Posted to users@spamassassin.apache.org by Andrew Hearn <an...@aaisp.net.uk> on 2007/12/11 12:03:38 UTC

HELO_DYNAMIC_SPLIT_IP

Hi,

Can anyone explain why this email:
http://pastebin.ca/811938
is getting a hit on HELO_DYNAMIC_SPLIT_IP.

I'm seeing a few ham messages being caught by this....

(SpamAssassin version 3.2.3, sa-update)

Thanks!

Andrew

Re: HELO_DYNAMIC_SPLIT_IP

Posted by Andrew Hearn <an...@aaisp.net.uk>.
Giampaolo Tomassoni wrote:
>> -----Original Message-----
>> From: Andrew Hearn [mailto:andrew.hearn@aaisp.net.uk]
>> Sent: Tuesday, December 11, 2007 12:04 PM
>>
>> Hi,
>>
>> Can anyone explain why this email:
>> http://pastebin.ca/811938
>> is getting a hit on HELO_DYNAMIC_SPLIT_IP.
>>
>> I'm seeing a few ham messages being caught by this....
>>
>> (SpamAssassin version 3.2.3, sa-update)
> 
> smtp.aaisp.net.uk maps to two IP addresses (81.187.81.51 and 81.187.81.52).
> 
> An outgoing mail server is supposed to announce itself via HELO with its
> own, specific name, not with a service name (like smtp.etc.etc).
> 
> aaisp.net.uk could define the following:
> 
> 	smtp1		A	81.187.81.51
> 	smtp2		A	81.187.81.52
> 	smtp		A	81.187.81.51
> 			A	81.187.81.52
> 
> where the latter name is only suitable to their customers, in order to
> accept mail to be delivered. Then, when delivery occurs, the SMTP server
> should identify itself with its unique name. For example:
> 
> 	EHLO smtp1.aaisp.net.uk
> 
> This also allows defining two different entries in aaisp.net.uk's DNS
> reverse mappings:
> 
> 	51	PTR	smtp1.aaisp.net.uk.
> 	52	PTR	smtp2.aaisp.net.uk.
> 
> which may help in better identifying the abused host, whenever it happens.
> 
> Giampaolo
> 


Thanks for the reply and explanation, I'll look into this!

RE: HELO_DYNAMIC_SPLIT_IP

Posted by Giampaolo Tomassoni <g....@libero.it>.
> -----Original Message-----
> From: Andrew Hearn [mailto:andrew.hearn@aaisp.net.uk]
> Sent: Tuesday, December 11, 2007 12:04 PM
> 
> Hi,
> 
> Can anyone explain why this email:
> http://pastebin.ca/811938
> is getting a hit on HELO_DYNAMIC_SPLIT_IP.
> 
> I'm seeing a few ham messages being caught by this....
> 
> (SpamAssassin version 3.2.3, sa-update)

smtp.aaisp.net.uk maps to two IP addresses (81.187.81.51 and 81.187.81.52).

An outgoing mail server is supposed to announce itself via HELO with its
own, specific name, not with a service name (like smtp.etc.etc).

aaisp.net.uk could define the following:

	smtp1		A	81.187.81.51
	smtp2		A	81.187.81.52
	smtp		A	81.187.81.51
			A	81.187.81.52

where the latter name is only suitable to their customers, in order to
accept mail to be delivered. Then, when delivery occurs, the SMTP server
should identify itself with its unique name. For example:

	EHLO smtp1.aaisp.net.uk

This also allows defining two different entries in aaisp.net.uk's DNS
reverse mappings:

	51	PTR	smtp1.aaisp.net.uk.
	52	PTR	smtp2.aaisp.net.uk.

which may help in better identifying the abused host, whenever it happens.

Giampaolo

> 
> Thanks!
> 
> Andrew
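
Added example (not part of the thread, and not SpamAssassin's HELO_DYNAMIC_SPLIT_IP rule logic): a small offline audit of the naming scheme proposed in the reply above, checking that each outbound IP announces a per-host HELO name that matches its PTR and resolves back to the same address. The zone data is constructed from the records quoted in the thread; the function names and finding labels are hypothetical.

```python
# Constructed zone data mirroring the A and PTR records proposed in the thread.
FORWARD = {  # hostname -> set of A record addresses
    "smtp1.aaisp.net.uk": {"81.187.81.51"},
    "smtp2.aaisp.net.uk": {"81.187.81.52"},
    "smtp.aaisp.net.uk": {"81.187.81.51", "81.187.81.52"},  # shared service name
}
REVERSE = {  # IP address -> PTR target
    "81.187.81.51": "smtp1.aaisp.net.uk.",
    "81.187.81.52": "smtp2.aaisp.net.uk.",
}


def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def check_helo(helo, client_ip, forward=FORWARD, reverse=REVERSE):
    """Return a list of findings for one outbound connection (empty = clean)."""
    findings = []
    helo = norm(helo)
    addrs = forward.get(helo, set())
    if not addrs:
        findings.append("helo-unresolvable")
    elif client_ip not in addrs:
        findings.append("helo-ip-mismatch")
    if len(addrs) > 1:
        # A name shared by several hosts cannot identify which one sent the mail.
        findings.append("helo-is-shared-service-name")
    ptr = reverse.get(client_ip)
    if ptr is None:
        findings.append("no-ptr")
    else:
        ptr = norm(ptr)
        if client_ip not in forward.get(ptr, set()):
            findings.append("ptr-not-forward-confirmed")
        if ptr != helo:
            findings.append("helo-differs-from-ptr")
    return findings


def audit(connections):
    """Map each (helo, ip) pair to its findings."""
    return {(h, ip): check_helo(h, ip) for h, ip in connections}


if __name__ == "__main__":
    sample = [("smtp1.aaisp.net.uk", "81.187.81.51"),
              ("smtp.aaisp.net.uk", "81.187.81.52")]
    for conn, result in audit(sample).items():
        print(conn, result or "ok")
```

To audit a live domain, replace the two dictionaries with the results of real A and PTR lookups for each outbound address.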