OK, that was it. I went onto my mail server and tried to ping my DNS
server. No go. I rebooted my DNS server, flushed the cache from my mail
server, then all was well. It looks like things are working again.
Quick question - can I add a second DNS server (which I have) so that it
looks there if the primary is unavailable? I never thought of that but I
guess anytime I have to reboot the primary server, then I am effectively
leaving the mail server "unprotected".
Thanks, David!
Todd
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Thursday, July 10, 2008 2:01 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] Overnight Spam Increase?
ISSUE:
Spam is slipping past Declude that hasn't normally passed any filtering.
Spam is not being weighted high enough for actionable thresholds to take
effect.
Place your LOGLEVEL in DEBUG, let it run for several minutes and then open
the log. What we are trying to do is identify a possible DNS issue.
Packets not making it to the DNS server or not making it back from the DNS
server can be an issue if you are running Declude Security Suite. The
reason is we rely heavily on these queries to be successfully resolved in
order to trigger certain tests and assign spam a high enough weight. If you
see the following in the log, find out where these queries are going because
they aren't getting back to the application.
02/07/2007 13:48:34.640 35958831 Test #2 [ADNSBL] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #3 [BLITZEDALL] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #4 [CBL] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #5 [CSMA-SBL] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #6 [DSBL-CONFIRMED] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #7 [FIVETEN-SRC] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #7 [FIVETEN-SRC]didn't get a response
02/07/2007 13:48:34.640 35958831 Test #8 [JAMMDNSBL] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #9 [INTERSIL] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #10 [IPWHOIS] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #11 [IMP-SPAM] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #12 [MXRATE-BLOCK] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #12 [MXRATE-BLOCK] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #12 [MXRATE-BLOCK] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #14 [NJABL] is same as Test #14 [NJABL=127.0.0.2]. Answer=?
02/07/2007 13:48:34.640 35958831 Test #15 [SBL] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #16 [SORBS-HTTP] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #16 [SORBS-HTTP] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #16 [SORBS-HTTP] didn't get a response
RESOLUTION:
Check your diags.txt, if you see an IP address next to the DNS field and you
see the above in your DEBUG log, that DNS server has either stopped
responding or connectivity has been lost between the email server and the
DNS machine. If no IP address has been identified in this field then
Declude is having an issue reading it from your mail server itself. Open up
your Global.cfg and specify an alternate address to another DNS server next
to the DNS directive near the top of the file. Make sure to save your file,
rename or delete the old DEBUG log and start a new one. You should see that
these "didn't get a response" go away.
If you do not have an alternate DNS server try using the following.
DNS 208.67.222.222
Also check your firewall to make sure it is not blocking DNS queries.
David B
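The DEBUG-log check described in the message above, as an added example (not part of the original thread and not Declude's own code). It assumes the third field of each line is a per-message id, which the post does not state, and the sample log and the threshold of three tests are constructed for illustration.

```python
import re
from collections import defaultdict

# Line shape copied from the DEBUG excerpt quoted in the message above:
#   <date> <time> <id> Test #<n> [<NAME>] didn't get a response
# \s* after "]" tolerates the "[FIVETEN-SRC]didn't" variant seen there.
NO_ANSWER_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4} [\d:.]+ (?P<sid>\S+) "
    r"Test #\d+ \[(?P<name>[^\]=]+)\]\s*didn't get a response\s*$"
)

# Constructed sample in the same format; the second id and last line are made up.
SAMPLE_LOG = """\
02/07/2007 13:48:34.640 35958831 Test #4 [CBL] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #7 [FIVETEN-SRC]didn't get a response
02/07/2007 13:48:34.640 35958831 Test #12 [MXRATE-BLOCK] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #12 [MXRATE-BLOCK] didn't get a response
02/07/2007 13:48:34.640 35958831 Test #15 [SBL] didn't get a response
02/07/2007 13:49:02.115 35958832 Test #4 [CBL] didn't get a response
02/07/2007 13:49:02.115 35958832 constructed non-test debug line
"""


def unanswered_by_id(lines):
    """Map each id to the set of distinct tests that got no DNS answer."""
    lost = defaultdict(set)
    for raw in lines:
        m = NO_ANSWER_RE.match(raw.strip())
        if m:  # repeated lines for the same test collapse into one entry
            lost[m["sid"]].add(m["name"])
    return dict(lost)


def dns_suspects(lines, min_tests=3):
    """Ids where min_tests or more distinct tests went unanswered.

    One silent blocklist is ordinary; several at once points at the
    resolver or the path to it. min_tests=3 is an assumed threshold.
    """
    return {sid: sorted(names)
            for sid, names in unanswered_by_id(lines).items()
            if len(names) >= min_tests}


if __name__ == "__main__":
    for sid, names in dns_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"{sid}: {len(names)} tests unanswered: {', '.join(names)}")
```

Run against the live DEBUG log, a sudden run of flagged ids is the signal to check the DNS entry in diags.txt and the firewall before adjusting any test weights.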
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Thursday, July 10, 2008 11:05 AM
To: [email protected]
Subject: RE: [Declude.JunkMail] Overnight Spam Increase?
Hmm, this is new to me. An internal DNS issue or external (which we host
with DNSMadeEasy)? This just started so I'm not sure where to look for
resolution.
Thanks,
Todd
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Thursday, July 10, 2008 9:11 AM
To: [email protected]
Subject: RE: [Declude.JunkMail] Overnight Spam Increase?
Looks like you are having a DNS problem, this email never scored any RBL's
yet when checking the IP it failed several.
Failed: SPAMCOP HOSTKARMA SENDERSCORE UBL UCEPROTECTL2 UCEPROTECTL3
CASA-CBL+ CASA-CBL- SORBS-WEB SPAMHAUS PBL2
David B
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Thursday, July 10, 2008 9:16 AM
To: [email protected]
Subject: RE: [Declude.JunkMail] Overnight Spam Increase?
Thanks David. What I'm seeing is legitimate spam that while it is going
through Declude - most is marked as spam - it's not scoring quite high
enough to get held.
Normally my Junk E-mail folder in Outlook (used to catch what little does
make it through) has about 10 from the evening before. This morning, I had
140 in there. The strange part is that it looks like "old school" spam -
credit card stuff, meds, etc. But when I look at the headers I can see it
is going through the filters.
Below is an example of one such email, with the header information before
the body. (note my hold weight is at 19)
Todd
******** HEADER **********
Received: from [79.186.114.208] [79.186.114.208] by mail.nnepa.com with ESMTP
(SMTPD-8.22) id A25D01E4; Wed, 09 Jul 2008 23:38:53 -0500
Message-ID: <[EMAIL PROTECTED]>
From: "giraud bryan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: **SPAM**credit history
Date: Thu, 10 Jul 2008 02:51:27 +0000
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-invURIBL-Scan: Scanned by invURIBL 3.1.1 on 7/9/2008 11:40:06 PM
X-invURIBL-Weight: 0
X-invURIBL-Range: CLEAN
X-RBL-Warning: SNIFFER: Message failed SNIFFER: 58.
X-RBL-Warning: FILTER-COUNTRY: Message failed FILTER-COUNTRY test (line 174, weight 0)
X-RBL-Warning: WEIGHT10: Weight of 18 reaches or exceeds the limit of 10.
X-Declude-Sender: [EMAIL PROTECTED] [79.186.114.208]
X-Declude-Spoolname: D925c01be0000747b.smd
X-Declude-RefID: str=0001.0A010202.4875276F.00B8,ss=4,sh,fgs=0
X-Declude-Note: Scanned by Declude 4.3.64 for spam.
"http://www.declude.com/x-note.htm"
X-Declude-Scan: Incoming Score [18] at 23:40:14 on 09 Jul 2008
X-Declude-Tests: SNIFFER [18], FILTER-COUNTRY [0], WEIGHT10 [10], WEIGHT15
[15], ZEROHOUR [0]
X-Country-Chain: POLAND->destination
X-Declude-Code: f
X-Helo: [79.186.114.208]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 515451365
X-IMail-ThreadID: 925c01be0000747b
******** BODY **********
Do Not consolidate your debt Eliminate it!
Legally ELIMINATE your credit card and other unsecured debt
* WITHOUT ever making another payment to your creditors
* WITHOUT it affecting your credit long-term
* WITHOUT confrontation
Visit www.joinedtodayi.com
This IS NOT:
* Bankruptcy
* Consolidation
* Or refinancing of any kind
Visit here www.joinedtodayi.com to learn how
* Must have a minimum of $10K in combined household unsecured debt to
apply.
* Must be a US resident.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, July 09, 2008 2:24 PM
To: [email protected]
Subject: RE: [Declude.JunkMail] Overnight Spam Increase?
We got slammed at about 9 am EST time today, causing delays, most of the
increase looks like backscatter.
David B
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd
Richards
Sent: Wednesday, July 09, 2008 11:47 AM
To: [email protected]
Subject: [Declude.JunkMail] Overnight Spam Increase?
Hi Everyone -
There was an unusually high increase in the amount of spam for me to review
when I got to the office this morning, and more making it through to my
email than usual (still scanned and marked appropriately).
Is anyone else seeing this?
Todd
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.