I was recently reviewing my mail logs from last month, and found
something odd in the summary produced from Eximstats:

> Top 50 rejected ips by message count
> ------------------------------------
> Messages Rejected ip
> 180 [192.168.2.33]
> 24 [114.36.128.171]
> 22 [218.80.250.34]

Taken literally, this would imply a massive failure of both my firewall
and my ISP, as 192.168.2.33 is in the well-known 192.168/16 private use
area. I'm not using that range in my network (I drew from 172.16/12
instead).

Looking closely at the raw logs, I see that there was a lot of open-relay
probing of my server on 2012-12-02 and 2012-12-03, which in fact came
from 37 different real IPs. They just happened to all HELO as
"[192.168.2.33]".

So eximstats has a bug -- it sometimes trusts a HELO over the actual IP
address exim has logged.

---- Michael Deutschmann <michael@???>
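
The misattribution reported above can be reproduced on a few log lines. This is an added example, not part of the original message and not eximstats code: the log lines are constructed in Exim main-log style with documentation-range addresses, and the "first bracketed token" pattern is an assumed stand-in for a parser that produces this symptom.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the poster's logs). Only the HELO
# literal [192.168.2.33] comes from the message; peer IPs are placeholders.
SAMPLE_LOG = """\
2012-12-02 03:14:15 H=([192.168.2.33]) [203.0.113.7] F=<a@example.com> rejected RCPT <b@example.net>: relay not permitted
2012-12-02 03:20:41 H=([192.168.2.33]) [198.51.100.23] F=<a@example.com> rejected RCPT <b@example.net>: relay not permitted
2012-12-03 11:02:09 H=([192.168.2.33]) [203.0.113.7] F=<a@example.com> rejected RCPT <c@example.net>: relay not permitted
2012-12-03 12:30:00 H=mail.example.org (helo.example.org) [192.0.2.10] F=<d@example.org> rejected RCPT <e@example.net>: relay not permitted
"""

# Assumed naive pattern: the first [...] token anywhere on the line.
NAIVE = re.compile(r"\[([^\]]+)\]")
# Exim writes H=[hostname ][(HELO) ][ip]; the bracketed address that
# follows the optional parenthesised HELO is the connecting peer.
HOST = re.compile(
    r"H=(?:(?P<host>[^\s()]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\]"
)

def count_naive(log):
    """Count rejections keyed on the first [...] token (shows the symptom)."""
    counts = Counter()
    for line in log.splitlines():
        m = NAIVE.search(line)
        if m and " rejected " in line:
            counts[m.group(1)] += 1
    return counts

def count_by_peer(log):
    """Count rejections by connecting IP and map each HELO to its peers."""
    counts, helo_peers = Counter(), defaultdict(set)
    for line in log.splitlines():
        m = HOST.search(line)
        if m and " rejected " in line:
            counts[m.group("ip")] += 1
            if m.group("helo"):
                helo_peers[m.group("helo")].add(m.group("ip"))
    return counts, helo_peers

if __name__ == "__main__":
    print("naive:", dict(count_naive(SAMPLE_LOG)))
    peers, helo_peers = count_by_peer(SAMPLE_LOG)
    print("by peer:", dict(peers))
    for helo, ips in helo_peers.items():
        print(f"HELO {helo} used by {len(ips)} distinct peer(s)")
```

A single HELO string shared by many distinct peers, as in the 37-source case described above, shows up directly in the `helo_peers` mapping.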