Weird DNSBL issue with zen.spamhaus.org
  •  
blackbox

Currently I'm using the following DNSBL:
list.dsbl.org
dnsbl.sorbs.net
rhsbl.sorbs.net
bl.spamcop.net
zen.spamhaus.org

All are working as they should, with the exception of zen.spamhaus.org.

About a week ago I started receiving lookup errors in my warning log along the lines of:

"DNS failure while trying to find address 82.234.227.12.zen.spamhaus.org in blacklist SpamHaus ZEN

DNS failure while trying to find address 109.81.253.77.zen.spamhaus.org in blacklist SpamHaus ZEN"


As previously stated all other DNSBL are functioning normally. If I disable zen.spamhaus.org obviously enough the messages stop.

The weird thing is, if I run a lookup directly on the mail server, the lookup is successful.

For instance:

dig 82.234.227.12.zen.spamhaus.org

QUESTION SECTION:
82.234.227.12.zen.spamhaus.org.        IN      A

ANSWER SECTION:
82.234.227.12.zen.spamhaus.org. 1723 IN A       127.0.0.11


So the problem is not DNS, and seems internal to the mail server.

Any ideas or suggestions?
  •  
BudDurland

Corrupted DNS cache in kerio?

Good is better than evil because it's nicer
--Mammy Yokum
  •  
blackbox

Perhaps, but I wouldn't think so, as all other DNSBL are functioning perfectly.

I'm also certain the operating system's DNS cache is fine, as everything is working as it should, simply not one specific DNSBL inside Kerio.

I've heard the only way to flush Kerio's DNS cache (which is limited to the TTL of the record or 1 hour, whichever is greater, as such I wouldn't think it was the issue) is to start/stop the email server.

I'll have to schedule an appropriate window of time to further troubleshoot.

I'll report back with results of the hup.
  •  
blackbox

I stopped / started the mail server. Unfortunately I do not see any change in behavior.

I'm still receiving DNS failure messages regarding zen.spamhaus.org.

As before, all other DNSBL are functioning perfectly, and zen.spamhaus.org lookups run directly on the mail server are receiving correct DNS responses.

I'm at a loss.
  •  
psfollies

I'm running the latest version of Kerio Mailserver on an OSX 10.4 box and all of a sudden am getting the same thing, but with all of the Internet Blacklists. Here is some output from my "Warning" log (I already submitted a ticket on the issue):

Quote:

[25/Feb/2008 17:20:57] DNS failure while trying to find address 95.170.83.124.dnsbl.sorbs.net in blacklist SORBS DNSBL
[25/Feb/2008 17:20:57] DNS failure while trying to find address 51.222.112.131.bl.spamcop.net in blacklist SpamCop
[25/Feb/2008 17:20:58] DNS failure while trying to find address 74.135.251.63.bl.spamcop.net in blacklist SpamCop
[25/Feb/2008 17:20:58] DNS failure while trying to find address 10.211.212.64.dnsbl.sorbs.net in blacklist SORBS DNSBL
[25/Feb/2008 17:20:59] DNS failure while trying to find address 12.39.202.147.db.wpbl.info in blacklist WPBL - Weighted Private Block List
[25/Feb/2008 17:20:59] DNS failure while trying to find address 32.180.36.207.zen.spamhaus.org in blacklist SpamHaus SBL-XBL
[25/Feb/2008 17:20:59] DNS failure while trying to find address 21.29.67.80.rhsbl.sorbs.net in blacklist SORBS RHSBL
[25/Feb/2008 17:20:59] DNS failure while trying to find address 36.22.79.160.db.wpbl.info in blacklist WPBL - Weighted Private Block List
[25/Feb/2008 17:20:59] DNS failure while trying to find address 37.252.250.89.list.dsbl.org in blacklist Distributed Sender Blackhole List - trusted
[25/Feb/2008 17:21:00] DNS failure while trying to find address 32.123.238.203.bl.spamcop.net in blacklist SpamCop
[25/Feb/2008 17:21:00] DNS failure while trying to find address 168.244.216.203.zen.spamhaus.org in blacklist SpamHaus SBL-XBL
[25/Feb/2008 17:21:00] DNS failure while trying to find address 19.201.240.66.bl.spamcop.net in blacklist SpamCop
[25/Feb/2008 17:21:01] DNS failure while trying to find address 216.18.214.85.db.wpbl.info in blacklist WPBL - Weighted Private Block List



Now, from the Terminal, if I issue:
dig 82.234.227.12.zen.spamhaus.org

I get:

Quote:

;;connection timed out; no servers could be reached


So am I having a DNS issue on my box?

[Updated on: Tue, 26 February 2008 02:36]

  •  
ahoutzer

I have the same thing happening, with multiple blacklists.
  •  
blackbox

...wanted to give an update on the situation.

I upgraded from 6.3.1 to 6.5.0 hoping this would fix the problem.

Unfortunately I'm still seeing the same issue. All blacklists, including the two new blacklists supplied with 6.5.0 are working as they should, with the exception of zen.spamhaus.org.

Just as before, all queries run manually on the email server work flawlessly.

  •  
da.baron

You have the SMTP Greeting delay turned on in the Spam Repellent tab (under Spam Filter).

I think this happens when a sending server's IP address has already been submitted to KMS's RBL engine which in turn goes to check it against the RBLs. But during this time the sending server drops the connection before KMS has sent the SMTP greeting. When the RBL engine tries to match up the IP the connection is no longer available and so KMS logs this error.

Here is an example from my server right now.

In my WARNING LOG:
[20/Mar/2008 06:15:57] DNS failure while trying to find address 121.93.27.216.zen.spamhaus.org in blacklist SpamHaus

In my SECURITY LOG:
[20/Mar/2008 06:16:05] SMTP Spam attack detected from 216.27.93.121, client closed connection before SMTP greeting

This isn't actually a problem with the blacklists, although it's strange that you're only experiencing it with spamhaus. Like everybody else you should see it happening with all the RBL services at some point.

It's a problem with the way KMS logs information. Also, if you have "Report the spam attack to the security log" unchecked in the SMTP Repellent tab you will not see these attacks logged in the Security log.

Personally I leave that option unchecked so I had to turn it on again to get the examples for you

Hope that helps

  •  
blackbox

I wish that was the case, as that would have been a simple solution.

Unfortunately that's not the case as I do not have SMTP greeting delay enabled.

Also for what it's worth, the IP is only referenced in the warning log; no other log contains information about the IP.

grep "208.251.230.201" /usr/local/kerio/mailserver/store/logs/*
[20/Mar/2008 11:23:36] DNS failure while trying to find address 208.251.230.201.zen.spamhaus.org in blacklist SpamHaus ZEN

grep "201.230.251.208" /usr/local/kerio/mailserver/store/logs/*

I almost wish I had the SMTP greeting delay enabled, as then the whole situation would make sense.
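
The cross-check discussed in the two posts above (a "DNS failure" warning explained by an early disconnect in the security log, versus one with no matching entry), as an added example that is not part of the original thread or Kerio's own tooling. The sample lines are copied from the posts above; the 60-second matching window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input assembled from log lines quoted in the thread (not a real log file).
WARNING_LOG = """\
[20/Mar/2008 06:15:57] DNS failure while trying to find address 121.93.27.216.zen.spamhaus.org in blacklist SpamHaus
[20/Mar/2008 11:23:36] DNS failure while trying to find address 208.251.230.201.zen.spamhaus.org in blacklist SpamHaus ZEN
"""
SECURITY_LOG = """\
[20/Mar/2008 06:16:05] SMTP Spam attack detected from 216.27.93.121, client closed connection before SMTP greeting
"""

TS = r"\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\]"
WARN_RE = re.compile(TS + r" DNS failure while trying to find address "
                     r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.(\S+) in blacklist (.+)")
DROP_RE = re.compile(TS + r" SMTP Spam attack detected from (\d+\.\d+\.\d+\.\d+), "
                     r"client closed connection before SMTP greeting")

def parse_ts(text):
    return datetime.strptime(text, "%d/%b/%Y %H:%M:%S")

def correlate(warning_log, security_log, window_seconds=60):
    """Return (sender_ip, zone, explained) for each DNS failure warning.

    explained is True when the security log shows the same sender closing
    the connection before the SMTP greeting within the window (assumed 60 s).
    """
    drops = [(parse_ts(m.group(1)), m.group(2))
             for m in DROP_RE.finditer(security_log)]
    window = timedelta(seconds=window_seconds)
    results = []
    for m in WARN_RE.finditer(warning_log):
        when = parse_ts(m.group(1))
        # DNSBL query names carry the IPv4 octets in reverse order,
        # so the sender address is the first four labels reversed.
        sender_ip = ".".join(reversed(m.group(2, 3, 4, 5)))
        explained = any(ip == sender_ip and abs(t - when) <= window
                        for t, ip in drops)
        results.append((sender_ip, m.group(6), explained))
    return results

if __name__ == "__main__":
    for ip, zone, explained in correlate(WARNING_LOG, SECURITY_LOG):
        print(ip, zone, "early disconnect" if explained else "unexplained")
```

Warnings reported as unexplained are the ones worth chasing at the resolver level, since no early disconnect accounts for them.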
  •  
pamf

Hello:

I have exactly the same problem.
The client noticed the increase in spam, and looking at the Warning log, this has been happening since January 1.

  •  
psfollies

da.baron wrote on Wed, 19 March 2008 22:22

You have the SMTP Greeting delay turned on in the Spam Repellent tab (under Spam Filter).

I think this happens when a sending server's IP address has already been submitted to KMS's RBL engine which in turn goes to check it against the RBLs. But during this time the sending server drops the connection before KMS has sent the SMTP greeting. When the RBL engine tries to match up the IP the connection is no longer available and so KMS logs this error.

Here is an example from my server right now.

In my WARNING LOG:
[20/Mar/2008 06:15:57] DNS failure while trying to find address 121.93.27.216.zen.spamhaus.org in blacklist SpamHaus

In my SECURITY LOG:
[20/Mar/2008 06:16:05] SMTP Spam attack detected from 216.27.93.121, client closed connection before SMTP greeting

This isn't actually a problem with the blacklists, although it's strange that you're only experiencing it with spamhaus. Like everybody else you should see it happening with all the RBL services at some point.

It's a problem with the way KMS logs information. Also, if you have "Report the spam attack to the security log" unchecked in the SMTP Repellent tab you will not see these attacks logged in the Security log.

Personally I leave that option unchecked so I had to turn it on again to get the examples for you

Hope that helps




Indeed - I have the delay set to 25 seconds here. Does this pose any problems in terms of an inability for people to send/receive?
  •  
pamf

Hello:

I have done some testing. I do not know if they make sense but for the moment he succeeded in solving the problem.

Most of my mail servers were using the DNS 195.235.96.90.
I replaced the old DNS with 194.179.1.101 and it has not failed since. Confused

¿¿??
  •  
blackbox

To make sure I'm on the same page, you were having issues specifically with the zen.spamhaus.org DNSBL and changing your DNS from 195.235.96.90 to 194.179.1.101 seems to have fixed the issue?
  •  
pamf

Hello !!

At the moment the problem has been solved!!!


WHAT do not understand!! Confused

  •  
blackbox

You said "I have exactly the same problem" but did not direct the response to a discernible individual. At that point in the thread there have been multiple people with different specific issues addressed.

I understand you stated "but for the moment he succeeded in solving the problem." I was not asking about the end result, rather making sure I understood the process you were describing as the fix.