[Tfug] Tracking down a miscreant

Ronald Sutherland ronald.sutherland at gmail.com
Sat May 31 17:05:17 MST 2008


On Sat, May 31, 2008 at 3:57 PM, John Gruenenfelder <johng at as.arizona.edu>
wrote:

> Hello all,
>
> Okay, maybe not a miscreant.  I don't think there's any ill-will here, just
> some improperly configured software.
>
> Some time ago I posted to TFUG asking for help about some bizarre Exim MTA
> error messages I was getting each day when cron.daily was processed.  I just
> couldn't figure out what was generating them.  I get three subjects daily:
>
> Subject: Cron <mail at foxstar> if [ -x /usr/sbin/exim_tidydb ]; then
>        /usr/sbin/exim_tidydb /var/spool/exim retry >/dev/null; fi
> Subject: Cron <mail at foxstar> if [ -x /usr/sbin/exim_tidydb ]; then
>        /usr/sbin/exim_tidydb /var/spool/exim wait-remote_smtp >/dev/null; fi
> Subject: Cron <root at foxstar> test -x /usr/sbin/anacron || run-parts --report
>        /etc/cron.daily
>
> With short message bodies.  From and To have my machine's name.  There's also
> a fourth one that cron.weekly seems to spit out.
>
> After spending some time with the friendly friends at #debian on IRC, one of
> them suggested looking at the message envelope and... what do you know?  My
> machine isn't making these!  D'oh!
>
> If I had been paying attention, I probably should have noticed that the
> timezone in the Date: header was off by three hours, too.  Anyway, the
> envelope contains this:
>
> Received: from 206-169-90-30.static.twtelecom.net ([206.169.90.30]
>        helo=foxstar) by foxstar.merseine.nu with esmtp (Exim 4.69)
>        (envelope-from <root at foxstar.merseine.nu>) id 1K2RM9-0003vW-EJ for
>        root at foxstar.merseine.nu; Sat, 31 May 2008 09:42:49 -0400
> Received: from root by foxstar with local (Exim 3.36 #1 (Debian))
>        id 1K2RC6-0002nG-00
>        for <root at foxstar.merseine.nu>; Sat, 31 May 2008 06:32:35 -0700
>
> So, somebody has an improperly configured Exim 3.36 with the same hostname as
> my machine.  That's fine.  But, they *also* seem to have their FQDN set the
> same as mine and so these messages leave localhost and find their way to me.
>
> It's not a company, though, just somebody on Time-Warner cable.  How might I
> track this person down?  It would seem that I can't send mail to root or mail
> because it will just end up coming back to me.
>
> I've been deleting these things for many months.  My machine was exhibiting no
> problems and I was just ignoring it.  It would be nice, though, to be able to
> tell this guy to stop nosing in on my free domain.  :)
>
>
> --
> --John Gruenenfelder    Research Assistant, UMass Amherst student
>                        Systems Manager, MKS Imaging Technology, LLC.
> Try Weasel Reader for PalmOS  --  http://weaselreader.org
> "This is the most fun I've had without being drenched in the blood
> of my enemies!"
>        --Sam of Sam & Max
>

Can you send to root at 206.169.90.30?
I've never tried to e-mail an IP address so not sure?
And:
http://en.wikipedia.org/wiki/.nu
http://www.gov.nu/
hmmm... New Zealand speaks English, right?
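
The check John describes above (reading the Received: chain and spotting a remote IP that announces helo=foxstar), as an added example that is not part of either post. The sample headers are the ones quoted in the thread (the archive writes "@" as " at "), the function names are this example's own, and the regex assumes the Exim `from <rdns> ([ip] helo=<name>) by <host>` layout shown there.

```python
import email
import ipaddress
import re

# Received: headers as quoted in the thread; Subject and body are constructed.
SAMPLE = """\
Received: from 206-169-90-30.static.twtelecom.net ([206.169.90.30]
\thelo=foxstar) by foxstar.merseine.nu with esmtp (Exim 4.69)
\t(envelope-from <root at foxstar.merseine.nu>) id 1K2RM9-0003vW-EJ for
\troot at foxstar.merseine.nu; Sat, 31 May 2008 09:42:49 -0400
Received: from root by foxstar with local (Exim 3.36 #1 (Debian))
\tid 1K2RC6-0002nG-00
\tfor <root at foxstar.merseine.nu>; Sat, 31 May 2008 06:32:35 -0700
Subject: constructed test message

body
"""

# Network hop as Exim logs it: "from <rdns> ([<ip>] helo=<name>) by <receiver>".
# Exim omits helo= when the HELO name equals the reverse-DNS name.
HOP = re.compile(r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[^\]]+)\]"
                 r"(?:\s+helo=(?P<helo>[^\s)]+))?\)\s+by\s+(?P<by>\S+)")

def parse_hops(raw):
    """Return one dict per Received: header that records an SMTP connection."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP.search(flat)
        if m:  # "with local" hops carry no peer IP and are skipped
            hops.append(m.groupdict())
    return hops

def impersonating_hops(raw):
    """Hops where a non-local peer's HELO is the receiving host's own name."""
    flagged = []
    for hop in parse_hops(raw):
        helo = (hop["helo"] or hop["rdns"]).lower().rstrip(".")
        by = hop["by"].lower().rstrip(".")
        ip = ipaddress.ip_address(hop["ip"])
        same_name = helo == by or helo == by.split(".")[0]
        if same_name and not (ip.is_loopback or ip.is_private):
            flagged.append(hop)
    return flagged
```
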