[ctw] Re: ForgedHELO

  • From: IBS Ltd. <admin@xxxxxxxxxxxx>
  • To: ctw@xxxxxxxxxxxxx
  • Date: Fri, 10 Jul 2009 01:17:31 -0300

Good day Tom...

You sir just solved the issue - DoFakedUseLocalDomain was selected - the hotmail test worked this time....

When the test comes from hotmail - it says it is spoofed... when I reply to it - it sends it to a default address - not back to hotmail... I can not send anything to the outside world - only locally - and everything says it is spoofed - which is what I am guessing is why I can not email out....

disable smtp vrfy is not selected in eims


example:

        From:     admin@xxxxxxxxxxxx
        Subject:        test
        Date:   July 10, 2009 1:08:58 AM ADT
        To:       mytestaddress@xxxxxxxxxxx
        Return-Path:    <admin@xxxxxxxxxxxx>
        Received: from [10.0.1.2] (xxx.xx.xxx.xxx) by mail.mydoamin.com with ESMTP (EIMS X 3.3.9) for <admin@xxxxxxxxxxxx>; Fri, 10 Jul 2009 01:08:59 -0300
        Received: from [10.0.1.2] ([156.34.149.11] helo=[10.0.1.2]) with IPv4:587 by mail.mydomain.com; 10 Jul 2009 01:08:58 -0300
        Mime-Version:   1.0 (Apple Message framework v753.1)
        Content-Transfer-Encoding:      7bit
        Message-Id:     <4156B3F2-F66E-4500-8A9A-4E4B47B87402@xxxxxxxxxxxx>
        Content-Type:   text/plain
        X-Mailer:       Apple Mail (2.753.1)
        X-Assp-Score:   5 (Suspicious HELO - contains IP: '[10.0.1.2]')
        X-Assp-Score:   5 (IP in HELO does not match connection: '[10.0.1.2]')
        X-Assp-Score:   10 (user unknown admin@xxxxxxxxxxxx)
        X-Assp-Score:   20 (No Spoofing Allowed 'admin@xxxxxxxxxxxx')
        X-Assp-Spam-Level:      ****************
        X-Assp-Tag:     SpoofedSender
        X-Assp-Envelope-From:   admin@xxxxxxxxxxxx
        X-Assp-Version:         1.5.1.2(4.0.03)
        X-Assp-Id:      mail.ibsltd.nb.ca ()
        X-Assp-Spam:    YES
        X-Assp-Original-Subject:        test
        X-Assp-Block:   NO (alltestmode)
        X-Spam-Status:  YES
        X-Assp-Spam-Reason:     No Spoofing Allowed 'admin@xxxxxxxxxxxx'
        X-Assp-Message-Totalscore:      40

The log file...


Jul-10-09 01:06:54 156.34.149.11 <admin@xxxxxxxxxxxx> MessageScore is now 5, after adding 5 (Suspicious HELO - contains IP: '[10.0.1.2]')
Jul-10-09 01:06:54 156.34.149.11 <admin@xxxxxxxxxxxx> MessageScore is now 10, after adding 5 (IP in HELO does not match connection: '[10.0.1.2]')
Jul-10-09 01:06:55 156.34.149.11 <admin@xxxxxxxxxxxx> to: admin@xxxxxxxxxxxx MessageScore is now 30, after adding 20 (No Spoofing Allowed 'admin@xxxxxxxxxxxx')
Jul-10-09 01:06:55 [SpoofedSender][alltestmode] 156.34.149.11 <admin@xxxxxxxxxxxx> to: admin@xxxxxxxxxxxx [spam found] and passing because alltestmode, otherwise blocked (No Spoofing Allowed 'admin@xxxxxxxxxxxx') -> /applications/assp/discarded/6574.eml



On Jul 9, 2009, at 7:23 PM, Tom Shaw wrote:

I am about to release 1.5.1.3 so I do not have the exact same config as before

Do you have DoFakedUseLocalDomain set or do you use DoFakedUseLocalDomain?

At 9:38 PM -0300 7/8/09, IBS Ltd. wrote:
Using ASSP 1.5.1.2
Localdomains populated

I have searched through the list - not finding an answer... I am obviously missing something. <//www.freelists.org/post/ctw/Forged-Helos-Blocked-Now-invalid-local-sender>
- using the above my settings are the same as Tom's.

All hosts that connect are connecting as Forged -

Sample from log below: test from hotmail.

Jul-8-09 21:13:52 [ForgedHELO][alltestmode] 65.55.90.15 <ibsltd@xxxxxxxxxxx> to: info@xxxxxx [spam found] and passing because alltestmode, otherwise blocked (ForgedHELO:'snt0-omc1-s4.snt0.hotmail.com') -> /applications/assp/spam/6456.eml


Received: from snt0-omc1-s4.snt0.hotmail.com ([65.55.90.15] helo=snt0-omc1-s4.snt0.hotmail.com)
        with IPv4:25 by mail.XXX.ca; 8 Jul 2009 21:13:51 -0300
Received: from SNT102-W11 ([65.55.90.9]) by snt0-omc1-s4.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
         Wed, 8 Jul 2009 17:08:52 -0700
Message-ID: <SNT102-W119ED061A9060A05FA657CCB260@xxxxxxx>
Return-Path: XXX@xxxxxxxxxxx
Content-Type: multipart/alternative;
        boundary="_42c7b169-acdf-4780-a33a-bba737de351e_"
X-Originating-IP: [0.0.0.0]
From: XXX <XXX@xxxxxxxxxxx>
To: "info@xxxxxx" <info@xxxxxx>
Subject: test
Date: Wed, 8 Jul 2009 21:38:51 -0200
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 09 Jul 2009 00:08:52.0206 (UTC) FILETIME=[70F230E0:01CA0029]

--_42c7b169-acdf-4780-a33a-bba737de351e_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Any suggestions?

--Gary
Circle The Wagons
manage: //www.freelists.org/list/ctw post: mailto:ctw@xxxxxxxxxxxxx
unsubscribe: mailto:ctw-request@xxxxxxxxxxxxx?subject=unsubscribe
search: //www.freelists.org/archives/ctw
faq: //www.freelists.org/wiki/the_faq

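As an added illustration (not ASSP's code and not part of the thread), the Python below reimplements the four checks visible in the X-Assp-Score headers and log lines quoted above against constructed session facts: a local client submitting on port 587 with HELO '[10.0.1.2]' from a different address and a local-domain sender scores 40 and is tagged as spoofed, while exempting that submission source (or an authenticated session) scores 0, and the hotmail-style message scores 0 once its sender is not a local domain. The score values, the trusted_nets exemption and the known_users lookup are assumptions modelled on the headers, not ASSP settings; the domain is a placeholder.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed point values, taken from the X-Assp-Score headers quoted above.
SUSPICIOUS_HELO = 5    # Suspicious HELO - contains IP
HELO_IP_MISMATCH = 5   # IP in HELO does not match connection
USER_UNKNOWN = 10      # user unknown <sender>
NO_SPOOFING = 20       # No Spoofing Allowed '<sender>'

IP_IN_HELO = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

@dataclass
class Session:
    peer_ip: str          # address the client connected from
    helo: str             # HELO/EHLO argument as sent
    mail_from: str        # envelope sender
    rcpt_to: str
    authenticated: bool = False

@dataclass
class Policy:
    local_domains: set    # domains ASSP treats as its own
    known_users: set      # local addresses that verify (assumed stand-in for the VRFY check)
    trusted_nets: list = field(default_factory=list)  # submission sources exempt from checks

def score(s: Session, p: Policy) -> tuple:
    """Return (total score, reasons) for one SMTP session, mirroring the page's log lines."""
    peer = ipaddress.ip_address(s.peer_ip)
    if s.authenticated or any(peer in ipaddress.ip_network(n) for n in p.trusted_nets):
        return 0, []      # trusted submission: no HELO or sender policy applied
    total, reasons = 0, []
    m = IP_IN_HELO.search(s.helo)
    if m:
        total += SUSPICIOUS_HELO
        reasons.append(f"Suspicious HELO - contains IP: '{s.helo}'")
        if m.group(1) != s.peer_ip:   # literal in HELO differs from the connecting address
            total += HELO_IP_MISMATCH
            reasons.append(f"IP in HELO does not match connection: '{s.helo}'")
    sender_domain = s.mail_from.rsplit("@", 1)[-1].lower()
    if sender_domain in p.local_domains:
        if s.mail_from.lower() not in p.known_users:
            total += USER_UNKNOWN
            reasons.append(f"user unknown {s.mail_from}")
        total += NO_SPOOFING          # local-domain sender arriving from an untrusted peer
        reasons.append(f"No Spoofing Allowed '{s.mail_from}'")
    return total, reasons

# Constructed session matching the headers above (domain is a placeholder).
PAGE_SESSION = Session("156.34.149.11", "[10.0.1.2]", "admin@example.test", "admin@example.test")
PAGE_POLICY = Policy({"example.test"}, set())
```

Running score(PAGE_SESSION, PAGE_POLICY) yields 40 with the same four reasons as the headers; adding "156.34.149.11/32" to trusted_nets, or setting authenticated=True, yields 0.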
