How common is this? Receiving mail server checks website


Post by Sapphyre » Wed Sep 04, 2013 5:55 pm

Monitoring caught these in an account's visitor log:

- - [04/Sep/2013:13:41:33 -0400] "CONNECT HTTP/1.0\\r\\n\\r\\n" 400 299 "-" "-"

- - [04/Sep/2013:13:41:47 -0400] "POST HTTP/1.0\\r\\nContent-Type: text/plain\\r\\nContent-Length: 6\\r\\n\\r\\nRSET\\r\\n" 400 299 "-" "-"

Checking for other activity from this IP, found the below - which are valid outgoing email from one of our clientele by SMTP to a couple of folks at slpipe. They accepted the mail, but is it a technical issue or misconfiguration on their end - what are they doing trying to get at port 25 on an internal IP which wouldn't work here, correct, and attempting to do this through client's website? I assume maybe that's a valid IP in their network ... or is it some way to help determine if mail is coming from a legitimate source? I haven't seen anything like this before. Thoughts?
Sep 4 11:58:06 host sendmail[22130]: r84Fs6iT020942: to=<>, delay=00:00:05, xdelay=00:00:04, mailer=esmtp, pri=129946, [], dsn=2.0.0, stat=Sent (<> Queued mail for delivery)

Sep 4 13:31:05 host sendmail[16349]: r84HRrMF015365: to=<>, delay=00:00:05, xdelay=00:00:05, mailer=esmtp, pri=129935, [], dsn=2.0.0, stat=Sent (<> Queued mail for delivery)
Oh, wait, they came 10 minutes after the second mail, so it's not spam-checking on the fly at the time a mail is received after all. Care to guess at what they're doing?
It's a crested auklet
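
Added example, not part of the original post: one way to pull requests like the two above out of a web access log, flagging the CONNECT method, a port 25 target, escaped line breaks inside the request line, and an SMTP command such as RSET. The addresses and request targets in the sample lines are constructed, since the post's own log lines have them removed, and the reason labels are this example's own names.

```python
import re

# Access-log line: host ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*?)" (?P<status>\d{3}) \S+')
# The server logs CR/LF inside a request line as the escaped text \r\n.
ESCAPED_CRLF = re.compile(r'\\+r\\+n')
# An SMTP command sitting directly after an escaped line break.
SMTP_VERB = re.compile(r'\\+r\\+n(?:HELO|EHLO|RSET|MAIL FROM|RCPT TO|DATA|QUIT)\b', re.I)
# A request target that names port 25.
PORT_25 = re.compile(r':25(?:/|$)')

def classify(request):
    """Return the reasons a logged request line looks like SMTP sent over HTTP."""
    reasons = []
    parts = request.split(None, 2)
    method = parts[0].upper() if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    if method == "CONNECT":            # tunnelling method, meant for proxies
        reasons.append("connect-method")
    if PORT_25.search(target):
        reasons.append("smtp-port-target")
    if ESCAPED_CRLF.search(request):   # headers/body packed into the request line
        reasons.append("crlf-in-request-line")
    if SMTP_VERB.search(request):
        reasons.append("smtp-verb")
    return reasons

def scan(lines):
    """Group flagged requests by client address."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = classify(m.group("request"))
        if reasons:
            hits.setdefault(m.group("host"), []).append(
                (m.group("time"), m.group("status"), reasons))
    return hits

# Constructed sample lines (documentation addresses, made-up internal target).
SAMPLE = [
    r'192.0.2.10 - - [04/Sep/2013:13:41:33 -0400] "CONNECT 10.1.2.3:25 HTTP/1.0\r\n\r\n" 400 299 "-" "-"',
    r'192.0.2.10 - - [04/Sep/2013:13:41:47 -0400] "POST http://10.1.2.3:25/ HTTP/1.0\r\nContent-Type: text/plain\r\nContent-Length: 6\r\n\r\nRSET\r\n" 400 299 "-" "-"',
    r'198.51.100.7 - - [04/Sep/2013:13:42:01 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, rows in scan(SAMPLE).items():
        for when, status, reasons in rows:
            print(host, when, status, ",".join(reasons))
```

The flagged client address can then be matched against the relay address in the sendmail log to see whether the same host also received mail from the server.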
