
hMailServer spam filter

Asked by zc2 (994 views; last modified 2018-02-23)
Some (not all) spam emails are not detected by the DNSBL filter.
In the hMailServer log I can see:
DNS lookup: 200.197.98.172.zen.spamhaus.org, 0 addresses found: (none), Match: False

But, if I try to execute the following command:
host 200.197.98.172.zen.spamhaus.org
it does return a match:
200.197.98.172.zen.spamhaus.org has address 127.0.0.3

The hMailServer's spamhaus entry is configured as follows:
<DNSBlackList Name="zen.spamhaus.org" Score="3" RejectMessage="Rejected by Spamhaus." Active="1" ExpectedResult="127.0.0.2-7"/>


We are using the local Windows Server DNS service for caching, and I can't find the missed DNS requests in the cache.

How could that be fixed?

CERTIFIED EXPERT (Top Expert 2015) commented:
Do you have a DNS forwarder configured for when the internal DNS cannot resolve a name?

Configure a DNS Server to Use Forwarders: https://technet.microsoft.com/en-us/library/cc754941(v=ws.11).aspx
zc2 (Author, CERTIFIED EXPERT) commented:
There are a number of forwarders in the DNS service setup. Please see the attached screenshot.
68.87.64.146 was given by the ISP, but it looks like it's not active. I am going to remove it.
75.75.75.75 also belongs to the ISP (Comcast Business) and responds with the expected result:

dig 200.197.98.172.zen.spamhaus.org @75.75.75.75

; <<>> DiG 9.10.4-P4 <<>> 200.197.98.172.zen.spamhaus.org @75.75.75.75
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19717
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;200.197.98.172.zen.spamhaus.org. IN    A

;; ANSWER SECTION:
200.197.98.172.zen.spamhaus.org. 60 IN  A       127.0.0.3

;; Query time: 118 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Tue May 09 13:43:00 EDT 2017
;; MSG SIZE  rcvd: 76


But 8.8.8.8 was recommended as a fast one, and it looks like it does not actually work for DNSBL:
dig 200.197.98.172.zen.spamhaus.org @8.8.8.8

; <<>> DiG 9.10.4-P4 <<>> 200.197.98.172.zen.spamhaus.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57710
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;200.197.98.172.zen.spamhaus.org. IN    A

;; AUTHORITY SECTION:
zen.spamhaus.org.       9       IN      SOA     need.to.know.only. hostmaster.spamhaus.org. 1705091746 3600 600 432000 10

;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 09 13:47:23 EDT 2017
;; MSG SIZE  rcvd: 124


Should we not use it?

(attachment: DNSfwds.png)
CERTIFIED EXPERT (Top Expert 2015) commented:
[comment text not available: locked on the original page]
zc2 (Author, CERTIFIED EXPERT) commented:
Ok, I will try to remove 8.8.8.8 and test it for a while. Then let you know.
zc2 (Author, CERTIFIED EXPERT) commented:
Did not help...

The log says:
DNS lookup: 86.51.0.173.zen.spamhaus.org, 0 addresses found: (none), Match: False
DNS lookup: 86.51.0.173.psbl.surriel.com, 0 addresses found: (none), Match: False

Manual requests:
host 86.51.0.173.zen.spamhaus.org
86.51.0.173.zen.spamhaus.org has address 127.0.0.3
host 86.51.0.173.psbl.surriel.com
86.51.0.173.psbl.surriel.com has address 127.0.0.2
CERTIFIED EXPERT (Top Expert 2015) commented:
Can you try another public DNS server, because I believe it's still a DNS issue. Take a read from here: viewtopic.php?p=193817#p193817 onwards. It may help you understand why and where to troubleshoot.

Here are some other DNS servers:

Provider            Primary DNS Server    Secondary DNS Server
Google              8.8.8.8               8.8.4.4
DNS.WATCH           84.200.69.80          84.200.70.40
Comodo Secure DNS   8.26.56.26            8.20.247.20
OpenDNS Home        208.67.222.222        208.67.220.220
zc2 (Author, CERTIFIED EXPERT) commented:
You posted a URL, but the site name is truncated; where is the article you suggest I read?

I've added all the servers except the Google ones (as I posted before, those servers do not return the DNSBL info for some reason).
Attached is a screenshot of the DNS forwarders of the local DNS server.

Is there a way to make hMailServer access the DNS servers directly, I mean not use the host machine's settings?

(attachment: DNSs.png)
CERTIFIED EXPERT (Top Expert 2015) commented:
I will look into your question about hMail accessing the DNS server directly and get back to you. I lost that article; I will look for it. BRB
zc2 (Author, CERTIFIED EXPERT) commented:
I don't think the latest change in the DNS forwarders changed a thing.
Still, in the log
"TCPIP"      2768      "2017-05-24 13:52:38.679"      "DNS lookup: 98.232.30.69.zen.spamhaus.org, 0 addresses found: (none), Match: False"
Manual command:
host 98.232.30.69.zen.spamhaus.org
98.232.30.69.zen.spamhaus.org has address 127.0.0.3
CERTIFIED EXPERT commented:
You may want to look for a cache hit rather than a cache miss. There is a delay before Spamhaus detects new spam, and an extra delay if your DNS server caches the previous NXDOMAIN entry.
zc2 (Author, CERTIFIED EXPERT) commented:
I never knew NXDOMAIN entries are cached. Is that what all DNS servers do?
Like I said in the question, the request is not seen in the cache. Does that mean the DNS server's UI just does not show the cached NXDOMAINs?
And is there a way to fix this?
CERTIFIED EXPERT commented:
Not all servers cache NXDOMAIN. Some do, others don't. It is usually configurable; it might be called "negative caching" or something similar.

How do you know that the IP was already blacklisted at the time the mail went through?
Blacklists usually take minutes, possibly hours, to react to new bots. The caching only adds an additional delay.

One other issue could be that either the blacklists, or your DNS relay, or possibly hMail itself, or the network (more likely than you'd think with firewall NAT)... makes some of your DNS queries fail under heavy load. If that is the case, hMail probably complains about failed DNS queries in the logs.
zc2 (Author, CERTIFIED EXPERT) commented:
> some do, others don't.
I checked the UI of the Windows DNS service, and I didn't see any mention of NXDOMAIN or "negative caching".
> how do you know that the IP was already blacklisted
While preparing this question I was monitoring the hMailServer log closely, and each time an undetected spam email appeared I executed the "host" command as in my original question. Between those events less than a minute may have passed.
> hmail probably complains about failed dns queries
I did not see any failed DNS requests, only those "Match: False" results. But is it possible that hMail logs "Match: False" also in the case of a DNS request failure, not only on an NXDOMAIN?
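The points raised in the question and in the last two comments (how the DNSBL name is built from the sender IP and matched against ExpectedResult, why 8.8.8.8 answered NXDOMAIN, and whether a "no match" is an NXDOMAIN or a failed lookup) can be checked outside hMailServer. The following is an added example, not hMailServer's code and not posted by anyone in this thread. It builds the reversed-octet query name, expands the `127.0.0.2-7` range from the config above (only that single-address or last-octet-range syntax is assumed), and triages a `dig` response into listed / not listed / lookup error. For NXDOMAIN it also reports the negative-cache lifetime a resolver following RFC 2308 may use, which is the smaller of the SOA minimum field and the SOA record's own TTL; in the Google response above those are 10 and 9 seconds. The two sample responses are trimmed copies of the dig outputs posted earlier; `check_forwarder` runs the real `dig` and needs network access.

```python
# Added example (not hMailServer's code). Builds the DNSBL query name the way
# a DNSBL client does, expands hMailServer's ExpectedResult range, and triages
# a `dig` response into listed / not listed / lookup error, reporting the
# RFC 2308 negative-cache TTL for NXDOMAIN answers.
import ipaddress
import re
import subprocess


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def expand_expected(expected: str) -> set:
    """Expand 'a.b.c.N' or 'a.b.c.N-M' (the form used in the config above).
    Any other ExpectedResult syntax is out of scope here (assumption)."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)(?:-(\d+))?", expected.strip())
    if not m:
        raise ValueError(f"unsupported ExpectedResult syntax: {expected!r}")
    prefix, lo = m.group(1), int(m.group(2))
    hi = int(m.group(3)) if m.group(3) else lo
    return {f"{prefix}{i}" for i in range(lo, hi + 1)}


_STATUS = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+)")
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.+)$")


def triage_dig_output(text: str, expected: set) -> dict:
    """Classify one dig response for a DNSBL name.

    verdict: 'listed'     - NOERROR with an A record inside `expected`
             'not_listed' - NXDOMAIN, the only answer that means "clean"
             'error'      - SERVFAIL/REFUSED/timeout, or an A record outside
                            `expected` (Spamhaus uses 127.255.255.x codes to
                            report query errors such as use of a public resolver)
    negative_ttl: for NXDOMAIN, min(SOA minimum, SOA record TTL) per RFC 2308,
                  i.e. how long a caching resolver may keep answering NXDOMAIN.
    """
    m = _STATUS.search(text)
    status = m.group(1) if m else "TIMEOUT"  # no header at all: dig got nothing
    section, addresses, negative_ttl = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";;") and "SECTION" in line:
            section = ("answer" if "ANSWER" in line
                       else "authority" if "AUTHORITY" in line else None)
            continue
        if not line or line.startswith(";"):
            continue  # comments, pseudo-sections, the ';name' question line
        rr = _RR.match(line)
        if not rr:
            continue
        ttl, rtype, rdata = int(rr.group(2)), rr.group(3), rr.group(4).split()
        if section == "answer" and rtype == "A":
            addresses.append(rdata[0])
        elif section == "authority" and rtype == "SOA":
            negative_ttl = min(int(rdata[-1]), ttl)  # SOA minimum vs record TTL
    if status == "NOERROR" and addresses:
        verdict = "listed" if any(a in expected for a in addresses) else "error"
        negative_ttl = None
    elif status == "NXDOMAIN":
        verdict = "not_listed"
    else:
        verdict = "error"
    return {"status": status, "verdict": verdict,
            "addresses": addresses, "negative_ttl": negative_ttl}


def check_forwarder(ip: str, zone: str, server: str, expected: set) -> dict:
    """Query one forwarder with the real dig (needs network and dig installed)."""
    name = dnsbl_query_name(ip, zone)
    out = subprocess.run(["dig", "+time=5", "+tries=1", name, f"@{server}"],
                         capture_output=True, text=True, check=False).stdout
    return triage_dig_output(out, expected)


# Trimmed copies of the two dig outputs posted in this thread (Comcast vs Google).
COMCAST = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19717
;; QUESTION SECTION:
;200.197.98.172.zen.spamhaus.org. IN    A

;; ANSWER SECTION:
200.197.98.172.zen.spamhaus.org. 60 IN  A       127.0.0.3
"""
GOOGLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57710
;; QUESTION SECTION:
;200.197.98.172.zen.spamhaus.org. IN    A

;; AUTHORITY SECTION:
zen.spamhaus.org.       9       IN      SOA     need.to.know.only. hostmaster.spamhaus.org. 1705091746 3600 600 432000 10
"""

if __name__ == "__main__":
    expected = expand_expected("127.0.0.2-7")
    print(dnsbl_query_name("172.98.197.200", "zen.spamhaus.org"))
    for label, sample in (("Comcast", COMCAST), ("Google", GOOGLE)):
        print(label, triage_dig_output(sample, expected))
```

To compare the forwarders in the screenshot, call `check_forwarder` once per server with an address Spamhaus documents as permanently listed for testing, `127.0.0.2` (query name `2.0.0.127.zen.spamhaus.org`): a forwarder that returns `not_listed` for that name, as 8.8.8.8 does in the thread, will never produce a match for any sender. A `TIMEOUT` or `SERVFAIL` verdict is a lookup failure, not a clean sender, and is the case to watch for under load.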
CERTIFIED EXPERT commented:
[comment text not available: locked on the original page]
zc2 (Author, CERTIFIED EXPERT) commented:
[comment text not available: locked on the original page]
CERTIFIED EXPERT commented:
This should help and will likely make a measurable difference. But do not expect blacklists to filter out 100% of your spam anyway. Many bots send trash for about 5 min at a time and get blacklisted after one to a few minutes (if at all), and other spam sources are mixed up with legitimate traffic, so blacklists can hardly trigger.