> I am assuming it's a spammer forging my stuff. However I want to ensure that
Just to recap: Yes, this is forged:

> In: HELO 68.156.89.114

Note, this is IN, not OUT. If you are on mx666.wirelesscommunitynetworks.com [68.156.89.114], and a HELO comes in saying it is from 68.156.89.114 to 68.156.89.114, it is very obvious what is happening, and only requires one thing to check, the logged IP of the client. In your logs, you should have the IP of what connected to you. Not the HELO, but the actual IP.

Let me try and put it another way. Let's say your phone number is 555-1212. Someone calls and says, "Hi, this is Joe at 555-1212, and I am calling you, Mark at 555-1212, to sell you some garbage." You then look at your caller ID box and see the number they called from. Let's say it is 555-9999. Well, 555-9999 is not 555-1212! They are lying.

Now on the segment you pasted into the email, you started with the second part of the connection. I am not sure if you are seeing the first part. The first part would be their IP hooking up to your IP to open a connection between you. That is when you see their real IP. (Or in my example, they dialed your phone number. It does not ring till they call you.)

After that inbound connection happens, your server sends out the banner, which is "mx666.wirelesscommunitynetworks.com - ESMTP - Postfix - Attn: UCE trespassers will be pursued." in your case. (You pick up the phone and say, "This is Mark.")

That is the missing piece that I think is eluding you. Your server does not just broadcast "mx666.wirelesscommunitynetworks.com - ESMTP..." all day long to every machine on the net. Instead it waits for a connection to be opened, an inbound request. Then it sends out the banner. (You do not call everyone in the world and ask them if they need to telephone you.)

What you see after that in the section you posted is a forged HELO, how naughty of them. Then there is a little chatter back and forth. Finally, you punish them for using an IP in the HELO. Now, you are NOT punishing them for using YOUR IP. You do not care if it is your IP or any other IP. It is an IP in the HELO. It is bad. Bye bye.

I hope that helps clear up the concept a little.

--Eric

ps. Fortunately I had more than 3 hours sleep last night, so I am thinking clearly today. The above should be accurate. Too many long days and short nights this last.... herm, I don't know how long. Weeks? Months?
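
The check described in the message above, comparing the logged client IP with the HELO argument, as an added example that is not part of the original message. The log lines are constructed, the client addresses 203.0.113.7 and 198.51.100.20 are placeholders, and the regular expression assumes the usual Postfix smtpd reject line that ends in `helo=<...>`.

```python
import ipaddress
import re

# In a Postfix smtpd reject line, the bracketed address after the client name
# is the real peer IP of the TCP connection; helo=<...> is only what the
# client claimed about itself.
REJECT_RE = re.compile(
    r"reject: \w+ from (?P<name>[^\[\s]+)\[(?P<ip>[^\]]+)\]:"
    r".*\bhelo=<(?P<helo>[^>]*)>"
)

def parse_ip(text):
    """Return an ip_address if text is a bare or [bracketed] IP, else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None

def check_helo(line, server_ips):
    """Classify the HELO claim on one log line; None if it is not a reject line."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    client = ipaddress.ip_address(m["ip"])
    helo = m["helo"]
    helo_ip = parse_ip(helo)
    findings = []
    if helo_ip is not None:
        if not helo.startswith("["):
            findings.append("bare-ip-helo")           # an IP in the HELO
        if helo_ip != client:
            findings.append("helo-ip-differs-from-client")
        if helo_ip in server_ips and client not in server_ips:
            findings.append("helo-claims-our-ip")     # the case in this thread
    return {"client_ip": str(client), "helo": helo, "findings": findings}

# Address of the receiving server, taken from the thread.
OUR_IPS = {ipaddress.ip_address("68.156.89.114")}

# Constructed sample log lines (not from the original poster's logs).
SAMPLE_LOG = [
    "postfix/smtpd[411]: connect from unknown[203.0.113.7]",
    "postfix/smtpd[411]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: "
    "554 5.7.1 <68.156.89.114>: Helo command rejected: Access denied; "
    "from=<a@example.org> to=<b@example.com> proto=SMTP helo=<68.156.89.114>",
    "postfix/smtpd[412]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.20]: "
    "450 4.1.1 <x@example.com>: Recipient address rejected: unknown user; "
    "from=<c@example.net> to=<x@example.com> proto=ESMTP helo=<mail.example.net>",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(check_helo(entry, OUR_IPS))
```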
