Possible Mail Server Configuration Issues
Please note: due to the distributed denial of service attack
on Spamhaus and the CBL in late March, the "helocheck" procedure outlined below has
The testing address has been changed to [email protected]
One way of testing whether your mail server is misconfigured
is to send an email through it to [email protected]. You will
get a virtually immediate rejection.
In other words, you will get a bounce message back that appears to
indicate that your email to helocheck didn't work.
It's _supposed_ to work that way.
The important piece to check is the error message you see.
Examine the error message,
and you should see something like one of the following lines:
#5.0.0 SMTP; 554 *** The HELO name for IP address 22.214.171.124 was 'localhost.localdomain'
#5.0.0 SMTP; 554 *** The HELO name for IP address 126.96.36.199 was 'localhost'
#5.0.0 SMTP; 554 *** The HELO name for IP address 188.8.131.52 was 'smtp'
#5.0.0 SMTP; 554 *** The HELO name for IP address 184.108.40.206 was '220.127.116.11'
#5.0.0 SMTP; 554 *** The HELO name for IP address 18.104.22.168 was 'My company name Inc'
#5.0.0 SMTP; 554 *** The HELO name for IP address 22.214.171.124 was '[126.96.36.199]'
#5.0.0 SMTP; 554 *** The HELO name for IP address 188.8.131.52 was 'mail.example.com'
Note that the numeric error code (eg: 554 above) or extended version (5.0.0 above) may
not be 550/5.0.0 respectively. The exact values don't really matter.
It's the "The HELO name ..." string that matters.
Note that some mail clients (particularly Outlook) try to hide the detailed error string
and guess what the error is. Outlook frequently guesses wrong. The important thing
is to visually scan the entire bounce message until you find the critical string.
The HELO name should be the fully qualified domain name for your mail server or an IP
address enclosed in square brackets.
Using "[IP address]" is strongly discouraged; it should not be used except in
exceptional cases - sending email on behalf of multiple domains is NOT
one of those cases.
The first five examples are syntactically wrong by RFC2821.
The last two are valid.
If it isn't like one of the last two examples, you have found the problem that
needs to be fixed.
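The check described above, as an added example (not code from the CBL): a Python helper that finds the "The HELO name ..." string anywhere in a bounce and classifies the name as a fully qualified domain name, a bracketed IP literal, or invalid. The sample bounce, the 192.0.2.10 address and the placeholder-name list are constructed assumptions.

```python
import ipaddress
import re

# The diagnostic string the page says to look for anywhere in the bounce.
HELO_LINE = re.compile(r"The HELO name for IP address (\S+) was '([^']*)'")
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")  # one DNS label
# Assumption: installer-default names are treated as misconfigured, matching
# the page's verdict on 'localhost.localdomain'.
PLACEHOLDER_TLDS = {"localdomain", "localhost"}


def classify_helo(name):
    """Return 'fqdn', 'address-literal' or 'invalid' for a HELO argument."""
    if name.startswith("[") and name.endswith("]"):
        try:
            ipaddress.IPv4Address(name[1:-1])  # IPv4 literals only
            return "address-literal"
        except ValueError:
            return "invalid"
    try:
        ipaddress.ip_address(name)
        return "invalid"  # bare IP address without square brackets
    except ValueError:
        pass
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or not all(LABEL.fullmatch(l) for l in labels):
        return "invalid"  # single word, spaces, or illegal characters
    if labels[-1].isdigit() or labels[-1].lower() in PLACEHOLDER_TLDS:
        return "invalid"
    return "fqdn"


def scan_bounce(text):
    """Find every HELO diagnostic in a bounce, however the client wrapped it."""
    return [(ip, helo, classify_helo(helo)) for ip, helo in HELO_LINE.findall(text)]


# Constructed sample bounce (192.0.2.0/24 is a documentation range).
SAMPLE_BOUNCE = """Delivery has failed to these recipients or groups.
The recipient's e-mail system rejected the message.
Diagnostic information for administrators:
#5.0.0 SMTP; 554 *** The HELO name for IP address 192.0.2.10 was 'localhost.localdomain'
"""

if __name__ == "__main__":
    for ip, helo, verdict in scan_bounce(SAMPLE_BOUNCE):
        print(f"{ip} sent HELO {helo!r}: {verdict}")
```

An "fqdn" or "address-literal" verdict only says the name is well formed; as the page explains, a well-formed HELO from your mail server does not rule out other software on the same IP sending a bad one.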
If the HELO you see from "helocheck" is a fully qualified domain
(such as "mail.example.com"), your mail server software is configured
correctly, but something else in your environment
is attempting to send email, and you need to hunt it down. Check for
sender verify code, challenge/response or proxy trojans (common on
certain flavours of web servers). E.g., check the running tasks for
anything you don't immediately recognize.
Don't assume that because the HELO is correct, the CBL detection is in error.
The CBL is never, ever wrong in this basic test. The fact that the
software you know about and tested gets it right doesn't prove there is no
malware on your machine doing it wrong - you just haven't looked in the right
place yet. That is why you have to keep searching until you do find it.
Please don't contact
us and say "but our mail server isn't doing it". It may
not be, but SOMETHING at the listed IP
IS doing it. Find it!