william_

[Resolved] test blocklist is actually working on single email address


Hi,

Is there some way to test whether an email address is or is not being filtered by the dnsbl?

Situation is - email is received on an address, the IP where the spam comes from is sometimes listed on two or even four of the installed blocklists. (I have checked 10mins after reception of the spam, the IP address in dnsbl.info to see where it is listed).

So does spamcop have a place to put in an email address - to get a test email from spamcop, from an IP that is listed in spamcop?

Thanks in advance.

Edited by william_


Thank you. The mystery remains.

95.133.164.203 is listed in spamcop. (203-164-133-95.pool.ukrtel.net)

It was listed at 0700 GMT at cbl.abuse.at

http://cbl.abuseat.org/lookup.cgi?ip=95.13...;.submit=Lookup

email was received at 09.33 GMT

we have cbl.abuse.at in sendmail

FEATURE(`enhdnsbl',`cbl.abuseat.org')dnl

also spamcop and some other ones.

I don't know how to check the dnsbl lookups that our mail server has done and what the responses were; if I could, I could see very easily what happened.

...I don't know how to check the dnsbl lookups that our mail server has done and what the responses were; if I could, I could see very easily what happened.
Well, CBL and SpamCop make some note of the evidence seen and approximate time as you have seen from the form-based lookups you quote.

You can check numerous blocklists in "one go" at a number of places and sometimes there are links you can use to see the evidence. A couple of these handy lookups are

http://www.robtex.com/ip/95.133.164.203.html#blacklists

http://multirbl.valli.org/dnsbl-lookup/95.133.164.203.html

You can use command-line lookups on specific BLs (input requires reversed dot.quad address for nslookup if you use that), like

C:\Documents and Settings\Admin>nslookup

...

> 203.164.133.95.bl.spamcop.net

...

Non-authoritative answer:

Name: 203.164.133.95.bl.spamcop.net

Address: 127.0.0.2

> 203.164.133.95.cbl.abuseat.org

...

Non-authoritative answer:

Name: 203.164.133.95.cbl.abuseat.org

Address: 127.0.0.2

>

>exit

C:\Documents and Settings\Admin>

If listed, the result is 127.0.0.2 or similar. If not listed, it is "Unknown ... Non-existent domain". Most BLs have pages explaining how to use their lookups in command-line mode and the meaning of the query codes returned - and many (like SC and CBL) also have the form-based lookups, as you have seen.

What exactly do you need help with beyond that? Someone will be able to advise you further.

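The lookup that the nslookup session above does by hand, as an added example (not code from the thread or from SpamCop): reverse the dotted quad, append the zone, resolve, and treat only an answer inside 127.0.0.0/8 as a listing. The zone names are the ones the post uses; the resolver is pluggable so the logic can be exercised without network access.

```python
import socket
from typing import Callable, Dict, Optional

# Resolver signature: name -> A record as a string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def reverse_octets(ip: str) -> str:
    """Reverse a dotted quad: 95.133.164.203 -> 203.164.133.95."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 dotted quad: {ip!r}")
    return ".".join(reversed(parts))


def dnsbl_query_name(ip: str, zone: str) -> str:
    """The name a DNSBL client resolves, e.g. 203.164.133.95.bl.spamcop.net."""
    return f"{reverse_octets(ip)}.{zone.strip('.')}"


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the OS resolver; None on NXDOMAIN (socket raises gaierror)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def lookup(ip: str, zone: str, resolve: Resolver = system_resolver) -> Dict[str, object]:
    """Query one DNSBL zone for ip and interpret the answer.

    listed:     an A record in 127.0.0.0/8 (127.0.0.2 in the session above)
    not listed: no record at all (nslookup's "Non-existent domain")
    suspicious: an A record outside 127/8. That is not a DNSBL answer; it usually
                means a resolver that rewrites NXDOMAIN or a retired zone, and must
                not be taken as a listing.
    """
    name = dnsbl_query_name(ip, zone)
    answer = resolve(name)
    listed = answer is not None and answer.startswith("127.")
    suspicious = answer is not None and not listed
    return {"query": name, "answer": answer, "listed": listed, "suspicious": suspicious}


def check_zones(ip: str, zones, resolve: Resolver = system_resolver) -> Dict[str, Dict[str, object]]:
    """Check several blocklists in one go, like the multi-RBL web pages do."""
    return {zone: lookup(ip, zone, resolve) for zone in zones}


if __name__ == "__main__":
    # Live run against the two zones the post names (needs DNS access).
    for r in check_zones("95.133.164.203", ["bl.spamcop.net", "cbl.abuseat.org"]).values():
        state = "LISTED" if r["listed"] else ("ODD ANSWER" if r["suspicious"] else "not listed")
        print(f"{r['query']:45} {state} {r['answer'] or ''}")
```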

I have changed to

eg

FEATURE(`enhdnsbl',`dnsbl address',`',`t')dnl

so that dns lookup timeouts reject the email - but problem persists.

Been looking at tcpdump to view dns traffic, however the output is not quite clear enough to me to ascertain what is going on

tcpdump -i eth0 dst port 53

11:11:45.149251 IP mailserver.ourdomain.tld.42578 > gateway.ourdomain.tld.domain: 28966+ AAAA? spam.spamcop.net. (34)

11:11:45.149598 IP mailserver.ourdomain.tld.42578 > gateway.ourdomain.tld.domain: 24078+ A? spam.spamcop.net. (34)

11:11:45.149799 IP mailserver.ourdomain.tld.42578 > gateway.ourdomain.tld.domain: 17215+ MX? spam.spamcop.net. (34)

Need to see the ip address sent (eg 95.133.164.203) and the response (eg 127.0.0.2 ) in clear text.

I generally use http://www.dnsbl.info - though I used to use http://www.openrbl.org/ which seems to have been undergoing work for some time now.

no sc account email involved here, this is email for our domain on our sendmail.

Please move this thread to the feature request forum.

Personally, I'm still in the dark as to what you are really doing, what tools are in use, etc., etc. I was thinking of moving this Topic myself, as I'm still working on whether the SpamCopDNSBL is actually involved or not? I'm going with a 'perhaps' but basically because it sounds like a configuration issue, however, your actual question seems to be about the use of (other) BLs in general.

Not sure at all about your logged data citing spam.spamcop.net, but that might have something to do with just what tools you're trying to use????? It just doesn't look right. I'm thinking bl.spamcop.net would be more appropriate. (as noted/suggested by Farelf)

So does spamcop have a place to put in an email address - to get a test email from spamcop, from an IP that is listed in spamcop?

If this is the 'feature request' I'd have to ask just where you came up with this concept, and where did you seem to find somewhere else that managed to do what you are asking? That an open relay e-mail server these days isn't a good thing to begin with, actually using it to try to send any 'unauthorized' e-mail would be way out-of-bounds. An e-mail server anywhere near correctly configured wouldn't allow for just anyone to send anything through it without login/authorization. Are you sure you're asking exactly what your words describe?


Personally, I'm still in the dark as to what you are really doing, what tools are in use, etc., etc. I was thinking of moving this Topic myself, as I'm still working on whether the SpamCopDNSBL is actually involved or not? I'm going with a 'perhaps' but basically because it sounds like a configuration issue, however, your actual question seems to be about the use of (other) BLs in general.

Not sure at all about your logged data citing spam.spamcop.net, but that might have something to do with just what tools you're trying to use????? It just doesn't look right. I'm thinking bl.spamcop.net would be more appropriate. (as noted/suggested by Farelf)

If this is the 'feature request' I'd have to ask just where you came up with this concept, and where did you seem to find somewhere else that managed to do what you are asking? That an open relay e-mail server these days isn't a good thing to begin with, actually using it to try to send any 'unauthorized' e-mail would be way out-of-bounds. An e-mail server anywhere near correctly configured wouldn't allow for just anyone to send anything through it without login/authorization. Are you sure you're asking exactly what your words describe?

The new feature request - is for a form in the spamcop website so that a test email can be sent whose originating IP is on a blocklist to an address on your own domain - so as to test rejecting with that blocklist (in this case on just one address).

The "logged data citing spam.spamcop.net" is clearly just an example of the format from the quoted command. As stated, the tools involved are tcpdump, sendmail and dnsbl.

Yes, I think a configuration issue is the issue, it is not spamcop's or other dnsbls' fault - as I have ruled out dns lookup time-out errors (see second post from me - which would have been surprising if it was the solution in this case), however the spamcop dnsbl is involved (along with several others) in a way - but I am trying to ascertain why email that should be rejected is swanning into an inbox.

I've not found anywhere that does the concept of the feature request - I have not spent time looking for this at other locations up to this point in time.

The concept 'could' work - for logged in users of spamcop reporter service - unauthorised usage would not work, as their systems would be known to the system, and is a very low risk mechanism if limited also.

I'll post back some info sometime re info about the problem described.

The new feature request - is for a form in spamcop website so that a test email can be sent whose originating IP is on a blocklist to an address on your own domain - so as to test rejecting with that blocklist (in this case on just one address).

I think the request is clear enough but almost impossible to provide. The only way of sending an Email from a listed IP address is to actually send through that IP.

So I think you can request the feature but I doubt it will be offered any time soon.

Sorry.

Andrew


It seems after getting tcpdump to record what happens (and looking into the sendmail setup) that a lookup request is not being triggered for these spam emails.

currently a rule in access.db (in sendmail)

"from:ourdomain.com OK"

is figured to be a major factor in the problem observed, as whitelisted stuff is currently skipped of dnsbl lookups.

the emails have these common headers: (where address1[at]ourdomain.com is a valid/used address)

Return-Path: <address1[at]ourdomain.com>

To: <address1[at]ourdomain.com>

From: <address1[at]ourdomain.com>

So the 'feature request' would need to forge the 'return-path' and 'from' address to truly test for this scenario. Perhaps too much of a corner case? Certainly a common tactic by spammers.

agsteel: The email sent from an IP listed in the dnsbl (a spamcop IP address for the purpose) - how is that impossible? I thought I was clear - if I had meant forging IP addresses I would have said so; how is forging an IP address even remotely (in this context) a sensible/plausible/possible/credible/reasonable suggestion anyway? Completely trivial configuration and you imply a request was made for something non-trivial - why did you do that exactly?

Thanks.

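A small model of the decision path the post above describes, as an added example (it is not the thread's code and not sendmail's real rule set): the connecting IP is checked against the blocklists unless an access-map "OK" entry matches first, so a "From:ourdomain.com OK" entry is satisfied by the forged sender and the listed host gets through, while a "Connect:" entry keyed on the site's own IP block cannot be satisfied by anything the sender controls. The spam's IP and the forged sender are the ones quoted in the thread; the 192.0.2.0/24 block is a constructed stand-in for the site's own addresses.

```python
from typing import Dict, Optional, Set, Tuple

Verdict = Tuple[str, str]  # ("accept" | "reject", reason)


def match_connect(ip: str, access: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Connect:a.b.c.d, then Connect:a.b.c, Connect:a.b, Connect:a (longest match first)."""
    parts = ip.split(".")
    for n in range(len(parts), 0, -1):
        key = "Connect:" + ".".join(parts[:n])
        if key in access:
            return key, access[key]
    return None


def match_from(sender: str, access: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """From:user@host.example, then From:host.example, From:example, ... (longest match first)."""
    keys = [f"From:{sender}"]
    domain = sender.rsplit("@", 1)[-1]
    labels = domain.split(".")
    keys += ["From:" + ".".join(labels[i:]) for i in range(len(labels))]
    for key in keys:
        if key in access:
            return key, access[key]
    return None


def decide(connect_ip: str, mail_from: str, access: Dict[str, str], listed: Set[str]) -> Verdict:
    """Modelled decision: whitelist hits short-circuit the DNSBL check.

    The envelope sender is chosen by whoever connects, so a From: whitelist is
    attacker-controlled; the connecting IP is observed by the server and is not.
    """
    hit = match_connect(connect_ip, access)
    if hit and hit[1] == "OK":
        return "accept", f"connecting IP whitelisted by {hit[0]}"
    hit = match_from(mail_from, access)
    if hit and hit[1] == "OK":
        return "accept", f"sender whitelisted by {hit[0]} (DNSBL check skipped)"
    if connect_ip in listed:
        return "reject", f"{connect_ip} listed in a DNSBL"
    return "accept", "not listed"


# Constructed inputs: the host the thread found listed, and the access map before
# and after the "From:ourdomain.com OK" entry is removed.
LISTED = {"95.133.164.203"}
BEFORE = {"Connect:192.0.2": "OK", "From:ourdomain.com": "OK"}
AFTER = {"Connect:192.0.2": "OK"}

if __name__ == "__main__":
    spam = ("95.133.164.203", "address1@ourdomain.com")  # forged sender in our own domain
    own = ("192.0.2.10", "address1@ourdomain.com")       # a host inside our own block
    for label, amap in (("before", BEFORE), ("after", AFTER)):
        print(f"{label:6} spam from listed host: {decide(*spam, amap, LISTED)}")
        print(f"{label:6} own host:              {decide(*own, amap, LISTED)}")
```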
agsteel: The email sent from an IP listed in the dnsbl (a spamcop IP address for the purpose) - how is that impossible? I thought I was clear - if I had meant forging IP addresses I would have said so; how is forging an IP address even remotely (in this context) a sensible/plausible/possible/credible/reasonable suggestion anyway? Completely trivial configuration and you imply a request was made for something non-trivial - why did you do that exactly?

OK, I was still slightly misunderstanding your suggestion... Yes, I suppose the SC folk could allocate an IP for an SMTP server and intentionally list it in the SCBL for the purpose of allowing a user to request a test Email to allow a test of block list configuration.

To be honest, I don't see it happening but, as I said previously, your request is clear enough.

Andrew

It seems after getting tcpdump to record what happens (and looking into the sendmail setup) that a lookup request is not being triggered for these spam emails.

currently a rule in access.db (in sendmail)

"from:ourdomain.com OK"

is figured to be a major factor in the problem observed, as whitelisted stuff is currently skipped of dnsbl lookups.

Anti-spam Configuration Control actually adds more emphasis to using your IP Address block, rather than a Domain-included address for setting up these types of controls. The additional qualification of Authorized SMTP if you're trying to satisfy roaming users.

the emails have these common headers: (where address1[at]ourdomain.com is a valid/used address)

So the 'feature request' would need to forge the 'return-path' and 'from' address to truly test for this scenario. Perhaps too much of a corner case? Certainly a common tactic by spammers.

Perhaps, but also includes a large downside to generating forged/false/test e-mails. You seem to be suggesting that you are running the show at your place, but other ISPs/Hosts have a number of tech staff involved ... issue being that one person may generate the test, but 14 other folks see the 'bad news' and choose to jump on it.

BTW: I still believe you have misidentified SpamCop.net resources in your configuration settings.

spam.spamcop.net doesn't seem to me to have anything directly to do with the SpamCopDNSBL. As pointed out at least twice thus far, try using bl.spamcop.net to do your lookups. Someone else's config file entry looks like

FEATURE(`enhdnsbl', `bl.spamcop.net', `"spam blocked see: .......

agsteel: The email sent from an IP listed in the dnsbl (a spamcop IP address for the purpose) - how is that impossible? I thought I was clear - if I had meant forging IP addresses I would have said so; how is forging an IP address even remotely (in this context) a sensible/plausible/possible/credible/reasonable suggestion anyway? Completely trivial configuration and you imply a request was made for something non-trivial - why did you do that exactly?

However, that's exactly what's kept me from Posting any reply since my last ... the 'forging mode' was all that came into my mind, and I couldn't figure out why you seemed to have no problem with it.

So now that you've explained your alternative, there's now the issue of the various empires involved. Back when this was the one-man-show, perhaps the funds might have been available to grab another IP Address, toss up another server, and generate the software to provide your suggestion. These days, not so simple .... someone from SpamCop would have to make the request to IronPort, who'd probably have to send it up to Cisco, asking for the IP Address assignment, the hardware, the software-engineering time to develop the code, the probable additional support staff .. on and on. As stated by kmolloy, pretty doubtful these days.

On the other hand, a correctly configured DNSBL filter setup would normally provide pretty much instant feedback these days.

And now, to turn things around, take a look at Crynwr spam blocking resources .... perhaps close enough to what you're looking for ??????

Anti-spam Configuration Control actually adds more emphasis to using your IP Address block, rather than a Domain-included address for setting up these types of controls. The additional qualification of Authorized SMTP if you're trying to satisfy roaming users.

Removing the

"from:ourdomain.com OK"

from access.db seems to be the solution. Relevant computers/servers were already accommodated via IP address listed in sendmail's access.db. Our domain name crept into the config from an auto-learn on contact details for the whitelist.

Perhaps, but also includes a large downside to generating forged/false/test e-mails. You seem to be suggesting that you are running the show at your place, but other ISPs/Hosts have a number of tech staff involved ... issue being that one person may generate the test, but 14 other folks see the 'bad news' and choose to jump on it.

a single email - clearly marked in the header, subject and body is unlikely to cause a panic at any organisation's IT department. Do you think honestly to the contrary?

BTW: I still believe you have misidentified SpamCop.net resources in your configuration settings.

spam.spamcop.net doesn't seem to me to have anything directly to do with the SpamCopDNSBL. As pointed out at least twice thus far, try using bl.spamcop.net to do your lookups. Someone else's config file entry looks like

FEATURE(`enhdnsbl', `bl.spamcop.net', `"spam blocked see: .......

The example tcpdump actually captured the dns lookup for an autoreporting event of a spam item to a quick reporting address.

here is a negatory response from some blacklists - from a tcpdump in wireshark.

[attached screenshot: dnstraffic.jpg]

However, that's exactly what's kept me from Posting any reply since my last ... the 'forging mode' was all that came into my mind, and I couldn't figure out why you seemed to have no problem with it.

So now that you've explained your alternative, there's now the issue of the various empires involved. Back when this was the one-man-show, perhaps the funds might have been available to grab another IP Address, toss up another server, and generate the software to provide your suggestion. These days, not so simple .... someone from SpamCop would have to make the request to IronPort, who'd probably have to send it up to Cisco, asking for the IP Address assignment, the hardware, the software-engineering time to develop the code, the probable additional support staff .. on and on. As stated by kmolloy, pretty doubtful these days.

On the other hand, a correctly configured DNSBL filter setup would normally provide pretty much instant feedback these days.

Some pointless naysaying and fairly unfounded conjecture from you. I have never warranted that this feature request would be a fully fledged proposal with all possible angles covered. If you have constructive criticism, fine, but this hopelessness is quite tiresome. I can accept that Spamcop may not want to, for whatever reason, do this feature request - I knew this before writing a word. To say some twaddle about time and money - well, I do realise there would be a cost - but that is not my concern, and TBH I am not all that interested either beyond being satisfied within my own mind that the feature is not outside the limits of reason (ie not wasting people's time). I hope that is not too brusque; I agree it is important to consider the different situations likely to occur, like in large ISPs etc.

And now, to turn things around, take a look at Crynwr spam blocking resources .... perhaps close enough to what you're looking for ??????

Does seem fairly far towards the feature request detailed.

However the problem is solved here. The feature request, in whatever state it is in, stands, and needs to be moved to the feature request forum.

You seem to act as if moving this thread to the feature request forum would be a bad idea (for unspecified reasons - perhaps undue validation of it is feared?) - as yet I personally can't see the invalidity of the feature request - no matter how much of a corner case it may be.

Have you seen this?

http://news.spamcop.net/pipermail/spamcop-...une/111951.html

It might be of help to you. However, TTBOMK no one has asked us for this particular functionality before, so it's unlikely we'll implement it at this point.

I have now, thank you.

So now that you've explained your alternative, there's now the issue of the various empires involved. Back when this was the one-man-show, perhaps the funds might have been available to grab another IP Address, toss up another server, and generate the software to provide your suggestion. These days, not so simple .... someone from SpamCop would have to make the request to IronPort. who'd probably have to send it up to Cisco, asking for the IP Address assignment, the hardware, the software-engineering time to develop the code, the probable additional support staff .. on and on. As stated by kmolloy, pretty doubtful thrse days.

SpamCop is fully integrated into Cisco Ironport. I lead support and am pretty much as close to a project manager as SpamCop has, Ironport Cisco developers make code changes, Ironport Cisco Ops people keep the servers running. It wouldn't even cost us much; we have hardware aplenty and I could file a feature enhancement bug and get it in a new release. We could use an IP that doesn't otherwise need to send mail.

I could do it. But when I look at the things that SpamCop needs (many of which are "under the covers" and not visible to reporters), something that has only been asked for once (so far as I can tell) is not a high priority and our resources can be better spent elsewhere. There's a hierarchy of needs, and this is in the "nice to have some day if we had unlimited resources" category. But if someone can make a case that this is very important to the ongoing use and further adoption of the SCBL, then I'm willing to be convinced.

Removing the

"from:ourdomain.com OK"

from access.db seems to be the solution. Relevant computers/servers were already accommodated via IP address listed in sendmail's access.db. Our domain name crept into the config from an auto-learn on contact details for the whitelist.

Great. A configuration issue would seem to have been the cause and the solution to the problem that led you to post here. Based on this last data, I will tag this Topic as Resolved.

a single email - clearly marked in the header, subject and body is unlikely to cause a panic at any organisation's IT department. Do you think honestly to the contrary?

Some pointless naysaying and fairly unfounded conjecture from you.

Let me take the time to stand this up correctly. The data used in order to provide responses come from the words available on this screen. Technically, you have changed your descriptions and definitions more than once, but the majority of the things you seem to be taking exception to were in response to your very first Post that included these exact words:

to get a test email from spamcop, from an IP that is listed in spamcop

It was several Posts later that you then decided to describe the function (and test) as using a forged e-mail address (so as to try to do a DNS check on the forged Domain name). The original concept may have been clear in your mind, but ... the words you used didn't allow for that kind of expansion from this side of the screen until you changed things around. But then you finally got around to suggesting the possible use of a dedicated IP Address that would somehow be permanently included in the SpamCopDNSBL (which brings in some other issues as this is much in contrast to the 'dynamic' mode of this particular BL) .... OK, perhaps there's something there to work with, but just pointing out that this is a bit removed (or perhaps rather better described as extrapolated) from the actual question that was first asked.

However the problem is solved here. The feature request, in whatever state it is in, stands, and needs to be moved to the feature request forum.

You seem to act as if moving this thread to the feature request forum would be a bad idea (for unspecified reasons - perhaps undue validation of it is feared?) - as yet I personally can't see the invalidity of the feature request - no matter how much of a corner case it may be.

I invite you to start a new Topic in that other Forum section. The Topic-starting-Post here was taken to be a call about an issue with your use of the DNSBL function on your server .... and at the end, it does seem that this turns out to be true. So, in your new Topic, please confine the contents of that Post to just describing the actual request/suggested application. This in turn would allow for others to then pile on much more gracefully, if there are any others that see or feel the need.

Technically, you have changed your descriptions and definitions more than once, but the majority of the things you seem to be taking exception to were in response to your very first Post that included these exact words:

to get a test email from spamcop, from an IP that is listed in spamcop

It was several Posts later that you then decided to describe the function (and test) as using a forged e-mail address (so as to try to do a DNS check on the forged Domain name). The original concept may have been clear in your mind, but ... the words you used didn't allow for that kind of expansion from this side of the screen until you changed things around. But then you finally got around to suggesting the possible use of a dedicated IP Address that would somehow be permanently included in the SpamCopDNSBL (which brings in some other issues as this is much in contrast to the 'dynamic' mode of this particular BL) .... OK, perhaps there's something there to work with, but just pointing out that this is a bit removed (or perhaps rather better described as extrapolated) from the actual question that was first asked.

The specification merely developed (not even close to feature creep unless the specification phase had been passed) - I see no back tracking; no mistakes or corrections were made, merely clarifications to posters (who seemed to goad the specification process along with wild assumptions). It was a logical progression. There are very few ways to do the described task, and I do not see many options to the specifications, do you? Fundamentally the finer details do not need to be discussed here; as long as the general idea is communicated well then those reading it can draw their opinion without the need for 'clarification'. It is a fairly simple feature request after all.

The thread title still describes the feature accurately.

You seem to be doing a critique of my posting where it is not warranted - a critique which is inaccurate, rude and uncalled for, as well as slightly queer, as the following makes no sense at all:

Let me take the time to stand this up correctly. The data used in order to provide responses come from the words available on this screen.

Additionally you quote me - but fail to answer the question which was actually posited, because of your utterly fatuous ramblings about panic in ISPs. Instead you accuse me of various posting wrongs.

I invite you to start a new Topic in that other Forum section. The Topic-starting-Post here was taken to be a call about an issue with your use of the DNSBL function on your server .... and at the end, it does seem that this turns out to be true. So, in your new Topic, please confine the contents of that Post to just describing the actual request/suggested application. This in turn would allow for others to then pile on much more gracefully, if there are any others that see or feel the need.

Actually you will find that the first request in this thread was to enquire as to the possible location of the feature described. It is described in the title in a rudimentary way.

Please move this thread to the feature request forum.

Please move this thread to the feature request forum.

Already answered, but you didn't like it. Let's try to explain it this way ....

This Topic and the follow-on Discussion actually described an issue and the follow-up actions taken to solve a problem you found when whitelisting your own Domain/Addresses within a SendMail configuration file in conjunction with trying to use DNSBLs for spam management. That makes it a Help with the use of the SpamCopDNSBL subject. Therefore, it will remain in this Forum section for the benefit of future users that run into the same issue and look 'here' for the possible solution.

I'm suggesting that if you want, you can clean up your suggested new feature idea and Post it as a clean and much better documented Post into that other Forum section, with a better Title/Description. This action will help you to get any possible direct follow-up agreements/disagreements in response to that Post, rather than expecting someone else to wade through all of this Discussion, which again, has already been tagged as Resolved.

I will note that you have received more responses from the 'official paid-staff' folks in this Forum section than any of the existing Topics in that other Forum section.
