[Declude.JunkMail] RE: Thoughts on running DNS on the IMail (declude) server ???
Hey David What would your thoughts be on running a Caching ONLY DNS on the IMail (declude) server ??? Thanks very much Ferrell - Original Message - From: Todd Richards [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Thursday, July 10, 2008 4:26 PM Subject: X-IMail-SPAM RE: [Declude.JunkMail] Overnight Spam Increase? OK, that was it. I went onto my mail server and tried to ping my DNS server. No go. I rebooted my DNS server, flushed the cache from my mail server, then all was well. It looks like things are working again. Quick question - can I add a second DNS server (which I have) so that it looks there if the primary is unavailable? I never thought of that but I guess anytime I have to reboot the primary server, then I am effectively leaving the mail server unprotected. Thanks, David! Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, July 10, 2008 2:01 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Overnight Spam Increase? ISSUE: Spam is slipping past Declude that hasn't normally passed any filtering. Spam is not being weighted high enough for actionable thresholds to take effect. Place your LOGLEVEL in DEBUG, let it run for several minutes and then open the log. What we are trying to do is identify a possible DNS issue. Packets not making it to the DNS server or not making it back from the DNS server can be an issue if you are running Declude Security Suite. The reason is we rely heavily on these queries to be successfully resolved in order to trigger certain test and assign spam a high enough weight. If you see the following in the log, find out where these queries are going because they aren't getting back to the application. 02/07/2007 13:48:34.640 35958831 Test #2 [ADNSBL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #3 [BLITZEDALL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #4 [CBL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #5 [CSMA-SBL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #6 [DSBL-CONFIRMED] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #7 [FIVETEN-SRC] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #7 [FIVETEN-SRC]didn't get a response 02/07/2007 13:48:34.640 35958831 Test #8 [JAMMDNSBL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #9 [INTERSIL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #10 [IPWHOIS] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #11 [IMP-SPAM] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #12 [MXRATE-BLOCK] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #12 [MXRATE-BLOCK] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #12 [MXRATE-BLOCK] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #14 [NJABL] is same as Test #14 [NJABL=127.0.0.2]. Answer=? 02/07/2007 13:48:34.640 35958831 Test #15 [SBL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #16 [SORBS-HTTP] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #16 [SORBS-HTTP] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #16 [SORBS-HTTP] didn't get a response RESOLUTION: Check your diags.txt, if you see an IP address next to the DNS field and you see the above in your DEBUG log, that DNS server has either stopped responding or connectivity has been lost between the email server and the DNS machine. If no IP address has been identified in this field then Declude is having an issue reading it from your mail server itself. Open up your Global.cfg and specify an alternate address to another DNS server next to the DNS directive near the top of the file. Make sure to save your file, rename or delete the old DEBUG log and start a new one. You should see that these didn't get a response goes away. If you do not have an alternate DNS server try use the following. DNS 208.67.222.222 Also check your firewall to make sure it is not blocking DNS queries. David B -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, July 10, 2008 11:05 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Overnight Spam Increase? Hmm, this is new to me. An internal DNS issue or external (which we host with DNSMadeEasy)? This just started so I'm not sure where to look for resolution. Thanks, Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, July 10, 2008 9:11 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Overnight Spam Increase? Looks like you are having a DNS problem, this email never scored any RBL's yet when checking the IP it failed several. Failed: SPAMCOP HOSTKARMA SENDERSCORE UBL UCEPROTECTL2 UCEPROTECTL3 CASA-CBL+ CASA-CBL- SORBS-WEB SPAMHAUS PBL2 David B -Original
RE: [Declude.JunkMail] RE: Thoughts on running DNS on the IMail (declude) server ???
We do, it works really well. Quite Speedy!! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ferrell Ard Sent: Thursday, July 10, 2008 4:38 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] RE: Thoughts on running DNS on the IMail (declude) server ??? Hey David What would your thoughts be on running a Caching ONLY DNS on the IMail (declude) server ??? Thanks very much Ferrell - Original Message - From: Todd Richards [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Thursday, July 10, 2008 4:26 PM Subject: X-IMail-SPAM RE: [Declude.JunkMail] Overnight Spam Increase? OK, that was it. I went onto my mail server and tried to ping my DNS server. No go. I rebooted my DNS server, flushed the cache from my mail server, then all was well. It looks like things are working again. Quick question - can I add a second DNS server (which I have) so that it looks there if the primary is unavailable? I never thought of that but I guess anytime I have to reboot the primary server, then I am effectively leaving the mail server unprotected. Thanks, David! Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, July 10, 2008 2:01 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Overnight Spam Increase? ISSUE: Spam is slipping past Declude that hasn't normally passed any filtering. Spam is not being weighted high enough for actionable thresholds to take effect. Place your LOGLEVEL in DEBUG, let it run for several minutes and then open the log. What we are trying to do is identify a possible DNS issue. Packets not making it to the DNS server or not making it back from the DNS server can be an issue if you are running Declude Security Suite. The reason is we rely heavily on these queries to be successfully resolved in order to trigger certain test and assign spam a high enough weight. If you see the following in the log, find out where these queries are going because they aren't getting back to the application. 02/07/2007 13:48:34.640 35958831 Test #2 [ADNSBL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #3 [BLITZEDALL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #4 [CBL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #5 [CSMA-SBL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #6 [DSBL-CONFIRMED] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #7 [FIVETEN-SRC] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #7 [FIVETEN-SRC]didn't get a response 02/07/2007 13:48:34.640 35958831 Test #8 [JAMMDNSBL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #9 [INTERSIL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #10 [IPWHOIS] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #11 [IMP-SPAM] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #12 [MXRATE-BLOCK] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #12 [MXRATE-BLOCK] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #12 [MXRATE-BLOCK] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #14 [NJABL] is same as Test #14 [NJABL=127.0.0.2]. Answer=? 02/07/2007 13:48:34.640 35958831 Test #15 [SBL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #16 [SORBS-HTTP] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #16 [SORBS-HTTP] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #16 [SORBS-HTTP] didn't get a response RESOLUTION: Check your diags.txt, if you see an IP address next to the DNS field and you see the above in your DEBUG log, that DNS server has either stopped responding or connectivity has been lost between the email server and the DNS machine. If no IP address has been identified in this field then Declude is having an issue reading it from your mail server itself. Open up your Global.cfg and specify an alternate address to another DNS server next to the DNS directive near the top of the file. Make sure to save your file, rename or delete the old DEBUG log and start a new one. You should see that these didn't get a response goes away. If you do not have an alternate DNS server try use the following. DNS 208.67.222.222 Also check your firewall to make sure it is not blocking DNS queries. David B -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, July 10, 2008 11:05 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Overnight Spam Increase? Hmm, this is new to me. An internal DNS issue or external (which we host with DNSMadeEasy)? This just started so I'm not sure where to look
Re[2]: [Declude.JunkMail] RE: Thoughts on running DNS on the IMail (declude) server ???
We've done this in the past also -- it made quite a difference, especially on underpowered hardware. _M On Thursday, July 10, 2008, 5:18:30 PM, Fox,Thomas wrote: FT We do, it works really well. Quite Speedy!! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ferrell Ard Sent: Thursday, July 10, 2008 4:38 PM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] RE: Thoughts on running DNS on the IMail (declude) server ??? Hey David What would your thoughts be on running a Caching ONLY DNS on the IMail (declude) server ??? Thanks very much Ferrell - Original Message - From: Todd Richards [EMAIL PROTECTED] To: declude.junkmail@declude.com Sent: Thursday, July 10, 2008 4:26 PM Subject: X-IMail-SPAM RE: [Declude.JunkMail] Overnight Spam Increase? OK, that was it. I went onto my mail server and tried to ping my DNS server. No go. I rebooted my DNS server, flushed the cache from my mail server, then all was well. It looks like things are working again. Quick question - can I add a second DNS server (which I have) so that it looks there if the primary is unavailable? I never thought of that but I guess anytime I have to reboot the primary server, then I am effectively leaving the mail server unprotected. Thanks, David! Todd -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker Sent: Thursday, July 10, 2008 2:01 PM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Overnight Spam Increase? ISSUE: Spam is slipping past Declude that hasn't normally passed any filtering. Spam is not being weighted high enough for actionable thresholds to take effect. Place your LOGLEVEL in DEBUG, let it run for several minutes and then open the log. What we are trying to do is identify a possible DNS issue. Packets not making it to the DNS server or not making it back from the DNS server can be an issue if you are running Declude Security Suite. The reason is we rely heavily on these queries to be successfully resolved in order to trigger certain test and assign spam a high enough weight. If you see the following in the log, find out where these queries are going because they aren't getting back to the application. 02/07/2007 13:48:34.640 35958831 Test #2 [ADNSBL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #3 [BLITZEDALL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #4 [CBL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #5 [CSMA-SBL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #6 [DSBL-CONFIRMED] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #7 [FIVETEN-SRC] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #7 [FIVETEN-SRC]didn't get a response 02/07/2007 13:48:34.640 35958831 Test #8 [JAMMDNSBL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #9 [INTERSIL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #10 [IPWHOIS] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #11 [IMP-SPAM] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #12 [MXRATE-BLOCK] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #12 [MXRATE-BLOCK] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #12 [MXRATE-BLOCK] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #14 [NJABL] is same as Test #14 [NJABL=127.0.0.2]. Answer=? 02/07/2007 13:48:34.640 35958831 Test #15 [SBL] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #16 [SORBS-HTTP] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #16 [SORBS-HTTP] didn't get a response 02/07/2007 13:48:34.640 35958831 Test #16 [SORBS-HTTP] didn't get a response RESOLUTION: Check your diags.txt, if you see an IP address next to the DNS field and you see the above in your DEBUG log, that DNS server has either stopped responding or connectivity has been lost between the email server and the DNS machine. If no IP address has been identified in this field then Declude is having an issue reading it from your mail server itself. Open up your Global.cfg and specify an alternate address to another DNS server next to the DNS directive near the top of the file. Make sure to save your file, rename or delete the old DEBUG log and start a new one. You should see that these didn't get a response goes away. If you do not have an alternate DNS server try use the following. DNS 208.67.222.222 Also check your firewall to make sure it is not blocking DNS queries. David B -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Richards Sent: Thursday, July 10, 2008 11:05 AM To: declude.junkmail@declude.com Subject: RE: [Declude.JunkMail] Overnight
