little off topic: Am I an open relay?

Jason Williams jwilliams at COURTESYMORTGAGE.COM
Tue Jun 7 00:17:17 IST 2005



I think I figured it out.
This should be interesting. I think one of my users here put something 
on their computer and it was sending mail out.
*SIGH*



Raylund Lai wrote:

> you should examine the email headers, not just the syslog.
>
> cheers
> raylund
>
> Jason Williams wrote:
>
>> Alright. Some additional information. This one just came in:
>>
>> Jun  6 15:58:20 mail sm-mta-in[36205]: j56MwKQx036205: 
>> from=<service at 24hourfitness.com>, size=1380, class=0, nrcpts=1, 
>> msgid=<200506062256.j56MuA3x084356 at corpmail.courtesymortgage.com>, 
>> proto=ESMTP, daemon=MTA, relay=corpmail.courtesymortgage.com 
>> [xxx.xxx.xx.xx]
>> Jun  6 15:58:20 mail sm-mta-in[36205]: j56MwKQx036205: 
>> to=<tips at 24hourfitness.com>, delay=00:00:00, mailer=esmtp, pri=31380, 
>> stat=queued
>> Jun  6 15:58:21 mail MailScanner[36016]: New Batch: Scanning 1 
>> messages, 1964 bytes
>> Jun  6 15:58:21 mail MailScanner[36016]: Spam Checks: Starting
>> Jun  6 15:58:21 mail MailScanner[36016]: Virus and Content Scanning: 
>> Starting
>> Jun  6 15:58:22 mail MailScanner[36016]: Found ip-based phishing 
>> fraud from 205.138.199.146 in j56MwKQx036205
>> Jun  6 15:58:22 mail MailScanner[36016]: Content Checks: Detected and 
>> have disarmed HTML message in j56MwKQx036205 from 
>> service at 24hourfitness.com
>> Jun  6 15:58:22 mail MailScanner[36016]: Uninfected: Delivered 1 
>> messages
>> Jun  6 15:58:23 mail sendmail[36216]: j56MwKQx036205: 
>> to=<tips at 24hourfitness.com>, delay=00:00:03, xdelay=00:00:00, 
>> mailer=esmtp, pri=121380, relay=24hourfitness.com.s7a1.psmtp.com. 
>> [64.18.6.10], dsn=5.1.1, stat=User unknown
>>
>> Uh, I'm really confused as to what is going on here. Why is it coming 
>> into my gateway and my gateway turning around and relaying it?
>> I just checked with www.ordb.org, ran their test as well as 
>> www.abuse.net to ensure I wasn't an open relay and I passed with 
>> flying colors.
>>
>> I'm confused right now.
>>
>> Anyone have any idea? I'm annoyed but concerned right now.
>>
>> I appreciate it.
>>
>> Jason
>>
>> Jason Williams wrote:
>>
>>> I ran a few quick open-relay tests and I am denying them.
>>> Either I am way too tired and I'm missing something blatantly 
>>> obvious, or I'm just overreacting.
>>>
>>> I appreciate the help.
>>>
>>> Jason
>>>
>>> Jason Williams wrote:
>>>
>>>> Something very odd is happening and I'm a little concerned and I'm 
>>>> turning to the boards here for some help.
>>>>
>>>> I have a mailgateway running here and so far, it has been perfect. 
>>>> All of a sudden, I'm seeing odd stuff from monster.com and yahoo.com.
>>>>
>>>> Here is a snip:
>>>>
>>>> Jun  6 15:47:56 mail sm-mta-in[34390]: j56Mlt20034390: 
>>>> from=<support at monster.com>, size=1333, class=0, nrcpts=1, 
>>>> msgid=<200506062245.j56Mjj3x084146 at corpmail.courtesymortgage.com>, 
>>>> proto=ESMTP, daemon=MTA, relay=corpmail.courtesymortgage.com 
>>>> [xxx.xxx.xx.xx]
>>>>
>>>> Jun  6 15:47:56 mail sm-mta-in[34390]: j56Mlt20034390: 
>>>> to=<bmalcolm at monster.com>, delay=00:00:01, mailer=esmtp, pri=31333, 
>>>> stat=queued
>>>> Jun  6 15:47:59 mail MailScanner[33566]: New Batch: Scanning 1 
>>>> messages, 1899 bytes
>>>> Jun  6 15:47:59 mail MailScanner[33566]: Spam Checks: Starting
>>>> Jun  6 15:47:59 mail MailScanner[33566]: Virus and Content 
>>>> Scanning: Starting
>>>> Jun  6 15:48:00 mail MailScanner[33566]: Found ip-based phishing 
>>>> fraud from 205.138.199.146 in j56Mlt20034390
>>>> Jun  6 15:48:00 mail MailScanner[33566]: Content Checks: Detected 
>>>> and have disarmed HTML message in j56Mlt20034390 from 
>>>> support at monster.com
>>>> Jun  6 15:48:00 mail MailScanner[33566]: Uninfected: Delivered 1 
>>>> messages
>>>> Jun  6 15:48:02 mail sendmail[34401]: j56Mlt20034390: 
>>>> to=<bmalcolm at monster.com>, delay=00:00:07, xdelay=00:00:02, 
>>>> mailer=esmtp, pri=121333, relay=mailsorter.ma.tmpw.net. 
>>>> [63.112.169.25], dsn=2.0.0, stat=Sent (j56Mq3ei016306 Message 
>>>> accepted for delivery)
>>>>
>>>> I'm looking at this and it almost seems as if I'm an open relay!!
>>>>
>>>> Ok...great.
>>>>
>>>> here is my setup
>>>>
>>>> MS: 4-41.3
>>>> sendmail: 8.12.11
>>>>
>>>> If I am an open relay, anyone here who can help me out, email me 
>>>> at liquid.proxy at gmail.com while I determine what the hell is 
>>>> going on.
>>>>
>>>> Thanks
>>>>
>>>> Jason
>>>>
>>
>
>
>
>

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
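The thread turns on one field in the sendmail log: the `relay=` value on the `from=` line names the host that handed the message to the gateway. In Jason's snippets that host is corpmail.courtesymortgage.com, an internal machine, so the gateway was acting as a smarthost for something inside the network that was sending with foreign sender addresses; a real open relay would show an outside host there with both sender and recipient outside. The script below is an added example, not code from the thread or from MailScanner: it parses sendmail `sm-mta-in`/`sendmail` log lines, joins the `from=` and `to=` records per queue ID, and classifies each message by where it came from and where it went. The sample log embeds the two message traces from the thread (with `@` restored where the archive printed " at ", and the IP still redacted as `xxx.xxx.xx.xx`) plus two constructed traces, one normal inbound message and one genuine third-party relay, using RFC 5737 test addresses. `INTERNAL_DOMAINS` is an assumption standing in for the site's own domains.

```python
import re
from collections import defaultdict

# Assumption: the domains this gateway is responsible for.
INTERNAL_DOMAINS = {"courtesymortgage.com"}

# Sample log: the first two traces are from the thread, the two CONSTRUCTED
# traces are made up for this example (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Jun  6 15:47:56 mail sm-mta-in[34390]: j56Mlt20034390: from=<support@monster.com>, size=1333, class=0, nrcpts=1, msgid=<200506062245.j56Mjj3x084146@corpmail.courtesymortgage.com>, proto=ESMTP, daemon=MTA, relay=corpmail.courtesymortgage.com [xxx.xxx.xx.xx]
Jun  6 15:47:56 mail sm-mta-in[34390]: j56Mlt20034390: to=<bmalcolm@monster.com>, delay=00:00:01, mailer=esmtp, pri=31333, stat=queued
Jun  6 15:48:02 mail sendmail[34401]: j56Mlt20034390: to=<bmalcolm@monster.com>, delay=00:00:07, xdelay=00:00:02, mailer=esmtp, pri=121333, relay=mailsorter.ma.tmpw.net. [63.112.169.25], dsn=2.0.0, stat=Sent (j56Mq3ei016306 Message accepted for delivery)
Jun  6 15:58:20 mail sm-mta-in[36205]: j56MwKQx036205: from=<service@24hourfitness.com>, size=1380, class=0, nrcpts=1, msgid=<200506062256.j56MuA3x084356@corpmail.courtesymortgage.com>, proto=ESMTP, daemon=MTA, relay=corpmail.courtesymortgage.com [xxx.xxx.xx.xx]
Jun  6 15:58:20 mail sm-mta-in[36205]: j56MwKQx036205: to=<tips@24hourfitness.com>, delay=00:00:00, mailer=esmtp, pri=31380, stat=queued
Jun  6 15:58:23 mail sendmail[36216]: j56MwKQx036205: to=<tips@24hourfitness.com>, delay=00:00:03, xdelay=00:00:00, mailer=esmtp, pri=121380, relay=24hourfitness.com.s7a1.psmtp.com. [64.18.6.10], dsn=5.1.1, stat=User unknown
Jun  6 16:02:10 mail sm-mta-in[36301]: CONSTRUCTED0001: from=<friend@example.org>, size=900, class=0, nrcpts=1, msgid=<abc@example.org>, proto=ESMTP, daemon=MTA, relay=mx.example.org [198.51.100.5]
Jun  6 16:02:10 mail sm-mta-in[36301]: CONSTRUCTED0001: to=<jwilliams@courtesymortgage.com>, delay=00:00:00, mailer=esmtp, pri=30900, stat=queued
Jun  6 16:02:12 mail sendmail[36310]: CONSTRUCTED0001: to=<jwilliams@courtesymortgage.com>, delay=00:00:02, xdelay=00:00:00, mailer=esmtp, pri=120900, relay=corpmail.courtesymortgage.com. [192.0.2.25], dsn=2.0.0, stat=Sent (accepted)
Jun  6 16:05:40 mail sm-mta-in[36402]: CONSTRUCTED0002: from=<spammer@example.org>, size=2000, class=0, nrcpts=1, msgid=<xyz@example.org>, proto=ESMTP, daemon=MTA, relay=unknown-host.example.net [203.0.113.77]
Jun  6 16:05:40 mail sm-mta-in[36402]: CONSTRUCTED0002: to=<victim@example.com>, delay=00:00:00, mailer=esmtp, pri=32000, stat=queued
Jun  6 16:05:44 mail sendmail[36411]: CONSTRUCTED0002: to=<victim@example.com>, delay=00:00:04, xdelay=00:00:01, mailer=esmtp, pri=122000, relay=mx.example.com. [192.0.2.99], dsn=2.0.0, stat=Sent (accepted)
"""

# syslog prefix, program, queue ID, then the comma-separated key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>sm-mta-in|sendmail)\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return (queue_id, program, {field: value}) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for part in m.group("rest").split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return m.group("qid"), m.group("prog"), fields


def strip_addr(value):
    return value.strip("<>").lower()


def domain_of(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def relay_host(relay):
    # "host.example [1.2.3.4]" -> "host.example" (trailing dot removed)
    return relay.split(" ", 1)[0].rstrip(".").lower()


def is_internal(name):
    return any(name == d or name.endswith("." + d) for d in INTERNAL_DOMAINS)


def assemble(log_text):
    """Join the from= and to= records of each queue ID into one message dict."""
    msgs = defaultdict(lambda: {"recipients": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        qid, prog, f = parsed
        msg = msgs[qid]
        if "from" in f:
            msg["sender"] = strip_addr(f["from"])
            msg["source_relay"] = f.get("relay", "")   # who handed us the message
        elif "to" in f:
            rcpt = strip_addr(f["to"])
            if rcpt not in msg["recipients"]:
                msg["recipients"].append(rcpt)
            if prog == "sendmail":                     # outbound delivery attempt
                msg["dest_relay"] = f.get("relay", "")
                msg["stat"] = f.get("stat", "")
    return dict(msgs)


def classify(msg):
    """Classify by source host, envelope sender domain and recipient domains."""
    src_internal = is_internal(relay_host(msg.get("source_relay", "")))
    sender_internal = is_internal(domain_of(msg.get("sender", "")))
    rcpts = msg["recipients"]
    if rcpts and all(is_internal(domain_of(r)) for r in rcpts):
        return "inbound"
    if src_internal and sender_internal:
        return "outbound"
    if src_internal:
        # An inside machine submitting mail under someone else's sender
        # address: the pattern in the thread, not an open relay.
        return "internal-source-foreign-sender"
    # Outside host, outside sender, outside recipient: the open-relay pattern.
    return "external-relay"


def report(log_text):
    return {qid: classify(m) for qid, m in assemble(log_text).items()}


def open_relay_suspects(log_text):
    """Queue IDs that were relayed for outsiders and actually delivered."""
    return sorted(q for q, m in assemble(log_text).items()
                  if classify(m) == "external-relay"
                  and m.get("stat", "").startswith("Sent"))


if __name__ == "__main__":
    for qid, kind in report(SAMPLE_LOG).items():
        print(qid, kind)
    print("open relay suspects:", open_relay_suspects(SAMPLE_LOG))
```

Run against the sample, both of the thread's queue IDs come out as `internal-source-foreign-sender` and the only `external-relay` hit is the constructed CONSTRUCTED0002 trace. That split is the check the thread is asking for: the ordb.org/abuse.net probes test the external-relay case, while the messages Jason saw were accepted because they arrived from a host the gateway trusts, so the next step is the originating machine named in `relay=` rather than the relay rules.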