Hi, I want to start by saying that I don't know if this is an exim issue or a BIND issue. It would seem as though it is a BIND issue because it's about DNS, but I'm curious if anyone else has seen this.
I get a connection from the following IP. As part of the ACLs I do a hostname lookup to resolve the hostname so I can check it for good stuff like "ppp-", "dsl-" etc. to determine if it's a home user IP, since this is where we get the vast majority of our spam and about one complaint of a false positive every 6 months. My log files show a connection from this one IP address just after the logs were rotated:

sid# grep '124\.120\.136\.153' /var/log/exim_main.log.2 |less
2009-02-08 04:02:51 H=ppp-124-120-136-153.revip2.asianet.co.th [124.120.136.153] rejected connection in "connect" ACL: R=Too many spam bots on ISP network [124.120.136.153]
2009-02-08 04:03:25 H=ppp-124-120-136-153.revip2.asianet.co.th [124.120.136.153] rejected connection in "connect" ACL: R=Too many spam bots on ISP network [124.120.136.153]

Fair enough. The problem is that from then on, until exim is next restarted 24 hours later (log rotation), it keeps thinking that this is the host name for all sorts of IP addresses. This is *really* bad since we reject based on this host name.
sid# grep ppp-124-120-136-153.revip2.asianet.co.th /var/log/exim_main.log.2 |wc -l
1113
sid# grep ppp-124-120-136-153.revip2.asianet.co.th /var/log/exim_main.log.2 |tail -5
2009-02-09 03:57:24 no IP address found for host (during SMTP connection from ppp-124-120-136-153.revip2.asianet.co.th [195.27.217.250])
2009-02-09 03:59:54 no IP address found for host 82.112.158.88.radiocom.ro (during SMTP connection from ppp-124-120-136-153.revip2.asianet.co.th [88.158.112.82])
2009-02-09 04:00:32 no IP address found for host 82.112.158.88.radiocom.ro (during SMTP connection from ppp-124-120-136-153.revip2.asianet.co.th [88.158.112.82])
2009-02-09 04:00:43 H=ppp-124-120-136-153.revip2.asianet.co.th [64.191.115.233] rejected connection in "connect" ACL: R=Too many spam bots on ISP network [64.191.115.233]
2009-02-09 04:00:46 no IP address found for host 63.245.8.249.cstmr.multidatahn.net (during SMTP connection from ppp-124-120-136-153.revip2.asianet.co.th [63.245.8.249])

As you can see, this hostname appeared in the exim log files only 1113 times in that 24 hour period. The strangest thing about it is, as you can see from the middle two entries here, the host name still resolves correctly:

2009-02-09 03:59:54 no IP address found for host 82.112.158.88.radiocom.ro (during SMTP connection from ppp-124-120-136-153.revip2.asianet.co.th [88.158.112.82])

It appears to affect hosts which do not fully resolve. That is, either the IP doesn't have a PTR record, or the host name from that PTR then doesn't resolve to an IP address. It doesn't appear as though this is a BIND issue, as I'm running BIND with a simple config as a caching server only. And of course there is the fact that the problem goes away when exim is restarted after the log rotation at the end of the day. I'm running exim 4.69 (-bV below), but I do remember a problem with this coming up in the past on older versions of exim 4.6X (if not older versions still).
I can't locate any staff e-mails on this issue, but there is something oddly familiar about this domain name having been the issue in the previous instances of this problem too. I can't for the life of me work out how this is happening. It seems as though the connection is the source of the problems, but a simple "exim -bh 124.120.136.153" doesn't trigger the same results.

Can anyone shed any light on why IPs which are not fully resolvable would end up with the $sender_host_name variable containing a past lookup? It seems like it must be this variable, since this incorrect host name is used in the "no IP address found for host" message, which comes from exim itself and not a user definable ACL. According to the changelog for 4.61 PH/27, this message used to log the IP as "NULL" but now logs it as the IP instead. Is this a possible problem area? Looking at smtp_get_connection_info() in src/smtp_in.c:758, it uses a variable sender_host_address. If I'm reading src/expand.c:540 correctly then $sender_host_address uses this same sender_host_address variable. However, since I have many other connections during this 24 hour period for which the lookups resolve without problem, I'm hard pressed to say that there's anything to this.

I have updated the logging for my ACL to use the variables

SF=$sender_full_address SH=$sender_host_name SI=$sender_host_address

in the hope that if it happens again maybe I'll be able to see if sender_host_address contains the wrong value and go from there.

Any help is appreciated.

Regards,
Colin.
sid# exim -bV
Exim version 4.69 #1 built 25-Jan-2009 00:30:03
Copyright (c) University of Cambridge 2006
Berkeley DB: Sleepycat Software: Berkeley DB 4.4.20: (January 10, 2006)
Support for: iconv() Perl move_frozen_messages Content_Scanning
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb
Authenticators:
Routers: accept dnslookup manualroute redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /usr/exim/configure

-- 
Then graphics games came along and the computer using portion of the human race forgot all about 500,000 years of language evolution and went straight back to the electronic equivalent of banging rocks together - the point'n'click game - http://www.douglasadams.com/creations/infocomjava.html

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
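The symptom described in the post above (one reverse-lookup name attached to many unrelated peer addresses, and a name whose embedded octets disagree with the IP in brackets) is easy to spot from the main log alone, before it causes false rejections. The following script is an added example, not code from the post or from the Exim project; the sample log is constructed, modelled on the excerpts quoted above plus one made-up healthy entry (mail.example.net, 192.0.2.10). Both heuristics are assumptions: a PTR name can legitimately be shared by several addresses, and only names that embed an address (ppp-124-120-136-153..., 82.112.158.88.radiocom.ro) can be checked against the peer IP.

```python
import re
from collections import defaultdict

# Constructed sample: the first six lines are modelled on the excerpts quoted
# in the post above; the last line (mail.example.net, 192.0.2.10) is made up
# as a normal, healthy-looking entry for contrast.
SAMPLE_LOG = """\
2009-02-08 04:02:51 H=ppp-124-120-136-153.revip2.asianet.co.th [124.120.136.153] rejected connection in "connect" ACL: R=Too many spam bots on ISP network [124.120.136.153]
2009-02-08 04:03:25 H=ppp-124-120-136-153.revip2.asianet.co.th [124.120.136.153] rejected connection in "connect" ACL: R=Too many spam bots on ISP network [124.120.136.153]
2009-02-09 03:57:24 no IP address found for host (during SMTP connection from ppp-124-120-136-153.revip2.asianet.co.th [195.27.217.250])
2009-02-09 03:59:54 no IP address found for host 82.112.158.88.radiocom.ro (during SMTP connection from ppp-124-120-136-153.revip2.asianet.co.th [88.158.112.82])
2009-02-09 04:00:43 H=ppp-124-120-136-153.revip2.asianet.co.th [64.191.115.233] rejected connection in "connect" ACL: R=Too many spam bots on ISP network [64.191.115.233]
2009-02-09 04:00:46 no IP address found for host 63.245.8.249.cstmr.multidatahn.net (during SMTP connection from ppp-124-120-136-153.revip2.asianet.co.th [63.245.8.249])
2009-02-09 04:05:00 H=mail.example.net [192.0.2.10] rejected connection in "connect" ACL: R=Too many spam bots on ISP network [192.0.2.10]
"""

# "H=hostname [ip]" as written by the connect ACL reject line.
H_RE = re.compile(r'(?:^|\s)H=(?P<host>[^\s\[]+) \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]')
# "... (during SMTP connection from hostname [ip])" as written by exim itself.
FROM_RE = re.compile(r'during SMTP connection from (?P<host>[^\s\[]+) \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]')
# Four 1-3 digit groups joined by '-' or '.', e.g. ppp-124-120-136-153 or 82.112.158.88.radiocom.ro.
OCTETS_RE = re.compile(r'(?<!\d)(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?!\d)')


def host_ip_pairs(lines):
    """Extract (logged hostname, peer IP) from every line that carries both."""
    pairs = []
    for line in lines:
        m = H_RE.search(line) or FROM_RE.search(line)
        if m:
            pairs.append((m.group('host'), m.group('ip')))
    return pairs


def hosts_with_many_ips(lines, min_ips=2):
    """Hostnames exim logged against at least `min_ips` distinct peer IPs.

    Heuristic (assumption): a PTR name can genuinely be shared by several
    addresses, so a hit is a prompt to check, not proof of a stale name.
    """
    seen = defaultdict(set)
    for host, ip in host_ip_pairs(lines):
        seen[host].add(ip)
    return {h: sorted(ips) for h, ips in seen.items() if len(ips) >= min_ips}


def embedded_ips(host):
    """Addresses a hostname appears to encode, in both octet orders (empty if none)."""
    m = OCTETS_RE.search(host)
    if not m:
        return set()
    octets = m.groups()
    return {'.'.join(octets), '.'.join(reversed(octets))}


def stale_name_events(lines):
    """(hostname, ip) pairs where the name encodes an address other than the peer's.

    Only names that embed an address can be checked this way; for the rest,
    hosts_with_many_ips() is the only signal the log alone provides.
    """
    return [(host, ip) for host, ip in host_ip_pairs(lines)
            if embedded_ips(host) and ip not in embedded_ips(host)]


if __name__ == '__main__':
    log_lines = SAMPLE_LOG.splitlines()
    for host, ips in hosts_with_many_ips(log_lines).items():
        print(f'{host} logged against {len(ips)} peer addresses: {", ".join(ips)}')
    for host, ip in stale_name_events(log_lines):
        print(f'mismatch: {host} encodes a different address than peer {ip}')
```

Run against a real exim_main.log, a hostname reported by both functions within one exim lifetime is the signature of the problem described above; restricting the rejection in the connect ACL to cases where $sender_host_name is consistent with $sender_host_address (or logging all three variables, as the post does) limits the damage until the cause is found.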
