Mail Server Naming Problems

The CBL uses a variety of techniques to determine which IPs are behaving highly suspiciously and are likely to have been compromised into sending spam or viruses.

You have been directed here because there is a possibility that your IP may have been listed as a result of misconfiguration or broken mailer software.

Here, we're primarily concerned with mail servers announcing non-RFC-compliant names via the HELO (NOT the welcome banner!) during the SMTP port 25 connections they make (NOT connections made to them!).

However, this set of pages is intended to find out what's wrong, whatever it is, whether it be a hostname, mailer, or autoresponder misconfiguration, or an outright machine compromise.

First and foremost, however, if this IP address is a NAT/PAT gateway/firewall/router, please read about securing your NAT first. Until you have secured your NAT/PAT (if you have one), the following instructions will be of little use.

Identifying the Problem Area

There are two basic types of detections that land an IP on this page. RFC 2821 section 4.1.1.1 says that there are only two legal forms of HELO/EHLO argument a mail server can issue: either a fully qualified domain name (e.g. "mail.example.com") or an "IP literal" (e.g. "[1.2.3.4]").

The listings that land in this page are:

  • HELO "localhost", "localhost.localdomain", and other generic "unconfigured" names.
  • HELOs that are bare IP addresses (without enclosing square brackets).

Listings of the former kind are most common on UNIX-derived systems (such as Linux, xBSD, MacOS X). Alternately, the cause may be a misconfigured custom mail-sending application using a library such as Perl's Net::SMTP (which must be explicitly configured to use a specific HELO string).

If this IP corresponds to a Windows machine, a HELO of "localhost" almost certainly means that this machine is infected with Maazben or Lethic.

Listings of the latter kind are due to a variety of things, most often improperly configured Windows mail servers or mail applications (address verifiers, challenge/response systems, bulk mailers etc).

In all cases, the first thing you should do is identify whether the main mail server software is helo'ing properly. If not, it needs to be fixed. If it is helo'ing properly, you need to identify what _other_ mail sending applications (that send email direct to the recipient without going through your main mail servers) exist, and check those.
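To make the two detection types concrete, here is a small HELO classifier written for this page (it is not CBL code). It applies the RFC 2821 section 4.1.1.1 rule quoted above, flags the "localhost"-style generic names and bare IP addresses that trigger the listings described here, and can be run over a list of HELO strings pulled from your outbound mail logs; the set of generic names and the log sample are constructed for the example.

```python
import ipaddress
import re

# Generic "unconfigured" names named on this page; extend for your site.
GENERIC_HELO_NAMES = {"localhost", "localhost.localdomain"}

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_helo(helo: str) -> str:
    """Classify a HELO/EHLO argument.

    "fqdn"       - RFC 2821 compliant fully qualified domain name
    "ip-literal" - RFC 2821 compliant address literal, e.g. "[192.0.2.10]"
    "generic"    - unconfigured placeholder such as "localhost" (listed)
    "bare-ip"    - IP address without square brackets (listed)
    "invalid"    - anything else (empty, single label, bad characters)
    """
    name = helo.strip()
    if not name:
        return "invalid"
    # Address literal: "[1.2.3.4]" or "[IPv6:2001:db8::1]".
    if name.startswith("[") and name.endswith("]"):
        inner = name[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        try:
            ipaddress.ip_address(inner)
            return "ip-literal"
        except ValueError:
            return "invalid"
    # Bare address: parses as an IP but lacks the enclosing brackets.
    try:
        ipaddress.ip_address(name)
        return "bare-ip"
    except ValueError:
        pass
    if name.lower().rstrip(".") in GENERIC_HELO_NAMES:
        return "generic"
    labels = name.rstrip(".").split(".")
    if len(labels) >= 2 and all(_LABEL.match(label) for label in labels):
        return "fqdn"
    return "invalid"


def listing_candidates(helos):
    """Return (helo, category) pairs that would land an IP on this page."""
    flagged = []
    for helo in helos:
        category = classify_helo(helo)
        if category in ("generic", "bare-ip"):
            flagged.append((helo, category))
    return flagged


# Constructed sample of HELO strings as they might appear in outbound logs.
SAMPLE_HELOS = ["mail.example.com", "[192.0.2.10]", "localhost", "192.0.2.10"]
```

Anything reported by listing_candidates is a host or application whose HELO needs fixing; an "invalid" result means the name is not compliant either, even though it is not one of the two detection types described here.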

Checking your main mail server naming

First, follow the helo checking procedure.

If the helo checking procedure shows that the helo is wrong, you will need to fix it; skip to the next section that applies to you.

UNIX-derived systems

This document describes how to analyse problems with UNIX/Linux derived systems.

Windows Systems

Consult your mail software documentation/configuration panels on how to set the "server name" to what it should be.

Once done, repeat the helo testing procedures, hit BACK and delist your IP.

If you didn't find anything wrong, go to the next section.

It's not my mail server software, now what?

You've gotten here because testing has shown that your mail server is using the right names.

The CBL simply doesn't make mistakes in this area: your IP address is emitting invalid HELOs.

So we have to identify what software is doing it.

Many systems have alternate methods of sending email other than standard MTA server software (such as sendmail or Exchange). For example, Content Management Systems such as Wordpress, Joomla etc, or even just web sites written with web-aware libraries for PHP, Perl etc, have mechanisms that can send mail directly without going through a formal system mail server. This is particularly common in multi-host web environments, where customers/users can download their own software packages. Many real and serious infection problems arise out of multi-hosting customers downloading pirated plugins that have been compromised with malicious scripts. See Email not coming from a real mail server if you think that "non-mail-server" mail clients are, or could be, operating on your system.