What is this? Relay usage?

What is this? Relay usage?

John M. Dlugosz-4
I subscribed my test postfix configuration to this list to start getting
some traffic to it, and it seems I'm getting more than just list
traffic.  I found this in the log:

connect from 118-165-77-220.dynamic.hinet.net[118.165.77.220]
NOQUEUE: reject: RCPT from 118-165-77-220.dynamic.hinet.net[118.165.77.220]: 554 5.7.1 <[hidden email]>: Relay access denied; from=<[hidden email]> to=<[hidden email]> proto=SMTP helo=<207.58.245.194>
lost connection after RCPT from 118-165-77-220.dynamic.hinet.net[118.165.77.220]
disconnect from 118-165-77-220.dynamic.hinet.net[118.165.77.220]

The interesting part being the second line:

        NOQUEUE:
        reject:
        RCPT from 118-165-77-220.dynamic.hinet.net[118.165.77.220]:
        554 5.7.1 <[hidden email]>:
        Relay access denied;
        from=<[hidden email]>
        to=<[hidden email]>
        proto=SMTP helo=<207.58.245.194>


Now I can imagine someone harvesting email addresses for sending spam,
but why would some server somewhere be asking mine to deliver email to
yahoo.com.cn accounts?  Is this related to spam traffic somehow?

Re: What is this? Relay usage?

mouss-2
John M. Dlugosz wrote:

> I subscribed my test postfix configuration to this list to start
> getting some traffic to it, and it seems I'm getting more than just
> list traffic.  I found this in the log:
>
> connect from 118-165-77-220.dynamic.hinet.net[118.165.77.220]
> NOQUEUE: reject: RCPT from
> 118-165-77-220.dynamic.hinet.net[118.165.77.220]: 554 5.7.1
> <[hidden email]>: Relay access denied;
> from=<[hidden email]> to=<[hidden email]> proto=SMTP
> helo=<207.58.245.194>
> lost connection after RCPT from
> 118-165-77-220.dynamic.hinet.net[118.165.77.220]
> disconnect from 118-165-77-220.dynamic.hinet.net[118.165.77.220]

welcome to the wild internet :)

They use your IP as helo (but do it the wrong way since their syntax is
invalid anyway) in an attempt to find a server that relays based on such
helo.


> The interesting part being the second line:
>
>     NOQUEUE:     reject:     RCPT from
> 118-165-77-220.dynamic.hinet.net[118.165.77.220]:     554 5.7.1
> <[hidden email]>:     Relay access denied;
>     from=<[hidden email]>     to=<[hidden email]>
>     proto=SMTP helo=<207.58.245.194>
>
>
> Now I can imagine someone harvesting email addresses for sending spam,
> but why would some server somewhere be asking mine to deliver email to
> yahoo.com.cn accounts?  Is this related to spam traffic somehow?

yes. just bots desperately seeking Susan^W open relay. you'll see this
from different parts of the world (hinet.net is the winner here).


Re: What is this? Relay usage?

Bjørn Ruberg
In reply to this post by John M. Dlugosz-4
> John M. Dlugosz
> I subscribed my test postfix configuration to this list to start getting
> some traffic to it, and it seems I'm getting more than just list
> traffic.  I found this in the log:
>
> connect from 118-165-77-220.dynamic.hinet.net[118.165.77.220]
> NOQUEUE: reject: RCPT from
> 118-165-77-220.dynamic.hinet.net[118.165.77.220]: 554 5.7.1
> <[hidden email]>: Relay access denied;
> from=<[hidden email]> to=<[hidden email]> proto=SMTP
> helo=<207.58.245.194>
> lost connection after RCPT from
> 118-165-77-220.dynamic.hinet.net[118.165.77.220]
> disconnect from 118-165-77-220.dynamic.hinet.net[118.165.77.220]
>
> The interesting part being the second line:
>
> NOQUEUE:
> reject:
> RCPT from 118-165-77-220.dynamic.hinet.net[118.165.77.220]:
> 554 5.7.1 <[hidden email]>:
> Relay access denied;
> from=<[hidden email]>
> to=<[hidden email]>
> proto=SMTP helo=<207.58.245.194>
>
>
> Now I can imagine someone harvesting email addresses for sending spam,
> but why would some server somewhere be asking mine to deliver email to
> yahoo.com.cn accounts?  Is this related to spam traffic somehow?

118.165.77.220 has tested your server to see whether it can be exploited
for relaying, probably with the intention of sending spam through it if
the test had succeeded (which it did not, as shown in the log).

Probing is very common and it is not related to being signed up to mailing
lists.

--
Bjørn
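
Added example, not part of any post in this thread: a small Python parser that picks "Relay access denied" rejections out of Postfix log text in the format quoted above and flags the HELO trick mouss describes (a bare IP as HELO, and specifically the server's own IP). It assumes 207.58.245.194 is the receiving server's address, as mouss's reply implies; the mail addresses and the second and third client hosts in the sample are constructed placeholders.

```python
import ipaddress
import re

# Assumption: the receiving server's own address, per mouss's reply in the thread.
OWN_IPS = {"207.58.245.194"}

# Constructed sample in the log format quoted in the thread; addresses are placeholders.
SAMPLE_LOG = """\
connect from 118-165-77-220.dynamic.hinet.net[118.165.77.220]
NOQUEUE: reject: RCPT from 118-165-77-220.dynamic.hinet.net[118.165.77.220]: 554 5.7.1 <rcpt@example.net>: Relay access denied; from=<sender@example.org> to=<rcpt@example.net> proto=SMTP helo=<207.58.245.194>
lost connection after RCPT from 118-165-77-220.dynamic.hinet.net[118.165.77.220]
NOQUEUE: reject: RCPT from mail.example.com[192.0.2.10]: 554 5.7.1 <other@example.net>: Relay access denied; from=<a@example.com> to=<other@example.net> proto=ESMTP helo=<mail.example.com>
NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 <x@example.net>: Recipient address rejected: Greylisted; from=<b@example.com> to=<x@example.net> proto=ESMTP helo=<[198.51.100.7]>
"""

REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) <(?P<rcpt>[^>]*)>: "
    r"(?P<reason>[^;]+); from=<(?P<sender>[^>]*)> to=<[^>]*> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)

def is_bare_ip(helo):
    """True when the HELO is a bare IP address, i.e. not wrapped in [] as an address literal."""
    try:
        ipaddress.ip_address(helo)
        return True
    except ValueError:
        return False

def relay_probes(log_text, own_ips=OWN_IPS):
    """Yield one dict per 'Relay access denied' rejection, with HELO anomaly flags."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or "Relay access denied" not in m["reason"]:
            continue  # not a reject line, or rejected for another reason
        helo = m["helo"]
        yield {
            "client_ip": m["ip"],
            "helo": helo,
            "helo_bare_ip": is_bare_ip(helo),
            "helo_is_our_ip": helo.strip("[]") in own_ips,
        }

if __name__ == "__main__":
    for probe in relay_probes(SAMPLE_LOG):
        print(probe)
```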