[Tfug] Tracking down a miscreant

John Gruenenfelder johng at as.arizona.edu
Sat May 31 15:57:09 MST 2008


Hello all,

Okay, maybe not a miscreant.  I don't think there's any ill-will here, just
some improperly configured software.

Some time ago I posted to TFUG asking for help about some bizarre Exim MTA
error messages I was getting each day when cron.daily was processed.  I just
couldn't figure out what was generating them.  I get three subjects daily:

Subject: Cron <mail at foxstar> if [ -x /usr/sbin/exim_tidydb ]; then
        /usr/sbin/exim_tidydb /var/spool/exim retry >/dev/null; fi
Subject: Cron <mail at foxstar> if [ -x /usr/sbin/exim_tidydb ]; then
        /usr/sbin/exim_tidydb /var/spool/exim wait-remote_smtp >/dev/null; fi
Subject: Cron <root at foxstar> test -x /usr/sbin/anacron || run-parts --report
        /etc/cron.daily

With short message bodies.  From and To have my machine's name.  There's also
a fourth one that cron.weekly seems to spit out.

After spending some time with the friendly friends at #debian on IRC, one of
them suggested looking at the message envelope and... what do you know?  My
machine isn't making these!  D'oh!

If I had been paying attention, I probably should have noticed that the
timezone in the Date: header was off by three hours, too.  Anyway, the
envelope contains this:

Received: from 206-169-90-30.static.twtelecom.net ([206.169.90.30]
        helo=foxstar) by foxstar.merseine.nu with esmtp (Exim 4.69)
        (envelope-from <root at foxstar.merseine.nu>) id 1K2RM9-0003vW-EJ for
        root at foxstar.merseine.nu; Sat, 31 May 2008 09:42:49 -0400
Received: from root by foxstar with local (Exim 3.36 #1 (Debian))
        id 1K2RC6-0002nG-00
        for <root at foxstar.merseine.nu>; Sat, 31 May 2008 06:32:35 -0700

So, somebody has an improperly configured Exim 3.36 with the same hostname as
my machine.  That's fine.  But, they *also* seem to have their FQDN set the
same as mine and so these messages leave localhost and find their way to me.

It's not a company, though, just somebody on Time-Warner cable.  How might I
track this person down?  It would seem that I can't send mail to root or mail
because it will just end up coming back to me.

I've been deleting these things for many months.  My machine was exhibiting no
problems and I was just ignoring it.  It would be nice, though, to be able to
tell this guy to stop nosing in on my free domain.  :)


-- 
--John Gruenenfelder    Research Assistant, UMass Amherst student
                        Systems Manager, MKS Imaging Technology, LLC.
Try Weasel Reader for PalmOS  --  http://weaselreader.org
"This is the most fun I've had without being drenched in the blood
of my enemies!"
        --Sam of Sam & Max
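
The envelope check described in the post, as an added example (not code from the original post): it parses the Received chain newest-first, finds the hop at which the message entered the local MTA, and flags a HELO name that claims the local hostname from an address the local host does not own, together with the time-zone discrepancy the author noticed. The sample message is constructed from the headers quoted above; the local hostname foxstar.merseine.nu comes from the post, and the local address 192.0.2.10 is a placeholder.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message built from the headers quoted in the post (body omitted).
RAW_MESSAGE = """Received: from 206-169-90-30.static.twtelecom.net ([206.169.90.30]
        helo=foxstar) by foxstar.merseine.nu with esmtp (Exim 4.69)
        (envelope-from <root@foxstar.merseine.nu>) id 1K2RM9-0003vW-EJ for
        root@foxstar.merseine.nu; Sat, 31 May 2008 09:42:49 -0400
Received: from root by foxstar with local (Exim 3.36 #1 (Debian))
        id 1K2RC6-0002nG-00
        for <root@foxstar.merseine.nu>; Sat, 31 May 2008 06:32:35 -0700
From: root@foxstar.merseine.nu
To: root@foxstar.merseine.nu
Subject: Cron <root@foxstar> test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily

(body omitted)
"""

# "from <name> ([<ip>] helo=<name>) by <host>" as Exim writes it; the parenthesised
# part is absent for local (non-SMTP) submissions such as the Exim 3.36 hop.
HOP_RE = re.compile(
    r"from (?P<from>\S+)"
    r"(?: \(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?(?: helo=(?P<helo>\S+?))?\))?"
    r" by (?P<by>\S+)")

def parse_hops(raw):
    """Return Received hops, newest first, as dicts with from/ip/helo/by/date."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold the header
        m = HOP_RE.search(flat)
        if not m:
            continue
        hop = m.groupdict()
        hop["date"] = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        hops.append(hop)
    return hops

def find_origin(raw, local_fqdn, local_ips):
    """Locate the SMTP hop that reached local_fqdn and flag a HELO that claims
    our own hostname from an address we do not own (local_ips is a set)."""
    hops = parse_hops(raw)
    entry = next(h for h in hops if h["by"] == local_fqdn and h["ip"])
    short = local_fqdn.split(".")[0]
    earlier = hops[hops.index(entry) + 1:]      # hops before the message reached us
    offsets = {h["date"].utcoffset() for h in [entry] + earlier}
    return {
        "origin_ip": entry["ip"],
        "helo": entry["helo"],
        "helo_claims_local_name": entry["helo"] in (short, local_fqdn)
                                  and entry["ip"] not in local_ips,
        "origin_mta": earlier[-1]["by"] if earlier else None,
        "tz_mismatch": len(offsets) > 1,         # remote clock in another zone
    }
```

Run against the sample, `find_origin(RAW_MESSAGE, "foxstar.merseine.nu", {"192.0.2.10"})` reports the remote address 206.169.90.30 greeting as "foxstar", the oldest hop handled by a host also named "foxstar", and two different UTC offsets in the chain.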