On 4 Sep 2021, at 3:00 pm, Andrew C Aitchison <andrew@???> wrote:
> > The greet pause test is *specifically* designed to detect botnet spam
> > engines that don't wait for the complete multi-line response, and start
> > talking as soon as they detect the first line of the response. That's
> > why the pause is after, and not before, "220-". This is also why the
> > final response code is unavoidably different from the initial.
>
> Are you saying that applies in this case ?
> If so, then exim is replying during the greet pause, which is a real bug ?
No, in this case, during or at the end of the greet pause this particular
systems was likely also configured to perform RBL checks and the like, and
the final "go away" response is a result of IP reputation, not a greet-pause
violation. I expect that Exim handles multi-line responses correctly.
Regardless, the final status was not known at the time of the initial
"220-" greeting, and the "521" final line was the earliest opportunity
for the bad news. At that point there is no point in continuing an SMTP
conversation, the client is presumed to be a botnet node or equivalent.
Rather than just drop the connection, a "521 go away" is used to finish
the multi-line response.
--
Viktor.
