Reverse DNS

Expert
Posts: 265
Joined: Tue May 04, 2004 1:07 pm

Postby dave » Mon Feb 11, 2008 1:34 pm

To answer your "external program" question (which I didn't see because I was typing my response above), it's not an external program...just another great feature of eWall!

Junior Member
Posts: 60
Joined: Wed Sep 19, 2007 3:31 pm

Postby SteveT » Mon Feb 11, 2008 3:48 pm

Dave,

Thanks. I will give it a try.
--
Regards,
Steve Topilnycky
ArGoStuff | Top Cat Computing

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Postby Alexander Telegin » Wed Feb 13, 2008 11:46 pm

Dave, I'd recommend changing the DNS server and seeing if the problem disappears. I have tried to test surbl.org for the last two days, but get a permanent timeout. Perhaps they are DoS'ed, or my ISP is broken and I don't have a route. The other eWall DNS-based features seem fine.

Expert
Posts: 265
Joined: Tue May 04, 2004 1:07 pm

Postby dave » Thu Feb 14, 2008 12:07 pm

Yikes! Two different topics getting mixed together.

Sorry Alex, SURBL isn't my problem...I only answered a question for SteveT.

Let me start over: From personal experience, I would NEVER block email based on "no reverse DNS", because I've seen reverse DNS fail on people who have already emailed many times (and reverse DNS is fine), yet one day something is buggy and it doesn't work. Therefore, a perfectly good email got killed.

After a customer of mine yelled at me for it, I changed the reverse DNS test from "Delete email" to "Add message to subject ("Possible spam")".

This doesn't happen often...maybe once a month, but one good email killed (when my customer is talking to the person on the phone and just asked him to send it that second) is too much.

Alex, here's a test I'm hoping you can do, because for me to do it would cause every email for every domain to be marked "Possible spam", and I won't have happy customers. Can you point your test setup for eWall to DNS servers that either refuse to respond to your requests (because they are configured to ignore requests from non-authorized IPs), or IP addresses that are non-existent, and see what happens? You could try mine because I *think* I've got mine set to block such requests: d n s 1 . i w p s . c o m

My concern is that if eWall can't connect to the DNS server, it returns a "None" for an answer, and that fails the reverse DNS test, forcing good email to be marked spam. However, a failed DNS lookup really needs to return another condition (perhaps "Error"?), which means that we can't make a judgment call in that particular case.

Thanks!

Correction, it's: n s 1 . i w p s . com
Sorry

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Postby Alexander Telegin » Fri Feb 15, 2008 12:50 am

OK, I got it. I'll check the code and will let you know.

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Postby Alexander Telegin » Sat Feb 16, 2008 2:24 pm

I'm confused. I've checked the code and not found where eWall blocks the clients without DNS records. You can play with eWall's DNS client yourself. Telnet to port 32001 and issue a DNS command in the format

DNS type=[A|PTR|MX] query=[...]

for example

DNS type=A query=sssolutions.net

Please let me know if you find something.

Expert
Posts: 265
Joined: Tue May 04, 2004 1:07 pm

Postby dave » Mon Feb 18, 2008 1:17 pm

I've got it! I was able to confirm that if eWall can't get a valid response from a DNS server, the existing test will mark it as spam. Here's what I did:

1. I changed my DNS servers in eWall to an invalid IP address (1.1.1.1)
2. Using Yahoo, I sent myself an email
3. Upon receipt, the email was marked "Possible Spam". Here are the logs as to why that happened:
2/18/2008 7:50:22 AM   1177   151401   Checking condition 'X-User-Host is blank'
2/18/2008 7:50:22 AM   1177   151401   Is blank
2/18/2008 7:50:22 AM   1177   151401   Checking condition 'SPF result is None or Neutral or Fail or Soft Fail or Error (permanent)'
2/18/2008 7:50:22 AM   1177   151402   SPF result: None (Domain YAHOO.COM does not publish SPF record)
2/18/2008 7:50:22 AM   1177   151402   Applying action 'add POSSIBLE SPAM (NO RDNS) -  to the subject'


Note that my attempt to "catch" this condition by qualifying the result with SPF failed too, because Yahoo (the morons) don't publish an SPF record.

Regarding the telnet test you asked me to try, Alex, here are my results:

With good DNS entries
250 68.142.205.137 (71 ms) [RCODE:0]

With DNS servers set to 1.1.1.1
NOT-FOUND (29988 ms) [RCODE:3]

So, here's the point. If eWall cannot connect to the DNS servers for whatever reason, eWall must not return a "NOT-FOUND", but something else. The original filter tests for "if X-User-host is blank", but this is a flawed test if the domain is valid but DNS mistakenly fails for some reason.

We almost need two tests:
"if X-User-Host is blank and X-User-Host not equal 'error'" then...
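The three-way outcome dave is asking for (PTR found, PTR authoritatively absent, or lookup error), as an added illustration that is not eWall's code. The resolver is a constructed stand-in so it runs offline; the RCODE values 0 and 3 are the ones shown in the telnet results above, and the hostname mail.example.net is made up.

```python
from enum import Enum
from typing import Callable, Tuple


class RdnsResult(Enum):
    FOUND = "found"  # PTR answer returned (RCODE 0)
    NONE = "none"    # NXDOMAIN (RCODE 3): the IP really has no PTR published
    ERROR = "error"  # timeout, unreachable resolver, SERVFAIL: no judgment possible


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name a PTR query uses (octets reversed)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def classify_rdns(ip: str, lookup: Callable[[str], Tuple[int, str]]) -> Tuple[RdnsResult, str]:
    """lookup(name) returns (rcode, hostname) or raises on transport failure.
    Only RCODE 3 is treated as 'no reverse DNS'; every other failure is ERROR."""
    try:
        rcode, hostname = lookup(reverse_name(ip))
    except (TimeoutError, OSError):
        return RdnsResult.ERROR, ""
    if rcode == 0 and hostname:
        return RdnsResult.FOUND, hostname
    if rcode == 3:
        return RdnsResult.NONE, ""
    return RdnsResult.ERROR, ""  # SERVFAIL (2), REFUSED (5), empty NOERROR, ...


def filter_action(result: RdnsResult) -> str:
    """The revised rule: tag only when the PTR is authoritatively absent,
    never when the lookup itself failed."""
    if result is RdnsResult.NONE:
        return "add 'POSSIBLE SPAM (NO RDNS)' to the subject"
    return "deliver unchanged"


def fake_lookup(name: str) -> Tuple[int, str]:
    """Constructed resolver: one good answer, one NXDOMAIN, one unreachable server."""
    if name == "137.205.142.68.in-addr.arpa":
        return 0, "mail.example.net"
    if name == "10.2.0.192.in-addr.arpa":
        return 3, ""
    if name == "11.2.0.192.in-addr.arpa":
        raise TimeoutError("resolver 1.1.1.1 did not answer")
    return 2, ""  # SERVFAIL for anything else
```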

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Postby Alexander Telegin » Mon Feb 18, 2008 10:13 pm

I could try separating "None" and "DNS error" results, but I don't see the practical use. Are you sure you want to block the sending client just because they don't publish an SPF record? I think eWall is correct saying "None" for YAHOO.COM; they really don't publish an SPF record but they are valid (as eWall said, "None (Domain YAHOO.COM does not publish SPF record)").

Expert
Posts: 265
Joined: Tue May 04, 2004 1:07 pm

Postby dave » Tue Feb 19, 2008 12:04 pm

Sorry Alex, there I go again mixing up two separate issues. The real issue is reverse DNS, and how much I don't trust it. If you look back on how this thread started, it was about blocking email that doesn't have reverse DNS, yet I found (as my test above) that it's a dangerous thing to do. Sometimes, for some reason I can't explain, reverse DNS fails. Maybe the servers are busy, maybe it's my connection, but regardless, it fails.

I was getting enough reverse DNS failures (and subsequently deleted emails) that I added a second test to ensure reverse DNS isn't acting stupid; I added an SPF test. I figured that if reverse DNS failed but SPF passed, it can't be spam. That is why I added SPF to this whole equation, but again, that's just me complicating things. As my test shows, SPF doesn't do much when reverse DNS fails and there is no SPF record.

So, back on topic, eWall doesn't distinguish between a failure to connect to the DNS servers for reverse DNS lookup, and no reverse DNS. Where before I used to kill email on "no reverse DNS", I later changed it to a subject line warning ("Possible spam"). After doing this test, I disabled it completely.

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Postby Alexander Telegin » Tue Feb 19, 2008 12:51 pm

Oops... that SPF test completely confused me.

Yes, you are right. The DNS tests are not reliable, especially getting the PTR record, for the reason you have described above, plus some ISPs are misconfigured and just don't publish a PTR zone for dynamic IPs, plus a cache at some intermediate DNS server keeping old records. So, I'd not recommend making the final decision that the message is spam only because the sender IP has no published PTR record. This theme was discussed many times years ago at mail server forums, but users asked for this option, and it was added to eWall.

Concerning the DNSBL or SPF test, I think eWall behaves correctly, expecting only a specific response and not blocking email if there's a (temporary) DNS failure. Please correct me if I'm wrong.
