From: Paul H. <du...@sh...> - 2008-10-27 19:53:26

Is anyone else seeing inconsistencies with the DNSBL test? I'm getting IP addresses that are not listed in any RBL, yet the DNSBL test is marking the messages as spam. For instance,

Oct-27-08 10:58:05 Connected: 159.53.46.149:2297 -> 192.168.1.91:25 -> 192.168.1.91:125
Oct-27-08 10:58:06 id-19486-07656 159.53.46.149 <cha...@no...> to: us...@do... PB-Message-Score is 45, added 45 (DNSBL failed, 159.53.46.149 listed by safe.dnsbl.sorbs.net zen.spamhaus.org)
Oct-27-08 10:58:06 id-19486-07656 159.53.46.149 <cha...@no...> to: us...@do... PB-IP-Score for '159.53.46.0' is 45, added 45 for DNSBLfailed
Oct-27-08 10:58:06 id-19486-07656 [DNSBL] 159.53.46.149 <cha...@no...> to: us...@do... [spam found] (DNSBL, 159.53.46.149 listed by safe.dnsbl.sorbs.net zen.spamhaus.org) -> c:\assp/spam/7656.eml
Oct-27-08 10:58:06 id-19486-07656 159.53.46.149 <cha...@no...> to: us...@do... [SMTP Error] 554 5.7.1 DNS Blacklisted by safe.dnsbl.sorbs.net zen.spamhaus.org
Oct-27-08 10:58:06 Disconnected: 159.53.46.149

Running ASSP 1.4.1RC.17
From: Tom S. <ts...@oi...> - 2008-10-27 23:23:44

We host some honeypots and a lot of http scanning is being done by the same bots that spew spam. It would seem proactive to block the same bots attacking webservers from attacking mailservers. My problem is the lookup is my_key.reversed_ip_quad.dnsbl.httpbl.org

TIA, Tom

--
Tom Shaw - Chief Engineer, OITC <ts...@oi...>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: tr...@ma...
Never argue with an idiot: a bystander can't tell the difference. - Mark Twain
From: Paul H. <du...@sh...> - 2008-10-28 14:20:10

Paul Houlbrooke wrote:
> Is anyone else seeing inconsistencies with the DNSBL test? I'm getting
> IP addresses that are not listed in any RBL, yet the DNSBL test is
> marking the messages as spam.

Anyone have any idea what could be going on?

Oct-28-08 10:14:01 Connected: 32.97.110.152:47217 -> 192.168.1.91:25 -> 192.168.1.91:125
Oct-28-08 10:14:02 Commencing RBL checks on 32.97.110.152
Oct-28-08 10:14:02 id-03242-03847 32.97.110.152 <> to: us...@my... PB-Message-Score is 45, added 45 (DNSBL failed, 32.97.110.152 listed by safe.dnsbl.sorbs.net zen.spamhaus.org)
Oct-28-08 10:14:02 id-03242-03847 32.97.110.152 <> to: us...@my... PB-IP-Score for '32.97.110.0' is 45, added 45 for DNSBLfailed
Oct-28-08 10:14:02 id-03242-03847 [DNSBL] 32.97.110.152 <> to: us...@my... [spam found] (DNSBL, 32.97.110.152 listed by safe.dnsbl.sorbs.net zen.spamhaus.org) -> nocollect:red
Oct-28-08 10:14:02 id-03242-03847 32.97.110.152 <> to: us...@my... [SMTP Error] 554 5.7.1 DNS Blacklisted by safe.dnsbl.sorbs.net zen.spamhaus.org
Oct-28-08 10:14:02 Disconnected: 32.97.110.152

32.97.110.152 is not listed on sorbs or spamhaus as far as I can tell.
From: Fritz B. <fb...@iw...> - 2008-11-03 22:40:22

Does anybody else have such a problem? I cannot see anything like that in my installations. Is there a pattern to see in the IPs involved?
From: Paul H. <du...@sh...> - 2008-11-04 01:28:03

Fritz Borgstedt wrote:
> Does anybody else have such a problem? I cannot see anything like that in my
> installations.
> Is there a pattern to see in the IPs involved?

Here's a good way to test this. Email something like fsd...@us.... The Domino (SMTP) server will respond with an "Unknown User" email. That email comes from an IP that DNSBL is marking as bad, even though it is not listed.

RBLServiceProvider is set to zen.spamhaus.org|bl.spamcop.net|safe.dnsbl.sorbs.net

Both sorbs.net and spamhaus.org are reporting the IP as bad, even though with their online service the IP is not listed.

Nov-3-08 20:20:05 Connected: 32.97.110.149:36192 -> 192.168.1.91:25 -> 192.168.1.91:125
Nov-3-08 20:20:05 Commencing RBL checks on 32.97.110.149
Nov-3-08 20:20:06 id-61605-03858 [DNSBL] 32.97.110.149 <> to: us...@sh... [monitoring] (DNSBL: failed, 32.97.110.149 listed by(safe.dnsbl.sorbs.net->207.69.131.9; zen.spamhaus.org->207.69.131.10; ))
Nov-3-08 20:20:06 id-61605-03858 [BombRaw] 32.97.110.149 <> to: us...@sh... [scoring] (BombRaw 'Subject: DELIVERY FAILURE')
Nov-3-08 20:20:06 id-61605-03858 32.97.110.149 <> to: us...@sh... PB-Message-Score is 20, added 20 (BombRaw: 'Subject: DELIVERY FAILURE')
Nov-3-08 20:20:06 id-61605-03858 32.97.110.149 <> to: us...@sh... Bayesian Check - Prob: 0.00000 => ham
Nov-3-08 20:20:06 id-61605-03858 [MessageOK] 32.97.110.149 <> to: us...@sh... MESSAGE OK
Nov-3-08 20:20:06 Disconnected: 32.97.110.149
From: marrco <as...@mi...> - 2008-11-04 14:09:39

> Does anybody else have such a problem? I cannot see anything
> like that in my installations.
> Is there a pattern to see in the IPs involved?

On June 21 (I know, that's 4 months ago) I had to disable the URIBL check (single check with black.uribl.com) because I had a few anomalous hits. I never re-enabled that option, so maybe it was just a problem with my DNS that week.

I also set a low value (2) for the RBL cache and on Oct. 20 I changed it to 1, because I had some problems, never fully investigated, so I can't really tell you if there's some bug somewhere.

If memory serves, there were problems long ago with timeouts and DNS error responses wrongly categorized as positive hits.
From: Paul H. <du...@sh...> - 2008-11-04 01:12:45

Fritz Borgstedt wrote:
> Does anybody else have such a problem? I cannot see anything like that in my
> installations.
> Is there a pattern to see in the IPs involved?

I don't see any patterns myself. I'll keep an eye out and see if one emerges.
From: Paul H. <du...@sh...> - 2008-11-07 12:35:00

Paul Houlbrooke wrote:
> Fritz Borgstedt wrote:
>> Does anybody else have such a problem? I cannot see anything like that in my
>> installations.
>> Is there a pattern to see in the IPs involved?
>
> I don't see any patterns myself. I'll keep an eye out and see if one emerges.
>

I found the pattern. EVERY DNSBL check that was done was failing. I didn't notice this before because most of the mail that passes through ASSP is either spam, or whitelist/non processing (i.e. skips the DNSBL test).

I have also found the solution. I disabled "UseLocalDNS" and am now using the OpenDNS DNS servers. But I'm very confused as to why it would matter what DNS server I am using. Shouldn't the DNSBL test just be looking for a "good" or "bad" response from the blacklist database? Why would the DNS server I'm using affect that?
From: GrayHat <gr...@gm...> - 2008-11-07 12:54:22

> I found the pattern. EVERY DNSBL check that was done was failing. I
> didn't notice this before because most of the mail that passes through
> ASSP is either spam, or whitelist/non processing (i.e. skips the DNSBL
> test).

hmm... could you please open a shell and perform some dns lookups by hand using your local DNS server? That may help nailing down the issue and finding why your DNS is causing such a problem; as a note, I don't use OpenDNS and just rely on my DNS servers and never had any problem so I suspect you may have a DNS config issue
From: Fritz B. <fb...@iw...> - 2008-11-07 19:46:26

ASSP development mailing list <ass...@li...> writes:
> What exactly am I looking for? ASSP is using the same DNS that I use for
> everything else and I have no issues browsing the web, for instance.

In the final 1.4.3.0 on my site a DNS check at startup time is built in. You can see what the response time is. This can also be seen in Info&Stats/Server Information. You can update the DNS on the fly (no restart necessary).
From: Paul <Pa...@bl...> - 2008-11-07 23:08:58

On 7 Nov 2008 at 7:35, Paul Houlbrooke wrote:
> Paul Houlbrooke wrote:
>
> I found the pattern. EVERY DNSBL check that was done was failing. I
> didn't notice this before because most of the mail that passes through
> ASSP is either spam, or whitelist/non processing (i.e. skips the DNSBL test).
>
> I have also found the solution. I disabled "UseLocalDNS" and am now
> using the OpenDNS DNS servers. But I'm very confused as to why it would
> matter what DNS server I am using. Shouldn't the DNSBL test just be
> looking for a "good" or "bad" response from the blacklist database? Why
> would the DNS server I'm using affect that?

Usually any dnsbl response is a hit - what dns servers were you using?
From: GrayHat <gr...@gm...> - 2008-11-10 07:30:26

> What exactly am I looking for? ASSP is using the same DNS that
> I use for everything else and I have no issues browsing the web,
> for instance.

timeouts; probably caused by congestion or connectivity issues. the "browsing" isn't a good indication since there are many other factors involved (e.g. you may be using a proxy). I'd try monitoring the DNS servers for timeouts / packet loss; about the "resolution testing": if you tell me which platform you are running ASSP on I may give you more detailed instructions to test the DNS resolution
From: Paul H. <du...@sh...> - 2008-11-10 14:45:36

GrayHat wrote:
>> What exactly am I looking for? ASSP is using the same DNS that
>> I use for everything else and I have no issues browsing the web,
>> for instance.
>
> timeouts; probably caused by congestion or connectivity issues
> the "browsing" isn't a good indication since there are many other
> factors involved (e.g. you may be using a proxy) I'd try monitoring
> the DNS servers for timeouts / packet loss; about the "resolution
> testing"; if you tell me which platform are you running ASSP on I
> may give you more detailed instruction to test the DNS resolution
>

Windows 2003
From: marrco <as...@mi...> - 2008-11-10 14:50:52

> timeouts; probably caused by congestion or connectivity issues

That's what I suspected. Sometimes problems happen. But a timeout/error should be a pass, not a block!
From: GrayHat <gr...@gm...> - 2008-11-10 15:48:39

>> timeouts; probably caused by congestion or connectivity issues
>> the "browsing" isn't a good indication since there are many other
>> factors involved (e.g. you may be using a proxy) I'd try monitoring
>> the DNS servers for timeouts / packet loss; about the "resolution
>> testing"; if you tell me which platform are you running ASSP on I
>> may give you more detailed instruction to test the DNS resolution
> Windows 2003

ok; ensure your DNS servers are performing selftests at regular intervals; also, ensure they aren't using "forwarders" if possible but just using "root hints" to carry out standard resolution; to ensure you've everything properly setup, have a look here

http://support.microsoft.com/kb/323380

just ensure to skip the "forwarders" section (if possible) and setup your DNS so that it will use full recursion and root-hints w/o delegating the resolution process to external forwarders; also, ensure to have the EDNS0 support disabled (see http://support.microsoft.com/kb/828263) since in most cases it may cause slowdowns and/or packet "loss"

once you'll have the above properly setup, keep an eye on your resolver and also on your firewall logs trying to spot any dropped DNS traffic and/or any DNS queries timeouts
From: GrayHat <gr...@gm...> - 2008-11-10 17:29:15

> My DNS is supplied from the ISP (or rather, my router
> which gets its info from the ISP) through DHCP.

hmmm... so you don't have a *REAL* DNS server; ok, you have three options then; either setup your router to forward queries to some decent DNS resolvers, like (e.g.) 4.2.2.2 and 4.2.2.3 or setup ASSP to use OpenDNS resolvers... or setup a local, and true DNS resolver :D
From: Fritz B. <fb...@iw...> - 2008-11-10 17:41:46

GrayHat <gr...@gm...> writes:
> hmmm... so you don't have a *REAL* DNS server; ok,
> you have three options then; either setup your router to
> forward queries to some decent DNS resolvers, like
> (e.g.) 4.2.2.2 and 4.2.2.3 or setup ASSP to use OpenDNS
> resolvers... or setup a local, and true DNS resolver :D

ASSP 1.4.3 & ASSP 2.0.0 help to prevent timeouts. ASSP will check regularly for timeouts and will move non-responding servers to the end of the list - making them inactive. To get the most out of this, set up as many name servers as you want, mixing local, public & open in DNS Name Servers (DNSServers) and set Use System Default DNS (UseLocalDNS) to off.
From: Fritz B. <fb...@iw...> - 2008-11-10 18:09:41

ASSP development mailing list <ass...@li...> writes:
> And an easy startup test can be done just looking for an A RR for 127.0.0.2
> that should be present in all dnsbl.

ASSP is honoring this: If the RBL returned an A record, the value for that key will be the IP address in the A record - typically 127.0.0.1 - 127.0.0.4. If the RBL returned a CNAME, the value will be the hostname, typically used for a comment on why the IP address is listed.
From: Fritz B. <fb...@iw...> - 2008-11-11 10:55:46

The current implementation of DNSBL-Lookup is based on Net::RBLClient, which was incorporated into the ASSP code several years ago. It was modified to work with URIBL. I went through it and found some minor quirks which I fixed. Please try 1.4.3.0.4
From: marrco <as...@mi...> - 2008-11-11 12:17:08

> Please try 1.4.3.0.4

Hmmm... ok, I try:

$modversion='.0.11111242'; #appended in version display.
From: Paul H. <du...@sh...> - 2008-11-11 13:45:45

Fritz Borgstedt wrote:
> The current implementation of DNSBL-Lookup is based on Net::RBLClient,
> which was incorporated into the ASSP code several years ago. It was
> modified to work with URIBL. I went through it and found some minor
> quirks which I fixed.
> Please try 1.4.3.0.4
>

Did you mean to remove the DNS timeout logging feature? Or did it just move?
From: Paul H. <du...@sh...> - 2008-11-12 15:18:43

Fritz Borgstedt wrote:
> The current implementation of DNSBL-Lookup is based on Net::RBLClient,
> which was incorporated into the ASSP code several years ago. It was
> modified to work with URIBL. I went through it and found some minor
> quirks which I fixed.
> Please try 1.4.3.0.4

Still occurring with 1.4.1.FRC.11022200
From: GrayHat <gr...@gm...> - 2008-11-11 13:34:16

>> address in the A record - typically 127.0.0.1 - 127.0.0.4. If the RBL
> 127.0.0.2-255
> Zen returns from .2 to .11, surbl return from .2 to .128, spamcop just .2
> I don't recall a common dnsbl returning .1

don't just focus on "zen" or similar RBLs; other blacklists may return different results (e.g. 127.2.1.32) so it would be a better idea checking for the "127"; that said, if the DNS query code works there shouldn't be any need to perform additional checks :) as I wrote, I suspect that the Net::DNS module may have some "glitches" which cause problems
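Added example (editor's illustration, not ASSP code and not written by anyone in this thread) tying together the points raised above: Tom's key-prefixed httpbl.org query form, the 127.0.0.2 startup self-test Fritz quotes, GrayHat's advice to accept only answers starting with "127", and marrco's point that a timeout or DNS error must score as a pass rather than a block. Note that the "answers" in Paul's Nov-3 log (207.69.131.9 and 207.69.131.10) are not inside 127.0.0.0/8, which is exactly the kind of response the 127-prefix check rejects; a resolver that substitutes its own address for NXDOMAIN would produce such answers. The zone names, sender IPs and the in-memory resolver stub are constructed so the code runs offline; a real client would replace stub_resolve with a DNS library call.

```python
"""Minimal DNSBL client: query-name construction, answer classification
and a startup self-test.  Everything here is an added, self-contained
example; the zones and addresses are constructed, not real listings."""
import ipaddress
from enum import Enum


class Verdict(Enum):
    LISTED = "listed"          # an A record inside 127.0.0.0/8
    NOT_LISTED = "not listed"  # NXDOMAIN: the name does not exist
    UNKNOWN = "unknown"        # timeout, SERVFAIL, or an answer outside 127/8


class DnsTimeout(Exception):
    """Constructed stand-in for a resolver timeout / SERVFAIL."""


class NxDomain(Exception):
    """Constructed stand-in for an NXDOMAIN response."""


LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone, access_key=None):
    """Reversed dotted quad under the zone; an optional access key goes in
    front, as in the httpbl.org form key.reversed_ip.dnsbl.httpbl.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    reversed_quad = ".".join(reversed(octets))
    if access_key:
        return f"{access_key}.{reversed_quad}.{zone}"
    return f"{reversed_quad}.{zone}"


def classify_answers(records):
    """Only answers in 127.0.0.0/8 count as a listing.  A public address in
    the answer means the resolver, not the blacklist, produced it."""
    hits = [r for r in records if ipaddress.ip_address(r) in LISTING_RANGE]
    return Verdict.LISTED if hits else Verdict.UNKNOWN


def lookup(ip, zone, resolve, access_key=None):
    """Query one zone through resolve(name) -> list of A-record strings.
    Resolver failures come back as UNKNOWN so the caller scores them as a
    pass instead of a block."""
    name = dnsbl_query_name(ip, zone, access_key)
    try:
        records = resolve(name)
    except NxDomain:
        return Verdict.NOT_LISTED
    except DnsTimeout:
        return Verdict.UNKNOWN
    return classify_answers(records)


def self_test(zone, resolve):
    """Startup check: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    Anything else means the zone or the resolver cannot be trusted."""
    return (lookup("127.0.0.2", zone, resolve) is Verdict.LISTED
            and lookup("127.0.0.1", zone, resolve) is Verdict.NOT_LISTED)


def check_zones(ip, zones, resolve):
    """Return the zones that positively list the sender; UNKNOWN and
    NOT_LISTED both count as a pass for that zone."""
    return [z for z in zones if lookup(ip, z, resolve) is Verdict.LISTED]


# Constructed stub answers standing in for real DNS (illustrative only).
STUB_ANSWERS = {
    "2.0.0.127.bl.example.invalid": ["127.0.0.2"],
    "1.0.0.127.bl.example.invalid": NxDomain,
    "5.5.5.5.bl.example.invalid": NxDomain,          # clean sender
    "4.4.4.4.bl.example.invalid": ["127.0.0.4"],     # listed sender
    "6.6.6.6.bl.example.invalid": ["192.0.2.10"],    # resolver rewrote NXDOMAIN
    "2.0.0.127.broken.example.invalid": NxDomain,    # zone lacks the test entry
    "1.0.0.127.broken.example.invalid": NxDomain,
}


def stub_resolve(name):
    """Offline resolver: names missing from the table time out."""
    answer = STUB_ANSWERS.get(name, DnsTimeout)
    if isinstance(answer, type) and issubclass(answer, Exception):
        raise answer(name)
    return answer


if __name__ == "__main__":
    zone = "bl.example.invalid"
    print("self-test", zone, self_test(zone, stub_resolve))
    print("self-test broken", self_test("broken.example.invalid", stub_resolve))
    for sender in ("5.5.5.5", "4.4.4.4", "6.6.6.6", "7.7.7.7"):
        print(sender, lookup(sender, zone, stub_resolve).value)
```

In this model 6.6.6.6 (a public address in the answer) and 7.7.7.7 (a timeout) both come back UNKNOWN and so are passed, while only 4.4.4.4 is scored as listed; running self_test against every configured zone at startup, and again when the server list changes, catches a resolver or zone that would otherwise turn every check into a hit.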
From: Paul H. <du...@sh...> - 2008-11-11 15:32:53

GrayHat wrote:
>> My DNS is supplied from the ISP (or rather, my router
>> which gets its info from the ISP) through DHCP.
>
> hmmm... so you don't have a *REAL* DNS server; ok,
> you have three options then; either setup your router to
> forward queries to some decent DNS resolvers, like
> (e.g.) 4.2.2.2 and 4.2.2.3 or setup ASSP to use OpenDNS
> resolvers... or setup a local, and true DNS resolver :D

Yea, I know I can change which DNS server I use (via my router, or ASSP). But it would be nice to know why this is happening. As far as I can see, I'm not running into the timeout issue. And this same DNS is being used for web browsing and I've never run into any problems before. So it would be good to see if I can definitely say whether this is an ASSP (DNS module) bug, or something wrong with the name server I'm using.
From: Fritz B. <fb...@iw...> - 2008-11-11 15:51:58

ASSP development mailing list <ass...@li...> writes:
> So it would be good to see if I can definitely say whether this is an
> ASSP (DNS module) bug, or something wrong with the name server I'm
> using.

There was no other report about anything similar. Nevertheless I went through the code and fixed minor glitches.