[brlug-general] is google really spamming?

Alvaro Zuniga gentooman at gmail.com
Thu Feb 28 11:45:00 CST 2008


Nice! A box was under an apparent DNS attack. Here is a tiny sample of what was found.

Feb 27 15:05:39 interceptor3 postfix-rx/smtpd[5192]: timeout after END-OF-MESSAGE from py-out-1112.google.com[64.233.166.179]
Feb 27 15:05:39 interceptor3 postfix-rx/smtpd[5192]: disconnect from py-out-1112.google.com[64.233.166.179]
Feb 27 15:07:36 interceptor3 postfix-rx/smtpd[6839]: connect from py-out-1112.google.com[64.233.166.179]
Feb 27 15:07:39 interceptor3 postfix-rx/smtpd[6839]: NOQUEUE: discard: RCPT from py-out-1112.google.com[64.233.166.179]: <-thompe at removed.com>: Receipient Address rxx-002-d17; from=<> to=<-thompe at removed.com> proto=ESMTP helo=<py-out-1112.google.com>
Feb 27 15:07:39 interceptor3 postfix-rx/smtpd[6839]: E948CE4746: client=py-out-1112.google.com[64.233.166.179]
Feb 27 15:07:52 interceptor3 postfix-rx/smtpd[6839]: timeout after END-OF-MESSAGE from py-out-1112.google.com[64.233.166.179]
Feb 27 15:07:52 interceptor3 postfix-rx/smtpd[6839]: disconnect from py-out-1112.google.com[64.233.166.179]
Feb 27 15:35:46 interceptor3 postfix-rx/smtpd[6889]: connect from py-out-1112.google.com[64.233.166.179]
Feb 27 15:35:46 interceptor3 postfix-rx/smtpd[6889]: NOQUEUE: discard: RCPT from py-out-1112.google.com[64.233.166.179]: <_gasca at removed.com>: Receipient Address rlx-102-d22; from=<> to=<_gasca at removed.com> proto=ESMTP helo=<py-out-1112.google.com>
Feb 27 15:35:46 interceptor3 postfix-rx/smtpd[6889]: 9EC4DE46C2: client=py-out-1112.google.com[64.233.166.179]
Feb 27 15:35:56 interceptor3 postfix-rx/smtpd[6889]: NOQUEUE: discard: RCPT from py-out-1112.google.com[64.233.166.179]: <-thompe at removed.com>: Receipient Address rzx-801-d1h; from=<> to=<-thompe at removed.com

There are about 2K rejections an hour from Google alone. Already looked into DNS poisoning. Mailer daemons due to domain spoofing hopefully is the reason. Does anyone know anything about this?

Alvaro Zuniga
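
One way to check the mailer-daemon hypothesis raised in the message above, as an added example that is not part of the original post: the script tallies Postfix `NOQUEUE` RCPT rejections per hour and client, separating null-sender (`from=<>`) bounces from ordinary mail. The sample log lines, host names and addresses are constructed, and the regex assumes the log layout shown in the post.

```python
import re
from collections import Counter

# Postfix smtpd RCPT-stage rejection line, in the layout shown in the post.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+\S+\s+"
    r"\S+/smtpd\[\d+\]:\s+NOQUEUE:\s+(?P<action>\w+):\s+RCPT from\s+"
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]:.*?\bfrom=<(?P<sender>[^>]*)>"
    r"\s+to=<(?P<rcpt>[^>]*)>"
)

# Constructed sample input (hosts, IPs and addresses are placeholders).
_REJ = ("Feb 27 {t} mx1 postfix-rx/smtpd[100]: NOQUEUE: {a}: RCPT from {h}[{ip}]: "
        "<{r}>: Recipient Address; from=<{s}> to=<{r}> proto=ESMTP helo=<{h}>")
_OUT = dict(h="out.example.net", ip="192.0.2.10", a="discard", s="")
SAMPLE = [
    "Feb 27 15:05:39 mx1 postfix-rx/smtpd[100]: connect from out.example.net[192.0.2.10]",
    _REJ.format(t="15:07:39", r="a1@example.com", **_OUT),
    _REJ.format(t="15:35:46", r="b2@example.com", **_OUT),
    _REJ.format(t="15:40:02", r="c3@example.com", a="reject",
                h="other.example.org", ip="198.51.100.7", s="x@example.org"),
    _REJ.format(t="16:01:10", r="a1@example.com", **_OUT),
    "Feb 27 16:01:20 mx1 postfix-rx/smtpd[100]: disconnect from out.example.net[192.0.2.10]",
]

def summarize(lines):
    """Tally RCPT rejections.

    Returns (bounces, others, targets): the first two are Counters keyed by
    (month, day, hour, client host); targets counts recipients of bounces.
    """
    bounces, others, targets = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # connect/disconnect/timeout lines carry no envelope
        key = (m["mon"], int(m["day"]), int(m["hour"]), m["host"])
        if m["sender"] == "":
            # Null envelope sender: a bounce/DSN, consistent with backscatter
            bounces[key] += 1
            targets[m["rcpt"]] += 1
        else:
            others[key] += 1
    return bounces, others, targets

if __name__ == "__main__":
    bounces, others, targets = summarize(SAMPLE)
    for (mon, day, hour, host), n in sorted(bounces.items()):
        print(f"{mon} {day} {hour:02d}:00 {host}: {n} null-sender rejections")
    print("most-targeted recipients:", targets.most_common(3))
```

If nearly all rejections from a large provider fall in the null-sender tally and the targeted recipients are addresses that never existed locally, the traffic is bounce messages for mail forged with the local domain rather than mail the provider originated.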


