[Resolved] Blocking List Rejecting Emails When Active


Unforgiven23

First time poster here needing help with something strange going on with my mailserver. For about a 2 year period now I've been using bl.spamcop.net and sbl-xbl.spamhaus.org as dual RBL options for my company mailserver. I have had issues with Spamhaus going down from time to time and outside emails being rejected with SMTP errors. Disabling sbl-xbl.spamhaus.org let email through and I re-enabled it a few days later without issues after talking with their tech support and them stating they were having server issues.

For the last 12 hours I have had to disable bl.spamcop.net because outside emails were being rejected. Here is the error message being sent back to outside sources:

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

xxxxx[at]domain.com

Technical details of permanent failure:

PERM_FAILURE: SMTP Error (state 9): 550 Requested action not taken.

Is anyone else experiencing the same issues over the past 12 hours with bl.spamcop.net as a RBL?

No configuration changes have been made to the server in that time. I have since restarted multiple times but anytime I enable bl.spamcop.net emails immediately start being rejected. The rejections are from multiple domains so I know it's not just a single domain that has accidentally been blacklisted. Any help is greatly appreciated!

Thank You!

Link to comment
Share on other sites

Is anyone else experiencing the same issues over the past 12 hours with bl.spamcop.net as a RBL?

Not seen any problems here. The only thing that I can think of is that your DNS cache has been poisoned.

Can you run one of the following commands and post the results here? Dig output would be preferred, but nslookup will do if you don't have dig.

dig +trace 2.0.0.127.bl.spamcop.net

nslookup -debug 2.0.0.127.bl.spamcop.net

Edit to add

Probably worth testing for negative results too with

dig +trace 1.0.0.10.bl.spamcop.net

nslookup -debug 1.0.0.10.bl.spamcop.net

Link to comment
Share on other sites

Response from nslookup -debug 2.0.0.127.bl.spamcop.net:

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NXDOMAIN
        header flags: response, want recursion, recursion avail.
        questions = 1, answers = 1, authority records = 1, additional = 0

    QUESTIONS:
        151.52.46.12.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  151.52.46.12.in-addr.arpa
        canonical name = 151.128/25.52.46.12.in-addr.arpa
        ttl = 171174 (1 day 23 hours 32 mins 54 secs)
    AUTHORITY RECORDS:
    ->  128/25.52.46.12.in-addr.arpa
        ttl = 9174 (2 hours 32 mins 54 secs)
        primary name server = cbru.br.ns.els-gms.att.net
        responsible mail addr = rm-hostmaster.ems.att.com
        serial = 12
        refresh = 83000 (23 hours 3 mins 20 secs)
        retry = 10000 (2 hours 46 mins 40 secs)
        expire = 600000 (6 days 22 hours 40 mins)
        default TTL = 86400 (1 day)

------------
Server: UnKnown
Address: 12.46.52.151

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags: response, auth. answer, want recursion, recursion avail.
        questions = 1, answers = 0, authority records = 1, additional = 0

    QUESTIONS:
        2.0.0.127.bl.spamcop.net.XXX.LOCAL, type = A, class = IN
    AUTHORITY RECORDS:
    ->  XXX.local
        ttl = 3600 (1 hour)
        primary name server = dcmain.XXX.local
        responsible mail addr = hostmaster
        serial = 719
        refresh = 900 (15 mins)
        retry = 600 (10 mins)
        expire = 86400 (1 day)
        default TTL = 900 (15 mins)

------------
DNS request timed out.
    timeout was 2 seconds.
timeout (2 secs)

Response from nslookup -debug 1.0.0.10.bl.spamcop.net:

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NXDOMAIN
        header flags: response, want recursion, recursion avail.
        questions = 1, answers = 1, authority records = 1, additional = 0

    QUESTIONS:
        151.52.46.12.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  151.52.46.12.in-addr.arpa
        canonical name = 151.128/25.52.46.12.in-addr.arpa
        ttl = 171132 (1 day 23 hours 32 mins 12 secs)
    AUTHORITY RECORDS:
    ->  128/25.52.46.12.in-addr.arpa
        ttl = 9132 (2 hours 32 mins 12 secs)
        primary name server = cbru.br.ns.els-gms.att.net
        responsible mail addr = rm-hostmaster.ems.att.com
        serial = 12
        refresh = 83000 (23 hours 3 mins 20 secs)
        retry = 10000 (2 hours 46 mins 40 secs)
        expire = 600000 (6 days 22 hours 40 mins)
        default TTL = 86400 (1 day)

------------
Server: UnKnown
Address: 12.46.52.151

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags: response, auth. answer, want recursion, recursion avail.
        questions = 1, answers = 0, authority records = 1, additional = 0

    QUESTIONS:
        1.0.0.10.bl.spamcop.net.XXX.LOCAL, type = A, class = IN
    AUTHORITY RECORDS:
    ->  XXX.local
        ttl = 3600 (1 hour)
        primary name server = dcmain.XXX.local
        responsible mail addr = hostmaster
        serial = 719
        refresh = 900 (15 mins)
        retry = 600 (10 mins)
        expire = 86400 (1 day)
        default TTL = 900 (15 mins)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags: response, want recursion, recursion avail.
        questions = 1, answers = 0, authority records = 1, additional = 0

    QUESTIONS:
        1.0.0.10.bl.spamcop.net, type = A, class = IN
    AUTHORITY RECORDS:
    ->  bl.spamcop.net
        ttl = 0 (0 secs)
        primary name server = bl.spamcop.net
        responsible mail addr = hostmaster.admin.spamcop.net
        serial = 1165340751
        refresh = 3600 (1 hour)
        retry = 1800 (30 mins)
        expire = 3600 (1 hour)
        default TTL = 0 (0 secs)

------------

The thing I don't understand is that Spamhaus is working just fine and if my DNS cache would be screwed I would assume it would affect both services that are being queried. Anyhow, there's the info.

Link to comment
Share on other sites

The thing I don't understand is that Spamhaus is working just fine and if my DNS cache would be screwed I would assume it would affect both services that are being queried. Anyhow, there's the info.

Just because one domain works, doesn't mean that other domains can be broken. Something definitely looks wrong with your DNS responses for SC queries. They should look something like this...

For an entry in the blocklist:
nslookup -debug 2.0.0.127.bl.spamcop.net
Server:         195.7.224.143
Address:        195.7.224.143#53

------------
    QUESTIONS:
        2.0.0.127.bl.spamcop.net, type = A, class = IN
    ANSWERS:
    ->  2.0.0.127.bl.spamcop.net
        internet address = 127.0.0.2
    AUTHORITY RECORDS:
    ->  bl.spamcop.net
        nameserver = blns43.spamcop.net.
    ->  bl.spamcop.net
        nameserver = blns45.spamcop.net.
    ->  bl.spamcop.net
        nameserver = blns47.spamcop.net.
    ->  bl.spamcop.net
        nameserver = blns48.spamcop.net.
    ->  bl.spamcop.net
        nameserver = blns9.spamcop.net.
    ->  bl.spamcop.net
        nameserver = blns33.spamcop.net.
    ->  bl.spamcop.net
        nameserver = blns34.spamcop.net.
    ->  bl.spamcop.net
        nameserver = blns42.spamcop.net.
    ADDITIONAL RECORDS:
    ->  blns9.spamcop.net
        internet address = 208.39.222.110
    ->  blns33.spamcop.net
        internet address = 195.54.99.5
    ->  blns34.spamcop.net
        internet address = 192.42.113.254
    ->  blns42.spamcop.net
        internet address = 72.232.188.26
    ->  blns43.spamcop.net
        internet address = 72.232.188.18
    ->  blns45.spamcop.net
        internet address = 209.67.211.210
    ->  blns47.spamcop.net
        internet address = 209.67.211.202
    ->  blns48.spamcop.net
        internet address = 63.246.147.170
------------
Non-authoritative answer:
Name:   2.0.0.127.bl.spamcop.net
Address: 127.0.0.2


For an entry not in the blocklist:
nslookup -debug 3.0.0.127.bl.spamcop.net
Server:         195.7.224.143
Address:        195.7.224.143#53

------------
    QUESTIONS:
        3.0.0.127.bl.spamcop.net, type = A, class = IN
    ANSWERS:
    AUTHORITY RECORDS:
    ->  bl.spamcop.net
        origin = bl.spamcop.net
        mail addr = hostmaster.admin.spamcop.net
        serial = 1165346152
        refresh = 3600
        retry = 1800
        expire = 3600
        minimum = 0
    ADDITIONAL RECORDS:
------------
** server can't find 3.0.0.127.bl.spamcop.net: NXDOMAIN

See the difference in the authority records? You did do this from the mail server with access to internet DNS and not from a machine on the internal network that can only see internal DNS?

Link to comment
Share on other sites

See the difference in the authority records? You did do this from the mail server with access to internet DNS and not from a machine on the internal network that can only see internal DNS?

Just because the authority records are not there does not mean it should not resolve.

My lookup, using our internal DNS still returns

Name: 2.0.0.127.bl.spamcop.net

Address: 127.0.0.2

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\>nslookup -debug 2.0.0.127.bl.spamcop.net
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        11.75.1.10.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  11.75.1.10.in-addr.arpa
        name = kopdc01.kopin.com
        ttl = 1200 (20 mins)

------------
Server:  kopdc01.kopin.com
Address:  10.1.75.11

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        2.0.0.127.bl.spamcop.net.kopin.com, type = A, class = IN
    AUTHORITY RECORDS:
    ->  kopin.com
        ttl = 3600 (1 hour)
        primary name server = kopdc01.kopin.com
        responsible mail addr = hostmaster.kopin.com
        serial  = 5448
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 900 (15 mins)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, auth. answer
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        2.0.0.127.bl.spamcop.net, type = A, class = IN
    ANSWERS:
    ->  2.0.0.127.bl.spamcop.net
        internet address = 127.0.0.2
        ttl = 2100 (35 mins)

------------
Name:    2.0.0.127.bl.spamcop.net
Address:  127.0.0.2


C:\>

Link to comment
Share on other sites

I'll ask the stupid question ..... if the 'connection' isn't made, don't most DNSBL check tools default to the mode "item not listed" ...????? (which would then also seem to indicate that the e-mail would pass ...)

The default in sendmail is to ignore lookups that time out. It can be set to issue a 450 temporary failure by adding an extra argument to the configuration line though. Never worked with an MTA that will issue a 5xx error on a timeout for a dnsbl lookup.

Link to comment
Share on other sites

Wazoo: That would be the default behavior for most DNSBL check tools that I've used.

Unforgiven23: what mail server software/DNSBL check tools and versions are you using?

I'm using ISMail EP version 3.3.877 by InstantServers.

See the difference in the authority records? You did do this from the mail server with access to internet DNS and not from a machine on the internal network that can only see internal DNS?

I ran the commands directly from the mailserver that uses our internal DNS server first then uses the DNS servers given to us directly by the ISP.

Link to comment
Share on other sites

Just to update, I found my resolution to be 2 fold....

1) Gmail has some servers that are blacklisted by Spamcop as well as other providers thus some email being rejected due to 550 errors.

2) There was an issue with the DNS server I had set up in the mail server configuration. In my server software it asks for 2 DNS servers for resolution. Well, I was using 2 root servers such as a.root-servers.org and b.root-servers.org and one of them was having an issue apparently. What I did was just change them to different servers and that solved any remaining issues I had.

This was just a problem that was multi-pronged and was a real pain to figure out. Yesterday I tried using different blacklisting services other than Spamhaus and I got similar results. I guess using Gmail for my testing account was a stupid idea, but upon further research Gmail has been blacklisted by a few providers and thus some of my issues. The strange thing is that some Gmail would go through, some would not, which led me to believe that it was the actual RBL that I was using.

Anyhow, thanks for the help and please mark this issue resolved.

Thank You!

Link to comment
Share on other sites
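An added example, not part of the thread or any poster's code: a sketch of a DNSBL check that runs the thread's two test lookups (127.0.0.2 and 10.0.0.1) as a self-test and only rejects with 550 when the resolver path passes it, falling back to accept or a 450 on timeouts as discussed above. The `resolve` callable, the `NameNotFound` and `LookupTimeout` exceptions and the stub resolvers are assumptions of this example; a real deployment would wrap its DNS library behind `resolve`.

```python
import ipaddress

class NameNotFound(Exception): pass   # NXDOMAIN (this example's own name)
class LookupTimeout(Exception): pass  # no answer in time (this example's own name)

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_qname(ip, zone):
    # Reverse the octets and end with a dot, so no search suffix is appended
    # (the thread's output shows a retry as ...bl.spamcop.net.XXX.LOCAL).
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."

def lookup(ip, zone, resolve):
    """Return 'listed', 'not_listed' or 'error' for one DNSBL query."""
    try:
        answers = resolve(dnsbl_qname(ip, zone))
    except NameNotFound:
        return "not_listed"
    except LookupTimeout:
        return "error"
    # Listings are answered from 127.0.0.0/8; any other address means the
    # resolver path is rewriting answers, which is not a listing.
    if answers and all(ipaddress.IPv4Address(a) in LOOPBACK for a in answers):
        return "listed"
    return "error"

def zone_healthy(zone, resolve):
    # Test points used in the thread: 127.0.0.2 is listed, 10.0.0.1 is not.
    return (lookup("127.0.0.2", zone, resolve) == "listed"
            and lookup("10.0.0.1", zone, resolve) == "not_listed")

def smtp_action(client_ip, zone, resolve, tempfail_on_error=False):
    """A 550 is returned only when the zone passes its self-test first."""
    on_error = "450" if tempfail_on_error else "accept"
    if not zone_healthy(zone, resolve):
        return on_error
    result = lookup(client_ip, zone, resolve)
    return {"listed": "550", "not_listed": "accept", "error": on_error}[result]

# Constructed resolver stubs standing in for real DNS (no real listing data).
def good_resolver(qname):
    listed = {"2.0.0.127.bl.spamcop.net.", "9.2.0.192.bl.spamcop.net."}
    if qname in listed:
        return ["127.0.0.2"]
    raise NameNotFound(qname)

def timing_out_resolver(qname):
    raise LookupTimeout(qname)
```
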

Archived

This topic is now archived and is closed to further replies.
