On Wednesday, July 25, 2012 07:05:04, Dr Andrew C Aitchison wrote:
> On Wed, 25 Jul 2012, Chris Knadle wrote:
> > What I don't understand about this particular situation is that the IP
> > address of the attacker is in the RFC 1918 private IP address range
> > (192.168.x.x) which would make it seem like the attacker is on the local
> > LAN (or via VPN).
> >
> >> 2012-07-25 07:09:11 no IP address found for host
> >> static-216-214-153-238.isp.broadviewnet.net (during SMTP connection
> >> from [216.214.153.238]) 2012-07-25 07:09:11 plain authenticator failed
> >> for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication
> >> data (set_id=aidan)
>
> Maybe I'm misreading the logs, but isn't 192.168.0.232
> the HELO/EHLO address ?

No, you're right -- I misread this to begin with because I missed the [] inside
of the () and also made the mistake of not reading the next line due to the
word wrap. [I'm so used to reading "long line" Exim4 logs that unconsciously
these seemed to be out-of-place. Ugh.]

> In which case the rogue machine is on a private network belonging
> to a broadviewnet customer and somewhere behind 216.214.153.238 ?

AFAIK the 216.214.153.238 is an internet-routable (i.e. public) address.

-- Chris

-- 
Chris Knadle
[email protected]

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
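The confusion in this thread comes from the layout of Exim's "authenticator failed" line: the HELO/EHLO argument sits in parentheses (here an address literal, "[192.168.0.232]") and the real peer address follows in square brackets ("[216.214.153.238]"). The parser below is an added example for readers of the thread, not code from the list, from Exim, or from either poster; it extracts the two fields separately so the HELO value is never mistaken for the connecting host, classifies each as RFC 1918 private or public, and counts failures per peer as a simple detection input. The three sample log lines are constructed: the first two mirror the lines quoted above, the third is an invented variant with a resolved reverse-DNS name in front of the HELO, which Exim also emits.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in Exim main-log style (not a real capture).
SAMPLE_LOG = """\
2012-07-25 07:09:11 no IP address found for host static-216-214-153-238.isp.broadviewnet.net (during SMTP connection from [216.214.153.238])
2012-07-25 07:09:11 plain authenticator failed for ([192.168.0.232]) [216.214.153.238]: 535 Incorrect authentication data (set_id=aidan)
2012-07-25 07:09:15 login authenticator failed for mail.example.invalid (mail.example.invalid) [198.51.100.7]: 535 Incorrect authentication data (set_id=bob)
"""

# Exim writes: "<auth> authenticator failed for [rdns ](helo) [peer]: <code> <msg>[ (set_id=user)]".
# The optional reverse-DNS name precedes the parenthesised HELO; the peer address
# is always the bracketed token immediately before the colon.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<auth>\S+) authenticator failed for "
    r"(?:(?P<rdns>\S+) )?"          # optional reverse-DNS name
    r"\((?P<helo>[^)]*)\) "         # HELO/EHLO argument, may itself be "[a.b.c.d]"
    r"\[(?P<peer>[^\]]+)\]: "       # real TCP peer address
    r"(?P<code>\d{3}) (?P<msg>.*?)"
    r"(?: \(set_id=(?P<user>[^)]*)\))?$"
)


@dataclass
class AuthFailure:
    timestamp: str
    authenticator: str
    rdns: Optional[str]
    helo: str
    peer_ip: str
    user: Optional[str]


def parse_auth_failure(line: str) -> Optional[AuthFailure]:
    """Return an AuthFailure for an 'authenticator failed' line, else None."""
    m = AUTH_FAIL_RE.match(line)
    if not m:
        return None
    return AuthFailure(m["ts"], m["auth"], m["rdns"], m["helo"], m["peer"], m["user"])


def helo_address(helo: str) -> Optional[str]:
    """If the HELO argument is an address literal like [192.168.0.232], return that address."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            return str(ipaddress.ip_address(helo[1:-1]))
        except ValueError:
            return None
    return None


def is_private(addr: str) -> bool:
    """True for RFC 1918 / other non-routable ranges, False for public addresses."""
    return ipaddress.ip_address(addr).is_private


def summarize(log_text: str):
    """Parse every auth-failure line and count failures per real peer address."""
    failures = [f for f in map(parse_auth_failure, log_text.splitlines()) if f]
    per_peer = Counter(f.peer_ip for f in failures)
    return failures, per_peer


if __name__ == "__main__":
    fails, per_peer = summarize(SAMPLE_LOG)
    for f in fails:
        lit = helo_address(f.helo)
        helo_note = f"HELO literal {lit} ({'private' if is_private(lit) else 'public'})" if lit else f"HELO name {f.helo!r}"
        print(f"{f.timestamp} peer={f.peer_ip} ({'private' if is_private(f.peer_ip) else 'public'}) "
              f"user={f.user} auth={f.authenticator} {helo_note}")
    print("failures per peer:", dict(per_peer))
```

Keying the counter on peer_ip rather than on the HELO value is the point: the HELO string is attacker-controlled and can be anything, so any threshold or block list built from it would be trivially evaded, whereas the bracketed peer address is what the connection actually came from.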
