Re: cbl RBL

2007-01-28 Thread Thomas Bolioli

Theo Van Dinter wrote:

 On Sat, Jan 27, 2007 at 06:52:29PM -0500, Thomas Bolioli wrote:
  /etc/procmail and it is fired off with a user .forward file |IFS=' '
  exec /usr/bin/procmail || exit 75 #tpblists. Still looking into Net::DNS.

 A few ideas.  First, do DROPPRIVS=yes if you haven't already.  Second, why are
 you using a .forward file?  Just set procmail as the MDA.

DROPPRIVS is already set to yes. In answer to the second question, 
legacy. This machine has an upgrade legacy of 6 years. I set it up this 
way because I was not having SA do checks for every account and I was 
experimenting when I first set up spam filtering. Changing that may 
become my Sunday morning task...


I am still at a complete loss to explain why some users (when running SA 
from the cmdline) can do rbl checks and others can't. I have set the 
user_prefs files to be exactly the same, eliminating any config deltas 
from potentially causing this. I have confirmed though that the problem 
is that the DNS queries are definitely timing out and upping the timeout 
to 60 secs does nothing but delay the inevitable. I was mistaken that it 
was the SPF* tests zeroed out that was causing the issue. But it looked 
that way for a while.


Now, the only thing clustering the groups (i.e. those that work and 
those that do not) is that the two accounts (there may be more but I will 
not be digging into my clients' email accounts) that do not successfully 
check RBLs get by far the most spam compared to the others that work.


Any ideas would be greatly appreciated, but right now I need to 
determine if it is SA that is having issues with the lookups or whether 
the accounts are screwed up in some way. BIND does not seem to be 
throttled either, so the volume of queries should not be the issue.


Re: cbl RBL (RESOLVED)

2007-01-28 Thread Thomas Bolioli

Thomas Bolioli wrote:
 Anyone with ideas, they would be greatly appreciated but right now I 
 need to determine if it is SA that is having issues with the lookups 
 or are the accounts screwed up in some way. bind does not seem to be 
 throttled either so the volume of queries should not be the issue either.


After doing a diff between the home dirs of some of these users, I found 
.resolv.conf files in the offending users' directories. I am not sure how 
they got there (they were ~2-3 yrs old and formatted in such a way that it 
leads me to believe they were put there by an application) but they were 
pointing at older DNS servers that went offline about a month or two 
ago. I removed them and now the spam coming in is firing off one or 
more RBLs. Somehow the presence of these did not interfere with non-DNS 
specific requests, i.e. GET would work with this there.

Thanks for the help everyone.
Tom
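The per-user resolver override behind this fix is worth checking for systematically. Net::DNS::Resolver, which SpamAssassin uses for its DNSBL lookups, reads /etc/resolv.conf and then (at least in the Net::DNS releases of that era) $HOME/.resolv.conf and ./.resolv.conf, with later files overriding earlier ones. Since procmail runs the delivery with HOME set to the recipient's directory, a stale file there silently redirects only that user's DNS to a dead server, while every other account and every non-DNS test keeps working, which is exactly the symptom above. The script below is an added example, not code from the thread: it walks a tree of home directories for such files and reports where their nameserver lines diverge from the system file. The directory layout and the RFC 5737 documentation addresses in the constructed fixture are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): find per-user .resolv.conf files that
# Net::DNS::Resolver would read after /etc/resolv.conf and report the ones
# whose nameservers differ from the system resolver configuration.
set -u

# nameservers_in FILE: print the nameserver addresses listed in FILE, sorted,
# on one line (empty if the file is missing or lists none).
nameservers_in() {
    awk '$1 == "nameserver" { print $2 }' "$1" 2>/dev/null | sort | tr '\n' ' '
}

# audit_resolv_overrides SYSTEM_RESOLV HOME_ROOT
# For every HOME_ROOT/<user>/.resolv.conf print "<user> <status> <nameservers>",
# where status is "same" when the nameservers match SYSTEM_RESOLV and
# "override" when they do not. The "override" entries are the suspects:
# SpamAssassin started from that user's delivery resolves through whatever
# the file names, not through the servers the rest of the box uses.
audit_resolv_overrides() {
    sys_ns=$(nameservers_in "$1")
    for f in "$2"/*/.resolv.conf; do
        [ -f "$f" ] || continue
        user=$(basename "$(dirname "$f")")
        user_ns=$(nameservers_in "$f")
        if [ "$user_ns" = "$sys_ns" ]; then
            printf '%s same %s\n' "$user" "$user_ns"
        else
            printf '%s override %s\n' "$user" "$user_ns"
        fi
    done
}

# count_overrides SYSTEM_RESOLV HOME_ROOT: number of diverging users, for
# use as a check in a cron job or a monitoring probe.
count_overrides() {
    audit_resolv_overrides "$1" "$2" | awk '$2 == "override" { n++ } END { print n + 0 }'
}

# make_fixture: build a constructed example tree (RFC 5737 documentation
# addresses, not real servers) and print its root: alice mirrors the system
# file, bob carries a stale ~/.resolv.conf pointing at servers that no
# longer exist, carol has no override at all.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice" "$root/home/bob" "$root/home/carol"
    printf 'search example.net\nnameserver 192.0.2.53\n' > "$root/resolv.conf"
    printf 'nameserver 192.0.2.53\n' > "$root/home/alice/.resolv.conf"
    printf 'nameserver 198.51.100.1\nnameserver 198.51.100.2\n' > "$root/home/bob/.resolv.conf"
    echo "$root"
}

# Demo on the fixture; against a real box run:
#   audit_resolv_overrides /etc/resolv.conf /home
demo_root=$(make_fixture)
audit_resolv_overrides "$demo_root/resolv.conf" "$demo_root/home"
rm -rf "$demo_root"
```

Only files named exactly .resolv.conf are considered, matching what Net::DNS looks for; a ./.resolv.conf in whatever directory the MDA happens to start SpamAssassin in would have the same effect and is worth a separate look if the home directories come up clean.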


cbl RBL

2007-01-27 Thread tpblists
I am trying to get lookups against cbl (http://cbl.abuseat.org/) and  
it does not seem to be working. Below is what I am adding to  
local.cf but it is not firing off. Also, I tried both check_rbl() and  
check_rbl_txt(). What am I doing wrong here?

Thanks,
Tom
FYI: CBL is catching a lot of these spam bot spams...


# CBL answers an A query with 127.0.0.2 for a listed address, so the set
# is defined with check_rbl() and the subtest below matches that value;
# a check_rbl_txt() set collects TXT data instead, which an address
# subtest such as '127.0.0.2' does not match, so the _IP rule could not fire.
header RCVD_IN_CBL eval:check_rbl('cbl', 'cbl.abuseat.org.')
describe RCVD_IN_CBL Received from an IP in cbl.abuseat.org
tflags RCVD_IN_CBL net
score RCVD_IN_CBL 0.1

header RCVD_IN_CBL_IP eval:check_rbl_sub('cbl', '127.0.0.2')
describe RCVD_IN_CBL_IP CBL: sender is a bot
tflags RCVD_IN_CBL_IP net
# reuse lets mass-check take this result from already-marked-up mail;
# drop the line if spamassassin --lint rejects it on an older release
reuse RCVD_IN_CBL_IP
score RCVD_IN_CBL_IP 0.1
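What those rules do underneath, as an added example that is not part of the original post: check_rbl() reverses the octets of each relay address outside trusted_networks, appends the zone, and asks for an A record; check_rbl_sub() then matches the returned 127.0.0.x value. Doing the same query by hand with dig separates a listing from a clean result and, which is what the rest of this thread turns on, from a resolver that never answers at all. The relay address and the optional resolver argument are assumptions for the demo; dnsbl_lookup is the only function that touches the network, and the demo at the end does not call it.

```shell
#!/bin/sh
# Added example (not from the thread): the query SpamAssassin's check_rbl()
# issues for a relay address, done by hand so that "listed", "not listed"
# and "resolver timed out" can be told apart.

# dnsbl_qname IP ZONE: the reversed-octet name that is actually looked up,
# e.g. 192.0.2.10 in cbl.abuseat.org -> 10.2.0.192.cbl.abuseat.org
dnsbl_qname() {
    echo "$1" | awk -F. -v zone="$2" '{ printf "%s.%s.%s.%s.%s\n", $4, $3, $2, $1, zone }'
}

# dnsbl_classify ANSWER: interpret the A record the way a check_rbl_sub()
# subtest does. An empty answer (NXDOMAIN) means not listed; CBL returns
# 127.0.0.2 for every listing, other zones use further 127.0.0.x codes,
# and anything outside 127.0.0.0/8 is a wildcarding resolver or a
# search-path hit rather than a real listing and must not score.
dnsbl_classify() {
    case "$1" in
        "")          echo "not-listed" ;;
        127.0.0.2)   echo "listed" ;;
        127.0.0.*)   echo "listed-code:$1" ;;
        *)           echo "bogus-answer:$1" ;;
    esac
}

# dnsbl_lookup IP ZONE [RESOLVER]: live check with dig (needs network).
# dig exits 9 when no server replied, which is the failure mode this
# thread is about; a clean NXDOMAIN exits 0 with empty +short output.
# Prints the classification and returns 0 (answered), 2 (timeout) or 3.
dnsbl_lookup() {
    qname=$(dnsbl_qname "$1" "$2")
    server=""
    [ -n "${3:-}" ] && server="@$3"
    rc=0
    # $server is deliberately unquoted so that an empty value adds no argument
    answer=$(dig +short +time=3 +tries=1 $server "$qname" A 2>/dev/null) || rc=$?
    case $rc in
        0) dnsbl_classify "$(echo "$answer" | head -n 1)"; return 0 ;;
        9) echo "timeout"; return 2 ;;
        *) echo "dig-error:$rc"; return 3 ;;
    esac
}

# Offline demo of the pure parts. To query for real, use for example
#   dnsbl_lookup 127.0.0.2 cbl.abuseat.org 192.0.2.53
# since 127.0.0.2 is the test entry RFC 5782 requires every DNSBL to list;
# "timeout" from that call means the resolver, not the rule, is broken.
dnsbl_qname 192.0.2.10 cbl.abuseat.org     # 10.2.0.192.cbl.abuseat.org
dnsbl_classify 127.0.0.2                    # listed
dnsbl_classify ""                           # not-listed
```

Pointing dnsbl_lookup at each nameserver from a user's resolver configuration in turn is the quickest way to tell a dead or unreachable server from a rule that simply does not match.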




Re: cbl RBL

2007-01-27 Thread Alexis Manning
[EMAIL PROTECTED] wrote:
 I am trying to get lookups against cbl (http://cbl.abuseat.org/) and
 it does not seem to be working.

Not a direct answer to your rules question, but isn't the CBL already
included in the XBL check?

-- A.



Re: cbl RBL

2007-01-27 Thread Thomas Bolioli

Alexis Manning wrote:

 [EMAIL PROTECTED] wrote:
  I am trying to get lookups against cbl (http://cbl.abuseat.org/) and
  it does not seem to be working.

 Not a direct answer to your rules question, but isn't the CBL already
 included in the XBL check?

 -- A.

Right you are... Then I have another issue. My RBL checks are not firing 
off...


Re: cbl RBL

2007-01-27 Thread Alexis Manning
Thomas Bolioli [EMAIL PROTECTED] wrote:
 Right you are... Then I have another issue. My RBL checks are not firing
 off...

If you're not seeing *any* BLs ever firing in your SA-marked up mails then
it'd sound like a DNS issue, e.g. misconfigured firewall or router.

If you're seeing some intermittently then perhaps your DNSBL checks are
timing out and you'd need to increase rbl_timeout in your local.cf

-- A. 



Re: cbl RBL

2007-01-27 Thread Theo Van Dinter
On Sat, Jan 27, 2007 at 09:19:40PM -, Alexis Manning wrote:
 If you're not seeing *any* BLs ever firing in your SA-marked up mails then
 it'd sound like a DNS issue, e.g. misconfigured firewall or router.

Or you've disabled rules, or disabled rbl checks, or you're running in
local mode, or ...

-- 
Randomly Selected Tagline:
Linux!  Guerrilla UNIX Development Venimus, Vidimus, Dolavimus.
 (By [EMAIL PROTECTED], Mark A. Horton KA4YBR)




Re: cbl RBL

2007-01-27 Thread Thomas Bolioli

Alexis Manning wrote:

 Thomas Bolioli [EMAIL PROTECTED] wrote:
  Right you are... Then I have another issue. My RBL checks are not firing
  off...

 If you're not seeing *any* BLs ever firing in your SA-marked up mails then
 it'd sound like a DNS issue, e.g. misconfigured firewall or router.

 If you're seeing some intermittently then perhaps your DNSBL checks are
 timing out and you'd need to increase rbl_timeout in your local.cf

 -- A.

DNS is working. I am running queryperf right now to see what impact 
timeouts could be having. The machine is a DNS server and I am sure it 
is working. I also saw lint output that was able to look up intel.com and 
the other network tests are firing. I do not think they are intermittent.


Re: cbl RBL

2007-01-27 Thread Thomas Bolioli

Theo Van Dinter wrote:

 On Sat, Jan 27, 2007 at 09:19:40PM -, Alexis Manning wrote:
  If you're not seeing *any* BLs ever firing in your SA-marked up mails then
  it'd sound like a DNS issue, e.g. misconfigured firewall or router.

 Or you've disabled rules, or disabled rbl checks, or you're running in
 local mode, or ...


Definitely not disabled (rules or rbl checks). Local mode? What is that?


Re: cbl RBL

2007-01-27 Thread Thomas Bolioli

Theo Van Dinter wrote:

 On Sat, Jan 27, 2007 at 09:19:40PM -, Alexis Manning wrote:
  If you're not seeing *any* BLs ever firing in your SA-marked up mails then
  it'd sound like a DNS issue, e.g. misconfigured firewall or router.

 Or you've disabled rules, or disabled rbl checks, or you're running in
 local mode, or ...


This is really odd...
The RBL checks fired off from the command line (while a queryperf was 
running against the DNS server...) but not when postfix passes the email 
off through procmail as the same user's ID. This is stumping me. Any ideas?


Re: cbl RBL

2007-01-27 Thread Thomas Bolioli

Thomas Bolioli wrote:

 Theo Van Dinter wrote:

  On Sat, Jan 27, 2007 at 09:19:40PM -, Alexis Manning wrote:
   If you're not seeing *any* BLs ever firing in your SA-marked up mails then
   it'd sound like a DNS issue, e.g. misconfigured firewall or router.

  Or you've disabled rules, or disabled rbl checks, or you're running in
  local mode, or ...

 This is really odd...
 The RBL checks fired off from the command line (while a queryperf was 
 running against the DNS server...) but not when postfix passes the 
 email off through procmail as the same users ID. This is stumping me. 
 Any ideas? 

Actually, this is getting even odder. There is one account on the system 
on which the RBL checks do not fail to execute when run through postfix 
su'd. That is acct x and it uses nothing special and has a blank 
user_prefs (plain vanilla account). Accounts a-y are a mix of plain 
vanilla ones and customized ones. Yet, account x is the only one that 
RBL lookups are working on. Is there anything in how SA deals with DNS 
lookups that could cause this?

Tom


Re: cbl RBL

2007-01-27 Thread Theo Van Dinter
On Sat, Jan 27, 2007 at 05:25:59PM -0500, Thomas Bolioli wrote:
 vanilla ones and customized ones. Yet, account x is the only one that 
 RBL lookups is working on. Is there anything in how SA deals with DNS 
 lookups that could cause this?

SA calls Net::DNS, which as far as I know just looks at resolv.conf,
then makes queries.  I'd probably run a mail through spamassassin in debug
mode to see what these other accounts are doing.

-- 
Randomly Selected Tagline:
Bit - The increment by which programmers slowly go mad.




Re: cbl RBL

2007-01-27 Thread Theo Van Dinter
On Sat, Jan 27, 2007 at 04:38:54PM -0500, Thomas Bolioli wrote:
 Definitely not disabled (rules or rbl checks). local mode What is that?

Local mode is the -L commandline parameter to spamassassin and spamd.  It
disables all network rules.

-- 
Randomly Selected Tagline:
When cryptography is outlawed, gjklj nbvmiou wtkj kd;ie4 skt klbjxdf.
   - Unknown




Re: cbl RBL

2007-01-27 Thread Theo Van Dinter
On Sat, Jan 27, 2007 at 04:52:23PM -0500, Thomas Bolioli wrote:
 The RBL checks fired off from the command line (while a queryperf was 
 running against the DNS server...) but not when postfix passes the email 
 off through procmail as the same users ID. This is stumping me. Any ideas?

/etc/procmailrc or .procmailrc?  What does it look like?

-- 
Randomly Selected Tagline:
I had a linguistics professor who said that it's man's ability to use 
 language that makes him the dominant species on the planet.  That may be. 
 But I think there's one other thing that separates us from animals.  We 
 aren't afraid of vacuum cleaners. - Jeff Stilson




Re: cbl RBL

2007-01-27 Thread Thomas Bolioli

Theo Van Dinter wrote:

 On Sat, Jan 27, 2007 at 04:52:23PM -0500, Thomas Bolioli wrote:
  The RBL checks fired off from the command line (while a queryperf was 
  running against the DNS server...) but not when postfix passes the email 
  off through procmail as the same users ID. This is stumping me. Any ideas?

 /etc/procmailrc or .procmailrc?  What does it look like?

/etc/procmail, and it is fired off with a user .forward file containing
"|IFS=' ' exec /usr/bin/procmail || exit 75 #tpblists". Still looking into Net::DNS.




Re: cbl RBL

2007-01-27 Thread Thomas Bolioli

Theo Van Dinter wrote:

 On Sat, Jan 27, 2007 at 05:25:59PM -0500, Thomas Bolioli wrote:
  vanilla ones and customized ones. Yet, account x is the only one that 
  RBL lookups is working on. Is there anything in how SA deals with DNS 
  lookups that could cause this?

 SA calls Net::DNS, which as far as I know just looks at resolv.conf,
 then makes queries.  I'd probably run a mail through spamassassin in debug
 mode to see what these other accounts are doing.

resolv.conf is fine. When I run them using su as those users, it works 
fine. It appears to be something with how procmail runs them.


Re: cbl RBL

2007-01-27 Thread Theo Van Dinter
On Sat, Jan 27, 2007 at 06:52:29PM -0500, Thomas Bolioli wrote:
 /etc/procmail and it is fired off with a user .forward file |IFS=' '  
 exec /usr/bin/procmail || exit 75 #tpblists. Still looking into Net::DNS.

A few ideas.  First, do DROPPRIVS=yes if you haven't already.  Second, why are
you using a .forward file?  Just set procmail as the MDA.

-- 
Randomly Selected Tagline:
I'm sorry, this piece still has a bit of penguin on it.
  - Theo explaining what dirty ice is.




Re: cbl RBL

2007-01-27 Thread Thomas Bolioli

Thomas Bolioli wrote:

 Theo Van Dinter wrote:

  On Sat, Jan 27, 2007 at 05:25:59PM -0500, Thomas Bolioli wrote:
   vanilla ones and customized ones. Yet, account x is the only one that 
   RBL lookups is working on. Is there anything in how SA deals with DNS 
   lookups that could cause this?

  SA calls Net::DNS, which as far as I know just looks at resolv.conf,
  then makes queries.  I'd probably run a mail through spamassassin in debug
  mode to see what these other accounts are doing.

 resolve.conf is fine. When I run them using su as those users, it 
 works fine. It appears to be something with how procmail runs them.

Actually, I stand corrected. There are some accounts which reliably do 
the RBL checks and others that do not. The ones that do not had the 
SPF tests zeroed out. I am into new and uncharted territory, but does 
that seem like a bug?