RE: [Declude.JunkMail] DNS Warnings
Is there a way to have something we could take action on if when Declude queries the DNS Server and logs a WARNING SERVER FAILURE (i.e. HOLD, ROUTETO)? It seems in my testing, none of these domains that it got this for were legitimate (see below). Also, if Declude gets this back, it cancels processing of not only the DNS based tests, but also filters or external programs (i.e. Sniffer) according to the log. Thanks for the aid.

Keith

From: Keith Johnson
Sent: Sunday, January 25, 2004 1:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] DNS Warnings

Scott,

I took some time and went through the log and found that the following was true on all the ones I checked (around 50) entries, the following examples were found using dnsreport.com about the Warnings:

Getting MX record for mail3b-better-health.wsol8423.com... Received an NXDOMAIN response

OR

Getting MX record for atkingroup.co.uk... Received a response code of 2. This should be treated as an ERROR (per RFC974), and the E-mail delivery should PROBABLY be retried later

I found 1 or 2 that did show an entry listed in dnsreport, however, I could not connect to them via telnet or nslookup's

Keith

-----Original Message-----
From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
Sent: Sun 1/25/2004 10:44 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.JunkMail] DNS Warnings

> Thanks for the aid. I'm with you on the second point, I think our DNS server (Bind 8.4.3) attempted to verify the domain (all of them look spam in nature) and couldn't find an A or MX listed for them and returned back to Declude that warning.

Actually, the "server failure" should indicate that your DNS server is broken, so it definitely should *not* return the server failure unless it is broken, or *perhaps* if it receives a server failure from the remote DNS server.

Declude JunkMail is asking BIND if the domain has an MX or A record -- so if it returns a server failure when it should not, it is hurting your spam control.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] DNS Warnings
> Is there a way to have something we could take action on if when Declude queries the DNS Server and logs a WARNING SERVER FAILURE (i.e. HOLD, ROUTETO)? It seems in my testing, none of these domains that it got this for were legitimate (see below).

The problem here occurs if *your* DNS server starts reporting a server failure. If that happens, then all mail (spam and legitimate mail) will get caught by the test.

-Scott
Re: [Declude.JunkMail] DNS Warnings
I think you can filter on the "server failure" entry that appears in place of the REVDNS name with a custom filter (is that correct?).

Canceling processing on all RBL's along with external tests seems like an issue that needs to be addressed if in fact the case. I'm also scanning on multiple hops and I would be curious about how that would affect such things. This would seem to be a hole that could be exploited if this is in fact true.

From my own DNS digging on spam networks, I've found a fair number of them that don't have a server that will respond to reverse DNS queries (failure to contact the server). This is probably the case because a block delegated directly from ARIN to a spam house isn't always configured properly because they like to use dynamic entries in order to avoid detection, and that can lead to mistakes. This also might be doing this in order to avoid detection. Certainly the less information you have, the harder it is to identify and track the spammer.

Matt
--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
[Declude.JunkMail] DNS Warnings
I noticed in our Declude Log (running MID) that we have numerous of the below message (different domains). Is this telling me that there was no MX or A record listed for the lookup domain? I'm pretty sure, however, just wanted to check, thanks for the aid.

Keith

WARNING: DNS server 10.10.50.31 returned a SERVER FAILURE error for MX or A for srvrdasdsmmkva06k.xp4y.net
Re: [Declude.JunkMail] DNS Warnings
> I noticed in our Declude Log (running MID) that we have numerous of the below message (different domains). Is this telling me that there was no MX or A record listed for the lookup domain? I'm pretty sure, however, just wanted to check, thanks for the aid.

It is saying that your DNS server reported a server failure - which technically means that *your* server failed. However, many DNS servers will return a server failure response when a remote DNS server returns a server failure. So the chances are that the remote DNS server is the one with the problem.

Declude JunkMail will not fail the test if a server failure is returned.

-Scott
RE: [Declude.JunkMail] DNS Warnings
Scott,

Thanks for the aid. I'm with you on the second point, I think our DNS server (Bind 8.4.3) attempted to verify the domain (all of them look spam in nature) and couldn't find an A or MX listed for them and returned back to Declude that warning. I appreciate the speedy response, have a good weekend.

Keith
RE: [Declude.JunkMail] DNS Warnings
> Thanks for the aid. I'm with you on the second point, I think our DNS server (Bind 8.4.3) attempted to verify the domain (all of them look spam in nature) and couldn't find an A or MX listed for them and returned back to Declude that warning.

Actually, the server failure should indicate that your DNS server is broken, so it definitely should *not* return the server failure unless it is broken, or *perhaps* if it receives a server failure from the remote DNS server.

Declude JunkMail is asking BIND if the domain has an MX or A record -- so if it returns a server failure when it should not, it is hurting your spam control.

-Scott
RE: [Declude.JunkMail] DNS Warnings
Scott,

I took some time and went through the log and found that the following was true on all the ones I checked (around 50) entries, the following examples were found using dnsreport.com about the Warnings:

Getting MX record for mail3b-better-health.wsol8423.com... Received an NXDOMAIN response

OR

Getting MX record for atkingroup.co.uk... Received a response code of 2. This should be treated as an ERROR (per RFC974), and the E-mail delivery should PROBABLY be retried later

I found 1 or 2 that did show an entry listed in dnsreport, however, I could not connect to them via telnet or nslookup's

Keith
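
The distinction this thread turns on (NXDOMAIN versus response code 2, SERVFAIL), as an added example that is not part of any post and is not Declude's code: it decodes the RCODE from a DNS response header and applies a hypothetical "MX or A" policy that, like the behaviour Scott describes, does not fail a message on a server failure. The function names, the verdict labels and the 0.5 threshold are assumptions, and the packets are constructed samples.

```python
import struct

# RCODE field of the DNS header (RFC 1035, section 4.1.1).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_response(txid, rcode, ancount=0):
    """Constructed sample: a bare 12-byte DNS response header."""
    flags = 0x8000 | 0x0100 | 0x0080 | (rcode & 0x000F)  # QR, RD, RA, RCODE
    return struct.pack("!HHHHHH", txid, flags, 0, ancount, 0, 0)


def parse_header(packet):
    """Return (rcode_name, answer_count) from a DNS response."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), ancount


def mx_or_a_verdict(mx_packet, a_packet):
    """Hypothetical policy for a 'sender domain has an MX or A record' test.

    exists:        at least one lookup returned records
    missing:       both lookups were definite negatives (NXDOMAIN, empty NOERROR)
    indeterminate: SERVFAIL or another error; no evidence about the domain,
                   so do not fail the message on it
    """
    results = [parse_header(p) for p in (mx_packet, a_packet)]
    if any(name == "NOERROR" and count > 0 for name, count in results):
        return "exists"
    if all(name in ("NXDOMAIN", "NOERROR") for name, _ in results):
        return "missing"
    return "indeterminate"


def resolver_suspect(verdicts, threshold=0.5):
    """True when the share of indeterminate verdicts reaches the (assumed)
    threshold, which points at the local resolver rather than remote zones."""
    if not verdicts:
        return False
    return verdicts.count("indeterminate") / len(verdicts) >= threshold
```

Feeding `resolver_suspect` the verdicts from a recent window of messages separates the case Scott warns about, where the local DNS server itself is failing, from scattered failures on individual remote domains.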