[Mimedefang] Testing HELO

Cormack, Ken kcormack at acs.roadway.com
Tue Oct 14 09:31:04 EDT 2003


A gateway machine with both an internal and external interface may be
greeting you with its internal address.  The admin of that system would
need to correct that, but from your perspective it might be trying to send valid
mail.

-----Original Message-----
From: Joseph Brennan [mailto:brennan at columbia.edu]
Sent: Tuesday, October 14, 2003 9:27 AM
To: mimedefang at lists.roaringpenguin.com
Subject: [Mimedefang] Testing HELO



I'm testing that when a host says HELO with an IP, the IP is
actually that host's IP.

    # Don't HELO some other IP address.
    # Match a dotted quad, with or without the square brackets RFC 2821
    # requires for an address literal, and compare it with the address
    # of the connecting relay.
    if ($Helo =~ /^\[?([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\]?$/) {
        if ($1 ne $RelayAddr) {
            md_graphdefang_log('test', "Claimed_to_be_$Helo", $RelayAddr);
        }
    }

Most of what this gets is spam, as I expected.  But amazingly,
some legit hosts HELO with an IP that is not their own.  Or
not so amazingly maybe.



Some messages, spam and seeming legit, give a reserved 192.168 IP,
13 out of 45 mismatches logged so far:

Oct 14 08:40:42 marionberry.cc.columbia.edu mimedefang.pl[29719]:
 MDLOG,h9ECef1Z005069,test,Claimed_to_be_192.168.1.18,64.253.39.152,

Oct 14 08:50:07 marionberry.cc.columbia.edu mimedefang.pl[29719]:
 MDLOG,h9ECo51Z007601,test,Claimed_to_be_192.168.1.101,141.149.51.21,

Look at this one-- a mail bounce!--

Oct 14 09:09:30 marionberry.cc.columbia.edu mimedefang.pl[5698]:
 MDLOG,h9ED9U1Z013196,test,1000 Claimed_to_be_[192.168.1.10],4.43.118.150,
 <mailer-daemon at rollingstone.com>,<x at columbia.edu>,Delivery problems!



This one is interesting...

Oct 14 06:15:42 marionberry.cc.columbia.edu mimedefang.pl[7847]: 
MDLOG,h9EAFe1Z011414,test,Claimed_to_be_[140.32.132.66],131.120.18.61

...because the host seems to be confused what its own IP is:

Received: from [140.32.132.66] (ellis.ad.nps.navy.mil [131.120.18.61])
        by marionberry.cc.columbia.edu (8.12.10/8.12.8) with ESMTP id 
h9EAFe1Z011414
        for <x at columbia.edu>; Tue, 14 Oct 2003 06:15:41 -0400 (EDT)
Received: from no.name.available by [140.32.132.66]
          via smtpd (for [128.59.59.105]) with ESMTP; Tue, 14 Oct 2003 
03:14:17 -0700



So I don't think we can reject for this.  I might give it some
Spamassassin points.  I'm going to collect more data.



Joseph Brennan         Columbia University in the City of New York
Academic Technologies Group                   brennan at columbia.edu
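The check discussed in this thread, as an added stand-alone example that is not
code from either poster or from MIMEDefang itself. It is written in Python rather
than as a Perl filter fragment so it can be run directly over log lines: it
separates an IP-literal HELO that merely fails to match the relay from one that
names a private (RFC 1918, loopback or link-local) address, which is the NAT
gateway case described above, and tallies the MDLOG lines quoted in the post
(re-joined onto single lines here; the function names and return labels are this
example's own).

```python
import ipaddress
import re
from collections import Counter

# A HELO argument that is a bare IPv4 dotted quad, with or without the
# square brackets RFC 2821 requires for an address literal.
IPV4_LITERAL = re.compile(r"^\[?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]?$")


def classify_helo(helo, relay_addr):
    """Compare an IP-literal HELO against the connecting relay's address.

    Returns one of (labels chosen for this example):
      'not_ip_literal'   - HELO was a hostname, nothing to compare
      'match'            - HELO IP equals the relay IP
      'mismatch_private' - HELO IP is RFC 1918 / loopback / link-local; typical
                           of a NAT gateway greeting with its inside address
      'mismatch_public'  - HELO IP is routable but is not the relay's address
      'invalid'          - looked like a dotted quad but an octet is out of range
    """
    m = IPV4_LITERAL.match(helo)
    if not m:
        return "not_ip_literal"
    try:
        claimed = ipaddress.IPv4Address(m.group(1))
        relay = ipaddress.IPv4Address(relay_addr)
    except ValueError:
        return "invalid"
    if claimed == relay:
        return "match"
    if claimed.is_private or claimed.is_loopback or claimed.is_link_local:
        return "mismatch_private"
    return "mismatch_public"


# MDLOG record as written by md_graphdefang_log('test', "Claimed_to_be_$Helo",
# $RelayAddr): queue id, event name, the HELO value, the relay address.  One
# line in the post carries an extra leading number before the HELO field, so
# that is accepted optionally.
MDLOG_RE = re.compile(
    r"MDLOG,(?P<qid>[^,]+),test,(?:\d+ )?Claimed_to_be_(?P<helo>[^,]+),(?P<relay>[0-9.]+)"
)

# The four MDLOG lines from the post, each re-joined onto a single line.
SAMPLE_MDLOG = [
    "Oct 14 08:40:42 marionberry.cc.columbia.edu mimedefang.pl[29719]: "
    "MDLOG,h9ECef1Z005069,test,Claimed_to_be_192.168.1.18,64.253.39.152,",
    "Oct 14 08:50:07 marionberry.cc.columbia.edu mimedefang.pl[29719]: "
    "MDLOG,h9ECo51Z007601,test,Claimed_to_be_192.168.1.101,141.149.51.21,",
    "Oct 14 09:09:30 marionberry.cc.columbia.edu mimedefang.pl[5698]: "
    "MDLOG,h9ED9U1Z013196,test,1000 Claimed_to_be_[192.168.1.10],4.43.118.150,"
    "<mailer-daemon at rollingstone.com>,<x at columbia.edu>,Delivery problems!",
    "Oct 14 06:15:42 marionberry.cc.columbia.edu mimedefang.pl[7847]: "
    "MDLOG,h9EAFe1Z011414,test,Claimed_to_be_[140.32.132.66],131.120.18.61",
]


def tally_mdlog(lines):
    """Classify every 'test' MDLOG record in lines and count the outcomes."""
    counts = Counter()
    for line in lines:
        m = MDLOG_RE.search(line)
        if not m:
            continue
        counts[classify_helo(m.group("helo"), m.group("relay"))] += 1
    return counts


if __name__ == "__main__":
    for label, n in sorted(tally_mdlog(SAMPLE_MDLOG).items()):
        print(f"{label}: {n}")
```

Three of the four quoted mismatches fall in the private class and only the
140.32.132.66 case is a public-address mismatch, which is the split a filter
would want before deciding between a SpamAssassin score and a reject.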


_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang