My office is bogus.
June 9, 2006 8:48 AM

I host my domain with godaddy.com, and am suddenly not able to get email from my office. Their IP has been blocked by godaddy because of a "bogus helo."

Godaddy insists that what causes this is a virus or worm on my office's mailserver. They've run all kinds of scans but have not detected anything wrong. Godaddy still refuses to unblock, since I'm on a shared server. Email from the work server still gets through to other hosts (yahoo.com, gmail.com, etc.). Any suggestions for a work around or another way to find the problem on the work mailserver? They're running MS-Exchange.
posted by Framer to Computers & Internet (13 answers total)
 
Are they able to give you an IP address of the infected machine?
posted by bshort at 9:04 AM on June 9, 2006


Response by poster: Yes. And that's the machine we've been running scans on.
posted by Framer at 9:06 AM on June 9, 2006


Are you running a sniffer on the supposedly infected machine to see what packets it's sending out?
posted by bshort at 9:08 AM on June 9, 2006


It's hard to tell exactly what kind of bogosity it is. HELO is the first command in an SMTP exchange -- the connecting mailserver says "HELO mydomain.com" to the one it connected to.

Spammers and viruses consistently get the HELO wrong, doing things like "HELO jsdksdf" or "HELO yourdomain.com", and blocking mail based on HELO is actually pretty effective. So your mailserver is doing something unusual there. But without knowing what specifically I don't know where to start advising.

If you want to send me mail to the address in my profile, I'll look at the HELO your mailserver gave my mailserver, and from there we can try to guess what the problem was.

(If the error message from godaddy had more to it than "bogus helo", though, please share!)
posted by mendel at 9:08 AM on June 9, 2006


Response by poster: The error message from the bounces:

xxxxx.org #5.5.0 smtp;553 Bogus helo xxxxx.org.

I'm x'ing out the domain info because I don't run the server and am not sure the sysadmin would want me broadcasting the problem in this way.

Mendel: I don't use the mailserver to send, but will try to get someone in the office to send you something.

posted by Framer at 9:23 AM on June 9, 2006


If the domain is secret this is going to be really hard to solve publicly. Better someone responsible for the box ask on a mailing list he trusts with the details.
posted by mendel at 9:33 AM on June 9, 2006


Response by poster: Mendel: Check your email.
posted by Framer at 9:41 AM on June 9, 2006


Best answer: Ok, so this is hard to explain without giving away domains and hostnames and IP addresses and so on, but the only troubling thing that I see in the HELO is that the domain used in the HELO looks up to an IP address which is not the IP address of that mailserver.

What you want is for the "helo" to contain the actual hostname of the mailserver (say, "mail.example.com"), for that to look up to the IP address of the mail server ("mail.example.com has address 10.0.0.5"), and that that IP address looks up to the name of the mail server ("5.0.0.10.in-addr.arpa has address mail.example.com"). Offhand I'd say that you're 0 for 3.

That's not to say that godaddy is necessarily using that heuristic but it's not an unusual one to use (although I'd call it unnecessarily strict).

The only other thing I can think of is that the hostname that the IP address of the mailserver looks up to (the one that ends ".customer.algx.net") looks like it is in dynamic IP space. Some sites block mail from dynamic IPs because they tend to be virus-laden or open-proxy home computers. You may be able to solve this if you can solve the 3rd DNS tip above ("5.0.0.10.in-addr.arpa has address mail.example.com").

One thing to try that might be easier than getting all your DNS ducks in a row is to configure the Exchange server to use your ISP's mailserver as a smarthost, sending all outgoing mail through it.
posted by mendel at 10:10 AM on June 9, 2006
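The three conditions mendel lays out (the HELO argument is a real fully qualified hostname, that name resolves to the connecting address, and the connecting address has a PTR record pointing back to that name) are the same checks a receiving server applies before answering "553 Bogus helo". The script below is an added example, not code from anyone in this thread or from Go Daddy; it replaces live DNS with a constructed lookup table using hypothetical names and RFC 5737 documentation addresses so it runs offline, and it also flags PTR names that embed the address octets, the pattern that made the ".customer" name above look like dynamic IP space. Swap the two dictionaries for real forward and PTR lookups to audit your own server's HELO before a strict receiver does.

```python
import ipaddress
import re

# Constructed DNS data standing in for real lookups so the script runs offline.
# Names are hypothetical; addresses come from the RFC 5737 documentation range.
FORWARD_RECORDS = {
    "mail.example.com": "192.0.2.5",
    "example.com": "192.0.2.80",
}
REVERSE_RECORDS = {
    "192.0.2.5": "mail.example.com",
    "192.0.2.25": "adsl-192-0-2-25.customer.example.net",
}

# A syntactically valid hostname: dotted labels, letters-only first TLD character.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,61}[a-z0-9]"
)
# PTR names that spell out the address octets (or common ISP pool words)
# usually mean generic or dynamically assigned space.
DYNAMIC_HINT_RE = re.compile(r"(?:\d{1,3}[-.]){3}\d{1,3}|dsl|dial|dyn|pool|cust")


def reverse_name(ip):
    """Return the in-addr.arpa name a receiver queries for the PTR of ip."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_helo(helo, client_ip, forward=FORWARD_RECORDS, reverse=REVERSE_RECORDS):
    """Score a HELO/EHLO argument against the three DNS checks.

    Returns (checks_passed, problems): checks_passed is 0..3 and problems
    lists each failed check in the receiver's terms.
    """
    helo = helo.lower()
    problems = []
    passed = 0

    # Check 1: the HELO must be a fully qualified hostname, not "jsdksdf".
    if not HOSTNAME_RE.fullmatch(helo):
        problems.append(f"HELO '{helo}' is not a fully qualified hostname")
        return 0, problems
    passed += 1

    # Check 2: the HELO name must resolve to the address that connected.
    fwd = forward.get(helo)
    if fwd == client_ip:
        passed += 1
    elif fwd is None:
        problems.append(f"{helo} has no A record")
    else:
        problems.append(f"{helo} resolves to {fwd}, not the connecting address {client_ip}")

    # Check 3: the connecting address must have a PTR record naming the HELO host.
    ptr = reverse.get(client_ip)
    if ptr is None:
        problems.append(f"{reverse_name(client_ip)} has no PTR record")
    else:
        ptr = ptr.lower()
        if ptr == helo:
            passed += 1
        else:
            problems.append(f"{reverse_name(client_ip)} points to {ptr}, not {helo}")
        if DYNAMIC_HINT_RE.search(ptr):
            problems.append(f"PTR name {ptr} looks like dynamic or generic ISP space")

    return passed, problems


if __name__ == "__main__":
    for helo, ip in [("mail.example.com", "192.0.2.5"),
                     ("example.com", "192.0.2.25"),
                     ("jsdksdf", "192.0.2.5")]:
        passed, problems = check_helo(helo, ip)
        print(f"HELO {helo} from {ip}: {passed} of 3 checks passed")
        for p in problems:
            print("  -", p)
```

A server that passes all three would report "3 of 3"; the second constructed case (a bare domain HELO from an address whose PTR is an ISP-style generic name) is roughly the situation described above and comes back with one pass plus a dynamic-space warning. Real receivers vary in which of the three they enforce, so the score is a diagnostic, not a prediction of any particular host's policy.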


Response by poster: Thanks, Mendel. We're going through those steps now. You've saved me a lot of time.

On the other hand, visiting your blog and discovering "For Better Or For Worse slashfic" may well have just sucked up the rest of my afternoon.....
posted by Framer at 10:48 AM on June 9, 2006


For the benefit of onlookers: Don't look at me, it's not my slashfic!
posted by mendel at 11:10 AM on June 9, 2006


Also, note that SMTP explicitly states that blocking connections based on the HELO (or EHLO) is bad. Godaddy's mail server is broken. (Not that this information will help you in any way, of course.)
posted by hattifattener at 12:03 PM on June 9, 2006


Response by poster: Any "official"-type source for such a claim, hatti, that I can throw at Godaddy?
posted by Framer at 3:02 PM on June 10, 2006


Any "official"-type source for such a claim, hatti, that I can throw at Godaddy?

It won't help one bit. They're not doing it accidentally, and there's nothing that enforces perfect SMTP. You can't force anyone to accept your mail.
posted by mendel at 5:19 PM on June 10, 2006

