exchange 2003 sp2 server dnsbl problem


snagglepuss

Hi All,

I'm new to spamcop so bear with me! I'm not sure where to post this issue, but I'll try here and on the Geek forum.

We have an exchange 2003 sp2 server and I have set up connection filtering using spamcop and spamhaus as the blocklist providers. I can see the dns lookup requests being sent to spamcop/spamhaus, however, the only thing I get back from both bl providers is what looks to be the ip address of HP (Hewlett Packard)??? Return code?? See below for the packet trace for detailed info...

22:07:12.926859 10.16.103.3.47116 > 216.220.0.1.53: [udp sum ok] 1503+ A? 15.103.16.10.sbl-xbl.spamhaus.org. [|domain] (ttl 128, id 55291, len 79)

22:07:12.939353 216.220.0.1.53 > 10.16.103.3.47116: [udp sum ok] 1503 NXDomain q: A? 15.103.16.10.sbl-xbl.spamhaus.org. 0/1/0 ns: sbl-xbl.spamhaus.org. SOA need.to.know.only. hostmaster.spamhaus.org. 2007112887 3600 600 432000 900 (115) (ttl 59, id 49229, len 143)

22:07:12.940154 10.16.103.3.47117 > 216.220.0.1.53: [udp sum ok] 1504+ A? 15.103.16.10.bl.spamcop.net. [|domain] (ttl 128, id 55292, len 73)

22:07:13.045317 216.220.0.1.53 > 10.16.103.3.47117: [udp sum ok] 1504 NXDomain q: A? 15.103.16.10.bl.spamcop.net. 0/1/0 ns: bl.spamcop.net. SOA bl.spamcop.net. hostmaster.admin.spamcop.net. 1196286351 3600 1800 3600 0 (98) (ttl 59, id 49261, len 126)

Thanks for any/all help!

Hi All,

I'm new to spamcop so bear with me! I'm not sure where to post this issue, but I'll try here and on the Geek forum.

We have an exchange 2003 sp2 server and I have set up connection filtering using spamcop and spamhaus as the blocklist providers. I can see the dns lookup requests being sent to spamcop/spamhaus, however, the only thing I get back from both bl providers is what looks to be the ip address of HP (Hewlett Packard)??? Return code?? See below for the packet trace for detailed info...

<snip>

22:07:12.939353 216.220.0.1.53 > 10.16.103.3.47116: [udp sum ok] 1503 NXDomain q: A?

<snip>

22:07:13.045317 216.220.0.1.53 > 10.16.103.3.47117: [udp sum ok] 1504 NXDomain q: A?

<snip>

Thanks for any/all help!

NXDomain is the reply you should expect to see if the IP you are testing is not listed on the blocklist you're testing against.

Here are responses to an unlisted and a listed address formatted by dig. You can see how the formatted data relates to what you're seeing in your packet captures.

Unlisted

dig 1.0.0.127.zen.spamhaus.org

; <<>> DiG 9.3.1 <<>> 1.0.0.127.zen.spamhaus.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63664
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.0.0.127.zen.spamhaus.org.	IN	  A

;; AUTHORITY SECTION:
zen.spamhaus.org.	   900	 IN	  SOA	 need.to.know.only. hostmaster.spamhaus.org. 2007120407 3600 600 432000 900

;; Query time: 193 msec
;; SERVER: 195.7.224.57#53(195.7.224.57)
;; WHEN: Tue Dec  4 02:00:09 2007
;; MSG SIZE  rcvd: 108

Listed

dig 2.0.0.127.zen.spamhaus.org

; <<>> DiG 9.3.1 <<>> 2.0.0.127.zen.spamhaus.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35876
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 23, ADDITIONAL: 3

;; QUESTION SECTION:
;2.0.0.127.zen.spamhaus.org.	IN	  A

;; ANSWER SECTION:
2.0.0.127.zen.spamhaus.org. 1357 IN	 A	   127.0.0.10
2.0.0.127.zen.spamhaus.org. 1357 IN	 A	   127.0.0.2
2.0.0.127.zen.spamhaus.org. 1357 IN	 A	   127.0.0.4

;; AUTHORITY SECTION:
zen.spamhaus.org.	   46681   IN	  NS	  c.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  d.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  f.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  g.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  h.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  i.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  k.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  l.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  m.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  n.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  o.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  q.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  r.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  s.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  t.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  x.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  y.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  1.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  3.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  4.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  8.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  a.ns.spamhaus.org.
zen.spamhaus.org.	   46681   IN	  NS	  b.ns.spamhaus.org.

;; ADDITIONAL SECTION:
1.ns.spamhaus.org.	  10373   IN	  A	   218.189.175.50
1.ns.spamhaus.org.	  10373   IN	  A	   220.181.15.205
3.ns.spamhaus.org.	  10373   IN	  A	   203.81.36.6

;; Query time: 72 msec
;; SERVER: 195.7.224.57#53(195.7.224.57)
;; WHEN: Tue Dec  4 02:00:17 2007
;; MSG SIZE  rcvd: 511

I'm new to spamcop so bear with me! I'm not sure where to post this issue, but I'll try here and on the Geek forum.

Do not make duplicate posts in multiple Forum sections.

Had the query just been about the use of the SpamCop.net DNSBL, then the suggested place would have been in the Blocking List Help Forum section. However, you included multiple BLs as used by an Exchange server, so in reality, the Geeks .. Software issue should have been the more likely spot. However, one has to note that the Lounge area gets a lot more traffic .. it's just that the many, many views are probably from folks that wouldn't have a clue as to how to come up with an answer.

Moving to the more appropriate Forum section with this post. Duplicate Post removed.

Hello Graemel,

Thanks for the information. I'm not sure I can interpret what you are saying here. It sounds to me like you are saying that the response back from spamcop/spamhaus looks valid to you?

I'm afraid I'm not familiar with Dig and my position here at my company is Management so I am relying on the technical people that I work with.

The packet capture was done by our security monitoring company and the technician that tried to help me said he couldn't understand why the packet trace is showing an address of 15.103.16.10 (which is the address of hewlett packard) instead of the 127.0.0.x return code. I can see through exchange monitoring that the dns BL lookup requests are being sent to spamcop/spamhaus, however, the exchange monitor is showing that none of the replies from spamcop/spamhaus are indicating to exchange to drop the email if it's spam. It's just showing the 15.103.16.10 address as the return code (according to the tech)?

Any additional help or explanation would be greatly appreciated!

Thanks!

Thanks for your direction/help Wazoo! I'll try not to make the same mistake next time!

OK, I see your problem now. This is going to be pretty technical, but it should make sense to your IT staff.

The replies are correct given the queries that your server is sending, but the queries are meaningless.

When querying a blocklist, the quads are reversed. If I want to test the IP address 127.0.0.2, the query actually gets sent as 2.0.0.127.sbl-xbl.spamhaus.org. So the IP address you are querying isn't 15.103.16.10 (which does belong to HP) but 10.16.103.15 which is in IANA reserved space. This would seem to indicate that the mail server that you're attempting to do the lookups from doesn't receive mail directly from the internet, but instead gets it from another server which is connected to the internet and then relays it over your internal network.

Since the sort of lookups that you're attempting only ever check the address of the machine that is involved in the current SMTP transaction, all your lookups will be for 10.16.103.15. One solution would be to do the RBL checks on the external gateway.

I'm assuming that your setup looks something like this:

Internal server <---> External gateway <---> Internet

So all checks on the internal server will always check the address of the external gateway.

If you can do the tests at the external gateway, you will be testing the address of the machine on the internet that is trying to send you mail.

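The octet reversal Graemel describes, as an added example that is not part of the thread and not Exchange's own lookup code: it builds a DNSBL query name, recovers the address a captured query is really testing, and flags the RFC 1918 case that produced the "HP address" confusion. The captured entries are constructed from the query names and dig output quoted in this thread.

```python
import ipaddress

# RFC 1918 private ranges; a lookup for one of these tests an internal relay, not the sender.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def dnsbl_query_name(ip, zone):
    """Reverse the four octets of ip and append the DNSBL zone (127.0.0.2 -> 2.0.0.127.zone)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def ip_from_query_name(qname, zone):
    """Undo dnsbl_query_name: recover the address a captured lookup actually tests."""
    labels = qname.rstrip(".").split(".")
    zone_labels = zone.rstrip(".").split(".")
    if labels[-len(zone_labels):] != zone_labels or len(labels) != len(zone_labels) + 4:
        raise ValueError("not a reversed-IPv4 query for zone %s: %s" % (zone, qname))
    return ".".join(reversed(labels[:4]))

def interpret(qname, zone, rcode, answers=()):
    """Classify one captured DNSBL reply; returns (tested_ip, verdict)."""
    ip = ip_from_query_name(qname, zone)
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in RFC1918):
        return ip, "private RFC 1918 address: the lookup tests an internal relay, not the internet sender"
    if rcode == "NXDOMAIN":
        return ip, "not listed"
    # A listing is signalled by NOERROR plus one or more 127.0.0.x A records.
    if rcode == "NOERROR" and answers and all(a.startswith("127.0.0.") for a in answers):
        return ip, "listed (" + ", ".join(sorted(answers)) + ")"
    return ip, "unexpected reply rcode=%s answers=%s" % (rcode, list(answers))

# Constructed capture: query names, rcodes and answer data as quoted in the thread above.
CAPTURED = [
    ("15.103.16.10.sbl-xbl.spamhaus.org.", "sbl-xbl.spamhaus.org", "NXDOMAIN", ()),
    ("1.0.0.127.zen.spamhaus.org.", "zen.spamhaus.org", "NXDOMAIN", ()),
    ("2.0.0.127.zen.spamhaus.org.", "zen.spamhaus.org", "NOERROR", ("127.0.0.10", "127.0.0.2", "127.0.0.4")),
]

def diagnose(captured=CAPTURED):
    """Run interpret() over every captured query/reply pair."""
    return [interpret(*entry) for entry in captured]

if __name__ == "__main__":
    for ip, verdict in diagnose():
        print(ip, "->", verdict)
```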
Thanks Graemel!

You have been a great help. I will have the tech guys take a look at this and see what they recommend.

Your assumption is correct (Internal server <---> External gateway <---> Internet). We also have an SMTP email virus checking server that checks the incoming email for viruses before it gets to the email server (exchange). Maybe this is the issue.

Thanks again,

I'll let you know what we do!
