Author: Bill Hayles Date: To: exim-users Subject: Re: [exim] Forbidding e-mail coming from bogus address
Hi, Bill,
On Sat, 09 Apr 2011 12:39:47 +0000 in message number <4DA05393.4090007@???>, received here on 09/04/2011 15:38:28, W B Hacker <wbh@???> said:
> Bill Hayles wrote:
> > Hi, fellow Bill,
>
> Greets..
>
> ;-)
>
> *snip*
>
> >> will eventually show up.. see below in re rDNS.
> >
> > OK, not strictly Exim related, but one of my hobbyhorses. If you do
> > that, you block a lot of legitimate servers (including mine!).
>
> Not so! I AM running Exim rDNS check, and did NOT block your direct OFF
> tahini response.
>
> You(r server) passed the rDNS check for the IP from whence you
> connected: craybox.com .....on 80.35.22.107.
>
> From *manual* inspection with 'host' and 'dig', one could argue that
> you should NOT have passed...
Interesting, and thanks for the test. It could be said that I should use
the rDNS result as my primary_hostname, but I don't really want to do that.
> .... but Exim's rDNS checking is very 'wise' w/r not rejecting unless it
> has to..
Fair enough. You know much more about this than me.
>
>> Also, this approach does not catch spam mail from infected computers
>> (of which I get plenty).
>
> Oh, but it DOES! Near-as-dammit 100% of it.
I think you're teaching me something, and there's something I'm not
understanding. Correct me if I'm wrong.
I have a (now former) mailing list subscriber. Let's call them
pest@???. For the last couple of weeks, this address has been
sending me 20 or 30 spam messages per day from 65.54.190.140, which resolves
to hotmail.com. I thought that the easiest way for me to deal with them is
to reject them via a simple deny message.
>
> Wot becomes infected AND NOT noticed or corrected for *long* periods at
> a time are predominantly the ordinary residential or SME user's
> 'Win-desktop'.
That's what I'm dealing with here.
>
> Those are *nearly always* on dynamic IP with no PTR RR, hence no way to
> reverse that IP via a PTR RR to an A or MX record match.
Agreed, but that isn't showing up in the Exim logs. The lines are similar
to
2011-04-02 11:57:37 1Q6gXQ-0003pj-33 <= pest@???
H=(bay0-omc3-s2.bay0.hotmail.com) [65.54.190.140] P=esmtp S=6227
id=BAY146-w3525C2A940475E432B764CA4A30@???
> Those WILL fail Exim's rDNS check. As they should do.
But the example above won't, unless I've misunderstood something.
>
> Easy enough to check.
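The two mechanisms discussed in this thread, a per-address deny and Exim's reverse-DNS check, side by side in one RCPT-time ACL. This is an added illustration, not configuration from either poster; the sender address, the `local_domains` domain list (as in Exim's default configuration) and the ACL name are assumptions. Exim's `verify = reverse_host_lookup` is forward-confirmed: it requires that the PTR name for the connecting IP (or one of its aliases) resolves back to that IP, so a host whose PTR and A records agree passes even when that PTR name differs from what it announces in HELO or uses as `primary_hostname`, and a dynamic IP with no PTR record at all fails. When reading a reception log line, note that Exim prints a looked-up host name, if it obtained one, before the parenthesised HELO name; `H=(name) [ip]` shows only the HELO name.

```exim
# Added example of an Exim RCPT ACL; not either poster's configuration.
# pest@example.com and +local_domains are placeholders/assumptions.
acl_check_rcpt:

  # Reject one abusive envelope sender outright, whatever host it comes from.
  deny    senders   = pest@example.com
          message   = Mail from $sender_address is not accepted here

  # Reject clients whose IP has no PTR record, or whose PTR name does not
  # resolve back to the connecting IP (forward-confirmed reverse DNS).
  # The typical infected residential desktop on a dynamic IP fails here;
  # a host with a consistent PTR/A pair passes even if its PTR name is not
  # the name it uses in HELO.
  deny    message   = Reverse DNS lookup failed for $sender_host_address
          !verify   = reverse_host_lookup

  # Accept mail for our own domains; refuse to relay anything else.
  accept  domains   = +local_domains
  deny    message   = relay not permitted
```

To see what the rDNS condition will do for a given client before enabling the deny, run `exim -bh 65.54.190.140` (or any IP) and walk through a fake SMTP session; Exim prints the ACL decisions it would have taken, including the reverse-lookup verification, without accepting any mail.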