[exim] Eximstats fooled by HELO

Author: Michael Deutschmann
Date:  
To: exim-users
Subject: [exim] Eximstats fooled by HELO
I was recently reviewing my mail logs from last month, and found
something odd in the summary produced from Eximstats:

> Top 50 rejected ips by message count
> ------------------------------------
>   Messages   Rejected ip
>        180   [192.168.2.33]
>         24   [114.36.128.171]
>         22   [218.80.250.34]


Taken literally, this would imply a massive failure of both my firewall
and my ISP, as 192.168.2.33 is in the well-known 192.168/16 private use
area. I'm not using that range in my network (I drew from 172.16/12
instead).

Looking closely at the raw logs, I see that there was a lot of open-relay
probing of my server on 2012-12-02 and 2012-12-03, which in fact came
from 37 different real IPs. They just happened to all HELO as
"[192.168.2.33]".

So eximstats has a bug -- it sometimes trusts a HELO over the actual IP
address exim has logged.

---- Michael Deutschmann <michael@???>
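The mix-up described above can be reproduced and checked against your own logs with the following script. It is an added example, not eximstats code or anything from this thread; it assumes Exim's reject log format `H=hostname (helo) [ip]` and uses constructed sample lines with documentation addresses, showing a naive "first bracketed IPv4" extraction beside one that only takes the address following the H= field, plus a grouping of real IPs by HELO string to spot the pattern the post describes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample Exim reject lines (not real log data). The first two
# carry a HELO of "[192.168.2.33]" from two different real peers.
LOG_LINES = [
    "2012-12-02 03:14:07 H=([192.168.2.33]) [203.0.113.5] F=<spam@example.net> "
    "rejected RCPT <victim@example.org>: relay not permitted",
    "2012-12-02 03:15:22 H=([192.168.2.33]) [198.51.100.77] F=<spam@example.net> "
    "rejected RCPT <victim@example.org>: relay not permitted",
    "2012-12-03 11:02:41 H=mail.example.com (smtp.example.com) [203.0.113.9] "
    "F=<a@example.com> rejected RCPT <nobody@example.org>: Unrouteable address",
    "2012-12-03 11:05:00 H=(bogus.example) [203.0.113.5]:4321 F=<x@example.com> "
    "rejected RCPT <nobody@example.org>: relay not permitted",
]

# Naive approach: first bracketed IPv4 literal anywhere in the line.
# A HELO of "[192.168.2.33]" sits inside the H=(...) parens and wins.
NAIVE_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Correct approach: the peer address is the bracketed token that follows
# the H= field, after the optional reverse-DNS name and optional (helo).
# Assumes the HELO string itself contains no ')' character.
REMOTE_IP_RE = re.compile(r"\bH=(?:[^\s(\[]+\s)?(?:\([^)]*\)\s)?\[([^\]]+)\]")
HELO_RE = re.compile(r"\bH=(?:[^\s(\[]+\s)?\(([^)]*)\)")


def naive_rejected_ip(line):
    m = NAIVE_IP_RE.search(line)
    return m.group(1) if m else None


def rejected_ip(line):
    m = REMOTE_IP_RE.search(line)
    return m.group(1) if m else None


def helo_name(line):
    m = HELO_RE.search(line)
    return m.group(1) if m else None


def count_rejected(lines, extract=rejected_ip):
    """Messages per rejected peer IP, using the given extractor."""
    return Counter(ip for ip in (extract(l) for l in lines if " rejected " in l) if ip)


def ips_per_helo(lines):
    """Distinct real peer IPs seen behind each HELO string."""
    seen = defaultdict(set)
    for line in lines:
        if " rejected " in line and helo_name(line) and rejected_ip(line):
            seen[helo_name(line)].add(rejected_ip(line))
    return {helo: sorted(ips) for helo, ips in seen.items()}
```

`count_rejected(LOG_LINES, naive_rejected_ip)` attributes both of the first two lines to 192.168.2.33, while `count_rejected(LOG_LINES)` credits the two real peers; `ips_per_helo` then shows several distinct addresses sharing the one HELO.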