Spamhaus blacklisted our mdaemon server IP due to wrong HELO | MDaemon Technologies, Ltd.


  • since two weeks ago spamhaus kept on putting our IP address on the CSS blacklist - we've had few thing to fix from the guideline so we delisted ourselves few times after checking all the requirements.

    Now after 3 times they created a ticket for our case and state that our helo response is a localhost:

    Then something else is going on:

    (IP, UTC timestamp, HELO value)
    188.39.**  2023-05-30 18:40:00  localhost.localdomain
    188.39.**  2023-05-30 07:35:00  localhost.localdomain
    188.39.**  2023-05-28 07:05:00  localhost.localdomain
    188.39.**  2023-05-27 22:05:00  localhost.localdomain
    188.39.**  2023-05-27 17:05:00  localhost.localdomain

    Note the top one is after your message claiming the HELO is correct.

    Every time we have been blacklisted we checked our helo response by sending an email to helocheck@abuseat.org and response was proper FQDN with valid syntax - no error here.

    Is there any way that they could be getting the localhost.localdomain response from our IP? How do they test for HELO response, could it be the firewall sending HELO?

    I would appreciate any help, thank you



  • Yes, it could be the firewall or another SMTP server accepting inbound connections.  What do you get if you telnet to your IP address from the internet on port 25?  

    telnet $IP$ 25

    If you tell me your IP address I can check it for you. 


  • 188.39.253.226 we had our mailspecialist look at it and he says it seems perfectly fine. We are waiting for update from spamhaus but it seems we are stuck at the moment


  • Everything for the inbound side looks correct to me.  

    Can you send an email to domain-test@mdaemon.com and forward me the response that you get back?

    arron.caruth @ mdaemon.com 


  • Still waiting for a response from domain-test@mdaemon.com, not sure if it's normal (30min)


  • It's not normal, our server rejected the message because your IP is listed on spamhaus.  I've added the domain-test@mdaemon.com address to the DNS-BL allow list.  

    I can see in our logs that your server is announcing itself correctly.  

    Are there any other servers or services running behind your firewall that could be sending email?  For example, is your website sending email using Microsoft's SMTP service?    

    Is there any additional information available from spamhaus?

     


  • We have only one server running - mdaemon, port 25 is directed to this local server only on firewall. Before they sent the last test we had rdns set incorrectly, could it be the reason behind it? 

    This is explanation given by spamhaus with some guidelines:

    Thank you for contacting Spamhaus CSS Removals,

     

    Please use https://translate.google.com/ for language, if needed.

     

    188.39.253.*** is making SMTP connections which indicate that it is misconfigured. Some elements of your existing configuration create message characteristics identical to previously identified spam messages.

     

    Please align the mail server's HELO/EHLO 'localhost.localdomain' with proper DNS (forward and reverse) values for a mail server. Here is an example:

     

    Correct HELO/DNS/rDNS alignment for domain example.com:

    - Mail server HELO: mail.example.com

    - Mail server IP: 192.0.2.12

    - Forward DNS: mail.example.com -> 192.0.2.12

    - Reverse DNS: 192.0.2.12 -> mail.example.com

     

    Correcting an invalid HELO or a HELO/forward DNS lookup mismatch will stop the IP from being listed again.

     

    Points to consider:

     

    * Alignment: it is strongly recommended that the forward DNS lookup (domain name to IP address) and rDNS (IP to domain) of your IP should match the HELO value set in your server, if possible

    * The IP and the HELO value should both have forward and rDNS, and should resolve in public DNS

    * Ensure that the domain used in HELO actually exists!

     

    Additional points:

     

    * According to RFC, the HELO must be a fully qualified domain name (FQDN): "hostname.example.com" is an FQDN and "example.com" is not an FQDN.

    * The domain used should belong to your organisation.

    * HELO is commonly a server setting, not DNS.

     

    Contact your hosting provider for assistance if needed.

     

    You can test a server's HELO configuration by sending an email from it to helocheck@abuseat.org. A bounce that contains the required information will be returned immediately. It will look like an error, it is not. Please examine the contents of this email.

     

    If all settings are correct, you have a different problem, probably malware/spambot. Again, the HELO we are seeing is 'localhost.localdomain'. The last detection was at 2023-05-30 07:35:00 (UTC).

     

    For information on misconfigured or hacked SMTP servers and networks, please see this FAQ: https://www.spamhaus.org/faq/section/Hacked...%20Here's%20help#539

     

    CSS listings expire a few days after last detection. You can always open a ticket (or update an existing one) to inform us when and how the situation has been secured.
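The alignment rules Spamhaus lists above (HELO is an FQDN, forward DNS of the HELO name points at the sending IP, rDNS of the IP points back at the HELO name) as an added checker; this is example code, not part of the thread or of MDaemon. The DNS data is constructed and injected so it runs offline; the three-label FQDN rule is a simplification of the "hostname.example.com yes, example.com no" guidance.

```python
import re
import socket
from typing import Callable, List, Optional

# Constructed forward and reverse zones using the example values from the
# Spamhaus reply above; not real DNS data.
FORWARD = {"mail.example.com": "192.0.2.12", "example.com": "192.0.2.12"}
REVERSE = {"192.0.2.12": "mail.example.com"}

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_fqdn(helo: str) -> bool:
    """Simplified FQDN test: at least three valid labels (host.example.com)."""
    labels = helo.lower().rstrip(".").split(".")
    return len(labels) >= 3 and all(LABEL.match(lbl) for lbl in labels)


def check_alignment(helo: str, ip: str,
                    forward: Callable[[str], Optional[str]] = FORWARD.get,
                    reverse: Callable[[str], Optional[str]] = REVERSE.get) -> List[str]:
    """Return the list of alignment problems; an empty list means HELO,
    forward DNS and rDNS all agree, which is what the listing guidance asks for."""
    problems = []
    name = helo.lower().rstrip(".")
    if name in ("localhost", "localhost.localdomain"):
        problems.append("HELO is an OS default name, not a public hostname")
    if not is_fqdn(name):
        problems.append(f"HELO {helo!r} is not a fully qualified hostname")
    fwd = forward(name)
    if fwd is None:
        problems.append(f"HELO {helo!r} has no forward DNS record")
    elif fwd != ip:
        problems.append(f"forward DNS of {helo!r} is {fwd}, not {ip}")
    rev = reverse(ip)
    if rev is None:
        problems.append(f"{ip} has no reverse DNS record")
    elif rev.lower().rstrip(".") != name:
        problems.append(f"reverse DNS of {ip} is {rev!r}, not {helo!r}")
    return problems


# Live resolvers (network required); pass these instead of the stubs above.
def live_forward(name: str) -> Optional[str]:
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None
```

Run `check_alignment("mail.example.com", "192.0.2.12", live_forward, live_reverse)` with your own HELO and IP to test against public DNS.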

     


  • The only thing we did with that server last few years was changing the isp 2 months ago, but we adjusted everything I guess


  • Before they sent the last test we had rdns set incorrectly, could it be the reason behind it? 

    According to the report from spamhaus a server is announcing itself as localhost.localdomain.  It looks to me like this is happening with outbound sessions.  So the server is trying to send a message and when it does it is sending EHLO localhost.localdomain during the SMTP session.

    Is your firewall configured to allow other machines on the network to connect to the internet on port 25?  If it is, try configuring your firewall so that only your mail server is allowed to connect to the internet on port 25.  Any other connections on port 25 from the LAN can be redirected to the mail server or just dropped.   

     


  • @Arron I've got more details from spamhaus, but still can't wrap my head around it: does it mean the rejections are being sent back with wrong HELO?

    As of 12 hours after your request, this is still not fixed.

    This is likely a fundamental hostname problem. "localhost.localdomain" smells like some linux default.

     

    It appears that you are forwarding to outlook, getting rejected for spam there, then sending the rejections back to the forged sender.

     

    Possibly it is some robot fault detection


  • Let's look at the last 12 hours of your MDaemon logs and see if we can find anything.   If MDaemon is processing the messages and generating the NDR, it will be shown in the MDaemon logs.  

    Can spamhaus provide a copy of a message that is causing your IP to be blocked?

    Is your firewall configured to allow port 25 traffic to the internet from any workstation or server on your network?

     


  • @Arron

    Can I send the log (would it be only the smtp out one for 31st?) to your email address?

    I'll ask spamhaus for a copy but getting response might take a while.

    At the moment our network technician is working on checking/blocking port 25, so it could be possible that another device is using port 25.
    We tried to go through the log ourselves and were struggling to find anything. Does it mean most likely the improper communication was coming out of our network from another device?


  • Yes, you can send me the logs, arron.caruth @ mdaemon.com.  Please send the inbound SMTP, outbound SMTP, routing, and RAW logs for the 31st and I'll see what I can find.

     Does it mean most likely the improper communication was coming out of our network from another device?

    It seems likely, but at this point, I don't think I have enough information to know for sure.  


  • @Arron Thank you a lot, I've sent it using gmail (backhi3)


  • I'm not seeing anything in the logs that looks like it could be causing it, but without more details about the message causing the issue, we are basically looking for a needle in a haystack.

    I don't see any attempts by MDaemon to send mail using localhost.localdomain as the EHLO value.  I don't see any non delivery report emails being generated by MDaemon. 

    It could still be caused by MDaemon, but we are going to need details from the message that is causing the issue to be able to figure it out.
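The log check described in this post (which LAN host announced which EHLO name on outbound port-25 sessions) as an added example, not code from the thread or from MDaemon. The log lines are constructed for the example and use an invented firewall-style format, not MDaemon's own log format; adjust the regex to whatever your firewall or mail server actually writes.

```python
import re
from collections import Counter
from typing import Dict, Tuple

# Constructed outbound SMTP session log (firewall-style, one line per command).
# Two LAN hosts talk out on port 25; only 10.0.0.5 is the real mail server.
SAMPLE_LOG = """\
2023-05-31 07:35:01 [out] 10.0.0.5 -> 198.51.100.7:25  EHLO mail.example.com
2023-05-31 07:35:02 [out] 10.0.0.5 -> 198.51.100.7:25  MAIL FROM:<user@example.com>
2023-05-31 07:40:10 [out] 10.0.0.9 -> 203.0.113.44:25  EHLO localhost.localdomain
2023-05-31 07:40:11 [out] 10.0.0.9 -> 203.0.113.44:25  MAIL FROM:<>
2023-05-31 07:41:00 [out] 10.0.0.5 -> 198.51.100.7:25  HELO mail.example.com
"""

# Matches only the EHLO/HELO command of an outbound session and captures the
# LAN source address and the announced name.
GREETING_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[out\] (?P<src>\d+(?:\.\d+){3}) -> \S+\s+"
    r"(?:EHLO|HELO) (?P<name>\S+)$"
)


def announced_names(log_text: str, expected: str = "mail.example.com"
                    ) -> Tuple[Dict[str, Counter], Dict[str, Counter]]:
    """Count the EHLO/HELO names each LAN source announced and return
    (all_sources, offenders), where offenders are sources that announced
    anything other than the mail server's own FQDN."""
    seen: Dict[str, Counter] = {}
    for line in log_text.splitlines():
        m = GREETING_RE.match(line)
        if not m:
            continue
        seen.setdefault(m["src"], Counter())[m["name"].lower()] += 1
    offenders = {src: names for src, names in seen.items()
                 if set(names) != {expected.lower()}}
    return seen, offenders


if __name__ == "__main__":
    _, bad = announced_names(SAMPLE_LOG)
    for src, names in bad.items():
        print(f"{src} announced {dict(names)}; expected mail.example.com only")
```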

     


  • @Arron thank you, I've sent a request to spamhaus for more details of this message, let's see what the reply will be


  • @Arron Unfortunately no update from spamhaus.

    We've disabled one smtp service that was sending reports to outside (our network specialist says it most probably was the cause of it)

    Today we closed port 25 for any other device other than mailserver.

    I hope for good news from spamhaus today.

