zc2 (ASKER)

hMailServer spam filter

Some (not all) spam emails are not detected by the DNSBL filter.
In the hMailServer log I can see:
DNS lookup: 200.197.98.172.zen.spamhaus.org, 0 addresses found: (none), Match: False

But, if I try to execute the following command:
host 200.197.98.172.zen.spamhaus.org
it does return a match:
200.197.98.172.zen.spamhaus.org has address 127.0.0.3

hMailServer's Spamhaus entry is configured as follows:
<DNSBlackList Name="zen.spamhaus.org" Score="3" RejectMessage="Rejected by Spamhaus." Active="1" ExpectedResult="127.0.0.2-7"/>


We are using local Windows Server DNS service for caching and I can't find the missed DNS requests in the cache.

How could that be fixed?
Wayne88

Do you have a DNS forwarder configured for when the internal DNS cannot resolve a name?

Configure a DNS Server to Use Forwarders: https://technet.microsoft.com/en-us/library/cc754941(v=ws.11).aspx
zc2 (ASKER)

There are a number of forwarders in the DNS service setup. Please see the attached screenshot.
68.87.64.146 was given by the ISP, but looks like it's not active. I am going to remove it.
75.75.75.75 also belongs to the ISP (Comcast Business) and responds with the expected result:

dig 200.197.98.172.zen.spamhaus.org @75.75.75.75

; <<>> DiG 9.10.4-P4 <<>> 200.197.98.172.zen.spamhaus.org @75.75.75.75
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19717
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;200.197.98.172.zen.spamhaus.org. IN    A

;; ANSWER SECTION:
200.197.98.172.zen.spamhaus.org. 60 IN  A       127.0.0.3

;; Query time: 118 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Tue May 09 13:43:00 EDT 2017
;; MSG SIZE  rcvd: 76


But 8.8.8.8 was recommended as a fast one, and it looks like it does not actually work for DNSBL:
dig 200.197.98.172.zen.spamhaus.org @8.8.8.8

; <<>> DiG 9.10.4-P4 <<>> 200.197.98.172.zen.spamhaus.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57710
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;200.197.98.172.zen.spamhaus.org. IN    A

;; AUTHORITY SECTION:
zen.spamhaus.org.       9       IN      SOA     need.to.know.only. hostmaster.spamhaus.org. 1705091746 3600 600 432000 10

;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 09 13:47:23 EDT 2017
;; MSG SIZE  rcvd: 124


Should we not use it?
(attachment: DNSfwds.png)
SOLUTION
Wayne88
This solution is only available to members.
zc2 (ASKER)

Ok, I will try to remove 8.8.8.8 and test it for a while. Then let you know.
zc2 (ASKER)

Did not help...

the log says:
DNS lookup: 86.51.0.173.zen.spamhaus.org, 0 addresses found: (none), Match: False
DNS lookup: 86.51.0.173.psbl.surriel.com, 0 addresses found: (none), Match: False

manual requests:
host 86.51.0.173.zen.spamhaus.org
86.51.0.173.zen.spamhaus.org has address 127.0.0.3
host 86.51.0.173.psbl.surriel.com
86.51.0.173.psbl.surriel.com has address 127.0.0.2
Can you try another public DNS server because I believe it's still a DNS issue.  Take a read from here: viewtopic.php?p=193817#p193817 onwards. It may help you understand why and where to troubleshoot.

Here are some other DNS servers:

Provider            Primary DNS Server    Secondary DNS Server
Google              8.8.8.8               8.8.4.4
DNS.WATCH           84.200.69.80          84.200.70.40
Comodo Secure DNS   8.26.56.26            8.20.247.20
OpenDNS Home        208.67.222.222        208.67.220.220
zc2 (ASKER)

You posted some URL, but the site name is truncated; where is that article you suggest I read?

I've added all the servers except the Google ones (as I posted before, those servers do not return the DNSBL info for some reason).
Attached is a screenshot of the DNS forwarders of the local DNS server.

Is there a way to make hMailServer access the DNS servers directly, I mean not to use the host machine's settings?
(attachment: DNSs.png)
I will look into your question about hmail access DNS server directly and get back to you.  I lost that article, will look for it. BRB
zc2 (ASKER)

I don't think the latest change in the DNS forwarders changed a thing.
Still, in the log
"TCPIP"      2768      "2017-05-24 13:52:38.679"      "DNS lookup: 98.232.30.69.zen.spamhaus.org, 0 addresses found: (none), Match: False"
manual command:
host 98.232.30.69.zen.spamhaus.org
98.232.30.69.zen.spamhaus.org has address 127.0.0.3
skullnobrains

you may want to look for a cache hit rather than a cache miss. there is a delay before spamhaus detects new spam and an extra delay if your dns server caches the previous NXDOMAIN entry.
zc2 (ASKER)

I never knew NXDOMAIN entries are cached. Is that what all DNS servers do?
Like I said in the question the request is not seen in the cache. Does that mean the DNS server's UI just does not show the cached NXDOMAINs?
And is there a way to fix this?
not all servers cache NXDOMAIN. some do, others don't. it is usually configurable. might be called "negative caching" or something similar.

how do you know that the IP was already blacklisted at the time the mail went through?
blacklists usually take minutes, possibly hours to react to new bots. the caching only adds an additional delay.

one other issue could be either the blacklists, or your dns relay, or possibly hmail itself, the network (more likely than you'd think with firewall nat).... makes some of your dns queries fail under heavy load. if that is the case, hmail probably complains about failed dns queries in the logs.
zc2 (ASKER)

> some do, others don't.
I checked the UI of the Windows DNS service, and I didn't see any mention of NXDOMAIN or "negative caching".
> how do you know that the IP was already blacklisted
While preparing this question I was monitoring the hMailServer log closely, and each time an undetected spam email appeared I executed the "host" command as in my original question. Less than a minute may have passed between those events.
> hmail probably complains about failed dns queries
I did not see any failed DNS requests, only those "Match: False" results. But is it possible that hMail logs "Match: False" also in the case of a DNS request failure, not only on an NXDOMAIN?
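The check this thread is debugging, as an added example (not hMailServer's own code): it builds the reversed-octet query name, expands the ExpectedResult form from the configuration in the question, and keeps an NXDOMAIN "not listed" apart from a failed lookup, which a bare "Match: False" log line does not reveal. The resolver is injected so it runs offline against a constructed stand-in (a real caller would pass socket.gethostbyname_ex), and negative_cache_ttl applies RFC 2308 to the SOA line in the 8.8.8.8 dig output above.

```python
import ipaddress
import socket

# Three outcomes; a bare "Match: True/False" log line cannot show the third one.
LISTED, NOT_LISTED, LOOKUP_FAILED = "listed", "not_listed", "lookup_failed"

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 172.98.197.200 -> 200.197.98.172.zen.spamhaus.org."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def expected_result_range(expected):
    """Expand the ExpectedResult forms seen in the thread: '127.0.0.3' or '127.0.0.2-7'."""
    base, sep, last = expected.partition("-")
    if not sep:
        return {base}
    prefix, first = base.rsplit(".", 1)
    return {f"{prefix}.{n}" for n in range(int(first), int(last) + 1)}

def check_dnsbl(ip, zone, expected, resolve):
    """resolve(name) returns the A records or raises socket.gaierror, as socket.gethostbyname_ex does.
    Only NXDOMAIN (EAI_NONAME) is a real 'not listed'; EAI_AGAIN / SERVFAIL / timeout is no verdict."""
    name = dnsbl_query_name(ip, zone)
    try:
        addresses = sorted(set(resolve(name)))
    except socket.gaierror as err:
        return (NOT_LISTED if err.errno == socket.EAI_NONAME else LOOKUP_FAILED), []
    except OSError:  # e.g. socket.timeout from a transport-level failure
        return LOOKUP_FAILED, []
    wanted = expected_result_range(expected)
    return (LISTED if any(a in wanted for a in addresses) else NOT_LISTED), addresses

def negative_cache_ttl(soa_line):
    """RFC 2308: a resolver caches an NXDOMAIN for min(SOA record TTL, SOA MINIMUM) seconds.
    For the dig line 'zen.spamhaus.org. 9 IN SOA ... 432000 10' that is 9 s (already counting down)."""
    fields = soa_line.split()
    return min(int(fields[1]), int(fields[-1]))

# Constructed resolver stand-ins so the example runs offline; real use: socket.gethostbyname_ex(name)[2]
CONSTRUCTED_ANSWERS = {"200.197.98.172.zen.spamhaus.org": ["127.0.0.3"]}

def fake_resolve(name):
    if name in CONSTRUCTED_ANSWERS:
        return CONSTRUCTED_ANSWERS[name]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")  # NXDOMAIN

def failing_resolve(name):
    raise socket.gaierror(socket.EAI_AGAIN, "Temporary failure in name resolution")  # SERVFAIL/timeout
```

A LOOKUP_FAILED result is the case worth logging separately: it means the forwarder chain gave no answer, not that the sender is clean.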
ASKER CERTIFIED SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
this should help and likely make a measurable difference. but do not expect blacklists to filter out 100% of your spam anyway. many bots send trash about 5 min at a time and get blacklisted after 1 to a few minutes (if at all), and other spam sources are mixed up with legitimate traffic so blacklists can hardly trigger.