DNS Blacklist score zero when SpamHaus lists as blocked

Use this forum for discussions about SpamAssassin and anti-spam in general.
tiggywiggler
New user
Posts: 11
Joined: 2017-02-20 17:18

DNS Blacklist score zero when SpamHaus lists as blocked

Post by tiggywiggler » 2017-02-20 17:23

Hello,

I have a situation where many spam emails are coming through recently. I ran through the settings to see if something was missing, but what I have found is that emails from domains that SpamHaus has listed are not triggering an increase in score. As an example, the information below is from the log file.

"SMTPD" 2220 236042 "2017-02-20 15:10:21.285" "74.63.250.108" "RECEIVED: MAIL FROM:<Neuropathy_Treatment_Group@reject.qhigain.us>"
"DEBUG" 2220 "2017-02-20 15:10:21.285" "Spam test: SpamTestDNSBlackLists, Score: 0"
"DEBUG" 2220 "2017-02-20 15:10:21.285" "Spam test: SpamTestHeloHost, Score: 0"
"DEBUG" 2220 "2017-02-20 15:10:21.285" "Spam test: SpamTestMXRecords, Score: 0"
"DEBUG" 2220 "2017-02-20 15:10:21.285" "Spam test: SpamTestSPF, Score: 0"
"DEBUG" 2220 "2017-02-20 15:10:21.285" "Total spam score: 0"

If I go to mxtoolbox.com and enter "reject.qhigain.us" SpamHaus shows this as listed. In my mind, the SpamTestDNSBlackLists score should be equal to what I have entered for SpamHaus (5). Am I understanding the system operation incorrectly please?

I have attached some screen shots below.

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by jimimaseye » 2017-02-20 17:27

Please action viewtopic.php?f=20&t=30914 and post results here.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

tiggywiggler
New user
Posts: 11
Joined: 2017-02-20 17:18

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by tiggywiggler » 2017-02-20 20:05

Thank you.

[code]2/20/2017 6:04:49 PM Hmailserver: 5.6.6-B2383

IP: 127.0.0.1 - 127.0.0.1 Priority: 15 Name: My computer

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - True


IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - True
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - True External To External - True


------------------------------------------------------
AUTOBANNED Local Addresses:
No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
Autoban Enabled: False
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
No entries
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL SPAM TESTS Score SPAMASSASSIN
Spam Mark: 6 Use SPF: True - 3 Use Spamassassin: True
Add X-HmailServer-Spam: True Check HELO host: True - 2 Hostname: localhost
Add X-HmailServer-Reason: True Check MX records: True - 2 Port: 783
Add X-HmailServer-Subject: True Verify DKIM: True - 5 Use SA score: True
Subject Text: "[SPAM]"
Spam delete threshold: 6 Maximum message size: 1024

GREYLISTING:
Greylisting: True Defer mins: 7 Days Unused: 2 Days Used: 72
Bypass SPF: True Bypass A/MX: False

Greylist WHITELIST ENTRIES:
IP Address: 127.0.0.1
IP Address: 67.227.238.94

Greylist DOMAINS enabled:
No entries

DNSBL ENTRIES:
zen.spamhaus.org Score: 5 Result: 127.0.0.*
bl.spamcop.net Score: 4 Result: 127.0.0.2

SURBL ENTRIES:
multi.surbl.org Score: 1
-----------------------------------------------------------------------------------------------

WHITELISTING
0.0.0.0 to 255.255.255.255 *facebook
0.0.0.0 to 255.255.255.255 *@worldpay.com
-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
When found - Delete email - Notify Sender: False, Notify Receiver: True

Max Message Size: 1052
CLAM AV: False
CLAMWIN: False
CUSTOMAV: False
-----------------------------------------------------------------------------------------------

SSL/TLS
SSL 3.0 : False
TLS 1.0 : True
TLS 1.1 : True
TLS 1.2 : True Verify Remote SSL/TLS Certs: True
SslCipherList :

ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 - DHE-RSA-AES128-GCM-SHA256 - DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA - ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256 - DHE-RSA-AES128-SHA - DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256 - DHE-DSS-AES256-SHA - DHE-RSA-AES256-SHA
AES128-GCM-SHA256 - AES256-GCM-SHA384 - ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA - AES128 - AES256
RC4-SHA - HIGH - !aNULL
!eNULL - !EXPORT - !DES
!3DES - !MD5 - !PSK;
-----------------------------------------------------------------------------------------------

TCPIP PORTS Connection Sec
0.0.0.0 / 25 / SMTP - None
0.0.0.0 / 110 / POP3 - None
0.0.0.0 / 143 / IMAP - None
0.0.0.0 / 587 / SMTP - None
-----------------------------------------------------------------------------------------------

LOGGING Logging Enabled: True

Paths:- Current: C:\Program Files (x86)\hMailServer\Logs\hmailserver_2017-02-20.log
Error: C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2017-02-20.log
Event: C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log
Awstats: C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
APPLICATION - True
SMTP - True
POP3 - True
IMAP - .
TCPIP - .
DEBUG - True
AWSTATS - .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL Compact

IPv6 support is available in operating system.

ERROR: Backup directory has not been specified.

Relative message paths are stored in the database for all messages.

No problems were found in the IP range configuration.

-----------------------------------------------------------------------------------------------

[/code]
Generated by HMSSettingsDiagnostics v1.40, Hmailserver Forum.

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by jimimaseye » 2017-02-20 20:16

[code]
DNSBL ENTRIES:
                  zen.spamhaus.org      Score: 5     Result: 127.0.0.*
[/code]
You can't use wildcard for Result codes.
https://www.hmailserver.com/documentati ... blacklists

Spamhaus result: 127.0.0.2-11 is more appropriate.

tiggywiggler
New user
Posts: 11
Joined: 2017-02-20 17:18

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by tiggywiggler » 2017-02-20 22:54

I did have the exact ranges set before and the result was the same. I would add that the link you pointed to says that wildcards are acceptable.

I have changed it anyway, but the results are the same.

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by jimimaseye » 2017-02-20 22:58

I believe that documentation page is wrong. Many versions ago it was allowed to enter * as an "IP ADDRESS" return whereas now there is a 'result code', but since v5.3.2 they were all changed to be exact matches. (Needs investigation).

When you say it's still happening, how do you know? Have you had NEW inbound emails from that source since changing it?

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by jimimaseye » 2017-02-20 23:22

Ok, just tested, and it seems wildcard is still accepted and allowed. Documentation is right after all and I am wrong. Sorry.

So...

When you say it's still happening, how do you know? Have you had NEW inbound emails from that source since changing it?

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by mattg » 2017-02-20 23:23

spamhaus checks the connecting IP address (in reverse) NOT the sender FROM

you need to check for IP 74.63.250.108
(This IS currently listed - unsure about when you received that message though)

Personally I find Spamhaus, while excellent, is a lot slower than other DNSBLs that I use to add new IPs
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by jimimaseye » 2017-02-20 23:27

mattg wrote: spamhaus checks the connecting IP address (in reverse) NOT the sender FROM

you need to check for IP 74.63.250.108

Yes, I checked the connecting address 74.63.250.108 and it is listed: https://www.spamhaus.org/query/ip/74.63.250.108

tiggywiggler
New user
Posts: 11
Joined: 2017-02-20 17:18

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by tiggywiggler » 2017-02-21 18:23

Hello guys,

So the result is 'yes' to your question about new connections coming in. As an example here is a recent email from today.

"SMTPD" 2212 242672 "2017-02-21 16:12:39.537" "74.63.228.254" "RECEIVED: MAIL FROM:<Real-Results@dough.viwound.us>"
"DEBUG" 2212 "2017-02-21 16:12:39.537" "Spam test: SpamTestDNSBlackLists, Score: 0"
"DEBUG" 2212 "2017-02-21 16:12:39.537" "Spam test: SpamTestHeloHost, Score: 0"
"DEBUG" 2212 "2017-02-21 16:12:39.537" "Spam test: SpamTestMXRecords, Score: 0"
"DEBUG" 2212 "2017-02-21 16:12:39.552" "Spam test: SpamTestSPF, Score: 0"
"DEBUG" 2212 "2017-02-21 16:12:39.552" "Total spam score: 0"

SpamHaus has that sending IP address (74.63.228.254) listed as blacklisted.

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by mattg » 2017-02-22 00:43

tiggywiggler wrote: SpamHaus has that sending IP address (74.63.228.254) listed as blacklisted.

Yes, but how long after the message was received did you check the list?

I use 'notepad ++'

it has an excellent search facility, called 'Find in Files'.
If I put the text 'zen.spamhaus.org, 1 addresses found' in the find what, and then set it to search my hMailServer log directory, I get many hundreds of hits in my (this month's) logs.

If you have notepad++ please try that, or perhaps search with windows search looking at contents of files.

I have many instances where zen.spamhaus.org doesn't find anything, but I also have some where they do. I also 're-check for spam' any unread mail every four hours, and find many messages in the second scan that weren't tagged as spam four hours previously.

tiggywiggler
New user
Posts: 11
Joined: 2017-02-20 17:18

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by tiggywiggler » 2017-02-23 19:37

Searching for this string inside Notepad++ returns zero results.

I would conduct a rebuild, but I cannot understand why that would help. Is there a SpamHaus DLL that could be corrupt?

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by jimimaseye » 2017-02-23 19:44

tiggywiggler wrote: I would conduct a rebuild, but I cannot understand why that would help. Is there a SpamHaus DLL that could be corrupt?

No such thing exists. Hmailserver does lookups purely from the text/entries you write in the DNSBL settings.

It is still likely that the address wasn't listed at the time you received the email (especially given that the ip address 74.63.228.254 is different from the first one 74.63.250.108). These lookups/spam traps are not immediate. You might be better to implement greylisting which will then add the benefit of delaying any incoming email for a particular period of time, giving the likes of spamhaus time to make and register their traps. (Often, spambots won't retry if greylisted anyway).

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by SorenR » 2017-02-24 12:44

You could always script your own RBLcheck if you don't trust the system...

System Scripting Runtime COM object -> http://www.netal.com/ssr.htm
Binary -> http://www.netal.com/software/ssr15.zip

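[code]
   ' Returns True when the IP is listed on sbl.spamhaus.org with result 127.0.0.3.
   Function IsSnowShoe(strIP)
      Dim a, strResult
      ' DNSBL query name: the IPv4 octets reversed, followed by the list's zone.
      a = Split(strIP, ".")
      With CreateObject("SScripting.IPNetwork")
         strResult = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".sbl.spamhaus.org")
      End With
      ' The answer goes into its own variable: VBScript passes arguments ByRef
      ' by default, so assigning to strIP would overwrite the caller's value.
      If (strResult = "127.0.0.3") Then
         IsSnowShoe = True
      Else
         IsSnowShoe = False
      End If
   End Function
[/code]
http://www.wisegeek.com/what-is-snowsho ... youknowout

Example of usage...

[code]
   Sub OnClientConnect(oClient)

      If IsSnowShoe(oClient.IPAddress) Then
         '
         ' SnowShoe SPAM detection
         '
         ' Result.Value = 1 rejects the connection.
         Result.Value = 1
         ' AutoBan is a helper from the poster's own script; it is not shown in this post.
         Call AutoBan(oClient.IPAddress, "SnowShoe SPAM", 2, "h")
         Exit Sub
      End If

   End Sub
[/code]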
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by mattg » 2017-02-25 13:17

I also like to know what happens if you change DNS server on your machine...

Which DNS does your windows machine use?

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by jimimaseye » 2017-02-25 13:20

mattg wrote: I also like to know what happens if you change DNS server on your machine...

Which DNS does your windows machine use?

(I also got to this thought but could no longer be bothered to go down that route)

tiggywiggler
New user
Posts: 11
Joined: 2017-02-20 17:18

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by tiggywiggler » 2017-02-26 15:08

Hello all and thank you for your comments. I am sorry I did not reply; we had a serious breakdown at work, I had to drive north for a period and didn't have access to this terminal anymore. Apologies for that.

Something I have been wondering about is that we went through a period where no emails were received at all; to get around this I whitelisted the local IP address within the greylist tool (127.0.0.1). I notice some comments above about greylisting / whitelisting. Do you think I may have broken something by doing this? The intention was to whitelist anything coming from within the local server (applications trying to send out mail), but I suppose I could have done something bad.

Let me know either way. I am going to enable TCP/IP logging to see if I can see anything in the log; if I don't get anywhere with that I will try the scripts you have mentioned (looks like I have some reading and learning to do!).

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by jimimaseye » 2017-02-26 15:22

It's true you have greylisting and also some WHITELISTING enabled but neither of your entries would affect these example addresses you have recently reported.

And in fact 74.63.228.254 and 74.63.250.108 do not even show as listed now.

I still firmly believe that it is either a case of any 'spam list' for the addresses you check is late/slow to list them (and you are an early receiver of their mailings).

If you really want to prove the point as to whether your spamhaus setup is working, contact me via PM, I will send you an email from my home setup (which will have me listed in PBL as I am a domestic line) and you should see that email list.

tiggywiggler
New user
Posts: 11
Joined: 2017-02-20 17:18

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by tiggywiggler » 2017-02-26 15:47

Hello guys, and thank you for your comment Jimimaseye.

I was reading the logs with TCP/IP on and I see this:

My comments added with [[]] double brackets

"TCPIP" 2212 "2017-02-26 13:34:50.371" "TCP - 205.209.133.122 connected to 67.227.238.94:25 [[My IP]]."
"DEBUG" 2212 "2017-02-26 13:34:50.386" "TCP connection started for session 273297"
"SMTPD" 2212 273297 "2017-02-26 13:34:50.386" "205.209.133.122" "SENT: 220 mail.scotsconnection.com [[My Server Name]] ESMTP"
"SMTPD" 2212 273297 "2017-02-26 13:34:50.465" "205.209.133.122" "RECEIVED: EHLO duck.easiert.us"
"SMTPD" 2212 273297 "2017-02-26 13:34:50.465" "205.209.133.122" "SENT: 250-mail.scotsconnection.com[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 2216 273297 "2017-02-26 13:34:50.543" "205.209.133.122" "RECEIVED: MAIL FROM:<Booking.Orlando.Vacation@duck.easiert.us>"
"TCPIP" 2216 "2017-02-26 13:34:50.543" "DNS lookup: 122.133.209.205.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP" 2216 "2017-02-26 13:34:50.543" "DNS lookup: 122.133.209.205.bl.spamcop.net, 0 addresses found: (none), Match: False"
"DEBUG" 2216 "2017-02-26 13:34:50.543" "Spam test: SpamTestDNSBlackLists, Score: 0"
"DEBUG" 2216 "2017-02-26 13:34:50.543" "Spam test: SpamTestHeloHost, Score: 0"
"DEBUG" 2216 "2017-02-26 13:34:50.543" "Spam test: SpamTestMXRecords, Score: 0"
"DEBUG" 2216 "2017-02-26 13:34:50.543" "Spam test: SpamTestSPF, Score: 0"
"DEBUG" 2216 "2017-02-26 13:34:50.543" "Total spam score: 0"

I see from SpamHaus that the domain "easiert.us" is blocked, but the IP address that I think is being sent to spamhaus.org (122.133.209.205) is only listed in the PBL list, not the SBL or XBL. Do you think this may have any involvement in the results that I am seeing?

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by jimimaseye » 2017-02-26 15:56

Why are you looking up 122.133.209.205? The IP is 205.209.133.122. You don't need to reverse the addresses when doing the lookup on spamhaus website (just enter the address as it appears).

https://www.spamhaus.org/query/ip/205.209.133.122 is listed under SBL list which would return 127.0.0.3. What do you have for your return codes to zen.spamhaus (do you have it as one of your return codes)?

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by jimimaseye » 2017-02-26 16:06

I have just sent a test email to the 'sales' address you provided in PM.

The debug should show that it is received, and will hit the PBL list with spamhaus.

tiggywiggler
New user
Posts: 11
Joined: 2017-02-20 17:18

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by tiggywiggler » 2017-02-26 16:09

I'm not reversing anything, that is simply a copy & paste from the logs.

"DNS lookup: 122.133.209.205.zen.spamhaus.org, 0 addresses found: (none), Match: False"

I wonder if that is something that it does as a matter of course?

As you say, the correct source IP address has entries in the SBL and XBL, the reversed IP address has an entry in the PBL, so it is the result in the SBL and XBL (205.209.133.122) that we should be paying attention to.

Regarding your question about return codes, I don't see anything in the logs related to return codes, only what I have copied and pasted in the previous comment.

Here is another example, with a mail coming from Bahama_All_Inclusive@loading.gosorta.us

If we test the domain (loading.gosorta.us) in MXToolbox, Zen.SpamHaus shows it as listed; if we test the IP address in Zen.SpamHaus we see that the IP address (63.143.40.125) is listed in the SBL only. If you reverse the IP address (still not sure why we would do this, but hey), you see that 125.40.143.63 is listed in the PBL. The reason I reverse the IP address like that is that you see the push to zen.spamhaus.org in the log has a reversed IP address, but this may just be because the service on the end of the line reverses again and you need to do this for zen.spamhaus.org to get the correct address (who knows?).

Here is the log:

"DEBUG" 2212 "2017-02-26 14:02:27.229" "Creating session 273524"
"TCPIP" 2212 "2017-02-26 14:02:27.229" "TCP - 63.143.40.125 connected to 67.227.238.94:25."
"DEBUG" 2212 "2017-02-26 14:02:27.245" "TCP connection started for session 273523"
"SMTPD" 2212 273523 "2017-02-26 14:02:27.245" "63.143.40.125" "SENT: 220 mail.scotsconnection.com ESMTP"
"SMTPD" 2212 273523 "2017-02-26 14:02:27.307" "63.143.40.125" "RECEIVED: EHLO loading.gosorta.us"
"SMTPD" 2212 273523 "2017-02-26 14:02:27.307" "63.143.40.125" "SENT: 250-mail.scotsconnection.com[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 2216 273523 "2017-02-26 14:02:27.370" "63.143.40.125" "RECEIVED: MAIL FROM:<Bahama_All_Inclusive@loading.gosorta.us>"
"TCPIP" 2216 "2017-02-26 14:02:27.370" "DNS lookup: 125.40.143.63.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP" 2216 "2017-02-26 14:02:27.370" "DNS lookup: 125.40.143.63.bl.spamcop.net, 0 addresses found: (none), Match: False"
"DEBUG" 2216 "2017-02-26 14:02:27.370" "Spam test: SpamTestDNSBlackLists, Score: 0"
"DEBUG" 2216 "2017-02-26 14:02:27.370" "Spam test: SpamTestHeloHost, Score: 0"
"DEBUG" 2216 "2017-02-26 14:02:27.370" "Spam test: SpamTestMXRecords, Score: 0"
"DEBUG" 2216 "2017-02-26 14:02:27.370" "Spam test: SpamTestSPF, Score: 0"
"DEBUG" 2216 "2017-02-26 14:02:27.370" "Total spam score: 0"

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by jimimaseye » 2017-02-26 16:13

Can you review the logs for the email I sent please.

tiggywiggler
New user
Posts: 11
Joined: 2017-02-20 17:18

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by tiggywiggler » 2017-02-26 16:14

I assume this entry is the one from you? Yes, this hit the list.

"DEBUG" 2212 "2017-02-26 14:06:24.971" "Creating session 273556"
"TCPIP" 2212 "2017-02-26 14:06:24.971" "TCP - 80.42.31.164 connected to 67.227.238.94:25."
"DEBUG" 2212 "2017-02-26 14:06:24.987" "TCP connection started for session 273555"
"SMTPD" 2212 273555 "2017-02-26 14:06:24.987" "80.42.31.164" "SENT: 220 mail.scotsconnection.com ESMTP"
"SMTPD" 2220 273555 "2017-02-26 14:06:25.096" "80.42.31.164" "RECEIVED: EHLO jimimaseye.homeip.net"
"SMTPD" 2220 273555 "2017-02-26 14:06:25.096" "80.42.31.164" "SENT: 250-mail.scotsconnection.com[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 2220 273555 "2017-02-26 14:06:25.221" "80.42.31.164" "RECEIVED: MAIL FROM:<user1@jim.homeip.net>"
"TCPIP" 2220 "2017-02-26 14:06:25.221" "DNS lookup: 164.31.42.80.zen.spamhaus.org, 1 addresses found: 127.0.0.11, Match: True"
"TCPIP" 2220 "2017-02-26 14:06:25.221" "DNS lookup: 164.31.42.80.bl.spamcop.net, 0 addresses found: (none), Match: False"
"DEBUG" 2220 "2017-02-26 14:06:25.221" "Spam test: SpamTestDNSBlackLists, Score: 5"
"DEBUG" 2220 "2017-02-26 14:06:25.331" "Spam test: SpamTestHeloHost, Score: 0"
"DEBUG" 2220 "2017-02-26 14:06:25.456" "Spam test: SpamTestMXRecords, Score: 0"
"DEBUG" 2220 "2017-02-26 14:06:25.487" "Spam test: SpamTestSPF, Score: 0"
"DEBUG" 2220 "2017-02-26 14:06:25.487" "Total spam score: 5"

That entry is listed in the PBL

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by jimimaseye » 2017-02-26 16:19

Yes it was mine.

So therefore your setup is working as it is configured to do so (.11 is a return code of PBL - https://www.spamhaus.org/zen/)

The conclusion is that if spamhaus is not returning a code and you think it is incorrect then the issue will be with spamhaus or dns records - all of which you cannot control.

tiggywiggler
New user
Posts: 11
Joined: 2017-02-20 17:18

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by tiggywiggler » 2017-02-26 16:36

Thank you for your help with that. :)

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by jimimaseye » 2017-02-26 16:40

Ok, a consolation for you........

Despite spamhaus showing on their ONLINE lookup facility some of these addresses as being listed, when I do a command check I still get zero results.

For example, I know the address I used (80.42.31.164) is listed and indeed your hmailserver also got this returned as such.

However, if I do a search from my machine using nslookup I get no results:

[code]
> 164.31.42.80.zen.spamhaus.org
Server:  resolver1.dyndnsinternetguide.com
Address:  216.146.35.35

*** resolver1.dyndnsinternetguide.com can't find 164.31.42.80.zen.spamhaus.org:
Non-existent domain
[/code]
So I try an online lookup with DIG: https://toolbox.googleapps.com/apps/dig ... amhaus.org and that too also doesn't return a result.

[code]
id 53503
opcode QUERY
rcode NXDOMAIN
flags QR RD RA
;QUESTION
164.31.42.80.zen.spamhaus.org. IN A
;ANSWER
;AUTHORITY
zen.spamhaus.org. 9 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1702261427 3600 600 432000 10
;ADDITIONAL
[/code]
BUT.... I then went to our work server and did the same check:

[code]
> 164.31.42.80.zen.spamhaus.org
Server:  UnKnown
Address:  192.168.0.200

Non-authoritative answer:
Name:    164.31.42.80.zen.spamhaus.org
Address:  127.0.0.11
[/code]
and there it is, listed: (127.0.0.11)

The difference being the DNS supplier - the work one being a caching server which ultimately is fed by work ISP's dns servers. If I use that same ISP DNS server then I do get the positive lookup.

So, summary: I don't know why but it is based on DNS and some return it correctly and some do not. Therefore I think it is out of your hands (unless someone can work out and explain why these random results happen between DNS suppliers/servers).

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by SorenR » 2017-02-26 18:25

My DNS (NAS w/ BIND 9) finds you no problem... Google ( 8.8.8.8 ) does not!

I know some RBLs block known common DNS servers as they cannot control traffic per user/site.
Lookups are free - but only to a certain extent. :wink:

[code]
C:\WINDOWS>nslookup
Default Server:  bigbrother.lolle.org
Address:  192.168.0.50

> 164.31.42.80.zen.spamhaus.org
Server:  bigbrother.lolle.org
Address:  192.168.0.50

Non-authoritative answer:
Name:    164.31.42.80.zen.spamhaus.org
Address:  127.0.0.11

> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> 164.31.42.80.zen.spamhaus.org
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

*** google-public-dns-a.google.com can't find 164.31.42.80.zen.spamhaus.org: Non
-existent domain
>
[/code]
https://www.lifewire.com/free-and-publi ... rs-2626062

"OpenDNS Home" and "FreeDNS" I tried and they work 8)

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by jimimaseye » 2017-02-26 18:35

Yes, I think you have also demonstrated what we have observed - the difference being with the added rationale explanation. So the OP just has to find a DNS service that doesn't have these restrictions.

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by jimimaseye » 2017-02-26 22:21

I just tried Norton and that works too: https://dns.norton.com/ (comes with 3 levels of protection of your own choice)

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by mattg » 2017-02-26 23:20

SorenR wrote: My DNS (NAS w/ BIND 9) finds you no problem... Google ( 8.8.8.8 ) does not!

I know some RBLs block known common DNS servers as they cannot control traffic per user/site.
Lookups are free - but only to a certain extent.

Yep
https://www.spamhaus.org/organization/dnsblusage/

tiggywiggler
New user
Posts: 11
Joined: 2017-02-20 17:18

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by tiggywiggler » 2017-02-28 13:13

That is mental! You guys are amazing for finding this out.

Thank you for this. I will have a look about and see what the options are for me to sort this out.
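
The check this thread converges on, as an added example (not code from any poster or from hMailServer): tally the `DNS lookup:` lines of an hMailServer TCPIP log per DNSBL zone, decode any listings, and flag zones that never returned an answer so they can be cross-checked with nslookup through a different resolver. The function names, the `min_lookups` threshold and the comma-split of multiple answers are assumptions; the sample lines are copied from the posts above.

```python
import re
from collections import defaultdict

# Spamhaus ZEN return codes. 127.0.0.3 (SBL) and 127.0.0.11 (PBL) are quoted in
# the thread; the remaining entries follow Spamhaus's published ZEN code table.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

# One hMailServer TCPIP log line, in the format pasted in the thread.
LOOKUP_RE = re.compile(
    r'^"TCPIP"\s+\d+\s+"(?P<ts>[^"]+)"\s+"DNS lookup: (?P<name>\S+), '
    r'(?P<count>\d+) addresses found: (?P<answers>.*), Match: (?P<match>True|False)"$'
)

# Log lines copied from the posts in this thread (two spam sessions, one test mail).
SAMPLE_LOG = '''
"TCPIP" 2216 "2017-02-26 13:34:50.543" "DNS lookup: 122.133.209.205.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP" 2216 "2017-02-26 13:34:50.543" "DNS lookup: 122.133.209.205.bl.spamcop.net, 0 addresses found: (none), Match: False"
"TCPIP" 2216 "2017-02-26 14:02:27.370" "DNS lookup: 125.40.143.63.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP" 2216 "2017-02-26 14:02:27.370" "DNS lookup: 125.40.143.63.bl.spamcop.net, 0 addresses found: (none), Match: False"
"TCPIP" 2220 "2017-02-26 14:06:25.221" "DNS lookup: 164.31.42.80.zen.spamhaus.org, 1 addresses found: 127.0.0.11, Match: True"
"TCPIP" 2220 "2017-02-26 14:06:25.221" "DNS lookup: 164.31.42.80.bl.spamcop.net, 0 addresses found: (none), Match: False"
"DEBUG" 2220 "2017-02-26 14:06:25.221" "Spam test: SpamTestDNSBlackLists, Score: 5"
'''


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client resolves: reversed IPv4 octets + zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def parse_lookup(line):
    """Parse one 'DNS lookup:' log line; return None for any other line."""
    m = LOOKUP_RE.match(line.strip())
    if not m:
        return None
    labels = m.group("name").split(".", 4)
    if len(labels) != 5 or not all(p.isdigit() for p in labels[:4]):
        return None  # not an IPv4 DNSBL query
    answers = m.group("answers")
    # Assumption: several answers would be comma-separated; the thread shows only one.
    found = [] if answers == "(none)" else [a.strip() for a in answers.split(",")]
    return {
        "ts": m.group("ts"),
        "client_ip": ".".join(reversed(labels[:4])),  # undo the DNSBL reversal
        "zone": labels[4],
        "answers": found,
        "match": m.group("match") == "True",
    }


def summarize(lines, min_lookups=3):
    """Per zone: lookups, hits, decoded listings, and a cross-check flag.

    A zone with at least min_lookups queries and no answers at all cannot be
    told apart from a resolver that the list operator refuses to serve, so it
    is flagged for a manual nslookup through a different resolver.
    """
    zones = defaultdict(lambda: {"lookups": 0, "hits": 0, "listings": []})
    for line in lines:
        rec = parse_lookup(line)
        if rec is None:
            continue
        stats = zones[rec["zone"]]
        stats["lookups"] += 1
        if rec["answers"]:
            stats["hits"] += 1
        for code in rec["answers"]:
            if rec["zone"] == "zen.spamhaus.org":
                meaning = ZEN_CODES.get(code, "unrecognised code")
            else:
                meaning = "listed"
            stats["listings"].append((rec["client_ip"], code, meaning))
    for stats in zones.values():
        stats["needs_crosscheck"] = (
            stats["lookups"] >= min_lookups and stats["hits"] == 0
        )
    return dict(zones)


if __name__ == "__main__":
    for zone, stats in summarize(SAMPLE_LOG.splitlines()).items():
        print(zone, stats["lookups"], "lookups,", stats["hits"], "hits")
        for ip, code, meaning in stats["listings"]:
            print("   ", ip, "->", code, "(%s)" % meaning)
        if stats["needs_crosscheck"]:
            print("    no answers at all: try, via another resolver:",
                  dnsbl_query_name("80.42.31.164", zone))
```

On a real server, pass the lines of the current hMailServer log (with TCPIP logging enabled, as in the thread) to `summarize` instead of `SAMPLE_LOG`.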

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: DNS Blacklist score zero when SpamHaus lists as blocked

Post by SorenR » 2017-02-28 13:35

tiggywiggler wrote: That is mental! You guys are amazing for finding this out.

Thank you for this. I will have a look about and see what the options are for me to sort this out.

I can't speak for all but when I started out with computers, I got to do assembler programming of Intel 8080's and DARPA was still working on ARPA net - oh and my first SmartPhone was the Ericsson R380 ;-)

So in reality it's all down to experience and being online for a very, very, long time :mrgreen: