On Thu, 29 Dec 2005, Bill wrote:
> 2005-12-28 16:51:08 no IP address found for host
> smtp05.dc2.safesecureweb.com (during SMTP connection from
> (81.161.250.78) [81.161.250.78])
>
> 2005-12-28 16:51:08 H=(81.161.250.78) [81.161.250.78]
> F=<xddukiakwlat@???> rejected RCPT
> <asqctqzmrewfgafaije@???>: Unrestricted relaying not
> permitted

Something is provoking your exim into attempting to look up
the name smtp05.dc2.safesecureweb.com in the early stages of
the transaction from IP 81.161.250.78.

Could it be that these abusers are trying to present that domain in
the HELO/EHLO, and your exim configuration causes it to be verified?

If I attempt to look up smtp05.dc2.safesecureweb.com from here:

$ host smtp05.dc2.safesecureweb.com
Host smtp05.dc2.safesecureweb.com not found: 3(NXDOMAIN)

so the report seems to be correct; the specific puzzle is what's
prompting exim to attempt the lookup.

[Btw: if I attempt to look up the PTR record of 81.161.250.78 from
here, then after a brief delay I get the answer
FDIBA10100-2.tu-sofia.bg. which also looks up the other way. Your
logging shows no sign of this name. However, that's probably a
side-issue: the question of whether exim would attempt to verify that
bothways lookup depends on your configuration setting. I'd expect to
see the name in our logs, but your configuration is probably
different.]

See also
http://cbl.abuseat.org/lookup.cgi?ip=81.161.250.78

I would block the whole IP range or hostname pattern: it doesn't look
like anything that has any business to be presenting itself on the
Internet as a bona fide MTA.

Good luck
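
The two checks discussed in the message above, as an added example that is not part of the original post: it groups the quoted exim log entries by client IP, compares the name exim failed to resolve with the HELO argument shown in the H= field, and runs the both-ways (PTR then forward) lookup. The function names are hypothetical, and the DNS answers are a stub table built only from what the message reports, so it runs offline.

```python
import re
from collections import defaultdict

# Constructed input: the two log entries quoted in the message, unwrapped to one line each.
SAMPLE_LOG = """\
2005-12-28 16:51:08 no IP address found for host smtp05.dc2.safesecureweb.com (during SMTP connection from (81.161.250.78) [81.161.250.78])
2005-12-28 16:51:08 H=(81.161.250.78) [81.161.250.78] F=<xddukiakwlat@???> rejected RCPT <asqctqzmrewfgafaije@???>: Unrestricted relaying not permitted
"""

# Stub DNS data (assumption): only the answers reported in the message.
PTR = {"81.161.250.78": ["fdiba10100-2.tu-sofia.bg"]}
A = {"fdiba10100-2.tu-sofia.bg": ["81.161.250.78"]}  # smtp05... absent: NXDOMAIN

LOOKUP_RE = re.compile(
    r"no IP address found for host (?P<name>\S+) "
    r"\(during SMTP connection from .*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)")
# exim logs the HELO/EHLO argument in parentheses inside the H= field.
REJECT_RE = re.compile(
    r"H=(?:[^\s(\[]\S* )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[0-9A-Fa-f.:]+)\]"
    r".* rejected RCPT <[^>]*>: (?P<reason>.+)$")

def summarize(log_text):
    """Group failed name lookups, HELO names and rejections by client IP."""
    out = defaultdict(lambda: {"failed_lookups": set(), "helo": set(), "rejects": []})
    for line in log_text.splitlines():
        if m := LOOKUP_RE.search(line):
            out[m["ip"]]["failed_lookups"].add(m["name"].lower())
        elif m := REJECT_RE.search(line):
            if m["helo"]:
                out[m["ip"]]["helo"].add(m["helo"].lower())
            out[m["ip"]]["rejects"].append(m["reason"])
    return dict(out)

def fcrdns(ip, ptr=PTR, a=A):
    """Return the PTR names for ip whose forward lookup includes ip again."""
    return [n for n in ptr.get(ip, []) if ip in a.get(n.lower(), [])]

def report(log_text):
    """Per client IP: was the unresolvable name the HELO name, and does FCrDNS pass?"""
    rows = {}
    for ip, info in summarize(log_text).items():
        rows[ip] = {
            "helo_is_failed_name": bool(info["helo"] & info["failed_lookups"]),
            "confirmed_names": fcrdns(ip),
            **info,
        }
    return rows

if __name__ == "__main__":
    for ip, row in report(SAMPLE_LOG).items():
        print(ip, row)
```

To run it against a live log, replace the stub tables with real resolver calls and feed in the exim main log text.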