-----Original Message-----
From: exim-users-bounces@??? [mailto:exim-users-bounces@exim.org] On Behalf Of Steven Wayne
Sent: 28 June 2006 13:46
To: exim-users@???
Subject: Re: [exim] Stopping arbitrary traffic
On Tue, Jun 27, 2006 at 02:47:35PM -0700, Dustin Jenkins wrote:
>
> Thanks for the response.
>
> The dc_accept_relay should've been dc_host_accept_relay; I should've taken that out. Thanks for pointing to it.
>
> Here's a snippet from my /var/log/exim4/mainlog; the paniclog and reject log are empty. As you can see, there are all kinds of different addresses from arbitrary traffic going to arbitrary domains. Mostly it gets denied, but sometimes it succeeds with a 'Completed' message. What I want is for it to not try at all! I would've thought that I shouldn't be seeing any of this stuff.
>
> <LOG-SNIPPET>
> 2006-06-26 22:14:46 1Fv5uQ-0001ik-2H <= <> R=1FrfGX-0002bI-3K U=Debian-exim P=local S=2482
> 2006-06-26 22:14:46 1FrfGX-0002bI-3K Completed
> 2006-06-26 22:14:46 1Fv5uQ-0001ik-2H ** tyler@??? <Tyler@???> R=dnslookup T=remote_smtp: retry time not reached for any host after a long failure period
> 2006-06-26 22:14:46 1Fv5uQ-0001ik-2H Frozen (delivery error message)
> 2006-06-26 22:14:47 1FrfX0-0003LM-4v => wac1@??? R=dnslookup T=remote_smtp H=cluster6.us.messagelabs.com [216.82.249.195] X=TLS-1.0:RSA_AES_256_CBC_SHA1:32
> 2006-06-26 22:14:47 1FrfX0-0003LM-4v Completed
> 2006-06-26 22:14:47 1FrfEe-0002Z2-BA a.mx0.gatewaydefender.com [209.153.138.190] Connection timed out
> 2006-06-26 22:14:50 1FrfWq-0003L8-M0 ** wackit69@???: an MX or SRV record indicated no SMTP service
> 2006-06-26 22:14:51 1FrfWq-0003L8-M0 => peggy.haney@??? R=dnslookup T=remote_smtp H=wppim001.aexp.com [193.32.34.92] X=TLS-1.0:RSA_AES_256_CBC_SHA1:32
> 2006-06-26 22:14:51 1FrfWq-0003L8-M0 ** cvdlely@??? R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<cvdlely@???>: host mailhub-new.vianetworks.nl [212.61.15.154]: 554 Service unavailable; Client host [24.68.130.247] blocked using safe.dnsbl.sorbs.net; Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?24.68.130.247
> 2006-06-26 22:14:53 1FrfWq-0003L8-M0 ** server@??? R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<server@???>: host mx10.uni.net [217.72.103.201]: 550 5.1.1 <server@???> User unknown; rejecting
> 2006-06-26 22:14:54 1FrfWq-0003L8-M0 => server@??? R=dnslookup T=remote_smtp H=mail.atriniti.com [68.15.40.154]
> 2006-06-26 22:14:55 1FrfWq-0003L8-M0 ** embox5@??? R=dnslookup T=remote_smtp: SMTP error from remote mail server after MAIL FROM:<Marietta@???> SIZE=2513: host mx2.earthlink.net [209.86.93.227]: 550 Dynamic IPs/open relays blocked. Contact <openrelay@???>.
> 2006-06-26 22:14:56 1FrfWq-0003L8-M0 ** server@??? R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<server@???>: host URO.COM.INBOUND15.MXLOGIC.NET [208.65.145.3]: 550 Recipient unknown
> 2006-06-26 22:14:57 1FrfWq-0003L8-M0 => k4447@??? R=dnslookup T=remote_smtp H=mx4.hotmail.com [65.54.245.104]
> 2006-06-26 22:14:58 1FrfWq-0003L8-M0 ** alpll@??? R=dnslookup T=remote_smtp: SMTP error from remote mail server after initial connection: host mailin-02.mx.netscape.net [205.188.158.57]: 554- (RTR:BB) http://postmaster.info.aol.com/errors/554rtrbb.html\n554 Connecting IP: 24.68.130.247
> 2006-06-26 22:14:58 1FrfWq-0003L8-M0 == bookings@??? R=dnslookup T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<bookings@???>: host mailwash16.pair.com [66.39.2.16]: 450 <bookings@???>: Recipient address rejected: Service temporarily unavailable
> 2006-06-26 22:15:02 1FrfWS-0003Lu-HQ => dog.kobe@??? R=dnslookup T=remote_smtp H=msa-mx2.hinet.net [168.95.5.113]
> 2006-06-26 22:15:02 1FrfWS-0003Lu-HQ Completed
> 2006-06-26 22:15:04 1FrfWK-0003LL-Hx ** k2000@??? R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<k2000@???>: host mx3.nownuri.net [203.238.128.89]: 550 5.1.1 k2000 Unknown User
> </LOG-SNIPPET>
>
> When you say obfuscated, are you referring to the configuration in general or specific components?
This doesn't show a complete log of any transaction.
Run
exigrep -l 1FrfWq-0003L8-M0 /var/log/exim4/maillog*
It's the "<=" mark that tells where they're coming from.
Are you running a web server on this machine too?
And please don't top-post.
Steven.
--
A new dramatist of the absurd
Has a voice that will shortly be heard.
I learn from my spies
He's about to devise
An unprintable three-letter word.
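Steven's point is that only the "<=" arrival entry for a message ID says where a message came from, and the quoted extract contains delivery entries for IDs whose arrival lines are missing. As an added example (not from the thread and not one of Exim's own tools), the script below groups mainlog entries by message ID, pulls the origin fields (U=, P=, H=, R=) from each ID's "<=" entry and counts the =>/**/== outcomes; the sample log is constructed, with placeholder addresses, and its first line is a hypothetical arrival record (a local submission by a web-server user) invented to show what the missing line would reveal.

```python
import re
from collections import defaultdict

# Constructed sample in Exim mainlog format, modelled on the entries quoted above, with
# placeholder addresses. The first '<=' line is hypothetical: a local submission by www-data.
SAMPLE_LOG = """\
2006-06-26 22:14:40 1FrfWq-0003L8-M0 <= Marietta@example.invalid U=www-data P=local S=2513
2006-06-26 22:14:46 1Fv5uQ-0001ik-2H <= <> R=1FrfGX-0002bI-3K U=Debian-exim P=local S=2482
2006-06-26 22:14:50 1FrfWq-0003L8-M0 ** wackit69@example.invalid: an MX or SRV record indicated no SMTP service
2006-06-26 22:14:54 1FrfWq-0003L8-M0 => server@example.invalid R=dnslookup T=remote_smtp H=mail.atriniti.com [68.15.40.154]
2006-06-26 22:15:02 1FrfWS-0003Lu-HQ => dog.kobe@example.invalid R=dnslookup T=remote_smtp H=msa-mx2.hinet.net [168.95.5.113]
"""

# timestamp, the 6-6-2 character Exim message ID, then the rest of the entry
LINE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (\w{6}-\w{6}-\w{2}) (.*)$")

def group_by_message(log_text):
    """Map each Exim message ID to the entries (text after the ID) logged for it."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            groups[m.group(1)].append(m.group(2))
    return groups

def arrival_info(entries):
    """Parse the '<=' entry: sender plus the U=, P=, H=, R= fields that say where it came from."""
    for rest in entries:
        if rest.startswith("<= "):
            fields = rest[3:].split()
            info = {"sender": fields[0]}
            for field in fields[1:]:
                key, sep, value = field.partition("=")
                if sep and key in ("U", "P", "H", "R"):
                    info[key] = value
            return info
    return None  # arrival not in this extract: the gap that exigrep -l fills

def summarize(log_text):
    """Per message ID: origin from the '<=' entry and counts of => and ** outcomes."""
    report = {}
    for msg_id, entries in group_by_message(log_text).items():
        origin = arrival_info(entries)
        report[msg_id] = {
            "origin": origin,
            "local_submission": bool(origin and origin.get("P") == "local"),
            "delivered": sum(e.startswith("=> ") for e in entries),
            "failed": sum(e.startswith("** ") for e in entries),
        }
    return report
```

A message whose origin comes back as None is one to chase with exigrep over the full log set, since the extract being examined does not contain its arrival record.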
--
## List details at
http://www.exim.org/mailman/listinfo/exim-users
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://www.exim.org/eximwiki/
This message has been scanned for content and viruses by the
DIT Information Services MailScanner Service
and is believed to be clean.
http://www.dit.ie