hMailServer forum

Hello,

I have a situation where many spam emails are coming through recently. I ran through the settings the see if something was missing but what I have found is that emails from domains that SpamHaus has listed are not triggering an increase in score. As an example, the information below is from the log file.

"SMTPD" 2220 236042 "2017-02-20 15:10:21.285" "74.63.250.108" "RECEIVED: MAIL FROM:<Neuropathy_Treatment_Group@reject.qhigain.us>"
"DEBUG" 2220 "2017-02-20 15:10:21.285" "Spam test: SpamTestDNSBlackLists, Score: 0"
"DEBUG" 2220 "2017-02-20 15:10:21.285" "Spam test: SpamTestHeloHost, Score: 0"
"DEBUG" 2220 "2017-02-20 15:10:21.285" "Spam test: SpamTestMXRecords, Score: 0"
"DEBUG" 2220 "2017-02-20 15:10:21.285" "Spam test: SpamTestSPF, Score: 0"
"DEBUG" 2220 "2017-02-20 15:10:21.285" "Total spam score: 0"

If I go to mxtoolbox.com and enter "reject.qhigain.us" SpamHaus shows this as listed. In my mind, the SpamTestDNSBlackLists score should be equal to what I have entered for SpamHaus (5). Am I understanding the system operation incorrectly please?.

I have attached some screen shots below.

Please Acton viewtopic.php?f=20&t=30914 and post results here.

Thank you.

[code]2/20/2017 6:04:49 PM Hmailserver: 5.6.6-B2383

IP: 127.0.0.1 - 127.0.0.1 Priority: 15 Name: My computer

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - True


IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - True
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - True External To External - True


------------------------------------------------------
AUTOBANNED Local Addresses:
No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
Autoban Enabled: False
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
No entries
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL SPAM TESTS Score SPAMASSASSIN
Spam Mark: 6 Use SPF: True - 3 Use Spamassassin: True
Add X-HmailServer-Spam: True Check HELO host: True - 2 Hostname: localhost
Add X-HmailServer-Reason: True Check MX records: True - 2 Port: 783
Add X-HmailServer-Subject: True Verify DKIM: True - 5 Use SA score: True
Subject Text: "[SPAM]"
Spam delete threshold: 6 Maximum message size: 1024

GREYLISTING:
Greylisting: True Defer mins: 7 Days Unused: 2 Days Used: 72
Bypass SPF: True Bypass A/MX: False

Greylist WHITELIST ENTRIES:
IP Address: 127.0.0.1
IP Address: 67.227.238.94

Greylist DOMAINS enabled:
No entries

DNSBL ENTRIES:
zen.spamhaus.org Score: 5 Result: 127.0.0.*
bl.spamcop.net Score: 4 Result: 127.0.0.2

SURBL ENTRIES:
multi.surbl.org Score: 1
-----------------------------------------------------------------------------------------------

WHITELISTING
0.0.0.0 to 255.255.255.255 *facebook
0.0.0.0 to 255.255.255.255 *@worldpay.com
-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
When found - Delete email - Notify Sender: False, Notify Receiver: True

Max Message Size: 1052
CLAM AV: False
CLAMWIN: False
CUSTOMAV: False
-----------------------------------------------------------------------------------------------

SSL/TLS
SSL 3.0 : False
TLS 1.0 : True
TLS 1.1 : True
TLS 1.2 : True Verify Remote SSL/TLS Certs: True
SslCipherList :

ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 - DHE-RSA-AES128-GCM-SHA256 - DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA - ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256 - DHE-RSA-AES128-SHA - DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256 - DHE-DSS-AES256-SHA - DHE-RSA-AES256-SHA
AES128-GCM-SHA256 - AES256-GCM-SHA384 - ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA - AES128 - AES256
RC4-SHA - HIGH - !aNULL
!eNULL - !EXPORT - !DES
!3DES - !MD5 - !PSK;
-----------------------------------------------------------------------------------------------

TCPIP PORTS Connection Sec
0.0.0.0 / 25 / SMTP - None
0.0.0.0 / 110 / POP3 - None
0.0.0.0 / 143 / IMAP - None
0.0.0.0 / 587 / SMTP - None
-----------------------------------------------------------------------------------------------

LOGGING Logging Enabled: True

Paths:- Current: C:\Program Files (x86)\hMailServer\Logs\hmailserver_2017-02-20.log
Error: C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2017-02-20.log
Event: C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log
Awstats: C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
APPLICATION - True
SMTP - True
POP3 - True
IMAP - .
TCPIP - .
DEBUG - True
AWSTATS - .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL Compact

IPv6 support is available in operating system.

ERROR: Backup directory has not been specified.

Relative message paths are stored in the database for all messages.

No problems were found in the IP range configuration.

-----------------------------------------------------------------------------------------------

[/code]Generated by HMSSettingsDiagnostics v1.40, Hmailserver Forum.

You cant use wildcard for Result codes.
https://www.hmailserver.com/documentati ... blacklists

Spamhaus result: 127.0.0.2-11 is more appropriate.

I did have the exact ranges set before and the result was the same. I would add that the link you pointed to says that wildcards are acceptable.

I have changed it anyway, but the results are the same.

I believe that documentation page is wrong. Many versions ago it was allowed to enter * as an "IP ADDRESS" return where as now there is a 'result code' but since v5.3.2 they were all changed to be exact matches. (Needs investigation).

When you say its still happening, how do you know? Have you had NEW inbound emails from that source since changing it?

Ok, just tested, and it seems wildcard is still accepted and allowed. Documentation is right after all and I am wrong. Sorry.

So...

When you say its still happening, how do you know? Have you had NEW inbound emails from that source since changing it?

spamhaus checks the connecting IP address (in reverse) NOT the sender FROM

you need to check for IP 74.63.250.108
(This IS currently listed - unsure about when you received that message though)

Personally I find SPamhaus, while excellent is a lot slower than other DNSBLs that I Use to add new IPs

mattg wrote:spamhaus checks the connecting IP address (in reverse) NOT the sender FROM

you need to check for IP 74.63.250.108

Yes, I checked the connecting address 74.63.250.108 and it is listed: https://www.spamhaus.org/query/ip/74.63.250.108

Hello guys,

So the result is 'yes' to your question about new connections coming in. As an example here is a recent email from today.

"SMTPD" 2212 242672 "2017-02-21 16:12:39.537" "74.63.228.254" "RECEIVED: MAIL FROM:<Real-Results@dough.viwound.us>"
"DEBUG" 2212 "2017-02-21 16:12:39.537" "Spam test: SpamTestDNSBlackLists, Score: 0"
"DEBUG" 2212 "2017-02-21 16:12:39.537" "Spam test: SpamTestHeloHost, Score: 0"
"DEBUG" 2212 "2017-02-21 16:12:39.537" "Spam test: SpamTestMXRecords, Score: 0"
"DEBUG" 2212 "2017-02-21 16:12:39.552" "Spam test: SpamTestSPF, Score: 0"
"DEBUG" 2212 "2017-02-21 16:12:39.552" "Total spam score: 0"

SpamHaus has that sending IP address (74.63.228.254) listed as blacklisted.

tiggywiggler wrote:SpamHaus has that sending IP address (74.63.228.254) listed as blacklisted.

Yes, but how long after the message was received did you check the list?

I use 'notepad ++'

it has an excellent search facility, called 'Find in Files'.
If I put the text 'zen.spamhaus.org, 1 addresses found' in the find what, and then set it to search my hMailsevrer log directory, i get many hundreds of hits in my (this months) logs.

If you have notepad++ please try that, or perhaps search with windows search looking at contents of files.

I have many instances where zen.spamhaus.org doesn't find anything, but I also have some where they do. I also 're-check for spam' any unread mail every four hours, and find many messages in the second scan that weren't tagged as spam four hours previously.

Searching for this string inside Notepad++ returns zero results.

I would conduct a rebuild, but I cannot understand why that would help. Is there a SpamHaus DLL that could be corrupt?

tiggywiggler wrote:I would conduct a rebuild, but I cannot understand why that would help. Is there a SpamHaus DLL that could be corrupt?

No such thing exists. Hmailserver does lookups purely from the text/entries you write in th DNSBL settings.

It is still likely that the address wasnt listed at the time you received the email (especially given that the ip address 74.63.228.254 is different from the first one 74.63.250.108). These lookup up/spam traps are not immediate. You might be better to implement greylisting which will then add the benefit of delaying any incoming email for a particular period of time given the likes of spamhaus to make and register their traps. (Often, spambots wont retry if greylisted anyway).

You could always script your own RBLcheck if you don't trust the system...

System Scripting Runtime COM object -> http://www.netal.com/ssr.htm
Binary -> http://www.netal.com/software/ssr15.zip
http://www.wisegeek.com/what-is-snowsho ... youknowout

Example of usage...

I also like to know what happens if you change DNS server on your machine...

Which DNS does your windows machine use?

mattg wrote:I also like to know what happens if you change DNS server on your machine...

Which DNS does your windows machine use?

(I also got to this thought but could no longer be bother to go down that route)

Hello all and thank you for your comments. I am sorry I did not reply, we had a serious breakdown at work I had to drive north for a period and didn't have access to this terminal anymore. Apologies for that.

Something I have been wondering about is that we went through a period where no emails were received at all, to get around this I whitelisted the local IP address within the greylist tool (127.0.0.1). I notice some comments above about greylisting / whitelisting. Do you think I may have broken something by doing this? The intention was the whitelist anything coming from within the local server (applications trying to send out mail), but I suppose I could have done something bad.

Let me know either way. I am going to enable TCP/IP logging to see if I can see anything in the log, if I don't get anywhere with that I will try the scripts you have mentioned (looks like I have some reading and learning to do!).

Its true you have greylisting and also some WHITELISTING enabled but neith of your entries would affect these example addresses you have recently reported.

And in fact 74.63.228.254 and 74.63.250.108 do not even show as listed now.

I still firmly believe that it is either a case of any 'spam list' for the addresses you check is late/slow to list them (and you are an early receiver of their mailings).

If you really want to prove the point as whether your spanhaus set up is working, contact me via PM, I will send you an email from my home setup (which will have me listed in PBL as I am a domestic line) and you should see that email list.

Hello guys, and thank you for your comment Jimimaseye.

I was reading the logs with TCP/IP on and I see this :

My comments added with [[]] double brackets

"TCPIP" 2212 "2017-02-26 13:34:50.371" "TCP - 205.209.133.122 connected to 67.227.238.94:25 [[My IP]]."
"DEBUG" 2212 "2017-02-26 13:34:50.386" "TCP connection started for session 273297"
"SMTPD" 2212 273297 "2017-02-26 13:34:50.386" "205.209.133.122" "SENT: 220 mail.scotsconnection.com [[My Server Name]] ESMTP"
"SMTPD" 2212 273297 "2017-02-26 13:34:50.465" "205.209.133.122" "RECEIVED: EHLO duck.easiert.us"
"SMTPD" 2212 273297 "2017-02-26 13:34:50.465" "205.209.133.122" "SENT: 250-mail.scotsconnection.com[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 2216 273297 "2017-02-26 13:34:50.543" "205.209.133.122" "RECEIVED: MAIL FROM:<Booking.Orlando.Vacation@duck.easiert.us>"
"TCPIP" 2216 "2017-02-26 13:34:50.543" "DNS lookup: 122.133.209.205.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP" 2216 "2017-02-26 13:34:50.543" "DNS lookup: 122.133.209.205.bl.spamcop.net, 0 addresses found: (none), Match: False"
"DEBUG" 2216 "2017-02-26 13:34:50.543" "Spam test: SpamTestDNSBlackLists, Score: 0"
"DEBUG" 2216 "2017-02-26 13:34:50.543" "Spam test: SpamTestHeloHost, Score: 0"
"DEBUG" 2216 "2017-02-26 13:34:50.543" "Spam test: SpamTestMXRecords, Score: 0"
"DEBUG" 2216 "2017-02-26 13:34:50.543" "Spam test: SpamTestSPF, Score: 0"
"DEBUG" 2216 "2017-02-26 13:34:50.543" "Total spam score: 0"

I see from SpamHaus that the domain "easiert.us" is blocked, but the IP address that I think is being sent to spamhaus.org (122.133.209.205) is only listed in the PBL list, not the SBL or XBL. Do you think this may have any involvement in the results that I am seeing?

Why are you looking up 122.133.209.205? The IP is 205.209.133.122. You dont need to reverse the addresses when doing the lookup on spamhaus website (just enter the address as it appears).

https://www.spamhaus.org/query/ip/205.209.133.122 is listed under SBL list which would return 127.0.0.3. What do you have for your return codes to zen.spamhaus (do you have it as one of your return codes)?

I have just sent a test email to the 'sales' address you provided in PM.

The debug should show that it is received, and will hit the PBL list with spamhaus.

I'm not reversing anything, that is simply a copy & paste from the logs.

"DNS lookup: 122.133.209.205.zen.spamhaus.org, 0 addresses found: (none), Match: False"

I wonder if that is something that it does as a matter of course?

As you say, the correct source IP address has entries in the SBL and XBL, the reversed IP address has an entry in the PBL, so it is the result in the SBL and XBL (205.209.133.122) that we should be paying attention to.

Regarding your question about return codes, I don't see anything in the logs related to return codes, only what I have copied and pasted in the previous comment.

Here is another example, with a mail coming from Bahama_All_Inclusive@loading.gosorta.us

If we test the domain (loading.gosorta.us) in MXToolbox, Zen.SpamHaus shows it as listed, if we test the IP address in Zen.SpamHaus we see that the IP address (63.143.40.125) is listed in the SBL only. if you reverse the IP address (still not sure why we would do this, but hey). you see that 125.40.143.63 is listed in the PBL. The reason I reverse the IP address like that is that you see the push to zen.spamhaus.org in the log has a reversed IP address but this may just be because the service on the end of the line reverses again and you need to do this for zen.spamhaus.org to get the correct address (who knows?).

Here is the log:

"DEBUG" 2212 "2017-02-26 14:02:27.229" "Creating session 273524"
"TCPIP" 2212 "2017-02-26 14:02:27.229" "TCP - 63.143.40.125 connected to 67.227.238.94:25."
"DEBUG" 2212 "2017-02-26 14:02:27.245" "TCP connection started for session 273523"
"SMTPD" 2212 273523 "2017-02-26 14:02:27.245" "63.143.40.125" "SENT: 220 mail.scotsconnection.com ESMTP"
"SMTPD" 2212 273523 "2017-02-26 14:02:27.307" "63.143.40.125" "RECEIVED: EHLO loading.gosorta.us"
"SMTPD" 2212 273523 "2017-02-26 14:02:27.307" "63.143.40.125" "SENT: 250-mail.scotsconnection.com[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 2216 273523 "2017-02-26 14:02:27.370" "63.143.40.125" "RECEIVED: MAIL FROM:<Bahama_All_Inclusive@loading.gosorta.us>"
"TCPIP" 2216 "2017-02-26 14:02:27.370" "DNS lookup: 125.40.143.63.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP" 2216 "2017-02-26 14:02:27.370" "DNS lookup: 125.40.143.63.bl.spamcop.net, 0 addresses found: (none), Match: False"
"DEBUG" 2216 "2017-02-26 14:02:27.370" "Spam test: SpamTestDNSBlackLists, Score: 0"
"DEBUG" 2216 "2017-02-26 14:02:27.370" "Spam test: SpamTestHeloHost, Score: 0"
"DEBUG" 2216 "2017-02-26 14:02:27.370" "Spam test: SpamTestMXRecords, Score: 0"
"DEBUG" 2216 "2017-02-26 14:02:27.370" "Spam test: SpamTestSPF, Score: 0"
"DEBUG" 2216 "2017-02-26 14:02:27.370" "Total spam score: 0"

Can you review the logs for the email I sent please.

I assume this entry is the one from you? Yes, this hit the list.

"DEBUG" 2212 "2017-02-26 14:06:24.971" "Creating session 273556"
"TCPIP" 2212 "2017-02-26 14:06:24.971" "TCP - 80.42.31.164 connected to 67.227.238.94:25."
"DEBUG" 2212 "2017-02-26 14:06:24.987" "TCP connection started for session 273555"
"SMTPD" 2212 273555 "2017-02-26 14:06:24.987" "80.42.31.164" "SENT: 220 mail.scotsconnection.com ESMTP"
"SMTPD" 2220 273555 "2017-02-26 14:06:25.096" "80.42.31.164" "RECEIVED: EHLO jimimaseye.homeip.net"
"SMTPD" 2220 273555 "2017-02-26 14:06:25.096" "80.42.31.164" "SENT: 250-mail.scotsconnection.com[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 2220 273555 "2017-02-26 14:06:25.221" "80.42.31.164" "RECEIVED: MAIL FROM:<user1@jim.homeip.net>"
"TCPIP" 2220 "2017-02-26 14:06:25.221" "DNS lookup: 164.31.42.80.zen.spamhaus.org, 1 addresses found: 127.0.0.11, Match: True"
"TCPIP" 2220 "2017-02-26 14:06:25.221" "DNS lookup: 164.31.42.80.bl.spamcop.net, 0 addresses found: (none), Match: False"
"DEBUG" 2220 "2017-02-26 14:06:25.221" "Spam test: SpamTestDNSBlackLists, Score: 5"
"DEBUG" 2220 "2017-02-26 14:06:25.331" "Spam test: SpamTestHeloHost, Score: 0"
"DEBUG" 2220 "2017-02-26 14:06:25.456" "Spam test: SpamTestMXRecords, Score: 0"
"DEBUG" 2220 "2017-02-26 14:06:25.487" "Spam test: SpamTestSPF, Score: 0"
"DEBUG" 2220 "2017-02-26 14:06:25.487" "Total spam score: 5"

That entry is listed in the PBL

Yes it was mine.

So therefore your setup is working as it is configured to do so (.11 is a return code of PBL - https://www.spamhaus.org/zen/)

The conclusion is that if spamhaus is not returning a code and you think it is incorrect then the issue will be with spamhaus or dns records - all of which you cannot control.

Thank you for your help with that.

Ok, a consolation for you........

despite spamhaus showing on their ONLINE lookup facility some of these addresses as being listed, when I do a command check I still get zero results.

For example, I know the address I used (80.42.31.164) is listed and indeed your hmailserver also got this returned a such.

However, if I do a search from my machine using nslookup I get no results:
So I try an online lookup with DIG: https://toolbox.googleapps.com/apps/dig ... amhaus.org and that too also doesnt return a result.
BUT.... I then went to our work server and did the same check:
and there it is, listed: (127.0.0.11)

The difference being the DNS supplier - the work one being a caching server which ultimately is fed by work ISP's dns servers. If I use that same ISP DNS server then I do get the positive lookup.

So, summary: I dont know why but it is based on DNS and some return it correctly and some do not. Therefore I think it is out of your hands (unless someone can work out and explain why these random results happen between DNS suppliers/servers).

My DNS (NAS w/ BIND 9) find you no problem... Google ( 8.8.8.8 ) do not!

I know some RBL's block known common DNS servers as they cannot control traffic per user/site.
Lookup's are free - but only to a certain extent.
https://www.lifewire.com/free-and-publi ... rs-2626062

"OpenDNS Home" and "FreeDNS" I tried and they work

Yes, I thikn you have also demonstrated what we have observed - the difference being with the added rationale explanation. So the OP just has to find a DNS service that doent have these restrictions.

I just tried Norton and that works too: https://dns.norton.com/ (comes with 3 levels of protection of your own choice)

SorenR wrote:My DNS (NAS w/ BIND 9) find you no problem... Google ( 8.8.8.8 ) do not!

I know some RBL's block known common DNS servers as they cannot control traffic per user/site.
Lookup's are free - but only to a certain extent.

Yep
https://www.spamhaus.org/organization/dnsblusage/

That is mental! you guys are amazing for finding this out.

Thank you for this. I will have a look about and see what the options are for me to sort this out.

tiggywiggler wrote:That is mental! you guys are amazing for finding this out.

Thank you for this. I will have a look about and see what the options are for me to sort this out.

I can't speak for all but when I started out with computers, I got to do assembler programming of Intel 8080's and DARPA was still working on ARPA net - oh and my first SmartPhone was the Ericsson R380

So in reality it's all down to experience and beeing online for a very, very, long time