[Mailman-Users] investigating attack-like "mail failures"

2005-03-13 Thread Nick Levine
Hi.

I've noticed a number of attack-like "mail failures". The rate at
which we see them comes and goes at different times of the day; when
they're active they pass through at the rate of 1 or 2 per minute.

Here's an example, for the list [EMAIL PROTECTED] (we've seen
this for other alu.org lists too).

/var/log/maillog:
Mar 13 02:56:28 bibop postfix/smtpd[17886]: connect from 
localhost[127.0.0.1]
Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: 
client=localhost[127.0.0.1]
Mar 13 02:56:28 bibop postfix/smtpd[17886]: 12C1C12CCEB: reject: RCPT from 
localhost[127.0.0.1]: 450 <[EMAIL PROTECTED]>: User unknown in local recipient 
table; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP 
helo=
Mar 13 02:56:29 bibop postfix/smtpd[17886]: disconnect from 
localhost[127.0.0.1]

/usr/local/mailman/smtp-failure:
Mar 13 02:56:29 2005 (2547) All recipients refused: {'[EMAIL PROTECTED]': 
(450, '<[EMAIL PROTECTED]>: User unknown in local recipient table')}, msgid: 
<[EMAIL PROTECTED]>
Mar 13 02:56:29 2005 (2547) delivery to [EMAIL PROTECTED] failed with code 
450: <[EMAIL PROTECTED]>: User unknown in local recipient table

/usr/local/mailman/smtp:
Mar 13 02:56:29 2005 (2547) <[EMAIL PROTECTED]> smtp for 1 recips, 
completed in 1.027 seconds

/usr/local/mailman/post:
Mar 13 02:56:29 2005 (2547) post to alu-board-only from [EMAIL PROTECTED], 
size=1066, message-id=<[EMAIL PROTECTED]>, 1 failures

What I'd like to know is where (and from apparently whom) this message
originated, but I can't figure out from these logs what's going on.

It looks like an attempt from the Outgoing qrunner to send mail to
alu-board-only (hence the alu-board-only-bounces return address), with
[EMAIL PROTECTED] as one of the addressees, which doesn't make sense.

Any ideas?

Thanks,

- nick
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://www.python.org/cgi-bin/faqw-mm.py
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/archive%40jab.org

Security Policy: 
http://www.python.org/cgi-bin/faqw-mm.py?req=show&file=faq01.027.htp


Re: [Mailman-Users] investigating attack-like "mail failures"

2005-03-14 Thread Nick Levine
Mark / Brad,

Many thanks for your mails.

I have tracked down (most of) what's going on.

vette:48:Mar 12 01:20:18 2005 (2549) alu-board-only post from
[EMAIL PROTECTED] held,
message-id=<[EMAIL PROTECTED]> : Post by
non-member to a members-only list

Because the sender was spoofed as coming from alu.org, the "you are on
hold" message went to bibop's mail server, which happens to return the
code 450 (= temporary failure?) for unknown users. It looks like
mailman keeps trying to resend a 450 bounce, every 15(?) minutes.

Bounces from other mail servers tend to carry the 550 code (=
permanent failure?) and mailman gives up.

Uhm, will it keep on doing this forever? It's tried sending to
beverley over 130 times since yesterday morning. 

Regards,

- nick
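As an added example (not code from the thread, from Mailman or from Postfix), the following Python script parses Postfix `reject:` lines and Mailman `smtp-failure` lines of the shape quoted in the first post, classifies the SMTP reply code the way a sending MTA does (4xx is temporary and gets retried, 5xx is final), and flags recipients that keep accumulating 4xx rejects, which is the retry pattern Nick describes in the second post. The regular expressions, function names and sample log lines are constructed for this example; the hostname, queue ids and addresses are placeholders.

```python
"""Classify Postfix reject codes and spot 4xx retry loops in a maillog.

Added example for the Mailman-Users thread; not Mailman or Postfix code.
All sample log lines below are constructed (placeholder host/addresses).
"""
import re
from collections import Counter

# Postfix smtpd reject line, same shape as the maillog excerpt in the thread.
POSTFIX_REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): reject: RCPT from (?P<client>\S+): "
    r"(?P<code>\d{3}) <(?P<rcpt>[^>]*)>: (?P<reason>[^;]*); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<to>[^>]*)>"
)

# Mailman smtp-failure line: "delivery to X failed with code NNN: ...".
MAILMAN_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \((?P<pid>\d+)\) "
    r"delivery to (?P<rcpt>\S+) failed with code (?P<code>\d{3}): (?P<reason>.*)$"
)


def _reject_line(ts, qid, client, code, rcpt, reason, sender):
    """Build a constructed Postfix reject line in the format quoted above."""
    return (f"{ts} bibop postfix/smtpd[17886]: {qid}: reject: RCPT from "
            f"{client}: {code} <{rcpt}>: {reason}; from=<{sender}> to=<{rcpt}> "
            f"proto=ESMTP helo=<bibop>")


UNKNOWN = "User unknown in local recipient table"
BOUNCES = "list-bounces@alu.example"   # placeholder list bounce address

# Constructed sample: three retries of the same 450 from the local MTA,
# one final 550 from a remote client, and one unrelated line.
SAMPLE_MAILLOG = [
    _reject_line("Mar 13 02:56:28", "12C1C12CCEB", "localhost[127.0.0.1]",
                 450, "bob@alu.example", UNKNOWN, BOUNCES),
    _reject_line("Mar 13 03:11:28", "3A7F012CD10", "localhost[127.0.0.1]",
                 450, "bob@alu.example", UNKNOWN, BOUNCES),
    _reject_line("Mar 13 03:26:28", "55B2312CD44", "localhost[127.0.0.1]",
                 450, "bob@alu.example", UNKNOWN, BOUNCES),
    _reject_line("Mar 13 03:30:02", "61C0A12CD51", "mx.remote.example[192.0.2.10]",
                 550, "carol@alu.example", "Recipient address rejected",
                 "someone@remote.example"),
    "Mar 13 03:31:09 bibop postfix/smtpd[17931]: connect from localhost[127.0.0.1]",
]

SAMPLE_MAILMAN_FAILURE = ("Mar 13 02:56:29 2005 (2547) delivery to bob@alu.example "
                          "failed with code 450: <bob@alu.example>: " + UNKNOWN)


def classify(code):
    """Map an SMTP reply code to what the sending MTA does with it:
    2xx accepted, 4xx temporary (queued and retried), 5xx permanent (bounced)."""
    if 200 <= code < 300:
        return "accepted"
    if 400 <= code < 500:
        return "transient"
    if 500 <= code < 600:
        return "permanent"
    return "unknown"


def parse_postfix_reject(line):
    """Return a dict for a Postfix reject line, or None for any other line."""
    m = POSTFIX_REJECT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    rec["action"] = classify(rec["code"])
    # A reject issued to a localhost client means the MTA refused mail that
    # this same host generated (e.g. a list notice to a spoofed local sender).
    rec["local_client"] = rec["client"].startswith("localhost[")
    return rec


def parse_mailman_failure(line):
    """Return a dict for a Mailman smtp-failure 'delivery to ... failed' line."""
    m = MAILMAN_FAIL_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    rec["action"] = classify(rec["code"])
    return rec


def find_retry_loops(lines, threshold=3):
    """Count 4xx rejects per recipient; return those seen at least `threshold`
    times. Repeated 4xx for one recipient means the MTA is still retrying."""
    counts = Counter()
    for line in lines:
        rec = parse_postfix_reject(line)
        if rec and rec["action"] == "transient":
            counts[rec["rcpt"]] += 1
    return {rcpt: n for rcpt, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for rcpt, n in find_retry_loops(SAMPLE_MAILLOG).items():
        print(f"{rcpt}: {n} transient rejects, MTA is still retrying")
```

Run against a real `/var/log/maillog` by feeding the file's lines to `find_retry_loops`. A recipient that keeps showing up confirms the picture in the thread: the 450 is answered by your own MTA for a locally generated notice, so the message stays in the MTA queue and is retried until the MTA gives up (for Postfix that is governed by `maximal_queue_lifetime`), which is why the fix belongs on the MTA side rather than in Mailman.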


Re: [Mailman-Users] investigating attack-like "mail failures"

2005-03-14 Thread Nick Levine
Brad,

   It's not Mailman trying to resend the message.  It's your MTA,
   to which Mailman handed over the message.

Aha.

   However, the MTA-specific aspects of this process are
   something you should pursue on a mailing list or newsgroup that is
   appropriate to your MTA (e.g., postfix-users), and not here.

Of course. Thanks again.

- nick