[Tfug] Tracking down a miscreant
Ronald Sutherland
ronald.sutherland at gmail.com
Sat May 31 17:05:17 MST 2008
On Sat, May 31, 2008 at 3:57 PM, John Gruenenfelder <johng at as.arizona.edu> wrote:
> Hello all,
>
> Okay, maybe not a miscreant. I don't think there's any ill-will here, just
> some improperly configured software.
>
> Some time ago I posted to TFUG asking for help about some bizarre Exim MTA
> error messages I was getting each day when cron.daily was processed. I just
> couldn't figure out what was generating them. I get three subjects daily:
>
> Subject: Cron <mail at foxstar> if [ -x /usr/sbin/exim_tidydb ]; then /usr/sbin/exim_tidydb /var/spool/exim retry >/dev/null; fi
> Subject: Cron <mail at foxstar> if [ -x /usr/sbin/exim_tidydb ]; then /usr/sbin/exim_tidydb /var/spool/exim wait-remote_smtp >/dev/null; fi
> Subject: Cron <root at foxstar> test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily
>
> With short message bodies. From and To have my machine's name. There's also
> a fourth one that cron.weekly seems to spit out.
>
> After spending some time with the friendly friends at #debian on IRC, one of
> them suggested looking at the message envelope and... what do you know? My
> machine isn't making these! D'oh!
>
> If I had been paying attention, I probably should have noticed that the
> timezone in the Date: header was off by three hours, too. Anyway, the
> envelope contains this:
>
> Received: from 206-169-90-30.static.twtelecom.net ([206.169.90.30]
> helo=foxstar) by foxstar.merseine.nu with esmtp (Exim 4.69)
> (envelope-from <root at foxstar.merseine.nu>) id 1K2RM9-0003vW-EJ for
> root at foxstar.merseine.nu; Sat, 31 May 2008 09:42:49 -0400
> Received: from root by foxstar with local (Exim 3.36 #1 (Debian))
> id 1K2RC6-0002nG-00
> for <root at foxstar.merseine.nu>; Sat, 31 May 2008 06:32:35 -0700
>
> So, somebody has an improperly configured Exim 3.36 with the same hostname as
> my machine. That's fine. But, they *also* seem to have their FQDN set the
> same as mine and so these messages leave localhost and find their way to me.
>
> It's not a company, though, just somebody on Time-Warner cable. How might I
> track this person down? It would seem that I can't send mail to root or mail
> because it will just end up coming back to me.
>
> I've been deleting these things for many months. My machine was exhibiting no
> problems and I was just ignoring it. It would be nice, though, to be able to
> tell this guy to stop nosing in on my free domain. :)
>
>
> --
> --John Gruenenfelder Research Assistant, UMass Amherst student
> Systems Manager, MKS Imaging Technology, LLC.
> Try Weasel Reader for PalmOS -- http://weaselreader.org
> "This is the most fun I've had without being drenched in the blood
> of my enemies!"
> --Sam of Sam & Max
>
Can you send to root at 206.169.90.30?
I've never tried to e-mail an IP address, so not sure.
and:
http://en.wikipedia.org/wiki/.nu
http://www.gov.nu/
hmmm... New Zealand speaks English, right?
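
The header check described in the quoted message, as an added example (not part of the original posts): it parses the two Received: headers quoted above and reports the connecting IP together with the signs that the mail was not generated on the receiving host. The function names and the regexes for Exim's Received: layout are this example's own assumptions.

```python
import re
from email.utils import parsedate_to_datetime

# The two Received: headers quoted in the message above (newest first),
# unfolded to one line each; addresses keep the archive's "at" obfuscation.
HEADERS = [
    "from 206-169-90-30.static.twtelecom.net ([206.169.90.30] helo=foxstar) "
    "by foxstar.merseine.nu with esmtp (Exim 4.69) "
    "(envelope-from <root at foxstar.merseine.nu>) id 1K2RM9-0003vW-EJ "
    "for root at foxstar.merseine.nu; Sat, 31 May 2008 09:42:49 -0400",
    "from root by foxstar with local (Exim 3.36 #1 (Debian)) "
    "id 1K2RC6-0002nG-00 for <root at foxstar.merseine.nu>; "
    "Sat, 31 May 2008 06:32:35 -0700",
]

# Network hop as Exim writes it: from <rDNS> ([<ip>] helo=<name>) by <host> with <proto>
REMOTE = re.compile(r"from (?P<rdns>\S+) \(\[(?P<ip>[0-9a-fA-F.:]+)\]"
                    r"(?: helo=(?P<helo>\S+?))?\) by (?P<by>\S+) with (?P<proto>\S+)")
# Local submission hop (e.g. cron mail): from <user> by <host> with local
LOCAL = re.compile(r"from (?P<user>\S+) by (?P<by>\S+) with local\b")

def parse_hop(header):
    """Return a dict describing one Received: hop, or None if unrecognised."""
    stamp = parsedate_to_datetime(header.rsplit(";", 1)[1].strip())
    for kind, rx in (("remote", REMOTE), ("local", LOCAL)):
        m = rx.match(header)
        if m:
            return {"kind": kind, "time": stamp, **m.groupdict()}
    return None

def foreign_origin(headers, my_fqdn):
    """Find the network hop into my_fqdn and list why the mail is not ours."""
    hops = [h for h in map(parse_hop, headers) if h]
    for i, hop in enumerate(hops):
        if hop["kind"] != "remote" or hop["by"] != my_fqdn:
            continue
        reasons = []
        if (hop["helo"] or hop["rdns"]) in (my_fqdn, my_fqdn.split(".")[0]):
            reasons.append("peer used our own hostname in HELO")
        for prev in hops[i + 1:]:
            # A "local" hop stamped in another UTC offset was not made on this host.
            delta = hop["time"].utcoffset() - prev["time"].utcoffset()
            if prev["kind"] == "local" and delta:
                hours = delta.total_seconds() / 3600
                reasons.append(f"local submission clock offset differs by {hours:+.0f}h")
        return {"ip": hop["ip"], "rdns": hop["rdns"], "reasons": reasons}
    return None  # no network hop: the message never left this machine
```
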