zen.spamhaus error
Hi,
zen.spamhaus is down and hmail is marking all messages sent as SPAM due to this (on my install anyway) ...
when I check using other services it comes back as timeout, but hmail is considering a timeout as SPAM answer ... don't know why, it's on default settings - 127.0.0.* as response codes ...
just a quick note as all my mail this morning has been deleted due to this!
Not sure why hmail is considering a timeout as spam - if that's what it's doing, but appears to be.
S.
Re: zen.spamhaus error
Weird, I didn't get any errors at all yesterday or today on zen and mail was still being marked from zen.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
Re: zen.spamhaus error
http://www.mxtoolbox.com/SuperTool.aspx ... shaw.co.uk
weird ... mine's still borked ... and can't get to it from mxtoolbox either ... hms still marking everything as spam as soon as I turn it on as well ... meh
S.
Re: zen.spamhaus error
According to http://www.dnsbl.info/dnsbl-database-check.php it's working fine same for http://www.blacklistalert.org/
can you get to the website? Check your HOSTS file, make sure you haven't been rooted.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
Re: zen.spamhaus error
hmm ... hosts looks fine, can get to the spamhaus website too ... weird ...
... have re-enabled it and upped the spamdelete threshold to 8 so it won't delete purely based on a spamhaus reject
S.
Re: zen.spamhaus error
Could be a routing issue from your server to them. My servers are in *.NL, I assume yours is in the UK. Perhaps that's why I can get there ok and you can't?
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
Re: zen.spamhaus error
My servers are in the UK and spamhaus.org connection and lookup tests are all fine.
You are searching spamhaus.org and not sapmhouse.org, I assume? The latter will always return a positive lookup, and, by extension, false-positives in hMail.
The only other suggestion I have is that you change the way spam is handled. On ^DooM^'s recommendation, my hMail has a delete threshold set to 100, as I don't actually want hMail to wipe anything; I simply want it to mark the spam as such, then let the connecting clients decide what to do with it.
Re: zen.spamhaus error
something's changed since yesterday ... and can't be my end as not been on the server ... but every mail gets binned ...
X-hMailServer-Spam: YES
X-hMailServer-Reason-1: Rejected by Spamhaus. - (Score: 4)
X-hMailServer-Reason-Score: 4
settings as per screenshot, but they haven't changed in months ... can get to http://www.spamhaus.org/ but not http://zen.spamhaus.org/ ... is the zen one supposed to be accessible via a browser? (no idea how they communicate to get the return code).
All other lists work fine ... and assuming they all use the same ports etc ... then shouldn't be a firewall problem.
Is there a command line string anyone knows that you can use to mimic the response hmail will be getting?
Cheers
S.
Last edited by sheffters on 2010-01-14 14:05, edited 1 time in total.
Re: zen.spamhaus error
I get server not found for http://zen.spamhaus.org/
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
Re: zen.spamhaus error
sheffters wrote:
> Is there a command line string anyone knows that you can use to mimic the response hmail will be getting?
Use a php or perl equivalent of gethostbyname("1.0.0.127.zen.spamhaus.org");
Change ip to whatever and make sure it's reversed.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
Re: zen.spamhaus error
Curious. I also get no connection to zen.spamhaus.org, either in a browser, as a ping, or as an nslookup.
I can point my browser at http://www.spamhaus.org, and can ping and nslookup it (with the DNS records resolving to 192.150.94.202 and 213.171.194.34 for me), I just get zero connection to the zen. subdomain.
Last edited by Tezcatlipoca on 2010-01-14 15:56, edited 1 time in total.
Re: zen.spamhaus error
^DooM^ wrote:
> ... make sure you haven't been rooted.
The Aussie in me just loves this statement.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: zen.spamhaus error
lol @ matt
Tezcatlipoca @ least it's not just me getting failed connections ... looks like something other than a specific server issue then (hosts file hasn't changed etc on either of mine)
If they're failing ... not sure HMS is marking a no response as SPAM though ... doesn't seem right it should do so ... I'd expect a no score on a failed lookup (i.e. no response).
Still not managed to solve this one ... both my mail servers are marking as a fail ...
S.
Re: zen.spamhaus error
Perhaps you should install wireshark and watch what's going and returning from zen.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
Re: zen.spamhaus error
Elo,
Done a wireshark ...
from what I can tell ... (based on my limited knowledge!) ...
HMS does a DNS query on spamhaus ... so if you can get external DNSs resolved it should work.
I did a test email from virginmedia / blueyonder ... it did
149 15.861312 213.171.198.64 213.171.193.245 DNS Standard query A 195.216.85.209.bl.spamcop.net
150 15.916756 213.171.193.245 213.171.198.64 DNS Standard query response, No such name
which I think is right?? ... and HMS didn't flag it as SPAM (typical) ... !
So it looks to have been an intermittent problem ... ?
Will keep an eye on it ... although these wireshark logs seem to get huge pretty quick!
Cheers
S.
Re: zen.spamhaus error
ah ...
... I think the Spamhaus database is being a bit OTT by the looks of things ...
... just had a mail from Halfords (that wasn't spam) ... but spamhaus said it was (gave it 127.0.0.255 response).
I think it's just the spamhaus database being over energetic with its spam ... fingers crossed it will return to normal ...
... surprised no one else has noticed a load more spam being tagged from them though
Cheers
S.
p.s. @doom ... thanks for the Wireshark suggestion ... had forgotten about that program!
Re: zen.spamhaus error
sheffters,
I got some feedback from Spamhaus on your problem. Maybe they browse the forum; at least someone contacted me and claimed to be from "The Spamhaus Project"
I rewrote their text a bit (they used some word I don't understand but I'm assuming isn't entirely nice).
Quote:
> The problem is actually caused by the DNS servers of an African network he is using: (ns.iafrica.com) which are not querying Spamhaus at all. Iafrica.com are intercepting all queries for Spamhaus DNSBLs and returning "Listed" for everything, resulting in a lot of blocked email in Africa these last 3 days. Spamhaus has nothing to do with it.
I'm not sure this makes any sense though. As I understood it, you were from UK so I'm not sure why you would use an African DNS server. However, what they say may apply to other DNS servers as well. If I remember it correctly, OpenDNS for instance does this.
Re: zen.spamhaus error
Correct, he is from UK and as far as I am aware using UK DNS servers.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
Re: zen.spamhaus error
Hi,
Thanks for that Martin.
I'm from the UK - both mail servers are with Fasthosts, using their DNS servers, so don't think / assume there won't be an African connection (don't see any reason for there to be).
It's started to clear up over the last couple of days, but some stuff is still marked SPAM when it obviously shouldn't be.
Quote:
> Spamhaus has nothing to do with it.
I don't believe that, if it was a network issue that someone has blocked then it wouldn't be clearing up partially, it would either be still returning SPAM or working properly, at the moment it's in some sort of hybrid state, which is weird.
Anyway, thanks for the update Martin; although I'm not sure they're totally correct in their explanation of why their service was returning everything as SPAM.
Cheers
S.
Re: zen.spamhaus error
Could be Sheff's DNS servers were poisoned. I'm fairly sure this is not a zen specific issue else everyone would see this unless zen are using some kind of cache servers and a few of their cache servers became compromised. I guess we will never know.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
Re: zen.spamhaus error
Someone else had the problem in a different thread from memory ... weird ... would have thought there would be something in the logs if anyone had been on the server that shouldn't be.
Don't really think my servers would be worth anyone's time messing with the DNS only on for one domain to be able to send a bit more spam ... nice if they were, but there's not enough users, more likely they'd take the servers over than just mess with one domain.
Quote:
> I guess we will never know.
most likely!
S.
Re: zen.spamhaus error
My servers are also in the UK. I did another test this morning, and nslookup against zen.spamhaus.org now resolves to 64.20.60.106 and 64.20.60.99. Still no domain lookup (not that surprising) or ping against the domain name, though.
Re: zen.spamhaus error
sheffters wrote:
> ah ...
> ... I think the Spamhaus database is being a bit OTT by the looks of things ...
> ... just had a mail from Halfords (that wasn't spam) ... but spamhaus said it was (gave it 127.0.0.255 response).
The response you got was NOT from Spamhaus, we do not have any "127.0.0.255" response code. Our codes end at 127.0.0.11.
But we know of a rogue DNS server that *is* returning that exact code to anyone who queries any spamhaus.org DNSBL. The DNS server in question is hijacking queries to spamhaus.org and answering them itself saying everything is blocked. So the solution is: Look at the DNS servers your mail server is using for DNS resolution and change them (especially if one of them is 206.251.73.9)
Re: zen.spamhaus error
Tezcatlipoca wrote:
> My servers are also in the UK. I did another test this morning, and nslookup against zen.spamhaus.org now resolves to 64.20.60.106 and 64.20.60.99.
An nslookup of zen.spamhaus.org should not resolve to anything at all, since zen.spamhaus.org is *not* a host (it's a NS zone). Trying to ping or lookup the A record of "zen.spamhaus.org" is the same as trying to ping or lookup the A record of ".com"
The 64.20.60.* IPs are probably the DNS provider you use, redirecting you to a Casino website when you query for anything that is "not found". Try loading http://64.20.60.106 in your browser and see.
Re: zen.spamhaus error
martin wrote:
> sheffters,
> I got some feedback from Spamhaus on your problem. Maybe they browse the forum; at least someone contacted me and claimed to be from "The Spamhaus Project"
> I rewrote their text a bit (they used some word I don't understand but I'm assuming isn't entirely nice).
> > The problem is actually caused by the DNS servers of an African network he is using: (ns.iafrica.com) which are not querying Spamhaus at all. Iafrica.com are intercepting all queries for Spamhaus DNSBLs and returning "Listed" for everything, resulting in a lot of blocked email in Africa these last 3 days. Spamhaus has nothing to do with it.
> I'm not sure this makes any sense though. As I understood it, you were from UK so I'm not sure why you would use an African DNS server. However, what they say may apply to other DNS servers as well. If I remember it correctly, OpenDNS for instance does this.
We have an update on this: We contacted the African network and had them stop their hijacking of our queries. Then we found another public DNS server hijacking our queries, this time in Europe. The OP needs to look at the DNS servers his mail server is using for DNS resolution and needs to change them immediately. One of the public DNS servers he is using is hijacking queries to spamhaus.org DNSBLs and returning "Everything listed". If the OP can tell us which DNS servers his mail server was using it will help us know if it was the same rogue server we know about.
Re: zen.spamhaus error
So how was it possible for these rogue DNS servers to place themselves in front of Zen? I know about Metasploit and DNS poisoning attacks but these are pretty rare at the moment. However, if Afrinic are aiding these people by deliberately redirecting DNS calls then no domain is safe even if you use SSL and that has massive security implications.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
Re: zen.spamhaus error
Quote:
> Then we found another public DNS server hijacking our queries, this time in Europe. The OP needs to look at the DNS servers his mail server is using for DNS resolution and needs to change them immediately. One of the public DNS servers he is using is hijacking queries to spamhaus.org DNSBLs and returning "Everything listed". If the OP can tell us which DNS servers his mail server was using it will help us know if it was the same rogue server we know about.
Can you let us know which Europe DNS server is doing this?
ta
S.
Re: zen.spamhaus error
Quote:
> If the OP can tell us which DNS servers his mail server was using it
213.171.192.249
213.171.193.245
both at Fasthosts
S.
Re: zen.spamhaus error
If it helps, I also run a network based in the UK, with UK servers, and get the same zen.spamhaus.org issues as sheffters (although my mails don't get wiped as I run a policy of keeping my hMail delete threshold very high and letting the connecting clients decide what to do with messages marked as spam. Spamhaus is currently turned off due to the high number of false-positives).
All machines, including the hMail server, in my network take their DNS from a master server, which pulls it direct from our ISP, and is set to 212.135.1.36 and 195.40.1.36 (both Easynet).
Re: zen.spamhaus error
I believe this is partly an issue with hMailServer. In your setup, you probably have 127.0.0.* set up. Now, only roughly 127.0.0.1->127.0.0.11 are valid return codes. I'm not sure if it's always been like that, but it is now. So if Spamhaus returns 127.0.0.255 for some reason, hMailServer will assume it's spam.
The problem is that there's no easy way to specify 127.0.0.1->8, 10-11 in hMailServer. I'm in the middle of creating a new 5.3.2-version where it's possible to do this (127.0.0.1-8|127.0.1.10-11).
Maybe Spamhaus server sometimes returns 127.0.0.255 when it's under high load or something similar to that. :-\
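Added example, not part of the thread and not hMailServer's code: a Python version of the DNSBL lookup that treats a timeout as "no result" and refuses any answer outside an explicit code list, which is what separates the 127.0.0.255 answer and an NXDOMAIN-redirect address from a real listing. The function names are hypothetical, the accepted ranges follow the "127.0.0.1->8, 10-11" values in martin's post, and the two fake resolvers and the 192.0.2.1 address are constructed.

```python
import ipaddress
import socket


def dnsbl_name(ip, zone):
    """Query name for an IPv4 address: octets reversed, then the DNSBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def parse_codes(spec):
    """Expand a spec such as '127.0.0.1-8|127.0.0.10-11' into a set of addresses."""
    accepted = set()
    for part in spec.split("|"):
        prefix, _, last = part.strip().rpartition(".")
        lo, _, hi = last.partition("-")
        for n in range(int(lo), int(hi or lo) + 1):
            accepted.add(str(ipaddress.IPv4Address(f"{prefix}.{n}")))
    return accepted


def system_resolve(name):
    """A records from the system resolver; [] for NXDOMAIN; raises otherwise."""
    no_name = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno in no_name:
            return []
        raise  # timeout, SERVFAIL, ...: the caller must not score this


def classify(ip, zone, accepted, resolve=system_resolve):
    """Return (verdict, answers) for one DNSBL lookup."""
    try:
        answers = resolve(dnsbl_name(ip, zone))
    except OSError:
        return "lookup_failed", []       # no answer is not a listing
    if not answers:
        return "not_listed", []
    if all(a in accepted for a in answers):
        return "listed", answers
    return "untrusted_answer", answers   # e.g. 127.0.0.255 or a public IP


# Constructed resolvers that stand in for the behaviours reported in the thread.
def answers_everything(name):
    return ["127.0.0.255"]


def times_out(name):
    raise TimeoutError("constructed timeout")


STRICT = parse_codes("127.0.0.1-8|127.0.0.10-11")   # ranges from martin's post
WILDCARD = parse_codes("127.0.0.0-255")             # equivalent of 127.0.0.*

if __name__ == "__main__":
    zone, ip = "zen.spamhaus.org", "192.0.2.1"      # 192.0.2.1 is a constructed sample
    for label, codes in (("wildcard", WILDCARD), ("strict", STRICT)):
        print(label, classify(ip, zone, codes, resolve=answers_everything))
    print("timeout", classify(ip, zone, STRICT, resolve=times_out))
```

Calling classify without the resolve argument uses the resolver the host is configured with, so an "untrusted_answer" verdict there points at that resolver rather than at the DNSBL.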
Re: zen.spamhaus error
If you're making changes in that area anyway, can I get access key added as well, pretty please?
http://www.hmailserver.com/forum/viewto ... =2&t=16960
If at first you don't succeed, bomb disposal probably isn't for you! ヅ
Re: zen.spamhaus error
Quote:
> In your setup, you probably have 127.0.0.* set up.
yep!
Quote:
> The problem is that there's no easy way to specify 127.0.0.1->8, 10-11 in hMailServer. I'm in the middle of creating a new 5.3.2-version where it's possible to do this (127.0.0.1-8|127.0.1.10-11).
Thanks Martin, top stuff
Cheers
S.
Re: zen.spamhaus error
Yes, I can also confirm I have it set to 127.0.0.*
Oh, and...
^DooM^ wrote:
> If you're making changes in that area anyway, can I get access key added as well, pretty please?
> http://www.hmailserver.com/forum/viewto ... =2&t=16960
If you're doing a new version, martin, could I put in a request to have it play the Imperial March whenever I log in as the administrator, please?
Last edited by Tezcatlipoca on 2010-01-21 11:33, edited 1 time in total.
Re: zen.spamhaus error
Tezcatlipoca wrote:
> If you're doing a new version, martin, could I put in a request to have it play the Imperial March whenever I log in as the administrator, please?
He's not making changes to the login function
If at first you don't succeed, bomb disposal probably isn't for you! ヅ