DNS Blacklist problem?
DNS Blacklist problem? - 2.Jun.2008 5:04:01 PM
mnwolftrack
Posts: 68
Joined: 8.Feb.2005
Status: offline
Starting last Friday, one of our offsite users' incoming E-mails to our other employees were being blocked by the DNS Blacklist. This user has Outlook 2000 that is set up for Internet Mail Delivery and sends/receives all mail through our own Exchange 2003 mail server. The log claims that zen.spamhaus.org had the sending mail server's IP address on the list. When I tried to check spamhaus.org's IP lookup, I cannot even get to their website. So, I unchecked zen.spamhaus.org from the list and had the user re-send. Unfortunately, the DNS blacklist log shows bl.spamcop.net had the IP on its list. I checked spamcop's IP lookup and looked up our own mail server's IP along with the remote user's (dynamic) IP and neither address was on spamcop. I turned OFF the DNS blacklist completely, and the user's mail is now coming through just fine. My other remote users' e-mails are NOT being blocked by the DNS filter. They are using the same Exchange 2003 server here to send/receive their mail, though they have different ISPs. What am I missing??? My concern is that this user's mail is being rejected by other mail servers that are using the same black lists.
< Message edited by mnwolftrack -- 2.Jun.2008 5:05:38 PM >

RE: DNS Blacklist problem? - 3.Jun.2008 11:26:35 AM
mnwolftrack
Posts: 68
Joined: 8.Feb.2005
Status: offline
Like I said, I already tried getting to the spamhaus website but I could not get to it. I removed it from the blacklist filter anyway, but spamcop's list still caught the E-mail. Spamcop did not have the IPs (our mail server or remote user's dynamic IP) on their list. I will try spamhaus again today to see if their site is accessible. I've been there before, so I know about the IP lookup.

RE: DNS Blacklist problem? - 9.Jun.2008 9:49:34 AM
Jelle
Posts: 5
Joined: 9.Jun.2008
Status: offline
I encountered the same problem. Emails were marked as spam by DNS blacklist. I had to disable DNS blacklist, as there were too many false positives. Now we have spam coming through as no other filter detects it. The problem seems to have started with release 20080326.

RE: DNS Blacklist problem? - 9.Jun.2008 10:20:04 AM
John Letourneau
Posts: 907
Joined: 28.Apr.2008
From: Clayton, NC
Status: offline
mnwolftrack and Jelle, can you enable the DNS Blacklist for testing and then paste some logs from DNSRBL.gfi_log.txt where it shows the message pass through your system? If you are not sure where to stop the logging in the paste, the more information the better.
_____________________________
Regards, John Letourneau - Technical Support Representative GFI Software - www.gfi.com

RE: DNS Blacklist problem? - 9.Jun.2008 10:39:38 AM
Jelle
Posts: 5
Joined: 9.Jun.2008
Status: offline
I'm sorry, I just detected that it is not DNS blacklist, but Spam URI Realtime blocklist...
RE: DNS Blacklist problem? - 9.Jun.2008 11:39:22 AM
mnwolftrack
Posts: 68
Joined: 8.Feb.2005
Status: offline
John, I will try turning on the filter temporarily today and post the log. I looked at the log just now and it only seems to report the last few hours' worth of information. So, I will turn the filter back on, have my user send a test E-mail, post the log file, and turn the filter back off. I checked my user's dynamic IP today (66.72.193.155) and it is on the PBL list at spamhaus.org. What confuses me is that spamhaus' description of the PBL list is that it actually SHOULD list dynamic IPs (such as that of the typical in-home DSL or cable modem) like my user's address.

RE: DNS Blacklist problem? - 9.Jun.2008 12:19:20 PM
mnwolftrack
Posts: 68
Joined: 8.Feb.2005
Status: offline
I turned the DNS filter back on (but changed the action to tag rather than to delete). A test E-mail from my user did not get stopped by the filter. So, I'm assuming there's nothing to show because the log doesn't even show their E-mail being looked at. I'm not sure what to think at this point.
RE: DNS Blacklist problem? - 9.Jun.2008 2:41:59 PM
mnwolftrack
Posts: 68
Joined: 8.Feb.2005
Status: offline
Ok, my user just sent another test E-mail (a few hours after the other E-mail made it through ok) and the message was filtered and tagged, claiming the IP is on zen.spamhaus.org. If I go back to spamhaus.org and check their website, this IP does not appear on the SBL or XBL lists. It's only on the PBL list, and it's supposed to be (according to the PBL info). Here's the information from the DNS log file you requested (I have changed actual names, IP addresses, and E-mail addresses to protect the innocent):

2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","::MTAM_InitMessage"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","[this = 0258EF9B0],CMTAMMessage::CMTAMMessage"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","[this = 0258EF9B0] = CMTAMMessage::InitMessage"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","[CMTAMMessage::InitMessage] refresh context?"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","[CMTAMMessage::InitMessage] keep a copy of the message"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","[CMTAMMessage::InitMessage] default action config is <log: 1 block: 0 type: -1 NDR: 0 Tag: 1 Exchange: Inbox/DNSBlackList>"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","::MTAM_ProcessMessage"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL",",>> ProcessMessage [this = 0X258EF9B0]"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","Version: DNSRBL - Version 15"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","Retrieved channel database connection"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","INFO: Subject: Anti Virus Scan"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","INFO: From: "My User" <myuser@ourdomain.com>"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","INFO: Sender: "
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","INFO: MessageID: <NEBBIBKFJCFCGDLGDNDEMEFCDEAA.myuser@ourdomain.com>"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","INFO: Content type: multipart/alternative; boundary="----=_NextPart_000_0004_01C8CA33.96B953D0"; charset="iso-8859-1""
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","INFO: SMTP Sender: myuser@ourdomain.com"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","INFO: SMTP Recipient: me@ourdomain.com"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","INFO: Mime From display name: My User"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","INFO: Message recipients: 1"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","Recipient me@ourdomain.com' belongs to a local domain (ourdomain.com)"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL",">> CHeaderChecking"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","Processing Message : DNS Blacklist"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","Getting IP from received lines"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL",">> GetRecievedLines"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","Stream recieved"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","<< GetRecievedLines"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","Received lines: Received: from My User ([66.72.193.155]) by mail.ourdomain.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 9 Jun 2008 13:21:03 -0500 From: "My User" <myuser@ourdomain.com> To: "Me" <me@ourdomain.com> Subject: Anti Virus Scan Date: Mon, 9 Jun 2008 13:20:30 -0500 Message-ID: <NEBBIBKFJCFCGDLGDNDEMEFCDEAA.myuser@ourdomain.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0004_01C8CA33.96B953D0" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198 Importance: Normal Return-Path: myuser@ourdomain.com X-OriginalArrivalTime: 09 Jun 2008 18:21:03.0968 (UTC) FILETIME=[93C04600:01C8CA5D]"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","Extracting the last of the remote IPs"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL",">> ExtractLastRemoteIP"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","Constructed final regex: (?:(?:our.ip.address).+?)+\[((\d{1,3}[.]){3}\d{1,3})\]"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","<< ExtractLastRemoteIP"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","No last IP could be extracted. Using connection IP address."
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","GFI_MTAMSGPROPS_CONNECTION_SERVER_IP_ADDRESS is 66.72.193.155"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","Performing Zombie Check on the following IP: 66.72.193.155"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL",">> CheckOpenRelay"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","Cache size: 118"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","Checking: 66.72.193.155"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","Performing lookup using provider: zen.spamhaus.org IP: 66.72.193.155"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL",">> DNSRBLLookupEx"
2008-06-09,13:21:04,250,3,"#00000564","#000017cc","info ","DNSRBL","Performing query: 155.193.72.66.zen.spamhaus.org"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","<< DNSRBLLookupEx [0x0]"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","IP 66.72.193.155 listed as open-relay by zen.spamhaus.org"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","<< CheckOpenRelay (returning spam)"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","SPAM DETECTED: Open Relay detected"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","Report: Sending mail server found on zen.spamhaus.org "
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","Writing SpamFlag: -1"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","Spam email is let through"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","Action config is <log: 1 block: 0 type: -1 NDR: 0 Tag: 1 Exchange: Inbox/DNSBlackList>"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","[CIMessage::MIMESenders]"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","extractemailsusingregex from ("My User" <myuser@ourdomain.com>)"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","[extractemailsfromfields] buffer: <"My User" < myuser@ourdomain.com >>"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","NUM MATCHES: 1"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL",">> myuser@ourdomain.com <<"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","extractemailsusingregex from ()"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","[extractemailsfromfields] buffer: <>"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","NUM MATCHES: 0"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","[CIMessage::MIMERecipients]"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","extractemailsusingregex from ("Me" <me@ourdomain.com>)"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","[extractemailsfromfields] buffer: <"Me" < me@ourdomain.com >>"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","NUM MATCHES: 1"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL",">> me@ourdomain.com <<"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","Building move-to-folder path"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","Log Action? 1"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","Updating action log: 'C:\Program Files\GFI\MailEssentials\logs\dnsbl.log'"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","[Log] me@ourdomain.com "
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","[Log] Sending mail server found on zen.spamhaus.org"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","[Log] Anti Virus Scan"
2008-06-09,13:21:04,531,3,"#00000564","#000017cc","info ","DNSRBL","[Log] myuser@ourdomain.com 1"
2008-06-09,13:21:04,546,3,"#00000564","#000017cc","info ","DNSRBL","[DLE] DLE initialized"
2008-06-09,13:21:04,546,3,"#00000564","#000017cc","info ","DNSRBL","Writing to DLE..."
2008-06-09,13:21:04,546,3,"#00000564","#000017cc","info ","DNSRBL","[CMTAMMessage::ProcessMessage] NDR? 0"
2008-06-09,13:21:04,546,3,"#00000564","#000017cc","info ","DNSRBL","[CMTAMMessage::ProcessMessage] tag <SPAM>, reason <Sending mail server found on zen.spamhaus.org> to subject. 0"
2008-06-09,13:21:04,578,3,"#00000564","#000017cc","info ","DNSRBL","<< ProcessMessage [6]"
2008-06-09,13:21:04,578,3,"#00000564","#000017cc","info ","DNSRBL","<< CHeaderChecking"
2008-06-09,13:21:04,578,3,"#00000564","#000017cc","info ","DNSRBL","::MTAM_UnInitMessage, MID = 630127024"
2008-06-09,13:21:04,578,3,"#00000564","#000017cc","info ","DNSRBL","[this = 0258EF9B0],CMTAMMessage::UnInitMessage"
2008-06-09,13:21:04,578,3,"#00000564","#000017cc","info ","DNSRBL","releasing CMTAMMessage"
2008-06-09,13:21:04,578,3,"#00000564","#000017cc","info ","DNSRBL","[this = 0258EF9B0],CMTAMMessage::~CMTAMMessage"
2008-06-09,13:21:04,578,3,"#00000564","#000017cc","info ","DNSRBL","CMTAMMessage released"
2008-06-09,13:21:04,578,3,"#00000564","#000017cc","info ","DNSRBL","::MTAM_UnInitMessage,[returning]"

RE: DNS Blacklist problem? - 10.Jun.2008 2:49:09 PM
John Letourneau
Posts: 907
Joined: 28.Apr.2008
From: Clayton, NC
Status: offline
mnwolftrack, If you changed the IP it is going to make it hard to find out what is happening. Based on the log below the message should have been blocked by zen.spamhaus.org because the IP (66.72.193.155) is listed in pbl.spamhaus.org.
_____________________________
Regards, John Letourneau - Technical Support Representative GFI Software - www.gfi.com
RE: DNS Blacklist problem? - 10.Jun.2008 2:53:31 PM
mnwolftrack
Posts: 68
Joined: 8.Feb.2005
Status: offline
Correction: I didn't change the IP address the message was coming from, so the one you listed is correct. However, what confuses me is that the FAQ for the PBL list states that dynamic addresses SHOULD be in the PBL list. My user does have a dynamic address because they have basic in-home DSL. So what does this mean?

RE: DNS Blacklist problem? - 10.Jun.2008 5:01:15 PM
John Letourneau
Posts: 907
Joined: 28.Apr.2008
From: Clayton, NC
Status: offline
mnwolftrack, pbl.spamhaus.org is a DNS Blacklist that is used to block messages sent from dynamic addresses. This helps cut down on infected residential based hosts being able to send spam out to the internet. In your situation this is causing a non-spam message to be blocked. Is it possible that this user may be able to get a static IP? Even if we used IP based whitelists for this user with a dynamic IP they would not last.
_____________________________
Regards, John Letourneau - Technical Support Representative GFI Software - www.gfi.com
RE: DNS Blacklist problem? - 10.Jun.2008 5:07:40 PM
mnwolftrack
Posts: 68
Joined: 8.Feb.2005
Status: offline
Hello John, My best option is probably to turn the filter off. For starters, ever since I upgraded to the latest build a few weeks ago, the DNS Blacklist went from catching hundreds of SPAM a day down to about 20 a day now. Second, my biggest concern is whether other systems are blocking this user's E-mail as well. I could put this person's E-mail address in our white list, but we also receive some spoofed E-mail from time to time that comes from this same address. So, whitelisting the E-mail address alone is probably not a great idea. And like you said, whitelisting by IP wouldn't do much good for a dynamic address. I would think, if my user's machine actually had a virus, that they would be on other blacklists as well? I've run Adaware, Spybot Search and Destroy, and the Enterprise Edition of Symantec on this machine and no problems were found. The computer isn't more than about 6 months old either, and the user has not had any other problems, and no symptoms that even suggest a potential infection.

RE: DNS Blacklist problem? - 12.Jun.2008 9:47:49 AM
mnwolftrack
Posts: 68
Joined: 8.Feb.2005
Status: offline
John--is there anything else that can be done? I have several remote users, all of them with dynamic IPs, and no one else gets blocked. I'd rather not have to pay extra for a static IP if the problem is not of our own. Why does GFI ME think there's a problem? If I check one of my other user's recent dynamic IPs, it also obviously shows up on the PBL list. But, that user's E-mail has never been filtered by the DNS Blacklist. Come to think of it, this problem did not happen until we upgraded to this most current build. Perhaps it is something related to the new build. Shall I open a support case?

RE: DNS Blacklist problem? - 26.Jun.2008 11:44:50 PM
John Letourneau
Posts: 907
Joined: 28.Apr.2008
From: Clayton, NC
Status: offline
mnwolftrack, What you could do is disable zen.spamhaus.org (which includes pbl.spamhaus.org) and use sbl-xbl.spamhaus.org. That should work for you.
_____________________________
Regards, John Letourneau - Technical Support Representative GFI Software - www.gfi.com
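The lookup the log records ("Performing query: 155.193.72.66.zen.spamhaus.org") and the zone switch John recommends can both be shown in a few lines. This is an added example, not GFI code or anything from the thread: it builds the reversed-octet query name, maps the 127.0.0.x answers to the Spamhaus sub-lists (the code table comes from Spamhaus's published documentation, not from this page), and applies a policy that ignores PBL-only listings, which is what dropping zen in favour of sbl-xbl amounts to. DNS answers are a constructed in-memory table so it runs offline; the second address is a made-up TEST-NET example of a host listed on both XBL and PBL.

```python
import ipaddress

# Spamhaus ZEN A-record return codes (Spamhaus documentation; assumed here, not from the thread).
# zen = SBL + XBL + PBL; sbl-xbl omits the PBL codes.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP-maintained)", "127.0.0.11": "PBL (Spamhaus-maintained)",
}

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone, e.g.
    66.72.193.155 + zen.spamhaus.org -> 155.193.72.66.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)          # rejects garbage before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answers):
    """Map the A records a DNSBL returned to the sub-lists they encode."""
    return sorted({ZEN_CODES.get(a, "unknown code " + a) for a in answers})

def verdict(ip: str, zone: str, resolve) -> dict:
    """resolve(name) -> list of A records; an empty list means NXDOMAIN / not listed."""
    name = dnsbl_query_name(ip, zone)
    lists = classify(resolve(name))
    return {"query": name, "listed": bool(lists), "lists": lists,
            "pbl_only": bool(lists) and all(l.startswith("PBL") for l in lists)}

def is_spam(v: dict, count_pbl: bool = False) -> bool:
    """Policy: a PBL-only hit (a normal dynamic DSL/cable address) is not spam
    unless the operator explicitly wants PBL to count, which is what zen does."""
    return v["listed"] and (count_pbl or not v["pbl_only"])

# Constructed answers (not real DNS data). The thread's dynamic DSL address is on
# the PBL only, so zen answers 127.0.0.10 and sbl-xbl answers nothing at all.
# 192.0.2.7 is a made-up TEST-NET host that is on XBL (infected) as well as PBL.
FAKE_DNS = {
    "155.193.72.66.zen.spamhaus.org": ["127.0.0.10"],
    "7.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"],
    "7.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.4"],
}

def fake_resolve(name: str):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("66.72.193.155", "192.0.2.7"):
        for zone in ("zen.spamhaus.org", "sbl-xbl.spamhaus.org"):
            v = verdict(ip, zone, fake_resolve)
            print(zone, v, "spam" if is_spam(v) else "pass")
```

Spamhaus has since retired the separate sbl-xbl zone; the equivalent today is to query zen and have the filter ignore the PBL codes, as `is_spam` does by default.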