zen.spamhaus error

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

zen.spamhaus error

Post by sheffters » 2010-01-13 14:28

Hi,

zen.spamhaus is down and hmail is marking all messages sent as SPAM due to this (on my install anyway) ...

when I check using other services it comes back as timeout, but hmail is considering a timeout as SPAM answer ... don't know why, it's on default settings - 127.0.0.* as response codes ...

just a quick note as all my mail this morning has been deleted due to this!

Not sure why hmail is considering a timeout as spam - if that's what it's doing, but appears to be.

S.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: zen.spamhaus error

Post by ^DooM^ » 2010-01-14 03:13

Weird, I didn't get any errors at all yesterday or today on zen and mail was still being marked from zen.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: zen.spamhaus error

Post by sheffters » 2010-01-14 10:52

http://www.mxtoolbox.com/SuperTool.aspx ... shaw.co.uk

weird ... mine's still borked ... and can't get to it from mxtoolbox either ... hms still marking everything as spam as soon as I turn it on as well ... meh
S.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: zen.spamhaus error

Post by ^DooM^ » 2010-01-14 13:15

According to http://www.dnsbl.info/dnsbl-database-check.php it's working fine, same for http://www.blacklistalert.org/

can you get to the website? Check your HOSTS file, make sure you haven't been rooted.

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: zen.spamhaus error

Post by sheffters » 2010-01-14 13:23

hmm ... hosts looks fine, can get to the spamhaus website too ... weird ...

... have re-enabled it and upped the spamdelete threshold to 8 so it won't delete purely based on a spamhaus reject

S.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: zen.spamhaus error

Post by ^DooM^ » 2010-01-14 13:26

Could be a routing issue from your server to them. My servers are in *.NL, I assume yours is in the UK. Perhaps that's why I can get there ok and you can't?

Tezcatlipoca
Senior user
Posts: 309
Joined: 2009-07-21 12:33

Re: zen.spamhaus error

Post by Tezcatlipoca » 2010-01-14 13:50

My servers are in the UK and spamhaus.org connection and lookup tests are all fine.

You are searching spamhaus.org and not sapmhouse.org, I assume? The latter will always return a positive lookup, and, by extension, false-positives in hMail.

The only other suggestion I have is that you change the way spam is handled. On ^DooM^'s recommendation, my hMail has a delete threshold set to 100, as I don't actually want hMail to wipe anything; I simply want it to mark the spam as such, then let the connecting clients decide what to do with it.

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: zen.spamhaus error

Post by sheffters » 2010-01-14 14:04

something's changed since yesterday ... and can't be my end as not been on the server ... but every mail gets binned ...

X-hMailServer-Spam: YES
X-hMailServer-Reason-1: Rejected by Spamhaus. - (Score: 4)
X-hMailServer-Reason-Score: 4

settings as per screenshot, but they haven't changed in months ... can get to http://www.spamhaus.org/ but not http://zen.spamhaus.org/ ... is the zen one supposed to be accessible via a browser? (no idea how they communicate to get the return code).

All other lists work fine ... and assuming they all use the same ports etc ... then shouldn't be a firewall problem.

Is there a command line string anyone knows that you can use to mimic the response hmail will be getting?

Cheers

S.
Last edited by sheffters on 2010-01-14 14:05, edited 1 time in total.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: zen.spamhaus error

Post by ^DooM^ » 2010-01-14 14:05

I get server not found for http://zen.spamhaus.org/

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: zen.spamhaus error

Post by ^DooM^ » 2010-01-14 14:14

sheffters wrote: Is there a command line string anyone knows that you can use to mimic the response hmail will be getting?
Use a php or perl equivalent of gethostbyname("1.0.0.127.zen.spamhaus.org");

Change ip to whatever and make sure it's reversed.

Tezcatlipoca
Senior user
Posts: 309
Joined: 2009-07-21 12:33

Re: zen.spamhaus error

Post by Tezcatlipoca » 2010-01-14 14:19

Curious. I also get no connection to zen.spamhaus.org, either in a browser, as a ping, or as an nslookup.

I can point my browser at http://www.spamhaus.org, and can ping and nslookup it (with the DNS records resolving to 192.150.94.202 and 213.171.194.34 for me), I just get zero connection to the zen. subdomain.
Last edited by Tezcatlipoca on 2010-01-14 15:56, edited 1 time in total.

mattg
Moderator
Posts: 21103
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: zen.spamhaus error

Post by mattg » 2010-01-14 15:31

^DooM^ wrote:... make sure you haven't been rooted.
The Aussie in me just loves this statement.

:lol: :lol: :lol: :lol: :lol:
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: zen.spamhaus error

Post by sheffters » 2010-01-14 15:37

lol @ matt

Tezcatlipoca @ least it's not just me getting failed connections ... looks like something other than a specific server issue then (hosts file hasn't changed etc on either of mine)

If they're failing ... not sure HMS is marking a no response as SPAM though ... doesn't seem right it should do so ... I'd expect a no score on a failed lookup (i.e. no response).

Still not managed to solve this one ... both my mail servers are marking as a fail ... :(

S.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: zen.spamhaus error

Post by ^DooM^ » 2010-01-14 17:24

Perhaps you should install wireshark and watch what's going and returning from zen.

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: zen.spamhaus error

Post by sheffters » 2010-01-14 18:51

Elo,

Done a wireshark ...

from what I can tell ... (based on my limited knowledge!) ...

HMS does a DNS query on spamhaus ... so if you can get external DNSs resolved it should work.

I did a test email from virginmedia / blueyonder ... it did

149 15.861312 213.171.198.64 213.171.193.245 DNS Standard query A 195.216.85.209.bl.spamcop.net

150 15.916756 213.171.193.245 213.171.198.64 DNS Standard query response, No such name

which I think is right?? ... and HMS didn't flag it as SPAM (typical) ... !

So it looks to have been an intermittent problem ... ?

Will keep an eye on it ... although these wireshark logs seem to get huge pretty quick!

Cheers

S.

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: zen.spamhaus error

Post by sheffters » 2010-01-14 19:00

ah ...

... I think the Spamhaus database is being a bit OTT by the looks of things ...

... just had a mail from Halfords (that wasn't spam) ... but spamhaus said it was (gave it 127.0.0.255 response).

I think it's just the spamhaus database being over energetic with its spam ... fingers crossed it will return to normal ...

... surprised no one else has noticed a load more spam being tagged from them though

Cheers

S.

p.s. @doom ... thanks for the Wireshark suggestion ... had forgotten about that program!

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: zen.spamhaus error

Post by martin » 2010-01-18 21:43

sheffters,
I got some feedback from Spamhaus on your problem. Maybe they browse the forum; at least someone contacted me and claimed to be from "The Spamhaus Project"

I rewrote their text a bit (they used some word I don't understand but I'm assuming isn't entirely nice).
The problem is actually caused by the DNS servers of an African network he is using: (ns.iafrica.com) which are not querying Spamhaus at all. Iafrica.com are intercepting all queries for Spamhaus DNSBLs and returning "Listed" for everything, resulting in a lot of blocked email in Africa these last 3 days. Spamhaus has nothing to do with it.
I'm not sure this makes any sense though. As I understood it, you were from UK so I'm not sure why you would use an African DNS server. However, what they say may apply to other DNS servers as well. If I remember it correctly, OpenDNS for instance does this.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: zen.spamhaus error

Post by ^DooM^ » 2010-01-18 22:14

Correct he is from UK and as far as I am aware using UK DNS servers.

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: zen.spamhaus error

Post by sheffters » 2010-01-18 23:34

Hi,

Thanks for that Martin.

I'm from the UK - both mail servers are with Fasthosts, using their DNS servers, so don't think / assume there won't be an African connection (don't see any reason for there to be).

It's started to clear up over the last couple of days, but some stuff is still marked SPAM when it obviously shouldn't be.
Spamhaus has nothing to do with it.
I don't believe that, if it was a network issue that someone has blocked then it wouldn't be clearing up partially, it would either be still returning SPAM or working properly, at the moment it's in some sort of hybrid state, which is weird.

Anyway, thanks for the update Martin; although I'm not sure they're totally correct in their explanation of why their service was returning everything as SPAM.

Cheers

S.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: zen.spamhaus error

Post by ^DooM^ » 2010-01-19 03:22

Could be Sheff's DNS servers were poisoned. I'm fairly sure this is not a zen specific issue else everyone would see this unless zen are using some kind of cache servers and a few of their cache servers became compromised. I guess we will never know.

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: zen.spamhaus error

Post by sheffters » 2010-01-19 10:49

Someone else had the problem in a different thread from memory ... weird ... would have thought there would be something in the logs if anyone had been on the server that shouldn't be.

Don't really think my servers would be worth anyone's time messing with the DNS only on for one domain to be able to send a bit more spam ... nice if they were, but there's not enough users, more likely they'd take the servers over than just mess with one domain.
I guess we will never know.
most likely!

S.

Tezcatlipoca
Senior user
Posts: 309
Joined: 2009-07-21 12:33

Re: zen.spamhaus error

Post by Tezcatlipoca » 2010-01-19 13:21

My servers are also in the UK. I did another test this morning, and nslookup against zen.spamhaus.org now resolves to 64.20.60.106 and 64.20.60.99. Still no domain lookup (not that surprising) or ping against the domain name, though.

Spamhaus Ops
New user
Posts: 5
Joined: 2010-01-20 11:41

Re: zen.spamhaus error

Post by Spamhaus Ops » 2010-01-20 11:59

sheffters wrote: ah ...

... I think the Spamhaus database is being a bit OTT by the looks of things ...

... just had a mail from Halfords (that wasn't spam) ... but spamhaus said it was (gave it 127.0.0.255 response).
The response you got was NOT from Spamhaus, we do not have any "127.0.0.255" response code. Our codes end at 127.0.0.11.

But we know of a rogue DNS server that *is* returning that exact code to anyone who queries any spamhaus.org DNSBL. The DNS server in question is hijacking queries to spamhaus.org and answering them itself saying everything is blocked. So the solution is: Look at the DNS servers your mail server is using for DNS resolution and change them (especially if one of them is 206.251.73.9)

Spamhaus Ops
New user
Posts: 5
Joined: 2010-01-20 11:41

Re: zen.spamhaus error

Post by Spamhaus Ops » 2010-01-20 12:06

Tezcatlipoca wrote:My servers are also in the UK. I did another test this morning, and nslookup against zen.spamhaus.org now resolves to 64.20.60.106 and 64.20.60.99.
An nslookup of zen.spamhaus.org should not resolve to anything at all, since zen.spamhaus.org is *not* a host (it's a NS zone). Trying to ping or lookup the A record of "zen.spamhaus.org" is the same as trying to ping or lookup the A record of ".com"

The 64.20.60.* IPs are probably the DNS provider you use, redirecting you to a Casino website when you query for anything that is "not found". Try loading http://64.20.60.106 in your browser and see.

Spamhaus Ops
New user
Posts: 5
Joined: 2010-01-20 11:41

Re: zen.spamhaus error

Post by Spamhaus Ops » 2010-01-20 12:18

martin wrote:sheffters,
I got some feedback from Spamhaus on your problem. Maybe they browse the forum; at least someone contacted me and claimed to be from "The Spamhaus Project"

I rewrote their text a bit (they used some word I don't understand but I'm assuming isn't entirely nice).
The problem is actually caused by the DNS servers of an African network he is using: (ns.iafrica.com) which are not querying Spamhaus at all. Iafrica.com are intercepting all queries for Spamhaus DNSBLs and returning "Listed" for everything, resulting in a lot of blocked email in Africa these last 3 days. Spamhaus has nothing to do with it.
I'm not sure this makes any sense though. As I understood it, you were from UK so I'm not sure why you would use an African DNS server. However, what they say may apply to other DNS servers as well. If I remember it correctly, OpenDNS for instance does this.
We have an update on this: We contacted the African network and had them stop their hijacking of our queries. Then we found another public DNS server hijacking our queries, this time in Europe. The OP needs to look at the DNS servers his mail server is using for DNS resolution and needs to change them immediately. One of the public DNS servers he is using is hijacking queries to spamhaus.org DNSBLs and returning "Everything listed". If the OP can tell us which DNS servers his mail server was using it will help us know if it was the same rogue server we know about.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: zen.spamhaus error

Post by ^DooM^ » 2010-01-20 13:53

So how was it possible for these rogue DNS servers to place themselves in front of Zen? I know about Metasploit and DNS poisoning attacks but these are pretty rare at the moment. However, if Afrinic are aiding these people by deliberately redirecting DNS calls then no domain is safe even if you use SSL and that has massive security implications.

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: zen.spamhaus error

Post by sheffters » 2010-01-20 14:10

Then we found another public DNS server hijacking our queries, this time in Europe. The OP needs to look at the DNS servers his mail server is using for DNS resolution and needs to change them immediately. One of the public DNS servers he is using is hijacking queries to spamhaus.org DNSBLs and returning "Everything listed". If the OP can tell us which DNS servers his mail server was using it will help us know if it was the same rogue server we know about.
Can you let us know which Europe DNS server is doing this?

ta

S.

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: zen.spamhaus error

Post by sheffters » 2010-01-20 17:16

If the OP can tell us which DNS servers his mail server was using it
213.171.192.249
213.171.193.245

both at Fasthosts

S.

Tezcatlipoca
Senior user
Posts: 309
Joined: 2009-07-21 12:33

Re: zen.spamhaus error

Post by Tezcatlipoca » 2010-01-20 17:38

If it helps, I also run a network based in the UK, with UK servers, and get the same zen.spamhaus.org issues as sheffters (although my mails don't get wiped as I run a policy of keeping my hMail delete threshold very high and letting the connecting clients decide what to do with messages marked as spam. Spamhaus is currently turned off due to the high number of false-positives).

All machines, including the hMail server, in my network take their DNS from a master server, which pulls it direct from our ISP, and is set to 212.135.1.36 and 195.40.1.36 (both Easynet).

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: zen.spamhaus error

Post by martin » 2010-01-20 18:40

I believe this is partly an issue with hMailServer. In your setup, you probably have 127.0.0.* set up. Now, only roughly 127.0.0.1->127.0.0.11 are valid return codes. I'm not sure if it's always been like that, but it is now. So if Spamhaus returns 127.0.0.255 for some reason, hMailServer will assume it's spam.

The problem is that there's no easy way to specify 127.0.0.1->8, 10-11 in hMailServer. I'm in the middle of creating a new 5.3.2-version where it's possible to do this (127.0.0.1-8|127.0.1.10-11).

Maybe Spamhaus server sometimes returns 127.0.0.255 when it's under high load or something similar to that. :-\
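
An added example, not part of any post in this thread and not hMailServer's code: the DNSBL lookup discussed above, written in Python. It builds the reversed-octet query name, counts only the 127.0.0.1-8 and 10-11 answers quoted in the thread as a listing, and probes the RFC 5782 test points to spot a resolver that answers DNSBL queries itself. The function names and the two constructed resolvers are assumptions made for the example.

```python
import ipaddress
import socket

# Codes that mean "listed", per the range given in this thread (127.0.0.1-8, 10-11).
LISTED_CODES = {ipaddress.IPv4Address(f"127.0.0.{n}") for n in (*range(1, 9), 10, 11)}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the IPv4 octets and append the DNSBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """A records via the OS resolver: [] for no such name, None for any other failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        return [] if exc.errno == socket.EAI_NONAME else None
    except OSError:
        return None


def classify(answers):
    """Turn resolver output into 'error', 'not_listed', 'listed' or 'invalid'."""
    if answers is None:
        return "error"        # timeout or server failure: no evidence either way
    if not answers:
        return "not_listed"   # no such name
    codes = {ipaddress.IPv4Address(a) for a in answers}
    # Anything outside the documented range (127.0.0.255, a public IP) is not a listing.
    return "listed" if codes <= LISTED_CODES else "invalid"


def resolver_problems(resolve, zone="zen.spamhaus.org"):
    """Probe fixed test points to spot a resolver that answers for the DNSBL itself."""
    problems = []
    # RFC 5782: 127.0.0.1 must never be listed, 127.0.0.2 must always be listed.
    if classify(resolve(dnsbl_query_name("127.0.0.1", zone))) != "not_listed":
        problems.append("127.0.0.1 is not reported as unlisted")
    if classify(resolve(dnsbl_query_name("127.0.0.2", zone))) != "listed":
        problems.append("127.0.0.2 is not listed with a valid code")
    # Per the Spamhaus reply in this thread, the zone name itself has no A record.
    if resolve(zone):
        problems.append("zone name resolves to an address")
    return problems


# Constructed resolvers for an offline demonstration (not captured data).
def honest_resolver(name):
    return ["127.0.0.2", "127.0.0.4"] if name.startswith("2.0.0.127.") else []


def hijacking_resolver(name):
    return ["127.0.0.255"]    # "everything listed", the code reported in this thread


if __name__ == "__main__":
    for resolve in (honest_resolver, hijacking_resolver):
        print(resolve.__name__, resolver_problems(resolve))
```

Passing `system_resolver` to `resolver_problems` runs the same probes against the resolver the mail host actually uses.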

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: zen.spamhaus error

Post by ^DooM^ » 2010-01-20 19:06

If you're making changes in that area anyway, can I get access key added as well, pretty please?

http://www.hmailserver.com/forum/viewto ... =2&t=16960

:D :D :D

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: zen.spamhaus error

Post by sheffters » 2010-01-20 19:08

In your setup, you probably have 127.0.0.* set up.
yep!
The problem is that there's no easy way to specify 127.0.0.1->8, 10-11 in hMailServer. I'm in the middle of creating a new 5.3.2-version where it's possible to do this (127.0.0.1-8|127.0.1.10-11).
Thanks Martin, top stuff :)

Cheers

S.

Tezcatlipoca
Senior user
Posts: 309
Joined: 2009-07-21 12:33

Re: zen.spamhaus error

Post by Tezcatlipoca » 2010-01-20 19:28

Yes, I can also confirm I have it set to 127.0.0.*

Oh, and...
^DooM^ wrote: If you're making changes in that area anyway, can I get access key added as well, pretty please?

http://www.hmailserver.com/forum/viewto ... =2&t=16960

:D :D :D
If you're doing a new version, martin, could I put in a request to have it play the Imperial March whenever I log in as the administrator, please? :D
Last edited by Tezcatlipoca on 2010-01-21 11:33, edited 1 time in total.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: zen.spamhaus error

Post by ^DooM^ » 2010-01-20 19:37

Tezcatlipoca wrote: If you're doing a new version, martin, could I put in a request to have it play the Imperial March whenever I log in as the administrator, please? :D
He's not making changes to the login function :P