Posted to dev@spamassassin.apache.org by mouss <us...@free.fr> on 2004/11/16 22:48:09 UTC

FORGED_RCVD_HELO question

Sometimes, SA (using 3.0.1) reports a FORGED_RCVD_HELO but checking the 
headers shows no evidence of HELO forgery (I only saw this on fraud419 
messages, which were missed by SA). Here is an example (other headers 
are shown at the end of this message):
---------------
    Received: from unknown (HELO mail.gemari.or.id) (202.150.4.20)
          by mrelay3-2.free.fr with SMTP; 14 Nov 2004 03:26:43 -0000
    Received: (qmail 33883 invoked from network); 13 Nov 2004 18:52:48 -0000
    Received: from localhost.vision.net.id (HELO mail.gemari.or.id) (127.0.0.1)
          by localhost.vision.net.id with SMTP; 13 Nov 2004 18:52:48 -0000
    Received: from 81.58.46.194 (proxying for unknown)
        (SquirrelMail authenticated user bellindad@gemari.or.id)
        by mail.gemari.or.id with HTTP;
        Sun, 14 Nov 2004 01:52:48 +0700 (WIT)
-----------------
    DNS resolution:
        localhost.vision.net.id => 127.0.0.1
        mail.gemari.or.id => 202.150.4.20
        202.150.4.20 => NOT FOUND
        81.58.46.194 => unlabelled-194-46-58-81.versatel.net
        unlabelled-194-46-58-81.versatel.net => NOT FOUND
    DNSBL lookup
        202.150.4.20 is in spam.sorbs and spamcop
        81.58.46.194 is in spamhaus sbl and spamcop
    SA results
        Content analysis details:   (3.8 points)
        RCVD_IN_BL_SPAMCOP_NET, SUB_HELLO,  US_DOLLARS_3,
        NO_REAL_NAME, FORGED_RCVD_HELO
    SA debug:
        debug: forged-HELO: from= helo=gemari.or.id by=free.fr
        debug: forged-HELO: from=vision.net.id helo=gemari.or.id by=vision.net.id
        debug: forged-HELO: mismatch on HELO: 'gemari.or.id' != 'vision.net.id'
---------------

However, the Received lines only say that the message was sent using 
squirrelmail, which handed it to an MTA (qmail?) on the same machine, 
which then forwarded it to my MSP. I can hardly see why someone would 
forge a HELO=mail.gemari.or.id and connect to my MSP using the IP 
address of mail.gemari.or.id!
So unless I am missing something, it is more a misconfiguration issue 
than a forgery.

Is there any way to detect such situations?
Would it be OK to ignore the HELO in local transmission lines (if it's "from 
foo by foo", we don't care about HELOs)? This may be restricted to cases 
where 'foo' resolves to 127.0.0.1.

PS. I didn't get an FP because of that. I'm just curious to see how to 
improve the test.


mouss
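To make the trail check and the proposed local-hop exemption concrete, here is an added Python re-implementation of the comparison the debug output describes (HELO domain at one hop against the "by" domain of the hop before it), run over the Received headers quoted in the post. It is example code written for this page, not SpamAssassin's own; the registrar-boundary table and the hop regex are assumptions sized for the hosts in this thread.

```python
import re

# The four Received headers quoted above, unwrapped, newest hop first.
RECEIVED = [
    "from unknown (HELO mail.gemari.or.id) (202.150.4.20) by mrelay3-2.free.fr with SMTP; 14 Nov 2004 03:26:43 -0000",
    "(qmail 33883 invoked from network); 13 Nov 2004 18:52:48 -0000",
    "from localhost.vision.net.id (HELO mail.gemari.or.id) (127.0.0.1) by localhost.vision.net.id with SMTP; 13 Nov 2004 18:52:48 -0000",
    "from 81.58.46.194 (proxying for unknown) (SquirrelMail authenticated user bellindad@gemari.or.id) by mail.gemari.or.id with HTTP; Sun, 14 Nov 2004 01:52:48 +0700 (WIT)",
]
# "from <host> [(HELO <name>)] [(<ip>)] ... by <host>"; lines without a "from ... by" pair are not hops.
HOP_RE = re.compile(r"\bfrom (\S+)(?: \(HELO (\S+)\))?(?: \((\d+\.\d+\.\d+\.\d+)\))?.*? by (\S+)")
# Stand-in for a real registrar-boundary table (assumption): enough for the hosts in this thread.
TWO_LEVEL_SUFFIXES = {"or.id", "net.id"}

def domain(host):
    """mail.gemari.or.id -> gemari.or.id; 'unknown' and IP literals give '' (never match, never mismatch)."""
    host = (host or "").lower()
    if host in ("", "unknown") or re.match(r"^[\d.]+$", host):
        return ""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def parse_hops(received):
    hops = []
    for hdr in received:
        m = HOP_RE.search(hdr)
        if m:
            frm, helo, ip, by = m.groups()
            hops.append({"from_host": frm.lower(), "by_host": by.lower(), "ip": ip or "",
                         "from": domain(frm), "helo": domain(helo), "by": domain(by)})
    return hops

def is_local_hop(hop):
    """The exemption proposed in the post: a loopback hop or a 'from foo by foo' hop says nothing about the HELO."""
    return hop["ip"].startswith("127.") or hop["from_host"] == hop["by_host"]

def forged_helo_mismatches(hops, ignore_local=False):
    """The HELO domain spoken at hop i should equal the 'by' domain of hop i+1 (the hop nearer the sender)."""
    chain = [h for h in hops if not (ignore_local and is_local_hop(h))]
    return [(outer["helo"], inner["by"]) for outer, inner in zip(chain, chain[1:])
            if outer["helo"] and inner["by"] and outer["helo"] != inner["by"]]

if __name__ == "__main__":
    hops = parse_hops(RECEIVED)
    print(forged_helo_mismatches(hops))                     # [('gemari.or.id', 'vision.net.id')]
    print(forged_helo_mismatches(hops, ignore_local=True))  # []
```

With the loopback hop dropped from the chain, the HELO at the outer hop is compared against the webmail host's "by" (gemari.or.id) and the mismatch disappears, which is the behaviour the post asks about.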