Host not found?

Host not found?

Joey J
Hello all,

I'm trying to understand why this is telling me host not found.
On that same server if I nslookup the ip it does resolve.

Oct 18 16:00:51 mgw postfix/smtpd[24119]: NOQUEUE: reject: RCPT from unknown[199.5.50.180]: 450 4.7.1 <br2.vw.com>: Helo command rejected: Host not found; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<br2.vw.com>

--
Thanks!
Joey


Re: Host not found?

Richard-2


> Date: Sunday, October 18, 2020 16:07:24 -0400
> From: Joey J <[hidden email]>
>
> Hello all,
>
> I'm trying to understand why this is telling me host not found.
> On that same server if I nslookup the ip it does resolve.
>
> Oct 18 16:00:51 mgw postfix/smtpd[24119]: NOQUEUE: reject: RCPT from
> unknown[199.5.50.180]: 450 4.7.1 <br2.vw.com>: Helo command
> rejected: Host not found; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP helo=<br2.vw.com>


There doesn't appear to be an A or MX record for "br2.vw.com".




Re: Host not found?

Patrick Chemla

No MX server for client.com:


# nslookup -type=mx client.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
*** Can't find client.com: No answer



On 18/10/2020 at 23:16, Richard wrote:

> > Date: Sunday, October 18, 2020 16:07:24 -0400
> > From: Joey J [hidden email]
> >
> > Hello all,
> >
> > I'm trying to understand why this is telling me host not found.
> > On that same server if I nslookup the ip it does resolve.
> >
> > Oct 18 16:00:51 mgw postfix/smtpd[24119]: NOQUEUE: reject: RCPT from
> > unknown[199.5.50.180]: 450 4.7.1 <br2.vw.com>: Helo command
> > rejected: Host not found; from=[hidden email]
> > to=[hidden email] proto=ESMTP helo=<br2.vw.com>
>
> There doesn't appear to be an A or MX record for "br2.vw.com".




Re: Host not found?

Viktor Dukhovni
In reply to this post by Joey J
On Sun, Oct 18, 2020 at 04:07:24PM -0400, Joey J wrote:

> I'm trying to understand why this is telling me host not found.
> On that same server if I nslookup the ip it does resolve.

Only in the IP -> name direction.  The name -> IP direction fails.
And it seems you've configured: reject_unknown_client_hostname or
equivalent.

> Oct 18 16:00:51 mgw postfix/smtpd[24119]: NOQUEUE: reject: RCPT from
> unknown[199.5.50.180]: 450 4.7.1 <br2.vw.com>: Helo command rejected: Host
> not found; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<br2.vw.com>

    $ dig +noall +ans +nocl +nottl -x 199.5.50.180
    180.50.5.199.in-addr.arpa. PTR br2.vw.com.

    $ dig +noall +auth +ans +nocl +nottl br2.vw.com.
    vw.com. SOA ns1.vw.com. domainmaster.vw.com. 355100950 10800 3600 2419200 900

--
    Viktor.

Re: Host not found?

Bob Proulx
In reply to this post by Joey J
Joey J wrote:
> I'm trying to understand why this is telling me host not found.
> On that same server if I nslookup the ip it does resolve.
>
> Oct 18 16:00:51 mgw postfix/smtpd[24119]: NOQUEUE: reject: RCPT from
> unknown[199.5.50.180]: 450 4.7.1 <br2.vw.com>: Helo command rejected: Host
> not found; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<br2.vw.com>

In addition to what has already been said...  I look up the SPF record
for Audi.com and find:

    $ host -t txt Audi.com | grep spf
    Audi.com descriptive text "v=spf1 include:cust-spf.exacttarget.com ip4:199.5.47.0/24 ip4:91.198.139.136/31 -all"

    $ host -t txt cust-spf.exacttarget.com | grep spf
    cust-spf.exacttarget.com descriptive text "v=spf1 ip4:64.132.92.0/24 ip4:64.132.88.0/23 ip4:66.231.80.0/20 ip4:68.232.192.0/20 ip4:199.122.120.0/21 ip4:207.67.38.0/24 " "ip4:207.67.98.192/27 ip4:207.250.68.0/24 ip4:209.43.22.0/28 ip4:198.245.80.0/20 ip4:136.147.128.0/20 ip4:136.147.176.0/20 ip4:13.111.0.0/16 ip4:161.71.32.0/17 -all"

    $ host -t txt cust-spf.exacttarget.com | grep spf | grep 199.5
    ...nothing...

Since 199.5.50.180 does not appear in the allowance for the SPF
records that I can see (I inspected by eye, did I miss something?)
then the final "-all" would have caused the message to be rejected by
SPF policy *if* it had not already been rejected by the policy of
using "reject_unknown_client_hostname".

Which means this SMTP transaction had multiple problems making it very
likely a spammer as the most simple explanation.  Or simply very deeply
misconfigured if not.

Bob
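
The by-eye SPF inspection in the post above can be done mechanically. This is an added example, not part of the original post: it evaluates only the `ip4`, `include` and `all` mechanisms, and the `SPF_RECORDS` dict and `check_spf` function are names assumed here, with the records copied from the `host` output quoted above in place of live DNS.

```python
import ipaddress

# TXT records as quoted in the host(1) output above; this dict stands in for
# live DNS so the check runs offline.
SPF_RECORDS = {
    "audi.com": "v=spf1 include:cust-spf.exacttarget.com ip4:199.5.47.0/24 "
                "ip4:91.198.139.136/31 -all",
    "cust-spf.exacttarget.com":
        "v=spf1 ip4:64.132.92.0/24 ip4:64.132.88.0/23 ip4:66.231.80.0/20 "
        "ip4:68.232.192.0/20 ip4:199.122.120.0/21 ip4:207.67.38.0/24 "
        "ip4:207.67.98.192/27 ip4:207.250.68.0/24 ip4:209.43.22.0/28 "
        "ip4:198.245.80.0/20 ip4:136.147.128.0/20 ip4:136.147.176.0/20 "
        "ip4:13.111.0.0/16 ip4:161.71.32.0/17 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate only ip4, include and all (a subset of RFC 7208).

    Returns (result, matching_term). Other mechanisms are skipped and nested
    errors count as "no match", which a full evaluator must not do.
    """
    record = records.get(domain.lower())
    if depth > 10 or record is None or not record.startswith("v=spf1"):
        return ("permerror" if depth else "none"), None
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "ip4":
            # strict=False: published ranges may have host bits set
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # an include matches only when the nested record yields "pass"
            matched = check_spf(ip, arg, records, depth + 1)[0] == "pass"
        elif name == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier], term
    return "neutral", None


if __name__ == "__main__":
    print(check_spf("199.5.50.180", "audi.com"))  # client IP from the log line
```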

Re: Host not found?

@lbutlr
On 19 Oct 2020, at 13:13, Bob Proulx <[hidden email]> wrote:
> Since 199.5.50.180 does not appear in the allowance for the SPF
> records that I can see

dig -x 199.5.50.180 +short
br2.vw.com.

VW does own Audi, so… mystery deepens?

--
'They're the cream!' Rincewind sighed. 'Cohen, they're the cheese.'


Re: Host not found?

Viktor Dukhovni
> On Oct 19, 2020, at 7:19 PM, @lbutlr <[hidden email]> wrote:
>
> dig -x 199.5.50.180 +short
> br2.vw.com.
>
> VW does own Audi, so… mystery deepens?

Anyone can spoof PTR records, but in this case the address really
does appear to be VW:

NetRange:       199.5.32.0 - 199.5.63.255
CIDR:           199.5.32.0/19
NetName:        NETBLK-NET-VWNA
NetHandle:      NET-199-5-32-0-1
Parent:         NET199 (NET-199-0-0-0-0)
NetType:        Direct Assignment
OriginAS:      
Organization:   Volkswagen Group of America, Inc. (VOLKSW-1)
RegDate:        1994-01-05
Updated:        2007-03-22
Ref:            https://rdap.arin.net/registry/ip/199.5.32.0


OrgName:        Volkswagen Group of America, Inc.
OrgId:          VOLKSW-1
Address:        3800 Hamlin Rd
City:           Auburn Hills
StateProv:      MI
PostalCode:     48326
Country:        US
RegDate:        1994-01-05
Updated:        2018-05-01
Ref:            https://rdap.arin.net/registry/entity/VOLKSW-1

--
        Viktor.


Re: Host not found?

Bob Proulx
In reply to this post by @lbutlr
@lbutlr wrote:
> Bob Proulx wrote:
> > Since 199.5.50.180 does not appear in the allowance for the SPF
> > records that I can see
>
> dig -x 199.5.50.180 +short
> br2.vw.com.
>
> VW does own Audi, so... mystery deepens?

That's simply the reverse DNS PTR record.  Anyone can set their own
PTR records to be anything they wish them to be.  That's why for the
full circle test the br2.vw.com would need to resolve back to
199.5.50.180 in order to have any trust in it at all.  Because that
would show that vw.com lists 199.5.50.180.  The PTR record is only
just ever so slightly more trustworthy than the HELO hostname.  Ever
so slightly since it means the hosting provider supported the
setting.  Most VPS providers do for example.

However I did look one step deeper and queried the whois records for
that IP address allocation.  It does have an address allocation to
Volkswagen Group of America, Inc. and therefore may actually be part
of them.

    NetRange:       199.5.32.0 - 199.5.63.255
    CIDR:           199.5.32.0/19
    NetName:        NETBLK-NET-VWNA
    NetHandle:      NET-199-5-32-0-1
    Parent:         NET199 (NET-199-0-0-0-0)
    NetType:        Direct Assignment
    OriginAS:      
    Organization:   Volkswagen Group of America, Inc. (VOLKSW-1)

Which would swing my opinion over to the deeply misconfigured side of
things.

Bob
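
The "full circle" test described in the post above, as an added example that is not part of the original thread: a PTR name is trusted only when its forward lookup returns the connecting address. The function names and the constructed sample resolver data are assumptions made for this sketch; the default lookups use the system resolver.

```python
import ipaddress
import socket


def ptr_lookup(ip):
    """PTR names for ip from the system resolver ([] when none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except (socket.herror, socket.gaierror):
        return []


def addr_lookup(name):
    """A/AAAA addresses for name from the system resolver (empty on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def fcrdns(ip, ptr=ptr_lookup, fwd=addr_lookup):
    """Return (status, name): a PTR name counts only if it maps back to ip."""
    target = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr(ip)]
    if not names:
        return "no-ptr", None
    for name in names:
        if target in {ipaddress.ip_address(a) for a in fwd(name)}:
            return "confirmed", name
    return "unconfirmed", names[0]


# Constructed resolver data. The first PTR entry mirrors the dig output in the
# thread (PTR exists, no address record); the rest use documentation ranges.
SAMPLE_PTR = {
    "199.5.50.180": ["br2.vw.com."],
    "192.0.2.10": ["mail.example.org."],
    "203.0.113.7": ["mail.example.org."],  # PTR names a host that does not list it
}
SAMPLE_FWD = {"mail.example.org": {"192.0.2.10"}}


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_fwd(name):
    return SAMPLE_FWD.get(name, set())
```

Calling `fcrdns(ip)` with no resolver arguments performs live lookups; passing `sample_ptr` and `sample_fwd` keeps the run offline.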