Re: [exim] A riddle: What HELO/EHLO does remote host send?

Author: Exim users mailing list
Date:  
To: Peter Bowyer
CC: Exim users mailing list
Subject: Re: [exim] A riddle: What HELO/EHLO does remote host send?
On Fri, Feb 02, 2007 at 12:45:51PM +0000, Peter Bowyer wrote:
> On 02/02/07, Alexander Shikoff <minotaur@???> wrote:
> > Hello,
> >
> > To discover some strange issue I've put some additional logging into HELO
> > and RCPT ACLs:
> >
> > acl_check_helo:
> >        deny
> >                # reject IP-addresses IN HELO/EHLO
> >                message = Bad HELO/EHLO
> >                condition = ${lookup{$sender_helo_name}nwildlsearch{BL_BAD_HELO}{yes}{no}}
> >
> > acl_check_rcpt:
> >        warn
> >                logwrite = ---$sender_host_address/$sender_helo_name---
> >        [...]
> >
> > After that I got in log:
> >
> > Feb 2 14:31:59 crow exim[39322]: 2007-02-02 14:31:59 H=(201.250.198.147) [201.250.198.147] rejected EHLO or HELO 201.250.198.147: Bad HELO/EHLO
> > Feb 2 14:32:01 crow exim[39322]: 2007-02-02 14:32:01 ---201.250.198.147/---
> > Feb 2 14:32:05 crow exim[39322]: 2007-02-02 14:32:05 H=[201.250.198.147] F=<bjoern.wunderlich@???> rejected RCPT <info@???>: 201.250.198.147 listed by list.dsbl.org
> >
> > Now a riddle: what HELO did remote host send?!
> > Any suggestions?
>
> It sent 201.250.194.147.
>
> Since your HELO ACL rejected the HELO, and the client didn't send
> another one, $sender_helo_name is subsequently blank. A rejection of
> the HELO simply causes the transaction to continue as though no HELO
> had been received.
>
> HELO rejection is generally better done at RCPT time, for this reason
> amongst others.


Thanks a lot! I've understood: some spammers ignore the 550 code at the HELO stage.
I've made an additional check in the RCPT ACL.

-- 
Kind Regards,    Alexander Shikoff
minotaur@???
Mob.: +380 67 946 31 49
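
Added example, not part of the original thread: a small Python script that correlates the log lines quoted above to flag connections that carried on after a rejected HELO/EHLO, and shows the empty `$sender_helo_name` seen at RCPT time. The function name and regexes are hypothetical; it assumes the syslog-prefixed log format shown in the thread, the `logwrite` marker format from the quoted ACL, and that one exim PID corresponds to one SMTP connection.

```python
import re

# Log lines as quoted in the thread (redacted addresses left as "???").
SAMPLE_LOG = """\
Feb 2 14:31:59 crow exim[39322]: 2007-02-02 14:31:59 H=(201.250.198.147) [201.250.198.147] rejected EHLO or HELO 201.250.198.147: Bad HELO/EHLO
Feb 2 14:32:01 crow exim[39322]: 2007-02-02 14:32:01 ---201.250.198.147/---
Feb 2 14:32:05 crow exim[39322]: 2007-02-02 14:32:05 H=[201.250.198.147] F=<bjoern.wunderlich@???> rejected RCPT <info@???>: 201.250.198.147 listed by list.dsbl.org
"""

# Assumption: syslog prefix carrying the exim PID, then exim's own timestamp.
LINE_RE = re.compile(r"exim\[(?P<pid>\d+)\]: (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msg>.*)$")
HELO_REJ_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\] rejected EHLO or HELO (?P<helo>\S*): ")
# Marker written by the quoted ACL: ---$sender_host_address/$sender_helo_name---
PROBE_RE = re.compile(r"---(?P<ip>[^/]+)/(?P<helo>.*)---")

def find_helo_ignorers(log_text):
    """List later RCPT-stage events on connections whose HELO/EHLO was rejected."""
    rejected = {}   # pid -> (client ip, HELO argument that was rejected)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, ts, msg = m["pid"], m["ts"], m["msg"]
        helo = HELO_REJ_RE.search(msg)
        if helo:
            rejected[pid] = (helo["ip"], helo["helo"])
            continue
        if pid not in rejected:
            continue
        ip, rejected_helo = rejected[pid]
        probe = PROBE_RE.fullmatch(msg)
        if probe and probe["ip"] == ip:
            # helo_seen is what $sender_helo_name expanded to in the RCPT ACL
            stage, helo_seen = "rcpt-acl-logwrite", probe["helo"]
        elif f"[{ip}]" in msg and " RCPT " in msg:
            stage, helo_seen = "rcpt-logged", None
        else:
            continue
        findings.append({"ts": ts, "pid": pid, "ip": ip, "stage": stage,
                         "rejected_helo": rejected_helo, "helo_seen": helo_seen})
    return findings

if __name__ == "__main__":
    for finding in find_helo_ignorers(SAMPLE_LOG):
        print(finding)
```
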