From: K P. <nnt...@gm...> - 2015-05-19 15:54:03
Alright, with DebugSPF (the debugging option for DNS, senderbase, etc) I see a lot of info in the logs. They're going to grow big!

We've got 3 internal dns servers 51, 52, and 53.

This sequence of log lines is puzzling me. ASSP is looking for the txt record for the dmarc record for my.orbitz.com (which exists). Why is it asking all 3 servers? It looks like it asked 52 first, and 52 gave the answer.

May-19-15 11:41:26 Info: reuse DNS socket for 172.23.0.52
May-19-15 11:41:26 Info: sent DNS query for '_dmarc.my.orbitz.com' type 'TXT' to nameserver 172.23.0.52
May-19-15 11:41:26 Info: reuse DNS socket for 172.23.0.53
May-19-15 11:41:26 Info: sent DNS query for '_dmarc.my.orbitz.com' type 'TXT' to nameserver 172.23.0.53
May-19-15 11:41:26 Info: reuse DNS socket for 172.23.0.51
May-19-15 11:41:26 Info: sent DNS query for '_dmarc.my.orbitz.com' type 'TXT' to nameserver 172.23.0.51
May-19-15 11:41:26 Info: DNS query time 0.000 - 172.23.0.52 172.23.0.53
May-19-15 11:41:26 Info: got DNS DATA answer from nameserver 172.23.0.52

Looking back in the logs, any dns query that I see looks like it's asking all 3 servers. Is that normal??

On Tue, May 19, 2015 at 11:12 AM, K Post <nnt...@gm...> wrote:

> Thanks Colin.
>
> I've turned on debugSPF. The problem is that I only see this every once
> in a while. Will debugSPF cause huge logs or does that go to a separate
> debug file?
>
> Any suggestion on how to debug DNS on Windows? I don't think I can get
> access to the servers themselves, but I can do whatever we need on this
> Windows 2012 box.
>
> Here's what I see in the log for this message with my notes in bold.
>
> May-18-15 11:01:00 msg61260-00904 198.245.83.134 <bou...@bo...> to: user@OurCharity.org DKIM-Signature found
> May-18-15 11:01:01 msg61260-00904 198.245.83.134 <bou...@bo...> to: user@OurCharity.org info: SenderBase - query using SenderBase
> May-18-15 11:01:01 msg61260-00904 198.245.83.134 <bou...@bo...> to: user@OurCharity.org info: SenderBase - query using Whois
> May-18-15 11:01:01 Info: whoisip_lookup '198.245.83.134' on 'ARIN' => '' *nothing??*
> May-18-15 11:01:01 msg61260-00904 198.245.83.134 <bou...@bo...> to: user@OurCharity.org SenderBase -- used -- country: orgname: host: mta6.e.hautelook.com *nothing??*
> May-18-15 11:01:01 msg61260-00904 198.245.83.134 <bou...@bo...> to: user@OurCharity.org [Scoring] SenderBase -- No CountryCode/Organization
> May-18-15 11:01:01 msg61260-00904 198.245.83.134 <bou...@bo...> to: user@OurCharity.org checking MX/A for bounce.e.hautelook.com , e.nordstromrack.com
> May-18-15 11:01:01 msg61260-00904 198.245.83.134 <bou...@bo...> to: user@OurCharity.org bounce.e.hautelook.com - no MX record found - () *no mx??*
> May-18-15 11:01:01 msg61260-00904 198.245.83.134 <bou...@bo...> to: user@OurCharity.org e.nordstromrack.com - MX 'bounce-mx.exacttarget.com' - got IP (66.231.91.54)
> May-18-15 11:01:01 msg61260-00904 [MissingMX] 198.245.83.134 <bou...@bo...> to: user@OurCharity.org [[scoring]] MX missing: bounce.e.hautelook.com (Mail From:)
> May-18-15 11:01:01 msg61260-00904 198.245.83.134 <bou...@bo...> to: user@OurCharity.org Message-Score: added 10 (mxValencePB) for MX missing: bounce.e.hautelook.com (Mail From:), total score for this message is now 10
> May-18-15 11:01:01 msg61260-00904 [MissingMXA] 198.245.83.134 <bou...@bo...> to: user@OurCharity.org [[scoring]] A record missing: bounce.e.hautelook.com (Mail From:) *NO A record??*
> May-18-15 11:01:01 msg61260-00904 198.245.83.134 <bou...@bo...> to: user@OurCharity.org deleting spamming safelisted tuplet: (198.245.83.0, bounce.e.hautelook.com) age: 1s
> May-18-15 11:01:01 msg61260-00904 198.245.83.134 <bou...@bo...> to: user@OurCharity.org Message-Score: added 15 (mxaValencePB) for A record missing: bounce.e.hautelook.com (Mail From:), total score for this message is now 25
> May-18-15 11:01:01 msg61260-00904 198.245.83.134 <bou...@bo...> to: user@OurCharity.org MX found: e.nordstromrack.com (From , Reply-To) -> bounce-mx.exacttarget.com *but it does find the MX record for the mail from*
> May-18-15 11:01:01 msg61260-00904 198.245.83.134 <bou...@bo...> to: user@OurCharity.org A record found: e.nordstromrack.com (From , Reply-To) -> 66.231.91.54 and the *A record*
>
> *Could this be a function of the mail-from differing from the from causing
> a problem?*
>
>
> On Tue, May 19, 2015 at 10:20 AM, Colin Waring <co...@do...> wrote:
>
>> You need debug logs and set something up to monitor your DNS traffic. You
>> need to be certain whether the issue is with ASSP handling DNS or your DNS
>> setup. This information is the only thing that will really let you track
>> your issue down.
>>
>> All the best,
>> Colin Waring.
>>
>> -----Original Message-----
>> From: K Post [mailto:nnt...@gm...]
>> Sent: 19 May 2015 14:57
>> To: ASSP development mailing list
>> Subject: [Assp-test] More MX and A record lookup issues
>>
>> Running 15135 on a Windows 2012 box.
>>
>> I've got a message that was ultimately erroneously rejected due to total
>> score. Contributing to this score is ASSP being (for some reason) unable
>> to find A or MX records for the sending IP. This isn't the first time I've
>> seen this. My last suggestion of potentially having ASSP retry dns lookups
>> if neither A nor MX returns anything was dismissed as crazy. I don't know
>> what else to suggest. Here's what I'm seeing:
>>
>> In analyze everything looks great:
>> • domain bounce.e.hautelook.com (in Mail From:) has a valid MX record: bounce-mx.exacttarget.com
>> • domainMX bounce-mx.exacttarget.com has a valid A record: 66.231.91.54
>> • domain e.nordstromrack.com (in From , Reply-To) has a valid MX record: reply-mx.s6.exacttarget.com
>> • domainMX reply-mx.s6.exacttarget.com has a valid A record: 198.245.82.46
>> • 198.245.83.134 SenderBase: status=white SenderBase, data=[CN=US, ORG=EXACTTARGET, DOM=hautelook.com, BLS=, HNM=Y, CIDR=20, HN= mta6.e.hautelook.com]
>>
>> Senderbase should have given a bonus, the A and MX record is there, so it
>> shouldn't have counted against the message.
>>
>> But in the message in the corpus, I see:
>> X-ASSP-Message-Score: 10 (MX missing: bounce.e.hautelook.com (Mail From:))
>> X-ASSP-IP-Score: 10 (MX missing: bounce.e.hautelook.com (Mail From:))
>> X-ASSP-Message-Score: 15 (A record missing: bounce.e.hautelook.com (Mail From:))
>> X-ASSP-IP-Score: 15 (A record missing: bounce.e.hautelook.com (Mail From:))
>>
>> Senderbase doesn't seem to have run either.
>>
>> I see nothing else to indicate that the machine is having DNS problems of
>> any kind. It's looking to a set of internal DNS servers that are fast and
>> reliable - they're used for all of our servers and none of them have any
>> dns issues.
>>
>> It's not like exacttarget, a major mailing company used by big
>> companies, temporarily removed the A and MX records for this hostname.
>>
>> Any idea of what could be going on and how to correct it? Could it be
>> that this is happening to others but I'm the only one going through almost
>> every questionably blocked message by hand (hate this part)??
>>
>>
>> Thanks
>>
>> _______________________________________________
>> Assp-test mailing list
>> Ass...@li...
>> https://lists.sourceforge.net/lists/listinfo/assp-test
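
Added example, not part of the original thread and not ASSP code: a Python script that groups the DebugSPF lines quoted above by query, listing which nameservers were asked and which one answered, and flags queries that never got an answer line. It assumes an answer line follows the 'sent' lines of the same query in the log; the `example.test` lines are constructed to show the unanswered case.

```python
import re

# The first eight lines are the DebugSPF lines quoted in the message above; the
# last three are constructed (hypothetical name example.test) with no answer.
SAMPLE_LOG = """\
May-19-15 11:41:26 Info: reuse DNS socket for 172.23.0.52
May-19-15 11:41:26 Info: sent DNS query for '_dmarc.my.orbitz.com' type 'TXT' to nameserver 172.23.0.52
May-19-15 11:41:26 Info: reuse DNS socket for 172.23.0.53
May-19-15 11:41:26 Info: sent DNS query for '_dmarc.my.orbitz.com' type 'TXT' to nameserver 172.23.0.53
May-19-15 11:41:26 Info: reuse DNS socket for 172.23.0.51
May-19-15 11:41:26 Info: sent DNS query for '_dmarc.my.orbitz.com' type 'TXT' to nameserver 172.23.0.51
May-19-15 11:41:26 Info: DNS query time 0.000 - 172.23.0.52 172.23.0.53
May-19-15 11:41:26 Info: got DNS DATA answer from nameserver 172.23.0.52
May-19-15 11:41:27 Info: sent DNS query for 'example.test' type 'MX' to nameserver 172.23.0.52
May-19-15 11:41:27 Info: sent DNS query for 'example.test' type 'MX' to nameserver 172.23.0.53
May-19-15 11:41:27 Info: sent DNS query for 'example.test' type 'MX' to nameserver 172.23.0.51
"""

SENT = re.compile(r"sent DNS query for '([^']+)' type '([^']+)' to nameserver (\S+)")
# Only the DATA answer kind appears in the thread; other kinds are matched generically.
ANSWER = re.compile(r"got DNS (\S+) answer from nameserver (\S+)")


def summarize(log_text):
    """Group consecutive 'sent' lines for one name/type and attach the next answer."""
    queries, cur = [], None
    for line in log_text.splitlines():
        sent = SENT.search(line)
        if sent:
            name, qtype, server = sent.groups()
            # A new group starts when the name/type changes or the last one was answered.
            if cur is None or cur["answered_by"] or (cur["name"], cur["type"]) != (name, qtype):
                cur = {"name": name, "type": qtype, "asked": [],
                       "answer": None, "answered_by": None}
                queries.append(cur)
            cur["asked"].append(server)
            continue
        got = ANSWER.search(line)
        if got and cur is not None and cur["answered_by"] is None:
            cur["answer"], cur["answered_by"] = got.groups()
    return queries


def unanswered(queries):
    """Queries with no answer line: the ones worth checking against a DNS capture."""
    return [q for q in queries if q["answered_by"] is None]


if __name__ == "__main__":
    for q in summarize(SAMPLE_LOG):
        print(q["type"], q["name"], "asked:", q["asked"], "answered by:", q["answered_by"])
```

With several ASSP workers writing to one log, lines from different queries can interleave, so treat an "unanswered" result as a pointer to compare against captured DNS traffic rather than as proof of a lost reply.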