On Thu, 29 Dec 2005, Bill wrote:

> 2005-12-28 16:51:08 no IP address found for host
> smtp05.dc2.safesecureweb.com (during SMTP connection from
> (81.161.250.78) [81.161.250.78])
>
> 2005-12-28 16:51:08 H=(81.161.250.78) [81.161.250.78]
> F=<[EMAIL PROTECTED]> rejected RCPT
> <[EMAIL PROTECTED]>: Unrestricted relaying not
> permitted

Something is provoking your exim into attempting to look up the name
smtp05.dc2.safesecureweb.com in the early stages of the transaction
from IP 81.161.250.78. Could it be that these abusers are trying to
present that domain in the HELO/EHLO, and your exim configuration
causes it to be verified?

If I attempt to look up smtp05.dc2.safesecureweb.com from here:

  $ host smtp05.dc2.safesecureweb.com
  Host smtp05.dc2.safesecureweb.com not found: 3(NXDOMAIN)

so the report seems to be correct; the specific puzzle is what's
prompting exim to attempt the lookup.

[Btw: if I attempt to look up the PTR record of 81.161.250.78 from
here, then after a brief delay I get the answer
FDIBA10100-2.tu-sofia.bg. which also looks up the other way. Your
logging shows no sign of this name. However, that's probably a
side-issue: the question whether exim would attempt to verify that
both-ways lookup depends on your configuration setting. I'd expect to
see the name in our logs, but your configuration is probably
different.]

See also http://cbl.abuseat.org/lookup.cgi?ip=81.161.250.78

I would block the whole IP range or hostname pattern: it doesn't look
like anything that has any business to be presenting itself on the
Internet as a bona fide MTA.

good luck

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
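
Added example, not part of the original post: the both-ways (PTR, then forward) lookup described in the bracketed aside, written as a small Python check with replaceable resolver functions. The function names and the lookup tables are assumptions made for illustration; the first table entry mirrors the answer quoted in the post and the other entries are constructed test data.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver; [] when there is none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name, *aliases]

def system_forward(name):
    """Addresses for name from the system resolver; [] on NXDOMAIN."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def fcrdns(ip, ptr=system_ptr, forward=system_forward):
    """Return (status, name): 'confirmed', 'unconfirmed' or 'no-ptr'."""
    target = ipaddress.ip_address(ip)
    names = ptr(ip)
    if not names:
        return ("no-ptr", None)
    for name in names:
        for addr in forward(name):
            try:
                if ipaddress.ip_address(addr) == target:
                    return ("confirmed", name.rstrip(".").lower())
            except ValueError:  # e.g. scoped IPv6 literal from the resolver
                continue
    return ("unconfirmed", None)

# Constructed lookup tables so the example runs offline. The first entry
# mirrors the answer quoted in the post; the rest are made-up test data.
SAMPLE_PTR = {"81.161.250.78": ["FDIBA10100-2.tu-sofia.bg."],
              "192.0.2.10": ["mail.example.net."]}
SAMPLE_A = {"fdiba10100-2.tu-sofia.bg": ["81.161.250.78"],
            "mail.example.net": ["192.0.2.99"]}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_forward(name):
    return SAMPLE_A.get(name.rstrip(".").lower(), [])

if __name__ == "__main__":
    for ip in ("81.161.250.78", "192.0.2.10", "198.51.100.7"):
        print(ip, fcrdns(ip, sample_ptr, sample_forward))
```

Calling fcrdns(ip) with the default arguments uses the system resolver instead of the tables.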
