Exim Log: Tell me what this is...

bmcpanel

Hi, I am running Cpanel (Current Release) on RH9 with Apache

I am using an exim mod that rejects incoming mail to the server based on RBL black list sites.

I see the following in logs quite often and I am trying to decipher this type of entry. The question is, I am wondering why my server IP # is being listed as "H=". In the below example, my server main ip is listed in parentheses. I have x'd out the main server IP so I can display the log entry here.

----------- From /var/log/exim_mainlog ----------
2004-08-11 09:31:34 H=(xx.xx.xx.xx) [219.94.59.189] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected because (xx.xx.xx.xx) [219.94.59.189] is blacklisted at list.dsbl.org see http://dsbl.org/listing?ip=219.94.59.189
-------------------------------------------------------

So, this is telling me that IP #219.94.59.189 is black listed at dsbl.org. I get that. I get that IP 219.94.59.189 is the REAL sender or the origin IP of the incoming email. Right?

Okay. Why then, is my server IP number listed as "H=(xx.xx.xx.xx)"? Is this email being sent THROUGH my web server from a person at IP # 219.94.59.189? If so, is it likely a formprocessor script, or could it be a mailman mailing list?

I guess "H" stands for "HELO"?


I noticed that my server IP is NOT listed as "H=" in every log entry. So, I am guessing that when my IP is listed as "H=", that it means my server is being used as a relay? Maybe through a form?

-------- My Server IP is not listed as "H=" in every log entry. -----------
2004-08-11 09:41:29 H=(zipolite.com) [210.205.144.78] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected because (zipolite.com) [210.205.144.78] is blacklisted at dnsbl.njabl.org see open proxy -
2004-08-11 09:31:34 H=(xx.xx.xx.xx) [219.94.59.189] F=<[email protected]> rejected RCPT <[email protected]>: Message rejected because (xx.xx.xx.xx) [219.94.59.189] is blacklisted at list.dsbl.org see http://dsbl.org/listing?ip=219.94.59.189
------------------------------------------------------------------

Any help from you will be much appreciated. I have searched these forums and others and have not been able to find this specific info.
 

largolam

bmcpanel said:
Hi, I am running Cpanel (Current Release) on RH9 with Apache

I am using an exim mod that rejects incoming mail to the server based on RBL black list sites.

I see the following in logs quite often and I am trying to decipher this type of entry. The question is, I am wondering why my server IP # is being listed as "H=".

H just means the string that the sending host gave as 'HELO'. Some spammers like to use the IP of the host they are sending to. It's meaningless really.
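Added example, not part of any post in this thread: a small parser for the `H=(helo) [ip]` part of an Exim main log line that lists connections where the client announced one of the server's own addresses in HELO while connecting from a different IP. The log lines are constructed, modelled on the entries quoted above; `192.0.2.10` is a placeholder for the x'd-out server IP, and the function and variable names are hypothetical.

```python
import re

# Placeholder for the server's own address(es); not the poster's real IP.
SERVER_IPS = {"192.0.2.10"}

# Constructed sample lines in the same shape as the entries quoted in the thread.
SAMPLE_LOG = """\
2004-08-11 09:41:29 H=(zipolite.com) [210.205.144.78] F=<a@example.com> rejected RCPT <b@example.org>: Message rejected because (zipolite.com) [210.205.144.78] is blacklisted at dnsbl.njabl.org
2004-08-11 09:31:34 H=(192.0.2.10) [219.94.59.189] F=<c@example.com> rejected RCPT <d@example.org>: Message rejected because (192.0.2.10) [219.94.59.189] is blacklisted at list.dsbl.org
2004-08-11 09:50:02 H=mail.example.net (mail.example.net) [198.51.100.7] F=<e@example.net> rejected RCPT <f@example.org>: relay not permitted
"""

# H= field layout: an optional looked-up host name, then the HELO/EHLO string
# in parentheses (whatever the client chose to say), then the address of the
# connecting peer in square brackets (taken from the TCP connection).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"H=(?:(?P<rdns>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<peer>[^\]]+)\]"
)


def helo_claims_our_ip(log_text, server_ips):
    """Return (timestamp, helo, peer) for each line whose HELO string is one
    of our own IPs although the connection came from a different address."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("helo") is None:
            continue
        # A client may send an address literal such as [192.0.2.10].
        helo = m.group("helo").strip("[]")
        peer = m.group("peer")
        if helo in server_ips and peer not in server_ips:
            hits.append((m.group("ts"), helo, peer))
    return hits


if __name__ == "__main__":
    for ts, helo, peer in helo_claims_our_ip(SAMPLE_LOG, SERVER_IPS):
        print(f"{ts}  peer {peer} said HELO {helo} (our own address)")
```

Only the bracketed address identifies where the connection came from; the parenthesised value is client-supplied text and says nothing about mail passing through the local server.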
 

hostultra

DSBL is not a good blacklist; they don't keep up to date.

Look at those reports of the IPs you listed.
The reports are from 2003. I doubt they're still sending out spam over a year later.