[Exim] Exim 4.22 rejecting EHLO CE_HAMM

Author: Ralph Siemsen
Date:  
To: exim-users
Subject: [Exim] Exim 4.22 rejecting EHLO CE_HAMM
Running exim 4.22 on armv4l with exiscan patch applied, I am seeing
several thousand log entries per day similar to:

2003-09-09 17:06:23 rejected HELO from pd951f633.dip.t-dialin.net
[217.81.246.51]: syntactically invalid argument(s): CE_HAMM

where the hostname and IP vary considerably. Tcpdump indicates that
the failed command is always one of:

    EHLO CE_HAMM<CR><LF>
    HELO CE_HAMM<CR><LF>
    EHLO PERSONAL_DT<CR><LF>
    HELO PERSONAL_DT<CR><LF>


The client always tries an EHLO first, exim returns a 501, then the
client tries HELO, exim returns another 501, then the client
disconnects abruptly. Several seconds later the same pattern repeats.

My guess is this is a spambot or virus of some sort, but I'm not sure.
I cannot find any record of these strings on Google or in the archives
here, so I am hoping someone can shed some light on this.

Incidentally, sending the same EHLO/HELO sequence to several other MTAs
does not produce a 501 (but probably should since it isn't a valid
hostname). Is it a case of Exim being more picky? Or are these magic
commands to unlock features in other MTAs?

--
Ralph Siemsen
www.netwinder.org
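
Added example, not part of the original post and not Exim code: a small log summarizer for triaging the rejections described above, grouping them by HELO/EHLO argument and counting distinct source addresses. It assumes each log entry sits on one line in the format quoted in the post; the sample lines are constructed, and the character check is a plain RFC 1123 host-name character test, not Exim's own validation.

```python
import re
from collections import defaultdict

# Matches the rejection line format quoted in the post, unwrapped to one line.
# Assumption: the host name before the bracketed IP may be absent.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) rejected (?P<verb>HELO|EHLO) from "
    r"(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\]: "
    r"syntactically invalid argument\(s\): (?P<arg>.*)$"
)

# Letters, digits, hyphen and dot: the characters of an RFC 1123 host name.
HOSTNAME_CHARS = re.compile(r"[A-Za-z0-9.-]")

def bad_chars(arg):
    """Return the sorted characters of arg that are not valid in a host name."""
    return sorted({c for c in arg if not HOSTNAME_CHARS.match(c)})

def summarize(lines):
    """Group rejections by argument: hit count, distinct IPs, offending chars."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set()})
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if not m:
            continue  # unrelated log entry
        entry = stats[m["arg"]]
        entry["hits"] += 1
        entry["ips"].add(m["ip"])
    return {
        arg: {"hits": s["hits"], "distinct_ips": len(s["ips"]),
              "bad_chars": bad_chars(arg)}
        for arg, s in stats.items()
    }

# Constructed sample lines (documentation addresses, not real log data).
SAMPLE_LOG = """\
2003-09-09 17:06:23 rejected HELO from host1.example.net [192.0.2.10]: syntactically invalid argument(s): CE_HAMM
2003-09-09 17:06:31 rejected HELO from host2.example.net [192.0.2.77]: syntactically invalid argument(s): CE_HAMM
2003-09-09 17:06:40 rejected HELO from [198.51.100.5]: syntactically invalid argument(s): PERSONAL_DT
2003-09-09 17:06:52 rejected HELO from host1.example.net [192.0.2.10]: syntactically invalid argument(s): CE_HAMM
2003-09-09 17:07:01 SMTP connection from [198.51.100.5] closed by QUIT
""".splitlines()

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"])
    for arg, info in ranked:
        print(f"{arg!r}: {info['hits']} rejections from "
              f"{info['distinct_ips']} IPs, invalid chars {info['bad_chars']}")
```

A small set of arguments arriving from many distinct addresses suggests one client program running on many hosts rather than a single misconfigured sender.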