spamassassin-users mailing list archives

From jon1234 <shi...@afnsecurity.com>
Subject Re: Bad Helo Host impersonating
Date Thu, 24 Mar 2011 22:57:38 GMT



Dominic Benson wrote:
> 
> 
> On 23 Mar 2011, at 08:09, Dave Funk wrote:
> 
>> On Tue, 22 Mar 2011, jon1234 wrote:
>> 
>>> 
>>> 
>>>> From where do they get that bounce message? From a host internal to
>>>> your
>>>> network or from hosts out on the Internet?
>>> 
>>> The bounce message is only when they send certain domains that are
>>> external
>>> to our network.
>>> 
>>>> 
>>>> If that's coming from an internal MTA, I'd suggest that MTA doesn't
>>>> believe your Exchange server is a legitimate source for mail from your
>>>> domain. If that's coming from external MTA(s) then others on the public
>>>> Internet apparently don't believe your public IP address is a
>>>> legitimate
>>>> source for mail from your domain. Do you publish SPF information or use
>>>> Domainkeys? Has your public MTA's internet IP address changed recently?
>>> 
>>> AFAIK we aren't using Domainkeys, we use DynDNS.com and a check on our
>>> SPF
>>> records gives
>>> 
>>> "The TXT records found for your domain are:
>>> v=spf1 ip4:202.44.190.48/28 ~all
>>> 
>>> SPF records should also be published in DNS as type SPF records.
>>> 
>>> No type SPF records found.
>>> 
>>> Checking to see if there is a valid SPF record.
>>> 
>>> Found v=spf1 record for afnsecurity.com:
>>> v=spf1 ip4:202.44.190.48/28 ~all "
>>> 
>>> the external IP of the exchange server is 202.44.190.49.. could this be
>>> the
>>> cause? If so why would only certain domains be giving the error?
>>> 
>>> Regards,
>>> Jon
>> 
>> Some people may have their level of paranoia WRT SPF mis-match cranked
>> up.
> 
> Surely that's an SPF pass (excluding possible recipient forwarding)?
> 202.44.190.48/28 = 202.44.190.48-202.44.190.63
> Maybe I'm being dense...
> 
> 
>> 
>> The other possible cause of those rejects is that your full-circle-DNS is
>> FUBAR. EG:
>> 
>> $ host afnsecurity.com
>> afnsecurity.com has address 202.44.190.61
>> afnsecurity.com mail is handled by 50 mx2.mailhop.org.
>> afnsecurity.com mail is handled by 60 mx1.afnsecurity.com.
>> afnsecurity.com mail is handled by 10 mx1.afnsecurity.com.
>> $ host 202.44.190.61
>> 61.190.44.202.in-addr.arpa domain name pointer
>> 202.44.190.61.static.nexnet.net.au.
>> $ host 202.44.190.49
>> 49.190.44.202.in-addr.arpa domain name pointer
>> 202.44.190.49.static.nexnet.net.au.
>> 
>>  afnsecurity.com != 202.44.190.61.static.nexnet.net.au
>> 
>> Thus the claim that you are an impostor.
>> 
>> any chance you can get your ISP to fix that DNS reverse map and those SPF
>> records?
> 
> mx1.afnsecurity.com resolves to 202.44.190.50 and HELOs:
> 220 afnwall01.afnsecurity.com ESMTP spamd IP-based SPAM blocker
> 
> Now afnwall01.afnsecurity.com doesn't resolve *at all*, and the rDNS is in
> the same format as the above.
> 
> Does your exchange server relay out through this filter? If not, what name
> does it announce itself as? 
> If it does, or if that name is also invalid, or resolves to a different IP
> then you may also encounter this kind of error.
> 


Thanks for the feedback guys. I think it's very possible it may be a DNS
issue as the DNS is a complete mess ATM. We use DynDNS so would I have to
ask them to make the changes?

To clarify, how would I find out what my exchange server is announcing itself
as? AFAIK the exchange server isn't set to relay, although the mxtoolbox does
show me as an open relay.

Apologies for somewhat fuzzy grasp on the big picture.
Jon
-- 
View this message in context: http://old.nabble.com/Bad-Helo-Host-impersonating-tp31214638p31233694.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
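The three checks discussed in this thread (is the connecting IP inside the SPF `ip4:` range, does the reverse DNS of that IP forward-confirm and belong to the sending domain, and does the HELO name resolve to the connecting IP) can be reproduced offline. The following script is an added example and is not code from the thread or from SpamAssassin. The SPF record is the one quoted above; the forward and reverse tables are constructed from the `host` output quoted in the thread, with the PTR for 202.44.190.50 assumed (the thread only says it has "the same format"). The evaluator handles only the `ip4`, `ip6` and `all` mechanisms, which is enough for the CIDR question raised here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# SPF record as quoted in the thread.
SPF_TXT = "v=spf1 ip4:202.44.190.48/28 ~all"

# Constructed lookup tables standing in for a live resolver.
FORWARD = {  # name -> A record
    "afnsecurity.com": "202.44.190.61",
    "mx1.afnsecurity.com": "202.44.190.50",
    "202.44.190.61.static.nexnet.net.au": "202.44.190.61",
    "202.44.190.49.static.nexnet.net.au": "202.44.190.49",
    "202.44.190.50.static.nexnet.net.au": "202.44.190.50",  # assumed
}
REVERSE = {  # ip -> PTR
    "202.44.190.61": "202.44.190.61.static.nexnet.net.au",
    "202.44.190.49": "202.44.190.49.static.nexnet.net.au",
    "202.44.190.50": "202.44.190.50.static.nexnet.net.au",  # assumed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(spf_txt, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for client_ip.

    Simplified evaluator: mechanisms that need further DNS (a, mx, include,
    ptr, exists) and modifiers (redirect=, exp=) are skipped as non-matching.
    Returns the SPF result string for the first matching mechanism.
    """
    terms = spf_txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"


@dataclass
class RdnsReport:
    ip: str
    ptr: Optional[str]
    forward_ip: Optional[str]
    consistent: bool  # PTR name resolves back to the same IP (FCrDNS)
    in_domain: bool   # PTR name lies under the sending domain


def fcrdns(ip, domain, forward=FORWARD, reverse=REVERSE):
    """Forward-confirmed reverse DNS check against the table resolvers."""
    ptr = reverse.get(ip)
    fwd = forward.get(ptr) if ptr else None
    consistent = fwd == ip
    in_domain = bool(ptr) and (ptr == domain or ptr.endswith("." + domain))
    return RdnsReport(ip, ptr, fwd, consistent, in_domain)


def helo_status(helo_name, client_ip, forward=FORWARD):
    """Classify a HELO name the way a strict receiving MTA would."""
    resolved = forward.get(helo_name)
    if resolved is None:
        return "unresolvable"
    return "ok" if resolved == client_ip else "mismatch"


if __name__ == "__main__":
    print("SPF for 202.44.190.49:", spf_result(SPF_TXT, "202.44.190.49"))
    for addr in ("202.44.190.61", "202.44.190.49"):
        print(fcrdns(addr, "afnsecurity.com"))
    print("HELO afnwall01:", helo_status("afnwall01.afnsecurity.com", "202.44.190.50"))
```

Run as-is it confirms Dominic's reading: 202.44.190.49 sits inside 202.44.190.48/28, so the SPF result is `pass`. The FCrDNS check passes for the .49 and .61 addresses too, but the PTR names are the ISP's generic `static.nexnet.net.au` names, not under afnsecurity.com, which is the mismatch Dave points at. The HELO name `afnwall01.afnsecurity.com` has no A record in the table, so it comes back `unresolvable`; receivers that reject on unresolvable or mismatched HELO names would produce exactly the kind of bounce described in the thread.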

