John Andersen wrote:
> I've noticed a lot of connections to my sendmail with an alleged TO
> address of
> BCFaun9enYd-khansen-norcomsoftware.com@cdbjcvcwrql.searchresultzdelivered.com
>
> The actual name varies, but the end bit is always
> searchresultzdelivered.com.
> Because my sendmail insists that the from address be resolvable,
> these don't get through.
>
> However my machine tries to connect back to the mx of
> searchresultzdelivered.com, which is
> relay=bounce.searchresultzdelivered.com.
It would be interesting to see all of your logfile entries for this. Are you sure it's
not just sendmail sending a DSN back? Which is just as bad.
>
> Being sort of suspicious, I blacklisted the entire subnet of
> searchresultz. I suspect they are looking for open relays.
Either that or they are trying to verify a valid e-mail address.
>
> So I ask, who are these people? (I know all about dig and whois
> guys). Why does google have nothing on them?
Probably because the domain was created last week.
>
> Also, I want to know how I can make sendmail cough up the originating
> IP for a connection so I can ban that subnet too. Clearly it's not
> originating from anywhere in 4.17.77.0/24 as that is blacklisted.
As far as realtime scanning, that would probably require the use of a
specialized milter. You could always write a cron job that scanned your
logfiles and updated sendmail's access map. At least you could stop
further probes.
>
> Anyone else seeing connections from that bunch?
I just checked a month's worth of logfiles and did not see any hits. Whew! At
least for now. I'm sure these bastards will find me before long. :-(
Steve Cowles
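The log-scanning cron job Steve suggests, written out as an added example that is not part of the original thread or of sendmail itself. It parses sendmail's `check_mail` reject lines, keeps the connecting `relay=` IP whenever the rejected envelope sender falls under the probing domain, and turns the result into `Connect:` entries for the access map. The log lines, the relay IPs and the hostnames in `SAMPLE_LOG` are constructed for the example; the `Connect:` tag assumes the access map is enabled with FEATURE(`access_db') on a sendmail new enough to support tagged entries.

```python
import re
from collections import Counter

# Constructed sample syslog lines in sendmail's check_mail reject format.
# The IPs are documentation ranges, the sender addresses are made up, and the
# last line is a normal accepted message that must be ignored.
SAMPLE_LOG = """\
Mar  3 10:14:02 mx sendmail[12345]: h23AE2xx012345: ruleset=check_mail, arg1=<BCFaun9enYd-user-example.com@cdbjcvcwrql.searchresultzdelivered.com>, relay=[192.0.2.10], reject=451 4.1.8 Domain of sender address BCFaun9enYd-user-example.com@cdbjcvcwrql.searchresultzdelivered.com does not resolve
Mar  3 10:14:09 mx sendmail[12346]: h23AE9xx012346: ruleset=check_mail, arg1=<abc@qwerty.searchresultzdelivered.com>, relay=[192.0.2.10], reject=451 4.1.8 Domain of sender address abc@qwerty.searchresultzdelivered.com does not resolve
Mar  3 10:15:44 mx sendmail[12350]: h23AFixx012350: ruleset=check_mail, arg1=<xyz@zzz.searchresultzdelivered.com>, relay=[198.51.100.7], reject=451 4.1.8 Domain of sender address xyz@zzz.searchresultzdelivered.com does not resolve
Mar  3 10:16:01 mx sendmail[12351]: h23AG1xx012351: from=<friend@example.org>, size=1234, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [203.0.113.5]
"""

# arg1 is the envelope sender; relay is "hostname [ip]" or just "[ip]" when
# the connecting address has no reverse DNS (typical for these probes).
REJECT_RE = re.compile(
    r"ruleset=check_mail, arg1=<(?P<sender>[^>]*)>, "
    r"relay=(?:[^\s\[]+ )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\], reject="
)


def sender_matches(sender, domain):
    """True when the sender's domain is `domain` or any subdomain of it."""
    d = sender.rpartition("@")[2].lower()
    return d == domain or d.endswith("." + domain)


def rejected_relays(log_text, domain="searchresultzdelivered.com"):
    """Count connecting IPs per rejected sender under `domain`.

    Only check_mail rejects are considered, so accepted mail and DSNs that
    this host generated itself (outbound relay= lines) never contribute.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and sender_matches(m.group("sender"), domain):
            hits[m.group("ip")] += 1
    return hits


def access_map_entries(hits, existing=frozenset(), min_hits=1):
    """Build new access map lines for IPs seen at least `min_hits` times.

    `existing` holds IPs already present in the map so the cron job appends
    each offender only once. Connect: limits the block to the SMTP connection
    stage rather than any From: header that happens to carry the address.
    """
    return sorted(
        f"Connect:{ip}\tREJECT"
        for ip, n in hits.items()
        if n >= min_hits and ip not in existing
    )


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; a real job would read
    # /var/log/maillog, append the lines to /etc/mail/access and then run
    # "makemap hash /etc/mail/access < /etc/mail/access" to rebuild the db.
    for entry in access_map_entries(rejected_relays(SAMPLE_LOG)):
        print(entry)
```

Raising `min_hits` above one keeps a single accidental misdelivery from landing a legitimate relay in the map; the `existing` set should be loaded from the current access file before each run so the file does not grow with duplicates.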