Score:0 is blocking our IP because we use multiple unrelated HELO values

jp flag is blocking our IP because we send mail using multiples domain names from a single IP.

The message is

A device (computer, server, mobile phone, etc), or an app on a device that is using aaa.bbb.ccc.ddd is infected, badly misconfigured, or compromised. It is making SMTP connections with multiple unrelated HELO values on port 25.

The most recent detection was on: May 18 2022, 10:20:00 UTC (+/- 5 minutes). The observed HELO values were xxx yyy zzz ,...

We have a lot of different domains for emails (one customer = one domain), and all the emails are sent from the same IP (Multiples different server using the same internet gateway).

How should we handle this use case ? We currently use exim4 as a mailserver on the multiples servers.

Nikita Kipriyanov avatar
za flag
No, it isn't. There are *myriads* of mail systems that handle multiple domains. Spamhaus never blocked anyone just for that. How *exactly* looks your Spamhaus blocking message/reason?
vn flag
If that alone were Spamhaus's reason, every major email service provider would be blocked immediately. Do these domains have valid SPF records permitting your IP to send emails on their behalf?
Jean avatar
jp flag
I added the Spamhaus blocking message. Yes, these domains have valid SPF records.
A.B avatar
cl flag
Just writing that the tag `spam-marked` includes two canonical Q/A in its full description there: which might already include some checks to do.
vn flag
See [this Spamhaus page]( specifically.
tripleee avatar
ar flag
Does this answer your question? [How to send emails and avoid them being classified as spam?](
Jean avatar
jp flag
Hello, I accepted Nikita Kipriyanov's answer, because that's exactly the problem I had. The canonical question you linked shows multiples possibilities, one among them is the solution I looked for. I think it will be easier for future users to read this answer, using the specific description of my use case.
za flag

You configured it to present different HELO names for each served domain? That's really a bad idea. That is why Spamhaus is angry to you.

  • Your server should have certain FQDN, at least for the mail service, let's say;
  • set up that FQDN name as the single constant HELO name, which is always presented by the MTA, no matter which domain's mail it is delivering now;
  • that name should have A or AAAA records that resolve to the server IP address, for example, A;
  • the server uses this or some other IP address when makes outgoing connections. The reverse DNS lookup of that outgoing IP address should point to this same FQDN, for example, PTR;
  • ideally, enable STARTTLS and use SSL certificate that is valid for this FQDN, e.g. or SAN field contains or DNS:*

And then you specify this FQDN in the MX record of served domains, like this: MX 10 (don't forget to set up SPF, DKIM, DMARC records too).

Notice, you can not have multiple PTR records for a single IP address; technically you can, but that won't work as you might expect. Some DNS servers check these three items (HELO, forward DNS query for the HELO name and reverse DNS query for your IP) to match and block messages if they don't. This partially answers why you shouldn't change HELO name for each message.

(It's essentially the same as this answer in the linked "Canonical question")

Jean avatar
jp flag
Thank you, we fixed it by setting the same HELO FQDN on our multiples servers. The FQDN now matches the DNS for this server. (related FAQ : "Correct HELO/DNS/rDNS alignment for domain") At the same time, Spamhaus removed our IP from the blocked-list. I'll wait until tomorrow, and will accept this answer. Thanks again.
jp flag
Excellent answer! A minor notice: I think that there should always be a SAN matching the CN nowadays.

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.