Mark Nipper wrote:
> On 24 Feb 2011, Phil Pennock wrote:
>> On 2011-02-23 at 17:45 -0800, WJCarpenter wrote:
>>> 250-my.server.name Hello his.dynamic.address.bellsouth.net [111.222.333.444]
>>> 250-SIZE 52428800
>>> 250-PIPELINING
>>> 250-AUTH PLAIN LOGIN
>>> 250-HELP
>>> 250 STARTTLS
>>
>> This has been tampered with by an intermediary.
>>
>> In Exim, the "HELP" EHLO keyword is always last.
>
> Antivirus software on the user's box possibly?
>
I recall seeing a config that pointed to a virtual POP that was indeed ON the
Luser's box. Symantec's Norton AV IIRC.
I don't recall the same being used for outbound SMTP submission, at that time.
So 'maybe'.
Suggest doing a telnet into that Luser's ISP, same port, to see if the same
pattern is advertised...
CAVEAT: No guarantee that whatever critter serves the ports from WITHIN the
ring-fenced backside IP pool is the same animal as talks to the 'outside' /
public-facing world. But a match to the above probably rules out on-workstation
AV as the perp.
Bill
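Added example (not from this thread, and not Exim's own code) of the comparison suggested above: fetch the EHLO reply from a given host and port, pull out the advertised keywords, apply the heuristic from Phil's reply (Exim emits HELP as the last EHLO keyword, so anything after it points at an intermediary rewriting the reply), and diff two keyword lists so the reply seen from the user's workstation can be set against the one seen from a telnet into the ISP. The sample reply embedded below is constructed from the one quoted in the thread; the port 587 default, the HELO name `probe.example.invalid` and the hostnames in the comments are assumptions for illustration.

```python
# Added example: probe an SMTP server's EHLO reply and check its shape, to
# spot an intermediary (e.g. a desktop AV proxy) that rewrites the banner.
# Not Exim's code; the sample reply below is constructed from the thread.
from __future__ import annotations

import socket
import sys
from typing import Iterator

# Constructed sample: the EHLO reply as quoted in the thread (HELP not last).
TAMPERED_REPLY = (
    "250-my.server.name Hello his.dynamic.address.bellsouth.net [111.222.333.444]\r\n"
    "250-SIZE 52428800\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250-HELP\r\n"
    "250 STARTTLS\r\n"
)


def read_reply(lines: Iterator[str]) -> list[str]:
    """Collect one SMTP reply: 'NNN-text' lines continue it, 'NNN text' ends it."""
    reply: list[str] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        reply.append(line)
        if len(line) == 3 or line[3] == " ":
            return reply
    raise ValueError("connection closed in the middle of a reply")


def ehlo_keywords(reply: list[str]) -> list[str]:
    """EHLO keywords in the order advertised; the first 250 line is the greeting."""
    if not reply or not reply[0].startswith("250"):
        raise ValueError(f"EHLO was not accepted: {reply[:1]}")
    # Each extension line is '250-KEYWORD [params]' or '250 KEYWORD [params]'.
    return [line[4:].split(" ", 1)[0] for line in reply[1:]]


def exim_help_is_last(keywords: list[str]) -> bool:
    """Heuristic from the thread: Exim always emits HELP last. If it is not,
    something between client and server has rewritten the reply."""
    return bool(keywords) and keywords[-1] == "HELP"


def diff_keywords(seen: list[str], reference: list[str]) -> dict:
    """Compare the keywords one vantage point saw against another's."""
    return {
        "missing": [k for k in reference if k not in seen],
        "added": [k for k in seen if k not in reference],
        "reordered": seen != reference and sorted(seen) == sorted(reference),
    }


def fetch_ehlo(host: str, port: int = 587,
               helo_name: str = "probe.example.invalid",
               timeout: float = 10.0) -> list[str]:
    """Network probe (plaintext only, before any STARTTLS): connect, read the
    greeting, send EHLO, return the reply lines, then QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as f:
            lines = (raw.decode("ascii", "replace") for raw in f)
            read_reply(lines)  # 220 greeting; discarded
            sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
            reply = read_reply(lines)
            sock.sendall(b"QUIT\r\n")
            return reply


if __name__ == "__main__":
    # Usage: python probe.py <host> [port]  (e.g. the ISP's submission host)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
    seen = ehlo_keywords(fetch_ehlo(host, port))
    sample = ehlo_keywords(read_reply(iter(TAMPERED_REPLY.splitlines(True))))
    print("advertised:", seen)
    print("HELP last (Exim shape):", exim_help_is_last(seen))
    print("vs. workstation sample:", diff_keywords(sample, seen))
```

Run it once from the workstation that showed the odd banner and once from a host outside the user's LAN (or, as suggested above, into the ISP's own submission port) and compare the two keyword lists; the same reordering from both places argues against on-workstation AV, per the caveat above about the ISP's inside and outside listeners not necessarily being the same daemon.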