RE: [Declude.JunkMail] DNS Warnings

2004-01-26 Thread Keith Johnson
Is there a way to have something we could take action on 
if when Declude queries the DNS Server and logs a WARNING SERVER 
FAILURE (i.e. HOLD, ROUTETO)? It seems in my testing, none of these 
domains that it got this for were legitimate (see below). Also, if 
Declude gets this back, it cancels processing of not only the DNS based tests, 
but also filters or external programs (i.e. Sniffer) according to the log. 
Thanks for the aid.

Keith


From: Keith Johnson
Sent: Sunday, January 25, 2004 1:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] DNS Warnings


Scott,

  I took some time and went through the log and found that the following was
  true on all the ones I checked (around 50) entries, the following examples
  were found using dnsreport.com about the Warnings:

  Getting MX record for mail3b-better-health.wsol8423.com...
  Received an NXDOMAIN response

  OR

  Getting MX record for atkingroup.co.uk... Received a response code of 2.

  This should be treated as an ERROR (per RFC974), and the E-mail delivery
  should PROBABLY be retried later

  I found 1 or 2 that did show an entry listed in dnsreport, however, I could
  not connect to them via telnet or nslookup's
  
  Keith
  
  
-Original Message-
From: R. Scott Perry [mailto:[EMAIL PROTECTED]]
Sent: Sun 1/25/2004 10:44 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.JunkMail] DNS Warnings

> Thanks for the aid. I'm with you on the second point, I think
> our DNS server (Bind 8.4.3) attempted to verify the domain (all of
> them look spam in nature) and couldn't find an A or MX listed for
> them and returned back to Declude that warning.

Actually, the "server failure" should indicate that your DNS server is
broken, so it definitely should *not* return the server failure unless it
is broken, or *perhaps* if it receives a server failure from the remote
DNS server.

Declude JunkMail is asking BIND if the domain has an MX or A record -- so
if it returns a server failure when it should not, it is hurting your
spam control.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] DNS Warnings

2004-01-26 Thread R. Scott Perry

> Is there a way to have something we could take action on if when Declude
> queries the DNS Server and logs a WARNING SERVER FAILURE (i.e. HOLD,
> ROUTETO)?  It seems in my testing, none of these domains that it got this
> for were legitimate (see below).

The problem here occurs if *your* DNS server starts reporting a server 
failure.  If that happens, then all mail (spam and legitimate mail) will 
get caught by the test.

   -Scott


Re: [Declude.JunkMail] DNS Warnings

2004-01-26 Thread Matt




I think you can filter on the "server failure" entry that appears in
place of the REVDNS name with a custom filter (is that correct?).
Canceling processing on all RBL's along with external tests seems like
an issue that needs to be addressed if in fact the case. I'm also
scanning on multiple hops and I would be curious about how that would
affect such things. This would seem to be a hole that could be
exploited if this is in fact true.

From my own DNS digging on spam networks, I've found a fair number of
them that don't have a server that will respond to reverse DNS queries
(failure to contact the server). This is probably the case because a
block delegated directly from ARIN to a spam house isn't always
configured properly because they like to use dynamic entries in order
to avoid detection, and that can lead to mistakes. This also might be
doing this in order to avoid detection. Certainly the less information
you have, the harder it is to identify and track the spammer.

Matt




-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=




Re: [Declude.JunkMail] DNS Warnings

2004-01-25 Thread R. Scott Perry

> I noticed in our Declude Log (running MID) that we have numerous of the
> below message (different domains).  Is this telling me that there was no
> MX or A record listed for the lookup domain?  I'm pretty sure, however, just
> wanted to check, thanks for the aid.

It is saying that your DNS server reported a server failure - which 
technically means that *your* server failed.

However, many DNS servers will return a server failure response when a 
remote DNS server returns a server failure.  So the chances are that the 
remote DNS server is the one with the problem.  Declude JunkMail will not 
fail the test if a server failure is returned.

   -Scott
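
Added example, not part of the original thread and not Declude's own code: a Python illustration of the distinction discussed in this thread between NXDOMAIN and response code 2 (SERVFAIL), together with a check for the case where the local resolver itself is the one failing. The function names, the decision labels and the 0.5 threshold are assumptions, and the sample packets are constructed 12-byte DNS headers.

```python
import struct

# RCODE values from the DNS header (RFC 1035, section 4.1.1).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def parse_header(packet: bytes):
    """Return (rcode_name, answer_count) from a raw DNS response."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", packet[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}"), ancount

def classify(packet: bytes) -> str:
    """Map an MX/A lookup result to a decision label (labels are assumptions)."""
    rcode, ancount = parse_header(packet)
    if rcode == "NXDOMAIN":
        return "fail"        # the domain does not exist
    if rcode == "NOERROR":
        return "pass" if ancount else "nodata"  # name exists, no such record
    return "tempfail"        # SERVFAIL and similar: unknown, do not fail the test

def resolver_suspect(packets, threshold=0.5):
    """True when the share of SERVFAIL answers points at the local resolver.
    The 0.5 threshold is an assumed value, not taken from the thread."""
    codes = [parse_header(p)[0] for p in packets]
    return bool(codes) and codes.count("SERVFAIL") / len(codes) >= threshold

def make_response(rcode: int, ancount: int) -> bytes:
    """Constructed sample: header-only response with QR, RD and RA set."""
    return struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, ancount, 0, 0)

if __name__ == "__main__":
    batch = [make_response(3, 0), make_response(2, 0), make_response(0, 1)]
    for pkt in batch:
        print(parse_header(pkt), "->", classify(pkt))
    print("resolver suspect:", resolver_suspect(batch))
```
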


RE: [Declude.JunkMail] DNS Warnings

2004-01-25 Thread Keith Johnson
Scott,
 Thanks for the aid.  I'm with you on the second point, I think our DNS server 
(Bind 8.4.3) attempted to verify the domain (all of them look spam in nature) and 
couldn't find an A or MX listed for them and returned back to Declude that warning.  I 
appreciate the speedy response, have a good weekend.
 
Keith


RE: [Declude.JunkMail] DNS Warnings

2004-01-25 Thread R. Scott Perry

> Thanks for the aid.  I'm with you on the second point, I think
> our DNS server (Bind 8.4.3) attempted to verify the domain (all of them
> look spam in nature) and couldn't find an A or MX listed for them and
> returned back to Declude that warning.

Actually, the server failure should indicate that your DNS server is 
broken, so it definitely should *not* return the server failure unless it 
is broken, or *perhaps* if it receives a server failure from the remote DNS 
server.

Declude JunkMail is asking BIND if the domain has an MX or A record -- so 
if it returns a server failure when it should not, it is hurting your spam 
control.

   -Scott


RE: [Declude.JunkMail] DNS Warnings

2004-01-25 Thread Keith Johnson
Scott,
 I took some time and went through the log and found that the following was 
true on all the ones I checked (around 50) entries, the following examples were found 
using dnsreport.com about the Warnings:
 
Getting MX record for mail3b-better-health.wsol8423.com...   Received an NXDOMAIN 
response
 
OR
 
Getting MX record for atkingroup.co.uk...   Received a response code of 2.

This should be treated as an ERROR (per RFC974), and the E-mail delivery should 
PROBABLY be retried later
 
I found 1 or 2 that did show an entry listed in dnsreport, however, I could 
not connect to them via telnet or nslookup's
 
Keith
 


RE: [Declude.JunkMail] DNS Warnings

2004-01-25 Thread Keith Johnson
Scott,

 I took some time and went through the log and found that the 
following was true on all the ones I checked (around 50) entries, the following 
examples were found using dnsreport.com about the Warnings:
 
Getting MX record for mail3b-better-health.wsol8423.com...   Received an 
NXDOMAIN response
 
OR
 
Getting MX record for atkingroup.co.uk...   Received a response code of 2.

This should be treated as an ERROR (per RFC974), and the E-mail delivery 
should PROBABLY be retried later
 
I found 1 or 2 that did show an entry listed in dnsreport, however, I 
could not connect to them via telnet or nslookup's
 
Keith
 
