Re: [exim] my IP blacklisted at CBL issues with HELO'ing

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Markus Hardiyanto
Date:  
À: Graeme Fowler, exim-users
Sujet: Re: [exim] my IP blacklisted at CBL issues with HELO'ing
i found this on EXIM log after implementing the HELO'ing ACL:

2007-01-20 11:30:50 H=localhost (keris.revti.net) [127.0.0.1] F=<mailman-bounces@???> rejected RCPT <lindseymthg@???>: "REJECTED - Bad
HELO - Host impersonating [keris.revti.net]"
2007-01-20 11:30:50 H=localhost (keris.revti.net) [127.0.0.1] F=<mailman-bounces@???> rejected RCPT <root@???>: "REJECTED - Bad HELO
- Host impersonating [keris.revti.net]"
2007-01-20 11:30:50 H=localhost (keris.revti.net) [127.0.0.1] F=<mailman-bounces@???> rejected RCPT <sudramaspoy@???>: "REJECTED - Ba
d HELO - Host impersonating [keris.revti.net]"
2007-01-20 11:30:50 H=localhost (keris.revti.net) [127.0.0.1] F=<mailman-bounces@???> rejected RCPT <root@???>: "REJECTED - Bad HELO
- Host impersonating [keris.revti.net]"
2007-01-20 11:30:50 H=localhost (keris.revti.net) [127.0.0.1] F=<mailman-bounces@???> rejected RCPT <kvlrrs@???>: "REJECTED - Bad
HELO - Host impersonating [keris.revti.net]"

it seems that it came from mailman. how to fix this?

Best Regards,
Markus

----- Original Message ----
From: Graeme Fowler <graeme@???>
To: exim-users <exim-users@???>
Sent: Friday, January 19, 2007 8:23:28 PM
Subject: Re: [exim] my IP blacklisted at CBL issues with HELO'ing

On 19/01/2007 12:48, Markus Hardiyanto wrote:
> no, it's not a gateway. it's a web host server.


The IP you provided was delisted on Wednesday morning, then relisted
yesterday afternoon.

Sounds like time to analyse your Exim logs, doesn't it?

eximstats < /var/log/exim/main.log (or whatever the path to your main
logfile is) will give you a good bit of detail; you should be able to
determine from there which local user is producing the mail.

As it's a hosting server, I'd guess that you either allow
unauthenticated relaying of MAIL FROM: some_valid_address@hosted_domain,
or authenticated relaying of anything. If the former, stop it as it's
easily abused. If the latter, you should be able to work out which
domain or user is doing the authentication before relaying.

If it's user forwarding, that should also be fairly obvious.

Have a go at it. You'll probably work it out straight away.

Graeme

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/




Send instant messages to your online friends http://uk.messenger.yahoo.com