In the course of looking through my log files I discovered some log
lines which are falsely recording an IP address of 127.0.0.1. The lines
in question look like this.
2000-07-16 05:22:07 13DnQr-0000Dw-00 <= foo@???
H=localhost (family2) [127.0.0.1] P=smtp S=3384
id=001101bfef1e$e94f2a00$2100a8c0@family2
2000-07-16 05:51:41 13DntU-0000xc-00 <= bar@???
H=localhost (nn) [127.0.0.1] P=smtp S=1361
id=015401bfef23$b6cf5c80$14f4dc83@nn
In both cases the actual username has been changed by me. Everything
else in the line is as it appears in the logs. As some of the other
messages had some information that showed the users were on cable modems
and using Outlook or Outlook express I'm suspecting that this is coming
from a masquerading program for Windows that allows multiple machines to
share an IP address, but my understanding from the docs is that the IP
address logged in square brackets came from a lookup on the incoming
connection. The chapter on logging in 48.3 says this is the only field
that can be relied on. I'd like to know if anyone else has seen this
yet and if there's any way we can prevent exim from getting fooled like
this. Among other things this makes tracking the source of incoming spam
very difficult.
--
Artificial Intelligence stands no chance against Natural Stupidity.
GAT d- -p+(--) c++++ l++ u++ t- m--- W--- !v
b+++ e* s-/+ n-(?) h++ f+g+ w+++ y*
