In the logs I have been seeing some forged-HELO lines, and sometimes
couldn't work out why they were triggered. I disabled my trusted paths and
sent an email from one address with my ISP "[EMAIL PROTECTED]" to a work
email address "[EMAIL PROTECTED]", which was downloaded and forwarded to a
local email address "[EMAIL PROTECTED]". It's a bit complicated, but
basically these are the hops the email took:
1) From a local PC (192.168.0.12) to our server (arkbb.co.uk)
2) From our mailserver (arkbb.co.uk) to our ISP (ntl.com)
3) From ntl.com to ntl.com internal relay
4) From ntl.com to clara.net
5) We downloaded it from clara.net and relayed to local AV gateway (server)
6) From AV gateway (server) to local mailserver (arkbb.co.uk)
A nice circular trip.
Here are the received headers for that email:
Received: from [127.0.0.1] by arkbb.co.spam.uk with SMTP (HELO server.)
(ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.7.8)); Tue,
31 May 2005 12:26:57 +0100
Received: from exchange-pop3-connector.com ([127.0.0.1])
by server. (NAVGW 2.5.2.12) with SMTP id M2005053112260423877
for <[EMAIL PROTECTED]>; Tue, 31 May 2005 12:26:05 +0100
Return-Path: <[EMAIL PROTECTED]>
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Tue, 31 May 2005 12:14:50 +0100
Received: from smtpout16.mailhost.ntl.com ([212.250.162.16]
helo=mta08-winn.mailhost.ntl.com)
by mx3.mail.uk.clara.net with esmtp (Exim 4.46)
id 1Dd4hu-0003LP-DY
for [EMAIL PROTECTED]; Tue, 31 May 2005 12:14:50 +0100
Received: from aamta02-winn.mailhost.ntl.com ([212.250.162.8])
by mta08-winn.mailhost.ntl.com with ESMTP
id
<[EMAIL PROTECTED]
ntl.com>
for <[EMAIL PROTECTED]>; Tue, 31 May 2005 12:14:49 +0100
Received: from arkbb.co.spam.uk ([81.104.195.141])
by aamta02-winn.mailhost.ntl.com with ESMTP
id
<[EMAIL PROTECTED]>
for <[EMAIL PROTECTED]>; Tue, 31 May 2005 12:14:49 +0100
Received: from [192.168.0.12] by arkbb.co.spam.uk with SMTP (EHLO
[127.0.0.1])
This is the debug log showing the parsing of the received headers. As I had
disabled my trusted path, only 127.0.0.1 was detected as trusted.
debug: IP is reserved, not looking up PTR: 127.0.0.1
debug: received-header: parsed as [ ip=127.0.0.1 rdns= helo=
by=arkbb.co.spam.uk ident= envfrom= intl=0 id= auth= ]
debug: received-header: parsed as [ ip=127.0.0.1
rdns=exchange-pop3-connector.com helo=exchange-pop3-connector.com by=server.
ident= envfrom= intl=0 id=M2005053112260423877 auth= ]
debug: received-header: parsed as [ ip=212.250.162.16
rdns=smtpout16.mailhost.ntl.com helo=mta08-winn.mailhost.ntl.com
by=mx3.mail.uk.clara.net ident= envfrom= intl=0 id=1Dd4hu-0003LP-DY auth= ]
debug: looking up PTR record for '212.250.162.8'
debug: PTR for '212.250.162.8': 'mailhost.ntl.com'
debug: received-header: parsed as [ ip=212.250.162.8 rdns=mailhost.ntl.com
helo=aamta02-winn.mailhost.ntl.com by=mta08-winn.mailhost.ntl.com ident=
envfrom= intl=0
[EMAIL PROTECTED]
t.ntl.com auth= ]
debug: looking up PTR record for '81.104.195.141'
debug: PTR for '81.104.195.141': 'cpc1-cmbg5-4-0-cust141.cmbg.cable.ntl.com'
debug: received-header: parsed as [ ip=81.104.195.141
rdns=cpc1-cmbg5-4-0-cust141.cmbg.cable.ntl.com helo=arkbb.co.spam.uk
by=aamta02-winn.mailhost.ntl.com ident= envfrom= intl=0
[EMAIL PROTECTED]
auth= ]
debug: IP is reserved, not looking up PTR: 192.168.0.12
debug: received-header: parsed as [ ip=192.168.0.12 rdns= helo=
by=arkbb.co.spam.uk ident= envfrom= intl=0 id= auth= ]
debug: received-header: relay 127.0.0.1 trusted? yes internal? yes
debug: received-header: relay 127.0.0.1 trusted? yes internal? yes
debug: received-header: relay 212.250.162.16 trusted? no internal? no
debug: received-header: relay 212.250.162.8 trusted? no internal? no
debug: received-header: relay 81.104.195.141 trusted? no internal? no
debug: received-header: relay 192.168.0.12 trusted? no internal? no
debug: metadata: X-Spam-Relays-Trusted: [ ip=127.0.0.1 rdns= helo=
by=arkbb.co.spam.uk ident= envfrom= intl=1 id= auth= ] [ ip=127.0.0.1
rdns=exchange-pop3-connector.com helo=exchange-pop3-connector.com by=server.
ident= envfrom= intl=1 id=M2005053112260423877 auth= ]
debug: metadata: X-Spam-Relays-Untrusted: [ ip=212.250.162.16
rdns=smtpout16.mailhost.ntl.com helo=mta08-winn.mailhost.ntl.com
by=mx3.mail.uk.clara.net ident= envfrom= intl=0 id=1Dd4hu-0003LP-DY auth= ]
[ ip=212.250.162.8 rdns=mailhost.ntl.com helo=aamta02-winn.mailhost.ntl.com
by=mta08-winn.mailhost.ntl.com ident= envfrom= intl=0
[EMAIL PROTECTED]
t.ntl.com auth= ] [ ip=81.104.195.141
rdns=cpc1-cmbg5-4-0-cust141.cmbg.cable.ntl.com helo=arkbb.co.spam.uk
by=aamta02-winn.mailhost.ntl.com ident= envfrom= intl=0
[EMAIL PROTECTED]
auth= ] [ ip=192.168.0.12 rdns= helo= by=arkbb.co.spam.uk ident= envfrom=
intl=0 id= auth= ]
Here is the log showing the SPF tests and showing the forged-HELO lines:
debug: registering glue method for check_for_spf_helo_pass
(Mail::SpamAssassin::Plugin::SPF=HASH(0x266ed2
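An added example, not from the original post and not SpamAssassin's own code: a small Python script that parses a Received: chain like the one above into the same ip/rdns/helo/by/id fields the debug log shows, splits the relays into trusted and untrusted using the "trusted relays are the leading run of hops from the top" rule, and flags HELO names that disagree with the connecting host's reverse DNS. The header list and the PTR table are constructed from the lines in the post (dates, the archive's "[EMAIL PROTECTED]" recipients and the redacted ntl.com message-ids are left out); the header-parsing rules and the suspicious_helo() heuristic are my own approximation and will not match SpamAssassin's output field for field.

```python
import ipaddress
import re

# Constructed sample: the Received: chain from the post, unfolded, newest hop
# first, with dates, redacted recipients and redacted message-ids left out.
SAMPLE_RECEIVED = [
    "from [127.0.0.1] by arkbb.co.spam.uk with SMTP (HELO server.) "
    "(ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.7.8))",
    "from exchange-pop3-connector.com ([127.0.0.1]) by server. (NAVGW 2.5.2.12) "
    "with SMTP id M2005053112260423877",
    "from smtpout16.mailhost.ntl.com ([212.250.162.16] "
    "helo=mta08-winn.mailhost.ntl.com) by mx3.mail.uk.clara.net with esmtp "
    "(Exim 4.46) id 1Dd4hu-0003LP-DY",
    "from aamta02-winn.mailhost.ntl.com ([212.250.162.8]) "
    "by mta08-winn.mailhost.ntl.com with ESMTP",
    "from arkbb.co.spam.uk ([81.104.195.141]) by aamta02-winn.mailhost.ntl.com "
    "with ESMTP",
    "from [192.168.0.12] by arkbb.co.spam.uk with SMTP (EHLO [127.0.0.1])",
]

# Constructed offline stand-in for the PTR lookups shown in the debug log.
PTR_TABLE = {
    "212.250.162.8": "mailhost.ntl.com",
    "81.104.195.141": "cpc1-cmbg5-4-0-cust141.cmbg.cable.ntl.com",
}

HEAD_RE = re.compile(r"from\s+(?P<name>\S+)\s*(?:\((?P<paren>[^)]*)\))?")
IP_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"\((?:HELO|EHLO)\s+([^)\s]+)\)", re.I)


def is_reserved(ip):
    """Loopback/private/link-local addresses have no meaningful PTR record."""
    a = ipaddress.ip_address(ip)
    return a.is_loopback or a.is_private or a.is_link_local or a.is_reserved


def parse_received(hdr, ptr_table=PTR_TABLE):
    """Extract ip/rdns/helo/by/id from one unfolded Received: header value."""
    m = HEAD_RE.match(hdr)
    if not m:
        return None
    name, paren = m.group("name"), m.group("paren") or ""
    ipm = IP_RE.search(name) or IP_RE.search(paren)
    ip = ipm.group("ip") if ipm else ""

    helo_m = re.search(r"\bhelo=(\S+)", paren, re.I) or HELO_RE.search(hdr)
    if helo_m:
        helo = helo_m.group(1)
    elif not name.startswith("["):
        helo = name          # "from NAME ([ip])": NAME is what the client said
    else:
        helo = ""

    if paren and "helo=" in paren.lower() and not name.startswith("["):
        rdns = name          # Exim style: "from RDNS ([ip] helo=HELO)"
    elif ip and not is_reserved(ip):
        rdns = ptr_table.get(ip, "")   # would be a real PTR lookup in production
    else:
        rdns = ""

    by_m = re.search(r"\bby\s+(\S+)", hdr)
    id_m = re.search(r"\bid\s+(\S+)", hdr)
    return {
        "ip": ip, "rdns": rdns, "helo": helo,
        "by": by_m.group(1).rstrip(";") if by_m else "",
        "id": id_m.group(1).rstrip(";") if id_m else "",
    }


def parse_chain(headers, ptr_table=PTR_TABLE):
    return [r for r in (parse_received(h, ptr_table) for h in headers) if r]


def split_relays(relays, trusted_networks):
    """Trusted relays are the leading run of hops (newest first) inside
    trusted_networks; the first hop outside them and everything after it,
    including a LAN address that reappears further down, is untrusted."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted, untrusted = [], []
    for r in relays:
        addr = ipaddress.ip_address(r["ip"]) if r["ip"] else None
        if not untrusted and addr is not None and any(addr in n for n in nets):
            trusted.append(r)
        else:
            untrusted.append(r)
    return trusted, untrusted


def base_domain(host):
    # Last two labels only; a real check needs the public suffix list so that
    # a name like "arkbb.co.uk" is not reduced to "co.uk".
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def suspicious_helo(relay):
    """Heuristic (mine, not SpamAssassin's): flag a HELO that is an address
    literal other than the connecting IP, or whose domain differs from the
    domain of the connecting host's reverse DNS."""
    helo, rdns, ip = relay["helo"], relay["rdns"], relay["ip"]
    if not helo:
        return False
    if helo.startswith("["):
        return helo.strip("[]") != ip
    if not rdns:
        return False
    return base_domain(helo) != base_domain(rdns)


def fmt(relay):
    return "[ " + " ".join(f"{k}={v}" for k, v in relay.items()) + " ]"


if __name__ == "__main__":
    relays = parse_chain(SAMPLE_RECEIVED)
    # Only loopback trusted, as in the post after disabling the trusted path.
    trusted, untrusted = split_relays(relays, ["127.0.0.0/8"])
    print("trusted:")
    for r in trusted:
        print("  " + fmt(r))
    print("untrusted:")
    for r in untrusted:
        flag = "  <-- HELO does not match rDNS" if suspicious_helo(r) else ""
        print("  " + fmt(r) + flag)
```

Run with only 127.0.0.0/8 trusted, the two loopback hops land in the trusted set and the four below them, including the originating 192.168.0.12 hop at the bottom, are untrusted; because trust is a prefix of the chain, adding 192.168.0.0/16 to trusted_networks would not change that once the ntl.com hops sit above it, which is what a round trip through an external ISP does. Of the untrusted hops, the one from 81.104.195.141 (HELO arkbb.co.spam.uk, rDNS in cable.ntl.com) and the LAN hop that said EHLO [127.0.0.1] are the two the heuristic flags; the ntl.com-to-ntl.com hops pass because HELO and rDNS share a domain.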