[MDaemon-L] false positive?

2016-09-19 Thread Syafril Hermansyah
On 19/09/16 19:18, Andy Sujoto wrote:
>> The listing procedures differ between the two, and so do the removal
>> request procedures.
> Do you mean the sending server is categorized as a spammer?
> And why, for the same IP, 203.125.80.26, only about an hour apart, is the
> result different, from pass earlier to failed?


That is the fault of the DNS resolver, which gave wrong information.
Read my additional comment from earlier:

http://www.mail-archive.com/mdaemon-l@dutaint.com/msg40159.html

> What IP is 36.86.63.180?


That IP belongs to Telkom.net.id, which can be a sign that the resolution is
wrong.

The official technical term for this is "DNS hijacking":

https://www.spamhaus.org/faq/section/DNSBL%20Usage#202

|--quote -->
Your DNSBL blocks the whole Internet!

Another problem we have seen is where ISPs "hijack" some DNS replies.
This is done to monetize website traffic. Rather than returning an
NXDOMAIN ("not found") answer for a DNS request that cannot be found
(resolved), a pointer to an advertising page or search page is given.
Many public or "open" resolvers, as well as some secure resolvers on
cloud-based or wide area networks, use NXDOMAIN hijacking. As Spamhaus'
"not listed in our zone" replies are the same as a "webpage not found"
reply, users behind this sort of DNS monetization schemes will always
see an IP address returned rather than the correct NXDOMAIN DNS answer.
If this is the issue, there are three possible ways to resolve it: (1)
instruct your mail server to ignore all response codes that are not in
127.0.0.0/8 as they come from a "man in the middle" hijacking, not from
us; (2) contact your ISP or DNS provider to see if you can opt out,
otherwise change DNS resolvers; or (3) set up your own DNS resolver
(technically the best).

A second form of DNS hijacking has been seen, where an ISP cuts off DNS
traffic to DNS servers it feels are being queried too often. That may
also return an IP value, which will cause all email to be flagged as
spam. They may even null the value of the DNSBL's name. That can cause
unpredictable results and you will need to contact your ISP.
<--|

But the opposite can also happen.


|-- quote -->
Your DNSBL blocks nothing at all!


First, check our FAQ answer for "Your DNSBL blocks the whole Internet!"
and make sure you've not made a spelling mistake in your mailserver
configuration.

Check what DNS resolvers you are using: If you are using a free "open
DNS resolver" service such as the Google Public DNS or large
cloud/outsourced public DNS servers, such as Level3's or Verizon's, to
resolve your DNSBL requests, in most cases you will receive a "not
listed" (NXDOMAIN) reply from Spamhaus' public DNSBL servers. We
recommend using your own DNS servers when doing DNSBL queries to Spamhaus.
<--|

The problem is that spamhaus.org applies "free and non-free" criteria.


https://www.spamhaus.org/organization/dnsblusage/


|--quote -->
Spamhaus DNSBL Usage Terms  

Datafeed Service

If you are using the Spamhaus DNSBLs (SBL, XBL, PBL, DBL or ZEN) to
filter your mail you need to know whether you qualify for free use or
not. This is especially important in a corporate environment.

Too often staff set their company's mail server to use the Spamhaus
DNSBLs without checking these Usage Terms to see if their company
qualifies for free use. Some weeks or months down the line this then
causes problems when Spamhaus's public servers detect a high query
volume from a particular source and firewall it from the public DNSBL
network.

Free Use is satisfactory for private mail systems with low traffic, but
mail server administrators are responsible for ensuring their servers
remain constantly below the free use limits. Professional Use (known as
the Datafeed Service) provides a completely different and dependable
level of service, using your choice of either

Free Use

Spamhaus serves billions of DNSBL queries to the world every day, free
of charge, from its public DNSBL servers. This free public DNSBL service
is sustained thanks to donations of equipment and bandwidth and is
backed financially by an autonomous commercial service that delivers
Spamhaus data to ISPs, commercial networks and spam filter services. To
qualify for free Spamhaus DNSBL query service, mail server operators
must ensure they meet the criteria for free use.

Use of the Spamhaus DNSBLs via DNS queries to our public DNSBL servers
is free of charge if you meet all three of the following criteria:

1) Your use of the Spamhaus DNSBLs is non-commercial*,
and
2) Your email traffic is less than 100,000 SMTP connections
per day, and
3) Your DNSBL query volume is less than 300,000 queries
per day.

If you do not fit all three of these criteria then please do not use our
public DNSBL servers, instead see 'Professional Use'.
<--|


>> - first, only check the connecting IP; do not do a deep header check
>> (checking every IP in the flow).
> I do not understand yet, please explain, where should this be set?

read the links given earlier, read the whole thread

[MDaemon-L] false positive?

2016-09-19 Thread Syafril Hermansyah
On 19/09/16 18:09, Andy Sujoto wrote:

This is an addition.

> Fri 2016-09-16 11:28:52.614: Performing DNS-BL lookup (202.171.22.3 -
> connecting IP)
> 
> Fri 2016-09-16 11:28:52.771: *  zen.spamhaus.org - failed - 36.86.63.180

the above is a false positive result (a misjudgment) because the DNS query
is filtered.

$ dig +short 3.22.171.202.zen.spamhaus.org
..no result...
meaning 203.125.80.26 is not in the DNS-BL zen.spamhaus.org

it can be cross-checked at

https://www.spamhaus.org/lookup/


> Fri 2016-09-16 11:28:53.021: *  bl.spamcop.net - passed
> Fri 2016-09-16 13:01:17.442: Performing DNS-BL lookup (203.125.80.26 -
> connecting IP)
> 
> Fri 2016-09-16 13:01:17.771: *  zen.spamhaus.org - passed
> 
> Fri 2016-09-16 13:01:18.177: *  bl.spamcop.net - failed - 36.86.63.180

the above is also a misjudgment; the cause is the same as for the query to
zen.spamhaus.org above.
It can be cross-checked at

https://www.spamcop.net/bl.shtml


> Fri 2016-09-16 15:12:16.521: Performing DNS-BL lookup (61.47.9.220 -
> connecting IP)
> 
> Fri 2016-09-16 15:12:16.536: *  zen.spamhaus.org - failed - 127.0.0.4
> 
> Fri 2016-09-16 15:12:16.755: *  bl.spamcop.net - failed - 127.0.0.2

The one above is valid.

$ dig +short 220.9.47.61.zen.spamhaus.org
127.0.0.4

$ dig +short 220.9.47.61.bl.spamcop.net
127.0.0.2

In short, if you use DNS-BL, the DNS resolver that MDaemon relies on must not
be filtered, so that the results are accurate.


-- 
syafril
---
Syafril Hermansyah
MDaemon-L Moderators, MDaemon 16.5-64, SP 5.0.1-64
Please do not cc: or send to private mail for MDaemon issues.

The future is not a continuation of the past. The future will be a series
of discontinuous events. We must forget the ways we dealt with the past in
order to handle the future
-- Charles Handy


-- 
--MDaemon-L--
This list is for discussion among MDaemon Mail Server users.

Netiquette: https://wiki.openstack.org/wiki/MailingListEtiquette
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.co.id
Unsubscribe: Send mail to MDaemon-L-unsubscribe [at] dutaint.com
Subscribe: send mail to MDaemon-L-subscribe [at] dutaint.com
Latest versions MD 16.5.0, SP 5.0.1, OC 4.0, SG 4.0.1
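The resolver check this reply relies on, written out as an added example (this is not code from the original posts, from MDaemon or from Spamhaus): it builds the reversed-octet DNSBL query name, classifies each answer the way the Spamhaus FAQ quoted above recommends (only 127.0.0.0/8 comes from the DNSBL; 127.255.255.0/24 is reserved by Spamhaus for error codes; any other address means the resolver hijacked an NXDOMAIN), re-scores the MDaemon log lines quoted in the thread so that 36.86.63.180 is no longer counted as a hit, and stops at the first genuine listing as the settings list further down recommends. The stub resolver tables, the function and variable names are constructed for this example; the ZEN return-code table reflects the codes Spamhaus publishes.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# Only answers inside 127.0.0.0/8 come from a DNSBL.  Spamhaus reserves
# 127.255.255.0/24 for error signalling (e.g. 127.255.255.254 = query came
# through a public/open resolver), which is also not a listing.
DNSBL_NET = ipaddress.ip_network("127.0.0.0/8")
SPAMHAUS_ERROR_NET = ipaddress.ip_network("127.255.255.0/24")

# Published Spamhaus ZEN return codes, used to name a genuine hit.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)", "127.0.0.11": "PBL (Spamhaus maintained)",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """61.47.9.220 + zen.spamhaus.org -> 220.9.47.61.zen.spamhaus.org"""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone


def classify_answer(answer: Optional[str]) -> str:
    """Verdict for one A-record answer; None stands for NXDOMAIN (not listed)."""
    if answer is None:
        return "not_listed"
    addr = ipaddress.ip_address(answer)
    if addr in SPAMHAUS_ERROR_NET:
        return "error"        # the DNSBL is telling you the query itself is bad
    if addr in DNSBL_NET:
        return "listed"       # a real hit
    return "hijacked"         # a resolver substituted an address for NXDOMAIN


def check_ip(ip: str, zones: List[str],
             resolve: Callable[[str], Optional[str]]) -> Optional[Tuple[str, str, str]]:
    """Query the zones in order and stop at the first genuine listing.
    Hijacked and error answers are skipped, never treated as a hit."""
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if classify_answer(answer) == "listed":
            label = ZEN_CODES.get(answer, "listed") if "spamhaus" in zone else "listed"
            return zone, answer, label
    return None


LOOKUP_RE = re.compile(r"Performing DNS-BL lookup \((?P<ip>[\d.]+) - connecting IP\)")
RESULT_RE = re.compile(
    r"\*\s+(?P<zone>\S+) - (?P<status>passed|failed)(?: - (?P<answer>[\d.]+))?")


def parse_mdaemon_log(lines: List[str]) -> List[Dict]:
    """Group MDaemon DNS-BL log lines per connecting IP and re-score every
    'failed' answer with classify_answer."""
    lookups: List[Dict] = []
    for line in lines:
        m = LOOKUP_RE.search(line)
        if m:
            lookups.append({"ip": m.group("ip"), "results": {}})
            continue
        m = RESULT_RE.search(line)
        if m and lookups:
            answer = m.group("answer") if m.group("status") == "failed" else None
            lookups[-1]["results"][m.group("zone")] = (answer, classify_answer(answer))
    return lookups


def should_reject(lookup: Dict) -> bool:
    """Reject only on a real listing; a hijacked answer must not block mail."""
    return any(verdict == "listed" for _, verdict in lookup["results"].values())


# Log lines as quoted in the thread, re-joined onto single lines.
SAMPLE_LOG = [
    "Fri 2016-09-16 11:28:52.614: Performing DNS-BL lookup (202.171.22.3 - connecting IP)",
    "Fri 2016-09-16 11:28:52.771: *  zen.spamhaus.org - failed - 36.86.63.180",
    "Fri 2016-09-16 11:28:53.021: *  bl.spamcop.net - passed",
    "Fri 2016-09-16 13:01:17.442: Performing DNS-BL lookup (203.125.80.26 - connecting IP)",
    "Fri 2016-09-16 13:01:17.771: *  zen.spamhaus.org - passed",
    "Fri 2016-09-16 13:01:18.177: *  bl.spamcop.net - failed - 36.86.63.180",
    "Fri 2016-09-16 14:41:12.896: Performing DNS-BL lookup (203.125.80.26 - connecting IP)",
    "Fri 2016-09-16 14:41:14.161: *  zen.spamhaus.org - failed - 36.86.63.180",
    "Fri 2016-09-16 14:41:14.458: *  bl.spamcop.net - failed - 36.86.63.180",
    "Fri 2016-09-16 15:12:16.521: Performing DNS-BL lookup (61.47.9.220 - connecting IP)",
    "Fri 2016-09-16 15:12:16.536: *  zen.spamhaus.org - failed - 127.0.0.4",
    "Fri 2016-09-16 15:12:16.755: *  bl.spamcop.net - failed - 127.0.0.2",
]

# Constructed stub resolvers (no network): the honest one answers like the dig
# output in the thread (None == NXDOMAIN); the hijacking one returns the ISP's
# advertising IP for every name it cannot find, the failure mode in the log.
GOOD_TABLE = {
    "220.9.47.61.zen.spamhaus.org": "127.0.0.4",
    "220.9.47.61.bl.spamcop.net": "127.0.0.2",
}
def honest_resolver(name: str) -> Optional[str]: return GOOD_TABLE.get(name)
def hijacking_resolver(name: str) -> Optional[str]: return GOOD_TABLE.get(name, "36.86.63.180")

ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]

if __name__ == "__main__":
    for lk in parse_mdaemon_log(SAMPLE_LOG):
        print(lk["ip"], lk["results"], "REJECT" if should_reject(lk) else "accept")
    print(check_ip("61.47.9.220", ZONES, honest_resolver))      # ('zen.spamhaus.org', '127.0.0.4', 'XBL')
    print(check_ip("202.171.22.3", ZONES, hijacking_resolver))  # None
```

Run against the quoted log, only the 61.47.9.220 lookup is a reject; the three lookups that "failed" with 36.86.63.180 are classified as hijacked and accepted, which is the behaviour the Spamhaus FAQ asks the mail server to have. A practitioner would still fix the resolver rather than rely on this filter, since a hijacking resolver also hides real listings (it never returns NXDOMAIN correctly, and Spamhaus may answer with an error code instead of the real listing).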





[MDaemon-L] false positive?

2016-09-19 Thread Andy Sujoto
> The listing procedures differ between the two, and so do the removal
> request procedures.
Do you mean the sending server is categorized as a spammer?
And why, for the same IP, 203.125.80.26, only about an hour apart, is the
result different, from pass earlier to failed?
What IP is 36.86.63.180?

> - first, only check the connecting IP; do not do a deep header check
> (checking every IP in the flow).
I do not understand yet, please explain, where should this be set?

> - second, if using multiple DNS-BLs, stop after getting a positive response
> from one DNS-BL; there is no need to check the next DNS-BL host, to save
> resources.
Will activate it right away.

> - third, do not perform deception, so that the sender does not take the
> wrong action.
I do not understand yet, please explain, where should this be set?

> - fourth, use the DNS-BL with the highest accuracy, the lowest error rate,
> and a removal facility that is not strange.
Which one do you suggest? Since several at the top of that list, although
highly accurate, also have high inaccuracy.









[MDaemon-L] false positive?

2016-09-19 Thread Syafril Hermansyah
On 19/09/16 18:09, Andy Sujoto wrote:
> I am quoting a few lines from the log file below. Why does spamhaus
> sometimes pass and sometimes fail (for the same IP), and sometimes the
> reverse with spamcop, and sometimes both even fail?

The listing procedures differ between the two, and so do the removal request
procedures.

Spamhaus uses ROKSO (The Register of Known Spam Operations)

https://www.spamhaus.org/faq/section/ROKSO%20FAQ

spamcop uses the SCBL (SpamCop Blocking List)

https://www.spamcop.net/fom-serve/cache/297.html

both use volunteers, but with different criteria.
ROKSO's members are ISPs, while SCBL's members can be private individuals.

Spamhaus lists permanently, while Spamcop is only temporary (2x24 hours).

> What are the best settings for DNS-BL?

- first, only check the connecting IP; do not do a deep header check
(checking every IP in the flow).

- second, if using multiple DNS-BLs, stop after getting a positive response
from one DNS-BL; there is no need to check the next DNS-BL host, to save
resources.

- third, do not perform deception, so that the sender does not take the
wrong action.

- fourth, use the DNS-BL with the highest accuracy, the lowest error rate,
and a removal facility that is not strange.


http://www.mail-archive.com/mdaemon-l@dutaint.com/msg23162.html

http://www.mail-archive.com/mdaemon-l@dutaint.com/msg20483.html


-- 
syafril
---
Syafril Hermansyah
MDaemon-L Moderators, MDaemon 16.5-64, SP 5.0.1-64
Please do not cc: or send to private mail for MDaemon issues.

Learning is not child's play; we cannot learn without pain
--- Aristotle







[MDaemon-L] false positive?

2016-09-19 Thread Andy Sujoto
Dear Mr. Syafril,

I am quoting a few lines from the log file below. Why does spamhaus
sometimes pass and sometimes fail (for the same IP), and sometimes the
reverse with spamcop, and sometimes both even fail?

What are the best settings for DNS-BL?

Thanks,

Andy

Fri 2016-09-16 11:28:52.614: Performing DNS-BL lookup (202.171.22.3 -
connecting IP)
Fri 2016-09-16 11:28:52.771: *  zen.spamhaus.org - failed - 36.86.63.180
Fri 2016-09-16 11:28:53.021: *  bl.spamcop.net - passed

Fri 2016-09-16 13:01:17.442: Performing DNS-BL lookup (203.125.80.26 -
connecting IP)
Fri 2016-09-16 13:01:17.771: *  zen.spamhaus.org - passed
Fri 2016-09-16 13:01:18.177: *  bl.spamcop.net - failed - 36.86.63.180

Fri 2016-09-16 14:41:12.896: Performing DNS-BL lookup (203.125.80.26 -
connecting IP)
Fri 2016-09-16 14:41:14.161: *  zen.spamhaus.org - failed - 36.86.63.180
Fri 2016-09-16 14:41:14.458: *  bl.spamcop.net - failed - 36.86.63.180

Fri 2016-09-16 15:12:16.521: Performing DNS-BL lookup (61.47.9.220 -
connecting IP)
Fri 2016-09-16 15:12:16.536: *  zen.spamhaus.org - failed - 127.0.0.4
Fri 2016-09-16 15:12:16.755: *  bl.spamcop.net - failed - 127.0.0.2
