.5; Sat, 17 Oct 1998 10:01:33 +1245
HELO blah
250 pcombo.co.nz Hello tardis.patho.gen.nz [203.97.2.226], pleased to meet you
MAIL FROM:
250 ... Sender ok
RCPT TO:
250 ... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: moo(a)cow.dog.horse
To: jabley(a)patho.gen.nz
Subject: oh no

This is an open relay
.
250 KAA19201 Message accepted for delivery
QUIT
221 pcombo.co.nz closing connection
Connection closed by foreign host.
which resulted in the following delivery attempt to tardis:
Oct 17 10:05:58 tardis sendmail[21233]: KAA21233: ruleset=check_mail, arg1=
, relay=root(a)pcombo.co.nz [203.98.24.1], reject=501 ... Sender domain must exist

Until it is evident that these antics have stopped, we have applied packet filters to refuse connections from 203.98.24.1 on tcp/25.
We would be grateful if appropriate people at Xtra and/or onthenet could take similar action or otherwise arrange for this to stop.
--
Joe Abley
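The thread above spots the storm by eye in the sendmail logs: a single relay host generating a flood of check_mail rejections for a sender domain that does not exist in DNS. Below is an added example (not code from the thread, CLEAR Net or Joe Abley) that automates that triage over sendmail 8.8-style log lines: it correlates each "Ruleset check_mail ... rejection" record with the envelope record logged by the same host and pid, counts rejected versus accepted attempts per relay address, and flags relays whose traffic is almost entirely rejections. The sample log is constructed to mimic the quoted lines; the sender addresses (which the list archive stripped from the originals) and the benign relay mail.example.net [192.0.2.10] are assumptions, not taken from the thread. The thresholds are illustrative defaults.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the sendmail 8.8 lines quoted in the
# thread. Sender addresses and the second relay are made up for illustration.
SAMPLE_LOG = """\
Oct 17 00:16:57 fep4 sendmail[25135]: Ruleset check_mail (<bob@udie.com>) rejection: 451 <bob@udie.com>... Sender domain (udie.com) not found in DNS, or not compliant with section 6 of RFC822
Oct 17 00:16:57 fep4 sendmail[25135]: AAA25135: from=<bob@udie.com>, size=0, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=pcombo.co.nz [203.98.24.1]
Oct 17 00:16:58 fep3 sendmail[1621]: Ruleset check_mail (<bob@udie.com>) rejection: 451 <bob@udie.com>... Sender domain (udie.com) not found in DNS, or not compliant with section 6 of RFC822
Oct 17 00:16:58 fep3 sendmail[1621]: AAA01621: from=<bob@udie.com>, size=0, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=pcombo.co.nz [203.98.24.1]
Oct 17 00:17:02 fep4 sendmail[25140]: AAA25140: from=<alice@example.org>, size=1402, class=0, pri=31402, nrcpts=1, proto=ESMTP, relay=mail.example.net [192.0.2.10]
Oct 17 00:17:05 fep4 sendmail[25144]: Ruleset check_mail (<bob@udie.com>) rejection: 451 <bob@udie.com>... Sender domain (udie.com) not found in DNS, or not compliant with section 6 of RFC822
Oct 17 00:17:05 fep4 sendmail[25144]: AAA25144: from=<bob@udie.com>, size=0, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=pcombo.co.nz [203.98.24.1]
"""

# syslog prefix: "Mon DD HH:MM:SS host sendmail[pid]: message"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# check_mail rejection; the parenthesised argument may be empty, as in the
# archived lines where the address was stripped.
REJECT_RE = re.compile(
    r"^Ruleset check_mail \((?P<arg>[^)]*)\) rejection: (?P<code>\d{3}) "
    r".*?Sender domain \((?P<domain>[^)]+)\)"
)
# relay=host [addr], optionally prefixed by an ident user as in relay=root@host
RELAY_RE = re.compile(r"relay=(?:\S+@)?(?P<name>\S+) \[(?P<addr>[0-9.]+)\]")


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not a sendmail record."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rejected_attempts_by_relay(log_text):
    """Count delivery attempts per relay address, split into rejected and accepted.

    A rejection is logged under the same host and pid as the envelope record
    that follows it, so the (host, pid) pair is used to tie the two together
    and attribute the rejection to the relay named in the envelope record.
    """
    pending = {}  # (host, pid) -> rejected sender domain, awaiting its envelope record
    counts = defaultdict(lambda: {"name": None, "rejected": 0, "accepted": 0, "domains": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["pid"])
        rm = REJECT_RE.match(rec["msg"])
        if rm:
            pending[key] = rm.group("domain")
            continue
        relm = RELAY_RE.search(rec["msg"])
        if relm is None:
            continue
        entry = counts[relm.group("addr")]
        entry["name"] = relm.group("name")
        if key in pending:
            entry["rejected"] += 1
            entry["domains"].add(pending.pop(key))
        else:
            entry["accepted"] += 1
    return dict(counts)


def flag_relays(counts, min_rejected=3, min_ratio=0.9):
    """Return relays whose attempts are mostly rejections: (addr, name, rejected, domains)."""
    flagged = []
    for addr, e in counts.items():
        total = e["rejected"] + e["accepted"]
        if total and e["rejected"] >= min_rejected and e["rejected"] / total >= min_ratio:
            flagged.append((addr, e["name"], e["rejected"], sorted(e["domains"])))
    return sorted(flagged)


if __name__ == "__main__":
    for addr, name, n, domains in flag_relays(rejected_attempts_by_relay(SAMPLE_LOG)):
        print(f"{name} [{addr}]: {n} rejected attempts, bogus sender domains: {', '.join(domains)}")
```

On a real log the thresholds would be set far higher than three (the thread describes hundreds of thousands of attempts); the ratio test is what separates a misbehaving relay from a busy legitimate one that occasionally forwards a bad sender. The flagged address list is the input to whatever tcp/25 packet filter or access map the site already uses, which is the step the thread describes taking by hand.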