SMTP1 clearly took the connection.

Received: from excite.com (x-x-x-170.dsl.telesp.net.br [x.x.x.170])

This is the key... it says excite.com, but obviously isn't (unless you changed it).

This is easily done to an improperly configured mail server. Upon making the connection to the mail server, you would just say:

HELO excite.com

Lovely how there's no checking, huh? I am not sure if you can configure sendmail to do this or not, I would assume you can, but I know some servers can be set up to do a reverse lookup on the IP connecting, and then compare the two and if they don't match, reject the connection.

The only thing that really bothers me about the header that indicates something more might be up is that you don't see the HELO in there... I would have expected to see that, and I would have expected to see it on the aforementioned line. If you didn't accidentally delete it, it is possible that all of the headers are forged, which is harder to do, but is possible. If I had to guess, I would say that your mail server is set up to allow relaying (the default for older versions).

Check your /etc/mail/sendmail.cf for:

Fw/etc/mail/local-host-names


and

FR-o /etc/mail/relay-domains


Then check those filenames. On all the boxes I have set up, I don't have relay-domains set, so there isn't anyone who should be able to use my server this way. Your needs may vary. The local-host-names file will allow the machine itself to send the mail. When you combine this with relay-domains, it shouldn't allow anyone to do this anymore...



/nebulus
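Added example, not part of nebulus's post or of sendmail: a small Python script that does the HELO-versus-reverse-lookup comparison described above, both at connection time (check_helo) and after the fact on a "Received: from HELO (rdns [ip])" line as sendmail writes it (audit_received). It goes one step past the post's check by also requiring the HELO name to resolve forward to the connecting IP, so a client cannot pass just by picking a PTR name it controls. The DNS data, hostnames and addresses in it are constructed (TEST-NET ranges), not real records for excite.com or telesp.net.br; the masked x.x.x.170 from the original header is replaced by a made-up address of the same shape.

```python
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# sendmail records the connecting host as "from <HELO name> (<reverse DNS> [<ip>])".
# The HELO name is whatever the client typed; only the part in parentheses comes
# from the server's own reverse lookup of the connecting address.
RECEIVED_RE = re.compile(
    r"(?:Received:\s*)?from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
)

# Resolver interface: ptr(ip) -> reverse name or None; a(name) -> list of addresses.
PtrLookup = Callable[[str], Optional[str]]
ALookup = Callable[[str], List[str]]


def parse_received(header: str) -> Optional[Dict[str, Optional[str]]]:
    """Pull HELO name, reverse-DNS name and IP out of one Received: line."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return {"helo": m.group("helo"), "rdns": m.group("rdns"), "ip": m.group("ip")}


def _norm(name: Optional[str]) -> str:
    return (name or "").lower().rstrip(".")


def check_helo(helo: str, ip: str, ptr: PtrLookup, a: ALookup) -> Tuple[str, str]:
    """Accept or reject a connection by comparing HELO with the reverse lookup.

    Step 1 and 2 are the policy from the post: reverse-resolve the connecting
    IP and reject if it does not match the HELO name. Step 3 is the extra
    forward-confirmation check described in the lead-in.
    """
    rdns = ptr(ip)
    if rdns is None:
        return "reject", f"{ip} has no reverse DNS"
    if _norm(rdns) != _norm(helo):
        return "reject", f"HELO {helo} does not match reverse lookup {rdns}"
    if ip not in a(helo):
        return "reject", f"HELO {helo} does not resolve back to {ip}"
    return "accept", f"HELO {helo} confirmed by forward and reverse DNS"


def audit_received(header: str, ptr: PtrLookup, a: ALookup) -> Tuple[str, str]:
    """Apply check_helo to a Received: line pulled from a delivered message."""
    parsed = parse_received(header)
    if parsed is None:
        return "unknown", "could not parse Received: line"
    return check_helo(parsed["helo"], parsed["ip"], ptr, a)


# Constructed DNS data so the script runs offline; hypothetical names and
# addresses, not real records for any of these domains.
FAKE_PTR = {
    "203.0.113.170": "203-0-113-170.dsl.telesp.net.br",
    "198.51.100.25": "smtp.example.org",
}
FAKE_A = {
    "203-0-113-170.dsl.telesp.net.br": ["203.0.113.170"],
    "smtp.example.org": ["198.51.100.25"],
    "excite.com": ["192.0.2.10"],
}


def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_a(name: str) -> List[str]:
    return FAKE_A.get(_norm(name), [])


# Same shape as the header in the post, with a constructed address in place of x.x.x.170.
FORGED = "Received: from excite.com (203-0-113-170.dsl.telesp.net.br [203.0.113.170])"
HONEST = "Received: from smtp.example.org (smtp.example.org [198.51.100.25])"


def system_lookups() -> Tuple[PtrLookup, ALookup]:
    """Real resolvers built on the standard library, for running against live DNS."""
    def ptr(ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:  # covers socket.herror and socket.gaierror
            return None

    def a(name: str) -> List[str]:
        try:
            return socket.gethostbyname_ex(name)[2]
        except OSError:
            return []

    return ptr, a


if __name__ == "__main__":
    for line in (FORGED, HONEST):
        verdict, why = audit_received(line, fake_ptr, fake_a)
        print(f"{verdict:7} {why}")
```

Swap fake_ptr/fake_a for the pair returned by system_lookups() to run it against real headers. Note that the forward check rejects legitimate senders whose HELO name simply lacks a matching A record, which is common on small sites; that is the trade-off the post alludes to with "your needs may vary".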