DNS BL False positives?

j.a.duke
I've got several blacklists on my various servers that I administer and I've started having false positives on one install.

The following BLs appear to be flagging 90%+ of the mail coming in as spam:

b.barracudacentral.org
blackholes.five-ten-sg.com
ix.dnsbl.manitu.net

The changes seemed to happen on Jan 1. 2011 and have persisted since then.

Prior to Jan 1, I was using the "block" setting on all three. Since then, I've had to add either .5 or .3 to the spam score rather than blocking the message.

If I use the DNS Stuff (dnsstuff.com) Spam Database lookup on IPs flagged as positives by those three BLs, most of the time it comes back as not listed.

This is troubling as I'm sure I was blocking legitimate email, or at least sending it to the junk folder.

Has anyone else seen this on their Kerio install?

I'm trying to figure out what would have changed, presumably on my end, to cause this.

The server is running Mac OS X 10.6.4. My DNS is provided locally by another Mac OS X system (and has been for 4 years). Backup DNS is 4.2.2.1-4 (that's been set for a long time as well).

I'm open to suggestions on how to troubleshoot and solve this.

Thanks.

Cheers,
Jon
TorW
Are you by any chance getting your mail from a gateway that is listed in blacklists? A Barracuda listing is completely automatic and fed largely by spamtraps, so something has definitely triggered it. The other two lists are in my opinion unfit for production systems (documented high rate of false positives and unpublished listing criteria), but that is a different discussion I suppose.
j.a.duke
TorW wrote on Thu, 17 February 2011 17:29
Are you by any chance getting your mail from a gateway that is listed in blacklists? A Barracuda listing is completely automatic and fed largely by spamtraps, so something has definitely triggered it. The other two lists are in my opinion unfit for production systems (documented high rate of false positives and unpublished listing criteria), but that is a different discussion I suppose.


I am receiving mail directly to the server.

The real question is why am I seeing differing results from my server compared to when I look up an address either through DNSStuff's blacklist lookup or directly on the barracudacentral.org site.

Example:
Quote:

[18/Feb/2011 14:01:55] IP address 150.228.40.119 found in DNS blacklist BRBL 2009-04-27, mail from <Effie.Ypsilantis@merrillcorp.com> to <xxx<_at_>xxx-xxx.com>

The ip address 150.228.40.119 is not currently listed as "poor" on the Barracuda Reputation System.


I did the lookup less than a minute after the message came through.

If I perform a test from the command line:
$host 119.40.228.150.b.barracudacentral.org
119.40.228.150.b.barracudacentral.org has address 92.242.144.2
Host 119.40.228.150.b.barracudacentral.org not found: 3(NXDOMAIN)
Host 119.40.228.150.b.barracudacentral.org not found: 3(NXDOMAIN)


What puzzles me is the result returned. I would expect that the result would either be a 127.0.0.2 or a "not found".

My DNS servers were:
192.168.1.11 (internal DNS)
4.2.2.2
208.67.220.220

I'm running KC on Mac OS X 10.6.4.

The internal DNS is running Mac OS X Server 10.5.8 with the following referral servers:
207.172.3.8
207.172.3.9
68.87.71.226
68.87.73.242

I'm truly perplexed as to what's happening here. Up until around Jan 1, 2011 everything was working just fine. I made no config changes around that date, so I'm really in the dark as to why the lookups just started returning bogus data.

What's stranger is that on the other KC servers that I admin, everything seems OK.

I'm sure there's something that I'm not seeing in all the pieces that explains all this, so I'm hoping that someone out there has a suggestion, or two, that will help.

Thanks.

Cheers,
Jon
freakinvibe
Quote:
[18/Feb/2011 14:01:55] IP address 150.228.40.119 found in DNS blacklist BRBL 2009-04-27


Have you named your Barracuda blacklist entry BRBL 2009-04-27?

Can you post a screenshot of your blacklist config?

Also, with Barracuda Central, you have to register.


Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
j.a.duke
freakinvibe wrote on Wed, 23 February 2011 04:25
Quote:
[18/Feb/2011 14:01:55] IP address 150.228.40.119 found in DNS blacklist BRBL 2009-04-27


Have you named your Barracuda blacklist entry BRBL 2009-04-27?

Can you post a screenshot of your blacklist config?

Also, with Barracuda Central, you have to register.



To answer the questions, yes I've registered with Barracuda Central and have all the possible IPs I might query from registered with them.

My entry is in fact named "BRBL 2009-04-27"

I've taken a screen shot of my current config and attached below.

Thanks for your help.

Cheers,
Jon

[Updated on: Wed, 23 February 2011 17:58]

freakinvibe
Quote:
119.40.228.150.b.barracudacentral.org has address 92.242.144.2


It looks like one of your DNS servers is giving you the wrong answer. To find out which one it is, you should use "nslookup" and test your query for each DNS server separately:

nslookup -type=A 119.40.228.150.b.barracudacentral.org 192.168.1.11
nslookup -type=A 119.40.228.150.b.barracudacentral.org 4.2.2.2
nslookup -type=A 119.40.228.150.b.barracudacentral.org 208.67.220.220

nslookup -type=A 119.40.228.150.b.barracudacentral.org 207.172.3.8
nslookup -type=A 119.40.228.150.b.barracudacentral.org 207.172.3.9
nslookup -type=A 119.40.228.150.b.barracudacentral.org 68.87.71.226
nslookup -type=A 119.40.228.150.b.barracudacentral.org 68.87.73.242


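Jon's `host` output above and freakinvibe's per-resolver nslookup list both come down to one check: send the reversed-octet query name to each resolver separately and see whether the answer is one a DNSBL can actually give. The script below is an added example, not code from this thread or from Kerio Connect. The function names are mine; the sample IP, zone and resolver addresses are copied from the posts above as constructed input (assumed, not verified); and `make_response` builds an offline reply for testing rather than a captured packet.

```python
"""Per-resolver DNSBL check: any A answer outside 127.0.0.0/8 is bogus.
Added example (not code from the thread or from Kerio Connect)."""
import ipaddress
import secrets
import socket
import struct

# Constructed sample input from the thread: Jon's logged IP, the Barracuda
# zone, and the resolver addresses he listed (assumed, not verified here).
SAMPLE_IP = "150.228.40.119"
SAMPLE_ZONE = "b.barracudacentral.org"
SAMPLE_RESOLVERS = ["192.168.1.11", "4.2.2.2", "208.67.220.220"]
DNSBL_RANGE = ipaddress.ip_network("127.0.0.0/8")  # only legitimate hit range

def dnsbl_qname(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects garbage
    return ".".join(reversed(octets)) + "." + zone

def encode_name(name: str) -> bytes:
    """Wire-format a name as length-prefixed labels ending in a root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad DNS label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(qname: str, txid: int) -> bytes:
    """Recursive query (RD set) for one A record, class IN."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", 1, 1))

def _skip_name(data: bytes, off: int) -> int:
    """Offset just past a name; a 2-byte compression pointer ends a name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += 1 + length

def parse_response(data: bytes, txid: int):
    """Return (rcode, [A addresses]); rejects replies not matching our id."""
    if len(data) < 12:
        raise ValueError("truncated DNS response")
    rid, flags, qd, an = struct.unpack("!HHHH", data[:8])
    if rid != txid or not flags & 0x8000:
        raise ValueError("response id/QR flag do not match our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip qtype + qclass
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(data[off:off + 4])))
        off += rdlen
    return flags & 0x000F, addrs

def classify(rcode: int, addrs) -> str:
    """Verdict for one DNSBL answer; data outside 127/8 means a lying resolver."""
    if rcode == 3 or (rcode == 0 and not addrs):
        return "not listed"
    if rcode != 0:
        return "error rcode=%d" % rcode
    if all(ipaddress.ip_address(a) in DNSBL_RANGE for a in addrs):
        return "listed " + ",".join(addrs)
    return "bogus answer " + ",".join(addrs)

def make_response(query: bytes, rcode: int, addrs) -> bytes:
    """Constructed reply to `query` for offline testing (not a real capture)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                   + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + query[12:] + rrs

def lookup(resolver: str, qname: str, timeout: float = 3.0):
    """Send the query straight to one resolver over UDP and parse the reply."""
    txid = secrets.randbelow(65536)  # unpredictable id: harder to spoof
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)

if __name__ == "__main__":
    qname = dnsbl_qname(SAMPLE_IP, SAMPLE_ZONE)
    for resolver in SAMPLE_RESOLVERS:  # one verdict per resolver
        try:
            print("%-16s %s" % (resolver, classify(*lookup(resolver, qname))))
        except (OSError, ValueError) as exc:
            print("%-16s failed: %s" % (resolver, exc))
```

A DNSBL answers a listed address with something in 127.0.0.0/8 (for Barracuda typically 127.0.0.2) and NXDOMAIN otherwise. The 92.242.144.2 in Jon's `host` output is neither, which is why the script reports it as a bogus answer: some resolver in the chain is substituting an A record for a name that should not exist, and a mail server that counts any A answer as a listing will then treat every sender as listed. Querying each resolver directly, rather than through the system's resolver list, shows which one is doing it.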
j.a.duke
freakinvibe wrote on Thu, 24 February 2011 02:10
Quote:
119.40.228.150.b.barracudacentral.org has address 92.242.144.2


It looks like one of your DNS servers is giving you the wrong answer. To find out which one it is, you should use "nslookup" and test your query for each DNS server separately:

nslookup -type=A 119.40.228.150.b.barracudacentral.org 192.168.1.11
nslookup -type=A 119.40.228.150.b.barracudacentral.org 4.2.2.2
nslookup -type=A 119.40.228.150.b.barracudacentral.org 208.67.220.220

nslookup -type=A 119.40.228.150.b.barracudacentral.org 207.172.3.8
nslookup -type=A 119.40.228.150.b.barracudacentral.org 207.172.3.9
nslookup -type=A 119.40.228.150.b.barracudacentral.org 68.87.71.226
nslookup -type=A 119.40.228.150.b.barracudacentral.org 68.87.73.242



Thanks for the test methodology.

I ran that address today and received a "not found" from all the servers (which is correct as of today). I verified the results via DNSStuff and on the Barracuda site directly.

And, at the moment, it looks like my queries to the Barracuda list are being returned with the proper info - no false positives.

I'd like to thank everyone who contributed here - I've learned a bit through the process and I hope that the discussion has been productive for others as well.

Cheers,
Jon