Re: [Exim] forgery protection ACLs

Author: Chris Edwards
Date:  
To: Richard Welty
CC: exim-users
Subject: Re: [Exim] forgery protection ACLs
On Tue, 9 Dec 2003, Richard Welty wrote:

| well, i installed one of the recommended forgery protection ACLs,
| only to get the following:
|
| 2003-12-09 07:10:02 H=[64.4.47.24] temporarily rejected EHLO or HELO hotmail.com: Access temporarily denied. Resolve failed PTR for 64.4.47.24
| 2003-12-09 07:10:09 H=[64.4.8.80] temporarily rejected EHLO or HELO hotmail.com: Access temporarily denied. Resolve failed PTR for 64.4.8.80
| 2003-12-09 07:10:21 H=[64.4.15.109] temporarily rejected EHLO or HELO hotmail.com: Access temporarily denied. Resolve failed PTR for 64.4.15.109
| 2003-12-09 07:11:57 H=[64.4.8.84] temporarily rejected EHLO or HELO hotmail.com: Access temporarily denied. Resolve failed PTR for 64.4.8.84
| 2003-12-09 07:12:07 H=[64.4.8.87] temporarily rejected EHLO or HELO hotmail.com: Access temporarily denied. Resolve failed PTR for 64.4.8.87
| 2003-12-09 07:13:26 H=[64.4.14.15] temporarily rejected EHLO or HELO hotmail.com: Access temporarily denied. Resolve failed PTR for 64.4.14.15
| 2003-12-09 07:15:06 H=[64.4.9.68] temporarily rejected EHLO or HELO hotmail.com: Access temporarily denied. Resolve failed PTR for 64.4.9.68
| 2003-12-09 07:16:00 H=[64.4.23.114] temporarily rejected EHLO or HELO hotmail.com: Access temporarily denied. Resolve failed PTR for 64.4.23.114
|
| which would be fine, except that 64.4.0.0/18 does actually belong
| to hotmail according to whois records.


For what it's worth we've had mail from some of those IPs in recent days,
and all the PTR lookups _have_ worked.

I do recall in the past getting genuine "hot" mail from an IP with no PTR,
and this was reproducible - they'd clearly forgotten to register it.

That was a while ago. A quick trawl thru recent logs shows that the few
messages we've accepted from hotmail senders with unregistered IPs have
all been spam, with the IPs not belonging to hotmail. So we're
considering adding this test.

Then again, all these forgeries (only a handful in total) could trivially
have been repulsed on the grounds of the HELO not being the expected
"hotmail.com".


--
Chris Edwards, Glasgow University Computing Service
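
Added example, not part of the original message: a log triage sketch for the kind of check discussed in this thread, separating PTR-failure rejections whose source IP lies inside the range the HELO domain is known to use (likely false positives) from those outside it (consistent with a forged HELO). The `KNOWN_NETS` map, the function names and the last three sample lines are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: operator-maintained map of HELO domain -> sending networks,
# seeded with the whois claim quoted in the thread (64.4.0.0/18 is hotmail).
KNOWN_NETS = {"hotmail.com": [ipaddress.ip_network("64.4.0.0/18")]}

LINE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d H=\[(?P<ip>[^\]]+)\] "
    r"temporarily rejected EHLO or HELO (?P<helo>\S+): .*"
    r"Resolve failed PTR for \S+$"
)

# First three lines are from the thread; the last three are constructed.
SAMPLE_LOG = """\
2003-12-09 07:10:02 H=[64.4.47.24] temporarily rejected EHLO or HELO hotmail.com: Access temporarily denied. Resolve failed PTR for 64.4.47.24
2003-12-09 07:10:09 H=[64.4.8.80] temporarily rejected EHLO or HELO hotmail.com: Access temporarily denied. Resolve failed PTR for 64.4.8.80
2003-12-09 07:10:21 H=[64.4.15.109] temporarily rejected EHLO or HELO hotmail.com: Access temporarily denied. Resolve failed PTR for 64.4.15.109
2003-12-09 07:20:00 H=[192.0.2.55] temporarily rejected EHLO or HELO hotmail.com: Access temporarily denied. Resolve failed PTR for 192.0.2.55
2003-12-09 07:21:00 H=[198.51.100.7] temporarily rejected EHLO or HELO example.net: Access temporarily denied. Resolve failed PTR for 198.51.100.7
2003-12-09 07:22:00 H=[203.0.113.9] rejected RCPT <user@example.org>: relay not permitted
"""

def classify(line):
    """Return (ip, helo, verdict) for a PTR-failure rejection, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # not a PTR-failure HELO rejection
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None  # malformed address in the log line
    helo = m["helo"].lower().rstrip(".")
    nets = KNOWN_NETS.get(helo)
    if nets is None:
        verdict = "unknown-domain"   # no range on file for this HELO name
    elif any(ip in net for net in nets):
        verdict = "in-range"         # genuine sender hit by a failed PTR lookup
    else:
        verdict = "out-of-range"     # HELO claims the domain, IP is elsewhere
    return (str(ip), helo, verdict)

def summarise(log_text):
    results = [classify(line) for line in log_text.splitlines()]
    return Counter(r[2] for r in results if r)

if __name__ == "__main__":
    print(dict(summarise(SAMPLE_LOG)))
```

A high "in-range" count suggests the PTR test is deferring genuine mail from that provider, which is the situation reported at the top of the thread.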