  1. #1
    Member
    Join Date
    Dec 2003
    Posts
    30

    Weird error in exim_mainlog

    While scanning through my exim_mainlog I noticed that I was getting the following error:

    unexpected disconnection while reading SMTP command from (oneofmydomains.com) [202.22.182.2]

    I know that it doesn't look too strange at first glance, but the thing is, that's not the I.P. for the domain in question. It's not even close. . . well, maybe the same /8. Anyone have an idea what's going on? Thanks in advance for the help.

  2. #2
    cPanel Partner NOC
    Join Date
    Oct 2003
    Posts
    1,931

    It's just spammers sending mail to nonexistent users or being blocked by an RBL using an open proxy

  3. #3
    Member
    Join Date
    Dec 2003
    Posts
    30

    I guess my main concern is that the domain in question is actually hosted on the server that is displaying the error, so I don't understand how it can be displaying the wrong I.P. address. Mind you, it doesn't happen all the time, but it has occurred more than once, and each time it displayed the same incorrect address. I apologize if I'm not explaining the problem well and thanks again for the assistance.

  4. #4
    jester.ro, cPanel Partner NOC
    Join Date
    Feb 2004
    Location
    Bucharest, Romania
    Posts
    304

    I *think*

    it's one of those smart clients that configured their own domain name on their office network.
    Check in the daily LogWatch: do you have entries with "Zone update refused"?

  5. #5
    Member
    Join Date
    Dec 2003
    Posts
    30

    Thanks for the input, I appreciate it. I think I may have figured out the problem though. I didn't mention it earlier, but the reason why I was monitoring the exim logs is that I just recently implemented rbls and wanted to be sure that legitimate emails weren't being blocked. The entire error message I was getting in the logs looked something like this:

    2004-12-14 22:54:57 no host name found for IP address 202.22.182.2
    2004-12-14 22:54:58 H=(mydomain1.com) [202.22.182.2] F=<d11qxbx3xmtrjpy@msn.com> rejected RCPT <validuser@mydomain1.com>: Message rejected because (mydomain1.com) [202.22.182.2] is blacklisted at sbl-xbl.spamhaus.org see http://www.spamhaus.org/query/bl?ip=202.22.182.2
    2004-12-14 22:54:59 unexpected disconnection while reading SMTP command from (mydomain1.com) [202.22.182.2]


    mydomain1.com is hosted on the cpanel server that I was viewing the logs from. The I.P. address that should have been showing was 202.128.*.*. Instead it was showing 202.22.182.2. I decided to look at the previous week's logs (before I had implemented the rbls) and did a grep for "202.22.182.2" and this is what repeatedly came up:

    2004-12-11 05:20:27 1CcqJU-0005xc-E8 H=(mydomain1.com) [202.22.182.2] F=<cham_pride@hotmail.com> rejected after DATA: This message contains a virus or other harmful content (Worm.SomeFool.P)


    I guess it's a worm trying to spread? How is it using one of my domains though? Spoofing? I won't even pretend to be an expert at exim so I apologize if the answer is blatantly obvious.
    Last edited by sivadc; 12-14-2004 at 07:44 AM.

  6. #6
    Member
    Join Date
    Sep 2004
    Posts
    529

    You get that error because the SMTP connection was cut off in the middle of transmission... and it's cut off because the sending server is blacklisted.

    That sending server is using your domain as its own HELO when it talks to your mailserver. It's supposed to be the hostname of the IP/server that sent the mail... but it's untrusted (because it can be anything and anyone can change it). Spammers and viruses do this, hoping that it will trick your configuration into accepting their mail/giving them relay access/giving them increased access/whatever. I just block any mailserver using my domains or my IPs in their HELO. No legitimate mailserver does that.
    Last edited by dezignguy; 12-15-2004 at 09:01 PM.
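
The check described in the post above (a remote host announcing one of the server's own domains or IPs in HELO) can be run over exim_mainlog to see how often it happens. This is an added example, not code from the thread; `LOCAL_DOMAINS`, `LOCAL_NETS`, the function names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions: domains hosted on this server and the networks its own mail
# may legitimately come from (constructed values, replace with your own).
LOCAL_DOMAINS = {"mydomain1.com"}
LOCAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]

# Exim logs the unverified HELO name in parentheses, then the connecting
# address in square brackets: "H=(name) [ip]" or "from (name) [ip]".
HELO_RE = re.compile(r"(?:H=|from )\((?P<helo>[^)\s]+)\) \[(?P<ip>[0-9a-fA-F.:]+)\]")

# Constructed sample modelled on the log lines quoted in the thread.
SAMPLE_LOG = """\
2004-12-14 22:54:57 no host name found for IP address 202.22.182.2
2004-12-14 22:54:58 H=(mydomain1.com) [202.22.182.2] F=<x@example.net> rejected RCPT <validuser@mydomain1.com>: blacklisted
2004-12-14 22:54:59 unexpected disconnection while reading SMTP command from (mydomain1.com) [202.22.182.2]
2004-12-14 23:01:10 H=(mydomain1.com) [192.0.2.10] F=<cron@mydomain1.com> rejected RCPT <nobody@example.org>: relay not permitted
2004-12-14 23:02:44 H=(mail.example.org) [198.51.100.7] F=<a@example.org> rejected RCPT <nouser@mydomain1.com>: no such user
2004-12-14 23:03:02 H=([192.0.2.10]) [203.0.113.9] F=<b@example.com> rejected RCPT <validuser@mydomain1.com>: blacklisted
"""

def is_local_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def claims_local_identity(helo):
    """True if the HELO argument is one of our domains or one of our IPs."""
    name = helo.lower().rstrip(".")
    if name in LOCAL_DOMAINS or any(name.endswith("." + d) for d in LOCAL_DOMAINS):
        return True
    try:  # address literal such as [192.0.2.10]
        return is_local_ip(name.strip("[]"))
    except ValueError:
        return False

def forged_helo_hits(log_text):
    """Count log lines per (helo, ip) where a foreign host used our identity."""
    hits = {}
    for line in log_text.splitlines():
        m = HELO_RE.search(line)
        if m and claims_local_identity(m["helo"]) and not is_local_ip(m["ip"]):
            key = (m["helo"], m["ip"])
            hits[key] = hits.get(key, 0) + 1
    return hits

if __name__ == "__main__":
    for (helo, ip), n in sorted(forged_helo_hits(SAMPLE_LOG).items()):
        print(f"{ip} used HELO {helo} on {n} line(s)")
```

The server's own address using its own name in HELO (the 192.0.2.10 line) is deliberately not flagged, which is the same exemption a HELO block rule needs for local and relay hosts.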

  7. #7
    Member
    Join Date
    Dec 2003
    Posts
    30

    Great explanation, it clears up a lot for me. Thanks!
