<i18n dev> more Oracle MX troubles

Tom Christiansen tchrist at perl.com
Fri Jan 21 12:19:29 PST 2011 

I've just cleared still more dynamic blacklist entry for Oracle's MX
servers, including rcsinet11.oracle.com  [148.87.113.123].  If someone
from within Oracle could please send me mail, I'd like to test that 
the way here is truly cleared again.


This is happening because you have a compromised machine within Oracle
that is using your outbound MX to deliver spam from; see the appended
tracelog below by signature.

I believe Alan Bateman sent me mail, but it never got here.  He was only
greylisted, not blacklisted, but his MTA "hung up the phone" and has not
yet called back:

    Jan 21 08:53:06 chthon spamd[4395]: 148.87.113.121: connected (37/34)
    Jan 21 08:53:23 chthon spamd[4395]: (GREY) 148.87.113.121: <Alan.Bateman at oracle.com> -> <tchrist at perl.com>
    Jan 21 08:53:27 chthon spamd[4395]: 148.87.113.121: disconnected after 21 seconds.

As I said, I have manually whitelisted some of these now.  However, I do
not know what all of Oracle's outbound MX IPs are, and from Alan's (failed)
mail delivery attempt I can tell that there are some that are *not* the
same as the inbound MX IPs, as revealed by:

    $ nslookup -q=mx oracle.com u-ns1.oracle.com.
    Server:         u-ns1.oracle.com.
    Address:        204.74.108.1#53

    oracle.com      mail exchanger = 200 acsinet11.oracle.com.
    oracle.com      mail exchanger = 200 rcsinet12.oracle.com.
    oracle.com      mail exchanger = 200 rcsinet11.oracle.com.
    oracle.com      mail exchanger = 200 acsinet12.oracle.com.

I can clear out more if you could but tell me what they are.  However,
there are still two problems:

 1. Legitimate outbound MX servers need to be more patient (you
    can't hang up the phone after only a few seconds) and more compliant 
    (you must call back on status 451 EX_TEMPFAIL per the spec).

 2. Because you have several compromised outbound MX servers within 
    Oracle, by whitelisting these compromised hosts, I have incurred
    a significant load on my machine as it goes through the trouble
    of accepting all the spam that you're spewing.  I wish you would
    fix your system not to allow spammers to use you this way!!

--tom

 [ This is output from the OpenBSD spamd(8) greylister; all times UTC-0700=MST ]

    Jan 21 08:53:27 chthon spamd[4395]: 148.87.113.121: disconnected after 21 seconds.
    Jan 21 08:53:23 chthon spamd[4395]: (GREY) 148.87.113.121: <Alan.Bateman at oracle.com> -> <tchrist at perl.com>
    Jan 21 08:53:06 chthon spamd[4395]: 148.87.113.121: connected (37/34)
    Jan 21 00:03:06 chthon spamd[4395]: 148.87.113.124: disconnected after 395 seconds. lists: spamd-greytrap
    Jan 21 00:01:55 chthon spamd[4395]: 148.87.113.124: Subject: Email attachment rejected by MM
    Jan 21 00:01:55 chthon spamd[4395]: 148.87.113.124: To: bush at mox.perl.com
    Jan 21 00:01:55 chthon spamd[4395]: 148.87.113.124: From: no-reply at oracle.com
    Jan 21 00:00:00 chthon spamd[4395]: (BLACK) 148.87.113.124: <no-reply at oracle.com> -> <bush at mox.perl.com>
    Jan 20 23:56:33 chthon spamd[4395]: 141.146.126.233: disconnected after 12 seconds.
    Jan 20 23:56:32 chthon spamd[4395]: (GREY) 141.146.126.233: <no-reply at oracle.com> -> <bush at mox.perl.com>
    Jan 20 23:56:32 chthon spamd[4395]: 141.146.126.234: disconnected after 12 seconds.
    Jan 20 23:56:32 chthon spamd[4395]: (GREY) 141.146.126.234: <no-reply at oracle.com> -> <bush at mox.perl.com>
    Jan 20 23:56:31 chthon spamd[4395]: 148.87.113.124: connected (33/30), lists: spamd-greytrap
    Jan 20 23:56:28 chthon spamd[4395]: 148.87.113.123: disconnected after 12 seconds.
    Jan 20 23:56:28 chthon spamd[4395]: (GREY) 148.87.113.123: <no-reply at oracle.com> -> <bush at mox.perl.com>
    Jan 20 23:56:21 chthon spamd[4395]: 141.146.126.233: connected (35/30)
    Jan 20 23:56:20 chthon spamd[4395]: 141.146.126.234: connected (34/30)
    Jan 20 23:56:16 chthon spamd[4395]: 148.87.113.123: connected (33/30)
    Jan 20 19:53:23 chthon spamd[4395]: 148.87.113.124: disconnected after 377 seconds. lists: spamd-greytrap
    Jan 20 19:52:17 chthon spamd[4395]: 148.87.113.124: Subject: Email attachment rejected by MM
    Jan 20 19:52:17 chthon spamd[4395]: 148.87.113.124: To: grassie at perl.com
    Jan 20 19:52:17 chthon spamd[4395]: 148.87.113.124: From: no-reply at oracle.com
    Jan 20 19:50:33 chthon spamd[4395]: (BLACK) 148.87.113.124: <no-reply at oracle.com> -> <grassie at perl.com>
    Jan 20 19:50:13 chthon spamd[4395]: 141.146.126.233: disconnected after 13 seconds.
    Jan 20 19:50:13 chthon spamd[4395]: (GREY) 141.146.126.233: <no-reply at oracle.com> -> <grassie at perl.com>
    Jan 20 19:50:00 chthon spamd[4395]: 141.146.126.233: connected (27/26)
    Jan 20 19:47:06 chthon spamd[4395]: 148.87.113.124: connected (24/24), lists: spamd-greytrap
    Jan 20 19:45:34 chthon spamd[4395]: 148.87.113.123: disconnected after 12 seconds.
    Jan 20 19:45:34 chthon spamd[4395]: (GREY) 148.87.113.123: <no-reply at oracle.com> -> <grassie at perl.com>
    Jan 20 19:45:22 chthon spamd[4395]: 148.87.113.123: connected (27/26)
    Jan 20 19:44:19 chthon spamd[4395]: 141.146.126.234: disconnected after 13 seconds.
    Jan 20 19:44:19 chthon spamd[4395]: (GREY) 141.146.126.234: <no-reply at oracle.com> -> <grassie at perl.com>
    Jan 20 19:44:06 chthon spamd[4395]: 141.146.126.234: connected (29/28)

More information about the i18n-dev mailing list