On Wednesday 01 June 2005 01:24 pm, Declan Moriarty wrote:
> I saved off one of your mails here, and tried it. That header gives a
> FORGED_RCVD_HELO. This one
> Received: from [24.148.198.211] (helo=www) etc.
>
> does not. Your host does not ping when it is not online. I have just
> pinged www.ccolton.com, and nothing is there, because, I presume, your
> box is off :-/.
This machine is always on. If it doesn't ping, something else is wrong. It pings from here, but without a lot of effort it's hard to tell whether it's an external or an internal ping.

> But just having the helo from a hostname solves the
> problem. Windows boxen only know about their hostname, and a domain is
> only associated with specific settings on an interface. They pass this
> test, and they haven't a breeze about their fqdn. I have postfix saying
> helo as a host, not an fqdn, and the sky doesn't fall in. Your actual
> fqdn from the internet is going to be
>
> user-0c99hmj.cable.mindspring.com (according to djb's dnsname)

Hee, hee - I tried that one.

> and you can't set up the appropriate record for www.ccolton.com because
> earthlink.net or mindspring.com already has. What smtp mail program
> are you running?

I am not running a mail server. The only thing between me and earthlink would be Kmail and my router.

> I'll bet you haven't tried that mindspring.com
> in your settings. Well, I did, and after the wait for dns tests, I got
>
> Content analysis details: (1.5 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.5 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)
> -6.0 USER_IN_WHITELIST_TO   User is listed in 'whitelist_to'
>  6.0 USER_IN_BLACKLIST_TO   User is listed in 'blacklist_to'
>
> So you lost the FORGED_RCVD_HELO (by giving the genuine one) but picked
> up this HELO_DYNAMIC_HCC :-/. Changing the one last time to
> meerkats.mindspring.com killed that. Way to go!!
> --

Thanks for that investigation. Through "nslookup" I had found the mindspring - earthlink tie-in, but something else had been screwing up my own tests (see below). So even if I had been smart enough to find the right hostname I would have gotten a negative. You've been more than helpful.
Long and NotRequiredReading Sidenote:

When I first got a broadband connection about a year ago, I decided to keep my old dialup account going, since it only costs me about 5.00 a month with a package deal through my phone company. I thought it would make a good backup, and it allowed me to keep my email account. So I set things up to use earthlink (cable) to send mail and bellsouth (dialup) to receive. That way I didn't have to change my email address for mailing lists or other interested parties. Here's an email header of mine (mangled from word wrap):

Return-Path: <[EMAIL PROTECTED]>
Received: from ibm31aec.bellsouth.net ([209.86.89.67])
        by imf09aec.mail.bellsouth.net with ESMTP
        id <[EMAIL PROTECTED]>
        for <[EMAIL PROTECTED]>; Wed, 1 Jun 2005 19:31:52 -0400
Received: from smtpauth07.mail.atl.earthlink.net ([209.86.89.67])
        by ibm31aec.bellsouth.net with ESMTP
        id <[EMAIL PROTECTED]>
        for <[EMAIL PROTECTED]>; Wed, 1 Jun 2005 19:31:51 -0400
Received: from [24.148.198.211] (helo=meerkats.mindspring.com)
        by smtpauth07.mail.atl.earthlink.net with asmtp (TLSv1:RC4-MD5:128)
        (Exim 4.34) id 1Ddcgh-0006Mv-KK
        for [EMAIL PROTECTED]; Wed, 01 Jun 2005 19:31:51 -0400
From: Craig Colton <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: test21

I think this is probably very similar to the headers you see except for the first record (and I guess belgarath is in there somewhere). I followed your suggestion, and deleted these records one by one and retested each time with SA. It wasn't until I ditched the top record, where earthlink hands off to bellsouth, that I got a clean score from SpamAssassin. It took a minute (okay, an hour) to sink in. Not only was the HELO request from my system to earthlink goofy, but apparently, so was the request from earthlink to bellsouth. That means that every piece of mail that I get that makes this exchange will come back with a FORGED_RCVD_HELO. This explains why, during my own tests, no matter what hostname I asked my client to send, it wouldn't work.
And it explains why I had so much incoming mail flagged by SA. The only mail _not_ flagged was stuff from my earthlink mailbox that didn't come through bellsouth. What a mess, huh?

One more thing. I haven't tested any others, but I'm wondering now whether "anything_I_want.mindspring.com" or "this_computer's_hostname_only" (per Matthew), or even "localhost" might work. Bernstein says the HELO parameter should be "a valid principal host domain name for the client host" (see http://cr.yp.to/smtp/helo.html - this doesn't seem exactly the same as fqdn), or a bracketed IP address. But I guess this is more about satisfying SpamAssassin than getting our SMTP protocol exactly right.

This has been fun. Thanks to you Declan, I now have almost enough information to start my own spam intensive _almost_legitimate_ drug company. I knew I was destined for the Big Time :-)

Regards,
Craig
-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
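The thread above is about working out which hop's HELO a SpamAssassin rule is objecting to, and whether a given HELO string even satisfies the rule Craig quotes from cr.yp.to/smtp/helo.html (a bracketed IP literal, or a host domain name). The script below is an added example, written for this page; it is not code from Craig, Declan, SpamAssassin or Exim, and it does not reproduce SpamAssassin's FORGED_RCVD_HELO logic. It parses each Received: hop, pulls out the HELO name and the connecting IP, and applies the offline half of the rule (syntax only). It assumes two common Received: layouts, Exim's "from [ip] (helo=name)" and the sendmail-style "from name ([ip])"; other MTAs need their own pattern. The sample headers are the three hops Craig posted (addresses redacted as on the page) plus a hop reconstructed from Declan's "helo=www" fragment, and the extra HELO strings it classifies are the ones Craig wonders about, so it goes slightly beyond the page's own cases. Checking that a name is the *principal* name for the client (forward DNS for the HELO agrees with the connecting IP) needs a resolver and is deliberately left out.

```python
"""Extract HELO name and client IP from Received: hops and apply the offline
(syntax-only) half of the HELO rule quoted in the message.

Added example for this page; not code from the thread or from SpamAssassin.
Assumption: Received: lines are unwrapped onto one line each and use either
Exim's  "from [ip] (helo=name)"  or sendmail's  "from name ([ip])"  layout.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the hops quoted in the message (addresses shown as
# <redacted>), plus a fourth hop reconstructed from the "helo=www" fragment in
# Declan's reply.  Newest hop first, as in a real message.
SAMPLE = """\
Received: from ibm31aec.bellsouth.net ([209.86.89.67]) by imf09aec.mail.bellsouth.net with ESMTP id <redacted> for <redacted>; Wed, 1 Jun 2005 19:31:52 -0400
Received: from smtpauth07.mail.atl.earthlink.net ([209.86.89.67]) by ibm31aec.bellsouth.net with ESMTP id <redacted> for <redacted>; Wed, 1 Jun 2005 19:31:51 -0400
Received: from [24.148.198.211] (helo=meerkats.mindspring.com) by smtpauth07.mail.atl.earthlink.net with asmtp (TLSv1:RC4-MD5:128) (Exim 4.34) id 1Ddcgh-0006Mv-KK for <redacted>; Wed, 01 Jun 2005 19:31:51 -0400
Received: from [24.148.198.211] (helo=www) by smtpauth07.mail.atl.earthlink.net with asmtp (Exim 4.34) id <redacted> for <redacted>; Wed, 01 Jun 2005 13:24:00 -0400
"""

# "from <clause> by <host>": everything between "from" and the first " by ".
HOP_RE = re.compile(r"^Received:\s+from\s+(?P<from>.*?)\s+by\s+(?P<by>[^\s;]+)", re.I | re.M)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")       # bracketed IPv4 literal
HELO_EQ_RE = re.compile(r"\bhelo=([^\s()]+)", re.I)         # Exim's explicit helo=
# RFC 1123 host label: letters/digits, hyphens only inside, 1-63 characters.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
LABEL_RE = re.compile(LABEL)
FQDN_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+$")           # at least one dot


@dataclass
class Hop:
    helo: Optional[str]   # what the client said in HELO/EHLO, as the receiver logged it
    ip: Optional[str]     # connecting address the receiver saw
    by: str               # receiving host
    verdict: str          # result of classify_helo(helo)


def classify_helo(helo: Optional[str]) -> str:
    """Syntax check only: IP literal or domain name passes, everything else does not.
    Whether a 'hostname' is really the client's principal name needs DNS."""
    if not helo:
        return "missing"
    if IP_RE.fullmatch(helo):
        return "ip-literal"
    if FQDN_RE.fullmatch(helo):
        return "hostname"
    if "." not in helo and LABEL_RE.fullmatch(helo):
        return "bare-name"   # e.g. "www" or "localhost": a label, but no domain
    return "invalid"         # underscores, apostrophes, empty labels, ...


def parse_received(headers: str) -> List[Hop]:
    """One Hop per Received: line, newest first."""
    hops: List[Hop] = []
    for m in HOP_RE.finditer(headers):
        frm = m.group("from")
        ip_m = IP_RE.search(frm)
        helo_m = HELO_EQ_RE.search(frm)
        if helo_m:                                   # Exim: from [ip] (helo=name)
            helo: Optional[str] = helo_m.group(1)
        else:                                        # sendmail: from name ([ip])
            parts = frm.split()
            first = parts[0] if parts else ""
            helo = None if (not first or IP_RE.fullmatch(first)) else first
        ip = ip_m.group(1) if ip_m else None
        hops.append(Hop(helo=helo, ip=ip, by=m.group("by"), verdict=classify_helo(helo)))
    return hops


def suspicious_hops(headers: str) -> List[Hop]:
    """Hops whose HELO is neither an IP literal nor a domain name: the ones a
    HELO check would reject before consulting DNS at all."""
    return [h for h in parse_received(headers) if h.verdict not in ("ip-literal", "hostname")]


if __name__ == "__main__":
    for h in parse_received(SAMPLE):
        print(f"{h.verdict:10} helo={h.helo!r:40} ip={h.ip} by={h.by}")
    print("suspicious:", [h.helo for h in suspicious_hops(SAMPLE)])
```

Run against the sample, only the "helo=www" hop comes back as suspicious; the three hops Craig posted all carry syntactically valid domain names, which is exactly why a syntax check alone cannot explain the FORGED_RCVD_HELO he saw on the earthlink-to-bellsouth hop: that needs the DNS comparison this example leaves out. The strings Craig wonders about sort as "invalid" (underscores and apostrophes are not allowed in host labels) or "bare-name" (localhost).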