Re: Excess SMTP traffic to non-mail host

From: Chris Wilkes (cwilkes@ladro.com)
Date: 03/27/02


Date: Wed, 27 Mar 2002 08:56:37 -0800
From: Chris Wilkes <cwilkes@ladro.com>
To: incidents@securityfocus.com

On Wed, Mar 27, 2002 at 12:10:39PM -0000, Basil Hussain wrote:
>
> Has anyone any clues what's going on here? Misconfigured remote mail hosts?
> Missing MX records somewhere out there? DDoS against mail hosts?

To see if it is a wacky MX record out there you could install a minimal
SMTP server config that doesn't actually do anything beyond taking in
the email and recording who it was set To:.

You could do this by installing your favorite mail server and setting it
up to not accept any domain's email. You'll get the info up to the To:
which is what you want to look at.

I had a problem with an errant DNS record pointing to my new set of IP
addresses. I kept on getting web requests for some /manual/... pages which I
knew I didn't have. I modified Apache's logging so that it would print
out the exact host it was trying to go to (in a nutshell I made the 404
return go to a cgi script which dumped Apache's environment variables so
I could pick out %HTTP_HOST) and found the offending name. Contacted the
admin and worked it out.

Chris
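As an added example (not part of Chris's post or any mail server's own code), the following Python script is the kind of throwaway SMTP "sink" the post describes: it records HELO, MAIL FROM and every RCPT TO it is offered, refuses each recipient with a 550 so no message is ever accepted, and tallies the recipient domains so you can see which hostname the remote MTAs believe you are. The hostname `sink.example`, the port 2525 and the session lines in the test are constructed values, not anything from the list thread.

```python
# Added example (not from the original post): a diagnostic SMTP sink that
# records the envelope and rejects every recipient, so it never accepts mail.
import re
import socketserver
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_path(arg: str) -> str:
    """Extract the address from 'FROM:<a@b>' / 'TO: <c@d>' style arguments."""
    m = ADDR_RE.search(arg)
    if m:
        return m.group(1)
    # Tolerate the non-bracketed form some senders use: "FROM:a@b"
    return arg.partition(":")[2].strip()


@dataclass
class Envelope:
    peer: str
    helo: Optional[str] = None
    mail_from: Optional[str] = None
    rcpt_to: List[str] = field(default_factory=list)


class SinkSession:
    """One SMTP conversation: record the envelope, refuse the recipients."""
    HOSTNAME = "sink.example"  # constructed name; use your diagnostic host

    def __init__(self, peer: str):
        self.env = Envelope(peer=peer)
        self.closed = False

    def greeting(self) -> str:
        return f"220 {self.HOSTNAME} ESMTP diagnostic sink\r\n"

    def respond(self, line: str) -> str:
        verb, _, arg = line.strip("\r\n").partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            self.env.helo = arg
            return f"250 {self.HOSTNAME}\r\n"
        if verb == "MAIL":
            self.env.mail_from = parse_path(arg)
            return "250 2.1.0 Ok\r\n"
        if verb == "RCPT":
            # Record the recipient first, then refuse: we host no domain.
            self.env.rcpt_to.append(parse_path(arg))
            return "550 5.7.1 Relaying denied\r\n"
        if verb == "DATA":
            return "503 5.5.1 No valid recipients\r\n"
        if verb in ("RSET", "NOOP"):
            return "250 2.0.0 Ok\r\n"
        if verb == "QUIT":
            self.closed = True
            return "221 2.0.0 Bye\r\n"
        return "502 5.5.2 Command not implemented\r\n"


def run_session(peer: str, client_lines: Iterable[str]) -> Tuple[List[str], Envelope]:
    """Replay a client's command lines offline; returns replies and the envelope."""
    session = SinkSession(peer)
    replies = [session.greeting()]
    for line in client_lines:
        replies.append(session.respond(line))
        if session.closed:
            break
    return replies, session.env


def recipient_domains(envelopes: Iterable[Envelope]) -> Counter:
    """Tally the domains remote MTAs tried to deliver to: the stale name(s)."""
    counts: Counter = Counter()
    for env in envelopes:
        for addr in env.rcpt_to:
            counts[addr.rpartition("@")[2].lower()] += 1
    return counts


class SinkHandler(socketserver.StreamRequestHandler):
    def handle(self):
        peer = self.client_address[0]
        session = SinkSession(peer)
        self.wfile.write(session.greeting().encode())
        while not session.closed:
            raw = self.rfile.readline()
            if not raw:
                break
            self.wfile.write(session.respond(raw.decode("latin-1")).encode())
        e = session.env
        print(f"{peer} helo={e.helo!r} from={e.mail_from!r} to={e.rcpt_to!r}")


if __name__ == "__main__":
    # Listen on an unprivileged port; forward tcp/25 here for the test window.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2525), SinkHandler) as srv:
        srv.serve_forever()
```

Run it in place of the real listener for a short window, then feed the printed lines to `recipient_domains`: the domain that dominates the tally is the name whose MX or A record still points at your address, which is exactly what you need when contacting the other admin.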

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com