On 19 Oct 2006, at 17:00, B. Cook wrote:
> Hello,
>
> I've started seeing a lot of this, and I'm not sure why they are being
> terminated at the helo/ehlo check as I try and do everything at
> rcpt time..
>
> the 84.174.86.75 host is listed in spamhaus (xbl-sbl) and would get
> caught in a different part of the config and be denied by that.. but
> instead b/c they are being dropped at helo, they have to get caught in
> the ratelimit checks and denied that way.. (if that makes sense..) how
> can I allow them to continue on in their conversation, as to find out
> who they are trying to come from or send to and then disconnect them.
> Again if that makes sense..
>
> I guess what I'm looking for is if I have acl_check_helo to accept, why
> did it get denied?
> exim -bP | grep helo
> acl_smtp_helo = acl_check_helo
> helo_accept_junk_hosts =
helo_accept_junk_hosts=84.174.86.75
Should do the trick. But I must say I don't really understand why you
want to, better just block the IP at connect.
<see below>
> helo_allow_chars =
> helo_lookup_domains = @ : @[]
> helo_try_verify_hosts =
> helo_verify_hosts =
>
> 2006-10-19 09:41:08 SMTP connection from [84.174.86.75]:4226 I=[1.2.3.4]:25 (TCP/IP connection count = 14)
> 2006-10-19 09:41:09 rejected EHLO from [84.174.86.75]:4226 I=[1.2.3.4]:25: syntactically invalid argument(s): |http://mail.oldartero.com:8888/cgi-bin/put
WARNING!!
This is not just a URL as Nigel points out.
Look, it is a pipe and a URL to a cgi script. This is clearly an
attempt to break something and gain some sort of unauthorised access.
I am not saying that exim is vulnerable to this kind of attack, but
it looks like an attack so I would strongly discourage you from letting
it any further into your system. AND I would recommend that you
block that IP at connect or even better on the firewall.
> 2006-10-19 09:41:10 rejected HELO from [84.174.86.75]:4226 I=[1.2.3.4]:25: syntactically invalid argument(s): |http://mail.oldartero.com:8888/cgi-bin/put
> 2006-10-19 09:41:10 SMTP call from [84.174.86.75]:4226 I=[1.2.3.4]:25 dropped: too many syntax or protocol errors (last command was "HELO |http://mail.oldartero.com:8888/cgi-bin/put")
>
> ###
> ### START ACL HELO ###
> ###
> acl_check_helo:
> accept
>
> ###
> ### START ACL RCPT
> ###
> acl_check_rcpt:
>
> ...
>
> # helo check
> drop message = sorry, that helo looks like an ip address $sender_helo_name
> condition = ${if isip {$sender_helo_name}{true}{false}}
> log_message = IP HELO
>
> drop message = sorry, that helo looks forged $sender_helo_name
> condition = ${lookup {${lc:$sender_helo_name}}
> cdb{EXIM_DIR/cdb/forged_helos.cdb}{yes} \
> {${lookup {${lc:$sender_helo_name}}
> cdb{EXIM_DIR/cdb/rcpthosts.cdb}{yes}{no}}}}
> log_message = Forged HELO
> # end helo checks
>
> I would also be ok with "don't worry about it, it's fine.."
> :)
>
> Thanks in advance..
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
>
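The thread turns on two things: Exim's built-in HELO/EHLO syntax check runs before any ACL (so `acl_check_helo: accept` never sees the command), and the rejected argument `|http://...` is neither a hostname nor an address literal. The following is an added example, not code from the thread or from Exim itself. It implements an RFC 5321-shaped HELO argument check (an approximation of what the syntax check enforces, not Exim's own code), parses `rejected EHLO/HELO ... syntactically invalid argument(s)` mainlog lines like the ones quoted above, and lists client IPs that repeatedly send invalid HELOs so they can be blocked at connect or on the firewall, as the reply recommends. The sample log is constructed from the quoted lines plus one ordinary connection from a documentation address (192.0.2.10); the function names are my own.

```python
import re
from collections import Counter

# Constructed sample of Exim mainlog lines, rebuilt from the ones quoted in the
# thread (client 84.174.86.75 and its HELO argument), plus one benign connection
# from a documentation address so the filter has something to ignore.
SAMPLE_LOG = """\
2006-10-19 09:41:08 SMTP connection from [84.174.86.75]:4226 I=[1.2.3.4]:25 (TCP/IP connection count = 14)
2006-10-19 09:41:09 rejected EHLO from [84.174.86.75]:4226 I=[1.2.3.4]:25: syntactically invalid argument(s): |http://mail.oldartero.com:8888/cgi-bin/put
2006-10-19 09:41:10 rejected HELO from [84.174.86.75]:4226 I=[1.2.3.4]:25: syntactically invalid argument(s): |http://mail.oldartero.com:8888/cgi-bin/put
2006-10-19 09:41:10 SMTP call from [84.174.86.75]:4226 I=[1.2.3.4]:25 dropped: too many syntax or protocol errors (last command was "HELO |http://mail.oldartero.com:8888/cgi-bin/put")
2006-10-19 09:42:00 SMTP connection from [192.0.2.10]:51000 I=[1.2.3.4]:25 (TCP/IP connection count = 3)
"""

# RFC 5321: a HELO/EHLO argument is a Domain (dot-separated LDH labels that
# neither start nor end with a hyphen) or an address literal in brackets.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")
IPV4_LITERAL_RE = re.compile(r"^\[(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\]$")
IPV6_LITERAL_RE = re.compile(r"^\[IPv6:[0-9A-Fa-f:.]+\]$")

# One Exim "rejected EHLO/HELO" line; the trailing group is the raw argument.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rejected (?P<verb>EHLO|HELO) from \[(?P<ip>[^\]]+)\]:\d+ "
    r"I=\[[^\]]+\]:\d+: syntactically invalid argument\(s\): (?P<arg>.*)$"
)


def helo_argument_is_valid(arg: str) -> bool:
    """Approximate the pre-ACL HELO syntax check: domain or address literal only.

    Characters such as '|', ':' or '/' fail here, which is why the quoted
    EHLO never reached acl_check_helo in the first place.
    """
    if not arg or any(c.isspace() for c in arg):
        return False
    m = IPV4_LITERAL_RE.match(arg)
    if m:
        return all(0 <= int(octet) <= 255 for octet in m.groups())
    if IPV6_LITERAL_RE.match(arg):
        return True
    return bool(DOMAIN_RE.match(arg))


def invalid_helo_events(log_text: str) -> list:
    """Extract (ip, verb, argument) from rejected-HELO lines and flag what
    the argument looks like, so an analyst sees a pipe-plus-URL at a glance."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        arg = m["arg"]
        events.append({
            "ts": m["ts"],
            "ip": m["ip"],
            "verb": m["verb"],
            "arg": arg,
            "valid_helo": helo_argument_is_valid(arg),
            "looks_like_pipe": arg.startswith("|"),
            "looks_like_url": "://" in arg,
        })
    return events


def hosts_to_block(log_text: str, threshold: int = 2) -> list:
    """Client IPs with at least `threshold` syntactically invalid HELOs:
    candidates for a connect-time deny or a firewall rule."""
    counts = Counter(e["ip"] for e in invalid_helo_events(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for e in invalid_helo_events(SAMPLE_LOG):
        print(f"{e['ts']} {e['ip']} {e['verb']} arg={e['arg']!r} "
              f"pipe={e['looks_like_pipe']} url={e['looks_like_url']}")
    print("block at connect:", hosts_to_block(SAMPLE_LOG))
```

The validator is deliberately strict (no `helo_allow_chars` extension); if a legitimate sender's HELO trips it, that is exactly the case the main option exists for, and it is a far smaller list than `helo_accept_junk_hosts` set to whatever happens to be probing today.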