[server-admins] CBL spam list
Greg Hellings
greg.hellings at gmail.com
Fri Jul 13 06:58:32 MST 2018
So are you looking for a way to properly configure spamassassin? What do
you want it to be configured to do?
--Greg
On Fri, Jul 13, 2018 at 2:23 AM Troy A. Griffitts <scribe at crosswire.org>
wrote:
> Hey guys. Peter has not received mail from us at his gmx address for a
> while now (I get all the automated bounce messages from jira) and, looking
> into it, gmx uses spamhaus to detect spam servers. Spamhaus says we're ok but
> they defer to CBL if we're listed there and then also list. We appear in
> CBL for 2 reasons. #2 I can probably figure out. #1 stems from my utter
> failure to properly configure spamassassin. I was putting this off until I
> get mail over to the host machine, but any help would be appreciated. Here
> is most of the CBL report. It goes on even longer about the same thing, if
> you can believe it:
>
>
>
> RESULTS OF LOOKUP
>
> 209.250.6.226 is listed
>
> This IP address was detected and listed 2 times in the past 28 days, and 0
> times in the past 24 hours. The most recent detection was at Tue Jul 3
> 07:05:00 2018 UTC +/- 5 minutes
>
> This IP is infected (or NATting for a computer that is infected) with an
> infection that is emitting spam.
>
> 209.250.6.226 was found to be using the following name as the HELO/EHLO
> parameter during connections: "localhost.localdomain".
>
> The CBL does not list for RFC violations per-se. This _particular_
> behaviour, however, correlates strongly to spambot infections. In other
> words, out of thousands upon thousands of IP addresses HELO'ing this way,
> all but a handful are infected and spewing junk. Even if it isn't an
> infection, it's a misconfiguration that should be fixed, because many spam
> filtering mechanisms operate with the same rules, and it's best to fix it
> regardless of whether the CBL notices it or not.
>
> DO NOT TELNET TO YOUR SERVER TO SEE WHAT IT SAYS. Telnet will show you the
> banner, not the HELO.
>
> EVEN IF YOU TEST YOUR MAIL SERVER SOFTWARE AND IT HELOS PROPERLY, THAT
> DOES NOT MEAN THAT THIS LISTING IS IN ERROR - YOUR IP REALLY DID HELO
> AS "localhost.localdomain". Our system doesn't make mistakes about this.
> This just means that something OTHER than your mail server software is
> making the connections. In fact, finding that your mail server
> is NOT HELO'ing as "localhost.localdomain" essentially proves this is an
> infection, not a misconfiguration.
>
> There is often confusion between the SMTP "banner" and the SMTP "HELO" (or
> EHLO) command. These are completely different things, and proper
> understanding is important.
>
> First some terminology (somewhat simplified to aid understanding):
>
> A "SMTP client" is a piece of software that makes SMTP connections to SMTP
> servers to send a piece of email to the server. Most E-mail servers consist
> of an "SMTP listener" (to listen for and handle connections made to them by
> SMTP clients), an SMTP client (to send emails to other mail servers) and a
> local delivery agent (LDA) to deliver email to "local" users (eg: via POP
> or IMAP).
>
> Thus, SMTP clients make connections to SMTP listeners, and issue SMTP
> commands to the listener.
>
> The "HELO" (or "EHLO") command (see RFC2821) is a command issued by the
> SMTP client to an SMTP server to identify the name of the client. "HELO
> mail.example.com" means, essentially, "Hi there, my name is
> mail.example.com".
>
> The "SMTP banner" is what the listener says in response to the initial
> connection or in response to the HELO command.
>
> The CBL works in many cases by seeing what SMTP clients say (in the
> HELO/EHLO command) when the client connects to a CBL detector. Since the
> CBL NEVER does SMTP probes, it has no way of knowing how a given IP banners.
>
> You can test SMTP banners with telnet and other similar diagnostic tools,
> but you CANNOT test SMTP HELO/EHLO with telnet.
>
> For that, you can send an email to helocheck at abuseat.org. That will
> reject the email (as an error), and the error will show you what the
> HELO/EHLO was.
>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
> _______________________________________________
> server-admins mailing list
> server-admins at crosswire.org
> http://www.crosswire.org/mailman/listinfo/server-admins
>
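To make the banner/HELO distinction in the report concrete, here is an added example (mine, not code from the list, from the CBL or from SpamAssassin): a toy SMTP listener and a toy client talk over an in-process socket pair, so you can see that the 220 banner is the listener's own text while the HELO argument is the client's claim, and a small helo_problems() check flags names like the "localhost.localdomain" the report quotes. The hostnames mx.example.org and mail.example.com, the function names and the sample HELO values are assumptions for the demo.

```python
"""Banner vs HELO/EHLO, plus a check for the HELO name the CBL flagged.

Added example; not code from the crosswire.org list, the CBL or SpamAssassin.
A toy listener and a toy client exchange SMTP over socket.socketpair(), which
stands in for a TCP connection to port 25. Hostnames are assumed for the demo.
"""
from __future__ import annotations

import re
import socket
import threading

BANNER_HOST = "mx.example.org"   # assumed name the listener puts in its 220 banner

# Loopback/default names that should never reach a public MX in a HELO.
# "localhost.localdomain" is the one the CBL report quoted; the other two are
# the partial forms of the same default.
BOGUS_HELO_NAMES = {"localhost", "localhost.localdomain", "localdomain"}

ADDRESS_LITERAL = re.compile(r"^\[\d{1,3}(?:\.\d{1,3}){3}\]$")   # [a.b.c.d]
FQDN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def helo_problems(name: str) -> list[str]:
    """Reasons a HELO/EHLO argument looks like a bot or a misconfiguration.

    An empty list means it is a fully qualified hostname or a bracketed
    address literal, the two forms RFC 5321 section 4.1.1.1 allows.
    """
    n = name.strip().lower()
    if not n:
        return ["empty HELO argument"]
    problems = []
    if n in BOGUS_HELO_NAMES:
        problems.append(f"default/loopback name {n!r}")
    if ADDRESS_LITERAL.match(n):
        return problems
    if "." not in n:
        problems.append("not fully qualified (no dot)")
    elif not FQDN.match(n):
        problems.append("not a syntactically valid hostname")
    return problems


def serve_one(conn: socket.socket, seen: list[str]) -> None:
    """Toy SMTP listener for one connection: send banner, record HELO, answer QUIT.

    This is the CBL-detector side: it learns the HELO only because the client
    sends it. The banner is the listener's own text and says nothing about HELO.
    """
    with conn, conn.makefile("rb") as rf, conn.makefile("wb") as wf:
        wf.write(f"220 {BANNER_HOST} ESMTP ready\r\n".encode()); wf.flush()  # banner
        verb, _, arg = rf.readline().decode(errors="replace").strip().partition(" ")
        if verb.upper() in ("HELO", "EHLO"):
            seen.append(arg)                                  # the client's claimed name
            wf.write(f"250 {BANNER_HOST} Hello {arg}\r\n".encode())
        else:
            wf.write(b"503 5.5.1 Send HELO/EHLO first\r\n")
        wf.flush()
        rf.readline()                                         # expect QUIT
        wf.write(b"221 2.0.0 Bye\r\n"); wf.flush()


def smtp_client(conn: socket.socket, helo_name: str) -> tuple[str, str]:
    """Behave like an SMTP client; return (banner we read, reply to our HELO).

    The banner is all that `telnet host 25` would show you; the HELO is what
    we *send*, which is what the CBL sees and what helocheck@abuseat.org echoes.
    """
    with conn, conn.makefile("rb") as rf, conn.makefile("wb") as wf:
        banner = rf.readline().decode().strip()
        wf.write(f"HELO {helo_name}\r\n".encode()); wf.flush()
        reply = rf.readline().decode().strip()
        wf.write(b"QUIT\r\n"); wf.flush()
        rf.readline()
    return banner, reply


def run_demo(names=("localhost.localdomain", "mail.example.com")) -> dict:
    """Run each constructed client against the toy listener; collect what both saw."""
    seen: list[str] = []
    out: dict = {}
    for name in names:
        server_side, client_side = socket.socketpair()
        t = threading.Thread(target=serve_one, args=(server_side, seen))
        t.start()
        banner, reply = smtp_client(client_side, name)
        t.join()
        out[name] = {"banner": banner, "reply": reply, "problems": helo_problems(name)}
    out["listener_saw"] = seen      # what a CBL-style detector would have recorded
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run it and the listener records localhost.localdomain for the first client, which helo_problems() flags, while mail.example.com passes. Two caveats the report itself makes: the check only says whether a given name is acceptable, and a clean result for your MTA's configured name (for Postfix that is myhostname / smtp_helo_name) does not clear the listing, because the bad HELO may be coming from some other process or a NATted host behind 209.250.6.226; the authoritative test remains mailing helocheck at abuseat.org from the host in question.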