[Mimedefang] Impersonated domains

Philip Prindeville philipp_subx at redfish-solutions.com
Fri Jun 1 18:19:16 EDT 2012


On 6/1/12 1:53 PM, kd6lvw at yahoo.com wrote:

> No idea here.  However, as long as the "HELO" hostname is valid (and not your host's name or "localhost" unless the connection is actually from you), it is acceptable under the RFCs/standards.  Multi-homed hosts can have mismatches because the name given is supposed to be the "primary" name while DNS will return the interface name (which need NOT match).
> 
> Random thought:  Both the SPF and MTX solutions to validate sending servers could be applied to the HELO name in some way, but I suggest scoring only -- no outright rejections at this time.  See if a further trend develops.

I've noticed that the impersonations inevitably come from DHCP address pools according to ZenBL.

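The scoring approach suggested in the quoted reply (score the HELO checks, no outright rejection yet), applied to the pattern Philip describes above (a HELO claiming an ISP's smtp host from a ZEN-listed dynamic pool), as an added example that is not from the original post and not MIMEDefang's own code: it parses mimedefang.pl's "helo:" log lines and scores each connection against constructed ZEN answers so it runs offline. The ZEN code families (PBL 127.0.0.10-11, XBL 127.0.0.4-7, SBL 127.0.0.2-3) follow Spamhaus's documented return codes; the hostnames, TEST-NET addresses, dynamic-name regex and score weights are assumptions.

```python
import re

# Constructed sample lines in the mimedefang.pl "helo:" log format discussed on
# the list; addresses (TEST-NET-1) and hostnames are made up, not from a real log.
SAMPLE_LOG = """\
May 27 03:25:33 mail mimedefang.pl[32097]: helo: 1.2.0.192.dynamic.isp.example (192.0.2.1:50758) said "helo smtp.isp.example"
May 27 04:34:45 mail mimedefang.pl[32097]: helo: [192.0.2.2] (192.0.2.2:1887) said "helo mail.other.example"
May 27 05:00:00 mail mimedefang.pl[32097]: helo: mx1.good.example (192.0.2.3:2500) said "helo mx1.good.example"
"""

# Constructed ZEN answers per IP so the example runs offline; a real filter
# would query <reversed-ip>.zen.spamhaus.org and receive these 127.0.0.x codes.
ZEN_BY_IP = {"192.0.2.1": ["127.0.0.11"], "192.0.2.2": ["127.0.0.4"], "192.0.2.3": []}

HELO_RE = re.compile(r'helo: (\S+) \((\d+\.\d+\.\d+\.\d+):\d+\) said "helo (\S+)"')
DYNAMIC_RE = re.compile(r"dynamic|dyn|dhcp|pool|ppp", re.I)  # assumed heuristic

def parse_helo_line(line):
    """Return (rdns_or_literal, ip, helo_name) from one 'helo:' log line, or None."""
    m = HELO_RE.search(line)
    return m.groups() if m else None

def score_helo(rdns, helo, zen_codes):
    """Score one connection; higher means closer to the impersonation pattern."""
    score, reasons = 0, []
    if rdns.startswith("["):                      # no PTR; mimedefang logs the literal
        score += 2; reasons.append("no rDNS")
    else:
        if DYNAMIC_RE.search(rdns):
            score += 2; reasons.append("dynamic-looking rDNS")
        if rdns.lower().rstrip(".") != helo.lower().rstrip("."):
            score += 1; reasons.append("HELO name differs from rDNS name")
    for code in zen_codes:                        # ZEN return-code families
        last = int(code.rsplit(".", 1)[1])
        if last in (10, 11):  score += 3; reasons.append("PBL: end-user address pool")
        elif 4 <= last <= 7:  score += 3; reasons.append("XBL: compromised host")
        elif last in (2, 3):  score += 3; reasons.append("SBL")
    return score, reasons

def score_log(text, zen_by_ip):
    """Map each connecting IP in the log text to its (score, reasons)."""
    out = {}
    for line in text.splitlines():
        rec = parse_helo_line(line)
        if rec:
            rdns, ip, helo = rec
            out[ip] = score_helo(rdns, helo, zen_by_ip.get(ip, []))
    return out

if __name__ == "__main__":
    for ip, (score, why) in score_log(SAMPLE_LOG, ZEN_BY_IP).items():
        print(ip, score, "; ".join(why))
```

In a real filter_helo the score would feed a threshold or a header rather than an immediate 554, matching the "scoring only" suggestion.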
