zc2
asked on
hMailServer spam filter
Some (not all) spam emails are not detected by the DNSBL filter.
In the hMailServer log I can see:
DNS lookup: 200.197.98.172.zen.spamhaus.org, 0 addresses found: (none), Match: False
But, if I try to execute the following command:
host 200.197.98.172.zen.spamhaus.org
it does return a match:
200.197.98.172.zen.spamhaus.org has address 127.0.0.3
The hMailServer's spamhaus entry is configured as follows:
<DNSBlackList Name="zen.spamhaus.org" Score="3" RejectMessage="Rejected by Spamhaus." Active="1" ExpectedResult="127.0.0.2-7"/>
We are using the local Windows Server DNS service for caching and I can't find the missed DNS requests in the cache.
How could that be fixed?
ASKER
There are a number of forwarders in the DNS service setup. Please see the attached screenshot.
68.87.64.146 was given by the ISP, but it looks like it's not active. I am going to remove it.
75.75.75.75 also belongs to the ISP (Comcast Business) and responds with the expected result:
dig 200.197.98.172.zen.spamhaus.org @75.75.75.75
; <<>> DiG 9.10.4-P4 <<>> 200.197.98.172.zen.spamhaus.org @75.75.75.75
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19717
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;200.197.98.172.zen.spamhaus.org. IN A
;; ANSWER SECTION:
200.197.98.172.zen.spamhaus.org. 60 IN A 127.0.0.3
;; Query time: 118 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Tue May 09 13:43:00 EDT 2017
;; MSG SIZE rcvd: 76
But 8.8.8.8 was recommended as a fast one and it looks like it does not actually work for DNSBL:
dig 200.197.98.172.zen.spamhaus.org @8.8.8.8
; <<>> DiG 9.10.4-P4 <<>> 200.197.98.172.zen.spamhaus.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57710
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;200.197.98.172.zen.spamhaus.org. IN A
;; AUTHORITY SECTION:
zen.spamhaus.org. 9 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1705091746 3600 600 432000 10
;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 09 13:47:23 EDT 2017
;; MSG SIZE rcvd: 124
Should we not use it?
DNSfwds.png
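The dig runs above test one resolver at a time by hand. The script below is an added example, not code from the thread, from hMailServer or from Spamhaus: it builds the reversed-octet DNSBL name, sends a raw DNS A query to each forwarder in turn, parses the reply, and applies the ExpectedResult="127.0.0.2-7" range from the question's configuration (my reading of that attribute: first three octets fixed, last octet in the range). Spamhaus's own FAQ states that queries arriving through large public resolvers such as Google's are not answered, which is consistent with the NXDOMAIN from 8.8.8.8 above. All function names and the make_response sample reply are mine and exist only so the parser can be exercised offline.

```python
"""Check a DNSBL listing for one client IP through several resolvers.

Added example (not hMailServer's or Spamhaus's code): a minimal wire-format
DNS A query/response so each forwarder can be tested independently.
"""
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def dnsbl_name(ip, zone):
    """DNSBL convention: IPv4 octets reversed, then the list zone.
    172.98.197.200 in zen.spamhaus.org -> 200.197.98.172.zen.spamhaus.org"""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address expected")
    return ".".join(reversed(octets)) + "." + zone


def encode_name(name):
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_query(name, txid):
    """Standard query, RD=1, one question of type A class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name in a reply."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, [A-record addresses]) from a wire-format reply."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def matches_expected(addrs, spec):
    """Assumed reading of hMailServer's ExpectedResult="127.0.0.2-7":
    first three octets must match, last octet within the inclusive range."""
    prefix, last = spec.rsplit(".", 1)
    lo, _, hi = last.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return [a for a in addrs
            if a.rsplit(".", 1)[0] == prefix and lo <= int(a.rsplit(".", 1)[1]) <= hi]


def make_response(name, txid, rcode, addrs, ttl=60):
    """Constructed reply (sample data for offline checks); answers point at the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", 1, 1)
    for a in addrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
    return msg


def query(resolver, name, timeout=3.0):
    """Send one UDP query to a resolver; returns (rcode name, addresses)."""
    txid = random.randrange(1, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(512)
    if struct.unpack_from("!H", data, 0)[0] != txid:
        raise ValueError("transaction id mismatch")
    rcode, addrs = parse_response(data)
    return RCODE_NAMES.get(rcode, str(rcode)), addrs


if __name__ == "__main__":
    # Resolvers and client IP as in the thread; zone from the hMailServer config.
    name = dnsbl_name("172.98.197.200", "zen.spamhaus.org")
    for resolver in ("75.75.75.75", "8.8.8.8"):
        try:
            rc, addrs = query(resolver, name)
            print(resolver, rc, addrs, "Match:", bool(matches_expected(addrs, "127.0.0.2-7")))
        except (socket.timeout, OSError, ValueError) as exc:
            print(resolver, "query failed:", exc)
```

Run it with each forwarder configured on the Windows DNS server in the resolver list; a forwarder that answers NXDOMAIN or times out for an IP the others list is one the DNSBL checks cannot rely on, because the Windows service may hand any given query to it.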
SOLUTION
This solution is only available to members.
ASKER
Ok, I will try to remove 8.8.8.8 and test it for a while. Then let you know.
ASKER
Did not help...
the log says:
DNS lookup: 86.51.0.173.zen.spamhaus.org, 0 addresses found: (none), Match: False
DNS lookup: 86.51.0.173.psbl.surriel.com, 0 addresses found: (none), Match: False
manual requests:
host 86.51.0.173.zen.spamhaus.org
86.51.0.173.zen.spamhaus.org has address 127.0.0.3
host 86.51.0.173.psbl.surriel.com
86.51.0.173.psbl.surriel.com has address 127.0.0.2
Can you try another public DNS server, because I believe it's still a DNS issue. Take a read from here: viewtopic.php?p=193817#p193817 onwards. It may help you understand why and where to troubleshoot.
Here are some other DNS servers:
Provider            Primary DNS Server   Secondary DNS Server
Google              8.8.8.8              8.8.4.4
DNS.WATCH           84.200.69.80         84.200.70.40
Comodo Secure DNS   8.26.56.26           8.20.247.20
OpenDNS Home        208.67.222.222       208.67.220.220
ASKER
You posted some URL, but the site name is truncated; where is that article you suggest I read?
I've added all the servers except the Google ones (as I posted before, those servers do not return the DNSBL info for some reason).
Attached is a screenshot of the DNS forwarders of the local DNS server.
Is there a way to make hMailServer access the DNS servers directly, I mean not use the host machine's settings?
DNSs.png
I will look into your question about hmail access DNS server directly and get back to you. I lost that article, will look for it. BRB
ASKER
I don't think the latest change in the DNS forwarders changed a thing.
Still, in the log:
"TCPIP" 2768 "2017-05-24 13:52:38.679" "DNS lookup: 98.232.30.69.zen.spamhaus.org, 0 addresses found: (none), Match: False"
manual command:
host 98.232.30.69.zen.spamhaus.org
98.232.30.69.zen.spamhaus.org has address 127.0.0.3
You may want to look for a cache hit rather than a cache miss. There is a delay before Spamhaus detects new spam, and an extra delay if your DNS server caches the previous NXDOMAIN entry.
ASKER
I never knew NXDOMAIN entries are cached. Is that what all DNS servers do?
Like I said in the question, the request is not seen in the cache. Does that mean the DNS server's UI just does not show the cached NXDOMAINs?
And is there a way to fix this?
Not all servers cache NXDOMAIN. Some do, others don't. It is usually configurable; it might be called "negative caching" or something similar.
How do you know that the IP was already blacklisted at the time the mail went through?
Blacklists usually take minutes, possibly hours, to react to new bots. The caching only adds an additional delay.
One other issue could be that either the blacklists, or your DNS relay, or possibly hMail itself, or the network (more likely than you'd think with firewall NAT)... makes some of your DNS queries fail under heavy load. If that is the case, hMail probably complains about failed DNS queries in the logs.
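A worked illustration of the negative-caching point, added here and not part of the thread or of any product named in it. RFC 2308 lets a resolver cache an NXDOMAIN for min(SOA TTL, SOA MINIMUM) taken from the SOA in the reply's authority section, which is why the NXDOMAIN from 8.8.8.8 above carries one. For the values on that SOA line the bound is 9 seconds (10 at the authority), so for this zone a stale negative entry can hide a fresh listing for at most that long; the second, hypothetical zone with a 3600 s minimum shows how much longer it can be elsewhere. The toy resolver, the "listed at t=5 s" upstream and the class and function names are mine.

```python
"""Negative caching (RFC 2308) versus a DNSBL that has just listed an IP.

Added example, not from the thread or from any of the products mentioned in it.
The SOA line is the one 8.8.8.8 returned in the dig output above; the
"listed at t=5 s" timeline is constructed.
"""
import re

SOA_LINE = ("zen.spamhaus.org. 9 IN SOA need.to.know.only. "
            "hostmaster.spamhaus.org. 1705091746 3600 600 432000 10")
# dig layout: owner TTL IN SOA mname rname serial refresh retry expire minimum
SOA_RE = re.compile(
    r"^\S+\s+(\d+)\s+IN\s+SOA\s+\S+\s+\S+\s+\d+\s+\d+\s+\d+\s+\d+\s+(\d+)$")
NAME = "200.197.98.172.zen.spamhaus.org"


def negative_ttl(soa_line):
    """RFC 2308 section 5: an NXDOMAIN may be cached for min(SOA TTL, SOA MINIMUM).
    For the dig output above that is min(9, 10) = 9 seconds."""
    m = SOA_RE.match(soa_line.strip())
    if not m:
        raise ValueError("not a dig-style SOA line")
    return min(int(m.group(1)), int(m.group(2)))


class NegativeCachingResolver:
    """Toy caching resolver: positive answers live for the record TTL,
    NXDOMAIN answers for the negative TTL derived from the SOA."""

    def __init__(self, upstream):
        # upstream(name, now) -> ("NXDOMAIN", soa_line) or ("NOERROR", addrs, ttl)
        self.upstream = upstream
        self.cache = {}            # name -> (expires_at, (rcode, addrs))

    def lookup(self, name, now):
        entry = self.cache.get(name)
        if entry is not None and now < entry[0]:
            return "cache", entry[1]
        answer = self.upstream(name, now)
        if answer[0] == "NXDOMAIN":
            ttl, result = negative_ttl(answer[1]), ("NXDOMAIN", [])
        else:
            ttl, result = answer[2], ("NOERROR", list(answer[1]))
        self.cache[name] = (now + ttl, result)
        return "upstream", result


def listing_upstream(listed_at, soa_line):
    """Constructed upstream list: unlisted before listed_at seconds, listed after."""
    def upstream(name, now):
        if now >= listed_at:
            return ("NOERROR", ["127.0.0.3"], 60)
        return ("NXDOMAIN", soa_line)
    return upstream


def timeline(listed_at, lookup_times, soa_line=SOA_LINE):
    """What the mail server sees at each lookup: (t, "cache"|"upstream", rcode)."""
    resolver = NegativeCachingResolver(listing_upstream(listed_at, soa_line))
    out = []
    for t in lookup_times:
        source, (rcode, _) = resolver.lookup(NAME, t)
        out.append((t, source, rcode))
    return out


if __name__ == "__main__":
    print("negative TTL for zen.spamhaus.org:", negative_ttl(SOA_LINE), "s")
    print("zen.spamhaus.org, listed at t=5:", timeline(5, [0, 6, 12]))
    slow_zone = ("example.test. 3600 IN SOA ns.example.test. "
                 "hostmaster.example.test. 1 3600 600 432000 3600")   # hypothetical zone
    print("zone with 3600 s minimum, listed at t=5:", timeline(5, [0, 6, 12], slow_zone))
```

The practical check this suggests: when a miss is logged, note the timestamp, and compare it with the lookup that later returns 127.0.0.x; if the gap exceeds the negative TTL of the zone, a cached NXDOMAIN on the local DNS server cannot be what separated the two results.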
ASKER
"some do, others don't."
I checked the UI of the Windows DNS service, and I didn't see any mention of NXDOMAIN or "negative caching".
"how do you know that the IP was already blacklisted"
While preparing this question I was monitoring the hMailServer log closely, and each time a not-detected spam email appeared I executed the "host" command like in my original question. Between those events less than a minute may have passed.
"hmail probably complains about failed dns queries"
I did not see any failed DNS requests, only those "Match: False" results. But is it possible that hMail logs "Match: False" also in the case of a DNS request failure, not only on an NXDOMAIN?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
This should help and likely make a measurable difference. But do not expect blacklists to filter out 100% of your spam anyway. Many bots send trash for about 5 min at a time and get blacklisted after 1 to a few minutes (if at all), and other spam sources are mixed up with legitimate traffic, so blacklists can hardly trigger.
Configure a DNS Server to Use Forwarders: https://technet.microsoft.com/en-us/library/cc754941(v=ws.11).aspx