[clue-admin] Fwd: [spry.com #430594] [SpamCop (64.79.210.234) id:3189128524] The results of your email commands
Jed S. Baer
cluemail at jbaer.cotse.net
Thu Jun 12 19:15:44 MDT 2008
On Thu, 12 Jun 2008 12:21:31 -0600
Jeff Cann wrote:
> This looks not good...
I'm not going to just keep reposting the offending e-mails in all replies.
I'm looking at /etc/maillog, actually don't know what to make of some of
this stuff, and AFAIK, there's no way to "look backward" and see what
exact e-mail messages (meaning the full e-mail envelope of the message)
are involved.
There's a bunch of these sorts of sequences:
Jun 12 05:29:42 cluedenver postfix/cleanup[26198]: 8CA362D4C0CE:
message-id=<37c401c8cc7f$9cf95d00$4d2929fd at Chris>
Jun 12 05:29:42 cluedenver postfix/qmgr[10096]: 8CA362D4C0CE:
from=<agretope at oe-consulting.com>, size=1801, nrcpt=1 (queue active)
Jun 12 05:29:42 cluedenver postfix/cleanup[24056]: D3CEB2D4C0CA:
message-id=<37c401c8cc7f$9cf95d00$4d2929fd at Chris>
Jun 12 05:29:42 cluedenver postfix/qmgr[10096]: D3CEB2D4C0CA:
from=<agretope at oe-consulting.com>, size=1936, nrcpt=1 (queue active)
then:
Jun 12 05:29:36 cluedenver postfix/smtp[26255]: 7261B2D4C0B8:
to=<chris at oe-consulting.com>, relay=mail.ops-netman.net[71.246.230.124],
delay=8, status=sent (250 2.0.0 Ok: queued as 78F51C380F9)
Then more "from=<agretope at oe-consulting.com>"
I don't see any oe-consulting addresses in the CLUE-Cert mailing list
membership.
Grepping for "oe-consulting" in all files in the /var/log/mailman
directory gets nothing.
From the complaint, here's these headers:
> Received: from tee.gr (unknown [77.41.41.253])
> by cluedenver.org (Postfix) with SMTP id 2D4CB2D4C0B8
> for <x>;
> Thu, 12 Jun 2008 05:29:25 -0600 (MDT)
> Received: from 144.202.0.38 (HELO mail02.ops-netman.net)
> by cluedenver.org with esmtp ({nChar[8-12]} {nChar[4-6]})
> id tRCxg-Qn6Ge0-Tj
> for x; Thu, 12 Jun 2008 15:29:29 +0400
And I note these:
Jun 12 05:29:42 cluedenver postfix/local[24084]: 8CA362D4C0CE:
to=<sponsors at cluedenver.org>, relay=local, delay=1, status=sent
(forwarded as D3CEB2D4C0CA)
Jun 12 05:29:42 cluedenver postfix/qmgr[10096]: 8CA362D4C0CE: removed
Jun 12 05:29:43 cluedenver postfix/smtpd[26534]: disconnect from unknown[77.41.41.253]
Jun 12 05:29:43 cluedenver postfix/smtpd[26170]: disconnect from unknown[77.41.41.253]
jbaer at robinson:~$ host 77.41.41.253
253.41.41.77.in-addr.arpa domain name pointer host-77-41-41-253.qwerty.ru.
That IP address is showing up a lot in the logs. Looks like it connects
before any of the oe-consulting messages, and disconnects just after.
I just noticed that it looks like maybe some of the mail coming from that
IP is going to the tech account Linux-ETC uses, so I'll ping Crawford to
see if that sheds any light.
Maybe banning abusive IP addresses would be a good thing.
Anyways, any thoughts on this are welcome.
jed
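A worked example of the "look backward" correlation discussed in the message above, added here by the editor and not part of the original post or of any CLUE tooling: it parses Postfix maillog-format lines, binds each queue ID to the connecting IP through smtpd's `client=` line (the line that actually ties a queue ID to a sender host, rather than the connect/disconnect timing), follows the `forwarded as` link from the local alias delivery to the new outbound queue ID, and reports what a given IP's messages turned into. The sample lines are constructed from the entries quoted in the post, with the archive's " at " obfuscation undone; the `connect from`, `client=` and the outbound `smtp` line for D3CEB2D4C0CA are assumptions, since the post does not quote them.

```python
"""Reconstruct Postfix message flow per sending IP from maillog lines."""
import re
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in the post.  The
# "connect from", "client=" and the outbound smtp line for D3CEB2D4C0CA
# are assumed; Postfix logs them, but the post does not quote them.
SAMPLE_LOG = """\
Jun 12 05:29:25 cluedenver postfix/smtpd[26170]: connect from unknown[77.41.41.253]
Jun 12 05:29:25 cluedenver postfix/smtpd[26170]: 8CA362D4C0CE: client=unknown[77.41.41.253]
Jun 12 05:29:42 cluedenver postfix/cleanup[26198]: 8CA362D4C0CE: message-id=<37c401c8cc7f$9cf95d00$4d2929fd@Chris>
Jun 12 05:29:42 cluedenver postfix/qmgr[10096]: 8CA362D4C0CE: from=<agretope@oe-consulting.com>, size=1801, nrcpt=1 (queue active)
Jun 12 05:29:42 cluedenver postfix/local[24084]: 8CA362D4C0CE: to=<sponsors@cluedenver.org>, relay=local, delay=1, status=sent (forwarded as D3CEB2D4C0CA)
Jun 12 05:29:42 cluedenver postfix/cleanup[24056]: D3CEB2D4C0CA: message-id=<37c401c8cc7f$9cf95d00$4d2929fd@Chris>
Jun 12 05:29:42 cluedenver postfix/qmgr[10096]: D3CEB2D4C0CA: from=<agretope@oe-consulting.com>, size=1936, nrcpt=1 (queue active)
Jun 12 05:29:42 cluedenver postfix/qmgr[10096]: 8CA362D4C0CE: removed
Jun 12 05:29:43 cluedenver postfix/smtp[26255]: D3CEB2D4C0CA: to=<chris@oe-consulting.com>, relay=mail.ops-netman.net[71.246.230.124], delay=1, status=sent (250 2.0.0 Ok: queued as 78F51C380F9)
Jun 12 05:29:43 cluedenver postfix/qmgr[10096]: D3CEB2D4C0CA: removed
Jun 12 05:29:43 cluedenver postfix/smtpd[26170]: disconnect from unknown[77.41.41.253]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<rest>.*)$")
QID_RE = re.compile(r"^(?P<qid>[0-9A-F]{6,}): (?P<body>.*)$")   # NOQUEUE never matches
CONNECT_RE = re.compile(r"^(?P<dir>connect|disconnect) from (?P<name>\S+?)\[(?P<ip>[\d.]+)\]")
CLIENT_RE = re.compile(r"client=(?P<name>\S+?)\[(?P<ip>[\d.]+)\]")
DELIVERY_RE = re.compile(r"to=<([^>]*)>.*?relay=(\S+?),.*?status=(\w+)")
FORWARD_RE = re.compile(r"forwarded as ([0-9A-F]+)")


def parse_maillog(text):
    """Return (messages, sessions): per-queue-ID records and smtpd sessions."""
    messages = defaultdict(lambda: {"client_ip": None, "message_id": None, "from": None,
                                    "deliveries": [], "forwarded_as": [], "removed": False})
    open_sessions = {}   # smtpd pid -> (client ip, connect timestamp)
    sessions = []        # (pid, ip, connect ts, disconnect ts)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, pid, rest, ts = m["prog"], m["pid"], m["rest"], m["ts"]
        if prog == "smtpd":
            c = CONNECT_RE.match(rest)
            if c:
                if c["dir"] == "connect":
                    open_sessions[pid] = (c["ip"], ts)
                else:
                    ip, start = open_sessions.pop(pid, (c["ip"], None))
                    sessions.append((pid, ip, start, ts))
                continue
        q = QID_RE.match(rest)
        if not q:
            continue
        rec, body = messages[q["qid"]], q["body"]
        if prog == "smtpd":                      # client= binds queue ID to the sending IP
            c = CLIENT_RE.search(body)
            if c:
                rec["client_ip"] = c["ip"]
        elif prog == "cleanup":
            mid = re.search(r"message-id=<(.*)>", body)
            if mid:
                rec["message_id"] = mid.group(1)
        elif prog == "qmgr":
            if body == "removed":
                rec["removed"] = True
            else:
                f = re.search(r"from=<([^>]*)>", body)
                if f:
                    rec["from"] = f.group(1)
        elif prog in ("local", "smtp", "virtual", "pipe", "lmtp", "error"):
            d = DELIVERY_RE.search(body)
            if d:
                rec["deliveries"].append({"to": d.group(1), "relay": d.group(2), "status": d.group(3)})
            rec["forwarded_as"].extend(FORWARD_RE.findall(body))
    return dict(messages), sessions


def trace(messages, qid, seen=None):
    """Follow 'forwarded as' links: every queue ID one inbound message became."""
    if seen is None:
        seen = []
    if qid in seen or qid not in messages:
        return seen
    seen.append(qid)
    for nxt in messages[qid]["forwarded_as"]:
        trace(messages, nxt, seen)
    return seen


def messages_from_ip(messages, ip):
    """Inbound queue IDs whose client= line names this IP, with the chain of
    forwards and the non-local deliveries that chain finally produced."""
    report = []
    for qid, rec in messages.items():
        if rec["client_ip"] != ip:
            continue
        chain = trace(messages, qid)
        outbound = [d for q in chain for d in messages[q]["deliveries"] if d["relay"] != "local"]
        report.append({"qid": qid, "message_id": rec["message_id"], "from": rec["from"],
                       "chain": chain, "outbound": outbound})
    return report


if __name__ == "__main__":
    msgs, sess = parse_maillog(SAMPLE_LOG)
    for r in messages_from_ip(msgs, "77.41.41.253"):
        print(r["qid"], "from", r["from"], "chain:", " -> ".join(r["chain"]))
        for d in r["outbound"]:
            print("   relayed to", d["to"], "via", d["relay"], "status", d["status"])
    for pid, ip, start, end in sess:
        print("smtpd session", pid, ip, start, "..", end)
```

Run it against a real maillog (`python3 trace.py < /var/log/maillog` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the report answers the question in the post: which inbound queue IDs came from 77.41.41.253, which alias forwarded them, and where the resulting outbound copies were relayed. The thing to grep for in practice is the `client=` line, since only it names both the queue ID and the connecting host; connect/disconnect lines carry no queue ID.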