Autor: Kaz Kylheku Data: Dla: Always Learning CC: Exim Temat: Re: [exim] Meaning of addresses in rejectlog
On 21.06.2014 19:02, Always Learning wrote:
> On Sat, 2014-06-21 at 10:38 -0700, Kaz Kylheku wrote:
>
>> 2014-06-21 09:29:45 H=static-96-243-137-36.tampfl.fios.verizon.net
>> ([192.168.2.33]) [96.243.137.36] F=<test@???> rejected RCPT
>> <therichsheickc@???>:
>
> It is a perpetual spammer sending emails from compromised computer
> systems all round the world.
>
>> What is the ([192.168.2.33])?
>
> It is a bogus HELO/EHLO. The IP range is for internal-usage only. Not
> to
> be used on the Internet.
Hi,
I know what the range 192.168 is; but what is the syntax of the log? The
Exim reject logs vary in their structure. I have seen variations like:
H=X [Z]
H=(X) [Z]
H=X ([Y]) [Z]
H=([Y]) [Z]
and possibly others. The address Z in square brackets is consistent.
Between the H= and that, sometimes there are two tokens and sometimes
only one, with various combinations of brackets or parentheses.
How can we parse all these variations? In the case of ([192.168.2.33]),
if that is the HELO string, what came from the host? Just the numeric
address, or with the square brackets? Or are the square brackets Exim's
convention for logging IP addresses?
Do parentheses always denote the HELO information?
I'm guessing:
H=X [Z] -- host gave no HELO; X is a reverse lookup from Z.
H=(X) [Z] -- X was given as HELO; but matches Z
H=X ([Y]) [Z] -- X was reversed from Z; host gave Y numeric IP as HELO
H=X (Y) [Z] -- X was reversed from Z; host gave Y non-numeric item as
HELO