How to test outbound SMTP HELO response for a possible Websense Email security issue?

Posted on 2012-09-05
Medium Priority
Last Modified: 2012-09-06
A client of mine was recently downgraded on senderbase.org from Good to Neutral.  This caused a few bounce backs and is obviously something I want to resolve as soon as possible.  I contacted Senderbase support and got this response:

SenderBase uses a variety of techniques to determine what IP addresses are behaving highly suspiciously and are likely to have been compromised into sending spam or viruses. Your mail server is demonstrating suspicious behavior and we suggest that you investigate/fix the following:

* rDNS points to a fully qualified domain name (FQDN)
* rDNS points to a domain which matches the HELO FQDN
* rDNS points to a domain which matches the sender domain or a domain which matches the parent domain

To this end, one of the HELO strings we are seeing is "obfuscate.com" which is not an exact match to the PTR of the IP  (mail.obfuscate.com).   This contravenes RFC2821, section which states, "These [HELO] commands are used to identify the SMTP client to the SMTP server. The argument field contains the fully-qualified domain name of the SMTP client if one is available." I would suggest speaking with your provider about this if they are really using an improperly formatted HELO string.

With this information in hand I went to an outside machine and ran a "telnet mail.obfuscate.com 25".  Initial header listed the proper "mail.obfuscate.com", as did helo and ehlo.

*********"Telnet mail.obfuscate.com 25" from outside machine**********
220 mail.obfuscate.com ESMTP ready at Wed, 05 Sep 2012 14:29:25 -0400
250 mail.obfuscate.com Hello , pleased to meet you
250-SIZE 20480000

This client uses a Websense 7.3 Email security server.  I opened server config and under receive service->SMTP Properties I already had the proper "mail.obfuscate.com" listed.

I also checked the Send Service and may have found the issue.  Under SMTP EHLO/HELO Command->Specify the domain name: I previously had "obfuscate.com".  I have changed that to "mail.obfuscate.com".  

My question is how do I test this?  Would a telnet session, run from the Websense server, parrot back the proper FQDN?  Unfortunately all my other clients are Postini clients and I attempted this with a Postini server and it did not parrot back my FQDN.  Is there a way to verify I have corrected this issue?  Does anyone have a site I can run a Telnet 25 session to which would give me the info I'm after.  My Websense server seems to do it, but not Postini.

Or do you think Senderbase support was referring to receive connections?  If so, are they using a tool that digs deeper into the SMTP communication, than my simple telnet test?  Is it something I can replicate to test?

Thanks for your help,
Question by:tw525

Accepted Solution

grahamnonweiler earned 2000 total points
ID: 38369611
Senderbase requires that the following are all the same:

EHLO send/response domain name
RDNS domain name
DNS domain name


If your SMTP transport is using "mail.obfuscate.com"
then a DNS lookup on "mail.obfuscate.com" must return the IP address of your mail server
the IP address sending email must match the DNS lookup above
and a reverse DNS on the IP address must return the domain name "mail.obfuscate.com"

The telnet test is not going to confirm anything other than what your server is "answering" incoming messages as. You need to test the "outgoing" transport, which is what Senderbase is interested in.

Send an email from the server to another email address and look at the headers of the message and check that "mail.obfuscate.com" appears correctly there. And ideally have someone accept an email from you and get them to send you the headers and log file extract.

If you wish you can send a message to support -at- nonweiler.com and we will send you back the log file extract - mention EE in the subject line
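The header check described in this answer can be scripted so that the "before" and "after" state of the Send Service change in the question can be compared side by side. The following is an added example, not code from the answerer or from Websense: it parses the "from HELO (ptr [ip])" clause that a receiving MTA writes into the Received: header and applies the three SenderBase bullets from the question (rDNS is an FQDN, rDNS equals the HELO name, rDNS sits under the sender domain), plus the forward-confirmed rDNS check the answer describes. The sample headers, the IP 192.0.2.25 and the FORWARD_DNS table are constructed stand-ins; a real run would resolve the PTR name with socket.getaddrinfo() or dnspython instead of the table.

```python
"""Audit HELO / rDNS / forward-DNS alignment from a Received: header (added example)."""
import re

# Constructed sample header, modelled on the thread's values: HELO "obfuscate.com"
# but PTR "mail.obfuscate.com", i.e. the state before the Send Service was fixed.
RECEIVED_BEFORE = (
    "Received: from obfuscate.com (mail.obfuscate.com [192.0.2.25])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 4ABCD;\n"
    "\tWed,  5 Sep 2012 14:29:25 -0400"
)
# Same header after the HELO name was changed to the full mail.obfuscate.com.
RECEIVED_AFTER = RECEIVED_BEFORE.replace("from obfuscate.com", "from mail.obfuscate.com")

# Constructed stand-in for forward DNS (name -> set of A records). Replace with a
# real resolver (socket.getaddrinfo / dnspython) for a live check.
FORWARD_DNS = {"mail.obfuscate.com": {"192.0.2.25"}}

# Matches the receiving MTA's "from <helo> (<ptr> [<ip>])" clause.
_RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<ptr>[^\s\[\]()]+)\s+)?"  # PTR name the receiver resolved (optional)
    r"\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)


def _norm(name):
    """Lower-case a host name and drop a trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def parent_domain(fqdn):
    """mail.obfuscate.com -> obfuscate.com; a two-label name is its own parent."""
    parts = _norm(fqdn).split(".")
    return ".".join(parts[1:]) if len(parts) > 2 else _norm(fqdn)


def parse_received(header):
    """Extract HELO name, PTR name and client IP from a (possibly folded) Received: header."""
    flat = " ".join(header.split())  # unfold continuation lines
    m = _RECEIVED_RE.search(flat)
    if not m:
        raise ValueError("no 'from HELO (ptr [ip])' clause found")
    ptr = m.group("ptr")
    if ptr is None or ptr.lower() == "unknown":  # Postfix writes "unknown" when no PTR exists
        ptr = None
    return {"helo": _norm(m.group("helo")), "ptr": _norm(ptr) if ptr else None, "ip": m.group("ip")}


def check_alignment(helo, ptr, ip, sender_domain, forward_dns=FORWARD_DNS):
    """Return named checks -> bool, one per SenderBase bullet plus forward-confirmed rDNS."""
    helo, sender_domain = _norm(helo), _norm(sender_domain)
    ptr = _norm(ptr) if ptr else None
    have_ptr = ptr is not None
    return {
        # Bullet 1: rDNS exists and is a fully qualified name, not an address literal
        "rdns_is_fqdn": have_ptr and "." in ptr and not ptr.startswith("["),
        # Bullet 2: the HELO argument is exactly the rDNS name
        "helo_matches_rdns": have_ptr and helo == ptr,
        # Forward-confirmed rDNS: the PTR name resolves back to the connecting IP
        "ptr_resolves_to_ip": have_ptr and ip in forward_dns.get(ptr, set()),
        # Bullet 3: rDNS is the sender domain, under it, or shares its parent domain
        "rdns_matches_sender": have_ptr and (
            ptr == sender_domain
            or ptr.endswith("." + sender_domain)
            or parent_domain(ptr) == parent_domain(sender_domain)
        ),
    }


def audit_received(header, sender_domain, forward_dns=FORWARD_DNS):
    """Parse a Received: header and run the alignment checks against the envelope sender domain."""
    f = parse_received(header)
    return check_alignment(f["helo"], f["ptr"], f["ip"], sender_domain, forward_dns)


if __name__ == "__main__":
    for label, hdr in (("before", RECEIVED_BEFORE), ("after", RECEIVED_AFTER)):
        print(label, audit_received(hdr, "obfuscate.com"))
```

Paste the topmost Received: header from a message the Websense server sent to an outside mailbox into the script (the topmost header written by the outside MTA is the one that records the HELO it actually saw); the "before" sample fails only helo_matches_rdns, the "after" sample passes all four, which is exactly the change the question describes.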

Expert Comment

ID: 38371245
We received your test email and sent a response back to you, including log file extracts showing that all of your server headers were in keeping with Industry Standards.

As an extra comment, having a "neutral" rating is not a problem, and quite common particularly if the traffic coming out of your IP is relatively low. To have a consistently "good" rating normally means traffic of at least 50K to 60K sizeable messages per day.

Author Closing Comment

ID: 38372044
Thank you for your assistance grahamnonweiler.  I was looking for a complex solution, to which you had a very simple and effective one.
