Calzonie Posted February 3, 2004

I have spamcop in place on several servers, since Jan 11th my logs show -0- blocks for spamcop yet all my other RBLs still work. Was anything done or is this something that is affecting only me? Thanks.

Chris Parker Posted February 3, 2004

> I have spamcop in place on several servers, since Jan 11th my logs show -0- blocks for spamcop yet all my other RBLs still work. Was anything done or is this something that is affecting only me?

You'll have to be a little more clear as to what your problem is. You seem to imply that bl.spamcop.net is no longer responding. You can try an nslookup of 2.0.0.127.bl.spamcop.net and see what happens. If that fails to respond something may be up with your DNS server(s).

Ellen Posted February 4, 2004

I happened to check all the bl mirrors just a few minutes ago and they are all working. You can see where the mirrors are by doing a

    dig bl.spamcop.net ns

Calzonie Posted February 4, 2004

    [root@dale mail]# dig bl.spamcop.net ns

    ; <<>> DiG 9.2.1 <<>> bl.spamcop.net ns
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33659
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;bl.spamcop.net. IN NS

    ;; ANSWER SECTION:
    bl.spamcop.net. 86400 IN NS loopback.

    ;; Query time: 177 msec
    ;; SERVER: 127.0.0.1#53(0.0.0.0)
    ;; WHEN: Wed Feb 4 10:46:10 2004
    ;; MSG SIZE rcvd: 54

Calzonie Posted February 4, 2004

It just doesn't seem to ask SP if the ip is relay anymore and the 3 other RBLs I use all work fine.

    [root@dale mail]# nslookup 2.0.0.127.bl.spamcop.net
    Note: nslookup is deprecated and may be removed from future releases.
    Consider using the `dig' or `host' programs instead. Run nslookup with
    the `-sil[ent]' option to prevent this message from appearing.
    Server: 0.0.0.0
    Address: 0.0.0.0#53

    ** server can't find 2.0.0.127.bl.spamcop.net: NXDOMAIN

jefft Posted February 4, 2004

>     [root@dale mail]# dig bl.spamcop.net ns
>
>     ; <<>> DiG 9.2.1 <<>> bl.spamcop.net ns
>     ;; global options: printcmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33659
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
>     ;; QUESTION SECTION:
>     ;bl.spamcop.net. IN NS
>
>     ;; ANSWER SECTION:
>     bl.spamcop.net. 86400 IN NS loopback.
>
>     ;; Query time: 177 msec
>     ;; SERVER: 127.0.0.1#53(0.0.0.0)
>     ;; WHEN: Wed Feb 4 10:46:10 2004
>     ;; MSG SIZE rcvd: 54

That's not right. You shouldn't get loopback as the answer. It sounds to me like whoever runs that DNS server has either intentionally blocked access to the bl or has tried to set something else up and gotten it wrong.

JT

Jeff G. Posted February 4, 2004

Calzonie, someone has been mucking with your nameserver. "bl.spamcop.net. 86400 IN NS loopback." is just plain wrong - it never should have gotten into your nameserver, as it specifies "don't use bl.spamcop.net for 24 hours". Please ask your nameserver's administrator who authorized that info and will fix it, what possessed them to install that info, when it was authorized and when it will be fixed, where that info came from, and why it was allowed into the nameserver. Thanks!

Calzonie Posted February 4, 2004

I handle my own dns and have att as my forwards. The dns serial hasn't changed since november 03 and the running zone has the correct serial number. My sendmail.conf is as I created it.

sendmail.mc

    FEATURE(`dnsbl',`bl.spamcop.net',`Rejected - http://spamcop.net/')dnl

sendmail.cf

    # DNS based IP address spam list bl.spamcop.net
    R$*	$: $&{client_addr}
    R$-.$-.$-.$-	$: <?> $(dnsbl $4.$3.$2.$1.bl.spamcop.net. $: OK $)
    R<?>OK	$: OKSOFAR
    R<?>$+<TMP>	$: TMPOK
    R<?>$+	$#error $@ 5.7.1 $: Rejected - http://spamcop.net/

Is it possible that spamcop is now blocking me for one reason or another?

Here's a "tcpdump | grep spamcop" :

    32231+ AAAA? 39.220.195.208.bl.spamcop.net. (47) (DF)
    11:23:53.277366 ns1.mydomain.com.32769 > dns-rs1.bgtmo.ip.att.net.domain: 49103+ AAAA? 39.220.195.208.bl.spamcop.net. (47) (DF)
    11:23:51.263007 ns1.mydoamin.com.32769 > rmtu.mt.rs.els-gms.att.net.domain: 32231+ AAAA? 39.220.195.208.bl.spamcop.net. (47) (DF)
    11:23:53.277366 ns1.mydomain.com.32769 > dns-rs1.bgtmo.ip.att.net.domain: 49103+ AAAA? 39.220.195.208.bl.spamcop.net. (47) (DF)
    11:24:10.534846 ns2.mydomain.com.45483 > dns-rs1.bgtmo.ip.att.net.domain: 47673+ AAAA? 41.181.59.69.bl.spamcop.net. (45) (DF)

jefft Posted February 4, 2004

> I handle my own dns and have att as my forwards. The dns serial hasn't changed since november 03 and the running zone has the correct serial number. My sendmail.conf is as I created it.
>
> sendmail.mc
>
>     FEATURE(`dnsbl',`bl.spamcop.net',`Rejected - http://spamcop.net/')dnl
>
> sendmail.cf
>
>     # DNS based IP address spam list bl.spamcop.net
>     R$*	$: $&{client_addr}
>     R$-.$-.$-.$-	$: <?> $(dnsbl $4.$3.$2.$1.bl.spamcop.net. $: OK $)
>     R<?>OK	$: OKSOFAR
>     R<?>$+<TMP>	$: TMPOK
>     R<?>$+	$#error $@ 5.7.1 $: Rejected - http://spamcop.net/
>
> Is it possible that spamcop is now blocking me for one reason or another?
>
> Here's a "tcpdump | grep spamcop" :
>
>     32231+ AAAA? 39.220.195.208.bl.spamcop.net. (47) (DF)
>     11:23:53.277366 ns1.mydomain.com.32769 > dns-rs1.bgtmo.ip.att.net.domain: 49103+ AAAA? 39.220.195.208.bl.spamcop.net. (47) (DF)
>     11:23:51.263007 ns1.mydoamin.com.32769 > rmtu.mt.rs.els-gms.att.net.domain: 32231+ AAAA? 39.220.195.208.bl.spamcop.net. (47) (DF)
>     11:23:53.277366 ns1.mydomain.com.32769 > dns-rs1.bgtmo.ip.att.net.domain: 49103+ AAAA? 39.220.195.208.bl.spamcop.net. (47) (DF)
>     11:24:10.534846 ns2.mydomain.com.45483 > dns-rs1.bgtmo.ip.att.net.domain: 47673+ AAAA? 41.181.59.69.bl.spamcop.net. (45) (DF)

Your DNS server is confused. You're saying you run your own DNS, but do you run your own DNS cache? What do your clients computers have configured for DNS server? The serial number you mention is for your zone and doesn't have anything to do with the cache.

The tcpdump only shows IPV6 queries, going to AT&T DNS servers. I don't know why you're doing IPV6 queries or why you're querying AT&T servers.

Try restarting your cache and see if that fixes it by itself. To see what a proper response looks like, try:

    dig @use1.akam.net bl.spamcop.net ns

JT

Calzonie Posted February 4, 2004

The box points to itself to resolve and the named.conf forwards to att. I reloaded bind and ran your query:

    [root@chip mail]# dig @use1.akam.net bl.spamcop.net ns

    ; <<>> DiG 9.2.1 <<>> @use1.akam.net bl.spamcop.net ns
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57687
    ;; flags: qr rd; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 8

    ;; QUESTION SECTION:
    ;bl.spamcop.net. IN NS

    ;; ANSWER SECTION:
    bl.spamcop.net. 172800 IN NS blns12.spamcop.net.
    bl.spamcop.net. 172800 IN NS blns4.spamcop.net.
    bl.spamcop.net. 172800 IN NS blns5.spamcop.net.
    bl.spamcop.net. 172800 IN NS blns6.spamcop.net.
    bl.spamcop.net. 172800 IN NS blns8.spamcop.net.
    bl.spamcop.net. 172800 IN NS blns10.spamcop.net.
    bl.spamcop.net. 172800 IN NS blns11.spamcop.net.
    bl.spamcop.net. 172800 IN NS blns9.spamcop.net.

    ;; ADDITIONAL SECTION:
    blns12.spamcop.net. 172800 IN A 216.127.43.91
    blns4.spamcop.net. 172800 IN A 194.109.6.147
    blns5.spamcop.net. 172800 IN A 198.145.240.35
    blns6.spamcop.net. 172800 IN A 209.198.142.147
    blns8.spamcop.net. 172800 IN A 66.6.205.130
    blns10.spamcop.net. 172800 IN A 206.67.234.112
    blns11.spamcop.net. 172800 IN A 209.92.188.201
    blns9.spamcop.net. 172800 IN A 208.39.222.110

    ;; Query time: 79 msec
    ;; SERVER: 63.209.170.136#53(use1.akam.net)
    ;; WHEN: Wed Feb 4 12:15:14 2004
    ;; MSG SIZE rcvd: 334

Calzonie Posted February 4, 2004

Here's a manual query on an ip that is listed on spamcop:

    [root@dale etc]# dig 39.220.195.208.bl.spamcop.net

    ; <<>> DiG 9.2.1 <<>> 39.220.195.208.bl.spamcop.net
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60187
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;39.220.195.208.bl.spamcop.net. IN A

    ;; AUTHORITY SECTION:
    bl.spamcop.net. 10800 IN SOA loopback. root.loopback. 1 3600 600 3600000 86400

    ;; Query time: 2243 msec
    ;; SERVER: 127.0.0.1#53(0.0.0.0)
    ;; WHEN: Wed Feb 4 12:32:20 2004
    ;; MSG SIZE rcvd: 96

Also, I read: http://www.spamcop.net/fom-serve/cache/294.html and changed the sendmail.conf section of Kdnsbl, but it doesn't seem to change anything.

Calzonie Posted February 4, 2004

Here's another manual dig after the sendmail.cf update:

    [root@dale mail]# dig 100.220.111.207.bl.spamcop.net

    ;; AUTHORITY SECTION:
    bl.spamcop.net. 10735 IN SOA loopback. root.loopback. 1 3600 600 3600000 86400

Here's a new tcpdump (diff ip), notice only one "A" now:

    13:35:04.656464 ns2.mydomain.com.56636 > dns-rs1.bgtmo.ip.att.net.domain: 53021+ A? 207.68.119.66.bl.spamcop.net. (46) (DF)

Calzonie Posted February 4, 2004

Well what do you know!!!! I took out my isp (att) as the forward and let my dns query the root servers and:

    Feb 4 13:37:52 dale sendmail[16862]: ruleset=check_relay, arg1=noc-207-182-132-120-su-4377-pt.youdidto.com, arg2=127.0.0.2, relay=noc-207-182-132-120-su-4377-pt.youdidto.com [207.182.132.120], reject=553 5.3.0 Rejected - http://spamcop.net/
    Feb 4 13:46:37 chip sendmail[16757]: ruleset=check_relay, arg1=offd14.cw69.com, arg2=127.0.0.2, relay=offd14.cw69.com [66.239.205.114] (may be forged), reject=553 5.3.0 Rejected - http://spamcop.net/

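The failure diagnosed in this thread (a forwarder handing back a bogus `loopback.` delegation, so every lookup, including the 2.0.0.127 test entry, returns NXDOMAIN and the mail logs show zero blocks) can be caught by a health check on the test entry. The script below is an added example, not part of the original thread; the function names are hypothetical and the sample dig output is constructed, modelled on the output posted above.

```shell
#!/bin/sh
# Added example: classify a resolver's answer for a DNSBL's test entry.
# 127.0.0.2 is the conventional DNSBL test address, so 2.0.0.127.<zone>
# must always be listed. Function names here are hypothetical.

# Reads `dig` output on stdin and prints one verdict:
#   OK        test entry listed (A record in 127.0.0.0/8 in the answer)
#   POISONED  zone's NS/SOA names "loopback.", as seen in this thread
#   BROKEN    no listing for a record that must exist (any other cause)
classify_dnsbl_answer() {
    awk '
        /^;; ANSWER SECTION/ { sec = "answer"; next }
        /^;;/                { sec = ""; next }
        /^;/ || NF == 0      { next }
        sec == "answer" && $4 == "A" && $5 ~ /^127\./    { listed = 1 }
        ($4 == "NS" || $4 == "SOA") && $5 == "loopback." { bogus = 1 }
        END { print (listed ? "OK" : (bogus ? "POISONED" : "BROKEN")) }
    '
}

# Live check via the resolver in /etc/resolv.conf, or via server $2 if given.
check_dnsbl() {
    dig ${2:+"@$2"} "2.0.0.127.$1" A | classify_dnsbl_answer
}

# Constructed samples, modelled on the dig output posted in the thread.
sample_poisoned() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; QUESTION SECTION:
;2.0.0.127.bl.spamcop.net. IN A

;; AUTHORITY SECTION:
bl.spamcop.net. 10800 IN SOA loopback. root.loopback. 1 3600 600 3600000 86400
EOF
}

sample_healthy() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; ANSWER SECTION:
2.0.0.127.bl.spamcop.net. 2100 IN A 127.0.0.2
EOF
}

for s in sample_poisoned sample_healthy; do
    printf '%s -> %s\n' "$s" "$("$s" | classify_dnsbl_answer)"
done
```

Running `check_dnsbl bl.spamcop.net` on the mail host on a schedule and alerting on anything other than OK turns a silent "zero blocks" condition into a visible one. Running it a second time with a different server as the second argument shows whether the local forwarder or the zone itself is at fault.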