Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-17 Thread John Levine via mailop
It appears that Michael Peddemors via mailop  said:
>Just make it simple, set your DNS servers to be your upstream provider..
>You pay them money, use their services if you don't want to run your own 
>DNS server..

If you're doing DNSBL lookups and your upstream provider is a giant like
Comcast or Rogers, your lookups will be rate limited.  This is a particular
problem for DNSBLs; for normal traffic you are right.

R's,
John

>PS, don't even THINK of using DoH ;)

Comcast provides perfectly good DoH if that's what you want.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-17 Thread John Levine via mailop
It appears that Al Iverson via mailop  said:
>> On a Debian/Ubuntu system just
>>
>> apt install unbound
>>
>> It comes configured fairly safely, listening only on localhost.
>>
>> and edit /etc/resolv.conf to say
>>
>> nameserver 127.0.0.1
>>
>> And there isn't much else to it for a single machine.  Indeed it is quite
>> a good way to bring DNSSEC up to the local machine.

Yup.  For us BSD users, it's even installed by default.

>Until catching on to the limitations around DNSBL resolution, I'd been
>quite happy with public resolvers. Spamhaus has been warning about them
>for a while, so I can't be surprised. I just wasn't thinking much about
>it.

The people in the Netherlands who wrote unbound know what they're doing.
It's only a recursive resolver which avoids a lot of the crud associated
with bind.  (For authoritative DNS, there's the separate NSD program.)

>(On my XNND DNS tools site, the web-based DNS tools by default will
>rotate through a list of common public DNS servers, to help spread the
>joy around. Maybe I'll add an allow list of DNSBL domains that use a
>local resolver instead.)

Just set up a local resolver and point all your queries at it.  Unless your
tools site is busy enough to need load balancers, the query load on
unbound will be insignificant.

R's,
John


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-17 Thread Al Iverson via mailop
On Sat, Jul 17, 2021 at 1:24 AM John Brahy via mailop  wrote:
>
> Spam Haus is one of the worst. They’ll blacklist a company’s Corporate emails 
> if they think they send advertising emails even if they never use their 
> corporate domain to send email. Really dirty.

Son, you might be in the wrong business.

Cheers,
Al Iverson

-- 
Al Iverson // Wombatmail // Chicago
Deliverability: https://spamresource.com
DNS Tools: https://xnnd.com


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-17 Thread Tom Ivar Helbekkmo via mailop
Tim Bray via mailop  writes:

> apt install unbound
>
> It comes configured fairly safely, listening only on localhost.
>
> and edit /etc/resolv.conf to say
>
> nameserver 127.0.0.1
>
> And there isn't much else to it for single machine.  Indeed it is
> quite a good way to bring DNSSEC up to the local machine.

You should also add the line

options edns0

to your /etc/resolv.conf for DNSSEC to work properly.  (See e.g.
https://www.dns-oarc.net/oarc/services/replysizetest for details.)

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-16 Thread Al Iverson via mailop
On Fri, Jul 16, 2021 at 5:29 PM Tim Bray via mailop  wrote:
>
> On 16/07/2021 17:58, Al Iverson via mailop wrote:
> > If you want to guide this dummy on how to run a local resolver like
> > that, I'd appreciate the tips. :)  I was trying to get out of the DNS
> > business but if I want to do any local DNSBL querying, I guess I have
> > to reconsider that.
>
> On a Debian/Ubuntu system just
>
> apt install unbound
>
> It comes configured fairly safely, listening only on localhost.
>
> and edit /etc/resolv.conf to say
>
> nameserver 127.0.0.1
>
> And there isn't much else to it for a single machine.  Indeed it is quite
> a good way to bring DNSSEC up to the local machine.

Thanks! I'll give that a shot, much appreciated. Sounds quite easy and
just what I need. I'm struggling to get past my 20 year old mindset of
"don't run a DNS server if you don't have to" because bind was a
common hax0r vector, once upon a time.

Until catching on to the limitations around DNSBL resolution, I'd been
quite happy with public resolvers. Spamhaus has been warning about them
for a while, so I can't be surprised. I just wasn't thinking much about
it.

(On my XNND DNS tools site, the web-based DNS tools by default will
rotate through a list of common public DNS servers, to help spread the
joy around. Maybe I'll add an allow list of DNSBL domains that use a
local resolver instead.)

Cheers,
Al Iverson

-- 
Al Iverson // Wombatmail // Chicago
Deliverability: https://spamresource.com
DNS Tools: https://xnnd.com


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-16 Thread Tim Bray via mailop

On 16/07/2021 17:58, Al Iverson via mailop wrote:

> If you want to guide this dummy on how to run a local resolver like
> that, I'd appreciate the tips. :)  I was trying to get out of the DNS
> business but if I want to do any local DNSBL querying, I guess I have
> to reconsider that.

On a Debian/Ubuntu system just

apt install unbound

It comes configured fairly safely, listening only on localhost.

and edit /etc/resolv.conf to say

nameserver 127.0.0.1

And there isn't much else to it for a single machine.  Indeed it is quite
a good way to bring DNSSEC up to the local machine.

Resident memory usage is about 15 MB.  The whole thing comes in at 30 MB
including all the libraries and bits.

For a network, you'd want more threads, cache, a /64 pool of IPv6
addresses to guard against cache poisoning ...  but out of the box it is
actually very sensible for a single machine.

Bill Cole said:

> From the message you seem to be replying to:
>
>> I use my own local resolver (unbound 1.13.1) with no forwarders
>> configured.

I didn't actually see that bit, so sorry.  But my reason for saying so was
that I got screwed by one of my staff deciding there was a DNS issue
(there wasn't), deploying the automatic fix of 8.8.8.8 and not
telling anybody, and mail stopped for 50% of messages.




--
Tim Bray
Huddersfield, GB
t...@kooky.org



Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-16 Thread Mark Milhollan via mailop

On Thu, 15 Jul 2021, Bastian Blank wrote:

> Did you check the result of those RBL requests?  Spamhaus also provides
> specific codes for errors, so you _must_ explicitly list what codes you
> want to accept.  See
> https://www.spamhaus.org/faq/section/DNSBL%20Usage#200 for what those mean.

I've been consuming SBL-XBL for years.  But I don't have Postfix
checking for specific results -- I'm not sure I care whether those
addresses were temporarily listed (127.0.0.0/16), whether my 200 queries a
day managed to trip some policy limit (127.255.255.255), whether the
queries went via a public/open resolver (127.255.255.254), or whether they
were DBL queries that might have been malformed (127.255.255.252); it has
become problematic for me to continue using.  Perhaps it was due to a bug --
we'll see what Matthew finds -- in which case I might risk using it
again provided a fix is also described as having been made.

/mark


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-16 Thread Michael Peddemors via mailop

Just make it simple, set your DNS servers to be your upstream provider..
You pay them money, use their services if you don't want to run your own
DNS server..

PS, don't even THINK of using DoH ;)

BTW, everyone keeps talking about 1.1.1.1 and 8.8.8.8, but consider that..

'https://download.dnscrypt.info/resolvers-list/json/public-resolvers.json'

Anything in that list may not be able to look up DNS queries to RBLs..
Oh, and even some of the LARGEST companies have DNS servers that they
forgot to put a reverse DNS/PTR on..

If you don't have a PTR record, I won't believe you are a DNS server..

On 2021-07-16 10:48 a.m., Brielle via mailop wrote:
> On 7/16/21 10:58 AM, Al Iverson via mailop wrote:
>>> Each resolver node is set up of multiple pools that consist of resolvers
>>> I run, my provider, and 8.8.8.8/1.1.1.1.
>>
>> If you want to guide this dummy on how to run a local resolver like
>> that, I'd appreciate the tips. :) I was trying to get out of the DNS
>> business but if I want to do any local DNSBL querying, I guess I have
>> to reconsider that.
>>
>> In the meantime, is it bad vibes to query Spamhaus directly against
>> a.gns.spamhaus.org - e.gns.spamhaus.org? What kind of query level
>> might invite blocking?
>>
>> Cheers,
>> Al
>
> I've had a few people ask, so put up one of the example configs here:
>
> https://sosdg.org/general/dnsdist
>
> I'll prob add another config that is used for supporting auth servers
> behind dnsdist later on today.  It's also possible to have dnsdist route
> queries for both auth and recursive appropriately.
>
> If anyone has specific questions, feel free to drop me a line.  I'm not
> an expert on dnsdist, but I do have a bit of configuration experience.
>
> For those that don't know...
>
> So the general idea with dnsdist is that it's smart in how it routes
> queries.  It will test servers in the pools to make sure they are
> functioning, as well as track their latency.  If a server goes offline,
> it's marked as down until it returns, removing it temporarily from the pool.
>
> More complicated setups allow you to have fine-grained control over how it
> distributes queries in the pool, can support query quotas for clients,
> block potential DDoS attacks from hitting the backend DNS servers, and
> quite a bit more.

--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-16 Thread Mark Milhollan via mailop

On Fri, 16 Jul 2021, Al Iverson wrote:

> is it bad vibes to query Spamhaus directly against
> a.gns.spamhaus.org - e.gns.spamhaus.org?

Those are the servers that would normally be queried, in that they are
the listed NS for the DBL, PBL, SBL, XBL, SBL-XBL and ZEN zones.

/mark


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-16 Thread Brielle via mailop

On 7/16/21 10:58 AM, Al Iverson via mailop wrote:
>> Each resolver node is set up of multiple pools that consist of resolvers
>> I run, my provider, and 8.8.8.8/1.1.1.1.
>
> If you want to guide this dummy on how to run a local resolver like
> that, I'd appreciate the tips. :) I was trying to get out of the DNS
> business but if I want to do any local DNSBL querying, I guess I have
> to reconsider that.
>
> In the meantime, is it bad vibes to query Spamhaus directly against
> a.gns.spamhaus.org - e.gns.spamhaus.org? What kind of query level
> might invite blocking?
>
> Cheers,
> Al

I've had a few people ask, so put up one of the example configs here:

https://sosdg.org/general/dnsdist

I'll prob add another config that is used for supporting auth servers
behind dnsdist later on today.  It's also possible to have dnsdist route
queries for both auth and recursive appropriately.

If anyone has specific questions, feel free to drop me a line.  I'm not
an expert on dnsdist, but I do have a bit of configuration experience.

For those that don't know...

So the general idea with dnsdist is that it's smart in how it routes
queries.  It will test servers in the pools to make sure they are
functioning, as well as track their latency.  If a server goes offline,
it's marked as down until it returns, removing it temporarily from the pool.

More complicated setups allow you to have fine-grained control over how it
distributes queries in the pool, can support query quotas for clients,
block potential DDoS attacks from hitting the backend DNS servers, and
quite a bit more.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-16 Thread Al Iverson via mailop
On Thu, Jul 15, 2021 at 3:52 PM Brielle via mailop  wrote:
>
> On 7/15/21 12:26 PM, John Levine via mailop wrote:
> > It appears that Tim Bray via mailop  said:
> >> Just check which DNS servers you are using. And a lot of the 8.8.8.8
> >> and 9.9.9.9 of the world and similar don't work very well for RBLs
> >
> > s/very well/at all/
> >
> >> I usually install a local unbound.
> >
> > You have to unless the ISP DNS resolver is small enough not to run
> > into the query limits that Spamhaus and other large BLs have.
> >
> > R's,
> > John
>
> Off topic slightly, but someone might find the setup useful...
>
> I use a combination of dnsdist and powerdns recursor to give me a bit of
> flexibility and reliability.
>
> Each resolver node is set up of multiple pools that consist of resolvers
> I run, my provider, and 8.8.8.8/1.1.1.1.

If you want to guide this dummy on how to run a local resolver like
that, I'd appreciate the tips. :) I was trying to get out of the DNS
business but if I want to do any local DNSBL querying, I guess I have
to reconsider that.

In the meantime, is it bad vibes to query Spamhaus directly against
a.gns.spamhaus.org - e.gns.spamhaus.org? What kind of query level
might invite blocking?

Cheers,
Al


-- 
Al Iverson // Wombatmail // Chicago
Deliverability: https://spamresource.com
DNS Tools: https://xnnd.com


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-15 Thread Bill Cole via mailop

On 2021-07-15 at 09:06:14 UTC-0400 (Thu, 15 Jul 2021 14:06:14 +0100)
Tim Bray via mailop 
is rumored to have said:

> Just check which DNS servers you are using. And a lot of the
> 8.8.8.8 and 9.9.9.9 of the world and similar don't work very well for
> RBLs
>
> I usually install a local unbound.
>
> Sorry if that is too obvious, but it has caught me out before.

From the message you seem to be replying to:

> I use my own local resolver (unbound 1.13.1) with no forwarders
> configured.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-15 Thread Brielle via mailop

On 7/15/21 12:26 PM, John Levine via mailop wrote:
> It appears that Tim Bray via mailop  said:
>> Just check which DNS servers you are using. And a lot of the 8.8.8.8
>> and 9.9.9.9 of the world and similar don't work very well for RBLs
>
> s/very well/at all/
>
>> I usually install a local unbound.
>
> You have to unless the ISP DNS resolver is small enough not to run
> into the query limits that Spamhaus and other large BLs have.
>
> R's,
> John

Off topic slightly, but someone might find the setup useful...

I use a combination of dnsdist and PowerDNS Recursor to give me a bit of
flexibility and reliability.

Each resolver node is set up of multiple pools that consist of resolvers
I run, my provider, and 8.8.8.8/1.1.1.1.

For stuff relating to big CDNs, it's set to route queries to my upstream
(CenturyLink for example) DNS servers for the best possible
geolocation-based performance.

For DNSBL queries, it routes to my own resolvers only.

For general queries and any time the above pools are marked as 'down',
it's routed to the best performing 'up' servers built from the above
pools plus the big ones (8.8.8.8, 1.1.1.1, OpenDNS).

Since queries are directed in pools towards the resolvers with the lowest
latency, it offers a pretty good combination of performance and reliability.

I'd be happy to share the config with people if anyone wants to toy with
it.  Also works really really well as a load balancer and DDoS filter
for authoritative servers.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-15 Thread John Levine via mailop
It appears that Tim Bray via mailop  said:
>Just check which DNS servers you are using. And a lot of the 8.8.8.8
>and 9.9.9.9 of the world and similar don't work very well for RBLs

s/very well/at all/

>I usually install a local unbound.

You have to unless the ISP DNS resolver is small enough not to run
into the query limits that Spamhaus and other large BLs have.

R's,
John


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-15 Thread Bastian Blank via mailop
Hi

On Thu, Jul 15, 2021 at 04:29:24AM -0700, Mark Milhollan via mailop wrote:
> Spamhaus has been working fine for me and has been a wonderful resource for
> many years, but I recently decided I had to disable using them on my
> personal, low volume mail server because of a few recent surprises (that's
> right, I don't look at Spamhaus rejects, timestamps are UTC):

Did you check the result of those RBL requests?  Spamhaus also provides
specific codes for errors, so you _must_ explicitly list what codes you
want to accept.  See
https://www.spamhaus.org/faq/section/DNSBL%20Usage#200 for what those mean.

Bastian

-- 
"What terrible way to die."
"There are no good ways."
-- Sulu and Kirk, "That Which Survives", stardate unknown
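Bastian's point here, and Mark's list of the 127.255.255.x codes in his reply, come down to one rule for a DNSBL client: reject only when the answer falls inside the zone's documented listing range, and treat the error codes (rate limit, public resolver, malformed query) as a failed lookup, never as a listing. The Python below is an added example, not code from either poster or from Spamhaus; it builds the reversed-octet query name, classifies a constructed set of answers, and only rejects on a genuine listing. The listing ranges assumed are 127.0.0.0/24 for the IP zones (SBL/XBL/PBL/ZEN) and 127.0.1.0/24 for the DBL; the error codes are the three quoted in the thread.

```python
import ipaddress

# Spamhaus error return codes quoted in the thread. They report a problem
# with the query itself, not a listing of the host being looked up.
SPAMHAUS_ERROR_CODES = {
    "127.255.255.252": "malformed query (e.g. typing error in zone name)",
    "127.255.255.254": "query came via a public/open resolver",
    "127.255.255.255": "query volume exceeded the usage policy limit",
}

# Assumed listing ranges: Spamhaus IP zones answer in 127.0.0.0/24,
# the domain blocklist DBL answers in 127.0.1.0/24.
LISTING_NETS = (
    ipaddress.ip_network("127.0.0.0/24"),
    ipaddress.ip_network("127.0.1.0/24"),
)


def ip_query_name(client_ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, then the zone appended."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("this helper handles IPv4 only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def domain_query_name(hostname: str, zone: str) -> str:
    """DBL-style query name: the sender domain followed by the zone."""
    return hostname.rstrip(".").lower() + "." + zone


def classify(answers):
    """Classify the A records returned for a DNSBL query.

    answers: list of dotted-quad strings; an empty list stands for
    NXDOMAIN (not listed).  Returns (verdict, detail) where verdict is
    "not_listed", "listed" or "error".  Any error code wins over a
    listing code in the same answer set.
    """
    if not answers:
        return ("not_listed", None)
    for a in answers:
        if a in SPAMHAUS_ERROR_CODES:
            return ("error", SPAMHAUS_ERROR_CODES[a])
    listed = []
    for a in answers:
        try:
            addr = ipaddress.ip_address(a)
        except ValueError:
            return ("error", "unparseable answer " + a)
        if any(addr in net for net in LISTING_NETS):
            listed.append(a)
    if listed:
        return ("listed", listed)
    # e.g. a captive portal or a broken resolver handing back a public address
    return ("error", "unexpected return code(s) " + ", ".join(answers))


def decide(answers) -> str:
    """Reject only on a genuine listing; errors and NXDOMAIN are not rejects."""
    verdict, _ = classify(answers)
    return "reject" if verdict == "listed" else "accept"


if __name__ == "__main__":
    # Constructed sample: an IP from the thread's logs, answered as if the
    # query had hit the policy limit rather than being listed.
    q = ip_query_name("192.28.148.54", "sbl-xbl.spamhaus.org")
    print(q, classify(["127.255.255.255"]), decide(["127.255.255.255"]))
```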


Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-15 Thread Tim Bray via mailop

On 15/07/2021 12:29, Mark Milhollan via mailop wrote:
> Spamhaus has been working fine for me and has been a wonderful
> resource for many years, but I recently decided I had to disable using
> them on my personal, low volume mail server because of a few recent
> surprises (that's right, I don't look at Spamhaus rejects, timestamps
> are UTC):

Just check which DNS servers you are using. And a lot of the 8.8.8.8
and 9.9.9.9 of the world and similar don't work very well for RBLs.

I usually install a local unbound.

Sorry if that is too obvious, but it has caught me out before.

--
Tim Bray
Huddersfield, GB
t...@kooky.org



Re: [mailop] I disabled Spamhaus checking due to false-positives

2021-07-15 Thread Matthew Stith via mailop
Mark,

Replying off list to see if we can figure out what is going on.

On 7/15/2021 7:29 AM, Mark Milhollan via mailop wrote:
> Spamhaus has been working fine for me and has been a wonderful
> resource for many years, but I recently decided I had to disable using
> them on my personal, low volume mail server because of a few recent
> surprises (that's right, I don't look at Spamhaus rejects, timestamps
> are UTC):
>
>   Jul 10 22:20:34 mm-new smtpd[28996]: NOQUEUE: reject: RCPT from
> s0.eburgsquare.com[104.223.145.19]: 554 5.7.1 Service unavailable;
> Unverified Client host [s0.eburgsquare.com] blocked using
> dbl.spamhaus.org;
> https://www.spamhaus.org/query/domain/eburgsquare.com;
> from= to=<[elided]@milhollan.com>
> proto=ESMTP helo=
>   Jul 13 21:59:33 mm-new smtpd[20435]: NOQUEUE: reject: RCPT from
> liaoningosaurus.mktdns.com[192.28.148.54]: 554 5.7.1 Service
> unavailable; Client host [192.28.148.54] blocked using
> sbl-xbl.spamhaus.org;
> from=<733-ksk-625.0.175526.0.0.16914.9.10824...@email1.digium.com>
> to=<[elided]@milhollan.com> proto=ESMTP helo=
>   Jul 14 00:13:04 mm-new smtpd[22318]: NOQUEUE: reject: RCPT from
> mail-ej1-f68.google.com[209.85.218.68]: 554 5.7.1 Service unavailable;
> Client host [209.85.218.68] blocked using sbl-xbl.spamhaus.org;
> from=
> to=<[elided]@milhollan.com> proto=ESMTP helo=
>   Jul 14 15:25:30 mm-new smtpd[3627]: NOQUEUE: reject: RCPT from
> gk-w94-email.usps.gov[56.0.84.94]: 554 5.7.1 Service unavailable;
> Client host [56.0.84.94] blocked using sbl-xbl.spamhaus.org;
> from=
> to=<[elided]@milhollan.com> proto=ESMTP helo=
>   Jul 14 22:37:33 mm-new smtpd[10015]: NOQUEUE: reject: RCPT from
> my-mail.splashtop.com[34.208.80.28]: 554 5.7.1 Service unavailable;
> Client host [34.208.80.28] blocked using sbl-xbl.spamhaus.org;
> from= to=<[elided]@milhollan.com>
> proto=ESMTP helo=
>   Jul 15 06:17:18 mm-new smtpd[14530]: NOQUEUE: reject: RCPT from
> mta0.tedlarbagsale.com[134.73.145.18]: 554 5.7.1 Service unavailable;
> Unverified Client host [mta0.tedlarbagsale.com] blocked using
> dbl.spamhaus.org;
> https://www.spamhaus.org/query/domain/tedlarbagsale.com;
> from= to=<[elided]@milhollan.com>
> proto=ESMTP helo=
>   Jul 15 10:00:11 mm-new smtpd[3294]: NOQUEUE: reject: RCPT from
> mx.mailop.org[91.132.147.157]: 554 5.7.1 Service unavailable; Client
> host [91.132.147.157] blocked using sbl-xbl.spamhaus.org;
> from= to=<[elided]@milhollan.com>
> proto=ESMTP helo=
>
> Both DBL rejections look to be spam.  But all but 1 of these SBL-XBL
> rejections were non-spam (I know those senders and want their
> messages) so for me are false-positives -- the Gmail rejection looks
> like spam (I don't know that sender).  16 rejections (9 good
> rejections not shown) between Jul 10 00:00Z and Jul 15 10:20Z, 4 of
> which were not appropriate makes for a not good ratio.
>
> Manually checking the SBL-XBL rejections on the mail server shortly
> after the last rejection yielded null/NXDOMAIN responses via DNS using
> getent/dig and showed "no issues" via the Spamhaus web site reputation
> center.  I use my own local resolver (unbound 1.13.1) with no
> forwarders configured.
>
>
> /mark