tw525 asked:
How to test outbound SMTP HELO response for a possible Websense Email security issue?

A client of mine was recently downgraded on senderbase.org from Good to Neutral.  This caused a few bounce backs and is obviously something I want to resolve as soon as possible.  I contacted Senderbase support and got this response:

**********************
SenderBase uses a variety of techniques to determine what IP addresses are behaving highly suspiciously and are likely to have been compromised into sending spam or viruses. Your mail server is demonstrating suspicious behavior and we suggest that you investigate/fix the following:

* rDNS points to a fully qualified domain name (FQDN)
* rDNS points to a domain which matches the HELO FQDN
* rDNS points to a domain which matches the sender domain or a domain which matches the parent domain

To this end, one of the HELO strings we are seeing is "obfuscate.com", which is not an exact match to the PTR of the IP 50.50.50.50 (mail.obfuscate.com). This contravenes RFC2821, section 4.1.1.1 which states, "These [HELO] commands are used to identify the SMTP client to the SMTP server. The argument field contains the fully-qualified domain name of the SMTP client if one is available." I would suggest speaking with your provider about this if they are really using an improperly formatted HELO string.
**********************************

With this information in hand I went to an outside machine and ran a "telnet mail.obfuscate.com 25".  Initial header listed the proper "mail.obfuscate.com", as did helo and ehlo.

*********"Telnet mail.obfuscate.com 25" from outside machine**********
220 mail.obfuscate.com ESMTP ready at Wed, 05 Sep 2012 14:29:25 -0400
helo
250 mail.obfuscate.com Hello , pleased to meet you
ehlo
250-mail.obfuscate.com
250-SIZE 20480000
250-STARTTLS
250 8BITMIME
***************************************************************

This client uses a Websense 7.3 Email security server.  I opened server config and under receive service->SMTP Properties I already had the proper "mail.obfuscate.com" listed.

I also checked the Send Service and may have found the issue.  Under SMTP EHLO/HELO Command->Specify the domain name: I previously had "obfuscate.com".  I have changed that to "mail.obfuscate.com".  

My question is how do I test this?  Would a telnet session, run from the Websense server, parrot back the proper FQDN?  Unfortunately all my other clients are Postini clients and I attempted this with a Postini server and it did not parrot back my FQDN.  Is there a way to verify I have corrected this issue?  Does anyone have a site I can run a Telnet 25 session to which would give me the info I'm after?  My Websense server seems to do it, but not Postini.

Or do you think Senderbase support was referring to receive connections?  If so, are they using a tool that digs deeper into the SMTP communication, than my simple telnet test?  Is it something I can replicate to test?

Thanks for your help,
Mike
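The question above asks for a way to see what HELO/EHLO name the Websense server actually presents on outbound connections, and the Senderbase reply lists three rDNS conditions to check. Below is an added example, not code from the original post or from Websense, that does both: a minimal SMTP listener that records the greeting an outbound server sends (run it on an outside host on port 25 and have the Websense server deliver a message to it, or use the loopback demo included), and a checker that applies the three conditions from the Senderbase reply to the captured greeting, the peer's PTR record and the sender domain. Hostnames such as mail.example.test and probe.example.test are constructed placeholders; the parent-domain logic takes the last two labels and is a simplifying assumption.

```python
"""Added example (not from the original post): capture an outbound server's
HELO/EHLO and check it against the rDNS conditions quoted from Senderbase.
Hostnames like mail.example.test are constructed placeholders."""
import smtplib
import socket
import threading


def is_fqdn(name):
    """True when name has at least two DNS labels, each well formed."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    return all(
        label and label.replace("-", "").isalnum()
        and not label.startswith("-") and not label.endswith("-")
        for label in labels
    )


def parent_domain(name):
    """Naive parent domain: the last two labels (assumption; ignores public-suffix rules)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def assess(helo, ptr, sender_domain):
    """Apply the three conditions from the Senderbase reply to one connection."""
    helo = helo.lower().rstrip(".")
    ptr = (ptr or "").lower().rstrip(".")
    sender_domain = sender_domain.lower().rstrip(".")
    return {
        "ptr_is_fqdn": is_fqdn(ptr),
        "ptr_matches_helo": bool(ptr) and ptr == helo,
        "ptr_matches_sender_domain": bool(ptr)
        and (ptr == sender_domain or parent_domain(ptr) == parent_domain(sender_domain)),
    }


def ptr_for(ip):
    """Reverse-DNS lookup of the connecting address; None when it has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def serve_one(listener, banner_host="probe.example.test"):
    """Accept one SMTP connection, record HELO/EHLO and the peer IP, then answer QUIT."""
    conn, (peer_ip, _) = listener.accept()
    captured = {"peer_ip": peer_ip, "verb": None, "helo": None}
    buf = b""
    with conn:
        conn.sendall(f"220 {banner_host} ESMTP HELO probe\r\n".encode())
        while True:
            chunk = conn.recv(1024)
            if not chunk:  # client closed without QUIT
                return captured
            buf += chunk
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                verb, _, arg = line.decode("ascii", "replace").partition(" ")
                verb = verb.upper()
                if verb in ("HELO", "EHLO"):
                    captured["verb"], captured["helo"] = verb, arg.strip()
                    conn.sendall(f"250 {banner_host}\r\n".encode())
                elif verb == "QUIT":
                    conn.sendall(b"221 bye\r\n")
                    return captured
                else:  # only the greeting is of interest; refuse everything else
                    conn.sendall(b"502 command not implemented\r\n")


def probe_local(helo_name):
    """Loopback demo: run the listener in a thread and connect with smtplib using helo_name."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    worker = threading.Thread(target=lambda: result.update(serve_one(listener)))
    worker.start()
    with smtplib.SMTP("127.0.0.1", port, local_hostname=helo_name) as client:
        client.ehlo()
    worker.join()
    listener.close()
    return result


if __name__ == "__main__":
    print(probe_local("mail.example.test"))
    # The values from the post: HELO "obfuscate.com" before the change, "mail.obfuscate.com" after
    print(assess("obfuscate.com", "mail.obfuscate.com", "obfuscate.com"))
    print(assess("mail.obfuscate.com", "mail.obfuscate.com", "obfuscate.com"))
```

On a real probe host, pass the captured peer IP through ptr_for() and feed the result to assess() together with the domain of the MAIL FROM address; with the post's values the first condition already holds and the second fails only while the send service still greets with the bare domain.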
ASKER CERTIFIED SOLUTION
Graham N.:
We received your test email and sent a response back to you, including log file extracts showing that all of your server headers were in keeping with Industry Standards.

As an extra comment, having a "neutral" rating is not a problem, and quite common particularly if the traffic coming out of your IP is relatively low. To have a consistently "good" rating normally means traffic of at least 50K to 60K sizeable messages per day.
tw525 (asker):

Thank you for your assistance grahamnonweiler.  I was looking for a complex solution, to which you had a very simple and effective one.