mail from forum coming in with bogus HELO

Discussion about the board itself, forums organization and site bugs.
Post Reply
bill_mcgonigle
Posts: 2
Joined: Sun May 03, 2009 12:27 am

mail from forum coming in with bogus HELO

Post by bill_mcgonigle » Sun May 03, 2009 4:16 am

Mail from this forum is coming from ariel.informaction.com but when that machine HELO's, it's calling itself e82-103-134-102s.easyspeedy.dk, which has no DNS entry. This causes mail servers which check for consistency to reject all mail from ariel. e.g.:

Code: Select all

2009-05-02T23:53:23.165543-04:00 borlaug postfix/smtpd[5622]: NOQUEUE: reject: RCPT from ariel.informaction.com[82.103.134.102]: 450 4.7.1 <e82-103-134-102s.easyspeedy.dk>: Helo command rejected: Host not found; from=<forums@informaction.com> to=<me> proto=ESMTP helo=<e82-103-134-102s.easyspeedy.dk>                                        


If this is a shared host, the ISP should put in a proper DNS entry for the host. Otherwise, something is misconfigured.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042708 Fedora/3.0.10-1.fc10 Firefox/3.0.10

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: mail from forum coming in with bogus HELO

Post by GµårÐïåñ » Sun May 03, 2009 5:05 am

It is shared hosted on easyspeedy and the mail is being sent probably by the built in mail function, so if there might be a misconfig by the host or somewhere in the config, I am sure Giorgio will look into it. Thanks for the report, I had not heard of any problems until you mentioned this, so not sure what's going on.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: mail from forum coming in with bogus HELO

Post by Tom T. » Sun May 03, 2009 5:51 am

I use Yahoo! web mail, so my mileage probably differs from yours. But Yahoo has gotten very strict on spam, etc., and no problems here with receiving notification. Header:

Code: Select all

<forums@informaction.com>
Authentication-Results: mta562.mail.mud.yahoo.com from=informaction.com; domainkeys=neutral (no sig); from=informaction.com; dkim=neutral (no sig)
Received:       from 82.103.134.102 (EHLO e82-103-134-102s.easyspeedy.dk) (82.103.134.102) by mta562.mail.mud.yahoo.com with SMTP; Sat, 02 May 2009 15:56:54 -0700
Received:       (qmail 21906 invoked by uid 89); 2 May 2009 22:56:07 -0000
Received:       from unknown (HELO ariel.informaction.com) (127.0.0.1) by ariel.informaction.com with SMTP; 2 May 2009 22:56:07 -0000


I admit to being not that deep into header interpretation, but.... The domainkeys is a Yahoo tool for authenticating as "not forged address" mail either within the Yahoo domain or from cooperating mails that subscribe to Yahoo domain keys. Informaction is clearly its own server, no subscription, but not on a blacklist either ("neutral").

I note the "EHLO" in the top Received vs. HELO later. Perhaps you can explain the significance of this, or is this possibly the source of the error?
I can only guess that including thestandard localhost address 127... indicates origination from Giorgio's machine, correct? And perhaps Yahoo accepts that as the originator, while yours finds this unacceptable?

As said, I'm way outside of my knowledge base here, and welcome any education you care to share. Thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: mail from forum coming in with bogus HELO

Post by GµårÐïåñ » Mon May 04, 2009 1:26 am

Ok, here is the header form one of the messages I receive from the forum (I receive everything in Outlook). Anywhere you see <XXX> it is my own personally identifiable information that I have intentionally removed from the display as it serves no purpose for this discussion.

Return-Path: <forums@informaction.com>
Delivery-Date: Sun, 03 May 2009 20:01:09 -0400
Received: from e82-103-134-102s.easyspeedy.dk (ariel.informaction.com [82.103.134.102])
by <XXX> (node=mxus1) with ESMTP (<XXX>)
id 0MKoXI-1M0lcK0uim-000YmA for <XXX>; Sun, 03 May 2009 20:01:08 -0400
Received: (qmail 12047 invoked by uid 89); 4 May 2009 00:00:44 -0000
Received: from unknown (HELO ariel.informaction.com) (127.0.0.1)
by ariel.informaction.com with SMTP; 4 May 2009 00:00:44 -0000
Subject: =?UTF-8?B?VG9waWMgcmVwbHkgbm90aWZpY2F0aW9uIC0gIkxhdGVzdCBOb1NjcmlwdCB2ZXJz?= =?UTF-8?B?aW9uICgxLjkuMikgYnJlYWtzIEFkYmxvY2sgUGx1cyI=?=
To: =?UTF-8?B?R8K1w6Vyw5DDr8Olw7E=?= <XXX>
From: <forums@informaction.com>
Reply-To: <forums@informaction.com>
Return-Path: <forums@informaction.com>
Sender: <forums@informaction.com>
MIME-Version: 1.0
Message-ID: <def1610a4462eb10f071e56fd1df41ca@forums.informaction.com>
Date: Mon, 04 May 2009 02:00:15 +0200
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: PhpBB3
X-MimeOLE: phpBB3
X-phpBB-Origin: phpbb://forums.informaction.com
Envelope-To: <XXX>


The red highlight shows you the name of the server which as you can see from the syntax is hosted on easyspeedy.dk and you will further notice that the numbers in the front are a match to the IP of the hosted server name in green highlight. This is either a virtual hosted account or VPS with either a dedicated or possible shared IP, regardless it is pointing to where it is supposed to and accurately reflects the information. You can further see in the orange highlight that it is indeed using the localhost/mail function to send the message and hence the 127.0.0.1 ip designation.

To sum it all up, its not bogus, its all good and people need to relax.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

User avatar
piker
Posts: 7
Joined: Sat Mar 21, 2009 7:14 am
Location: Cyberspace
Contact:

Re: mail from forum coming in with bogus HELO

Post by piker » Thu Jun 04, 2009 8:46 am

This topic/thread was very helpful by the way... as in, pointers to what IP space should be known for allowing people to properly modify any black/white lists or firewall rules on their servers or PC's to allow signup/forum related communication to be all groovy and kosher. Also, even though this particular forums' server IP address reverses properly to what we'd expect, knowing the general "end-user-ish" default-like hostname and domain is also helpful, since many administrators and RBLs may treat similar/neighboring hosts as end-user IP space to be blocked or weighed heavily against towards spam filter rules.

In short.. both the IP and (bogus HELO) were helpful to know had I needed to create exceptions to any anti-spam/attack blocklists as I'm sure may be the case with people in the future.. especially since this forum is indeed neighbored by or at least part of a /16 (cidr) range that can be, at times, questionable as to behavior, etc.. etc...

thanks! .. it might be worthy to mention in the forum's official notes somewhere is my point.

..enough babbling for me.

peace!

...p
Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.21) Gecko/20090410

Post Reply