The CBL - Composite Blocking List
CBL Statistics CBL FAQ
CBL HOME Privacy Policy

Possible Mail Server Configuration Issues

Please note: due to the distributed denial of service attack on Spamhaus and the CBL in late March, the "helocheck" procedure outlined below has been changed. The testing address has been changed to [email protected]

One way of testing whether your mail server is misconfigured is to send an email through it to [email protected] You will get a virtually immediate rejection.

In other words, you will get bounce message back that appears to indicate that your email to helocheck didn't work. It did. It's _supposed_ to work that way. The important piece to check is the error message you see.

Examine the error message, and you should see something like one of the following lines:

#5.0.0 SMTP; 554 *** The HELO name for IP address 1.2.4.6 was 'localhost.localdomain'
#5.0.0 SMTP; 554 *** The HELO name for IP address 1.2.4.6 was 'localhost'
#5.0.0 SMTP; 554 *** The HELO name for IP address 1.2.4.6 was 'smtp'
#5.0.0 SMTP; 554 *** The HELO name for IP address 1.2.4.6 was '1.2.4.6'
#5.0.0 SMTP; 554 *** The HELO name for IP address 1.2.4.6 was 'My company name Inc'
#5.0.0 SMTP; 554 *** The HELO name for IP address 1.2.4.6 was '[1.2.4.6]'
#5.0.0 SMTP; 554 *** The HELO name for IP address 1.2.4.6 was 'mail.example.com'

Note that the numeric error code (eg: 554 above) or extended version (5.0.0 above) may not be 550/5.0.0 respectively. The exact values don't really matter. It's the "The HELO name ..." string that matters.

Note that some mail servers (particularly outlook) try to hide the detailed error string and guess what the error is. Outlook frequently guesses wrong. The important thing is to visually scan the entire bounce message until you find the critical string.

It should be the fully qualified domain name for your mail server or an IP address enclosed in square brackets.

Using "[IP address]" is strongly discouraged and should not be used except in exceptional cases - sending email on behalf of multiple domains is NOT one of those cases.

The first five examples are syntactically wrong by RFC2821. The last two are valid.

If it isn't like one of the last two examples, you have found the problem that needs to be fixed.

WARNING If the HELO you see from "helocheck" is a fully qualified domain (such as "mail.example.com"), your mail server software is configured correctly, but something else in your environment is attempting to send email, and you need to hunt it down. Check for sender verify code, challenge/response or proxy trojans (common on certain flavours of web servers). Eg: check the running tasks for anything you don't immediately recognize.

Don't assume that if the HELO is correct that the CBL detection is in error. The CBL is never, ever wrong in this basic test. The fact that the software you know about and tested gets it right doesn't prove there is no malware on your machine doing it wrong - you just haven't looked in the right place yet. That is what you have to search for it until you do find it.

Please don't contact us and say "but our mail server isn't doing it". It may not be, but SOMETHING at the listed IP IS doing it. Find it!

The CBL and abuseat.org web pages are copyright © 2003-2017, all unauthorized copying is prohibited. All external pages referenced are copyright by their respective owners.