Fake SURBL DNSBL from local network

Posted: 2019-11-15 10:28
by Ruser
Hi,

Testing HMS for antispam. 99% of SURBL and DNSBL DNS lookups are fake.

HMS is installed on Windows 7 in the 192.168.0.255 network.
static ip=192.168.0.172, dns=8.8.8.8
SMTP Relayer on the internet: smtp.beget.com
Accounts fetch mail from an external account: pop3.beget.ru

Fake SURBL example:
"SURBL: Lookup: cb-killer.ru.multi.surbl.org"
"DEBUG" 2524 "2019-11-15 08:08:24.052" "SURBL: Match found"
"DEBUG" 2524 "2019-11-15 08:08:24.052" "Spam test: SpamTestSURBL, Score: 3"
tested by http://www.surbl.org/surbl-analysis

Fake DNSBL example:
"TCPIP" 2652 "2019-11-13 10:42:42.551" "DNS lookup: 101.249.105.180.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP" 2652 "2019-11-13 10:42:42.738" "DNS lookup: 101.249.105.180.bl.spamcop.net, 0 addresses found: (none), Match: False"
"DEBUG" 2652 "2019-11-13 10:42:42.738" "Spam test: SpamTestDNSBlackLists, Score: 0"
tested by https://www.spamhaus.org/query/ip/180.105.249.101

Test: Collect server details
hMailServer version: hMailServer 5.6.8-B2494
Database type: MySQL

Test: Test IPv6
IPv6 support is available in operating system.

Test: Test outbound port
SMTP relayer is in use.
Local address is 192.168.0.172.
Trying to connect to host smtp.beget.com...
Trying to connect to TCP/IP address 185.78.30.58 on port 25.
Received: 220 smtp.beget.com.
Connected successfully.

Test: Test backup directory
Backup directory D:\hMailServer\bcp is writable.

Test: Test MX records
Trying to resolve MX records for 9250505.ru...
Host name found: mx1.beget.com
Host name found: mx2.beget.com

Test: Test local connect
Connecting to TCP/IP address in MX records for local domain domain 9250505.ru...
Trying to connect to host mx1.beget.com...
Trying to connect to TCP/IP address 5.101.158.68 on port 25.
Received: 220 mail1.beget.ru.
Connected successfully.

Test: Test message file locations
Relative message paths are stored in the database for all messages.

Test: Test IP range configuration
No problems were found in the IP range configuration.

Re: Fake SURBL DNSBL from local network

Posted: 2019-11-15 10:44
by RvdH
Mmmm, right :!: :?:
...but what is your actual question?

cb-killer.ru is an existing domain, which actually can be listed in multi.surbl.org (and apparently is)
DNSBL lookups seem fine

Re: Fake SURBL DNSBL from local network

Posted: 2019-11-15 11:04
by Ruser
RvdH wrote:
2019-11-15 10:44
DNSBL lookups seem fine
yes, not a spammer

but HMS thinks this is a spammer:
Ruser wrote:
2019-11-15 10:28
"DEBUG" 2524 "2019-11-15 08:08:24.052" "SURBL: Match found"
feel the difference?

Re: Fake SURBL DNSBL from local network

Posted: 2019-11-15 13:11
by RvdH
multi.surbl.org lists domain cb-killer.ru as a spammer, not hmailserver
hmailserver only checks the domain against multi.surbl.org

[EDIT]
I see your point... doing the lookup with http://www.surbl.org/surbl-analysis the result is: cb-killer.ru is NOT listed

Weird...cached DNS lookup result maybe?

Re: Fake SURBL DNSBL from local network

Posted: 2019-11-15 13:41
by palinka
Try changing to open DNS instead on the server.

I've read reports that firewalls can be hacked to fake dns queries.

http://www.rawinfopages.com/tips/2016/0 ... -settings/

Re: Fake SURBL DNSBL from local network

Posted: 2019-11-15 15:01
by Ruser
RvdH wrote:
2019-11-15 13:11
cached DNS lookup result maybe?
I set Google DNS in computer settings:
Ruser wrote:
2019-11-15 10:28
static ip=192.168.0.172, dns=8.8.8.8
Where is the cache? My router "mikrotik", the ISP?
I try router off/on...

Re: Fake SURBL DNSBL from local network

Posted: 2019-11-15 15:12
by Ruser
palinka wrote:
2019-11-15 13:41
Try changing to open DNS instead on the server.
What?
I already have corporate DNS on ip=192.168.0.12

tested:
C:\Users\1>nslookup seal.com
server: dns.google
Address: 8.8.8.8

answer:
 : seal.com
Address: 174.129.25.170

Re: Fake SURBL DNSBL from local network

Posted: 2019-11-15 16:41
by palinka
Ruser wrote:
2019-11-15 15:12
palinka wrote:
2019-11-15 13:41
Try changing to open DNS instead on the server.
What?
I already have corporate DNS on ip=192.168.0.12

tested:
C:\Users\1>nslookup seal.com
server: dns.google
Address: 8.8.8.8

answer:
 : seal.com
Address: 174.129.25.170
You have corporate dns or Google dns?

If it's Google DNS (which you reported in the OP), then it's probably just a case where the examples you presented in the logs already expired. Just a coincidence that they tested positive when the messages were received and no return when you (and we) checked later.

Alternatively, your mikrotik router is compromised although I believe setting dns to Google or open dns on your server will bypass the router dns altogether.

Re: Fake SURBL DNSBL from local network

Posted: 2019-11-18 16:03
by Ruser
DNSBL SURBL check does not work, every time when I send a test email.
(IP must be spam)
(URL must not be spam)

Log:
"TCPIP" 3828 "2019-11-18 17:44:22.941" "DNS lookup: 101.249.105.180.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP" 3828 "2019-11-18 17:44:22.941" "DNS lookup: 101.249.105.180.bl.spamcop.net, 0 addresses found: (none), Match: False"
"DEBUG" 3828 "2019-11-18 17:44:22.941" "Spam test: SpamTestDNSBlackLists, Score: 0"
"DEBUG" 3828 "2019-11-18 17:44:22.941" "Total spam score: 0"
"DEBUG" 3828 "2019-11-18 17:44:22.941" "SURBL: Execute"
"DEBUG" 3828 "2019-11-18 17:44:22.941" "SURBL: Found URL: cb-killer.ru"
"DEBUG" 3828 "2019-11-18 17:44:22.941" "SURBL: 1 unique addresses found."
"DEBUG" 3828 "2019-11-18 17:44:22.941" "SURBL: Lookup: cb-killer.ru.multi.surbl.org"
"DEBUG" 3828 "2019-11-18 17:44:22.941" "SURBL: Match found"
"DEBUG" 3828 "2019-11-18 17:44:22.941" "Spam test: SpamTestSURBL, Score: 3"
"DEBUG" 3828 "2019-11-18 17:44:22.941" "Total spam score: 3"

I created a simple test.eml:

Return-Path: jiaohe9144@126.com
Return-Path: <nrsymeau@hcfh.com>
Received: from [180.105.249.101] (port=3798 helo=hcfh.com)
by mail1.beget.ru with esmtp (Exim 4.90.1-beget)
(envelope-from <nrsymeau@hcfh.com>)
id 1iUlIy-0004QL-21
for marketing@kristalnaya.ru; Wed, 18 Nov 2019 08:35:01 +0300
Received: from vps9736 ([127.0.0.1]) by localhost via TCP with ESMTPA; Wed, 13 Nov 2019 18:34:34 +0800
MIME-Version: 1.0
From: Leo <jiaohe9144@126.com>
Sender: Leo <nrsymeau@hcfh.com>
To: marketing@kristalnaya.ru
Reply-To: Leo <jiaohe9144@126.com>
Date: 18 Nov 2019 13:34:34 +0800
Subject: test2
Content-Type: text/html; charset=utf-8
Mime-Version: 1.0
Content-Transfer-Encoding: quoted-printable

<p style=3D"color: #666;font-size: 10px;"><a href=3D"http://cb-killer.ru/un=
subsribe">test2</a></p>

Re: Fake SURBL DNSBL from local network

Posted: 2019-11-18 16:06
by Ruser
palinka wrote:
2019-11-15 16:41
You have corporate dns or Google dns?
My computer is set to Google dns.

Re: Fake SURBL DNSBL from local network

Posted: 2019-11-18 17:43
by palinka
Ruser wrote:
2019-11-18 16:06
palinka wrote:
2019-11-15 16:41
You have corporate dns or Google dns?
My computer is set to Google dns.
The machine that hmailserver is on has Google or local dns? What happens when you do nslookup from that machine?

It should not be different for hmailserver than for any other program on the server. Hmailserver is only using the server's dns settings. It doesn't have its own dns.

Re: Fake SURBL DNSBL from local network

Posted: 2019-11-19 08:39
by Ruser
palinka wrote:
2019-11-18 17:43
The machine that hmailserver is on has Google or local dns? What happens when you do nslookup from that machine?

Also, I did "ipconfig /flushdns" and rebooted Windows 7 Pro

ipconfig /all
IP settings for Windows
name . . . . . . . . . : NB-75
main DNS-Suffix . . . . . . : kristal.local
WINS-proxy enabled . . . . . . . : no
Order list DNS . : kristal.local

Ethernet adapter:
DNS-Suffix . . . . . :
Name. . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
DHCP enabled. . . . . . . . . . . : yes
Auto settings. . . . . . : yes
IPv6 . . . : fe80::d4ba:227:5fea:1fbe%11(main)
IPv4. . . . . . . . . . . . : 192.168.0.172(main)
mask . . . . . . . . . . : 255.255.255.0
main gateway. . . . . . . . . : 192.168.0.197
DHCP-server. . . . . . . . . . . : 192.168.0.197
DNS-servers. . . . . . . . . . . : 8.8.8.8
77.88.8.88
main WINS-server. . . . . . . : 192.168.0.12
NetBios by TCP/IP. . . . . . . . : enabled

nslookup cb-killer.ru.multi.surbl.org
result is the same as
nslookup 101.249.105.180.zen.spamhaus.org
srv: dns.google
Address: 8.8.8.8
*** dns.google -> 101.249.105.180.zen.spamhaus.org: Non-existent domain

https://mxtoolbox.com/SuperTool.aspx?action=a%3a101.249.105.180.zen.spamhaus.org&run=toolpage
DNS No Valid NameServers Responded

Re: Fake SURBL DNSBL from local network

Posted: 2019-11-19 08:51
by Ruser
Ruser wrote:
2019-11-18 16:03
I created a simple test.eml
Who knows where to put this file for SMTP testing?
(Now I use another local mail server box.)

Re: Fake SURBL DNSBL from local network

Posted: 2019-11-19 09:46
by RvdH
Could it be because of 'SURBL detection properly fails to detect url's ending with a query string issue #108' in < 5.7.0 builds?

Perhaps you could try my custom build, that should fix above issue
5.6.8-B2494.22.7z

Re: Fake SURBL DNSBL from local network

Posted: 2019-11-19 10:42
by Ruser
RvdH wrote:
2019-11-19 09:46
Could it be because of 'SURBL detection properly fails to detect url's ending with a query string
No "DNS query failed" in logs.

Today SURBL did its job properly for 1 test email:
"DEBUG" 2216 "2019-11-19 12:11:11.840" "SURBL: Lookup: cb-killer.ru.multi.surbl.org"
"DEBUG" 2216 "2019-11-19 12:11:11.902" "SURBL: Match not found"
"DEBUG" 2216 "2019-11-19 12:11:11.902" "Spam test: SpamTestSURBL, Score: 0"

But DNSBL did not do its job properly:
"TCPIP" 2216 "2019-11-19 12:11:11.684" "DNS lookup: 101.249.105.180.zen.spamhaus.org, 0 addresses found: (none), Match: False"

Continuing testing...
I will try:
RvdH wrote:
2019-11-19 09:46
Perhaps you could try my custom build, that should fix above issue
I will try:
hMailServer-5.7.0-B2497-x64.exe

Re: Fake SURBL DNSBL from local network

Posted: 2019-11-19 14:55
by RvdH
Ruser wrote:
2019-11-15 15:01
RvdH wrote:
2019-11-15 13:11
cached DNS lookup result maybe?
i set google DNS in computer settings:
Ruser wrote:
2019-11-15 10:28
static ip=192.168.0.172, dns=8.8.8.8
where cache? my router "mikrotik", ISP?
i try router off/on...

ipconfig /flushdns

Re: Fake SURBL DNSBL from local network

Posted: 2019-11-20 16:39
by Ruser
RvdH wrote:
2019-11-19 14:55
ipconfig /flushdns
yes, I did
Ruser wrote:
2019-11-19 08:39
Also, I did "ipconfig /flushdns" and rebooted
Tested: Spamhaus did not work because... they want money.
Some other DNSBL services block many requests from google DNS servers.
Now I use the ISP DNS server to check DNSBL.
(nslookup -q=A 108.135.121.190.bl.spamcop.net 91.240.45.249)
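As an added illustration (not code from this thread or from hMailServer), the Python below builds the DNSBL and SURBL query names that appear in the logs above and classifies the answer a resolver returns. It treats an empty answer (the "0 addresses found" case in the logs) as indistinguishable from a refused query, counts only 127.0.0.0/8 answers as listings, and decodes the 127.255.255.25x error codes Spamhaus documents for queries sent through public resolvers or in excessive volume; the sample answers are constructed and nothing is queried on the network.

```python
import ipaddress
from urllib.parse import urlsplit

# Error codes Spamhaus documents in place of a listing (not a spam verdict).
SPAMHAUS_ERROR_CODES = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query came via a public/open resolver (e.g. 8.8.8.8); not a listing",
    "127.255.255.255": "excessive query volume from this resolver; not a listing",
}

LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone, e.g. 180.105.249.101 ->
    101.249.105.180.zen.spamhaus.org (the name seen in the thread's logs)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def surbl_query_name(url: str, zone: str = "multi.surbl.org") -> str:
    """Take the host out of a URL and append the SURBL zone.
    Simplification: no public-suffix trimming, the host is used as-is."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host: " + url)
    return host.lower() + "." + zone


def interpret(answers):
    """Classify an answer set: a list of A-record strings, or None/[] for NXDOMAIN.
    Returns (verdict, detail). Only 127.0.0.0/8 answers are listings; error
    codes and public-IP answers (dead zone, wildcard) must not add spam score."""
    if not answers:
        return "not_listed_or_query_failed", "empty answer is indistinguishable from a refused query"
    for a in answers:
        if a in SPAMHAUS_ERROR_CODES:
            return "error", SPAMHAUS_ERROR_CODES[a]
    codes = [a for a in answers if ipaddress.IPv4Address(a) in LISTING_RANGE]
    if not codes:
        return "invalid", "answer outside 127.0.0.0/8: " + ",".join(answers)
    return "listed", ",".join(codes)


if __name__ == "__main__":
    # Constructed sample answers mirroring the cases discussed in the thread.
    print(dnsbl_query_name("180.105.249.101", "zen.spamhaus.org"), interpret(None))
    print(surbl_query_name("http://cb-killer.ru/unsubsribe"), interpret(["127.0.0.2"]))
    print(interpret(["127.255.255.254"]), interpret(["174.129.25.170"]))
```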