On Wednesday 01 June 2005 01:24 pm, Declan Moriarty wrote:

> I saved off one of your mails here, and tried it. That header gives a
> FORGED_RCVD_HELO. This one
> Received: from [24.148.198.211] (helo=www) etc.
>
> does not.  Your host does not ping when it is not online. I have just
> pinged www.ccolton.com, and nothing is there, because, I presume, your
> box is off :-/. 

This machine is always on. If it doesn't ping - something else is wrong. It 
pings from here, but without a lot of effort, it's hard to tell whether it's 
an external or internal ping.

> But just having the helo from a hostname solves the 
> problem. Windows boxen only know about their hostname, and a domain is
> only associated with specific settings on an interface. They pass this
> test, and they haven't a breeze about their fqdn. I have postfix saying
> helo as a host, not an fqdn, and the sky doesn't fall in. Your actual
> fqdn from the internet is going to be
>
> user-0c99hmj.cable.mindspring.com (according to djb's dnsname)

Hee, hee - I tried that one.
>
> and you can't set up the appropriate record for www.ccolton.com because
> earthlink.net or mindspring.com already has. What smtp mail program
> are you running?

I am not running a mail server. The only thing between me and earthlink would 
be Kmail and my router.

> I'll bet you haven't tried that mindspring.com 
> in your settings. Well, I did, and after the wait for dns tests, I got
>
> Content analysis details:   (1.5 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.5 HELO_DYNAMIC_HCC       Relay HELO'd using suspicious hostname (HCC)
> -6.0 USER_IN_WHITELIST_TO   User is listed in 'whitelist_to'
>  6.0 USER_IN_BLACKLIST_TO   User is listed in 'blacklist_to'
>
> So you lost the FORGED_RCVD_HELO (by giving the genuine one) but picked
> up this HELO_DYNAMIC_HCC :-/.  Changing the one last time to
> meerkats.mindspring.com killed that. Way to go!!
> --
>
Thanks for that investigation. Through "nslookup" I had found the mindspring - 
earthlink tie-in, but something else had been screwing up my own tests (see 
below). So even if I had been smart enough to find the right hostname I would 
have gotten a negative.  You've been more than helpful.

Long and NotRequiredReading Sidenote:

When I first got a broadband connection about a year ago, I decided to keep my 
old dialup account going, since it only costs me about 5.00 a month with a 
package deal through my phone company. I thought it would make a good backup, 
and it allowed me to keep my email account.

So I set things up to use earthlink (cable) to send mail and bellsouth 
(dialup) to receive. That way I didn't have to change my email address for 
mailing lists or other interested parties. Here's an email header of mine 
(mangled from word wrap):

Return-Path: <[EMAIL PROTECTED]>
 Received: from ibm31aec.bellsouth.net ([209.86.89.67])
          by imf09aec.mail.bellsouth.net with ESMTP
          id <[EMAIL PROTECTED]>
          for <[EMAIL PROTECTED]>; Wed, 1 Jun 2005 19:31:52 -0400
 Received: from smtpauth07.mail.atl.earthlink.net ([209.86.89.67])
          by ibm31aec.bellsouth.net with ESMTP
          id <[EMAIL PROTECTED]>
          for <[EMAIL PROTECTED]>; Wed, 1 Jun 2005 19:31:51 -0400
 Received: from [24.148.198.211] (helo=meerkats.mindspring.com)
        by smtpauth07.mail.atl.earthlink.net with asmtp (TLSv1:RC4-MD5:128)
        (Exim 4.34)
        id 1Ddcgh-0006Mv-KK
        for [EMAIL PROTECTED]; Wed, 01 Jun 2005 19:31:51 -0400
 From: Craig Colton <[EMAIL PROTECTED]>
 To: [EMAIL PROTECTED]
 Subject: test21

I think this is probably very similar to the headers you see except for the 
first record (and I guess belgarath is in there somewhere). 

I followed your suggestion, and deleted these records one by one and retested 
each time with SA. It wasn't until I ditched the top record - where earthlink 
hands off to bellsouth - that I got a clean score from SpamAssassin.

It took a minute (okay, an hour) to sink in. Not only was the HELO request 
from my system to earthlink goofy, but apparently, so was the request from 
earthlink to bellsouth. That means that every piece of mail I get that 
makes this exchange will come back with a FORGED_RCVD_HELO.

This explains why, during my own tests, no matter what hostname I asked my 
client to send - it wouldn't work. And it explains why I had so much incoming 
mail flagged by SA. The only mail _not_ flagged was stuff from my earthlink 
mailbox that didn't come through bellsouth. What a mess, huh?

One more thing. I haven't tested any others, but I'm wondering now whether 
"anything_I_want.mindspring.com" or  "this_computer's_hostname_only" (per 
Matthew), or even "localhost" might work. Bernstein says the HELO parameter 
should be "a valid principal host domain name for the client host" (see 
http://cr.yp.to/smtp/helo.html - this doesn't seem exactly the same as fqdn), 
or a bracketed IP address. But I guess this is more about satisfying 
SpamAssassin than getting our SMTP protocol exactly right.

This has been fun. Thanks to you Declan, I now have almost enough information 
to start my own spam intensive _almost_legitimate_ drug company. I knew I was 
destined for the Big Time :-)

Regards,
Craig
-- 
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
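Added example, not part of the thread or of SpamAssassin: a small Python audit of the Received chain quoted in the message above. It pulls the HELO name, connecting IP and relay out of each hop (both the Exim "from [ip] (helo=name)" form and the "from name ([ip])" form seen in the sample) and checks the HELO against the two syntactic shapes the cited cr.yp.to page allows, a dotted host name or a bracketed IP literal. The sample lines are constructed from the message's own headers with the wrapped id/for fields dropped; SpamAssassin's real rule logic and any DNS lookups are not reproduced.

```python
import re
import ipaddress

# Constructed from the Received: lines quoted in the message above (ids and
# redacted addresses dropped), in the order they appear: newest hop first.
SAMPLE_RECEIVED = [
    "from ibm31aec.bellsouth.net ([209.86.89.67]) by imf09aec.mail.bellsouth.net with ESMTP",
    "from smtpauth07.mail.atl.earthlink.net ([209.86.89.67]) by ibm31aec.bellsouth.net with ESMTP",
    "from [24.148.198.211] (helo=meerkats.mindspring.com) by smtpauth07.mail.atl.earthlink.net with asmtp",
]

# Exim writes "from [ip] (helo=name)"; sendmail/postfix write "from name ([ip])".
EXIM_RE = re.compile(r"from \[(?P<ip>[\d.]+)\] \(helo=(?P<helo>[^)\s]+)\)")
NAMED_RE = re.compile(r"from (?P<helo>\S+) \(\[(?P<ip>[\d.]+)\]\)")
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_hop(line):
    """Return (helo, connecting_ip, relay) for one Received: line, or None."""
    m = EXIM_RE.search(line) or NAMED_RE.search(line)
    by = re.search(r"\bby (\S+)", line)
    if not m or not by:
        return None
    return m.group("helo"), m.group("ip"), by.group(1)


def helo_is_well_formed(helo):
    """Syntactic check only: a dotted domain name or a bracketed IPv4 literal.
    Whether the name is really the client's own would need DNS; not done here."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ipaddress.IPv4Address(helo[1:-1])
            return True
        except ValueError:
            return False
    labels = helo.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def audit_chain(received):
    """One dict per hop: HELO, connecting IP, relay and whether the HELO is well formed."""
    findings = []
    for line in received:
        hop = parse_hop(line)
        if hop is None:
            findings.append({"line": line, "parsed": False})
            continue
        helo, ip, relay = hop
        findings.append({"helo": helo, "ip": ip, "relay": relay,
                         "well_formed": helo_is_well_formed(helo), "parsed": True})
    return findings
```

Note that a bare "www" fails this check while user-0c99hmj.cable.mindspring.com passes it; the latter was scored by HELO_DYNAMIC_HCC for a reason the syntax check does not model.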
