Re: Refused by block lists
On 1/8/2023 12:36 PM, Matus UHLAR - fantomas wrote:

On 07.01.23 12:03, joe a wrote:
Thanks. I think I actually got unbound working but still was getting URIBL rejects from spamhaus.

On 1/7/2023 1:25 PM, Matus UHLAR - fantomas wrote:
- do you actually use that unbound server? is 127.0.0.1 in /etc/resolv.conf?

On 07.01.23 14:06, joe a wrote:
Pretty sure. Or, I was. Ran various tests with unbound running and not running confirmed it was working, at least providing a response.

providing answer to my second question would spare you from guessing.

On 08.01.23 13:07, joe a wrote:
127.0.0.1 is not in /etc/resolv.conf. I labor under the impression that telling unbound to accept query only on one IP and telling SA in local.cf "dns_server th.at.addr.ess" would cause it to use unbound.

this requires reloading spamassassin or any process using it (amavis, mimedefang etc). putting 127.0.0.1 into resolv.conf usually takes effect faster.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I want NOT to receive any advertising mail at this address.
I intend to live forever - so far so good.
Re: Refused by block lists
On 1/8/2023 2:08 PM, Martin Gregorie wrote:

On 07.01.23 14:06, joe a wrote:
Pretty sure. Or, I was. Ran various tests with unbound running and not running confirmed it was working, at least providing a response.

That's pretty simple to check, provided you've got Wireshark installed: Fire it up and tell it to watch for DNS and/or blacklist lookup traffic on the appropriate ports. Then feed known spam to SA. Wireshark will show you if spam is causing external lookup requests to be generated, where they are being sent, and what replies are being received

Martin

Earlier I was going to do something like that, but at the firewall/router link to the cable modem. I wanted to be sure the "source IP" was the site static IP.

A separate discussion uncovered I may have to register that IP with spamhaus.org. Registered years ago and stopped using it. Just now dawned that provider mergers caused my static IPs to change a few years back.

Almost every day I pass a "beef farmer" whose ponds and field teem with Canadian Geese. Perhaps that should have been an omen?
Re: Refused by block lists
> > On 07.01.23 14:06, joe a wrote:
> > > Pretty sure. Or, I was. Ran various tests with unbound running and
> > > not running confirmed it was working, at least providing a response.
> >

That's pretty simple to check, provided you've got Wireshark installed: Fire it up and tell it to watch for DNS and/or blacklist lookup traffic on the appropriate ports. Then feed known spam to SA. Wireshark will show you if spam is causing external lookup requests to be generated, where they are being sent, and what replies are being received

Martin
Re: Refused by block lists
On 1/8/2023 12:36 PM, Matus UHLAR - fantomas wrote:

On 07.01.23 12:03, joe a wrote:
Thanks. I think I actually got unbound working but still was getting URIBL rejects from spamhaus.

On 1/7/2023 1:25 PM, Matus UHLAR - fantomas wrote:
- do you actually use that unbound server? is 127.0.0.1 in /etc/resolv.conf?

On 07.01.23 14:06, joe a wrote:
Pretty sure. Or, I was. Ran various tests with unbound running and not running confirmed it was working, at least providing a response.

providing answer to my second question would spare you from guessing.

127.0.0.1 is not in /etc/resolv.conf. I labor under the impression that telling unbound to accept query only on one IP and telling SA in local.cf "dns_server th.at.addr.ess" would cause it to use unbound.
Re: Refused by block lists
On 07.01.23 12:03, joe a wrote:
Thanks. I think I actually got unbound working but still was getting URIBL rejects from spamhaus.

On 1/7/2023 1:25 PM, Matus UHLAR - fantomas wrote:
- do you actually use that unbound server? is 127.0.0.1 in /etc/resolv.conf?

On 07.01.23 14:06, joe a wrote:
Pretty sure. Or, I was. Ran various tests with unbound running and not running confirmed it was working, at least providing a response.

providing answer to my second question would spare you from guessing.

SA I told to use unbound via local.cf as well. Right now unbound is disabled and DNS is via "my old way".

why? it can't be worse.

- doesn't unbound forward queries to other (isp, open) resolvers?

Not certain. The docs/examples seemed a bit sparse suggesting it does and exceptions needed to be specified for spamhaus (for example) but did not provide examples of how to do that. Some folks elsewhere seemed to suggest it would "just work". Likely I need to learn how to configure it properly?

standard configuration should be enough, IF it's used at all.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I want NOT to receive any advertising mail at this address.
Remember half the people you know are below average.
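An added example (not part of the thread, and not SpamAssassin or unbound code) of the two checks asked about above: which resolver SpamAssassin will actually query, and whether that unbound instance forwards DNSBL lookups upstream. The file contents and addresses are constructed; it assumes the unbound.conf shown belongs to the resolver SpamAssassin points at and that each forward-zone gives `name:` before its `forward-addr:` lines.

```python
import ipaddress

def _directives(text, keyword):
    """Values of `keyword value` lines, ignoring # comments."""
    rows = (raw.split("#", 1)[0].split() for raw in text.splitlines())
    return [r[1] for r in rows if len(r) > 1 and r[0] == keyword]

def _host(value):
    """Drop the optional port from a dns_server value ([ip]:port or ip:port)."""
    if value.startswith("["):
        return value[1:value.index("]")]
    return value.split(":")[0] if value.count(":") == 1 else value

def forward_zones(unbound_conf):
    """Map each forward-zone name ('' is the root) to its upstream list."""
    zones, clause, name = {}, None, None
    for raw in unbound_conf.splitlines():
        key, _, val = raw.split("#", 1)[0].strip().partition(":")
        val = val.strip().strip('"')
        if key and not val:                  # clause header such as "forward-zone:"
            clause, name = key, None
        elif clause == "forward-zone" and key == "name":
            name = val.rstrip(".").lower()
            zones.setdefault(name, [])
        elif clause == "forward-zone" and name is not None \
                and key in ("forward-addr", "forward-host"):
            zones[name].append(val)
    return zones

def audit(local_cf, resolv_conf, unbound_conf, dnsbl="zen.spamhaus.org"):
    # dns_server in local.cf overrides the system resolver for SpamAssassin.
    resolvers, source = [_host(v) for v in _directives(local_cf, "dns_server")], "local.cf"
    if not resolvers:
        resolvers, source = _directives(resolv_conf, "nameserver"), "resolv.conf"
    zones, labels, forwarded = forward_zones(unbound_conf), dnsbl.lower().split("."), []
    for i in range(len(labels) + 1):         # the most specific forward-zone wins
        if ".".join(labels[i:]) in zones:
            forwarded = zones[".".join(labels[i:])]
            break
    public = [r for r in resolvers if ipaddress.ip_address(r).is_global]
    return {"source": source, "resolvers": resolvers,
            "public_resolvers": public, "dnsbl_forwarded_to": forwarded}

# Constructed sample files; the addresses are illustrative, not from the thread.
LOCAL_CF = "dns_server 192.168.1.10\n"
RESOLV_CONF = "nameserver 8.8.8.8\n"
UNBOUND_CONF = 'server:\n  interface: 192.168.1.10\nforward-zone:\n  name: "."\n  forward-addr: 8.8.8.8\n'
REPORT = audit(LOCAL_CF, RESOLV_CONF, UNBOUND_CONF)
print(REPORT)
```

In the constructed case SpamAssassin queries the private address, yet the lookup for zen.spamhaus.org still leaves through 8.8.8.8, which is the source the DNSBL operator sees.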
Re: Refused by block lists
joe a wrote on 2023-01-07 20:07:

On 1/7/2023 12:16 PM, Benny Pedersen wrote:

joe a wrote on 2023-01-07 18:03:
That will give me some time to review how to disable specific checks, such as dnswl.org which caused a score of -5.0 for some obviously spammy stuff.

please report spam https://www.dnswl.org/?page_id=17 especially for dnswl hi

I'll give it a try. When I looked at dnswl.org the last updated comment seemed to be from 2017, so I kind of wrote it off as being unmaintained. But, what do I know?

haha, they hate me on irc by this knowledge here have helped Mail::DMARC in the past to now being in use for spamassassin, just check references undobt ?, go on dnswl irc
Re: Refused by block lists
On 1/7/2023 12:16 PM, Benny Pedersen wrote:

joe a wrote on 2023-01-07 18:03:
That will give me some time to review how to disable specific checks, such as dnswl.org which caused a score of -5.0 for some obviously spammy stuff.

please report spam https://www.dnswl.org/?page_id=17 especially for dnswl hi

I'll give it a try. When I looked at dnswl.org the last updated comment seemed to be from 2017, so I kind of wrote it off as being unmaintained. But, what do I know?
Re: Refused by block lists
On 1/7/2023 1:25 PM, Matus UHLAR - fantomas wrote:

On 1/7/2023 9:06 AM, Matus UHLAR - fantomas wrote:
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists
Q: My queries to a DNS-blocklist were blocked. What does this mean?
...
Resolving the block might be as simple as using your own non-forwarding caching nameserver
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver

On 07.01.23 12:03, joe a wrote:
Thanks. I think I actually got unbound working but still was getting URIBL rejects from spamhaus.

- do you actually use that unbound server? is 127.0.0.1 in /etc/resolv.conf?

Pretty sure. Or, I was. Ran various tests with unbound running and not running confirmed it was working, at least providing a response.

SA I told to use unbound via local.cf as well. Right now unbound is disabled and DNS is via "my old way".

- doesn't unbound forward queries to other (isp, open) resolvers?

Not certain. The docs/examples seemed a bit sparse suggesting it does and exceptions needed to be specified for spamhaus (for example) but did not provide examples of how to do that. Some folks elsewhere seemed to suggest it would "just work". Likely I need to learn how to configure it properly?
Re: Refused by block lists
On 1/7/2023 9:06 AM, Matus UHLAR - fantomas wrote:
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists
Q: My queries to a DNS-blocklist were blocked. What does this mean?
...
Resolving the block might be as simple as using your own non-forwarding caching nameserver
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver

On 07.01.23 12:03, joe a wrote:
Thanks. I think I actually got unbound working but still was getting URIBL rejects from spamhaus.

- do you actually use that unbound server? is 127.0.0.1 in /etc/resolv.conf?

- doesn't unbound forward queries to other (isp, open) resolvers?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I want NOT to receive any advertising mail at this address.
Save the whales. Collect the whole set.
Re: Refused by block lists
joe a wrote on 2023-01-07 18:03:
That will give me some time to review how to disable specific checks, such as dnswl.org which caused a score of -5.0 for some obviously spammy stuff.

please report spam https://www.dnswl.org/?page_id=17 especially for dnswl hi
Re: Refused by block lists
On 1/7/2023 9:06 AM, Matus UHLAR - fantomas wrote:

On Fri, 6 Jan 2023, joe a wrote:
Attempting to utilize the various block lists and find rejection messages in mail headers "blocked due to usage of an open resolver".

On 06.01.23 09:49, John Hardin wrote:
Are you forwarding your SpamAssassin DNS queries to your ISP or (e.g.) Google?

Best practice is to set up a local, non-forwarding (potentially non-forwarding only for the DNSBL domains, see my email from a week or so back) DNS server for your MTA and SpamAssassin to use (potentially your entire local network as well, but that's not relevant to your question). DNSBL providers generally don't like requests from public DNS servers as they aggregate a lot of requests from a lot of sources.

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists
Q: My queries to a DNS-blocklist were blocked. What does this mean?
...
Resolving the block might be as simple as using your own non-forwarding caching nameserver
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver

Thanks. I think I actually got unbound working but still was getting URIBL rejects from spamhaus.

I've disabled queries for now and will try again in a few days, thinking the "free use" limits may have been tripped.

That will give me some time to review how to disable specific checks, such as dnswl.org which caused a score of -5.0 for some obviously spammy stuff.
Re: Refused by block lists
On Fri, 6 Jan 2023, joe a wrote:
Attempting to utilize the various block lists and find rejection messages in mail headers "blocked due to usage of an open resolver".

On 06.01.23 09:49, John Hardin wrote:
Are you forwarding your SpamAssassin DNS queries to your ISP or (e.g.) Google?

Best practice is to set up a local, non-forwarding (potentially non-forwarding only for the DNSBL domains, see my email from a week or so back) DNS server for your MTA and SpamAssassin to use (potentially your entire local network as well, but that's not relevant to your question). DNSBL providers generally don't like requests from public DNS servers as they aggregate a lot of requests from a lot of sources.

https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists
Q: My queries to a DNS-blocklist were blocked. What does this mean?
...
Resolving the block might be as simple as using your own non-forwarding caching nameserver
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I want NOT to receive any advertising mail at this address.
M$ Win's are shit, do not use it !
Re: Refused by block lists
On 1/6/2023 12:49 PM, John Hardin wrote:

On Fri, 6 Jan 2023, joe a wrote:
. ..

I think you're getting distracted by the word "resolve" there... This sounds like a DNS issue.

Agree it is likely a DNS issue. Apparently one I do not yet grasp.

Is there an online tool to which I can make a DNS query and have it display what it receives? Trying to avoid having to packet sniff my outbound traffic. I have captured DNS queries via the firewall log/filters, but would like to verify.
Re: Refused by block lists
joe a wrote on 2023-01-06 18:35:

On 1/6/2023 12:15 PM, Kevin A. McGrail wrote:
My interpretation is thus:
You have a firewall with a public IP and a private IP
You have a box with email behind that firewall.
When it talks to the world, it should do helo that maps back to your Firewall's public IP not to a private RFC1918 address.
Regards, KAM

Makes sense to me. So I guess my real question is, how do I cause spamassassin to make its query in that fashion? Since the wiki stated it in a way that suggests it is a spamassassin feature, I presume to ask here and not look at the firewall or elsewhere.

KAM is always right

firewall :=)

why do you ask for spamassassin configs then ?

if your spamassassin is on rfc1918 ip, then move your local dns server to wan ip on the firewall, then allow query from rfc 1918 on the dns server, listen-on 192.168.1.1 as an example, do list all ips "ip addr show" on the firewall and add all non routable ips from this list

ps don't bind the wan ip

if you can then use pdns-recursor, with nearly have all good defaults for all needed to be up and running safely

#powerdns Recursor 4.8.0 | Authoritative Server 4.7.3 | dnsdist 1.7.3

if you like to play :=)

bind is not that stable for me sadly, so using other problems to solve what bind don't do well
Re: Refused by block lists
On Fri, 6 Jan 2023, joe a wrote:
Attempting to utilize the various block lists and find rejection messages in mail headers "blocked due to usage of an open resolver".

Are you forwarding your SpamAssassin DNS queries to your ISP or (e.g.) Google?

Best practice is to set up a local, non-forwarding (potentially non-forwarding only for the DNSBL domains, see my email from a week or so back) DNS server for your MTA and SpamAssassin to use (potentially your entire local network as well, but that's not relevant to your question). DNSBL providers generally don't like requests from public DNS servers as they aggregate a lot of requests from a lot of sources.

One of many things puzzling me at the moment is something found in the related Wiki that states "A: Third, if your email gateway is behind a firewall make sure that SpamAssassin is resolving the gateway to its external address."

I think you're getting distracted by the word "resolve" there... This sounds like a DNS issue.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
I am not Charlie. I am armed.
---
Tomorrow: the 8th anniversary of the Charlie Hebdo massacre
Re: Refused by block lists
On 1/6/2023 12:15 PM, Kevin A. McGrail wrote:
My interpretation is thus:
You have a firewall with a public IP and a private IP
You have a box with email behind that firewall.
When it talks to the world, it should do helo that maps back to your Firewall's public IP not to a private RFC1918 address.
Regards, KAM

Makes sense to me. So I guess my real question is, how do I cause spamassassin to make its query in that fashion? Since the wiki stated it in a way that suggests it is a spamassassin feature, I presume to ask here and not look at the firewall or elsewhere.
Re: Refused by block lists
My interpretation is thus:
You have a firewall with a public IP and a private IP
You have a box with email behind that firewall.
When it talks to the world, it should do helo that maps back to your Firewall's public IP not to a private RFC1918 address.
Regards, KAM

On 1/6/2023 12:00 PM, joe a wrote:
Attempting to utilize the various block lists and find rejection messages in mail headers "blocked due to usage of an open resolver".

One of many things puzzling me at the moment is something found in the related Wiki that states "A: Third, if your email gateway is behind a firewall make sure that SpamAssassin is resolving the gateway to its external address."

I brazenly confess I have no idea how to check this (or what it means, in this context). Figured I should sort out that puzzlement before attempting to install and configure "unbound" for example.

--
Kevin A. McGrail
kmcgr...@apache.org
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Refused by block lists
Attempting to utilize the various block lists and find rejection messages in mail headers "blocked due to usage of an open resolver".

One of many things puzzling me at the moment is something found in the related Wiki that states "A: Third, if your email gateway is behind a firewall make sure that SpamAssassin is resolving the gateway to its external address."

I brazenly confess I have no idea how to check this (or what it means, in this context). Figured I should sort out that puzzlement before attempting to install and configure "unbound" for example.