Re: apache org do get uribl_blocked

2022-09-27 Thread Kevin A. McGrail
You would report that to the foundation via the Infrastructure PMC.  We 
don't run that system for them.


On 9/26/2022 12:22 PM, Benny Pedersen wrote:


X-Spam-Status: No, score=-0.01 tagged_above=-999 required=6.31
tests=[SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01,
URIBL_BLOCKED=0.001] autolearn=disabled

provide datafeed or disable is not an option ?


--
Kevin A. McGrail
kmcgr...@apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



apache org do get uribl_blocked

2022-09-26 Thread Benny Pedersen



X-Spam-Status: No, score=-0.01 tagged_above=-999 required=6.31
tests=[SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01,
URIBL_BLOCKED=0.001] autolearn=disabled

provide datafeed or disable is not an option ?



URIBL_BLOCKED (was: Re: Problem with local.cf rules)

2021-03-16 Thread John Hardin

On Wed, 17 Mar 2021, Peter West wrote:


The most pertinent stuff I found was this Confluence page:
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver

So it looks as though I have to install a primary nameserver and a secondary 
rbldnsd.

I’m trying to translate this –
Rsync the feed files into /var/lib/rbldnsd

which seems to be this set
dul.dnsbl.sorbs.net:ip4set:dul.dnsbl.sorbs.net
http.dnsbl.sorbs.net:dnset:http.dnsbl.sorbs.net
smtp.dnsbl.sorbs.net:ip4set:smtp.dnsbl.sorbs.net
new.spam.dnsbl.sorbs.net:ip4set:new.spam.dnsbl.sorbs.net
dnsbl-1.uceprotect.net:ip4set:dnsbl-1.uceprotect.net


Agh, no, that's *way* too much to just fix URIBL_BLOCKED...

The critical bit from that Confluence page is this:

  A local DNS caching server should not forward to other DNS servers to
  ensure your queries are not combined with others.

Normally what you do when setting up a computer is you configure it to 
forward DNS requests to your ISP for them to handle. Along with the 
requests from all the ISP's other customers. Which then exceeds the free 
query limits imposed by the various DNSBL providers.


What you need to do is set up a local DNS server that does the name 
resolution itself, rather than passing that work off to your ISP.


So:

(1) install a local nameserver,

(2) configure it to do recursive name resolution (vs. "forwarding") 
(assuming it doesn't come that way out-of-the-box),


(3) point SpamAssassin (and potentially also your MTA) at that nameserver 
rather than at your ISP.


That's it at the most basic level.

*Refinements* include:

- configuring the nameserver so that the DNSBL traffic is resolved locally 
and other traffic is forwarded to your ISP to take advantage of their 
cache - "split resolution"


- configuring a local authoritative DNS server (like rbldnsd) for 
high-volume DNSBL feeds (if your traffic level by itself exceeds their 
free-query limits) and for custom blocklists you maintain yourself


So initially, don't get distracted by the rbldnsd stuff. Just pick a DNS 
server and install it locally, and run the tests in the Testing section of 
that Confluence page. If that works, point SpamAssassin at it as described 
in the Using section of that Confluence page.




On 15 Mar 2021, at 1:29 am, John Hardin  wrote:

On Sun, 14 Mar 2021, jwmi...@gmail.com wrote:


Peter West writes:

And You might want to fix the URIBL_BLOCKED issue.  Fixing the
URIBL_BLOCKED issue will do far more to fix your issues than adding
rules.


Seconded. The keywords here are "local, caching, *NON-FORWARDING* DNS server for 
SpamAssassin".

If that isn't enough to set you on the right path, search the mailing list archives for 
"URIBL-BLOCKED" or "URIBL DNS" for previous discussions of this topic. If that 
history isn't enough, feel free to ask for assistance.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Think Microsoft cares about your needs at all?
  "A company wanted to hold off on upgrading Microsoft Office for a
  year in order to do other projects. So Microsoft gave a 'free' copy
  of the new Office to the CEO -- a copy that of course generated
  errors for anyone else in the firm reading his documents. The CEO
  got tired of getting the 'please re-send in XX format' so he
  ordered other projects put on hold and the Office upgrade to be top
  priority."-- Cringely, 4/8/2004
---
 290 days since the first private commercial manned orbital mission (SpaceX)

Re: Question about the 'URIBL_BLOCKED' rule

2020-05-04 Thread Tom
On 5/3/20 1:16 AM, Bill Cole wrote:
> On 30 Apr 2020, at 14:59, Tom Williams wrote:
>
>> Hi!  I'm new to this mailing list, but not new to SpamAssassin. I've
>> used it on and off for a number years.  :)   Recently, (within the
>> past 6 months or so) I enabled it for email in a shared web hosting
>> environment (we host with InMotionHosting). Anyway, due to the volume
>> of email traffic the server receives, I see a *lot* of
>> 'URIBL_BLOCKED' entries in the SpamAssassin header injected in the
>> headers of incoming mail.   If our server can't use URIBL to check
>> mail, will that have an adverse or negative impact on SpamAssassin's
>> ability to detect/identify spam? 
>
> Yes. A quick look at one of the servers I manage shows that about 10%
> of the spam identified by SA would not be over the threshold without
> the contribution of URIBL rules.
>
>
Thanks!  This is the kind of feedback I was most interested in.


Tom




Re: Question about the 'URIBL_BLOCKED' rule

2020-05-03 Thread Bill Cole

On 30 Apr 2020, at 14:59, Tom Williams wrote:

Hi!  I'm new to this mailing list, but not new to SpamAssassin. I've 
used it on and off for a number years.  :)   Recently, (within the 
past 6 months or so) I enabled it for email in a shared web hosting 
environment (we host with InMotionHosting). Anyway, due to the volume 
of email traffic the server receives, I see a *lot* of 'URIBL_BLOCKED' 
entries in the SpamAssassin header injected in the headers of incoming 
mail.   If our server can't use URIBL to check mail, will that have 
an adverse or negative impact on SpamAssassin's ability to 
detect/identify spam? 


Yes. A quick look at one of the servers I manage shows that about 10% of 
the spam identified by SA would not be over the threshold without the 
contribution of URIBL rules.



Our host is running SpamAssassin 3.0 (shudders, I know it's ancient).


Ancient, unsupported, incapable of using many current rules, and unsafe.

I know of no "in the wild" exploits of the known vulnerabilities that 
have been fixed since 3.0, but that just means that any which exist have 
been used carefully. I would not feel safe with anything older than 
3.4.3. Given the fact that we've fixed a lot of issues that are based in 
Perl versions since 5.10, I expect that there are issues in 3.0 that are 
keeping you at some ancient version of Perl which itself has problems.


Update.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)


Re: Question about the 'URIBL_BLOCKED' rule

2020-05-02 Thread Tom
Many thanks to those who responded.  I was mainly wondering how the
inability to do blacklist checks would impact the overall ability of
SpamAssassin to detect spam.  Given the responses, I'll go in a
different direction.  I'll move the site to a VPS, where I can have more
control over SpamAssassin and DNS configuration.

Thanks!

Tom

On 5/2/20 3:25 AM, Jari Fredriksson wrote:
> I have too had a problem of this in my masscheck box. It is a cloud VM
> in Google Cloud and they do like to provide a /etc/resolv.conf for
> their own DNS which has been next to impossible to overcome. I do
> replace it in the beginning of my masscheck process with my own but to
> no avail.
>
> I now figured out I can add this to auto-mass-check.cf and going to
> see how it works.
>
> spam@gauntlet ~ $ grep dns gcloud/auto-mass-check.sh
>     echo "dns_server 127.0.0.1" >> spamassassin/user_prefs
>
> br. jarif
>
> On 30.4.2020 22.28, Richard Doyle wrote:
>> First result on Google:
>> http://cweiske.de/tagebuch/uribl_blocked.htm
>>
>> Short version: URIBL will block you if you use any of the big DNS
>> providers, such as 8.8.8.8.
>>
>>
>> On 4/30/20 11:59 AM, Tom Williams wrote:
>>> Hi!  I'm new to this mailing list, but not new to SpamAssassin. I've
>>> used it on and off for a number years.  :)   Recently, (within the past
>>> 6 months or so) I enabled it for email in a shared web hosting
>>> environment (we host with InMotionHosting). Anyway, due to the
>>> volume of
>>> email traffic the server receives, I see a *lot* of 'URIBL_BLOCKED'
>>> entries in the SpamAssassin header injected in the headers of incoming
>>> mail.   If our server can't use URIBL to check mail, will that have an
>>> adverse or negative impact on SpamAssassin's ability to detect/identify
>>> spam?  Our host is running SpamAssassin 3.0 (shudders, I know it's
>>> ancient).
>>>
>>> Thanks in advance!
>>>
>>> Tom
>>>



Re: Question about the 'URIBL_BLOCKED' rule

2020-05-02 Thread RW
On Sat, 2 May 2020 15:59:27 +0300
Jari Fredriksson wrote:

> On 2.5.2020 13.30, Reindl Harald wrote:
> > and why don't you just replace /etc/resolv.conf and fire up "chattr
> > +i /etc/resolv.conf" like everyone else does for years to keep it
> > untouched (that's even a documented way to prevent it overwritten
> > by dhcp clients)
> >
> > there is no point using a shared dns from whatever provider and
> > it's a shame that most people are still so bound to it that they
> > often fuckup even their own named/unbound setup with forwarders
> 
> Thanks! I have used Linux since 1994 but was not aware of that. I'll
> try it next.

You shouldn't need to do that as you can configure the DNS cache in your
settings.   

My understanding is that masschecks are supposed to reuse network
results from X-Spam-Status. Presumably the URIBL_BLOCKED warning is
about lookups that occurred during the original scan rather than during
the masscheck. Any network tests repeated during the masscheck would
tend to corrupt the results.

If you have dns_server set during scans and you are getting
URIBL_BLOCKED then you have either found a bug, your DNS is diverted,
or your IP address itself is blocked for some reason.


Re: Question about the 'URIBL_BLOCKED' rule

2020-05-02 Thread Jari Fredriksson



On 2.5.2020 13.30, Reindl Harald wrote:

and why don't you just replace /etc/resolv.conf and fire up "chattr +i
/etc/resolv.conf" like everyone else does for years to keep it untouched
(that's even a documented way to prevent it overwritten by dhcp clients)

there is no point using a shared dns from whatever provider and it's a
shame that most people are still so bound to it that they often fuckup
even their own named/unbound setup with forwarders


Thanks! I have used Linux since 1994 but was not aware of that. I'll try 
it next.


br. jarif




Re: Question about the 'URIBL_BLOCKED' rule

2020-05-02 Thread Jari Fredriksson

Still!

Syncing weekly_mass_check
check: dns_block_rule URIBL_BLOCKED hit, 
creating /home/jarif/.spamassassin/dnsblock_multi.uribl.com (This means dnsbl blocked you 
due to too many queries. Set all affected rules score to 0, or use 
"dns_query_restriction deny multi.uribl.com" to disable queries)
 12:34:19 up  1:34,  0 users,  load average: 32.21, 32.29, 32.17
rsync -Pcqz  ham-net-jarif.log spam-net-jarif.log*munged*/
 12:34:43 up  1:34,  0 users,  load average: 21.57, 29.78, 31.34

Bummer.

br. jarif

On 2.5.2020 13.25, Jari Fredriksson wrote:
I have too had a problem of this in my masscheck box. It is a cloud VM 
in Google Cloud and they do like to provide a /etc/resolv.conf for 
their own DNS which has been next to impossible to overcome. I do 
replace it in the beginning of my masscheck process with my own but to 
no avail.


I now figured out I can add this to auto-mass-check.cf and going to 
see how it works.


spam@gauntlet ~ $ grep dns gcloud/auto-mass-check.sh
    echo "dns_server 127.0.0.1" >> spamassassin/user_prefs

br. jarif

On 30.4.2020 22.28, Richard Doyle wrote:

First result on Google:
http://cweiske.de/tagebuch/uribl_blocked.htm

Short version: URIBL will block you if you use any of the big DNS
providers, such as 8.8.8.8.


On 4/30/20 11:59 AM, Tom Williams wrote:

Hi!  I'm new to this mailing list, but not new to SpamAssassin. I've
used it on and off for a number years.  :)   Recently, (within the past
6 months or so) I enabled it for email in a shared web hosting
environment (we host with InMotionHosting). Anyway, due to the volume of
email traffic the server receives, I see a *lot* of 'URIBL_BLOCKED'
entries in the SpamAssassin header injected in the headers of incoming
mail.   If our server can't use URIBL to check mail, will that have an
adverse or negative impact on SpamAssassin's ability to detect/identify
spam?  Our host is running SpamAssassin 3.0 (shudders, I know it's
ancient).

Thanks in advance!

Tom





Re: Question about the 'URIBL_BLOCKED' rule

2020-05-02 Thread Jari Fredriksson
I have too had a problem of this in my masscheck box. It is a cloud VM 
in Google Cloud and they do like to provide a /etc/resolv.conf for their 
own DNS which has been next to impossible to overcome. I do replace it 
in the beginning of my masscheck process with my own but to no avail.


I now figured out I can add this to auto-mass-check.cf and going to see 
how it works.


spam@gauntlet ~ $ grep dns gcloud/auto-mass-check.sh
    echo "dns_server 127.0.0.1" >> spamassassin/user_prefs

br. jarif

On 30.4.2020 22.28, Richard Doyle wrote:

First result on Google:
http://cweiske.de/tagebuch/uribl_blocked.htm

Short version: URIBL will block you if you use any of the big DNS
providers, such as 8.8.8.8.


On 4/30/20 11:59 AM, Tom Williams wrote:

Hi!  I'm new to this mailing list, but not new to SpamAssassin. I've
used it on and off for a number years.  :)   Recently, (within the past
6 months or so) I enabled it for email in a shared web hosting
environment (we host with InMotionHosting). Anyway, due to the volume of
email traffic the server receives, I see a *lot* of 'URIBL_BLOCKED'
entries in the SpamAssassin header injected in the headers of incoming
mail.   If our server can't use URIBL to check mail, will that have an
adverse or negative impact on SpamAssassin's ability to detect/identify
spam?  Our host is running SpamAssassin 3.0 (shudders, I know it's
ancient).

Thanks in advance!

Tom



Re: Question about the 'URIBL_BLOCKED' rule

2020-04-30 Thread Richard Doyle
First result on Google:
http://cweiske.de/tagebuch/uribl_blocked.htm

Short version: URIBL will block you if you use any of the big DNS
providers, such as 8.8.8.8.


On 4/30/20 11:59 AM, Tom Williams wrote:
> Hi!  I'm new to this mailing list, but not new to SpamAssassin. I've
> used it on and off for a number years.  :)   Recently, (within the past
> 6 months or so) I enabled it for email in a shared web hosting
> environment (we host with InMotionHosting). Anyway, due to the volume of
> email traffic the server receives, I see a *lot* of 'URIBL_BLOCKED'
> entries in the SpamAssassin header injected in the headers of incoming
> mail.   If our server can't use URIBL to check mail, will that have an
> adverse or negative impact on SpamAssassin's ability to detect/identify
> spam?  Our host is running SpamAssassin 3.0 (shudders, I know it's
> ancient).
> 
> Thanks in advance!
> 
> Tom
> 



Question about the 'URIBL_BLOCKED' rule

2020-04-30 Thread Tom Williams
Hi!  I'm new to this mailing list, but not new to SpamAssassin. I've 
used it on and off for a number years.  :)   Recently, (within the past 
6 months or so) I enabled it for email in a shared web hosting 
environment (we host with InMotionHosting). Anyway, due to the volume of 
email traffic the server receives, I see a *lot* of 'URIBL_BLOCKED' 
entries in the SpamAssassin header injected in the headers of incoming 
mail.   If our server can't use URIBL to check mail, will that have an 
adverse or negative impact on SpamAssassin's ability to detect/identify 
spam?  Our host is running SpamAssassin 3.0 (shudders, I know it's ancient).


Thanks in advance!

Tom



Re: URIBL_BLOCKED

2018-02-15 Thread @lbutlr
On 2018-02-15 (02:10 MST), Tobi  wrote:
> 
> and does your bind server use other forward servers?

Nope. It is its own thing. Nor forwarders. Dunno what the issue was, but it was 
transient AFAICT.

-- 
Forever was over. All the sands had fallen. The great race between
entropy and energy had been run, and the favourite had been the winner
after all. Perhaps he ought to sharpen the blade again?  No. Not much
point, really.



Re: URIBL_BLOCKED

2018-02-15 Thread Dianne Skoll
On Thu, 15 Feb 2018 16:06:40 +0100
Matus UHLAR - fantomas  wrote:

> >Or if you like using your ISP's servers, most DNS server software
> >lets you forward by default but make exceptions for specific
> >domains.  

> although possible, this does not make sense IMHO.

It makes a lot of sense, IMO.  I'm not H like the rest of you.

> you would need to keep track of DNSBLs you need to access directly,
> while they can change with SA rules without your knowledge.

IMO, it makes no sense to run a mail server without having complete
knowledge of which DNSBLs you use.

Regards,

Dianne.



Re: URIBL_BLOCKED

2018-02-15 Thread Matus UHLAR - fantomas

On Wed, 14 Feb 2018 14:05:54 -0800 (PST)
John Hardin  wrote:


This detail always gets glossed over: set up a local NON-FORWARDING
resolver.



If you set up a local resolver and it just forwards requests to your
ISP's DNS servers, you have not materially changed the problem.


On 15.02.18 09:57, Dianne Skoll wrote:

Or if you like using your ISP's servers, most DNS server software lets
you forward by default but make exceptions for specific domains.


although possible, this does not make sense IMHO.

you would need to keep track of DNSBLs you need to access directly,
while they can change with SA rules without your knowledge.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer


Re: URIBL_BLOCKED

2018-02-15 Thread Dianne Skoll
On Wed, 14 Feb 2018 14:05:54 -0800 (PST)
John Hardin  wrote:

> This detail always gets glossed over: set up a local NON-FORWARDING 
> resolver.

> If you set up a local resolver and it just forwards requests to your
> ISP's DNS servers, you have not materially changed the problem.

Or if you like using your ISP's servers, most DNS server software lets
you forward by default but make exceptions for specific domains.

Regards,

Dianne.



Re: URIBL_BLOCKED

2018-02-15 Thread Matus UHLAR - fantomas

On 15 Feb 2018, at 4:10 (-0500), Tobi wrote:


Am 15.02.2018 um 02:35 schrieb @lbutlr:

On 2018-02-14 (09:55 MST), Tobi  wrote:


Am 14.02.2018 um 17:16 schrieb @lbutlr:

I can't imagine why i'd be over limit, my mail server is tiny.


its not the mailserver that got blocked by limits, but the dns resolver
your mailserver uses!


I use my own DNS on Bind 9.12, however the block error is not
appearing today, so...



and does your bind server use other forward servers? Or does it directly
resolve the queries from the authoritative nameservers? All depends
whether you resolver is in forward mode or not. If it's in forward
mode then it sounds that the ips of those forwarders might got limited


On 15.02.18 09:49, Bill Cole wrote:
Another possibility is DNS hijacking. Connection providers pitch it 
as a security measure, and I guess it can be for residential 
customers and small businesses that essentially use their connections 
in the same ways as home users, but it's lethal for mail systems. My 
provider (WOW Business) does it by default.


DNSSEC should avoid that too, however you must get root key via other way
and I have no information about dnsbls signing their zones.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".


Re: URIBL_BLOCKED

2018-02-15 Thread Bill Cole

On 15 Feb 2018, at 4:10 (-0500), Tobi wrote:


Am 15.02.2018 um 02:35 schrieb @lbutlr:

On 2018-02-14 (09:55 MST), Tobi  wrote:


Am 14.02.2018 um 17:16 schrieb @lbutlr:

I can't imagine why i'd be over limit, my mail server is tiny.


its not the mailserver that got blocked by limits, but the dns resolver
your mailserver uses!


I use my own DNS on Bind 9.12, however the block error is not
appearing today, so...



and does your bind server use other forward servers? Or does it directly
resolve the queries from the authoritative nameservers? All depends
whether you resolver is in forward mode or not. If it's in forward
mode then it sounds that the ips of those forwarders might got limited


Another possibility is DNS hijacking. Connection providers pitch it as a 
security measure, and I guess it can be for residential customers and 
small businesses that essentially use their connections in the same ways 
as home users, but it's lethal for mail systems. My provider (WOW 
Business) does it by default.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole


Re: URIBL_BLOCKED

2018-02-15 Thread Tobi


Am 15.02.2018 um 02:35 schrieb @lbutlr:
> On 2018-02-14 (09:55 MST), Tobi  wrote:
>>
>> Am 14.02.2018 um 17:16 schrieb @lbutlr:
>>> I can't imagine why i'd be over limit, my mail server is tiny.
>>
>> its not the mailserver that got blocked by limits, but the dns resolver
>> your mailserver uses!
>
> I use my own DNS on Bind 9.12, however the block error is not
appearing today, so...
>
>
>
and does your bind server use other forward servers? Or does it directly
resolve the queries from the authoritative nameservers? All depends
whether you resolver is in forward mode or not. If it's in forward
mode then it sounds that the ips of those forwarders might got limited


Re: URIBL_BLOCKED

2018-02-14 Thread @lbutlr
On 2018-02-14 (09:55 MST), Tobi  wrote:
> 
> Am 14.02.2018 um 17:16 schrieb @lbutlr:
>> I can't imagine why i'd be over limit, my mail server is tiny.
> 
> its not the mailserver that got blocked by limits, but the dns resolver
> your mailserver uses!

I use my own DNS on Bind 9.12, however the block error is not appearing today, 
so...



-- 
"...and that's not incense"



Re: URIBL_BLOCKED

2018-02-14 Thread John Hardin

On Wed, 14 Feb 2018, Tobi wrote:




Am 14.02.2018 um 17:16 schrieb @lbutlr:

I can't imagine why i'd be over limit, my mail server is tiny.


its not the mailserver that got blocked by limits, but the dns resolver
your mailserver uses!
If you're using a 3rd party resolver (ex the ones from your provider or
8.8.8.8) you can hit the limits quite fast depending on how many other
users use the same resolver for their uribl queries.
I recommend to setup a local resolver (unbound or something similar) and
use that resolver for your mailserver(s).


This detail always gets glossed over: set up a local NON-FORWARDING 
resolver.


If you set up a local resolver and it just forwards requests to your ISP's 
DNS servers, you have not materially changed the problem.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  A sword is never a killer, it is but a tool in the killer's hands.
  -- Lucius Annaeus Seneca (Martial) 4BC-65AD
---
 8 days until George Washington's 286th Birthday


Re: URIBL_BLOCKED

2018-02-14 Thread Tobi


Am 14.02.2018 um 17:16 schrieb @lbutlr:
> I can't imagine why i'd be over limit, my mail server is tiny.

its not the mailserver that got blocked by limits, but the dns resolver
your mailserver uses!
If you're using a 3rd party resolver (ex the ones from your provider or
8.8.8.8) you can hit the limits quite fast depending on how many other
users use the same resolver for their uribl queries.
I recommend to setup a local resolver (unbound or something similar) and
use that resolver for your mailserver(s).

Cheers

tobi


Re: URIBL_BLOCKED

2018-02-14 Thread Kevin A. McGrail

On 2/14/2018 11:16 AM, @lbutlr wrote:

Ah, I didn't know URIBL was a blacklist, I thought it was being used as a 
generic abbreviation variant of RBL.

I can't imagine why i'd be over limit, my mail server is tiny.


It's confusing, I agree.  See 
https://issues.apache.org/jira/browse/COMDEV-267?jql=text%20~%20%22GSOC%202018%22 
for one of the ideas I wrote for improving it.




Re: URIBL_BLOCKED

2018-02-14 Thread @lbutlr
On 2018-02-13 (14:45 MST), Reindl Harald <h.rei...@thelounge.net> wrote:
> 
> Am 13.02.2018 um 21:21 schrieb @lbutlr:
>> 0.0 URIBL_BLOCKED  ADMINISTRATOR NOTICE: The query to URIBL was 
>> blocked.
>> See
>> 
>> http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
>>  for more information.
>> [URIs: cz-salda.ru]
>> So, I’ve never heard of cz-salda.ru, is that the RBL that is blocking me? If 
>> so, where is it listed in SA’s configuration (FreeBSD 11.1-RELEASE)? (tried 
>> a `grep salda.ru /usr/local/etc/mail/spamassassin/*` for no results)
> 
> jesus christ click on the link you even quote

I did click on the link.

> "cz-salda.ru" was the domain which would have been checked against URIBL and 
> URIBL said "you are over limit, go away"

Ah, I didn't know URIBL was a blacklist, I thought it was being used as a 
generic abbreviation variant of RBL.

I can't imagine why i'd be over limit, my mail server is tiny.

-- 
Women like silent men, they think they're listening.



Re: URIBL_BLOCKED

2018-02-13 Thread David B Funk

If you read that informational spamassassin wiki page referenced in that message
you'd know that it has nothing to do with querying a Russian RBL.

That Russian URI is what the query to URIBL was asking.
So your use of URIBL (via spamassassin) hit a threshold and was blocked.

Read that spamassassin wiki page for more information.


On Tue, 13 Feb 2018, @lbutlr wrote:


0.0 URIBL_BLOCKED  ADMINISTRATOR NOTICE: The query to URIBL was blocked.
   See
   
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
   [URIs: cz-salda.ru]

So, I’ve never heard of cz-salda.ru, is that the RBL that is blocking me? If 
so, where is it listed in SA’s configuration (FreeBSD 11.1-RELEASE)? (tried a 
`grep salda.ru /usr/local/etc/mail/spamassassin/*` for no results)

Also, why would anything be checking a Russian RBL?

Supposedly I can disable this with a line like

Score RCVD_IN_ORBS 0

But “ORBS” wouldn’t be right and there’s nothing in the text above to indicate 
what it might be.





--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

URIBL_BLOCKED

2018-02-13 Thread @lbutlr
0.0 URIBL_BLOCKED  ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
 for more information.
[URIs: cz-salda.ru]

So, I’ve never heard of cz-salda.ru, is that the RBL that is blocking me? If 
so, where is it listed in SA’s configuration (FreeBSD 11.1-RELEASE)? (tried a 
`grep salda.ru /usr/local/etc/mail/spamassassin/*` for no results)

Also, why would anything be checking a Russian RBL?

Supposedly I can disable this with a line like

Score RCVD_IN_ORBS 0

But “ORBS” wouldn’t be right and there’s nothing in the text above to indicate 
what it might be.




Re: URIBL_BLOCKED - which one?

2017-10-13 Thread Tom Hendrikx
Hi,

Note that on at least Ubuntu from some time ago, unbound was
automatically configured to take the dns servers that were received from
an upstream server during DHCP, and configure those as forwarders.

Can you show us output of: unbound-control list_forwards

Kind regards,
Tom

On 13-10-17 18:59, John Hardin wrote:
> 
> I just want to call this out as the critical detail in all the
> back-and-forth:
> 
>> The main thing with setting up a DNS server for DNSBL lookups is not
>> "caching", it is "non-forwarding".  Take a look at your unbound
>> settings and make sure it is doing all of the lookups itself and not
>> forwarding to another server.
> 






Re: URIBL_BLOCKED - which one?

2017-10-13 Thread John Hardin


I just want to call this out as the critical detail in all the 
back-and-forth:


The main thing with setting up a DNS server for DNSBL lookups is not 
"caching", it is "non-forwarding".  Take a look at your unbound settings 
and make sure it is doing all of the lookups itself and not forwarding 
to another server.


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The tree of freedom must be freshened from time to time
  with the blood of tyrants and tyrannosaurs.
 -- DW, commenting on the GM6 Lynx .50BMG bullpup
---
 197 days since the first commercial re-flight of an orbital booster (SpaceX)
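
An added example, not written by any poster in this thread: a shell check for the point made in the two messages above, that the resolver must not forward. It reads an unbound.conf on stdin and reports whether a lookup such as multi.uribl.com falls under a forward-zone. The sample configs and the 192.0.2.53 upstream are constructed, and only forward-zone clauses are modelled (a more specific stub-zone is not considered).

```shell
#!/bin/sh
# Added example: would this unbound config hand DNSBL lookups to an upstream?

# Print "<zone> <targets>" for every forward-zone clause that names an upstream.
unbound_forward_zones() {
    awk '
        function flush() {
            if (name != "" && targets != "") print name, targets
            name = ""; targets = ""
        }
        { sub(/#.*/, "") }                       # strip comments
        /^[ \t]*$/ { next }                      # skip empty lines
        /^[ \t]*[a-z-]+:[ \t]*$/ {               # clause header such as "server:"
            flush(); in_fz = ($1 == "forward-zone:"); next
        }
        in_fz && $1 == "name:" { name = $2; gsub(/"/, "", name) }
        in_fz && ($1 == "forward-addr:" || $1 == "forward-host:") {
            targets = targets (targets == "" ? "" : ",") $2
        }
        END { flush() }
    '
}

# usage: forwarders_for <qname> < unbound.conf
# Prints each forward-zone that covers <qname>; no output means the
# resolver recurses for that name itself.
forwarders_for() {
    qname="${1%.}."
    unbound_forward_zones | while read -r zone targets; do
        z="${zone%.}."
        if [ "$z" = "." ]; then
            echo "$zone $targets"                # root forward: everything is forwarded
        else
            case "$qname" in
                "$z"|*".$z") echo "$zone $targets" ;;
            esac
        fi
    done
}

# Print the resolver(s) SpamAssassin is told to use (dns_server lines of local.cf).
sa_dns_servers() {
    awk '$1 == "dns_server" { print $2 }'
}

# Constructed sample: everything forwarded to an upstream learned via DHCP.
SAMPLE_FORWARDING='server:
    interface: 127.0.0.1
forward-zone:
    name: "."
    forward-addr: 192.0.2.53   # constructed upstream address
'

# Constructed sample: only one internal zone is forwarded, DNSBLs are not.
SAMPLE_SPLIT='server:
    interface: 127.0.0.1
# forward-zone:
#     name: "."
#     forward-addr: 192.0.2.53
forward-zone:
    name: "example.net"
    forward-addr: 192.0.2.53
'

echo "forwarding config: $(printf '%s' "$SAMPLE_FORWARDING" | forwarders_for multi.uribl.com)"
echo "split config:      $(printf '%s' "$SAMPLE_SPLIT" | forwarders_for multi.uribl.com)"
```

On a running daemon, `unbound-control list_forwards` (asked for above) shows the forwards actually in effect, which can differ from the file when a DHCP hook adds them at runtime.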


Re: URIBL_BLOCKED - which one?

2017-10-13 Thread David Jones

On 10/13/2017 08:45 AM, AJ Weber wrote:

On 10/13/2017 9:23 AM, Reindl Harald wrote:
next time make a notice in your first post that you don't have a 
serious mailserver but "maybe because I have a DHCP address from a 
major ISP and that's a problem"


OK, I can do that, but there isn't anything in the troubleshooting for 
DNSBL regarding how your IP address is assigned.  It just recommends 
that you use your own, caching DNS server.  If that is important, maybe 
it should be mentioned in the docs?



Am 13.10.2017 um 15:20 schrieb AJ Weber:

I put the following in my local.cf.  This does not work?

dns_available yes
# - REDIRECT DNS LOOKUPS TO LOCAL "unbound" service to avoid RBL bans
dns_server 127.0.0.1

then your machine is *not* using 127.0.0.1 as the only DNS server

So does this "dns_server" directive in my local.cf file work as 
expected?  If so, my SA *is* using 127.0.0.1 as the only DNS server.


It should.  Do a test dig @127.0.0.1 to make sure unbound is resolving 
properly.  I am trying to do a test query from my mail servers to 
multi.uribl.com and not getting any response right now.  I have tried 
from multiple locations on the Internet so I could show you exactly how 
to tell you when you are blocked.


According to the SA rules, if you get back a response with xxx.xxx.xxx.1 
then your query volume is too high and you hit URIBL_BLOCKED.  The way 
to resolve this is to run your own local DNS that does its own full 
recursive lookup and does not forward to any other DNS server.


Forwarding to other DNS servers combines your queries with potentially 
other queries to the RBL and you don't want that.  You want your DNS 
queries to be independent from any other so they are as few as possible 
to stay under free usage limits.


If you are sure your DNS queries are isolated (not forwarding) and you 
still hit URIBL_BLOCKED, then your only option is to disable those RBLs 
by scoring them as 0.


--
David Jones
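
An added example, not part of David Jones's message: the check he describes, written as a shell function that classifies the A records returned for a multi.uribl.com lookup. Treating any other 127.x answer as a listing, and an answer outside 127.0.0.0/8 as a rewritten reply (the DNS hijacking case raised elsewhere in these threads), are assumptions based on the usual DNSBL convention; the sample answers are constructed.

```shell
#!/bin/sh
# Added example: interpret the answer to a multi.uribl.com lookup made
# through the resolver SpamAssassin uses.

# Reads `dig +short` style output (one record per line) on stdin and prints:
#   BLOCKED            last octet is 1: the query was refused for volume
#   LISTED             some other 127.x.x.x answer (assumed to be a listing)
#   UNEXPECTED_ANSWER  an answer outside 127.0.0.0/8, e.g. a provider
#                      rewriting replies
#   NO_ANSWER          nothing came back (not listed, or no response at all)
uribl_verdict() {
    awk '
        /^[ \t]*$/ || /^;/ { next }              # skip blanks and dig comments
        { n++ }
        !/^127\.[0-9]+\.[0-9]+\.[0-9]+$/ { foreign = 1; next }
        { split($0, o, "."); if (o[4] == 1) blocked = 1; else listed = 1 }
        END {
            if (n == 0)       print "NO_ANSWER"
            else if (foreign) print "UNEXPECTED_ANSWER"
            else if (blocked) print "BLOCKED"
            else              print "LISTED"
        }
    '
}

# Live form of the same check (needs network access, so it is not run here).
# usage: check_resolver <resolver-ip> <domain-to-look-up>
check_resolver() {
    dig +short +time=3 +tries=1 @"$1" "$2.multi.uribl.com" A | uribl_verdict
}

# Constructed answers, one per case.
echo "127.0.0.1    -> $(printf '127.0.0.1\n' | uribl_verdict)"
echo "127.0.0.2    -> $(printf '127.0.0.2\n' | uribl_verdict)"
echo "203.0.113.10 -> $(printf '203.0.113.10\n' | uribl_verdict)"
echo "(empty)      -> $(printf '' | uribl_verdict)"
```

Run `check_resolver 127.0.0.1 <domain>` against the address in `dns_server`, then against the ISP's resolver, to see whether the two paths give different verdicts.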


Re: URIBL_BLOCKED - which one?

2017-10-13 Thread Bowie Bailey

On 10/13/2017 9:45 AM, AJ Weber wrote:

On 10/13/2017 9:23 AM, Reindl Harald wrote:
next time make a notice in your first post that you don't have a 
serious mailserver but "maybe because I have a DHCP address from a 
major ISP and that's a problem"


OK, I can do that, but there isn't anything in the troubleshooting for 
DNSBL regarding how your IP address is assigned.  It just recommends 
that you use your own, caching DNS server.  If that is important, 
maybe it should be mentioned in the docs?


This may be an issue with getting your outgoing mail accepted on other 
mail servers, but it shouldn't make a difference with DNSBL lookups.





On 13.10.2017 at 15:20, AJ Weber wrote:

I put the following in my local.cf. This does not work?

dns_available yes
# - REDIRECT DNS LOOKUPS TO LOCAL "unbound" service to avoid RBL bans
dns_server 127.0.0.1

then your machine is *not* using 127.0.0.1 as the only DNS server
So does this "dns_server" directive in my local.cf file work as 
expected?  If so, my SA *is* using 127.0.0.1 as the only DNS server.


As far as I know, it should work.  I just have it set in my 
/etc/resolv.conf so it is used for everything on the machine.  This is 
the simplest setup unless you have some reason to need a different type 
of DNS for other things.


The main thing with setting up a DNS server for DNSBL lookups is not 
"caching", it is "non-forwarding".  Take a look at your unbound settings 
and make sure it is doing all of the lookups itself and not forwarding 
to another server.


--
Bowie
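The non-forwarding check described in the two replies above can be run offline against the config files. This is an added example, not code from the thread or from SpamAssassin or Unbound: the function names are hypothetical, the sample files are constructed, and it only models `forward-zone` clauses with `name`, `forward-addr` and `forward-host` (no `include:` files, no stub-zone exceptions).

```python
import ipaddress

# Constructed sample files: a host that looks local but still forwards.
RESOLV_CONF = """\
# rewritten by the hosting provider
nameserver 127.0.0.1
nameserver 8.8.8.8
"""

UNBOUND_FORWARDING = """\
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
"""

UNBOUND_RECURSIVE = """\
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
"""

DNSBL_ZONES = ["multi.uribl.com", "dbl.spamhaus.org"]  # zones named in the thread


def resolv_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; a scope suffix (%if) is ignored."""
    try:
        return ipaddress.ip_address(addr.split("%", 1)[0]).is_loopback
    except ValueError:
        return False


def unbound_forward_zones(text):
    """Return {zone: [upstream, ...]} for every forward-zone clause with targets."""
    clauses, current = [], None
    for raw in text.splitlines():
        key, sep, value = raw.split("#", 1)[0].strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip('"')
        if not value:  # clause header such as "server:" or "forward-zone:"
            current = {"name": None, "targets": []} if key == "forward-zone" else None
            if current is not None:
                clauses.append(current)
        elif current is not None and key == "name":
            current["name"] = value.lower().rstrip(".") + "."
        elif current is not None and key in ("forward-addr", "forward-host"):
            current["targets"].append(value)
    return {c["name"]: c["targets"] for c in clauses if c["name"] and c["targets"]}


def forwarded_via(zone, forward_zones):
    """Return the most specific forward-zone covering `zone`, or None."""
    fqdn = zone.lower().rstrip(".") + "."
    hits = [z for z in forward_zones
            if z == "." or fqdn == z or fqdn.endswith("." + z)]
    return max(hits, key=len) if hits else None


def audit(resolv_conf, unbound_conf, zones=DNSBL_ZONES):
    """List every place where DNSBL queries would leave via a shared resolver."""
    findings = []
    for ns in resolv_nameservers(resolv_conf):
        if not is_loopback(ns):
            findings.append(("resolv.conf", f"nameserver {ns} is not the local resolver"))
    forward_zones = unbound_forward_zones(unbound_conf)
    for zone in zones:
        via = forwarded_via(zone, forward_zones)
        if via:
            upstreams = ", ".join(forward_zones[via])
            findings.append(("unbound.conf", f"{zone} forwarded by zone {via} to {upstreams}"))
    return findings


if __name__ == "__main__":
    for source, detail in audit(RESOLV_CONF, UNBOUND_FORWARDING):
        print(f"{source}: {detail}")
```

A caching resolver that passes this check with no findings sends its DNSBL queries from the mail server's own address, which is what the per-source usage limits are counted against.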


Re: URIBL_BLOCKED - which one?

2017-10-13 Thread AJ Weber

On 10/13/2017 9:23 AM, Reindl Harald wrote:
next time make a notice in your first post that you don't have a
serious mailserver but "maybe because I have a DHCP address from a 
major ISP and that's a problem"


OK, I can do that, but there isn't anything in the troubleshooting for 
DNSBL regarding how your IP address is assigned.  It just recommends 
that you use your own, caching DNS server.  If that is important, maybe 
it should be mentioned in the docs?



On 13.10.2017 at 15:20, AJ Weber wrote:

I put the following in my local.cf.  This does not work?

dns_available yes
# - REDIRECT DNS LOOKUPS TO LOCAL "unbound" service to avoid RBL bans
dns_server 127.0.0.1

then your machine is *not* using 127.0.0.1 as the only DNS server
So does this "dns_server" directive in my local.cf file work as 
expected?  If so, my SA *is* using 127.0.0.1 as the only DNS server.


Re: URIBL_BLOCKED - which one?

2017-10-13 Thread AJ Weber

I put the following in my local.cf.  This does not work?

dns_available yes
# - REDIRECT DNS LOOKUPS TO LOCAL "unbound" service to avoid RBL bans
dns_server 127.0.0.1



On 10/13/2017 8:48 AM, Reindl Harald wrote:



On 13.10.2017 at 14:40, AJ Weber wrote:
I guess this qualifies as a newbie question...I've been running SA 
for a while, but haven't really dug into some of the workings...


I occasionally see the URIBL_BLOCKED notice in some of my spam 
results. I read the related web page, and started using unbound as a 
local DNS, but I'm still seeing this


then your machine is *not* using 127.0.0.1 as the only DNS server




Re: URIBL_BLOCKED - which one?

2017-10-13 Thread AJ Weber

On 10/13/2017 8:57 AM, David Jones wrote:

On 10/13/2017 07:47 AM, Markus Clardy wrote:
URIBL_BLOCKED is in reference to multi.uribl.com 
<http://multi.uribl.com>.

--
  - Markus


To disable queries to multi.uribl.com, put this in your local.cf or 
equivalent in /etc/mail/spamassassin:


score URIBL_BLACK 0
score URIBL_GREY 0
score URIBL_RED 0

Based on my mail flow and other RBLs, I didn't miss this RBL when I 
disabled it years ago.  It may be valuable to some but Spamhaus and 
IVM do most of the heavy lifting on my mail filters.


@Markus, @David: Thank you both.  I started digging into the .cf files 
and did find that reference to multi.uribl.com.


Strange that they are denying my queries.  Maybe because I have a DHCP 
address from a major ISP and that's a problem?  I don't really 
understand how they determine who is querying their RBLs.  I thought 
running unbound locally would help mitigate that problem, but I guess not.


Thanks again.


Re: URIBL_BLOCKED - which one?

2017-10-13 Thread David Jones

On 10/13/2017 08:01 AM, Reindl Harald wrote:



On 13.10.2017 at 14:57, David Jones wrote:
To disable queries to multi.uribl.com, put this in your local.cf or 
equivalent in /etc/mail/spamassassin:


score URIBL_BLACK 0
score URIBL_GREY 0
score URIBL_RED 0

Based on my mail flow and other RBLs, I didn't miss this RBL when I 
disabled it years ago.  It may be valuable to some but Spamhaus and 
IVM do most of the heavy lifting on my mail filters


terrible bad idea and not a solution at all when likely his server is 
not using 127.0.0.1 as the only DNS and so other RBL's also won't work
as expected - when you see URIBL_BLACK you have a problem which needs to
be solved and not buried




His server's /etc/resolv.conf could be pointed to 127.0.0.1 and still 
have too high of volume to hit URIBL_BLOCKED like mine was years ago.


But yes, make sure you have unbound setup and working properly and 
/etc/resolv.conf is pointing to 127.0.0.1.  Then do a manual query to 
127.0.0.1 to confirm it's working:


# dig @127.0.0.1 test.dbl.spamhaus.org

;; ANSWER SECTION:
test.dbl.spamhaus.org.  60  IN  A   127.0.1.2

be sure i scored it not to 6.5 just for fun based on a 8.0 milter-reject 
score


BLOCKED: 1512
URIBL_BLACK: 512

[root@mail-gw:~]$ sa-score.sh URIBL_BLACK
/usr/share/spamassassin
score URIBL_BLACK 0 1.7 0 1.7 # n=0 n=2

/var/lib/spamassassin/3.004001/updates_spamassassin_org
score URIBL_BLACK 0 1.7 0 1.7 # n=0 n=2

/etc/mail/spamassassin/local-*.cf
score URIBL_BLACK 6.5


Like I said, disabling URIBL didn't impact my mail filtering because of 
other RBLs and my specific mail flow.  Different mail flow from 
different locations around the world/Internet will cause SA to be a 
little different for everyone.  There's no one-size-fits-all with mail 
filtering and SA but we have common issues like URIBL_BLOCKED that are 
generally solved the same way.  If your volume is low enough, you can 
keep it and setup your local DNS server to do full recursive lookups. 
If your volume is too high for their free usage limit, then disable it and
use other RBLs that could be better for your locale.


--
David Jones


Re: URIBL_BLOCKED - which one?

2017-10-13 Thread David Jones

On 10/13/2017 07:47 AM, Markus Clardy wrote:

URIBL_BLOCKED is in reference to multi.uribl.com <http://multi.uribl.com>.

On Fri, Oct 13, 2017 at 1:40 PM, AJ Weber <awe...@comcast.net 
<mailto:awe...@comcast.net>> wrote:


I guess this qualifies as a newbie question...I've been running SA
for a while, but haven't really dug into some of the workings...

I occasionally see the URIBL_BLOCKED notice in some of my spam
results.  I read the related web page, and started using unbound as
a local DNS, but I'm still seeing this.

Since I have a number of RBL's setup, is there a way to determine
which of the RBLs blocked my query?  Maybe I have one configured
that I need to "license" or subscribe-to in some way?

Thanks for the troubleshooting assistance.

-AJ




--
  - Markus


To disable queries to multi.uribl.com, put this in your local.cf or 
equivalent in /etc/mail/spamassassin:


score URIBL_BLACK 0
score URIBL_GREY 0
score URIBL_RED 0

Based on my mail flow and other RBLs, I didn't miss this RBL when I 
disabled it years ago.  It may be valuable to some but Spamhaus and IVM 
do most of the heavy lifting on my mail filters.


--
David Jones


Re: URIBL_BLOCKED - which one?

2017-10-13 Thread Markus Clardy
URIBL_BLOCKED is in reference to multi.uribl.com.

On Fri, Oct 13, 2017 at 1:40 PM, AJ Weber <awe...@comcast.net> wrote:

> I guess this qualifies as a newbie question...I've been running SA for a
> while, but haven't really dug into some of the workings...
>
> I occasionally see the URIBL_BLOCKED notice in some of my spam results.  I
> read the related web page, and started using unbound as a local DNS, but
> I'm still seeing this.
>
> Since I have a number of RBL's setup, is there a way to determine which of
> the RBLs blocked my query?  Maybe I have one configured that I need to
> "license" or subscribe-to in some way?
>
> Thanks for the troubleshooting assistance.
>
> -AJ
>
>


-- 
 - Markus


URIBL_BLOCKED - which one?

2017-10-13 Thread AJ Weber
I guess this qualifies as a newbie question...I've been running SA for a 
while, but haven't really dug into some of the workings...


I occasionally see the URIBL_BLOCKED notice in some of my spam results.  
I read the related web page, and started using unbound as a local DNS, 
but I'm still seeing this.


Since I have a number of RBL's setup, is there a way to determine which 
of the RBLs blocked my query?  Maybe I have one configured that I need 
to "license" or subscribe-to in some way?


Thanks for the troubleshooting assistance.

-AJ



Re: apache.org have URIBL_BLOCKED now :/

2017-08-09 Thread Kevin A. McGrail

On 8/9/2017 10:13 AM, Benny Pedersen wrote:

Kevin A. McGrail wrote on 2017-08-09 15:48:


So I think the X-Spam-Status is also from spamd1-us-west.apache.org

I see that pov but it shouldn't cause mail delivery issues.  It just
means we couldn't fully scan things so I'm not sure what problem Benny
is trying to report.


why did i concern a problem on other servers than my own :(

back to my android studio hello world project :=)


It's the language barrier.  I couldn't decipher what you were trying to 
report and the URIBL_BLOCKED issue has been known for a while.  My 
apologies as you were trying to help and I was trying to help you with 
your server.  Ships in the night...



Best,

KAM



Re: apache.org have URIBL_BLOCKED now :/

2017-08-09 Thread Benny Pedersen

Kevin A. McGrail wrote on 2017-08-09 15:48:


So I think the X-Spam-Status is also from spamd1-us-west.apache.org

I see that pov but it shouldn't cause mail delivery issues.  It just
means we couldn't fully scan things so I'm not sure what problem Benny
is trying to report.


why did i concern a problem on other servers than my own :(

back to my android studio hello world project :=)


Re: apache.org have URIBL_BLOCKED now :/

2017-08-09 Thread Kevin A. McGrail

On 8/9/2017 9:37 AM, Merijn van den Kroonenberg wrote:

According to the headers he posted, it is not Benny who hit the
URIBL_BLOCKED but indeed apache infra:

X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org

So I think the X-Spam-Status is also from spamd1-us-west.apache.org
I see that pov but it shouldn't cause mail delivery issues.  It just 
means we couldn't fully scan things so I'm not sure what problem Benny 
is trying to report.




Re: apache.org have URIBL_BLOCKED now :/

2017-08-09 Thread Merijn van den Kroonenberg
> Hi Benny,
>
> As Michael pointed out and I emailed you off-list, yes, you are reading
> the header incorrectly.
>
> Focusing on just the tests, you hit URIBL_BLOCKED.  Here's the

According to the headers he posted, it is not Benny who hit the
URIBL_BLOCKED but indeed apache infra:

X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org

So I think the X-Spam-Status is also from spamd1-us-west.apache.org

> description for that test:
> ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See
> http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more
> information.
>
> HTH, KAM
>
> On 8/9/2017 8:46 AM, Benny Pedersen wrote:
>>
>> do i read headers incorrect ?
>>
>> X-Spam-Status: No, score=-5.102 tagged_above=-999 required=6.31
>> tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
>> RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001,
>> SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled
>
>
>




Re: apache.org have URIBL_BLOCKED now :/

2017-08-09 Thread Kevin A. McGrail

Hi Benny,

As Michael pointed out and I emailed you off-list, yes, you are reading 
the header incorrectly.


Focusing on just the tests, you hit URIBL_BLOCKED.  Here's the 
description for that test:
ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See 
http://wiki.apache.org/spamassassin/DnsBlocklists\#dnsbl-block for more 
information.


HTH, KAM

On 8/9/2017 8:46 AM, Benny Pedersen wrote:


do i read headers incorrect ?

X-Spam-Status: No, score=-5.102 tagged_above=-999 required=6.31
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001,
SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled 





Re: apache.org have URIBL_BLOCKED now :/

2017-08-09 Thread Benny Pedersen

Michael Orlitzky wrote on 2017-08-08 23:39:


URIBL_BLOCKED means that the URIBL refused your DNS query:

  http://uribl.com/refused.shtml

The name "apache.org" isn't blacklisted, and there's nothing apache can
do to fix it. You need to make your DNS queries from somewhere else,
probably.


do i read headers incorrect ?

Received: (qmail 1703 invoked by uid 500); 8 Aug 2017 20:18:12 -
Mailing-List: contact users-h...@spamassassin.apache.org; run by ezmlm
Precedence: bulk
list-help: <mailto:users-h...@spamassassin.apache.org>
list-unsubscribe: <mailto:users-unsubscr...@spamassassin.apache.org>
List-Post: <mailto:users@spamassassin.apache.org>
List-Id: 
Delivered-To: mailing list users@spamassassin.apache.org
Received: (qmail 1693 invoked by uid 99); 8 Aug 2017 20:18:12 -
Received: from pnap-us-west-generic-nat.apache.org (HELO 
spamd1-us-west.apache.org) (209.188.14.142)
by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 08 Aug 2017 20:18:12 
+

Received: from localhost (localhost [127.0.0.1])
by spamd1-us-west.apache.org (ASF Mail Server at 
spamd1-us-west.apache.org) with ESMTP id B8CA0C37B1
for <users@spamassassin.apache.org>; Tue,  8 Aug 2017 20:18:11 + 
(UTC)

X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -5.102
X-Spam-Level:
X-Spam-Status: No, score=-5.102 tagged_above=-999 required=6.31
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001,
SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled
Authentication-Results: spamd1-us-west.apache.org (amavisd-new);
dkim=pass (1024-bit key) header.d=junc.eu
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, 
port 10024)

with ESMTP id H8f21Ce-uPKN for <users@spamassassin.apache.org>;
Tue,  8 Aug 2017 20:18:09 + (UTC)
Received: from linode.junc.eu (linode.junc.eu [176.58.121.172])
by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) 
with ESMTPS id 031AE5FCB5
for <users@spamassassin.apache.org>; Tue,  8 Aug 2017 20:18:08 + 
(UTC)

Received: from localhost.junc.eu (localhost.junc.eu [127.0.0.1])
by localhost.junc.eu (Postfix) with ESMTP id A7CE71BE112
for <users@spamassassin.apache.org>; Tue,  8 Aug 2017 21:18:08 +0100 
(BST)

X-Spam-ASN:
X-Spam-dcc_result:
X-Spam-Uri-Domains: gt.net
Received: from localhost.junc.eu (localhost.junc.eu [IPv6:::1])
by linode.junc.eu (Postfix) with ESMTPSA id 847331BE084
for <users@spamassassin.apache.org>; Tue,  8 Aug 2017 21:18:08 +0100 
(BST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=junc.eu; 
s=default;

t=1502223488; x=1502655488;
bh=ACeA4nE20azqhWy2oTSvIBD+bT388AqX7TJhMDuvlcA=;
h=Date:From:To:Subject:In-Reply-To:References;
b=qKmTUlrBK35djC6I7UYWeQXPS5+PzFk+01Mqx5bCIbL/D19Unu7t91ZA+iQTZatUG
 SqaXotlpIkhh4LA4rrFhl7bdIXRk2ohNxrETijGs47+glwBc/BqRxjYpgG31l6qiWk
 yq2M9cC/IgFBkHaGtIfg1nh7Pb0YQVRJUkFs4XVg=
X-Virus-Status: Clean
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Date: Tue, 08 Aug 2017 22:18:08 +0200
From: Benny Pedersen <m...@junc.eu>
To: users@spamassassin.apache.org
Subject: Re: Bayes auto-learn - not happening
Organization: Jersore Underground Network Center
In-Reply-To: <150802318-138072.p...@n5.nabble.com>
References: <0d5d01d31071$0d6be500$2843af00$@org>
 <40e49a6ef18d255c5b83fa7038337...@junc.eu>
 <150802318-138072.p...@n5.nabble.com>
Message-ID: <f18b283a08c9327a75de52592fd50...@junc.eu>
X-Sender: m...@junc.eu
User-Agent: Roundcube Webmail/1.2.5
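The point made in the replies about these headers (the X-Spam-Status line belongs to the host named in X-Virus-Scanned, so that host's resolver is the one being refused) can be checked mechanically. This is an added example, not part of any post or of SpamAssassin: the sample message is constructed in the shape of the headers above, the function names are hypothetical, and treating any test ending in `_BLOCKED` as a refused lookup is an assumption beyond the single URIBL_BLOCKED rule the thread discusses.

```python
import re
from email import message_from_string

# Constructed sample in the shape of the headers quoted above (trimmed).
SAMPLE = """\
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
\tby localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024)
X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org
X-Spam-Status: No, score=-5.102 tagged_above=-999 required=6.31
\ttests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
\tRCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001,
\tSPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled
From: sender@example.org
To: users@spamassassin.apache.org
Subject: constructed sample

body
"""

# Rule-to-zone mapping as stated in the thread; other rules map to "unknown".
BLOCKED_ZONES = {"URIBL_BLOCKED": "multi.uribl.com"}

# Matches both "tests=[A=0.1, B=-5]" (amavisd-new) and "tests=A,B,C" (plain list).
TESTS_RE = re.compile(r"tests=\[?((?:[\w.=-]+,\s*)*[\w.=-]+)\]?")


def parse_spam_status(value):
    """Parse an X-Spam-Status value into verdict, scores and a test map."""
    flat = " ".join(value.split())          # undo header folding
    tests = {}
    match = TESTS_RE.search(flat)
    if match and match.group(1) != "none":
        for item in match.group(1).split(","):
            name, _, score = item.strip().partition("=")
            tests[name] = float(score) if score else None
        flat = flat[:match.start()] + flat[match.end():]
    fields = dict(re.findall(r"(\w+)=(\S+)", flat))
    score = fields.get("score", fields.get("hits"))
    return {
        "spam": flat.lower().startswith("yes"),
        "score": float(score) if score is not None else None,
        "required": float(fields["required"]) if "required" in fields else None,
        "tests": tests,
    }


def scanning_host(msg):
    """Name the host that ran the content filter, from its own trace headers."""
    match = re.search(r"\bat\s+([\w.-]+)", msg.get("X-Virus-Scanned", ""))
    if match:
        return match.group(1)
    auth = msg.get("Authentication-Results", "").strip()
    return auth.split(";", 1)[0].split()[0] if auth else None


def blocked_lookups(raw_message):
    """Return one record per refused DNSBL lookup, tied to the scanning host."""
    msg = message_from_string(raw_message)
    host = scanning_host(msg)
    findings = []
    for value in msg.get_all("X-Spam-Status", []):
        for rule, score in parse_spam_status(value)["tests"].items():
            if rule.endswith("_BLOCKED"):
                findings.append({
                    "scanner": host,
                    "rule": rule,
                    "zone": BLOCKED_ZONES.get(rule, "unknown"),
                    "score": score,
                })
    return findings


if __name__ == "__main__":
    for finding in blocked_lookups(SAMPLE):
        print(finding)
```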


Re: apache.org have URIBL_BLOCKED now :/

2017-08-08 Thread Michael Orlitzky
On 08/08/2017 02:32 PM, Benny Pedersen wrote:
> subj might concern infra staff
> 
> forward please to infra
> 

URIBL_BLOCKED means that the URIBL refused your DNS query:

  http://uribl.com/refused.shtml

The name "apache.org" isn't blacklisted, and there's nothing apache can
do to fix it. You need to make your DNS queries from somewhere else,
probably.


Re: apache.org have URIBL_BLOCKED now :/

2017-08-08 Thread Kevin A. McGrail

On 8/8/2017 2:32 PM, Benny Pedersen wrote:

subj might concern infra staff

forward please to infra


Thanks.  Can you give more details?  I just sent a test message from my 
kmcgr...@apache.org and don't see an issue.  Is there a specific RBL?



Return-Path: 
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
by intel1.peregrinehw.com (8.14.9/8.14.9) with SMTP id v78Iaik9025060
for ; Tue, 8 Aug 2017 14:36:45 -0400
Received: (qmail 79636 invoked by uid 99); 8 Aug 2017 18:36:44 -
Received: from mail-relay.apache.org (HELO mail-relay.apache.org) 
(140.211.11.15)
by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 08 Aug 2017 18:36:44 +
Received: from [10.10.11.221] (pool-100-36-131-234.washdc.fios.verizon.net 
[100.36.131.234])
by mail-relay.apache.org (ASF Mail Server at mail-relay.apache.org) 
with ESMTPSA id 7AAFD1A00A6
for ; Tue,  8 Aug 2017 18:36:43 + (UTC)
To: kmcgr...@pccc.com
From: "Kevin A. McGrail" 
Subject: test
Message-ID: <8bd8f6f4-5f64-9ade-4c98-4b7f527de...@apache.org>
Date: Tue, 8 Aug 2017 14:36:55 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-PCCC-Virus-Scan: Enabled
X-KAM-Reverse: Passed - Reverse DNS of hermes.apache.org/140.211.11.3
X-Spam-Status: No, hits=-11.0 required=5.8  
tests=KAM_RPTR_PASSED,RCVD_IN_DNSWL_HI,RCVD_IN_HOSTKARMA_W,
  RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,RP_MATCHES_RCVD,
  SPF_PASS,TXREP



apache.org have URIBL_BLOCKED now :/

2017-08-08 Thread Benny Pedersen

subj might concern infra staff

forward please to infra


Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-20 Thread Kevin A. McGrail

On 5/19/2017 1:59 PM, David Jones wrote:

Would it be beneficial to add a local.cf config option to allow SA to
specify a different DNS server rather than what the OS is using in
/etc/resolv.conf?


I believe there is also an idea in bugzilla to specify this on a per RBL 
basis.  I can't find it but I know this issue crops up from time to time.


Regards,
KAM



Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-19 Thread David Jones
>Would it be beneficial to add a local.cf config option to allow SA to
>specify a different DNS server rather than what the OS is using in
>/etc/resolv.conf?

Nevermind.  David Funk just posted about "dns_server" that I wasn't
able to find earlier.  Seems like setting that would be the best option
for those where the /etc/resolv.conf is being managed.

I will update the wiki page with this config option.

Dave
  

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-19 Thread Kris Deugau

David Jones wrote:

Would it be beneficial to add a local.cf config option to allow SA to
specify a different DNS server rather than what the OS is using in
/etc/resolv.conf?


IIRC it does, and a quick scan of the Mail::SpamAssassin::Conf man page 
turned up:


   dns_server ip-addr-port  (default: entries provided by Net::DNS)
   Specifies an IP address of a DNS server, and optionally its
   port number.  The dns_server directive may be specified
   multiple times, each entry adding to a list of available
   resolving name servers. The ip-addr-port argument can either
   be an IPv4 or IPv6 address, optionally enclosed in brackets,
   and optionally followed by a colon and a port number. In
   absence of a port number a standard port number 53 is
   assumed. When an IPv6 address is specified along with a port
   number, the address must be enclosed in brackets to avoid
   parsing ambiguity regarding a colon separator. A scoped
   link-local IP address is allowed (assuming underlying
   modules allow it).

   Examples :
dns_server 127.0.0.1
dns_server 127.0.0.1:53
dns_server [127.0.0.1]:53
dns_server [::1]:53
dns_server fe80::1%lo0
dns_server [fe80::1%lo0]:53

   In absence of dns_server directives, the list of name
   servers is provided by Net::DNS module, which typically
   obtains the list from /etc/resolv.conf, but this may be
   platform dependent. Please consult the Net::DNS::Resolver
   documentation for details.

-kgd
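A parser for the `ip-addr-port` forms listed in the man page excerpt above, used to report whether a local.cf pins SpamAssassin to a loopback resolver. This is an added example and not SpamAssassin's own parsing code: the function names are hypothetical, the local.cf fragment is constructed, and the fallback note only restates the excerpt (no `dns_server` lines means the list comes from Net::DNS).

```python
import ipaddress

# Constructed local.cf fragment using forms from the man page excerpt.
LOCAL_CF = """\
dns_available yes
# send DNSBL lookups to the local resolver
dns_server 127.0.0.1
dns_server [::1]:53
dns_server [fe80::1%lo0]:5353
score URIBL_BLACK 0
"""


def parse_dns_server(arg):
    """Parse one ip-addr-port argument into (address, scope, port)."""
    arg = arg.strip()
    port = "53"                                   # default when no port is given
    if arg.startswith("["):
        host, closed, rest = arg[1:].partition("]")
        if not closed or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed address: {arg!r}")
        if rest:
            port = rest[1:]
    elif arg.count(":") == 1:                     # only IPv4 can have exactly one colon
        host, _, port = arg.partition(":")
    else:                                         # bare IPv4, or IPv6 without a port
        host = arg
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port in {arg!r}")
    addr, _, scope = host.partition("%")          # scoped link-local, e.g. fe80::1%lo0
    ip = ipaddress.ip_address(addr)               # raises ValueError if not an IP
    return str(ip), scope or None, int(port)


def configured_resolvers(local_cf):
    """Return every dns_server entry in config text, in file order."""
    servers = []
    for line in local_cf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "dns_server":
            servers.append(parse_dns_server(parts[1]))
    return servers


def resolver_report(local_cf):
    """Summarise where lookups go according to the dns_server directives."""
    servers = configured_resolvers(local_cf)
    off_host = [s for s in servers
                if not ipaddress.ip_address(s[0]).is_loopback]
    return {
        "servers": servers,
        "non_loopback": off_host,
        # With no dns_server lines the resolver list comes from Net::DNS,
        # which typically reads /etc/resolv.conf.
        "falls_back_to_system": not servers,
    }


if __name__ == "__main__":
    report = resolver_report(LOCAL_CF)
    for address, scope, port in report["servers"]:
        print(address, scope, port)
    print("non-loopback:", report["non_loopback"])
```

An unbracketed `::1:53` parses as the single IPv6 address `::1:53` on port 53, which is the colon ambiguity the man page warns about.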


Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-19 Thread David Jones
>From: Robert Kudyba 

>> Wiki page updated and simplified.

>> https://wiki.apache.org/spamassassin/CachingNameserver 

>For Fedora, since NetworkMangler (as many are fond to call it) is enabled
>by default it might be worthwhile to mention this comment at, but note that
>/etc/resolv.conf will be managed by dnssec-trigger daemon:
>https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver
>#How_to_get_Unbound_and_dnssec-trigger_running

>"If you use NetworkManager, configure it to use unbound. Add the
>following line into /etc/NetworkManager/NetworkManager.conf
>dns=unbound"

The wiki says to search for details in other online articles like that link.
I would prefer not to try to keep up with every little detail like this on
this wiki page since it seems to only get updated every 3 years.  In fact,
I was already thinking about removing any detail and just mention the
DNS servers so there are no details to become invalid in a year or two
like the reference to njabl.org.

Would it be beneficial to add a local.cf config option to allow SA to
specify a different DNS server rather than what the OS is using in
/etc/resolv.conf?

Dave
  

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-19 Thread David B Funk

On Fri, 19 May 2017, John Hardin wrote:


On Thu, 18 May 2017, Rob McEwen wrote:

In many cases, they explain to me that their settings got auto-overwritten 
by their hoster - who just HAD to switch their resolv.conf file back to 
8.8.8.8


cron. job.


Wouldn't the SA config parameter "dns_server" over-ride what's in the 
resolv.conf, or doesn't that work for RBL queries?


EG, set:
  dns_server 127.0.0.1

in your local.cf file and don't worry about what's in the resolv.conf


--
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin    Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-19 Thread John Hardin

On Thu, 18 May 2017, Rob McEwen wrote:

In many cases, they explain to me that their settings got auto-overwritten by 
their hoster - who just HAD to switch their resolv.conf file back to 8.8.8.8


cron. job.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  News flash: Lowest Common Denominator down 50 points
---
 50 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-19 Thread Robert Kudyba
>
> Wiki page updated and simplified.
>
> https://wiki.apache.org/spamassassin/CachingNameserver


For Fedora, since NetworkMangler (as many are fond to call it) is enabled
by default it might be worthwhile to mention this comment at, but note that
/etc/resolv.conf will be managed by dnssec-trigger daemon:
https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver#How_to_get_Unbound_and_dnssec-trigger_running
"If you use NetworkManager, configure it to use unbound. Add the following
line into /etc/NetworkManager/NetworkManager.conf
dns=unbound"


Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-19 Thread David Jones
From: Matus UHLAR - fantomas 
    
>On 18.05.17 17:05, Robert Kudyba wrote:
>> The link to http://njabl.org/rsync.html is broken at the moment.

>njabl.org is dead four (4) years

>On 18.05.17 14:39, John Hardin wrote:
>>I think this part of the wiki page may not be stressed strongly enough:
>[...]
>>/* Disable forwarding for DNSBL queries */
>[...]
>>zone "combined.njabl.org" { type forward; forward first; forwarders {}; };

>see above

>>zone "fulldom.rfc-ignorant.org" { type forward; forward first; forwarders {}; 
>>};

>rfc-ignorant.org is dead for years.

Wiki page updated and simplified.  

https://wiki.apache.org/spamassassin/CachingNameserver

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-19 Thread Matus UHLAR - fantomas

On 18.05.17 17:05, Robert Kudyba wrote:

The link to http://njabl.org/rsync.html is broken at the moment.


njabl.org is dead four (4) years

On 18.05.17 14:39, John Hardin wrote:

I think this part of the wiki page may not be stressed strongly enough:

[...]

/* Disable forwarding for DNSBL queries */

[...]

zone "combined.njabl.org" { type forward; forward first; forwarders {}; };


see above


zone "fulldom.rfc-ignorant.org" { type forward; forward first; forwarders {}; };


rfc-ignorant.org is dead for years.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler


Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread Rob McEwen

On 5/18/2017 5:46 PM, David Jones wrote:

it should be pretty clear now to not use a forwarding DNS server locally and
do not point the server to another DNS server in /etc/resolv.conf.


Thanks David!

Some may be interested to know at least 15% of my entire labor 
"overhead" for running invaluement - involves playing "whack a mole" (so 
to speak) with both testers and existing subscribers - whose DNS 
settings CONSTANTLY revert back to sending direct queries to invaluement 
via Google and/or OpenDNS - which are then blocked - even as the 
instructions were extremely clear about how/why not to do it that way.


In many cases, they explain to me that their settings got 
auto-overwritten by their hoster - who just HAD to switch their 
resolv.conf file back to 8.8.8.8


In some rare worst case scenarios - I have to "fire the customer", due 
to many repeated incidents where the labor involved in constantly 
babysitting their settings - was no longer worth their subscription payment.


And unfortunately there is just basically a very sizable portion of IT 
professionals in the entire world... probably hundreds of thousands of 
IT people - who have been convinced that pointing all DNS to 8.8.8.8 is 
standard operating procedure that they think is always the best way.


For me, it feels like annoying busy work. Imagine that for at least one 
hour out of your day - you have to stop what you're doing and dig a hole 
in your back yard - and then fill it back in.


So I'm grateful every time I see thread like this that pushes back 
against that, and encourages others to run industry standard 
non-forwarding caching DNS servers.


THANKS!

--
Rob McEwen
http://www.invaluement.com




Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread Martin Gregorie
On Thu, 2017-05-18 at 21:46 +, David Jones wrote:
> > From: John Hardin 
> > I think this part of the wiki page may not be stressed strongly
> > enough:
> > Non-forwarding
> > If you have a large ISP or are using large public DNS provider(s)
> > it is 
> > recommended you not forward mail-related DNS traffic through their
> > DNS 
> > servers (though non-mail DNS traffic from your site shouldn't have 
> > problems.) With bind, this means not having any "forwarders"
> > listed. Or, 
> > at a minimum, you could create exemptions by defining empty
> > forwarders for 
> > DNSBL zones, like this:
> 
> https://wiki.apache.org/spamassassin/CachingNameserver
> 
> I just simplified that page quite a bit.  It needs a little more work
> on it but it
> should be pretty clear now to not use a forwarding DNS server locally
> and do
> not point the server to another DNS server in /etc/resolv.conf.
> 
Minor correction: The Bind for RedHat section of the page needs changes
to bring it into line with the unbound instructions.

For Fedora you'd use: 

dnf install bind
# the bind package's service unit is named.service
systemctl enable named
systemctl start named

Can't comment about RHEL/CentOS


Martin



Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread Bill Cole

On 18 May 2017, at 17:05, Robert Kudyba wrote:


On May 18, 2017, at 4:41 PM, David Jones  wrote:


From: Robert Kudyba 



On 18.05.2017 at 22:30, Reindl Harald wrote:
"with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT
CAN'T
you are forwarding to some other nameserver and you are not the 
only one



But the nameserver I’m forwarding to is in our university.


Your server needs to do its own full recursive DNS lookups.


So dnsmasq is no longer an option?


It never was a reasonable option for anything more than a toy mail 
server on a network with real recursers that aren't shared by mail 
servers doing significant volume.


If you want a mail server to perform decently while using all the modern 
tools for fraud & spam detection (DNSBLs, SPF, DKIM, DMARC, DANE, 
requiring FCrDNS with a non-generic name, etc.) you need a fully 
recursive (never-forwarding) DNS resolver with a sizable cache on the 
same machine or at worst the same physical LAN. A substantial fraction 
of the time it takes to accept or reject a piece of mail is spent 
waiting for DNS replies, especially if you are relying on a cache that 
is on the other side of a router.



/etc/resolv.dnsmasq
search subdomain.ourschool.edu ourschool.edu
nameserver 150.108.x.yy
nameserver 150.108.y.xx


Tangent: You do know that your email address and a complete Received trail
are in your mail, right? Not much point in obfuscation...


Isn’t the point of enabling dnsmasq to cache DNS calls? I’m just 
following the
instructions at  
https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.apache.org_spamassassin_CachingNameserver-23=DwIFEA=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY=Xfhs5TxObQNstiygWZx6rtuJIMJ_Q65ueMPfIdG6MPw=YjlCBF15mxOWWMeVSUh_L9Jz1s8o454zFPqUC_5chAU=

Installing_dnsmasq_as_a_Caching_Nameserver which BTW has a broken
link to instructions.


Evidence that the wiki does not see a lot of maintenance. There's a LOT 
of staleness there.




I see there’s rbldnsd.


ONLY if you have a way to get full copies of the zones you want, because 
rbldnsd is ONLY authoritative. It is useful if you're paying for a 
subscription to a DNSBL provider like Spamhaus, but it's NOT a 
general-purpose resolver.


On Fedora and one of our 2 servers, we run NIS & ypbind. One runs 
NetworkManager and the other just the network service. I guess I’m 
looking for the best recommendation and easy configuration without 
conflicts.


IMHO NetworkMangler doesn't belong on ANY server, but that's a rant for 
elsewhere...


Unbound is by far my favorite for pure simple caching fully-recursive 
resolvers. I use BIND as well, but only where I need complex rigs that I 
have not yet tried to implement with Unbound.


The link to http://njabl.org/rsync.html  
is broken at the moment.


It shall remain so until such time as it is removed, as NJABL is long 
dead.


Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread David Jones
>From: John Hardin 

>I think this part of the wiki page may not be stressed strongly enough:

>Non-forwarding

>If you have a large ISP or are using large public DNS provider(s) it is 
>recommended you not forward mail-related DNS traffic through their DNS 
>servers (though non-mail DNS traffic from your site shouldn't have 
>problems.) With bind, this means not having any "forwarders" listed. Or, 
>at a minimum, you could create exemptions by defining empty forwarders for 
>DNSBL zones, like this:

https://wiki.apache.org/spamassassin/CachingNameserver

I just simplified that page quite a bit.  It needs a little more work on it but it
should be pretty clear now to not use a forwarding DNS server locally and do
not point the server to another DNS server in /etc/resolv.conf.

Dave

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread John Hardin

On Thu, 18 May 2017, Robert Kudyba wrote:




Am 18.05.2017 um 22:30 schrieb Reindl Harald:

"with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT CAN'T
you are forwarding to some other nameserver and you are not the only one


But the nameserver I’m forwarding to is in our university.


/etc/resolv.dnsmasq
search subdomain.ourschool.edu ourschool.edu
nameserver 150.108.x.yy
nameserver 150.108.y.xx

seriously - what do you think happens?
you and everybody else on planet earth using 150.xx.xx.xx are coming with the 
same IP to the DNSBL/URIBL hosts


Isn’t the point of enabling dnsmasq to cache DNS calls? I’m just 
following the instructions at 
https://wiki.apache.org/spamassassin/CachingNameserver#Installing_dnsmasq_as_a_Caching_Nameserver 
which BTW has a broken link to instructions.


I think this part of the wiki page may not be stressed strongly enough:



Non-forwarding

If you have a large ISP or are using large public DNS provider(s) it is 
recommended you not forward mail-related DNS traffic through their DNS 
servers (though non-mail DNS traffic from your site shouldn't have 
problems.) With bind, this means not having any "forwarders" listed. Or, 
at a minimum, you could create exemptions by defining empty forwarders for 
DNSBL zones, like this:


/* Disable forwarding for DNSBL queries */
zone "multi.uribl.com" { type forward; forward first; forwarders {}; };
zone "dnsbl.sorbs.net" { type forward; forward first; forwarders {}; };
zone "combined.njabl.org" { type forward; forward first; forwarders {}; };
zone "activationcode.r.mail-abuse.com" { type forward; forward first; forwarders {}; };
zone "nonconfirm.mail-abuse.com" { type forward; forward first; forwarders {}; };
zone "iadb.isipp.com" { type forward; forward first; forwarders {}; };
zone "bl.spamcop.net" { type forward; forward first; forwarders {}; };
zone "fulldom.rfc-ignorant.org" { type forward; forward first; forwarders {}; };
zone "list.dnswl.org" { type forward; forward first; forwarders {}; };
zone "blackholes.mail-abuse.org" { type forward; forward first; forwarders {}; };
zone "bl.score.senderscore.com" { type forward; forward first; forwarders {}; };
zone "zen.spamhaus.org" { type forward; forward first; forwarders {}; };


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If you are "fighting for social justice," then you are defining
  yourself as someone who considers regular old everyday
  *equal* justice to be something you don't want.   -- GOF at TSM
---
 49 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread Robert Kudyba
On May 18, 2017 5:11 PM, "Reindl Harald"  wrote:



Am 18.05.2017 um 23:05 schrieb Robert Kudyba:

>
> On May 18, 2017, at 4:41 PM, David Jones  djo...@ena.com>> wrote:
>>
>> From: Robert Kudyba >
>>>
>>
>> Am 18.05.2017 um 22:30 schrieb Reindl Harald:

> "with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT CAN'T
> you are forwarding to some other nameserver and you are not the only
> one
>

>> But the nameserver I’m forwarding to is in our university.
>>>
>>
>> Your server needs to do its own full recursive DNS lookups.
>>
>
> So dnsmasq is no longer an option?
>

it was never - no dns software which needs another nameserver for its job
is suitable on an inbound spamfilter

I will fix this wiki page now…
>>
>
> I see there’s rbldnsd. On Fedora and one of our 2 servers, we run NIS &
> ypbind. One runs NetworkManager and the other just the network service. I
> guess I’m looking for the best recommendation and easy configuration
> without conflicts. The link to https://urldefense.proofpoint.
> com/v2/url?u=http-3A__njabl.org_rsync.html=DwID-g=aqMfXO
> EvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM=X0jL9y0sL4r4iU_qVtR3
> lLNo4tOL1ry_m7-psV3GejY=_GpsD3DHYXO7rQ_TtNdtAq_0iO39u8Q
> BVn0morPE0hs=-BaByTtCkQ37-fWpZVVp9ZMa7nLIUpa8OWscKkMi3T8=  is broken
> at the moment
>

rbldnsd is a completely different thing and supposed to host your *own*
dnsbl zones

what you need is a *basic* nameserver just doing recursion and tell your
mailserver just use it

* get rid of other crap
* dnf install unbound
* systemctl enable unbound
* systemctl start unbound
* just use your unbound on 127.0.0.1


It looks like I'll have to

   - Add the following line into /etc/NetworkManager/NetworkManager.conf

dns=unbound

or ask the idiot maintaining "I'm forwarding to is in our university" why
he is forwarding queries outside your university to google instead doing
recursion


Probably because the university uses gmail. Our department does not.


Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread Robert Kudyba

> On May 18, 2017, at 4:41 PM, David Jones  wrote:
> 
>> From: Robert Kudyba 
> 
>>> Am 18.05.2017 um 22:30 schrieb Reindl Harald:
 "with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT CAN'T
 you are forwarding to some other nameserver and you are not the only one
> 
>> But the nameserver I’m forwarding to is in our university.
> 
> Your server needs to do its own full recursive DNS lookups.

So dnsmasq is no longer an option?

> 
>>> /etc/resolv.dnsmasq
>>> search subdomain.ourschool.edu ourschool.edu
>>> nameserver 150.108.x.yy
>>> nameserver 150.108.y.xx
>>> 
>>> seriously - what do you think happens?
>>> you and everybody else on planet earth using 150.xx.xx.xx are coming with
>> the same IP to the DNSBL/URIBL hosts
> 
> He's being rude but he's right.  You can't guarantee that all of the other DNS
> queries being made through your university DNS servers isn't going over the
> free limit on the URIBL DNS servers.
> 
>> Isn’t the point of enabling dnsmasq to cache DNS calls? I’m just following 
>> the
>> instructions at  
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.apache.org_spamassassin_CachingNameserver-23=DwIFEA=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY=Xfhs5TxObQNstiygWZx6rtuJIMJ_Q65ueMPfIdG6MPw=YjlCBF15mxOWWMeVSUh_L9Jz1s8o454zFPqUC_5chAU=
>>  
>> Installing_dnsmasq_as_a_Caching_Nameserver which BTW has a broken
>> link to instructions.
> 
> I will fix this wiki page now…

I see there’s rbldnsd. On Fedora and one of our 2 servers, we run NIS & ypbind. 
One runs NetworkManager and the other just the network service. I guess I’m 
looking for the best recommendation and easy configuration without conflicts. 
The link to http://njabl.org/rsync.html  is broken 
at the moment. 



Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread David Jones
>From: Robert Kudyba 

>> Am 18.05.2017 um 22:30 schrieb Reindl Harald:
>>> "with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT CAN'T
>>> you are forwarding to some other nameserver and you are not the only one

>But the nameserver I’m forwarding to is in our university.

Your server needs to do its own full recursive DNS lookups.

>> /etc/resolv.dnsmasq
>> search subdomain.ourschool.edu ourschool.edu
>> nameserver 150.108.x.yy
>> nameserver 150.108.y.xx
>> 
>> seriously - what do you think happens?
>> you and everybody else on planet earth using 150.xx.xx.xx are coming with
>the same IP to the DNSBL/URIBL hosts

He's being rude but he's right.  You can't guarantee that all of the other DNS
queries being made through your university DNS servers isn't going over the
free limit on the URIBL DNS servers.

>Isn’t the point of enabling dnsmasq to cache DNS calls? I’m just following the
>instructions at  https://wiki.apache.org/spamassassin/CachingNameserver#
> Installing_dnsmasq_as_a_Caching_Nameserver which BTW has a broken
>link to instructions.

I will fix this wiki page now...

Dave



Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread David Jones
>From: Robert Kudyba 

>host -tTXT test.uribl.com.multi.uribl.com
>test.uribl.com.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. 
>See
> http://uribl.com/refused.shtml for more information [Your DNS IP: 
> 74.125.19.15]"

>Some logs to show dnsmasq in use:
>May 17 14:23:32 ourserver dnsmasq[2336]: reading /etc/resolv.conf
>May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 150.108.x.yy#53
>May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 150.108.x.zz#53
>May 17 14:23:32 ourserver dnsmasq[2336]: reading /etc/resolv.conf
>May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 127.0.0.1#53

You can't use dnsmasq since it only forwards to other DNS servers.  You need to
use unbound, BIND, or my favorite PowerDNS recursor so that your server does
its own full recursive DNS lookups and doesn't rely on any other servers.  When
you rely on other DNS servers, then your DNS queries will be combined with all
of the other queries pushing you over the URIBL free usages limit.

Dave



Re: URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread Robert Kudyba

> Am 18.05.2017 um 22:30 schrieb Reindl Harald:
>> "with working dnsmasq" says all - DNSMASQ DON'T DO RECURSION - IT CAN'T
>> you are forwarding to some other nameserver and you are not the only one

But the nameserver I’m forwarding to is in our university.

> /etc/resolv.dnsmasq
> search subdomain.ourschool.edu ourschool.edu
> nameserver 150.108.x.yy
> nameserver 150.108.y.xx
> 
> seriously - what do you think happens?
> you and everybody else on planet earth using 150.xx.xx.xx are coming with the 
> same IP to the DNSBL/URIBL hosts

Isn’t the point of enabling dnsmasq to cache DNS calls? I’m just following the 
instructions at 
https://wiki.apache.org/spamassassin/CachingNameserver#Installing_dnsmasq_as_a_Caching_Nameserver
 which BTW has a broken link to instructions.



URIBL_BLOCKED on 2 Fedora 25 servers with working dnsmasq, w/ NetworkManager service

2017-05-18 Thread Robert Kudyba
I know this has been covered before, e.g., 
https://lists.gt.net/spamassassin/users/198845/?page=1;mh=-1; & 
https://lists.gt.net/spamassassin/users/199135 as well as off list at Ubuntu at 
https://serverfault.com/questions/644707/uribl-blocked-on-ubuntu-14-04-server-with-working-dnsmasq.
 Here’s what we’re getting on 2 Fedora 25 servers:

host -tTXT test.uribl.com.multi.uribl.com
test.uribl.com.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 74.125.19.15]"
[root@storm audit]# 

Note the DNS IP is a Google IP and always changes when I run the command.

I just want to make sure I’m not missing something. NetworkManager and network 
service are running and here you can see dnsmasq running with NM:

NetworkManager.service - Network Manager
   Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2017-05-17 17:07:27 EDT; 17h ago
     Docs: man:NetworkManager(8)
 Main PID: 24310 (NetworkManager)
    Tasks: 4 (limit: 4915)
   CGroup: /system.slice/NetworkManager.service
           ├─24310 /usr/sbin/NetworkManager --no-daemon
           └─24468 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.0.1 --cache-size=400 --conf-file=/dev/null --proxy-dnssec --enable-dbus=org.free

Some logs to show dnsmasq in use:
May 17 14:23:32 ourserver dnsmasq[2336]: reading /etc/resolv.conf
May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 150.108.x.yy#53
May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 150.108.x.zz#53
May 17 14:23:32 ourserver dnsmasq[2336]: reading /etc/resolv.conf
May 17 14:23:32 ourserver dnsmasq[2336]: using nameserver 127.0.0.1#53

cat /etc/resolv.conf
# Generated by NetworkManager
search subdomain.ourdomain.edu
nameserver 127.0.0.1

dns=dnsmasq is set in the [main] section of 
/etc/NetworkManager/NetworkManager.conf 

And some digs to show before/after:
dig www.google.co.nz

; <<>> DiG 9.10.4-P8-RedHat-9.10.4-5.P8.fc25 <<>> www.google.co.nz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50850
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;www.google.co.nz.  IN  A

;; ANSWER SECTION:
www.google.co.nz.   299 IN  A   172.217.10.67

;; Query time: 20 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 18 10:52:59 EDT 2017
;; MSG SIZE  rcvd: 61

[root@storm audit]# dig www.google.co.nz

; <<>> DiG 9.10.4-P8-RedHat-9.10.4-5.P8.fc25 <<>> www.google.co.nz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53814
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.co.nz.  IN  A

;; ANSWER SECTION:
www.google.co.nz.   297 IN  A   172.217.10.67

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 18 10:53:01 EDT 2017
;; MSG SIZE  rcvd: 61


host -tA 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com has address 127.0.0.1

/etc/dnsmasq.conf
port=0
resolv-file=/etc/resolv.dnsmasq
strict-order
no-dhcp-interface=enp7s0f0
bind-interfaces
listen-address=127.0.0.1,150.108.xx.yy,127.0.1.1
interface=enp7s0f0
domain=ourdomain.ourschool.edu

/etc/resolv.dnsmasq 
search subdomain.ourschool.edu ourschool.edu
nameserver 150.108.x.yy
nameserver 150.108.y.xx

 /etc/resolv.conf
# Generated by NetworkManager
search subdomain.ourschool.edu
nameserver 127.0.0.1

Am I missing something?
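
The check discussed in this thread, as an added example that is not part of the original post: it classifies the reply from the URIBL test point and lists the upstream resolvers a local cache forwards to, which is what decides whether queries are pooled with other users'. The function names are this example's own, the refusal text is copied from the post, and the 192.0.2.x addresses and log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): decide from captured output whether
# DNSBL queries leave this host through a shared forwarder.
# Sample input is constructed; 192.0.2.x are documentation addresses.

# uribl_txt_status REPLY
#   REPLY is the output of: host -tTXT test.uribl.com.multi.uribl.com
#   Prints "refused <ip>" (the resolver address URIBL saw) or "ok".
uribl_txt_status() {
    reply=$(printf '%s' "$1" | tr '\n' ' ')   # tolerate line-wrapped output
    case $reply in
        *"Query Refused"*)
            ip=$(printf '%s\n' "$reply" |
                 sed -n 's/.*Your DNS IP: *\([0-9A-Fa-f:.]*\)].*/\1/p')
            printf 'refused %s\n' "${ip:-unknown}" ;;
        *)  printf 'ok\n' ;;
    esac
}

# resolv_upstreams   (stdin: a resolv.conf-style file)
#   Prints each non-loopback nameserver, i.e. every resolver that this host
#   or its local forwarding cache hands queries to.
resolv_upstreams() {
    awk '$1 == "nameserver" && $2 !~ /^(127\.|::1$)/ { print $2 }'
}

# dnsmasq_upstreams   (stdin: syslog lines)
#   Prints the distinct non-loopback servers dnsmasq logged as
#   "using nameserver <addr>#<port>".
dnsmasq_upstreams() {
    sed -n 's/.*dnsmasq\[[0-9]*]: using nameserver \([^#]*\)#.*/\1/p' |
        awk '$1 !~ /^(127\.|::1$)/' | sort -u
}

# diagnose REPLY   (stdin: the resolv file the local cache forwards to,
#                   e.g. /etc/resolv.dnsmasq in the setup from the post)
diagnose() {
    status=$(uribl_txt_status "$1")
    ups=$(resolv_upstreams | tr '\n' ' ' | sed 's/ *$//')
    if [ "$status" = ok ]; then
        echo "OK: URIBL answered the test query"
    elif [ -n "$ups" ]; then
        echo "BLOCKED: forwarding to $ups; URIBL saw ${status#refused }"
    else
        echo "BLOCKED: no forwarder listed; URIBL saw ${status#refused }"
    fi
}

# Refusal text as quoted in the post.
SAMPLE_REFUSED='test.uribl.com.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 74.125.19.15]"'

# Constructed stand-in for /etc/resolv.dnsmasq.
SAMPLE_RESOLV='search example.edu
nameserver 192.0.2.53
nameserver 192.0.2.54'

# Constructed dnsmasq log lines in the format shown in the post.
SAMPLE_LOG='May 17 14:23:32 host dnsmasq[2336]: reading /etc/resolv.conf
May 17 14:23:32 host dnsmasq[2336]: using nameserver 192.0.2.53#53
May 17 14:23:32 host dnsmasq[2336]: using nameserver 192.0.2.54#53
May 17 14:23:32 host dnsmasq[2336]: using nameserver 127.0.0.1#53'

printf '%s\n' "$SAMPLE_RESOLV" | diagnose "$SAMPLE_REFUSED"
printf '%s\n' "$SAMPLE_LOG" | dnsmasq_upstreams

# Live use on a mail host:
#   diagnose "$(host -tTXT test.uribl.com.multi.uribl.com)" < /etc/resolv.dnsmasq
```

A "BLOCKED: no forwarder listed" result means the file that was checked is not the one the cache actually reads, or that the host's own query volume exceeds the free limit.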

Re: Fwd: Fwd: URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.

2017-02-14 Thread Bowie Bailey

On 2/14/2017 10:01 AM, Emin Akbulut wrote:


-- Forwarded message --
From: Bowie Bailey <bowie_bai...@buc.com>
Date: Tue, Feb 14, 2017 at 5:44 PM
Subject: Re: Fwd: URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to
URIBL was blocked.
To: users@spamassassin.apache.org

That page is suggesting that you find the authoritative server for
blacklist domains and force those domain queries to go to those
servers.  This will fix the problem, but it is a bit fragile since
your lookups will start failing if those domains ever change their
DNS setup.
A better idea is to have your server stop forwarding altogether.
Let your DNS server query the root servers and figure out the
authoritative DNS servers for the domains itself.  This is how DNS
servers were designed to work and there are few reasons not to do
it this way.  Unfortunately, I have no idea where those settings
are in the Windows DNS server.


That was the problem. I couldn't find the correct IP addresses. That's 
why I asked here how to configure conditional forwarders correctly, I 
mean IP addresses for uribl.com, etc.


The page you referenced actually showed how to do that.

C:\> nslookup -querytype=ns uribl.com

uribl.com   nameserver = v.uribl.net
uribl.com   nameserver = o.icudp.com
uribl.com   nameserver = c.sarules.net
uribl.com   nameserver = p.icudp.net

c.sarules.net   internet address = 52.9.94.53
o.icudp.com internet address = 54.149.125.143
p.icudp.net internet address = 94.228.131.217
v.uribl.net internet address = 52.71.102.73

The IP addresses listed are all nameservers for uribl.com.

Now my DNS server runs like a DNS server, uses root DNS servers to 
resolve names.


A much better idea.


I think I should "subscribe" to uribl's paid system if any.


You don't need to unless you continue to get blocked.  Or if you just 
want to support them.


Before you think about paying, make absolutely sure that you are 
querying them directly.  The paid service still won't work (afaik) if 
you are using forwarding.


--
Bowie


Re: URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.

2017-02-14 Thread Benny Pedersen

Emin Akbulut skrev den 2017-02-14 16:03:

It's Gmail. When I hit the reply button, it only sends the last
poster, -in this reply, it's you and I manually added users@-


gmail ignores List-* headers, leading to much more problems than users 
using gmail


if you need more support on their broken gmail ask them


Re: Fwd: URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.

2017-02-14 Thread Benny Pedersen

Emin Akbulut skrev den 2017-02-14 15:27:

I'm confused a bit. Should I use forwarders or not?


no stop any forward dns


I was trying to follow that guide:


i do not care of windows problems here

use spamassassin docs on how to use specific ip as dns server, but not 
global, only for spamassassin you should stay at 127.0.0.1, your windows 
problematic dns server should do the rest for you, if it still not 
working ask where they know more about windows than here


Re: URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.

2017-02-14 Thread Emin Akbulut
It's Gmail. When I hit the reply button, it only sends the last poster,
-in this reply, it's you and I manually added users@-

On Tue, Feb 14, 2017 at 5:57 PM, Reindl Harald <h.rei...@thelounge.net>
wrote:

> what is wrong with your mailprogram that it apparently is lacking a
> "reply" button and so you seem to need forward messages which breaks
> threading in any sane mail-client and list-archive?
>
> Am 14.02.2017 um 15:43 schrieb Emin Akbulut:
>
>>
>> -- Forwarded message --
>> From: David Jones <djo...@ena.com>
>> Date: Tue, Feb 14, 2017 at 5:33 PM
>> Subject: Re: URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL
>> was blocked.
>> To: "users@spamassassin.apache.org" <users@spamassassin.apache.org>
>>
>>
>> Note that if your mail volume is high enough, you may
>> still hit their free usage limit even after doing this.
>> Dave
>>
>>
>>
>> I've got plenty of inboxes. I've read SpamAssassin's info page about the
>> block and it says:
>>
>> Resolving the block might be as simple as using your
>> own non-forwarding
>> <https://wiki.apache.org/spamassassin/CachingNameserver#Non-forwarding> caching
>> nameserver
>> <https://wiki.apache.org/spamassassin/CachingNameserver> to avoid
>> being lumped together with other users queries; setting up your own
>> mirror of the DNS-blocklist; or paying to use the blocklist. The
>> choice is up to the DNS-Blocklist administrator.
>>
>>
>>
>> Then I found myself at configuring DNS cond. forwarder because of an
>> incorrect advise
>>
>


Re: URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.

2017-02-14 Thread Benny Pedersen

Emin Akbulut skrev den 2017-02-14 14:21:


How can I set the DNS conditional forwarders properly?


setup spamassassin to use 127.0.0.1 as dns server, not any remote ips

i don't know anything on how windows works :=)


Fwd: Fwd: URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.

2017-02-14 Thread Emin Akbulut
> -- Forwarded message --
> From: Bowie Bailey <bowie_bai...@buc.com>
> Date: Tue, Feb 14, 2017 at 5:44 PM
> Subject: Re: Fwd: URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL
> was blocked.
> To: users@spamassassin.apache.org
>
> That page is suggesting that you find the authoritative server for
> blacklist domains and force those domain queries to go to those servers.
> This will fix the problem, but it is a bit fragile since your lookups will
> start failing if those domains ever change their DNS setup.
> A better idea is to have your server stop forwarding altogether.  Let your
> DNS server query the root servers and figure out the authoritative DNS
> servers for the domains itself.  This is how DNS servers were designed to
> work and there are few reasons not to do it this way.  Unfortunately, I
> have no idea where those settings are in the Windows DNS server.


That was the problem. I couldn't find the correct IP addresses. That's why
I asked here how to configure conditional forwarders correctly, I mean IP
addresses for uribl.com, etc.

Now my DNS server runs like a DNS server, uses root DNS servers to resolve
names.

I think I should "subscribe" to uribl's paid system if any.


Re: Fwd: URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.

2017-02-14 Thread Bowie Bailey

On 2/14/2017 9:27 AM, Emin Akbulut wrote:

I'm confused a bit. Should I use forwarders or not?
I was trying to follow that guide:

-

As your issue with UTIBL_BLOCKED is a well-known one

I would like to point you the FAQ section of  our homepage:


http://www.jam-software.com/spamassassin_in_a_box/online_manual/EN/configuredns.html



Here you will find detailed information on how to configure

a Microsoft Windows DNS server to do a conditional forwarding.



That page is a bit confusing since it shows screenshots of the DNS query 
results, but never actually shows a screenshot of the setting you are 
supposed to be changing.


That page is suggesting that you find the authoritative server for 
blacklist domains and force those domain queries to go to those 
servers.  This will fix the problem, but it is a bit fragile since your 
lookups will start failing if those domains ever change their DNS setup.


A better idea is to have your server stop forwarding altogether. Let 
your DNS server query the root servers and figure out the authoritative 
DNS servers for the domains itself.  This is how DNS servers were 
designed to work and there are few reasons not to do it this way.  
Unfortunately, I have no idea where those settings are in the Windows 
DNS server.


--
Bowie


Fwd: URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.

2017-02-14 Thread Emin Akbulut
> -- Forwarded message --
> From: David Jones <djo...@ena.com>
> Date: Tue, Feb 14, 2017 at 5:33 PM
> Subject: Re: URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
> blocked.
> To: "users@spamassassin.apache.org" <users@spamassassin.apache.org>
>
>
> Note that if your mail volume is high enough, you may
> still hit their free usage limit even after doing this.
> Dave



I've got plenty of inboxes. I've read SpamAssassin's info page about the
block and it says:

Resolving the block might be as simple as using your own non-forwarding
> <https://wiki.apache.org/spamassassin/CachingNameserver#Non-forwarding> 
> caching
> nameserver <https://wiki.apache.org/spamassassin/CachingNameserver> to
> avoid being lumped together with other users queries; setting up your own
> mirror of the DNS-blocklist; or paying to use the blocklist. The choice is
> up to the DNS-Blocklist administrator.
>


Then I found myself at configuring DNS cond. forwarder because of an
incorrect advice.


Re: URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.

2017-02-14 Thread David Jones
>From: RW <rwmailli...@googlemail.com>
>Sent: Tuesday, February 14, 2017 7:51 AM
>To: users@spamassassin.apache.org
>Subject: Re: URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was 
>blocked.
    
>On Tue, 14 Feb 2017 16:21:04 +0300
>Emin Akbulut wrote:

>> Hi
>> 
>> URIBL checks are blocked. I think bec. of so many queries. I'm
>> advised to set up conditional forwarder on Windows DNS Server.

>If you mean that you should *stop* forwarding this traffic then that
>is correct. You need to be doing your own look-ups to the
>whitelist/blacklist servers from your own IP address, forwarding to a
>shared server is what causes the problem.

This is a common problem and has been discussed on this list
many times before.  I wish SpamAssassin had a better way to
handle this rule hit and explaining to the server admin but I
don't think this is possible.

Basically you need to point to a DNS server that you manage
or know for sure that it's not forwarding to another DNS server.
It's not required to have a local DNS server on your SA box but
it's the best way to know for sure that it's doing full recursive
lookups, not forwarding to other DNS servers that will
consolidate your queries with others pushing you over the
free usage limits and thus hitting this rule.

Note that if your mail volume is high enough, you may
still hit their free usage limit even after doing this.

Dave





Fwd: URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.

2017-02-14 Thread Emin Akbulut
I'm confused a bit. Should I use forwarders or not?
I was trying to follow that guide:

-

As your issue with UTIBL_BLOCKED is a well-known one
>
> I would like to point you the FAQ section of  our homepage:
>
>
>
> http://www.jam-software.com/spamassassin_in_a_box/online_manual/EN/configuredns.html
>
>
>
> Here you will find detailed information on how to configure
>
> a Microsoft Windows DNS server to do a conditional forwarding.
>


-


Re: URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.

2017-02-14 Thread RW
On Tue, 14 Feb 2017 16:21:04 +0300
Emin Akbulut wrote:

> Hi
> 
> URIBL checks are blocked. I think bec. of so many queries. I'm
> advised to set up conditional forwarder on Windows DNS Server.

If you mean that you should *stop* forwarding this traffic then that
is correct. You need to be doing your own look-ups to the
whitelist/blacklist servers from your own IP address, forwarding to a
shared server is what causes the problem.



> How can I set the DNS conditional forwarders properly?

This is a question about Windows.


URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.

2017-02-14 Thread Emin Akbulut
Hi

URIBL checks are blocked. I think bec. of so many queries. I'm advised to
set up conditional forwarder on Windows DNS Server.

I've added uribl.com as DNS zone and  54.149.125.143 as IP.

SA still tags the messages.

How can I set the DNS conditional forwarders properly?


Re: Anyone seeing URIBL_BLOCKED?

2016-12-07 Thread Matus UHLAR - fantomas

On 06.12.16 16:58, Mark London wrote:
Hi - Around 7PM yesterday (US eastern time), I started seeing 
URIBL_BLOCKED, and it didn't go away after midnight.  I tried 
switching to one of our other local name servers, and that didn't 
help.  I've been using this service for many years.   Do you know if 
their policy has changed?   Thanks. - Mark


how many mails you process daily?
how many clients use your DNS servers?
are you using other kind of URI checking (e.g. on proxy server)?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...


Re: Anyone seeing URIBL_BLOCKED?

2016-12-06 Thread Mark London
I'm not using dns forwarding.

Sent from my iPhone

> On Dec 6, 2016, at 5:13 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
> 
> get rid of dns forwarding and use dns servers with *real* recursion, that 
> topic makes people sick after so many years
> 
>> Am 06.12.2016 um 22:58 schrieb Mark London:
>> Hi - Around 7PM yesterday (US eastern time), I started seeing
>> URIBL_BLOCKED, and it didn't go away after midnight.  I tried switching
>> to one of our other local name servers, and that didn't help.  I've been
>> using this service for many years.   Do you know if their policy has
>> changed?   Thanks. - Mark



Anyone seeing URIBL_BLOCKED?

2016-12-06 Thread Mark London
Hi - Around 7PM yesterday (US eastern time), I started seeing 
URIBL_BLOCKED, and it didn't go away after midnight.  I tried switching 
to one of our other local name servers, and that didn't help.  I've been 
using this service for many years.   Do you know if their policy has 
changed?   Thanks. - Mark




Re: URIBL_BLOCKED while using local BIND

2015-09-18 Thread Matus UHLAR - fantomas

On 16.09.15 09:50, Bowie Bailey wrote:
The SA config is probably a better solution than the bind exemptions.  


I would say just the opposite. For example, MTA at SMTP level can look up
RBLs, and SA would benefit from having records in local cache.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes. 


Re: URIBL_BLOCKED while using local BIND

2015-09-18 Thread Bowie Bailey

On 9/18/2015 4:25 PM, Matus UHLAR - fantomas wrote:

On 16.09.15 09:50, Bowie Bailey wrote:
The SA config is probably a better solution than the bind exemptions. 


I would say just the opposite. For example, MTA at SMTP level can look up
RBLs, and SA would benefit from having records in local cache


True.  I was thinking more in terms of the amount of work needed in 
setup and maintenance.  Whenever SA changes its RBL list (which is, 
admittedly, not that often), you need to update the exemption list in 
bind.  And if you make a typo in the domain name, it is not immediately 
obvious since you are still getting results from the query.


On the other hand, if you point SA to its own non-forwarding DNS 
server, it just works and you don't have to touch it again.


--
Bowie


Re: URIBL_BLOCKED while using local BIND

2015-09-16 Thread Marc Richter

Hi Adam,

that's a great workaround and perfectly fits my needs! Thank you for 
that! :)


I'll use this if I cannot find out why my exemptions do not work in a 
reasonable amount of time.


Best regards,
Marc

Am 15.09.2015 um 20:14 schrieb Adam Major:

Hi.

If you don't want change DNS resolver for all DNS queries from your
server you can add in SA config line:

dns_server x.y.z.k:53

where x.y.z.k is IP DNS server using to resolve only by SA.


Then in resolv.conf you can use different (ex. ISP) DNS server.


More info:

http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#port



Best Regards.



Re: URIBL_BLOCKED while using local BIND

2015-09-16 Thread Marc Richter

Hi Dave,

you are right: That is a measurement of "how fast is my ISP's cache?". 
But literally, that's all I want:
I do not want "better" DNS results than I got from my ISPs DNS servers 
so far. I'd like to keep up the benefit of using a large DNS cache, 
without blocking these resources on my host. My ISPs DNS servers are 
dedicated to resolve and cache the results. Why shouldn't I make use of 
these cached data, but build up an own pool of cached data for a second 
time, blocking resources on my machine, which can make good use of these 
resources for another workload?
Also, these caches are preserved when my machines are restarted. And WHY 
these results are faster provided is technically an unfair comparison, 
yes, but summed up to what's important for my case it isn't.


All I want is to make queries to the DNSBL services on my own and not 
using my ISPs servers, since these have drained their free contingent 
all the time.


That's why I have tried to configure bind as suggested at 
http://wiki.apache.org/spamassassin/CachingNameserver#Non-forwarding , 
but this seems not to work.


Best regards,
Marc

On 15.09.2015 at 16:41, Dave Funk wrote:

However you did not empty your ISP's dns server cache.
That 2 msec response time is from his cache, the 543 msec for your
server is when it's not in your server's cache.
So you're not making a fair comparison.

A response from a cache is always going to be faster, that's why people
use caching servers.
However with everybody & his cat using your ISP's server it gets query
blocked and thus is caching the bad (blocked) response.

So either you get bad data fast or good data slowly.

Once you get a second spam with similar contents, queries for that copy
will be in your cache and be fast.

Given that a modern SA parallelizes DNS queries a somewhat slow DNS
response (hundreds of msecs) won't have too much overall effect on the
spam processing time.

On Tue, 15 Sep 2015, Marc Richter wrote:


Yes

On 15.09.2015 at 13:30, Axb wrote:

On 09/15/2015 01:23 PM, Marc Richter wrote:

Also, you shouldn't make assumptions without measuring something:

1. without forwarding:

;; Query time: 543 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

2. with forwarding to my ISP's servers:

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

That's 271 times faster than the root servers' lookup.


did you EMPTY cache after each query?










Re: URIBL_BLOCKED while using local BIND

2015-09-16 Thread Reindl Harald


On 16.09.2015 at 11:36, Marc Richter wrote:

I am - it's the very same setup you describe like I'm using. The only
difference is that I do not rely on a dedicated DNS resolver I setup
myself, but the centralized nameserver of my ISP, which works exactly
like any nameserver I'd setup myself.


no it does not

ISP nameservers have proven all sort of troubles over the years like 
ignoring TTL, spit out random expired responses, from one day to the 
next decide to answer wildcard instead NXDOMAIN which kills any 
mailservice from one moment to the next and so on



Although, the intended setup with exemptions by defining empty
forwarders for DNSBL zones was not my idea - this scenario is described
on the SA wiki as a working solution:
http://wiki.apache.org/spamassassin/CachingNameserver#Non-forwarding

This seems to not be working, so I'm heading for this ML to find out why.


well, that would be a question for the bind-ML


you should read and
understand their posts in full before doing so at least, to not look
like a jackass additional to an impolite person.


obviously it doesn't work


That's right - so let's work out the reasons for it and not fight
against each other. This setup is described in the official SA wiki and
not working. So let's improve this public resource together.


until now it is not sure that your setup is correct (only using 
127.0.0.1 as nameserver)



What I wrote is:

 >> ... but created the exemptions as listed at the very bottom of that
 >> site, to make sure my bind don't forward requests on these services
 >> to my ISP's DNS ...


but it does forward otherwise the problem would be solved


You are right. I double-checked in the meantime (and awaited some spams
to arrive) by disabling forwarding completely. It does work then.
I do and did not doubt this - but the issue remains: I'd still like to
forward all of my requests to take the advantage of my ISP's DNS caches.
But those queries to the DNSBL zones should be resolved exceptionally by
my local recursion nameserver.

Why is the example in the SA wiki not working?


maybe you did not tell SA directly or the OS in /etc/resolv.conf *only* 
use 127.0.0.1 as DNS server



I do - and you are right with what you described. But all you mentioned
is not important for my setup and specific application. Fast resolution
and a huge DNS cache is. I know, that those aren't the times achieved
when my ISP's DNS servers initiate a recursive query on the data, but
deliver what they already have cached, only. But that is OK for me. I
only need these cached data


well, you only benefit from the ISP cache when another customer within 
the TTL did the same request, in any other case the response would be 
slower because one hop more


you are still missing the whole picture!


When I would do the recursive resolvings on my own, not only my initial
queries would take quite a long time compared to those my ISP does, but
I would "waste" a lot of resources needed to provide these caches on my
own servers. My setup simply isn't big enough to reasonably dedicate a
box on its own or use those resources of my apps host, only to provide
nearly the same my ISP already serves.


you just need 64-128 MB RAM for a reasonable cache and when it comes to 
resources i would use unbound instead of named as caching-only resolver


*all* blacklist services have a very low TTL, with unbound you even 
cache *much* better than any ISP resolver because you can specify that 
responses are cached for at least 10 minutes instead of asking every 5 seconds 
again and again - they are doing that to enforce hit their limits by 
intention


 msg-cache-size: 64m
 neg-cache-size: 64m
 rrset-cache-size: 128m
 cache-min-ttl: 600
 cache-max-ttl: 10800





Re: URIBL_BLOCKED while using local BIND

2015-09-16 Thread Marc Richter

Hi Axb,

yes, I did copy the config block from the wiki 1:1 into my BIND setup.
I have added that zone exemption you suggested into my config.

I'll wait for a few spams to arrive to see the results.

Thank you for sharing your thoughts.

Best regards,
Marc

On 16.09.2015 at 11:41, Axb wrote:

On 09/16/2015 11:36 AM, Marc Richter wrote:

Although, the intended setup with exemptions by defining empty
forwarders for DNSBL zones was not my idea - this scenario is described
on the SA wiki as a working solution:
http://wiki.apache.org/spamassassin/CachingNameserver#Non-forwarding

This seems to not be working, so I'm heading for this ML to find out why.


are you doing this:

zone "multi.uribl.com" { type forward; forward first; forwarders {}; };

if yes try adding:

zone "uribl.com" { type forward; forward first; forwarders {}; };



Re: URIBL_BLOCKED while using local BIND

2015-09-16 Thread Marc Richter

if you are trying to insult people at all costs


really?

you would recognize it when i intend to do so


Please read your previous reply again. You will find that you used a 
very harsh tone against someone who comes here asking questions in a 
reasonable and moderate tone. Yes - maybe I *am* doing something wrong - 
that's even likely, since otherwise I'd be not the first to find such an 
issue in such a widely used software. But I expect the same reasonable 
tone in the answers to my question like I'm writing my questions in.



*any* experienced mailadmin out there has a local recursion nameserver
on his MTA or at least somewhere in his LAN to use a central local cache
but only you can't do it?


I am - it's the very same setup you describe like I'm using. The only 
difference is that I do not rely on a dedicated DNS resolver I setup 
myself, but the centralized nameserver of my ISP, which works exactly 
like any nameserver I'd setup myself.


Although, the intended setup with exemptions by defining empty 
forwarders for DNSBL zones was not my idea - this scenario is described 
on the SA wiki as a working solution: 
http://wiki.apache.org/spamassassin/CachingNameserver#Non-forwarding


This seems to not be working, so I'm heading for this ML to find out why.


you should read and
understand their posts in full before doing so at least, to not look
like a jackass additional to an impolite person.


obviously it doesn't work


That's right - so let's work out the reasons for it and not fight 
against each other. This setup is described in the official SA wiki and 
not working. So let's improve this public resource together.



What I wrote is:

 >> ... but created the exemptions as listed at the very bottom of that
 >> site, to make sure my bind don't forward requests on these services
 >> to my ISP's DNS ...


but it does forward otherwise the problem would be solved


You are right. I double-checked in the meantime (and awaited some spams 
to arrive) by disabling forwarding completely. It does work then.
I do and did not doubt this - but the issue remains: I'd still like to 
forward all of my requests to take the advantage of my ISP's DNS caches. 
But those queries to the DNSBL zones should be resolved exceptionally by 
my local recursion nameserver.


Why is the example in the SA wiki not working?


 > and *no* the ISP nameserver is *not* a lot faster in most cases

Also, you shouldn't make assumptions without measuring something:

1. without forwarding:

;; Query time: 543 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

2. with forwarding to my ISP's servers:

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

That's 271 times faster than the root servers' lookup.


*lol* yes, the second hit already in your local cache when you don't
clear it before, you never ever have 2 ms with a forwarding resolver on
the internet asked - never ever!

for *that* one specific request if you have the luck it's in his cache
it *can* be faster, otherwise the ISP would need to do the whole
recursion itself and then answer to your cache with one additional hop

what you also ignore is the fact that you get the lowered TTL depending
on how old the cache entry on the forwarder is while your own cache entry
with recursion would be valid the whole TTL of the SOA

in other words: you don't look at the whole picture


I do - and you are right with what you described. But all you mentioned 
is not important for my setup and specific application. Fast resolution 
and a huge DNS cache is. I know, that those aren't the times achieved 
when my ISP's DNS servers initiate a recursive query on the data, but 
deliver what they already have cached, only. But that is OK for me. I 
only need these cached data.
When I would do the recursive resolvings on my own, not only my initial 
queries would take quite a long time compared to those my ISP does, but 
I would "waste" a lot of resources needed to provide these caches on my 
own servers. My setup simply isn't big enough to reasonably dedicate a 
box on its own or use those resources of my apps host, only to provide 
nearly the same my ISP already serves.



anyways 543 msec is high

;; Query time: 121 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Di Sep 15 13:27:59 CEST 2015
;; MSG SIZE  rcvd: 57



That's correct and one of the reasons I'd like to rely on my ISP's data, 
since changing this is out of my hands.


Best regards,
Marc


Re: URIBL_BLOCKED while using local BIND

2015-09-16 Thread Marc Richter

Hi Bowie,

thanks for your reply.


I would suggest temporarily removing the forward completely as a test
and see if this fixes the problem.  If so, then your exemptions are not
working correctly.  If not, then double-check that you are actually
using the local server and not still querying the ISP's server.


I did exactly this the last hours and let spam reach my box during that 
time. When forwarding is disabled completely, the DNSBL services work. 
So, as you said, something's not OK with the exemptions.


This makes me wonder a bit, since these are described on the SA wiki 
site 
http://wiki.apache.org/spamassassin/CachingNameserver#Non-forwarding and 
they were copied 1:1 into my setup.


I'll try to find out what's wrong in the Bind-community, too.

Best regards,
Marc


Re: URIBL_BLOCKED while using local BIND

2015-09-16 Thread Marc Richter

Hi Axb,

On 16.09.2015 at 11:41, Axb wrote:

Although, the intended setup with exemptions by defining empty
forwarders for DNSBL zones was not my idea - this scenario is described
on the SA wiki as a working solution:
http://wiki.apache.org/spamassassin/CachingNameserver#Non-forwarding

This seems to not be working, so I'm heading for this ML to find out why.


are you doing this:

zone "multi.uribl.com" { type forward; forward first; forwarders {}; };

if yes try adding:

zone "uribl.com" { type forward; forward first; forwarders {}; };


looks like this is it! I changed this as suggested and sent myself some 
spams. The DNSBL checks are working now, thank you :)



Best regards,
Marc


Re: URIBL_BLOCKED while using local BIND

2015-09-16 Thread Reindl Harald



On 16.09.2015 at 13:38, Marc Richter wrote:

On 16.09.2015 at 11:41, Axb wrote:

Although, the intended setup with exemptions by defining empty
forwarders for DNSBL zones was not my idea - this scenario is described
on the SA wiki as a working solution:
http://wiki.apache.org/spamassassin/CachingNameserver#Non-forwarding

This seems to not be working, so I'm heading for this ML to find out
why.


are you doing this:

zone "multi.uribl.com" { type forward; forward first; forwarders {}; };

if yes try adding:

zone "uribl.com" { type forward; forward first; forwarders {}; };


looks like this is it! I changed this as suggested and send myself some
spams. The DNSBL Checks are working now, Thank you :)


you need to maintain this every time domains / subdomains are changing 
and probably new lists are added - you need to take care about all of 
this when rule-updates arrive


* what about barracuda RBL
* what about mailspike

both used in SA and not mentioned there

a local unbound cache with 64-128 MB RAM and a minimal TTL of 10 minutes 
would save you a lot of headache and result in even better caching






Re: URIBL_BLOCKED while using local BIND

2015-09-16 Thread Benny Pedersen

Reindl Harald wrote on 2015-09-16 15:35:


"cache-min-ttl" is AFAIK an unbound-only feature because it violates
RFC's but in case of a mailserver it's your decision and if you don't
set it for days normally not a problem


so configure unbound to listen only on 127.0.0.2 and in named.conf use 
forward only to that ip, make sure bind does not bind to 127.0.0.2


then one can have ttl ignored for spamassassin dns but rfc ok for others

or just set dns_servers in local.cf for 127.0.0.2

even it for did all that right both bind and unbound will work together

when dns servers enforce small ttl and not tell their other servers with 
a soa notify they make their own problems


Re: URIBL_BLOCKED while using local BIND

2015-09-16 Thread Bowie Bailey

The SA config is probably a better solution than the bind exemptions.  
As was pointed out elsewhere in this thread, URIBL is not the only 
DNS-based blacklist that enforces usage limits and it may not be as easy 
to tell that you are being blocked with some of the others.


If you add in the 'dns_server' entry to the config, then SA will use the 
local nameserver for everything and you don't have to worry about 
keeping track of which blacklist queries you need to exempt from forwarding.


Set your resolv.conf back to your ISP, remove forwarding from your local 
name server, and add 'dns_server 127.0.0.1' to your local.cf.


Bowie

On 9/16/2015 5:44 AM, Marc Richter wrote:

Hi Adam,

that's a great workaround and perfectly fits my needs! Thank you for 
that! :)


I'll use this if I cannot find out why my exemptions do not work in a 
reasonable amount of time.


Best regards,
Marc

On 15.09.2015 at 20:14, Adam Major wrote:

Hi.

If you don't want to change the DNS resolver for all DNS queries from your
server you can add this line to the SA config:

dns_server x.y.z.k:53

where x.y.z.k is the IP of the DNS server used only by SA for resolving.


Then in resolv.conf you can use a different (e.g. ISP) DNS server.


More info:

http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#port 





Best Regards.





Re: URIBL_BLOCKED while using local BIND

2015-09-16 Thread Reindl Harald



On 16.09.2015 at 15:22, Marc Richter wrote:

All this is true.

As you already pointed out in a previous post, resolving is quite slow
on that host. I have no influence on the networking around that box. So
I did not want other things starting to go slow by this.


well, and there unbound with "cache-min-ttl: 3600" on 127.0.0.1 will 
save you a ton of DNS requests outside your network for repeatedly 
hammering clients / urls, the ones which are not very active are most 
likely in no cache anyways


"cache-min-ttl" is AFAIK an unbound-only feature because it violates 
RFC's but in case of a mailserver it's your decision and if you don't 
set it for days normally not a problem


you just need to outweigh caching/timing and how much junk slips 
because you cache a NXDOMAIN for a DNSBL/URIBL while 10 minutes later it 
may be listed


you need also to look very careful if it always is that slow or just for 
some domains - the slowdown can also be caused by the DNS server 
responsible for a domain/PTR-zone and you would only benefit from the 
ISP cache if another user already asked the same question there, if not 
you have to wait the same time because the ISP cache can't make the SOA 
server faster



On 16.09.2015 at 13:43, Reindl Harald wrote:


On 16.09.2015 at 13:38, Marc Richter wrote:

On 16.09.2015 at 11:41, Axb wrote:

Although, the intended setup with exemptions by defining empty
forwarders for DNSBL zones was not my idea - this scenario is
described
on the SA wiki as a working solution:
http://wiki.apache.org/spamassassin/CachingNameserver#Non-forwarding

This seems to not be working, so I'm heading for this ML to find out
why.


are you doing this:

zone "multi.uribl.com" { type forward; forward first; forwarders {}; };

if yes try adding:

zone "uribl.com" { type forward; forward first; forwarders {}; };


looks like this is it! I changed this as suggested and send myself some
spams. The DNSBL Checks are working now, Thank you :)


you need to maintain this every time domains / subdomains are changing
and probably new lists are added - you need to take care about all of
this when rule-updates arrive

* what about barracuda RBL
* what about mailspike

both used in SA and not mentioned there

a local unbound cache with 64-128 MB RAM and a minimal TTL of 10 minutes
would save you a lot of headache and result in even better caching



--

Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / CISO / Software-Development
m: +43 (676) 40 221 40, p: +43 (1) 595 3999 33
icq: 154546673, http://www.thelounge.net/

http://www.thelounge.net/signature.asc.what.htm



signature.asc
Description: OpenPGP digital signature


Re: URIBL_BLOCKED while using local BIND

2015-09-16 Thread Marc Richter

All this is true.

As you already pointed out in a previous post, resolving is quite slow 
on that host. I have no influence on the networking around that box. So 
I did not want other things starting to go slow by this.


But you convinced me - I now also think that the other way bears too 
much stumbling blocks.


Marc

On 16.09.2015 at 13:43, Reindl Harald wrote:



On 16.09.2015 at 13:38, Marc Richter wrote:

On 16.09.2015 at 11:41, Axb wrote:

Although, the intended setup with exemptions by defining empty
forwarders for DNSBL zones was not my idea - this scenario is described
on the SA wiki as a working solution:
http://wiki.apache.org/spamassassin/CachingNameserver#Non-forwarding

This seems to not be working, so I'm heading for this ML to find out
why.


are you doing this:

zone "multi.uribl.com" { type forward; forward first; forwarders {}; };

if yes try adding:

zone "uribl.com" { type forward; forward first; forwarders {}; };


looks like this is it! I changed this as suggested and send myself some
spams. The DNSBL Checks are working now, Thank you :)


you need to maintain this every time domains / subdomains are changing
and probably new lists are added - you need to take care about all of
this when rule-updates arrive

* what about barracuda RBL
* what about mailspike

both used in SA and not mentioned there

a local unbound cache with 64-128 MB RAM and a minimal TTL of 10 minutes
would save you a lot of headache and result in even better caching



Re: URIBL_BLOCKED while using local BIND

2015-09-15 Thread Adam Major

Hi.

If you don't want to change the DNS resolver for all DNS queries from your
server you can add this line to the SA config:

dns_server x.y.z.k:53

where x.y.z.k is the IP of the DNS server used only by SA for resolving.


Then in resolv.conf you can use a different (e.g. ISP) DNS server.


More info:

http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html#port



Best Regards.


Re: URIBL_BLOCKED while using local BIND

2015-09-15 Thread Bowie Bailey

On 9/15/2015 6:51 AM, Marc Richter wrote:

Hi everyone,

I recently read the following in all my filtered Mail:

0.0 URIBL_BLOCKED   ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See  http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.

So I read what's written there and setup a local DNS server, as 
described at http://wiki.apache.org/spamassassin/CachingNameserver .
I did choose to forward the requests to my ISP's DNS servers, since it 
is a lot faster, but created the exemptions as listed at the very 
bottom of that site, to make sure my bind don't forward requests on 
these services to my ISP's DNS, but resolve them using DNS Root servers.


But even the IP of my server was sending just 2 requests for incoming 
spam since I have integrated BIND, these messages contain this 
ADMINISTRATOR NOTICE also. How can I hit the free usage limit by just 
2 requests?


I would suggest temporarily removing the forward completely as a test 
and see if this fixes the problem.  If so, then your exemptions are not 
working correctly.  If not, then double-check that you are actually 
using the local server and not still querying the ISP's server.


--
Bowie


URIBL_BLOCKED while using local BIND

2015-09-15 Thread Marc Richter

Hi everyone,

I recently read the following in all my filtered Mail:

0.0 URIBL_BLOCKED   ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See  http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.

So I read what's written there and setup a local DNS server, as 
described at http://wiki.apache.org/spamassassin/CachingNameserver .
I did choose to forward the requests to my ISP's DNS servers, since it 
is a lot faster, but created the exemptions as listed at the very bottom 
of that site, to make sure my bind don't forward requests on these 
services to my ISP's DNS, but resolve them using DNS Root servers.


But even the IP of my server was sending just 2 requests for incoming 
spam since I have integrated BIND, these messages contain this 
ADMINISTRATOR NOTICE also. How can I hit the free usage limit by just 2 
requests?


Best regards,
Marc


Re: URIBL_BLOCKED while using local BIND

2015-09-15 Thread Axb

On 09/15/2015 12:51 PM, Marc Richter wrote:

Hi everyone,

I recently read the following in all my filtered Mail:

0.0 URIBL_BLOCKED   ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See  http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.

So I read what's written there and setup a local DNS server, as
described at http://wiki.apache.org/spamassassin/CachingNameserver .
I did choose to forward the requests to my ISP's DNS servers, since it
is a lot faster, but created the exemptions as listed at the very bottom
of that site, to make sure my bind don't forward requests on these
services to my ISP's DNS, but resolve them using DNS Root servers.

But even the IP of my server was sending just 2 requests for incoming
spam since I have integrated BIND, these messages contain this
ADMINISTRATOR NOTICE also. How can I hit the free usage limit by just 2
requests?


remove the forwarding to your ISP.
unless a wider range is being blocked, your problem should be solved


btw: adding a hop to every query isn't faster.





Re: URIBL_BLOCKED while using local BIND

2015-09-15 Thread Marc Richter

Yes

On 15.09.2015 at 13:30, Axb wrote:

On 09/15/2015 01:23 PM, Marc Richter wrote:

Also, you shouldn't make assumptions without measuring something:

1. without forwarding:

;; Query time: 543 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

2. with forwarding to my ISP's servers:

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

That's 271 times faster than the root servers' lookup.


did you EMPTY cache after each query?




