On Sat, 2009-09-26 at 23:12 +0200, Heiko Schlittermann wrote:
> Hello John,
>
> John Horne <john.horne@???> (Sa 26 Sep 2009 22:39:37 CEST):
> > Hello,
> >
> > Received this a couple of times in our mailhub logs today:
> >
> > 2009-09-26 04:00:10 1MrNW6-0006xp-K0 failed to
> > open //your.greetingwiz.com/E-Greetings.exe"@saturne.pearl-online.com
> > when checking
> > ""google.comhttp://your.greetingwiz.com/E-Greetings.exe"@saturne.pearl-online.com":
> > No such file or directory
>
> Do you try to open some files (for lookups/searches) based on
> $local_part, $domain, $sender_address* in your ACL checks?
>
No. We do file lookups, but the file that is looked up is not based on
any part of the address (local part, domain etc).
Given that the log message says 'open //your' without the 'http:' part,
I am assuming that it is failing during some 'match' which is using
expecting a colon-separated list. So it is seeing 'google.comhttp' and
then '//your.greeting...' as a different item.
> > Look's like exim is trying to 'open' the local part? There is nothing in
> > the mail queue, nor any other reference to the exim message id in the
> > logs. The dumped SpamAssassin scanned file shows (part of) the headers:
> >
> > Date: Sat, 26 Sep 2009 05:00:07 +0200
> > Message-Id: <200909260300.n8Q307v4009869@???>
> > From:
> > "google.comhttp://your.greetingwiz.com/E-Greetings.exe"@saturne.pearl-online.com
> > To: ...
> > Subject: Hey, you have a new Greeting !!!
> > Content-Type: text/html
>
> This does not have to be the RCPT/MAIL addresses that where used.
>
Correct. This address (
http://...) only appears in the From: header
field. The dumped eml file shows:
X-Envelope-From: <postgres@???>
John.
--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
