Re: Bad Helo Host impersonating

Wed, 23 Mar 2011 01:10:43 -0700 

On Tue, 22 Mar 2011, jon1234 wrote:





From where do they get that bounce message? From a host internal to your
network or from hosts out on the Internet?


The bounce message is only when they send certain domains that are external
to our network.



If that's coming from an internal MTA, I'd suggest that MTA doesn't
believe your Exchange server is a legitimate source for mail from your
domain. If that's coming from external MTA(s) then others on the public
Internet apparently don't believe your public IP address is a legitimate
source for mail from your domain. Do you publish SPF information or use
Domainkeys? Has your public MTA's internet IP address changed recently?


AFAIK we arent using Domainkeys, we use DynDNS.com and a check on our SPF
records gives

"The TXT records found for your domain are:
v=spf1 ip4:202.44.190.48/28 ~all

SPF records should also be published in DNS as type SPF records.

No type SPF records found.

Checking to see if there is a valid SPF record.

Found v=spf1 record for afnsecurity.com:
v=spf1 ip4:202.44.190.48/28 ~all "

the external IP of the exchange server is 202.44.190.49.. could this be the
cause? If so why would only certain domains be giving the error?

Regards,
Jon


Some people may have their level of paranoia WRT SPF mis-match cranked up.


The other possible cause of those rejects is that your full-circle-DNS is 
FUBAR. EG:


$ host afnsecurity.com
 afnsecurity.com has address 202.44.190.61
 afnsecurity.com mail is handled by 50 mx2.mailhop.org.
 afnsecurity.com mail is handled by 60 mx1.afnsecurity.com.
 afnsecurity.com mail is handled by 10 mx1.afnsecurity.com.
$ host 202.44.190.61
 61.190.44.202.in-addr.arpa domain name pointer 
202.44.190.61.static.nexnet.net.au.
$ host 202.44.190.49
 49.190.44.202.in-addr.arpa domain name pointer 
202.44.190.49.static.nexnet.net.au.

  afnsecurity.com != 202.44.190.61.static.nexnet.net.au

Thus the claim that you are an imposterer


any chance you can get your ISP to fix that DNS reverse map and those SPF 
records?




--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{






















					Reply via email to