OSEC

Re: [OT] Gmail Backscatter?

From: Mike Morris (mikeopennix.com)
Date: Wed Mar 19 2008 - 11:59:34 CDT


On 03/19/2008 09:30 AM, Terry Carmen wrote:
> Mike Morris wrote:
>> Hi Everyone,
>>
>> I realize this is off topic for this list, but I'm hoping someone has
>> some insight into the issue we're seeing on our MX servers.
>>
>> Remote email servers matching the pattern
>> [a-z]{2}-out-[0-9]{4}\.google\.com are attempting to deliver to a high
>> number of non-existent email addresses in our system. More correctly,
>> the percentage of attempted deliveries to non-existent email addresses
>> is quite high. Roughly 75% of the email traffic from these Google.com
>> servers consists of a null envelope sender address with a non-existent
>> envelope recipient. In my experience this generally means backscatter
>> or possibly SAV probes. Our MX servers properly reject messages to
>> non-existent users, so that is not the problem. Still, the traffic is
>> high enough to take notice.
>>
>> This appears to have begun in December of 2007. The number of
>> attempts to non-existent addresses and the number of source email
>> servers increased significantly sometime in February, by a few orders
>> of magnitude.
>>
>> Does anyone know what Google may be doing here? Could this have
>> anything to do with Google's acquisition of Postini? We're still
>> getting traffic from servers with the old Postini host names, like
>> *.obsmtp.com, so it doesn't look like those services have been
>> converted to use host names in the google.com domain. Attempts to
>> contact Google have thus far gone unanswered. Any insight would be
>> appreciated.
> Post some maillog entries, including the IP addresses.
>
> Anybody can say they're "whatever.google.com". What they say is
> irrelevant. What matters is the reverse DNS lookup, and whois info for
> the IP address.
>
> Terry
>

Sorry for not being more clear. When I said "Remote email servers
matching the pattern [a-z]{2}-out-[0-9]{4}\.google\.com...", I never
made it clear that the PTR records for the remote email servers are what
match that pattern and a whois lookup of the IP addresses lists Google
Inc. as the organization name. Not that you have any reason to believe
me, so here are some log entries with only recipient domains altered:

Mar 18 20:39:41 mx1 postfix/smtpd[17875]: NOQUEUE: reject: RCPT from
an-out-0708.google.com[209.85.132.247]: 550 5.1.1
<StuartalumPageexample.com>: Recipient address rejected: User unknown;
from=<> to=<StuartalumPageexample.com> proto=ESMTP
helo=<an-out-0708.google.com>

Mar 18 21:03:08 mx1 postfix/smtpd[18452]: NOQUEUE: reject: RCPT from
hs-out-0708.google.com[64.233.178.251]: 550 5.1.1
<VicentebutyricSawyerexample.com>: Recipient address rejected: User
unknown; from=<> to=<VicentebutyricSawyerexample.com> proto=ESMTP
helo=<hs-out-0708.google.com>

Mar 18 21:09:13 mx1 postfix/smtpd[18561]: NOQUEUE: reject: RCPT from
wx-out-0506.google.com[66.249.82.228]: 550 5.1.1
<DanaitalianCurryexample.com>: Recipient address rejected: User
unknown; from=<> to=<DanaitalianCurryexample.com> proto=ESMTP
helo=<wx-out-0506.google.com>

These are definitely Google servers.

Thanks,

Mike
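As an added example (not part of the original thread), here is the kind of check the post describes, run over constructed Postfix log lines: it parses smtpd "User unknown" RCPT rejects, groups them by sending host (matching the `[a-z]{2}-out-[0-9]{4}\.google\.com` PTR pattern from the post versus everything else), and reports how many carried a null envelope sender, the backscatter/SAV-probe signature. The hostnames and IPs are taken from the post's log entries; the recipient addresses and the non-Google line are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the Postfix rejects quoted in the post.
# Recipient addresses and the last (non-Google) line are made up for the demo.
SAMPLE_LOG = """\
Mar 18 20:39:41 mx1 postfix/smtpd[17875]: NOQUEUE: reject: RCPT from an-out-0708.google.com[209.85.132.247]: 550 5.1.1 <a@example.com>: Recipient address rejected: User unknown; from=<> to=<a@example.com> proto=ESMTP helo=<an-out-0708.google.com>
Mar 18 21:03:08 mx1 postfix/smtpd[18452]: NOQUEUE: reject: RCPT from hs-out-0708.google.com[64.233.178.251]: 550 5.1.1 <b@example.com>: Recipient address rejected: User unknown; from=<> to=<b@example.com> proto=ESMTP helo=<hs-out-0708.google.com>
Mar 18 21:05:00 mx1 postfix/smtpd[18460]: NOQUEUE: reject: RCPT from hs-out-0708.google.com[64.233.178.251]: 550 5.1.1 <c@example.com>: Recipient address rejected: User unknown; from=<someone@gmail.com> to=<c@example.com> proto=ESMTP helo=<hs-out-0708.google.com>
Mar 18 21:09:13 mx1 postfix/smtpd[18561]: NOQUEUE: reject: RCPT from wx-out-0506.google.com[66.249.82.228]: 550 5.1.1 <d@example.com>: Recipient address rejected: User unknown; from=<> to=<d@example.com> proto=ESMTP helo=<wx-out-0506.google.com>
Mar 18 21:10:00 mx1 postfix/smtpd[18570]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 550 5.1.1 <e@example.com>: Recipient address rejected: User unknown; from=<> to=<e@example.com> proto=ESMTP helo=<mail.example.net>
"""

# One Postfix smtpd "User unknown" RCPT reject: the host Postfix logs is the
# PTR name of the connecting IP, so it is what the reply in the thread asks for.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>\S+)\[(?P<ip>[0-9.]+)\]: 550 5\.1\.1 .*?User unknown; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
# The PTR pattern the original post describes.
GOOGLE_OUT_RE = re.compile(r"^[a-z]{2}-out-[0-9]{4}\.google\.com$")


def parse_rejects(log_text):
    """Yield a dict (host, ip, sender, rcpt) for every unknown-user reject."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.groupdict()


def null_sender_stats(log_text, host_pattern=GOOGLE_OUT_RE):
    """Per matching host: unknown-user rejects, and how many had from=<>.
    Null sender + nonexistent recipient is the backscatter / SAV-probe
    signature the post describes. Non-matching hosts are pooled as 'other'."""
    stats = defaultdict(lambda: {"rejects": 0, "null_sender": 0})
    for r in parse_rejects(log_text):
        key = r["host"] if host_pattern.match(r["host"]) else "other"
        stats[key]["rejects"] += 1
        if r["sender"] == "":
            stats[key]["null_sender"] += 1
    return dict(stats)


def null_sender_ratio(log_text, host_pattern=GOOGLE_OUT_RE):
    """Fraction of matching-host rejects that carried a null envelope sender."""
    matched = [r for r in parse_rejects(log_text) if host_pattern.match(r["host"])]
    if not matched:
        return 0.0
    return sum(1 for r in matched if r["sender"] == "") / len(matched)
```

On a real mail log, feed it `open("/var/log/mail.log").read()` and watch the ratio per host over time; a sustained value near 1.0 from a sender is the pattern the post reports, and the rejects themselves are already the correct mitigation.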