Re: [exim] the great TLS mystery

Góra strony
Delete this message
Reply to this message
Autor: W B Hacker
Data:  
Dla: exim users
Temat: Re: [exim] the great TLS mystery
Mark Nipper wrote:
> On 24 Feb 2011, Phil Pennock wrote:
>> On 2011-02-23 at 17:45 -0800, WJCarpenter wrote:
>>> 250-my.server.name Hello his.dynamic.address.bellsouth.net [111.222.333.444]
>>> 250-SIZE 52428800
>>> 250-PIPELINING
>>> 250-AUTH PLAIN LOGIN
>>> 250-HELP
>>> 250 STARTTLS
>>
>> This has been tampered with by an intermediary.
>>
>> In Exim, the "HELP" EHLO keyword is always last.
>
>     Antivirus software the user's box possibly?

>


I recall seeing a config that pointed to a virtual POP that was indeed ON the
Luser's box. Symantec's Norton AV IIRC.

I don't recall the same being used for outbound smtp submission. At that time.

So 'maybe'.

Suggest doing a telnet into that Luser's ISP, same port, to see if the same
pattern is advertised...

CAVEAT: No guarantee that whatever critter serves the ports from WITHIN the
ring-fenced backside IP pool is the same animal as talks to the 'outside' /
public-facing world. But a match to the above probably rules out on-workstation
AV as the perp.

Bill