On Sat, 2002-12-07 at 19:18, Alan J. Flavell wrote:
>
> There's a class of event which shows up in the logs as e.g
>
> 2002-12-07 00:42:43 H=(nric) [200.160.36.13] (CacheFlow Server)
> F=<wvdvn@???> rejected RCPT...
>
> Am I right in thinking that "CacheFlow Server" here is always
> indicative of an open proxy? What actually _is_ this item of data in

CacheFlow is a rather popular caching proxy device used by ISPs. A lot
of ISPs, however, seem pretty dumb about locking it down.
Yup - any sign of this you see in your Exim logs is likely to be spam
through an open proxy.

> the mainlog, I'm having a hard time finding it documented in chapter
> 44. I'm suspicious that it might be the rfc1413 "ident", but then why
> isn't it prefixed with "U=" as indicated in 44.12?

What you might do is an after the fact thing :) Just grep your logs for
any instances of %CacheFlow% and throw those IPs into your local
blocklist / submit them to one of the better open proxy dnsbls.
You can use Chip Rosenthal's pxytest script to check open proxies.
srs
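
An added example, not part of the original message: one way to do the "grep your logs" step so that it yields a per-host summary instead of raw lines. The function names and the sample log lines are constructed for illustration (documentation-range addresses, laid out like the line quoted above); IPv4 only.

```shell
#!/bin/sh
# Summarise hosts whose Exim mainlog line carries the "(CacheFlow ...)" tag.
# Reads a log on stdin, prints one line per host: IP hits first-seen last-seen

cacheflow_hosts() {
    awk '
    /\(CacheFlow[^)]*\)/ {
        # The connecting address is the bracketed field, e.g. [192.0.2.13]
        ip = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\[[0-9.]+\]$/) {
                ip = substr($i, 2, length($i) - 2)
                break
            }
        if (ip == "") next              # tagged line without a parsable address
        stamp = $1 "T" $2               # date and time are the first two fields
        if (!(ip in hits)) first[ip] = stamp
        hits[ip]++
        last[ip] = stamp
    }
    END { for (ip in hits) print ip, hits[ip], first[ip], last[ip] }
    ' | LC_ALL=C sort
}

# Just the addresses, one per line, as candidates for a local blocklist.
cacheflow_ips() {
    cacheflow_hosts | cut -d' ' -f1
}

# Constructed sample input; in practice feed the real mainlog on stdin.
sample_log() {
cat <<'EOF'
2002-12-07 00:42:43 H=(nric) [192.0.2.13] (CacheFlow Server) F=<a@example.org> rejected RCPT <u@example.net>
2002-12-07 00:42:51 H=(nric) [192.0.2.13] (CacheFlow Server) F=<b@example.org> rejected RCPT <v@example.net>
2002-12-07 01:10:02 H=mail.example.com [198.51.100.7] F=<c@example.com> rejected RCPT <u@example.net>
2002-12-07 03:15:40 H=(xyz) [203.0.113.99] (CacheFlow Server) F=<d@example.org> rejected RCPT <w@example.net>
EOF
}

sample_log | cacheflow_hosts
```

The output is a list of candidates: confirm each host (for instance with the pxytest script mentioned above) before it goes into a blocklist or a DNSBL submission.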