Posted to users@spamassassin.apache.org by Ben Wylie <sa...@benwylie.co.uk> on 2005/05/31 16:37:18 UTC

forged-HELO and uridnsbl_skip_domain

In the logs I have been seeing some forged-HELO lines, and sometimes
couldn't work out why they were triggered. I disabled my trusted paths and
sent an email from one address with my ISP "email@ntlworld.tld" to a work
email address "email@clara.tld" which was downloaded and forwarded to a
local email address "email@arkbb.co.spam.uk". It's a bit complicated, but
basically these are the hops the email took:
1) From a local pc (192.168.0.12) to our server (arkbb.co.uk)
2) from our mailserver (arkb.co.uk) to our isp (ntl.com)
3) from ntl.com to ntl.com internal relay
4) from ntl.com to clara.net
5) we downloaded it from clara.net and relayed to local AV gateway (server)
6) from AV gateway (server) to local mailserver (arkbb.co.uk)

A nice circular trip.
Here are the received headers for that email:

Received: from  [127.0.0.1] by arkbb.co.spam.uk with SMTP (HELO server.)
  (ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.7.8)); Tue,
31 May 2005 12:26:57 +0100
Received: from exchange-pop3-connector.com ([127.0.0.1])
 by server. (NAVGW 2.5.2.12) with SMTP id M2005053112260423877
 for <em...@arkbb.co.spam.uk>; Tue, 31 May 2005 12:26:05 +0100
Return-Path: <em...@ntlworld.tld>
Envelope-to: email@clara.tld
Delivery-date: Tue, 31 May 2005 12:14:50 +0100
Received: from smtpout16.mailhost.ntl.com ([212.250.162.16]
helo=mta08-winn.mailhost.ntl.com)
	by mx3.mail.uk.clara.net with esmtp (Exim 4.46)
	id 1Dd4hu-0003LP-DY
	for email@clara.tld; Tue, 31 May 2005 12:14:50 +0100
Received: from aamta02-winn.mailhost.ntl.com ([212.250.162.8])
          by mta08-winn.mailhost.ntl.com with ESMTP
          id <20050531111449.GCZZ26549.mta08-winn.mailhost.ntl.com@aamta02-winn.mailhost.ntl.com>
          for <em...@clara.tld>; Tue, 31 May 2005 12:14:49 +0100
Received: from arkbb.co.spam.uk ([81.104.195.141])
          by aamta02-winn.mailhost.ntl.com with ESMTP
          id <20...@arkbb.co.spam.uk>
          for <em...@clara.tld>; Tue, 31 May 2005 12:14:49 +0100
Received: from  [192.168.0.12] by arkbb.co.spam.uk with SMTP (EHLO [127.0.0.1])

This is the debug log showing the parsing of the received headers. As I had
disabled my trusted path, only 127.0.0.1 was detected as trusted.

debug: IP is reserved, not looking up PTR: 127.0.0.1
debug: received-header: parsed as [ ip=127.0.0.1 rdns= helo=
by=arkbb.co.spam.uk ident= envfrom= intl=0 id= auth= ]
debug: received-header: parsed as [ ip=127.0.0.1
rdns=exchange-pop3-connector.com helo=exchange-pop3-connector.com by=server.
ident= envfrom= intl=0 id=M2005053112260423877 auth= ]
debug: received-header: parsed as [ ip=212.250.162.16
rdns=smtpout16.mailhost.ntl.com helo=mta08-winn.mailhost.ntl.com
by=mx3.mail.uk.clara.net ident= envfrom= intl=0 id=1Dd4hu-0003LP-DY auth= ]
debug: looking up PTR record for '212.250.162.8'
debug: PTR for '212.250.162.8': 'mailhost.ntl.com'
debug: received-header: parsed as [ ip=212.250.162.8 rdns=mailhost.ntl.com
helo=aamta02-winn.mailhost.ntl.com by=mta08-winn.mailhost.ntl.com ident=
envfrom= intl=0
id=20050531111449.GCZZ26549.mta08-winn.mailhost.ntl.com@aamta02-winn.mailhost.ntl.com auth= ]
debug: looking up PTR record for '81.104.195.141'
debug: PTR for '81.104.195.141': 'cpc1-cmbg5-4-0-cust141.cmbg.cable.ntl.com'
debug: received-header: parsed as [ ip=81.104.195.141
rdns=cpc1-cmbg5-4-0-cust141.cmbg.cable.ntl.com helo=arkbb.co.spam.uk
by=aamta02-winn.mailhost.ntl.com ident= envfrom= intl=0
id=20050531111449.VEIL10462.aamta02-winn.mailhost.ntl.com@arkbb.co.spam.uk
auth= ]
debug: IP is reserved, not looking up PTR: 192.168.0.12
debug: received-header: parsed as [ ip=192.168.0.12 rdns= helo=
by=arkbb.co.spam.uk ident= envfrom= intl=0 id= auth= ]
debug: received-header: relay 127.0.0.1 trusted? yes internal? yes
debug: received-header: relay 127.0.0.1 trusted? yes internal? yes
debug: received-header: relay 212.250.162.16 trusted? no internal? no
debug: received-header: relay 212.250.162.8 trusted? no internal? no
debug: received-header: relay 81.104.195.141 trusted? no internal? no
debug: received-header: relay 192.168.0.12 trusted? no internal? no
debug: metadata: X-Spam-Relays-Trusted: [ ip=127.0.0.1 rdns= helo=
by=arkbb.co.spam.uk ident= envfrom= intl=1 id= auth= ] [ ip=127.0.0.1
rdns=exchange-pop3-connector.com helo=exchange-pop3-connector.com by=server.
ident= envfrom= intl=1 id=M2005053112260423877 auth= ]
debug: metadata: X-Spam-Relays-Untrusted: [ ip=212.250.162.16
rdns=smtpout16.mailhost.ntl.com helo=mta08-winn.mailhost.ntl.com
by=mx3.mail.uk.clara.net ident= envfrom= intl=0 id=1Dd4hu-0003LP-DY auth= ]
[ ip=212.250.162.8 rdns=mailhost.ntl.com helo=aamta02-winn.mailhost.ntl.com
by=mta08-winn.mailhost.ntl.com ident= envfrom= intl=0
id=20050531111449.GCZZ26549.mta08-winn.mailhost.ntl.com@aamta02-winn.mailhost.ntl.com auth= ] [ ip=81.104.195.141
rdns=cpc1-cmbg5-4-0-cust141.cmbg.cable.ntl.com helo=arkbb.co.spam.uk
by=aamta02-winn.mailhost.ntl.com ident= envfrom= intl=0
id=20050531111449.VEIL10462.aamta02-winn.mailhost.ntl.com@arkbb.co.spam.uk
auth= ] [ ip=192.168.0.12 rdns= helo= by=arkbb.co.spam.uk ident= envfrom=
intl=0 id= auth= ]

Here is the log showing the SPF tests and showing the forged-HELO lines:


debug: registering glue method for check_for_spf_helo_pass
(Mail::SpamAssassin::Plugin::SPF=HASH(0x266ed20))
debug: SPF: checking HELO (helo=mta08-winn.mailhost.ntl.com,
ip=212.250.162.16)
debug: SPF: trimmed HELO down to 'ntl.com'
debug: SPF: query for /212.250.162.16/ntl.com: result: none, comment: SPF:
domain of sender ntl.com does not designate mailers
debug: all '*From' addrs: email@ntlworld.tld
debug: registering glue method for check_hashcash_value
(Mail::SpamAssassin::Plugin::Hashcash=HASH(0x268528c))
debug: all '*To' addrs: bw@arkbb.co.spam.uk email@clara.tld
debug: registering glue method for check_for_spf_softfail
(Mail::SpamAssassin::Plugin::SPF=HASH(0x266ed20))
debug: SPF: relayed through one or more trusted relays, cannot use
header-based Envelope-From, skipping
debug: registering glue method for check_for_spf_pass
(Mail::SpamAssassin::Plugin::SPF=HASH(0x266ed20))
debug: registering glue method for check_for_spf_helo_softfail
(Mail::SpamAssassin::Plugin::SPF=HASH(0x266ed20))
debug: forged-HELO: from=ntl.com helo=ntl.com by=clara.net
debug: forged-HELO: from=ntl.com helo=ntl.com by=ntl.com
debug: forged-HELO: from=ntl.com helo=arkbb.co.spam.uk by=ntl.com
debug: forged-HELO: mismatch on HELO: 'arkbb.co.spam.uk' != 'ntl.com'
debug: forged-HELO: from= helo= by=arkbb.co.spam.uk
debug: forged-HELO: mismatch on from: 'ntl.com' != 'arkbb.co.spam.uk'
debug: registering glue method for check_for_spf_fail
(Mail::SpamAssassin::Plugin::SPF=HASH(0x266ed20))
debug: registering glue method for check_for_spf_helo_fail
(Mail::SpamAssassin::Plugin::SPF=HASH(0x266ed20))

Can someone tell me what these forged-HELO lines mean? Is it comparing the
HELO command with the rDNS entry?
Does it matter that all of these fail? SA didn't appear to give it any
scores due to these fails, but do some people block emails if there is a
discrepancy between the HELO command and the rDNS? Presumably if anyone does,
my emails are unlikely to get through.


On a completely different note, I have this in my local.cf file:

uridnsbl_skip_domain pipex.com vigay.com

Which is giving me this in the log:
debug: config: read file F:\Documents and
Settings\LocalService/.spamassassin/user_prefs
debug: config: SpamAssassin failed to parse line, skipping:
uridnsbl_skip_domain pipex.com vigay.com

This seems to be the format in 25_uribl.cf. Is there a reason why it doesn't
work?
Thanks
Ben



RE: forged-HELO and uridnsbl_skip_domain

Posted by Ben Wylie <sa...@benwylie.co.uk>.
> Ben Wylie wrote:
>> In the logs I have been seeing some forged-HELO lines, and sometimes
>> couldn't work out why they were triggered. I disabled my trusted paths 
>> and sent an email from one address with my ISP "email@ntlworld.tld" to a
>> work email address "email@clara.tld" which was downloaded and forwarded
>> to a local email address "email@arkbb.co.spam.uk". It's a bit 
>> complicated, but basically these are the hops the email took:
>> 1) From a local pc (192.168.0.12) to our server (arkbb.co.uk)
>> 2) from our mailserver (arkb.co.uk) to our isp (ntl.com)
>
> but it says it's from arkbb.co.spam.uk, not arkbb.co.uk.

Sorry for the inconsistencies - I replaced arkbb.co.uk with arkbb.co.spam.uk
to avoid spam, but didn't replace them all. Where it says spam, please
ignore the word spam.

Thanks
Ben



Re: forged-HELO and uridnsbl_skip_domain

Posted by mouss <us...@free.fr>.
Ben Wylie wrote:
> In the logs I have been seeing some forged-HELO lines, and sometimes
> couldn't work out why they were triggered. I disabled my trusted paths and
> sent an email from one address with my ISP "email@ntlworld.tld" to a work
> email address "email@clara.tld" which was downloaded and forwarded to a
> local email address "email@arkbb.co.spam.uk". It's a bit complicated, but
> basically these are the hops the email took:
> 1) From a local pc (192.168.0.12) to our server (arkbb.co.uk)
> 2) from our mailserver (arkb.co.uk) to our isp (ntl.com)

but it says it's from arkbb.co.spam.uk, not arkbb.co.uk.