I was recently reviewing my mail logs from last month, and found something odd in the summary produced from Eximstats:
> Top 50 rejected ips by message count
> ------------------------------------
> Messages Rejected ip
> 180 [192.168.2.33]
> 24 [114.36.128.171]
> 22 [218.80.250.34]

Taken literally, this would imply a massive failure of both my firewall and my ISP, as 192.168.2.33 is in the well-known 192.168/16 private use area. I'm not using that range in my network (I drew from 172.16/12 instead).

Looking closely at the raw logs, I see that there was a lot of open-relay probing of my server on 2012-12-02 and 2012-12-03, which in fact came from 37 different real IPs. They just happened to all HELO as "[192.168.2.33]".

So eximstats has a bug -- it sometimes trusts a HELO over the actual IP address exim has logged.

---- Michael Deutschmann <[email protected]>

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
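The discrepancy described in the post above can be reproduced with a short log tally. This is an added example, not code from the post or from eximstats: the log lines are constructed (documentation-range peer addresses), and the "first bracketed address" extraction is only an assumed way such a miscount could arise, shown beside a tally keyed on the peer address that follows the HELO in Exim's `H=` field.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in Exim main-log style; peers use documentation ranges.
SAMPLE_LOG = """\
2012-12-02 03:14:07 H=([192.168.2.33]) [203.0.113.5] F=<a@example.com> rejected RCPT <x@example.net>: relay not permitted
2012-12-02 03:14:09 H=([192.168.2.33]) [203.0.113.77] F=<a@example.com> rejected RCPT <y@example.net>: relay not permitted
2012-12-03 11:02:41 H=([192.168.2.33]) [198.51.100.20] F=<a@example.com> rejected RCPT <z@example.net>: relay not permitted
2012-12-03 11:05:00 H=mail.example.org (helo.example.org) [198.51.100.20] F=<b@example.org> rejected RCPT <x@example.net>: relay not permitted
"""

# H=[verified-name ](helo-name) [peer-ip]: the peer address is the bracketed
# field after the optional host name and the optional parenthesised HELO.
HOST_RE = re.compile(
    r"\bH=(?:[^\s(\[]\S* )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]")
# Assumed naive extraction: the first bracketed IPv4 address on the line.
FIRST_BRACKET_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def tally(log_text):
    """Return (naive counts, per-peer counts, HELO literal -> set of real peers)."""
    naive, by_peer = Counter(), Counter()
    helo_peers = defaultdict(set)
    for line in log_text.splitlines():
        m = HOST_RE.search(line)
        if " rejected " not in line or not m:
            continue
        by_peer[m["ip"]] += 1
        first = FIRST_BRACKET_RE.search(line)
        if first:
            naive[first[1]] += 1
        helo = m["helo"] or ""
        if helo.startswith("[") and helo.endswith("]"):
            try:
                literal = str(ipaddress.ip_address(helo[1:-1]))
            except ValueError:
                continue  # bracketed HELO that is not an address literal
            if literal != m["ip"]:
                # The client claimed an address it is not connecting from.
                helo_peers[literal].add(m["ip"])
    return naive, by_peer, helo_peers


if __name__ == "__main__":
    naive, by_peer, helo_peers = tally(SAMPLE_LOG)
    print("naive:", naive.most_common())
    print("by peer:", by_peer.most_common())
    for literal, peers in helo_peers.items():
        print(f"HELO [{literal}] used by {len(peers)} distinct peers")
```
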
