Author: W B Hacker Date: To: exim users Subject: Re: [exim] netzero forgeries?
Dennis Davis wrote:
*trimmed*
>
> Most of the ones I've seen have been fingered by the RBLs I
> use. For example, here's one for me that was hit by the
> JANET subscription to MAPS:
>
> 2006-06-15 15:38:55 H=(netzero.com) [220.171.78.157]
> I=[138.38.32.23]:25 F=<lupapa@???> rejected RCPT
> <ccsdhd@???>: 220.171.78.157 is listed in
> rbl-plus.mail-abuse.ja.net
>
ACK, BUT:
- these can usually be stopped more 'cheaply' and faster w/o
need of an RBL lookup on the basis of Exim's own tests.
> 220.171.78.157 appears to be registered to a Chinese network.
- Which is in a WHOIS (separate note, off-list), but fails
forward/reverse DNS lookup, indicates a forged EHLO/HELO, fails
sender verify, almost certainly would also fail recipient
verification as well, and might also have syntax, 'payload', or
other protocol errors worthy of denial - or progressive delays
until they lose patience and drop off the teat.
- all well before hitting SA or such, or - in our case -
checking any RBLs. [1]
Bill
[1] - or, as we have never had a legit netzero inbound, hitting
our local BL since shortly after this thread started...
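An Exim RCPT ACL in the ordering Bill describes, as an added example (not Bill's own configuration): the cheap local tests first, the DNS list lookup only for what survives them. The +relay_from_hosts list name, the reject messages and the delay length are assumptions; the dnslists name is the one from the log line quoted above.

```exim
# Added example, not the poster's configuration: an acl_smtp_rcpt ACL that
# runs the local tests named in the message before any RBL lookup.
# Assumptions: the +relay_from_hosts host list, the message texts, the 20s delay.
acl_check_rcpt:

  # Our own hosts and authenticated clients skip the checks.
  accept  hosts         = +relay_from_hosts
  accept  authenticated = *

  # 1. Forward/reverse DNS must agree (PTR and A lookups only).
  deny    !verify       = reverse_host_lookup
          message       = $sender_host_address has no matching forward/reverse DNS

  # 2. HELO/EHLO must verify against the connecting host; a claim of
  #    "netzero.com" from an unrelated address fails here.
  deny    !verify       = helo
          message       = HELO/EHLO name $sender_helo_name does not verify

  # 3. Sender verify: the envelope sender must be routable.
  deny    !verify       = sender
          message       = envelope sender $sender_address does not verify

  # 4. Recipient verify: unknown local parts are refused before any remote query.
  deny    !verify       = recipient
          message       = unknown recipient

  # 5. Only now spend a DNS query on the RBL. Listed hosts are delayed and
  #    the connection dropped, so persistent senders lose patience sooner.
  drop    dnslists      = rbl-plus.mail-abuse.ja.net
          delay         = 20s
          message       = $sender_host_address is listed in $dnslist_domain
          log_message   = RBL hit ($dnslist_domain)

  accept
```

Each deny in steps 1 to 4 uses data Exim already has or obtains with one local DNS query, so a forged-HELO connection like the one in the quoted log never reaches the dnslists statement.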