On 21.06.2014 19:02, Always Learning wrote:

On Sat, 2014-06-21 at 10:38 -0700, Kaz Kylheku wrote:

2014-06-21 09:29:45 H=static-96-243-137-36.tampfl.fios.verizon.net ([192.168.2.33]) [96.243.137.36] F=<[email protected]> rejected RCPT <[email protected]>:

It is a perpetual spammer sending emails from compromised computer
systems all round the world.

What is the ([192.168.2.33])?

It is a bogus HELO/EHLO. The IP range is for internal-usage only. Not to
be used on the Internet.

Hi,

I know what the range 192.168 is; but what is the syntax of the log? The Exim reject logs vary in their structure. I have seen variations like:

  H=X [Z]
  H=(X) [Z]
  H=X ([Y]) [Z]
  H=([Y]) [Z]

and possibly others. The address Z in square brackets is consistent. Between the H= and that, sometimes there are two tokens and sometimes only one, with various combinations of brackets or parentheses.

How can we parse all these variations? In the case of ([192.168.2.33]), if that is the HELO string, what came from the host? Just the numeric address, or with the square brackets? Or are the square brackets Exim's convention for logging IP addresses?

Do parentheses always denote the HELO information?

I'm guessing:

  H=X [Z]       -- host gave no HELO; X is a reverse lookup from Z.
  H=(X) [Z]     -- X was given as HELO; but matches Z
  H=X ([Y]) [Z] -- X was reversed from Z; host gave Y numeric IP as HELO
  H=X (Y) [Z]   -- X was reversed from Z; host gave Y non-numeric item as HELO

Thanks.



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
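A parser for the H= variants listed in the post, as an added example that is not from the thread or from Exim itself. Which token is the reverse-DNS name and which is the HELO argument follows the guesses in the post and is an assumption, not confirmed Exim behaviour; the private-range and mismatch checks use Python's ipaddress module, and the sample lines are constructed.

```python
import ipaddress
import re

# The "H=..." clause of an Exim reject-log line.  Field meanings follow the
# guesses in the post and are assumptions, not Exim documentation: an
# unparenthesised token is the reverse-DNS name, a parenthesised token is
# the client's HELO/EHLO argument, and the trailing [Z] is the connecting IP.
H_CLAUSE = re.compile(
    r"H=(?P<rdns>[^\s()\[\]]+)?\s*"   # optional reverse-DNS name X
    r"(?:\((?P<helo>[^)]*)\))?\s*"    # optional HELO argument Y, parenthesised
    r"\[(?P<ip>[^\]]+)\]"             # connecting address Z, always bracketed
)

def parse_h_clause(line):
    """Return {'rdns': X or None, 'helo': Y or None, 'ip': Z} for one line."""
    m = H_CLAUSE.search(line)
    if m is None:
        raise ValueError("no H= clause found: %r" % line)
    return m.groupdict()

def helo_problems(fields):
    """Flag a HELO address literal ('[a.b.c.d]', RFC 5321 syntax) that is in a
    private/reserved range or differs from the connecting address."""
    problems = []
    helo = fields["helo"]
    if helo is None or not (helo.startswith("[") and helo.endswith("]")):
        return problems  # no HELO, or a hostname HELO: nothing to compare here
    try:
        literal = ipaddress.ip_address(helo[1:-1])
    except ValueError:
        return ["malformed HELO address literal"]
    if literal.is_private:  # RFC 1918 and other non-routable ranges
        problems.append("HELO address literal is in a private range")
    if literal != ipaddress.ip_address(fields["ip"]):
        problems.append("HELO address literal differs from connecting address")
    return problems

# Constructed sample lines covering the variants listed in the post; the first
# reuses the addresses from the quoted log line, the rest use documentation IPs.
SAMPLE_LINES = [
    "2014-06-21 09:29:45 H=static-96-243-137-36.tampfl.fios.verizon.net "
    "([192.168.2.33]) [96.243.137.36] F=<a@example.invalid> rejected RCPT <b@example.invalid>:",
    "2014-06-21 09:30:01 H=mx.example.invalid [203.0.113.5] rejected RCPT <c@example.invalid>",
    "2014-06-21 09:30:02 H=(mx.example.invalid) [203.0.113.5] rejected RCPT <c@example.invalid>",
    "2014-06-21 09:30:03 H=([96.243.137.36]) [96.243.137.36] rejected RCPT <c@example.invalid>",
    "2014-06-21 09:30:04 H=mx.example.invalid (bogus.helo) [203.0.113.5] rejected RCPT <c@example.invalid>",
]

for _line in SAMPLE_LINES:  # stand-alone run: print parsed fields and any findings
    _f = parse_h_clause(_line)
    print(_f, helo_problems(_f) or "ok")
```

The parser keeps whatever sat between the parentheses verbatim, so whether the square brackets around 192.168.2.33 came from the client or from Exim is left for the log format to decide; the check only interprets a bracketed value as an address literal.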
