Fake SURBL DNSBL from local network

Ruser
New user
Posts: 12
Joined: 2019-11-14 12:54

Fake SURBL DNSBL from local network

Post by Ruser » 2019-11-15 10:28

Hi,

Testing HMS for antispam. 99% of SURBL and DNSBL DNS lookups are fake.

HMS is installed on Windows 7 in the 192.168.0.255 network.
Static IP=192.168.0.172, DNS=8.8.8.8
SMTP relayer on the internet: smtp.beget.com
Accounts fetch mail from an external account: pop3.beget.ru

Fake SURBL example:
"SURBL: Lookup: cb-killer.ru.multi.surbl.org"
"DEBUG" 2524 "2019-11-15 08:08:24.052" "SURBL: Match found"
"DEBUG" 2524 "2019-11-15 08:08:24.052" "Spam test: SpamTestSURBL, Score: 3"
Tested with http://www.surbl.org/surbl-analysis

Fake DNSBL example:
"TCPIP" 2652 "2019-11-13 10:42:42.551" "DNS lookup: 101.249.105.180.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP" 2652 "2019-11-13 10:42:42.738" "DNS lookup: 101.249.105.180.bl.spamcop.net, 0 addresses found: (none), Match: False"
"DEBUG" 2652 "2019-11-13 10:42:42.738" "Spam test: SpamTestDNSBlackLists, Score: 0"
Tested with https://www.spamhaus.org/query/ip/180.105.249.101

Test: Collect server details
hMailServer version: hMailServer 5.6.8-B2494
Database type: MySQL

Test: Test IPv6
IPv6 support is available in operating system.

Test: Test outbound port
SMTP relayer is in use.
Local address is 192.168.0.172.
Trying to connect to host smtp.beget.com...
Trying to connect to TCP/IP address 185.78.30.58 on port 25.
Received: 220 smtp.beget.com.
Connected successfully.

Test: Test backup directory
Backup directory D:\hMailServer\bcp is writable.

Test: Test MX records
Trying to resolve MX records for 9250505.ru...
Host name found: mx1.beget.com
Host name found: mx2.beget.com

Test: Test local connect
Connecting to TCP/IP address in MX records for local domain domain 9250505.ru...
Trying to connect to host mx1.beget.com...
Trying to connect to TCP/IP address 5.101.158.68 on port 25.
Received: 220 mail1.beget.ru.
Connected successfully.

Test: Test message file locations
Relative message paths are stored in the database for all messages.

Test: Test IP range configuration
No problems were found in the IP range configuration.

RvdH
Senior user
Posts: 843
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Fake SURBL DNSBL from local network

Post by RvdH » 2019-11-15 10:44

Mmmm, right :!: :?:
...but what is your actual question?

cb-killer.ru is an existing domain, which actually can be listed in multi.surbl.org (and apparently is).
DNSBL lookups seem fine.
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

Ruser
New user
Posts: 12
Joined: 2019-11-14 12:54

Re: Fake SURBL DNSBL from local network

Post by Ruser » 2019-11-15 11:04

RvdH wrote:
2019-11-15 10:44
DNSBL lookups seem fine
yes, not a spammer

but HMS thinks this is a spammer:
Ruser wrote:
2019-11-15 10:28
"DEBUG" 2524 "2019-11-15 08:08:24.052" "SURBL: Match found"
Feel the difference?

RvdH
Senior user
Posts: 843
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Fake SURBL DNSBL from local network

Post by RvdH » 2019-11-15 13:11

multi.surbl.org lists the domain cb-killer.ru as a spammer, not hMailServer.
hMailServer only checks the domain against multi.surbl.org.

[EDIT]
I see your point... doing the lookup with http://www.surbl.org/surbl-analysis the result is: cb-killer.ru is NOT listed

Weird...cached DNS lookup result maybe?

palinka
Senior user
Posts: 1542
Joined: 2017-09-12 17:57

Re: Fake SURBL DNSBL from local network

Post by palinka » 2019-11-15 13:41

Try changing to open DNS instead on the server.

I've read reports that firewalls can be hacked to fake dns queries.

http://www.rawinfopages.com/tips/2016/0 ... -settings/

Ruser
New user
Posts: 12
Joined: 2019-11-14 12:54

Re: Fake SURBL DNSBL from local network

Post by Ruser » 2019-11-15 15:01

RvdH wrote:
2019-11-15 13:11
cached DNS lookup result maybe?
I set Google DNS in the computer settings:
Ruser wrote:
2019-11-15 10:28
static ip=192.168.0.172, dns=8.8.8.8
Where is the cache? My router "mikrotik", the ISP?
I tried turning the router off/on...

Ruser
New user
Posts: 12
Joined: 2019-11-14 12:54

Re: Fake SURBL DNSBL from local network

Post by Ruser » 2019-11-15 15:12

palinka wrote:
2019-11-15 13:41
Try changing to open DNS instead on the server.
What?
I already have corporate DNS on ip=192.168.0.12

Tested:
C:\Users\1>nslookup seal.com
server: dns.google
Address: 8.8.8.8

answer:
 : seal.com
Address: 174.129.25.170

palinka
Senior user
Posts: 1542
Joined: 2017-09-12 17:57

Re: Fake SURBL DNSBL from local network

Post by palinka » 2019-11-15 16:41

Ruser wrote:
2019-11-15 15:12
palinka wrote:
2019-11-15 13:41
Try changing to open DNS instead on the server.
What?
I already have corporate DNS on ip=192.168.0.12

Tested:
C:\Users\1>nslookup seal.com
server: dns.google
Address: 8.8.8.8

answer:
 : seal.com
Address: 174.129.25.170
You have corporate dns or Google dns?

If it's Google DNS (which you reported in the OP), then it's probably just a case where the examples you presented in the logs already expired. Just a coincidence that they tested positive when the messages were received and no return when you (and we) checked later.

Alternatively, your mikrotik router is compromised although I believe setting dns to Google or open dns on your server will bypass the router dns altogether.

Ruser
New user
Posts: 12
Joined: 2019-11-14 12:54

Re: Fake SURBL DNSBL from local network

Post by Ruser » 2019-11-18 16:03

The DNSBL and SURBL checks do not work
every time when I send a test email.
(IP must be spam)
(URL must not be spam)

Log:
"TCPIP" 3828 "2019-11-18 17:44:22.941" "DNS lookup: 101.249.105.180.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP" 3828 "2019-11-18 17:44:22.941" "DNS lookup: 101.249.105.180.bl.spamcop.net, 0 addresses found: (none), Match: False"
"DEBUG" 3828 "2019-11-18 17:44:22.941" "Spam test: SpamTestDNSBlackLists, Score: 0"
"DEBUG" 3828 "2019-11-18 17:44:22.941" "Total spam score: 0"
"DEBUG" 3828 "2019-11-18 17:44:22.941" "SURBL: Execute"
"DEBUG" 3828 "2019-11-18 17:44:22.941" "SURBL: Found URL: cb-killer.ru"
"DEBUG" 3828 "2019-11-18 17:44:22.941" "SURBL: 1 unique addresses found."
"DEBUG" 3828 "2019-11-18 17:44:22.941" "SURBL: Lookup: cb-killer.ru.multi.surbl.org"
"DEBUG" 3828 "2019-11-18 17:44:22.941" "SURBL: Match found"
"DEBUG" 3828 "2019-11-18 17:44:22.941" "Spam test: SpamTestSURBL, Score: 3"
"DEBUG" 3828 "2019-11-18 17:44:22.941" "Total spam score: 3"

I created a simple test.eml:

Return-Path: jiaohe9144@126.com
Return-Path: <nrsymeau@hcfh.com>
Received: from [180.105.249.101] (port=3798 helo=hcfh.com)
by mail1.beget.ru with esmtp (Exim 4.90.1-beget)
(envelope-from <nrsymeau@hcfh.com>)
id 1iUlIy-0004QL-21
for marketing@kristalnaya.ru; Wed, 18 Nov 2019 08:35:01 +0300
Received: from vps9736 ([127.0.0.1]) by localhost via TCP with ESMTPA; Wed, 13 Nov 2019 18:34:34 +0800
MIME-Version: 1.0
From: Leo <jiaohe9144@126.com>
Sender: Leo <nrsymeau@hcfh.com>
To: marketing@kristalnaya.ru
Reply-To: Leo <jiaohe9144@126.com>
Date: 18 Nov 2019 13:34:34 +0800
Subject: test2
Content-Type: text/html; charset=utf-8
Mime-Version: 1.0
Content-Transfer-Encoding: quoted-printable

<p style=3D"color: #666;font-size: 10px;"><a href=3D"http://cb-killer.ru/un=
subsribe">test2</a></p>
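The test message above, reused in an added example (this is neither hMailServer's code nor the poster's): it parses test.eml, decodes the quoted-printable body so the soft-wrapped URL becomes whole again, and builds the two query names that appear in the log, 101.249.105.180.zen.spamhaus.org (connecting IP with octets reversed) and cb-killer.ru.multi.surbl.org (registered domain of the linked URL). Assumptions: the Received-header folding tabs are restored so the parser accepts the headers, the originating IP is taken from the outermost Received header because a stored .eml has no live SMTP peer, and the registered-domain rule is simplified to the last two labels. No DNS traffic is generated.

```python
"""Build the DNSBL / SURBL query names a spam check derives from a message.

Added example, not hMailServer code. Constructs the names only; it does not
query any list.
"""
import email
import re
from ipaddress import IPv4Address
from typing import Optional
from urllib.parse import urlparse

# test.eml as posted in the thread; header folding whitespace (tabs) restored.
TEST_EML = b"""Return-Path: <nrsymeau@hcfh.com>
Received: from [180.105.249.101] (port=3798 helo=hcfh.com)
\tby mail1.beget.ru with esmtp (Exim 4.90.1-beget)
\t(envelope-from <nrsymeau@hcfh.com>)
\tid 1iUlIy-0004QL-21
\tfor marketing@kristalnaya.ru; Wed, 18 Nov 2019 08:35:01 +0300
Received: from vps9736 ([127.0.0.1]) by localhost via TCP with ESMTPA; Wed, 13 Nov 2019 18:34:34 +0800
MIME-Version: 1.0
From: Leo <jiaohe9144@126.com>
Sender: Leo <nrsymeau@hcfh.com>
To: marketing@kristalnaya.ru
Reply-To: Leo <jiaohe9144@126.com>
Date: 18 Nov 2019 13:34:34 +0800
Subject: test2
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<p style=3D"color: #666;font-size: 10px;"><a href=3D"http://cb-killer.ru/un=
subsribe">test2</a></p>
"""

HREF_RE = re.compile(r'href="(https?://[^"\s]+)"', re.IGNORECASE)
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone:
    180.105.249.101 + zen.spamhaus.org -> 101.249.105.180.zen.spamhaus.org"""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def surbl_query_name(url: str, zone: str = "multi.surbl.org") -> str:
    """Key a URL on its registered domain and append the SURBL zone.
    Simplification (assumption): the last two labels are the registered
    domain; a production client consults SURBL's two-/three-level TLD lists."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    registered = ".".join(host.split(".")[-2:])
    return f"{registered}.{zone}"


def originating_ip(msg) -> Optional[str]:
    """First public IPv4 address in the Received chain, outermost header first.
    In a live SMTP session the server uses the connecting peer's address;
    for a stored .eml this header is the closest substitute (assumption)."""
    for received in msg.get_all("Received", []):
        for candidate in BRACKET_IP_RE.findall(received):
            if IPv4Address(candidate).is_global:
                return candidate
    return None


def scan_message(raw: bytes = TEST_EML,
                 dnsbl_zones=("zen.spamhaus.org", "bl.spamcop.net")):
    """Return the lookups a DNSBL/SURBL check would issue for this message."""
    msg = email.message_from_bytes(raw)
    # decode=True undoes the quoted-printable transfer encoding, so the soft
    # line break in "un=\nsubsribe" disappears and the URL is whole again.
    html = msg.get_payload(decode=True).decode("utf-8", "replace")
    urls = HREF_RE.findall(html)
    ip = originating_ip(msg)
    return {
        "ip": ip,
        "dnsbl": [dnsbl_query_name(ip, z) for z in dnsbl_zones] if ip else [],
        "urls": urls,
        "surbl": sorted({surbl_query_name(u) for u in urls}),
    }


if __name__ == "__main__":
    for key, value in scan_message().items():
        print(f"{key:6}: {value}")
```

The decoding step is the part worth noticing: a scanner that searches the raw body instead of the decoded payload sees "cb-killer.ru/un" and "subsribe" on separate lines and never forms the domain key at all.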

Ruser
New user
Posts: 12
Joined: 2019-11-14 12:54

Re: Fake SURBL DNSBL from local network

Post by Ruser » 2019-11-18 16:06

palinka wrote:
2019-11-15 16:41
You have corporate dns or Google dns?
My computer is set to Google dns.

palinka
Senior user
Posts: 1542
Joined: 2017-09-12 17:57

Re: Fake SURBL DNSBL from local network

Post by palinka » 2019-11-18 17:43

Ruser wrote:
2019-11-18 16:06
palinka wrote:
2019-11-15 16:41
You have corporate dns or Google dns?
My computer is set to Google dns.
The machine that hMailServer is on has Google or local dns? What happens when you do nslookup from that machine?

It should not be different for hMailServer than for any other program on the server. hMailServer is only using the server's dns settings. It doesn't have its own dns.

Ruser
New user
Posts: 12
Joined: 2019-11-14 12:54

Re: Fake SURBL DNSBL from local network

Post by Ruser » 2019-11-19 08:39

palinka wrote:
2019-11-18 17:43
The machine that hMailServer is on has Google or local dns? What happens when you do nslookup from that machine?

Also, I did "ipconfig /flushdns" and rebooted Windows 7 Pro

ipconfig /all
IP settings for Windows
name . . . . . . . . . : NB-75
main DNS-Suffix . . . . . . : kristal.local
WINS-proxy enabled . . . . . . . : no
Order list DNS . : kristal.local

Ethernet adapter:
DNS-Suffix . . . . . :
Name. . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
DHCP enabled. . . . . . . . . . . : yes
Auto settings. . . . . . : yes
IPv6 . . . : fe80::d4ba:227:5fea:1fbe%11(main)
IPv4. . . . . . . . . . . . : 192.168.0.172(main)
mask . . . . . . . . . . : 255.255.255.0
main gateway. . . . . . . . . : 192.168.0.197
DHCP-server. . . . . . . . . . . : 192.168.0.197
DNS-servers. . . . . . . . . . . : 8.8.8.8
77.88.8.88
main WINS-server. . . . . . . : 192.168.0.12
NetBios by TCP/IP. . . . . . . . : enabled

nslookup cb-killer.ru.multi.surbl.org
result is the same as
nslookup 101.249.105.180.zen.spamhaus.org
srv: dns.google
Address: 8.8.8.8
*** dns.google -> 101.249.105.180.zen.spamhaus.org: Non-existent domain

https://mxtoolbox.com/SuperTool.aspx?action=a%3a101.249.105.180.zen.spamhaus.org&run=toolpage
DNS No Valid NameServers Responded

Ruser
New user
Posts: 12
Joined: 2019-11-14 12:54

Re: Fake SURBL DNSBL from local network

Post by Ruser » 2019-11-19 08:51

Ruser wrote:
2019-11-18 16:03
I created a simple test.eml
Who knows where to put this file for SMTP testing?
(Now I use another local mail server box.)

RvdH
Senior user
Posts: 843
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Fake SURBL DNSBL from local network

Post by RvdH » 2019-11-19 09:46

Could it be because of 'SURBL detection properly fails to detect url's ending with a query string issue #108' in < 5.7.0 builds?

Perhaps you could try my custom build, which should fix the above issue:
5.6.8-B2494.22.7z

Ruser
New user
Posts: 12
Joined: 2019-11-14 12:54

Re: Fake SURBL DNSBL from local network

Post by Ruser » 2019-11-19 10:42

RvdH wrote:
2019-11-19 09:46
Could it be because of 'SURBL detection properly fails to detect url's ending with a query string
No "DNS query failed" in logs.

Today SURBL did its job properly for 1 test email:
"DEBUG" 2216 "2019-11-19 12:11:11.840" "SURBL: Lookup: cb-killer.ru.multi.surbl.org"
"DEBUG" 2216 "2019-11-19 12:11:11.902" "SURBL: Match not found"
"DEBUG" 2216 "2019-11-19 12:11:11.902" "Spam test: SpamTestSURBL, Score: 0"

But DNSBL did not do its job properly:
"TCPIP" 2216 "2019-11-19 12:11:11.684" "DNS lookup: 101.249.105.180.zen.spamhaus.org, 0 addresses found: (none), Match: False"

Continue testing...
I will try:
RvdH wrote:
2019-11-19 09:46
Perhaps you could try my custom build, that should fix above issue
I will try:
hMailServer-5.7.0-B2497-x64.exe

RvdH
Senior user
Posts: 843
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Fake SURBL DNSBL from local network

Post by RvdH » 2019-11-19 14:55

Ruser wrote:
2019-11-15 15:01
RvdH wrote:
2019-11-15 13:11
cached DNS lookup result maybe?
I set Google DNS in the computer settings:
Ruser wrote:
2019-11-15 10:28
static ip=192.168.0.172, dns=8.8.8.8
Where is the cache? My router "mikrotik", the ISP?
I tried turning the router off/on...

Code:

ipconfig /flushdns

Ruser
New user
Posts: 12
Joined: 2019-11-14 12:54

Re: Fake SURBL DNSBL from local network

Post by Ruser » 2019-11-20 16:39

RvdH wrote:
2019-11-19 14:55
ipconfig /flushdns
Yes, I did.
Ruser wrote:
2019-11-19 08:39
Also, I did "ipconfig /flushdns" and rebooted
Tested: Spamhaus did not work because... they want money.
Some other DNSBL services block many requests from Google DNS servers.
Now I use the ISP DNS server to check DNSBL.
(nslookup -q=A 108.135.121.190.bl.spamcop.net 91.240.45.249)
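The thread ends where many DNSBL troubleshooting sessions end: zen.spamhaus.org answers nothing when the query arrives through a public resolver such as 8.8.8.8, and palinka's earlier point stands, that hMailServer has no resolver of its own and simply gets what the operating system's resolver gets. The following added example (not hMailServer code, not from any poster) classifies DNSBL answers so that "no answer" and "answer, but an error code" are both kept apart from a real listing. The 127.0.0.x listing codes and the 127.255.255.x error codes in the table are from Spamhaus's published return-code documentation, not from this thread; in 2019 the refusal showed up as NXDOMAIN, as in the quoted log line. The first sample log line is quoted from the thread; the other two are constructed in the same layout and the "N addresses found: a, b" form for a positive answer is an assumption.

```python
"""Interpret DNSBL answers, including Spamhaus's public-resolver refusal.

Added example, not hMailServer code. Only 'listed' should ever add to a
spam score; an error code is an answer about the *query*, not the sender.
"""
import re
import socket

# zen.spamhaus.org listing codes per Spamhaus documentation (127.0.0.4-7 are XBL).
ZEN_LISTINGS = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
# Error codes per Spamhaus documentation: an answer exists but is NOT a listing.
ZEN_ERRORS = {
    "127.255.255.252": "typing error in the DNSBL name",
    "127.255.255.254": "query via public/open resolver; use a local resolver or a DQS key",
    "127.255.255.255": "excessive number of queries; free-use limit exceeded",
}

# hMailServer 5.6 'DNS lookup:' log line as quoted in this thread.
LOG_RE = re.compile(
    r'"DNS lookup: (?P<name>\S+), (?P<count>\d+) addresses found: '
    r'(?P<addrs>[^"]*?), Match: (?P<match>True|False)"'
)


def describe_code(addr: str) -> str:
    """Map one 127.0.0.x answer to the zen sub-list it comes from."""
    if addr in ZEN_LISTINGS:
        return ZEN_LISTINGS[addr]
    if addr.startswith("127.0.0.") and 4 <= int(addr.rsplit(".", 1)[1]) <= 7:
        return "XBL"
    return f"unknown code {addr}"


def classify_answer(addresses):
    """Classify the A records returned for one DNSBL query.
    addresses == [] means NXDOMAIN. Returns (verdict, explanation) with
    verdict in {'not_listed', 'listed', 'error'}."""
    if not addresses:
        return ("not_listed", "NXDOMAIN: not listed (or the query never reached the list)")
    for addr in addresses:
        if addr in ZEN_ERRORS:
            return ("error", ZEN_ERRORS[addr])
    return ("listed", ", ".join(describe_code(a) for a in addresses))


def classify_log_line(line: str):
    """Parse one hMailServer 'DNS lookup:' log line and classify its answer.
    hms_match echoes what the server logged, for comparison with the verdict."""
    m = LOG_RE.search(line)
    if not m:
        return None
    addrs = [] if m["addrs"] == "(none)" else m["addrs"].split(", ")
    verdict, why = classify_answer(addrs)
    return {"name": m["name"], "addresses": addrs, "verdict": verdict,
            "why": why, "hms_match": m["match"] == "True"}


def live_lookup(name: str):
    """Resolve through the OS resolver, the same path hMailServer uses.
    Returns [] on NXDOMAIN. Not exercised by the offline tests."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Line 1 quoted from the thread; lines 2 and 3 constructed (layout assumed).
SAMPLE_LOG = [
    '"TCPIP" 3828 "2019-11-18 17:44:22.941" "DNS lookup: 101.249.105.180.zen.spamhaus.org, 0 addresses found: (none), Match: False"',
    '"TCPIP" 3828 "2019-11-18 17:44:23.000" "DNS lookup: 101.249.105.180.zen.spamhaus.org, 1 addresses found: 127.255.255.254, Match: True"',
    '"TCPIP" 3828 "2019-11-18 17:44:23.100" "DNS lookup: 101.249.105.180.zen.spamhaus.org, 2 addresses found: 127.0.0.4, 127.0.0.11, Match: True"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_log_line(line))
```

Running the script against a live resolver (`live_lookup("101.249.105.180.zen.spamhaus.org")`) from the mail server itself reproduces palinka's test: if the OS resolver is a public one, the second sample line is what a current Spamhaus reply looks like, and a filter that treats any 127.x answer as a hit would score a sender for the resolver's sake rather than its own.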