On 19 Oct 2006, at 17:00, B. Cook wrote:

> Hello,
>
> I've started seeing a lot of this, and I'm not sure why they are being
> terminated at the helo/ehlo check as I try and do everything at
> rcpt time..
>
> the 84.174.86.75 host is listed in spamhaus (xbl-sbl) and would get
> caught in a different part of the config and be denied by that.. but
> instead b/c they are being dropped at helo, they have to get caught in
> the ratelimit checks and denied that way.. (if that makes sense..) how
> can I allow them to continue on in their conversation, so as to find out
> who they are trying to come from or send to and then disconnect them.
> Again if that makes sense..
>
> I guess what I'm looking for is if I have acl_check_helo to accept,
> why did it get denied?
>
> exim -bP | grep helo
> acl_smtp_helo = acl_check_helo
> helo_accept_junk_hosts =
helo_accept_junk_hosts=84.174.86.75

Should do the trick. But I must say I don't really understand why you want to; better just block the IP at connect. <see below>

> helo_allow_chars =
> helo_lookup_domains = @ : @[]
> helo_try_verify_hosts =
> helo_verify_hosts =
>
> 2006-10-19 09:41:08 SMTP connection from [84.174.86.75]:4226
> I=[1.2.3.4]:25 (TCP/IP connection count = 14)
> 2006-10-19 09:41:09 rejected EHLO from [84.174.86.75]:4226
> I=[1.2.3.4]:25: syntactically invalid argument(s):
> |http://mail.oldartero.com:8888/cgi-bin/put

WARNING!! This is not just a URL, as Nigel points out.
Look, it is a pipe and a URL to a CGI script. This is clearly an attempt to break something and gain some sort of unauthorised access. I am not saying that Exim is vulnerable to this kind of attack, but it looks like an attack, so I would strongly discourage you from letting it any further into your system.
AND I would recommend that you block that IP at connect or, even better, on the firewall.

> 2006-10-19 09:41:10 rejected HELO from [84.174.86.75]:4226
> I=[1.2.3.4]:25: syntactically invalid argument(s):
> |http://mail.oldartero.com:8888/cgi-bin/put
> 2006-10-19 09:41:10 SMTP call from [84.174.86.75]:4226 I=[1.2.3.4]:25
> dropped: too many syntax or protocol errors (last command was "HELO
> |http://mail.oldartero.com:8888/cgi-bin/put")
>
> ###
> ### START ACL HELO ###
> ###
> acl_check_helo:
>   accept
>
> ###
> ### START ACL RCPT
> ###
> acl_check_rcpt:
>
> ...
>
>   # helo check
>   drop message = sorry, that helo looks like an ip address $sender_helo_name
>        condition = ${if isip {$sender_helo_name}{true}{false}}
>        log_message = IP HELO
>
>   drop message = sorry, that helo looks forged $sender_helo_name
>        condition = ${lookup {${lc:$sender_helo_name}} \
>                      cdb{EXIM_DIR/cdb/forged_helos.cdb}{yes} \
>                      {${lookup {${lc:$sender_helo_name}} \
>                        cdb{EXIM_DIR/cdb/rcpthosts.cdb}{yes}{no}}}}
>        log_message = Forged HELO
>   # end helo checks
>
> I would also be ok with "don't worry about it, it's fine.."
> :)
>
> Thanks in advance..
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
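The thread's question comes down to ordering: Exim checks the syntax of the HELO/EHLO argument before acl_smtp_helo is ever run, and only hosts matching helo_accept_junk_hosts skip that check, which is why an ACL that simply says "accept" never saw this connection. The following Python is an added example, not code from the thread or from Exim. It re-joins the log lines quoted above into single lines (constructed sample input), parses the "rejected HELO/EHLO ... syntactically invalid argument(s)" entries, classifies each HELO argument with an approximation of the two checks discussed (Exim's hostname-or-address-literal syntax rule and the poster's "looks like an ip address" condition, modelled here with Python's ipaddress module rather than Exim's isip), and lists the peers whose argument carries shell metacharacters such as the leading "|", which is the kind of input you never want reaching a ${run ...} expansion or an unquoted log line. The regex, the metacharacter set and the function names are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample input: the thread's log excerpt with the mailer's
# line wrapping undone, so each Exim log entry is one line again.
SAMPLE_LOG = """\
2006-10-19 09:41:08 SMTP connection from [84.174.86.75]:4226 I=[1.2.3.4]:25 (TCP/IP connection count = 14)
2006-10-19 09:41:09 rejected EHLO from [84.174.86.75]:4226 I=[1.2.3.4]:25: syntactically invalid argument(s): |http://mail.oldartero.com:8888/cgi-bin/put
2006-10-19 09:41:10 rejected HELO from [84.174.86.75]:4226 I=[1.2.3.4]:25: syntactically invalid argument(s): |http://mail.oldartero.com:8888/cgi-bin/put
2006-10-19 09:41:10 SMTP call from [84.174.86.75]:4226 I=[1.2.3.4]:25 dropped: too many syntax or protocol errors (last command was "HELO |http://mail.oldartero.com:8888/cgi-bin/put")
"""

# Assumed pattern for Exim's "rejected HELO/EHLO" syntax-failure line,
# written from the entries above rather than from Exim's source.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rejected (?P<verb>EHLO|HELO) from \[(?P<ip>[^\]]+)\]:(?P<port>\d+) "
    r"I=\[(?P<local>[^\]]+)\]:\d+: syntactically invalid argument\(s\): (?P<arg>.*)$"
)

# Characters that can never appear in a valid HELO hostname and that matter
# if the argument is ever handed to a shell or spliced into a command line.
SHELL_META = set("|;&$`<>()\"'\\ ")

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen.
HOST_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def classify_helo(arg: str) -> str:
    """Approximate the two checks in the thread.

    'invalid'          fails the hostname / [address-literal] syntax rule
                       (what Exim rejects before the HELO ACL runs)
    'address-literal'  a bracketed IPv4 or IPv6 literal, syntactically fine
    'bare-ip'          passes the syntax rule but is a dotted quad, i.e. what
                       the poster's '${if isip ...}' drop catches at RCPT time
    'hostname'         an ordinary domain name
    """
    if not arg:
        return "invalid"
    if arg[0] == "[":
        if not arg.endswith("]"):
            return "invalid"
        literal = arg[1:-1]
        if literal.upper().startswith("IPV6:"):
            literal = literal[5:]
        try:
            ipaddress.ip_address(literal)
        except ValueError:
            return "invalid"
        return "address-literal"
    if any(ch in SHELL_META for ch in arg):
        return "invalid"
    if not all(HOST_LABEL_RE.match(label) for label in arg.split(".")):
        return "invalid"
    try:
        ipaddress.ip_address(arg)
        return "bare-ip"
    except ValueError:
        return "hostname"


def parse_rejections(log_text: str) -> list:
    """Return one record per syntax-rejected HELO/EHLO line in log_text."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["class"] = classify_helo(rec["arg"])
        rec["shell_meta"] = sorted(ch for ch in set(rec["arg"]) if ch in SHELL_META)
        records.append(rec)
    return records


def hosts_to_block(records: list) -> list:
    """Peers whose rejected HELO argument contained shell metacharacters:
    candidates for a connect-time or firewall block, per the reply above."""
    return sorted({r["ip"] for r in records if r["shell_meta"]})


if __name__ == "__main__":
    recs = parse_rejections(SAMPLE_LOG)
    for r in recs:
        print(f'{r["ts"]} {r["ip"]} {r["verb"]} {r["class"]} meta={r["shell_meta"]} arg={r["arg"]!r}')
    print("block:", hosts_to_block(recs))
```

Running it over the constructed sample yields two rejection records for 84.174.86.75, both classified "invalid" with the pipe as the offending metacharacter, so that address ends up in the block list; feeding the same classifier "1.2.3.4" gives "bare-ip", which is the case the poster's RCPT-time ACL is written for and which Exim's syntax check alone does not stop.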
