Mark Nipper wrote:
> On 24 Feb 2011, Phil Pennock wrote:
>> On 2011-02-23 at 17:45 -0800, WJCarpenter wrote:
>>> 250-my.server.name Hello his.dynamic.address.bellsouth.net [111.222.333.444]
>>> 250-SIZE 52428800
>>> 250-PIPELINING
>>> 250-AUTH PLAIN LOGIN
>>> 250-HELP
>>> 250 STARTTLS
>>
>> This has been tampered with by an intermediary.
>> In Exim, the "HELP" EHLO keyword is always last.
>
> Antivirus software on the user's box possibly?

I recall seeing a config that pointed to a virtual POP that was indeed ON the
Luser's box. Symantec's Norton AV IIRC.
I don't recall the same being used for outbound smtp submission. At that time.
So 'maybe'.
Suggest doing a telnet into that Luser's ISP, same port, to see if the same
pattern is advertised...
CAVEAT: No guarantee that whatever critter serves the ports from WITHIN the
ring-fenced backside IP pool is the same animal as talks to the 'outside' /
public-facing world. But a match to the above probably rules out on-workstation
AV as the perp.
Bill
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
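
The check discussed in this thread, as an added example that is not part of the original messages: it parses a captured EHLO reply, applies the ordering rule stated above (Exim advertises HELP last), and compares the capture with one taken from another vantage point. `OBSERVED` is the reply quoted in the thread; `REFERENCE` and the function names are constructed for illustration.

```python
import re

# One line of a multiline SMTP reply: code, '-' (more follow) or ' ' (final), text.
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")

def ehlo_keywords(raw):
    """Return the EHLO keywords in advertised order, skipping the greeting line."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    texts = []
    for i, line in enumerate(lines):
        m = REPLY.match(line)
        if not m or m.group(1) != "250":
            raise ValueError(f"not a 250 reply line: {line!r}")
        # Only the final line may use a space after the code.
        if (m.group(2) == " ") != (i == len(lines) - 1):
            raise ValueError(f"bad continuation marker: {line!r}")
        texts.append(m.group(3))
    return [t.split()[0].upper() for t in texts[1:] if t.split()]

def check(observed_raw, reference_raw=None):
    """Return findings that suggest the reply was rewritten in transit."""
    findings = []
    kws = ehlo_keywords(observed_raw)
    if "HELP" in kws and kws[-1] != "HELP":
        after = kws[kws.index("HELP") + 1:]
        findings.append(f"HELP is not last; followed by {after}")
    if reference_raw is not None:
        ref = ehlo_keywords(reference_raw)
        if set(ref) - set(kws):
            findings.append(f"missing vs reference: {sorted(set(ref) - set(kws))}")
        if set(kws) - set(ref):
            findings.append(f"added vs reference: {sorted(set(kws) - set(ref))}")
        if set(kws) == set(ref) and kws != ref:
            findings.append("same keywords as reference, different order")
    return findings

# Reply as quoted in the thread (what the client side saw).
OBSERVED = """250-my.server.name Hello his.dynamic.address.bellsouth.net [111.222.333.444]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250-HELP
250 STARTTLS"""

# Constructed reference: same keywords, HELP last, as if captured elsewhere.
REFERENCE = """250-my.server.name Hello probe.example.net [192.0.2.10]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP"""

if __name__ == "__main__":
    for finding in check(OBSERVED, REFERENCE):
        print(finding)
```

An empty findings list from the client's own network path, against the same server, points away from an in-path rewriter; a mismatch only on the client's machine points toward local software.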