[server-admins] CBL spam list
Troy A. Griffitts
scribe at crosswire.org
Fri Jul 13 00:23:28 MST 2018
Hey guys. Peter has not received mail from us at his gmx address for a while now (I get all the automated bounce messages from jira) and looking into gmx uses spamhaus to detect so servers. Spamhaus says we're ok but they defer to CBL if we're listed there and then also list. We appear in CBL for 2 reasons. #2 I can probably figure out. #1 stems from my utter failure to properly configure spamassassin. I was putting this off until I get mail over to the host machine, but any help would be appreciated. Here is most of the CBL report. It goes on even longer about the same thing, if you can believe it:
RESULTS OF LOOKUP
209.250.6.226 is listed
This IP address was detected and listed 2 times in the past 28 days, and 0 times in the past 24 hours. The most recent detection was at Tue Jul 3 07:05:00 2018 UTC +/- 5 minutes
This IP is infected (or NATting for a computer that is infected) with an infection that is emitting spam.
209.250.6.226 was found to be using the following name as the HELO/EHLO parameter during connections: "localhost.localdomain".
The CBL does not list for RFC violations per-se. This _particular_ behaviour, however, correlates strongly to spambot infections. In other words, out of thousands upon thousands of IP addresses HELO'ing this way, all but a handful are infected and spewing junk. Even if it isn't an infection, it's a misconfiguration that should be fixed, because many spam filtering mechanisms operate with the same rules, and it's best to fix it regardless of whether the CBL notices it or not.
DO NOT TELNET TO YOUR SERVER TO SEE WHAT IT SAYS. Telnet will show you the banner, not the HELO.
EVEN IF YOU TEST YOUR MAIL SERVER SOFTWARE AND IT HELOS PROPERLY, THAT DOES NOT MEAN THAT THIS LISTING IS IN ERROR - YOUR IP REALLY DID HELO AS "localhost.localdomain". Our system doesn't make mistakes about this. This just means that something OTHER than your mail server software is making the connections. In fact, finding that your mail server is NOT HELO'ing as "localhost.localdomain" essentially proves this is an infection, not a misconfiguration.
There is often confusion between the SMTP "banner" and the SMTP "HELO" (or EHLO) command. These are completely different things, and proper understanding is important.
First some terminology (somewhat simplified to aid understanding):
A "SMTP client" is a piece of software that makes SMTP connections to SMTP servers to send a piece of email to the server. Most E-mail servers consist of an "SMTP listener" (to listen for and handle connections made to them by SMTP clients), an SMTP client (to send emails to other mail servers) and a local delivery agent (LDA) to deliver email to "local" users (eg: via POP or IMAP).
Thus, SMTP clients make connections to SMTP listeners, and issue SMTP commands to the listener.
The "HELO" (or "EHLO") command (see RFC2821) is a command issued by the SMTP client to an SMTP server to identify the name of the client. "HELO mail.example.com" means, essentially, "Hi there, my name is mail.example.com".
The "SMTP banner" is what the listener says in response to the initial connection or in response to the HELO command.
The CBL works in many cases by seeing what SMTP clients say (in the HELO/EHLO command) when the client connects to a CBL detector. Since the CBL NEVER does SMTP probes, it has no way of knowing how a given IP banners.
You can test SMTP banners with telnet and other similar diagnostic tools, but you CANNOT test SMTP HELO/EHLO with telnet.
For that, you can send an email to helocheck at abuseat.org. That will reject the email (as an error), and the error will show you what the HELO/EHLO was.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
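The banner-versus-HELO distinction the CBL text above insists on, as an added example that is not part of the original post or of the CBL's own code: a minimal SMTP listener on loopback that records what the connecting client says in HELO/EHLO and then rejects MAIL FROM with a 550 echoing it (the same trick helocheck uses), next to a "telnet-style" read that only ever sees the listener's banner. The listener name mx.example.net, the sender and recipient addresses, and the client HELO names are all assumed/constructed for the demo.

```python
"""Added example: how a CBL-style detector sees your HELO/EHLO, and why
telnet cannot. Not the CBL's code; names below are constructed."""
import smtplib
import socket
import threading

LISTENER_NAME = "mx.example.net"               # assumed name of the test listener
BANNER = f"220 {LISTENER_NAME} ESMTP ready"    # what the LISTENER says on connect


def _serve_one(srv, captured):
    """Handle a single SMTP client: record its HELO/EHLO argument, then reject
    MAIL FROM with a 550 that echoes it back (what helocheck does)."""
    conn, _ = srv.accept()
    with conn, conn.makefile("rb") as rd:
        conn.sendall((BANNER + "\r\n").encode())
        for raw in rd:
            verb, _, arg = raw.decode("ascii", "replace").rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                captured["helo"] = arg          # this is what the CBL keys on
                conn.sendall(f"250 {LISTENER_NAME}\r\n".encode())
            elif verb == "MAIL":
                helo = captured.get("helo", "<none>")
                conn.sendall(f"550 5.7.1 Rejected: you said HELO {helo}\r\n".encode())
            elif verb == "QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:                               # RSET, NOOP, ...
                conn.sendall(b"250 OK\r\n")


def _start_listener():
    """Bind an ephemeral loopback port and serve exactly one client in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    captured = {}
    t = threading.Thread(target=_serve_one, args=(srv, captured), daemon=True)
    t.start()
    return srv, captured, t


def read_banner():
    """What 'telnet host 25' shows: the listener's banner, nothing about HELO."""
    srv, _, t = _start_listener()
    try:
        with socket.create_connection(("127.0.0.1", srv.getsockname()[1])) as s:
            return s.recv(1024).decode().rstrip("\r\n")
    finally:
        t.join(5)
        srv.close()


def probe_helo(helo_name):
    """Connect as an SMTP client identifying itself as helo_name (smtplib's
    local_hostname, which defaults to the box's FQDN if you don't set it).
    Returns (what the listener recorded, the 550 text the sender got back)."""
    srv, captured, t = _start_listener()
    port = srv.getsockname()[1]
    try:
        with smtplib.SMTP("127.0.0.1", port, local_hostname=helo_name, timeout=5) as c:
            c.sendmail("test@example.net", ["helocheck@example.net"],
                       "Subject: helo test\r\n\r\nbody")
        return captured.get("helo"), None      # not reached: MAIL FROM is rejected
    except smtplib.SMTPSenderRefused as e:
        return captured.get("helo"), e.smtp_error.decode()
    finally:
        t.join(5)
        srv.close()


if __name__ == "__main__":
    print("banner seen by a telnet-style connect:", read_banner())
    for name in ("localhost.localdomain", "mail.example.org"):
        print("client sent HELO", name, "->", probe_helo(name))
```

The first call shows that a bare connect only yields the banner the listener chose; the second shows that the HELO name is entirely the client's doing, which is why the CBL text says to check it by sending mail rather than by telnetting in. On a real MTA the outbound name comes from its own setting (Postfix: `smtp_helo_name`, which defaults to `$myhostname`; "localhost.localdomain" is the stock hostname of an unconfigured box), so if your MTA already HELOs with a proper FQDN and the CBL still records "localhost.localdomain", something else on the host or behind the same NAT is opening port-25 connections, and the next step is to find which process does (for example `ss -tnp '( dport = :25 )'` while it happens).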