Re: [exim] Forbidding e-mail coming from bogus address

Author: Bill Hayles
Date:  
To: exim-users
Subject: Re: [exim] Forbidding e-mail coming from bogus address
Hi, Bill,

On Sat, 09 Apr 2011 12:39:47 +0000 in message number <4DA05393.4090007@???>, received here on 09/04/2011 15:38:28, W B Hacker <wbh@???> said:

> Bill Hayles wrote:
> > Hi, fellow Bill,
>
> Greets..
>
> ;-)
>
> *snip*
>
> >> will eventually show up.. see below in re rDNS.
> >
> > OK, not strictly Exim related, but one of my hobbyhorses. If you do
> > that, you block a lot of legitimate servers (including mine!).
>
> Not so! I AM running Exim rDNS check, and did NOT block your direct OFF
> tahini response.
>
> You(r server) passed the rDNS check for the IP from whence you
> connected: craybox.com .....on 80.35.22.107.
>
> From *manual* inspection with 'host' and 'dig', one could argue that
> you should NOT have passed...


Interesting, and thanks for the test. It could be said that I should use
the rDNS result as my primary_hostname, but I don't really want to do that.


> .... but Exim's rDNS checking is very 'wise' w/r not rejecting unless it
> has to..


Fair enough. You know much more about this than me.
>
>> Also, this approach does not catch spam mail from infected computers
>> (of which I get plenty).
>
> Oh, but it DOES! Near-as-dammit 100% of it.


I think you're teaching me something, and there's something I'm not
understanding. Correct me if I'm wrong.

I have a (now former) mailing list subscriber. Let's call them
pest@???. For the last couple of weeks, this address has been
sending me 20 or 30 spam messages per day from 65.54.190.140, which resolves
to hotmail.com. I thought that the easiest way for me to deal with them is
to reject them via a simple deny message.

>
> Wot becomes infected AND NOT noticed or corrected for *long* periods at
> a time are predominantly the ordinary residential or SME user's
> 'Win-desktop'.


That's what I'm dealing with here.
>
> Those are *nearly always* on dynamic IP with no PTR RR, hence no way to
> reverse that IP via a PTR RR to an A or MX record match.


Agreed, but that isn't showing up in the Exim logs. The lines are similar
to

2011-04-02 11:57:37 1Q6gXQ-0003pj-33 <= pest@???
H=(bay0-omc3-s2.bay0.hotmail.com) [65.54.190.140] P=esmtp S=6227
id=BAY146-w3525C2A940475E432B764CA4A30@???

> Those WILL fail Exim's rDNS check. As they should do.


But the example above won't, unless I've misunderstood something.
>
> Easy enough to check.


OK, I'll do it. I'll let you know the results.


--
This is Spain. We do things differently here!

Bill Hayles
billnot@???
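The two checks discussed in this exchange, a per-sender deny and Exim's forward-confirmed reverse DNS check (`verify = reverse_host_lookup`, which requires that a PTR name for the connecting IP resolve back to that IP), can be reasoned about offline. The block below is an added example, not Exim's own code or anything posted in the thread: it parses Exim `<=` arrival lines such as the one quoted above and applies the same two rules against a constructed stub resolver. One point worth knowing when reading such lines: in Exim's log format the name in parentheses after `H=` is the HELO name the client announced, and a reverse-DNS name, when Exim has one, is logged before the parentheses. The sender address, the second and third log lines, and all DNS data are constructed for the example (the post redacts the real address); only the IP and HELO of the first line come from the thread.

```python
"""Forward-confirmed rDNS and sender blocking in the style of Exim ACLs.

Added example, not Exim's code.  DNS data and two of the three log lines
are constructed; a real Exim would query DNS instead of the stub tables.
"""
import re

# Exim "<=" (message arrival) line.  The H= field takes one of two forms:
#   H=hostname (helo) [ip]   a reverse-DNS name is known for the host
#   H=(helo) [ip]            no host name known; only the HELO is logged
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=(?:(?P<host>[^\s(\[]+) )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]"
)

# Constructed stub DNS tables (assumption for the example, not live data).
STUB_PTR = {
    "65.54.190.140": ["bay0-omc3-s2.bay0.hotmail.com"],  # PTR that forward-confirms
    "192.0.2.77": [],                                     # dynamic IP, no PTR at all
    "198.51.100.9": ["mail.example.net"],                 # PTR whose A record disagrees
}
STUB_A = {
    "bay0-omc3-s2.bay0.hotmail.com": ["65.54.190.140"],
    "mail.example.net": ["203.0.113.5"],
}

SAMPLE_LOG = [
    # Line from the thread, re-joined; sender and id domain constructed.
    "2011-04-02 11:57:37 1Q6gXQ-0003pj-33 <= pest@example.com "
    "H=(bay0-omc3-s2.bay0.hotmail.com) [65.54.190.140] P=esmtp S=6227 "
    "id=BAY146-w3525C2A940475E432B764CA4A30@example.com",
    # Constructed: infected desktop on a dynamic IP, HELO lies, no PTR.
    "2011-04-02 12:01:02 1Q6gaZ-0003qq-1x <= bob@example.org "
    "H=(mail.hotmail.com) [192.0.2.77] P=esmtp S=4100 id=abc@example.org",
    # Constructed: a PTR exists but its A record does not point back.
    "2011-04-02 12:05:10 1Q6geB-0003rr-2y <= carol@example.net "
    "H=mail.example.net (mail.example.net) [198.51.100.9] P=esmtp S=900 "
    "id=def@example.net",
]


def parse_arrival(line):
    """Return the fields of an Exim arrival line as a dict, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def reverse_host_lookup(ip, ptr=STUB_PTR, a=STUB_A):
    """Forward-confirmed rDNS as Exim's verify = reverse_host_lookup does it:
    succeed only if some PTR name for ip has an A record containing ip."""
    for name in ptr.get(ip, []):
        if ip in a.get(name, []):
            return True, name
    return False, None


def acl_decision(line, blocked_senders=(), resolver=reverse_host_lookup):
    """Mimic a RCPT ACL: deny blocked senders, then deny hosts that fail
    forward-confirmed rDNS, otherwise accept.  Returns (verdict, reason)."""
    rec = parse_arrival(line)
    if rec is None:
        return "error", "unparseable log line"
    sender = rec["sender"].strip("<>").lower()
    if sender in {s.lower() for s in blocked_senders}:
        return "deny", "sender %s is blocked" % sender
    ok, name = resolver(rec["ip"])
    if not ok:
        return "deny", "no forward-confirmed PTR for %s" % rec["ip"]
    return "accept", "rDNS %s confirmed for %s" % (name, rec["ip"])


def run_acl(lines, blocked_senders=()):
    """Apply acl_decision to every line; returns a list of verdicts."""
    return [acl_decision(l, blocked_senders)[0] for l in lines]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        verdict, reason = acl_decision(line, blocked_senders=["pest@example.com"])
        print(verdict, "-", reason)
```

The first (hotmail) line passes the rDNS check because its PTR forward-confirms, so it is only stopped by the sender deny; the two constructed lines fail rDNS, the second for having no PTR at all and the third because the PTR name resolves elsewhere. In Exim itself the equivalent ACL statements are `deny senders = pest@example.com` and `deny !verify = reverse_host_lookup` (the latter with a suitable `message =`), placed in the RCPT ACL.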