> On Feb 10, 2021, at 9:38 PM, Eugene Podshivalov <yauge...@gmail.com> wrote:
> 
> Are there any wise cases for a legitimate client to provide a valid ehlo
> hostname (which maps to some address) but that address will differ from
> the address it connects from?

I don't know about "wise", but this is not uncommon.

As an example of a less blatant mismatch, today I received a legitimate
newsletter from Cornell:

  Received: from mm.list.cornell.edu (vs-01.mm.list.cornell.edu [128.253.150.167])

The EHLO name resolves to the same IP as the connecting client, but
the PTR is a variant of that name.

Here is the sort of mismatch you're asking about:

  Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2072c.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe5a::72c])

The EHLO name (presently) resolves to:

        $ getent hosts NAM12-MW2-obe.outbound.protection.outlook.com
        2a01:111:f400:fe5a::200 NAM12-MW2-obe.outbound.protection.outlook.com

        $ getent hosts mail-mw2nam12on2072c.outbound.protection.outlook.com
        2a01:111:f400:fe5a::72c mail-mw2nam12on2072c.outbound.protection.outlook.com

        $ getent hosts 2a01:111:f400:fe5a::72c
        2a01:111:f400:fe5a::72c mail-mw2nam12on2072c.outbound.protection.outlook.com

-- 
        Viktor.
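
The comparison walked through in the message above, as an added example that is not part of the original post: it parses a Postfix-style Received header and classifies how the EHLO name relates to the PTR name and the client address. The resolve hook, the category names and the SAMPLE_DNS table (built from the lookups quoted above) are assumptions made so the example runs offline.

```python
import ipaddress
import re

# Postfix-style header: "from <EHLO name> (<PTR name> [<client IP>])"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<ptr>\S+)\s+\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]\)"
)

def parse_received(header):
    """Return (helo, ptr, ip) from a Received header, tolerating folded lines."""
    m = RECEIVED_RE.search(" ".join(header.split()))
    if m is None:
        raise ValueError("unrecognised Received header")
    return m["helo"].lower(), m["ptr"].lower(), ipaddress.ip_address(m["ip"])

def classify(header, resolve):
    """Compare EHLO name, PTR name and client IP.

    resolve(name) -> iterable of address strings; a hypothetical hook so the
    example runs offline (a live version would wrap socket.getaddrinfo).
    """
    helo, ptr, ip = parse_received(header)
    helo_addrs = {ipaddress.ip_address(a) for a in resolve(helo)}
    if helo == ptr:
        return "helo-equals-ptr"
    if ip in helo_addrs:
        return "helo-resolves-to-client"    # EHLO name differs from PTR only
    if helo_addrs:
        return "helo-resolves-elsewhere"    # valid name, different address
    return "helo-unresolvable"

# Constructed lookup table, taken from the results quoted in the message.
SAMPLE_DNS = {
    "mm.list.cornell.edu": ["128.253.150.167"],
    "nam12-mw2-obe.outbound.protection.outlook.com": ["2a01:111:f400:fe5a::200"],
    "mail-mw2nam12on2072c.outbound.protection.outlook.com": ["2a01:111:f400:fe5a::72c"],
}

def sample_resolve(name):
    return SAMPLE_DNS.get(name, [])

CORNELL = "Received: from mm.list.cornell.edu (vs-01.mm.list.cornell.edu [128.253.150.167])"
OUTLOOK = ("Received: from NAM12-MW2-obe.outbound.protection.outlook.com\n"
           " (mail-mw2nam12on2072c.outbound.protection.outlook.com\n"
           " [IPv6:2a01:111:f400:fe5a::72c])")

if __name__ == "__main__":
    for hdr in (CORNELL, OUTLOOK):
        print(classify(hdr, sample_resolve))
```

Both sample headers come from legitimate senders, so a result other than "helo-equals-ptr" is at most a weak scoring signal, not grounds for rejecting the client.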
