Re: [exim] Interesting log entry

Author: Mike Cardwell
Date:
To: exim users
Subject: Re: [exim] Interesting log entry
Jeroen van Aart wrote:
> Hello,
>
> I noticed this log entry, which I have not seen before:
>
> 2007-08-23 11:17:49 SMTP protocol synchronization error (next input sent
> too soon: pipelining was not advertised): rejected "Subject:¡erelay
> ok¡f66.252.xxx.xxx" H=219-84-61-136-adsl-tpe.dynamic.so-net.net.tw
> [219.84.61.136] next input="MIME-Version: 1.0\r\nContent-Type:
> text/html;charset="big5"\r\nContent-Transfer-Encoding:7bit\r\n\263o\253\312\253H
> relay from : 66.252.xxx.xxx\r\n.\r\n"
>
> The 66.252 IP address is the IP address of our email server. This seems
> to me like some attempt to exploit some vulnerability (looking at the
> subject). But I don't expect exim to have problems with it.
>
> Anyone know what it means and has seen something similar before? I am
> just curious, not really concerned.


The sending server didn't wait for your 354 response after they sent
"DATA", before they started sending the message content. Your log entry
just shows the first part of the headers because that's what tripped the
synchronisation error.

Nothing nefarious. Just another idiot spam tool. It never ceases to
amaze me how people can't get SMTP right. It's such a simple protocol ;)

Mike
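
A triage sketch for the kind of log entry discussed in this thread, added here as an example; it is not part of either post and not Exim code. The function names are hypothetical, the first sample line is the entry quoted above rejoined onto one line, and the other sample lines are constructed.

```python
import re
from collections import Counter

# Fields after "rejected" and inside input="..." are client-supplied text:
# treat them as untrusted data, never as something to act on.
SYNC_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) '
    r'SMTP protocol synchronization error \((?P<reason>[^)]*)\): '
    r'rejected (?P<rejected>.*?) H=(?:(?P<host>\S+) )?\[(?P<ip>[0-9A-Fa-f.:]+)\]'
)
# A header field name ("Subject:") where Exim expected an SMTP verb.
HEADER_RE = re.compile(r'^"[A-Za-z][A-Za-z0-9-]*:')

SAMPLE_LOG = [
    # The entry from the thread, rejoined onto one line.
    r'2007-08-23 11:17:49 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "Subject:¡erelay ok¡f66.252.xxx.xxx" H=219-84-61-136-adsl-tpe.dynamic.so-net.net.tw [219.84.61.136] next input="MIME-Version: 1.0\r\nContent-Type: text/html;charset="big5"\r\nContent-Transfer-Encoding:7bit\r\n\263o\253\312\253H relay from : 66.252.xxx.xxx\r\n.\r\n"',
    # Constructed lines (documentation addresses) for the test below.
    r'2007-08-23 11:18:02 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "MAIL FROM:<a@example.org>" H=[192.0.2.10] next input="RCPT TO:<b@example.net>\r\n"',
    r'2007-08-23 11:19:40 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[192.0.2.10] input="HELO example.org\r\n"',
    r'2007-08-23 11:20:00 1IOxyz-0001Ab-2C <= user@example.org H=mail.example.org [192.0.2.20] P=esmtp S=1234',
]

def parse_sync_error(line):
    """Return the fields of a synchronization-error line, or None."""
    m = SYNC_RE.match(line)
    return m.groupdict() if m else None

def content_sent_as_command(entry):
    """True when the rejected text is a message header, i.e. the client was
    already sending message content when the server expected a command."""
    return bool(HEADER_RE.match(entry["rejected"]))

def offenders(lines):
    """Count synchronization errors per client IP."""
    return Counter(e["ip"] for e in map(parse_sync_error, lines) if e)

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).most_common():
        print(ip, n)
```

Run against a real main log, the per-IP counts show whether a client trips the check once or repeatedly.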