[exim] sender_host_name contains invalid host names whenforw…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Colin Keith
Dátum:  
Címzett: exim-users
Tárgy: [exim] sender_host_name contains invalid host names whenforward-reverse-IP lookups fail

Hi,

I want to start by saying that I don't know if this is an exim issue or a
BIND issue. It would seem as though it is a BIND issue because its about
DNS but I'm curious if anyone else has seen this.

I get a connection from the following IP. As part of the ACL's I do a
hostname look up to resolve the hostname so I can check it for good stuff
like "ppp-", "dsl-" etc. to determine if its a home user IP since this is
where we get the vast majority of our spam and about one complaint of a
false positive every 6 months. My log files show a connection from this one
IP address just after the logs were rotated:


sid# grep '124\.120\.136\.153' /var/log/exim_main.log.2 |less
2009-02-08 04:02:51 H=ppp-124-120-136-153.revip2.asianet.co.th
[124.120.136.153] rejected connection in "connect" ACL: R=Too many spam
bots on ISP network [124.120.136.153]
2009-02-08 04:03:25 H=ppp-124-120-136-153.revip2.asianet.co.th
[124.120.136.153] rejected connection in "connect" ACL: R=Too many spam
bots on ISP network [124.120.136.153]


Fair enough. The problem is that from then on until exim is next restarted
24 hours later (log rotation) it keeps thinking that this is the host name
for all sorts of IP addresses. This is *really* bad since we reject based
on this host name.


sid# grep ppp-124-120-136-153.revip2.asianet.co.th /var/log/exim_main.log.2
|wc -l
1113

sid# grep ppp-124-120-136-153.revip2.asianet.co.th /var/log/exim_main.log.2
|tail -5
2009-02-09 03:57:24 no IP address found for host (during SMTP connection
from ppp-124-120-136-153.revip2.asianet.co.th [195.27.217.250])
2009-02-09 03:59:54 no IP address found for host 82.112.158.88.radiocom.ro
(during SMTP connection from ppp-124-120-136-153.revip2.asianet.co.th
[88.158.112.82])
2009-02-09 04:00:32 no IP address found for host 82.112.158.88.radiocom.ro
(during SMTP connection from ppp-124-120-136-153.revip2.asianet.co.th
[88.158.112.82])
2009-02-09 04:00:43 H=ppp-124-120-136-153.revip2.asianet.co.th
[64.191.115.233] rejected connection in "connect" ACL: R=Too many spam bots
on ISP network [64.191.115.233]
2009-02-09 04:00:46 no IP address found for host
63.245.8.249.cstmr.multidatahn.net (during SMTP connection from
ppp-124-120-136-153.revip2.asianet.co.th [63.245.8.249])


As you can see this hostname appeared in the exim log files only 1113 times
in that 24 hour period. The strangest thing about it is, as you can see
from the middle two entries here the host name still resolves correctly:

2009-02-09 03:59:54 no IP address found for host 82.112.158.88.radiocom.ro
(during SMTP connection from ppp-124-120-136-153.revip2.asianet.co.th
[88.158.112.82])

It appears to affect hosts which do not fully resolve. That is either the
IP doesn't have a PTR record or that the host name from that PTR then
doesn't resolve to an IP address.

It doesn't appear as though this is a BIND issue as I'm running BIND with a
simple config as a caching server only. And of course the fact that the
problem goes away when exim is restarted after the log rotation at the end
of the day.


I'm running the exim 4.69 (-bV below) But I do remember a problem with
this coming up in the past on older versions of exim 4.6X (if not older
versions still). I can't locate any staff e-mails on this issue, but there
is something oddly familiar about this domain name having been the issue
in the previous instances of this problem too.

I can't for the life of me work out how this is happening. It seems as
though the connection is the source of the problems but a simple
"exim -bh 124.120.136.153" doesn't trigger the same results.


Can anyone shed any light on why IP's which are not full resolvable would
end up with the $sender_host_name variable containing a past lookup?

It seems like it must be this variable since this incorrect host name is
used in the "no IP address found for host" message which comes from exim
itself and not a user definable ACL. According to the changelog for 4.61
PH/27 this message used to log the IP as "NULL" but now logs it as the
IP instead. Is this a possible problem area?

Looking at smtp_get_connection_info() in src/smtp_in.c:758 it uses a
variable sender_host_address. If I'm reading src/expand.c:540 correctly
then $sender_host_address uses this same sender_host_address variable.
However since I have many other connections during this 24 hour period
for which the lookups resolve without problem I'm hard pressed so say that
there's anything to this. I have updated the logging for my ACL to use the
variables

SF=$sender_full_address SH=$sender_host_name SI=$sender_host_address

In the hope that if it happens again maybe I'll be able to see if
sender_host_address contains the wrong value and go from there.

Any help is appreciated.

Regards,
Colin.


sid# exim -bV
Exim version 4.69 #1 built 25-Jan-2009 00:30:03
Copyright (c) University of Cambridge 2006
Berkeley DB: Sleepycat Software: Berkeley DB 4.4.20: (January 10, 2006)
Support for: iconv() Perl move_frozen_messages Content_Scanning
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb
Authenticators:
Routers: accept dnslookup manualroute redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /usr/exim/configure



--
Then graphics games came along and the computer using portion of the human race
forgot all about 500,000 years of language evolution and went straight back to
the electronic equivalent of banging rocks together - the point'n'click game
- http://www.douglasadams.com/creations/infocomjava.html