Re: [exim] netzero forgeries?

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] netzero forgeries?
Dennis Davis wrote:

*trimmed*

>
> Most of the ones I've seen have been fingered by the RBLs I
> use. For example, here's one for me that was hit by the
> JANET subscription to MAPS:
>
> 2006-06-15 15:38:55 H=(netzero.com) [220.171.78.157]
> I=[138.38.32.23]:25 F=<lupapa@???> rejected RCPT
> <ccsdhd@???>: 220.171.78.157 is listed in
> rbl-plus.mail-abuse.ja.net
>


ACK, BUT:

- these can usually be stopped more 'cheaply' and faster w/o
need of an RBL lookup on the basis of Exim's own tests.


> 220.171.78.157 appears to be registered to a Chinese network.


- Which is in a WHOIS (separate note, off-list), but fails
forward/reverse DNS lookup, indicates a forged EHLO/HELO, fails
sender verify, almost certainly would also fail recipient
verification as well, and might also have syntax, 'payload', or
other protocol errors worthy of denial - or progressive delays
until they lose patience and drop off the teat.

- all well before hitting SA or such, or - in our case -
checking any RBLs. [1]

Bill


[1] - or, as we have never had a legit netzero inbound, hitting
our local BL since shortly after this thread started...