daily run output questions - rejected mail hosts?

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Apr 23 06:42:24 PDT 2003


On Wed, Apr 23, 2003 at 09:20:47AM -0400, Louis LeBlanc wrote:
> Just checking the daily run output today, and I found something
> confusing:
> 
> Checking for rejected mail hosts:
>    1 relays.osirusoft.com
>    1 ordb.org
>    1 dsbl.org
>    1 [61.175.162.203]
> 
> I'm pretty sure I didn't block the first three explicitly, and the
> last one is a chinese IP block, which I am rejecting altogether, but I
> don't allow relaying without authentication.  I also know that the
> first three are blacklist/spam relay reporting sites.  Is there a way
> for me to tell *why* these relays were rejected?  I'm guessing, but I
> want to make sure, that these entries are a sign that these sites are
> checking out my SMTP setup and I passed muster.

The names you get in the periodic output are just what the remote site
has told your system about where the messages come from.  Which means
that they may well be forged.

Grep for 'check_' in /var/log/maillog -- or use zgrep if the logs have
been cycled since you got the nightly e-mail. E.g.:

    % zgrep check_ /var/log/maillog*
    /var/log/maillog.1.gz:Apr 21 04:09:50 happy-idiot-talk sm-mta[28836]: h3L39l8x028836: ruleset=check_rcpt, arg1=<china9988 at 21cn.com>, relay=[220.116.163.233], reject=550 5.7.1 <china9988 at 21cn.com>... Relaying denied. IP name lookup failed [220.116.163.233]
    /var/log/maillog.1.gz:Apr 21 14:18:52 happy-idiot-talk sm-mta[32717]: h3LDIn8w032717: ruleset=check_rcpt, arg1=<bobra47 at ananzi.co.za>, relay=1Cust173.tnt1.san-fernando.ca.da.uu.net [67.227.10.173], reject=550 5.7.1 <bobra47 at ananzi.co.za>... Relaying denied
    [...etc...]

This will pick up everything denied by sendmail's anti-relaying,
anti-spam rulesets, plus anything you forbid by entries in the
/etc/mail/access.db database.

Note that the 'relay=addr' field is much more reliable in this case,
as it's the hostname and IP number of the machine that connected to
yours to deliver the message.  You get just the IP number if it
doesn't have a corresponding PTR record or doesn't match what the
other machine says in its SMTP HELO greeting --- either way, you
probably don't want to accept e-mail from such a site.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
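An added example (not part of the thread) that does what the reply suggests: parse sendmail's ruleset=check_* reject lines and count them by the relay= field, the connecting host's IP, rather than by the sender names the periodic script reports. The sample input is constructed from the two maillog lines quoted above (with the list's "at" obfuscation undone) plus one made-up check_relay line using a documentation IP.

```python
import re
from collections import Counter

# Constructed sample: two lines quoted in the post above, plus one invented
# check_relay rejection (192.0.2.10 is a documentation address, not a real host).
SAMPLE_LOG = """\
Apr 21 04:09:50 happy-idiot-talk sm-mta[28836]: h3L39l8x028836: ruleset=check_rcpt, arg1=<china9988@21cn.com>, relay=[220.116.163.233], reject=550 5.7.1 <china9988@21cn.com>... Relaying denied. IP name lookup failed [220.116.163.233]
Apr 21 14:18:52 happy-idiot-talk sm-mta[32717]: h3LDIn8w032717: ruleset=check_rcpt, arg1=<bobra47@ananzi.co.za>, relay=1Cust173.tnt1.san-fernando.ca.da.uu.net [67.227.10.173], reject=550 5.7.1 <bobra47@ananzi.co.za>... Relaying denied
Apr 22 09:00:01 happy-idiot-talk sm-mta[1001]: h3M90001001001: ruleset=check_relay, arg1=[192.0.2.10], arg2=192.0.2.10, relay=[192.0.2.10], reject=550 5.7.1 Access denied
"""

# relay= is either "hostname [ip]" (PTR found and matched) or just "[ip]".
LINE_RE = re.compile(
    r"ruleset=(?P<ruleset>check_\w+), "
    r"(?:arg\d=[^,]*, )*"
    r"relay=(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\], "
    r"reject=(?P<code>\d{3} \d\.\d\.\d)"
)


def parse_reject(line):
    """Return the ruleset, connecting IP, PTR name (if any) and reply code
    of one sendmail reject line, or None if the line is not a reject."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ruleset": m["ruleset"],
        "ip": m["ip"],
        "host": m["host"],  # None when sendmail logged only the bare IP
        "has_ptr": m["host"] is not None,
        "code": m["code"],
    }


def summarize(log_text):
    """Count rejections per connecting IP (the trustworthy relay= field)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_reject(line)
        if rec:
            counts[rec["ip"]] += 1
    return counts


if __name__ == "__main__":
    for ip, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d} {ip}")
```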