Posted to users@spamassassin.apache.org by jon1234 <sh...@afnsecurity.com> on 2011/03/23 00:19:09 UTC

Bad Helo Host impersonating

Hey Guys,

I'm fairly new to this spamassassin lark as I've just taken a new job so
please bear with me if my question is unrelated.

In a nutshell when my exchange users try to send to certain domains they get
the following bounce message.

<afnsecurity.com #5.5.0 smtp;550 "REJECTED - Bad HELO - Host impersonating
[afnsecurity.com]">

I do have spam assassin installed but it was setup by my predecessor. After
googling the above error it has returned mostly results regarding exim. This
has caused me to suspect that maybe spamassassin has something to do with it
as I'm just running a SBS Exchange mailserver. 

Any help/points in the right direction would be very appreciated. 

Cheers.
Jon
-- 
View this message in context: http://old.nabble.com/Bad-Helo-Host-impersonating-tp31214638p31214638.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Bad Helo Host impersonating

Posted by jon1234 <sh...@afnsecurity.com>.


Dominic Benson wrote:
> 
> 
> On 23 Mar 2011, at 08:09, Dave Funk wrote:
> 
>> On Tue, 22 Mar 2011, jon1234 wrote:
>> 
>>> 
>>> 
>>>> From where do they get that bounce message? From a host internal to
>>>> your
>>>> network or from hosts out on the Internet?
>>> 
>>> The bounce message is only when they send certain domains that are
>>> external
>>> to our network.
>>> 
>>>> 
>>>> If that's coming from an internal MTA, I'd suggest that MTA doesn't
>>>> believe your Exchange server is a legitimate source for mail from your
>>>> domain. If that's coming from external MTA(s) then others on the public
>>>> Internet apparently don't believe your public IP address is a
>>>> legitimate
>>>> source for mail from your domain. Do you publish SPF information or use
>>>> Domainkeys? Has your public MTA's internet IP address changed recently?
>>> 
>>> AFAIK we aren't using Domainkeys, we use DynDNS.com and a check on our
>>> SPF
>>> records gives
>>> 
>>> "The TXT records found for your domain are:
>>> v=spf1 ip4:202.44.190.48/28 ~all
>>> 
>>> SPF records should also be published in DNS as type SPF records.
>>> 
>>> No type SPF records found.
>>> 
>>> Checking to see if there is a valid SPF record.
>>> 
>>> Found v=spf1 record for afnsecurity.com:
>>> v=spf1 ip4:202.44.190.48/28 ~all "
>>> 
>>> the external IP of the exchange server is 202.44.190.49. Could this be
>>> the
>>> cause? If so why would only certain domains be giving the error?
>>> 
>>> Regards,
>>> Jon
>> 
>> Some people may have their level of paranoia WRT SPF mis-match cranked
>> up.
> 
> Surely that's an SPF pass (excluding possible recipient forwarding)?
> 202.44.190.48/28 = 202.44.190.48-202.44.190.63
> Maybe I'm being dense...
> 
> 
>> 
>> The other possible cause of those rejects is that your full-circle-DNS is
>> FUBAR. EG:
>> 
>> $ host afnsecurity.com
>> afnsecurity.com has address 202.44.190.61
>> afnsecurity.com mail is handled by 50 mx2.mailhop.org.
>> afnsecurity.com mail is handled by 60 mx1.afnsecurity.com.
>> afnsecurity.com mail is handled by 10 mx1.afnsecurity.com.
>> $ host 202.44.190.61
>> 61.190.44.202.in-addr.arpa domain name pointer
>> 202.44.190.61.static.nexnet.net.au.
>> $ host 202.44.190.49
>> 49.190.44.202.in-addr.arpa domain name pointer
>> 202.44.190.49.static.nexnet.net.au.
>> 
>>  afnsecurity.com != 202.44.190.61.static.nexnet.net.au
>> 
>> Thus the claim that you are an impostor
>> 
>> any chance you can get your ISP to fix that DNS reverse map and those SPF
>> records?
> 
> mx1.afnsecurity.com resolves to 202.44.190.50 and HELOs:
> 220 afnwall01.afnsecurity.com ESMTP spamd IP-based SPAM blocker
> 
> Now afnwall01.afnsecurity.com doesn't resolve *at all*, and the rDNS is in
> the same format as the above.
> 
> Does your exchange server relay out through this filter? If not, what name
> does it announce itself as? 
> If it does, or if that name is also invalid, or resolves to a different IP
> then you may also encounter this kind of error.
> 


Thanks for the feedback guys. I think it's very possible it may be a DNS
issue as the DNS is a complete mess ATM. We use DynDNS so would I have to
ask them to make the changes?

To clarify, how would I find out what my exchange server is announcing itself
as? AFAIK the exchange server isn't set to relay, although the mxtoolbox does
show me as an open relay.

Apologies for a somewhat fuzzy grasp on the big picture.
Jon
-- 
View this message in context: http://old.nabble.com/Bad-Helo-Host-impersonating-tp31214638p31233694.html


Re: Bad Helo Host impersonating

Posted by Dominic Benson <do...@lenny.cus.org>.
On 23 Mar 2011, at 08:09, Dave Funk wrote:

> On Tue, 22 Mar 2011, jon1234 wrote:
> 
>> 
>> 
>>> From where do they get that bounce message? From a host internal to your
>>> network or from hosts out on the Internet?
>> 
>> The bounce message is only when they send certain domains that are external
>> to our network.
>> 
>>> 
>>> If that's coming from an internal MTA, I'd suggest that MTA doesn't
>>> believe your Exchange server is a legitimate source for mail from your
>>> domain. If that's coming from external MTA(s) then others on the public
>>> Internet apparently don't believe your public IP address is a legitimate
>>> source for mail from your domain. Do you publish SPF information or use
>>> Domainkeys? Has your public MTA's internet IP address changed recently?
>> 
>> AFAIK we aren't using Domainkeys, we use DynDNS.com and a check on our SPF
>> records gives
>> 
>> "The TXT records found for your domain are:
>> v=spf1 ip4:202.44.190.48/28 ~all
>> 
>> SPF records should also be published in DNS as type SPF records.
>> 
>> No type SPF records found.
>> 
>> Checking to see if there is a valid SPF record.
>> 
>> Found v=spf1 record for afnsecurity.com:
>> v=spf1 ip4:202.44.190.48/28 ~all "
>> 
>> the external IP of the exchange server is 202.44.190.49. Could this be the
>> cause? If so why would only certain domains be giving the error?
>> 
>> Regards,
>> Jon
> 
> Some people may have their level of paranoia WRT SPF mis-match cranked up.

Surely that's an SPF pass (excluding possible recipient forwarding)?
202.44.190.48/28 = 202.44.190.48-202.44.190.63
Maybe I'm being dense...


> 
> The other possible cause of those rejects is that your full-circle-DNS is FUBAR. EG:
> 
> $ host afnsecurity.com
> afnsecurity.com has address 202.44.190.61
> afnsecurity.com mail is handled by 50 mx2.mailhop.org.
> afnsecurity.com mail is handled by 60 mx1.afnsecurity.com.
> afnsecurity.com mail is handled by 10 mx1.afnsecurity.com.
> $ host 202.44.190.61
> 61.190.44.202.in-addr.arpa domain name pointer 202.44.190.61.static.nexnet.net.au.
> $ host 202.44.190.49
> 49.190.44.202.in-addr.arpa domain name pointer 202.44.190.49.static.nexnet.net.au.
> 
>  afnsecurity.com != 202.44.190.61.static.nexnet.net.au
> 
> Thus the claim that you are an impostor
> 
> any chance you can get your ISP to fix that DNS reverse map and those SPF records?

mx1.afnsecurity.com resolves to 202.44.190.50 and HELOs:
220 afnwall01.afnsecurity.com ESMTP spamd IP-based SPAM blocker

Now afnwall01.afnsecurity.com doesn't resolve *at all*, and the rDNS is in the same format as the above.

Does your exchange server relay out through this filter? If not, what name does it announce itself as? 
If it does, or if that name is also invalid, or resolves to a different IP then you may also encounter this kind of error.




Re: Bad Helo Host impersonating

Posted by Dave Funk <db...@engineering.uiowa.edu>.
On Tue, 22 Mar 2011, jon1234 wrote:

>
>
>> From where do they get that bounce message? From a host internal to your
>> network or from hosts out on the Internet?
>
> The bounce message is only when they send certain domains that are external
> to our network.
>
>>
>> If that's coming from an internal MTA, I'd suggest that MTA doesn't
>> believe your Exchange server is a legitimate source for mail from your
>> domain. If that's coming from external MTA(s) then others on the public
>> Internet apparently don't believe your public IP address is a legitimate
>> source for mail from your domain. Do you publish SPF information or use
>> Domainkeys? Has your public MTA's internet IP address changed recently?
>
> AFAIK we aren't using Domainkeys, we use DynDNS.com and a check on our SPF
> records gives
>
> "The TXT records found for your domain are:
> v=spf1 ip4:202.44.190.48/28 ~all
>
> SPF records should also be published in DNS as type SPF records.
>
> No type SPF records found.
>
> Checking to see if there is a valid SPF record.
>
> Found v=spf1 record for afnsecurity.com:
> v=spf1 ip4:202.44.190.48/28 ~all "
>
> the external IP of the exchange server is 202.44.190.49. Could this be the
> cause? If so why would only certain domains be giving the error?
>
> Regards,
> Jon

Some people may have their level of paranoia WRT SPF mis-match cranked up.

The other possible cause of those rejects is that your full-circle-DNS is 
FUBAR. EG:

$ host afnsecurity.com
  afnsecurity.com has address 202.44.190.61
  afnsecurity.com mail is handled by 50 mx2.mailhop.org.
  afnsecurity.com mail is handled by 60 mx1.afnsecurity.com.
  afnsecurity.com mail is handled by 10 mx1.afnsecurity.com.
$ host 202.44.190.61
  61.190.44.202.in-addr.arpa domain name pointer 202.44.190.61.static.nexnet.net.au.
$ host 202.44.190.49
  49.190.44.202.in-addr.arpa domain name pointer 202.44.190.49.static.nexnet.net.au.

   afnsecurity.com != 202.44.190.61.static.nexnet.net.au

Thus the claim that you are an impostor

any chance you can get your ISP to fix that DNS reverse map and those SPF 
records?



-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
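Dave Funk's full-circle-DNS check, written out as an added example (not code from the thread): the `host` lookups he quotes, plus mx1's address from Dominic Benson's reply, are embedded as constructed tables so the HELO checks a strict receiving MTA applies can be run offline. The forward and PTR entries for 202.44.190.50 are assumptions in the same nexnet.net.au format as the others.

```python
# Constructed lookup tables built from the `host` output quoted in the
# thread (no live DNS). The entries for 202.44.190.50 are assumptions,
# following the same nexnet.net.au format as the addresses Dave looked up.
FORWARD = {  # hostname -> addresses it resolves to
    "afnsecurity.com": {"202.44.190.61"},
    "mx1.afnsecurity.com": {"202.44.190.50"},
    "202.44.190.61.static.nexnet.net.au": {"202.44.190.61"},
    "202.44.190.49.static.nexnet.net.au": {"202.44.190.49"},
    "202.44.190.50.static.nexnet.net.au": {"202.44.190.50"},
    # afnwall01.afnsecurity.com is deliberately absent: it does not resolve
}
REVERSE = {  # address -> PTR name
    "202.44.190.61": "202.44.190.61.static.nexnet.net.au",
    "202.44.190.49": "202.44.190.49.static.nexnet.net.au",
    "202.44.190.50": "202.44.190.50.static.nexnet.net.au",
}


def forward_confirmed(ip):
    """FCrDNS: the PTR exists and its name resolves back to the same IP."""
    name = REVERSE.get(ip)
    return name is not None and ip in FORWARD.get(name, set())


def check_helo(helo, ip):
    """Findings a strict receiving MTA could raise for HELO `helo` from `ip`.
    An empty list means forward DNS, reverse DNS and HELO all agree."""
    helo = helo.lower()
    findings = []
    addrs = FORWARD.get(helo)
    if addrs is None:
        findings.append("HELO name does not resolve")
    elif ip not in addrs:
        # the "Host impersonating [afnsecurity.com]" case: the name exists
        # but belongs to a different address than the one connecting
        findings.append("HELO name resolves to a different IP")
    if not forward_confirmed(ip):
        findings.append("connecting IP has no forward-confirmed reverse DNS")
    ptr = REVERSE.get(ip)
    if ptr is not None and ptr.lower() != helo:
        # the mismatch Dave points at: afnsecurity.com != PTR name
        findings.append(f"PTR {ptr} != HELO {helo}")
    return findings
```

Running `check_helo("afnsecurity.com", "202.44.190.49")` reproduces the situation the thread suspects: the Exchange server announcing the bare domain from an address the domain does not resolve to.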

Re: Bad Helo Host impersonating

Posted by John Hardin <jh...@impsec.org>.
On Tue, 22 Mar 2011, jon1234 wrote:

>> From where do they get that bounce message? From a host internal to your
>> network or from hosts out on the Internet?
>
> The bounce message is only when they send certain domains that are external
> to our network.

Shall I assume you meant to say "send _to_ certain domains"?

>> If that's coming from an internal MTA, I'd suggest that MTA doesn't 
>> believe your Exchange server is a legitimate source for mail from your 
>> domain. If that's coming from external MTA(s) then others on the public 
>> Internet apparently don't believe your public IP address is a 
>> legitimate source for mail from your domain. Do you publish SPF 
>> information or use Domainkeys? Has your public MTA's internet IP 
>> address changed recently?
>
> AFAIK we aren't using Domainkeys, we use DynDNS.com and a check on our SPF
> records gives
>
> "The TXT records found for your domain are:
> v=spf1 ip4:202.44.190.48/28 ~all
>
> SPF records should also be published in DNS as type SPF records.
>
> No type SPF records found.
>
> Checking to see if there is a valid SPF record.
>
> Found v=spf1 record for afnsecurity.com:
> v=spf1 ip4:202.44.190.48/28 ~all "
>
> the external IP of the exchange server is 202.44.190.49. Could this be the
> cause? If so why would only certain domains be giving the error?

Because not everyone rejects on SPF fail. Additionally, your SPF is set to 
soft fail, so mail _shouldn't_ be rejected outright on an SPF failure, 
but may be depending on site policy.

To verify that I understand correctly: your outbound IP address is 
dynamic? Are you confident that the IP addresses you can be assigned will 
be covered by 202.44.190.48/28? If you got assigned an IP outside that 
range your mail would suddenly fail SPF.

One of the problems with SPF is it breaks trivial forwarding. Is it 
possible that the mail sent to those domains is being forwarded and the 
forwarder isn't properly handling the necessary modifications to pass SPF?

Do the rejects include enough trace information to show whether the mail 
is coming into the rejecting MTA from an IP address covered by your SPF 
range?

Very likely you have two options:

(1) Contact the rejecting sites and ask them why they are rejecting on 
soft fail (assuming the trace shows an MTA between you and the rejecting 
MTA), or

(2) stop publishing an SPF record.

As a verification you might consider temporarily suspending your SPF 
record or changing it to +all and see if the rejects stop.

This isn't related to SA. If SA scoring was causing the reject the MTA
would probably say something about the message being spammy. You might get 
better help on a mailing list dedicated to SPF issues.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The third basic rule of firearms safety:
   Keep your booger hook off the bang switch!
-----------------------------------------------------------------------
  7 days until the M1911 is 100 years old - and still going strong!
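The SPF evaluation Dominic Benson and John Hardin are discussing, as an added example (not code from the thread): a minimal checker for the ip4/ip6/all mechanisms with no DNS lookups, a count of how many addresses the record covers (the dynamic-IP concern), and the site-policy decision that turns a softfail into a reject. The record and address are the ones Jon posted; the function and parameter names are this example's own.

```python
import ipaddress

# Constructed from the thread: the published record and the Exchange
# server's external address.
SPF_RECORD = "v=spf1 ip4:202.44.190.48/28 ~all"
EXCHANGE_IP = "202.44.190.49"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a record using only ip4/ip6/all mechanisms (no DNS).
    Returns pass, fail, softfail, neutral, or none for a non-SPF record.
    Simplified checker, not a full RFC 7208 implementation."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include, exists and ptr need DNS and are ignored here
    return "neutral"                         # no match and no "all" term


def covered_addresses(record):
    """Number of addresses the ip4/ip6 mechanisms cover: the room a
    dynamically assigned outbound address has before mail starts failing."""
    total = 0
    for term in record.split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name.lower() in ("ip4", "ip6"):
            total += ipaddress.ip_network(arg, strict=False).num_addresses
    return total


def receiver_rejects(result, reject_on_softfail=False):
    """Site policy: most MTAs reject only on fail; some also reject softfail,
    which is why only certain destination domains bounce the mail."""
    return result == "fail" or (reject_on_softfail and result == "softfail")
```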

Re: Bad Helo Host impersonating

Posted by jon1234 <sh...@afnsecurity.com>.

>From where do they get that bounce message? From a host internal to your
>network or from hosts out on the Internet?

The bounce message is only when they send certain domains that are external
to our network.

>
>If that's coming from an internal MTA, I'd suggest that MTA doesn't 
>believe your Exchange server is a legitimate source for mail from your 
>domain. If that's coming from external MTA(s) then others on the public 
>Internet apparently don't believe your public IP address is a legitimate 
>source for mail from your domain. Do you publish SPF information or use 
>Domainkeys? Has your public MTA's internet IP address changed recently?

AFAIK we aren't using Domainkeys, we use DynDNS.com and a check on our SPF
records gives

"The TXT records found for your domain are:
v=spf1 ip4:202.44.190.48/28 ~all

SPF records should also be published in DNS as type SPF records.

No type SPF records found.

Checking to see if there is a valid SPF record.

Found v=spf1 record for afnsecurity.com:
v=spf1 ip4:202.44.190.48/28 ~all "

the external IP of the exchange server is 202.44.190.49. Could this be the
cause? If so why would only certain domains be giving the error?

Regards,
Jon
-- 
View this message in context: http://old.nabble.com/Bad-Helo-Host-impersonating-tp31214638p31216483.html


Re: Bad Helo Host impersonating

Posted by John Hardin <jh...@impsec.org>.
On Tue, 22 Mar 2011, jon1234 wrote:

> Hey Guys,
>
> I'm fairly new to this spamassassin lark as I've just taken a new job so
> please bear with me if my question is unrelated.
>
> In a nutshell when my exchange users try to send to certain domains they get
> the following bounce message.
>
> <afnsecurity.com #5.5.0 smtp;550 "REJECTED - Bad HELO - Host impersonating
> [afnsecurity.com]">

From where do they get that bounce message? From a host internal to your
network or from hosts out on the Internet?

> I do have spam assassin installed but it was setup by my predecessor. After
> googling the above error it has returned mostly results regarding exim. This
> has caused me to suspect that maybe spamassassin has something to do with it
> as I'm just running a SBS Exchange mailserver.

SA doesn't have anything to do with that.

> Any help/points in the right direction would be very appreciated.

If that's coming from an internal MTA, I'd suggest that MTA doesn't 
believe your Exchange server is a legitimate source for mail from your 
domain. If that's coming from external MTA(s) then others on the public 
Internet apparently don't believe your public IP address is a legitimate 
source for mail from your domain. Do you publish SPF information or use 
Domainkeys? Has your public MTA's internet IP address changed recently?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   If guards and searches and metal detectors can't keep a gun out of
   a maximum-security solitary confinement prisoner's cell, how will
   a disciplinary policy and some signs keep guns out of a university?
-----------------------------------------------------------------------
  7 days until the M1911 is 100 years old - and still going strong!