zen.spamhaus.org not working for me? RESULT: MAKE SURE NOT TO USE GOOGLE DNS!

Hi,

I'm running several UTMs as hardware appliances, but I also do run one UTM Home Edition installation for my personal use.

Somehow I do have a problem integrating zen.spamhaus.org, When I add it do the DNSBLs for some reason mails don't get blocked by it and I don't understand why.

Any other DNSBL I add does work, zen.spamhaus.org not.

Does Sophos somehow prevent the use of it?

Is there any log I can check if it does query Spamhaus for data?

I received a new IP by my provider and still it doesn't work. At first I thought maybe Spamhaus blocked me, but their usage terms are pretty clear:

1) Your use of the Spamhaus DNSBLs is non-commercial*,
    and
2) Your email traffic is less than 100,000 SMTP connections
    per day, and
3) Your DNSBL query volume is less than 300,000 queries
    per day.

 

so I should be more than ok...

Thank you.

  • Hi wolfman1,

    do you have the problem only in one or all or the UTMs?

    BR

  • In reply to Alexander Busch:

    Tried two systems, same result.

  • In reply to wolfman1:

    Enabled debug log

    https://community.sophos.com/kb/en-us/115325

    looked up log

    Looks like I'm not getting any data from Spamhaus.

    19996 cached data used for lookup of myself.com_RBL_EXTRA
    19996 in /etc/exim.conf.profile
    19996 lookup yielded: sbl.spamhaus.org:xbl.spamhaus.org:ix.dnsbl.manitu.net:bb.barracudacentral.org:new.dnsbl.sorbs.net:bl.spamcop.net:spam.spamrats.com:db.wpbl.info:dul.dnsbl.sorbs.net:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net
    19996 check dnslists = ${lookup{${lc:$domain}_RBL_EXTRA}nwildlsearch{/etc/exim.conf.profile}}
    19996 = sbl.spamhaus.org:xbl.spamhaus.org:ix.dnsbl.manitu.net:bb.barracudacentral.org:new.dnsbl.sorbs.net:bl.spamcop.net:spam.spamrats.com:db.wpbl.info:dul.dnsbl.sorbs.net:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net
    19996 DNS list check: sbl.spamhaus.org
    19996 new DNS lookup for 85.150.142.213.sbl.spamhaus.org
    19996 DNS lookup of 85.150.142.213.sbl.spamhaus.org (A) gave HOST_NOT_FOUND
    19996 returning DNS_NOMATCH
    19996 DNS lookup for 85.150.142.213.sbl.spamhaus.org failed
    19996 => that means 213.142.150.85 is not listed at sbl.spamhaus.org
    19996 DNS list check: xbl.spamhaus.org
    19996 new DNS lookup for 85.150.142.213.xbl.spamhaus.org
    19996 DNS lookup of 85.150.142.213.xbl.spamhaus.org (A) gave HOST_NOT_FOUND
    19996 returning DNS_NOMATCH
    19996 DNS lookup for 85.150.142.213.xbl.spamhaus.org failed
    19996 => that means 213.142.150.85 is not listed at xbl.spamhaus.org
    19996 DNS list check: ix.dnsbl.manitu.net
    19996 new DNS lookup for 85.150.142.213.ix.dnsbl.manitu.net
    19996 DNS lookup of 85.150.142.213.ix.dnsbl.manitu.net (A) gave HOST_NOT_FOUND
    19996 returning DNS_NOMATCH
    19996 DNS lookup for 85.150.142.213.ix.dnsbl.manitu.net failed
    19996 => that means 213.142.150.85 is not listed at ix.dnsbl.manitu.net
    19996 DNS list check: bb.barracudacentral.org
    19996 new DNS lookup for 85.150.142.213.bb.barracudacentral.org
    19996 DNS lookup of 85.150.142.213.bb.barracudacentral.org (A) gave HOST_NOT_FOUND
    19996 returning DNS_NOMATCH
    19996 DNS lookup for 85.150.142.213.bb.barracudacentral.org failed
    19996 => that means 213.142.150.85 is not listed at bb.barracudacentral.org
    19996 DNS list check: new.dnsbl.sorbs.net
    19996 new DNS lookup for 85.150.142.213.new.dnsbl.sorbs.net
    19996 DNS lookup of 85.150.142.213.new.dnsbl.sorbs.net (A) gave HOST_NOT_FOUND
    19996 returning DNS_NOMATCH
    19996 DNS lookup for 85.150.142.213.new.dnsbl.sorbs.net failed
    19996 => that means 213.142.150.85 is not listed at new.dnsbl.sorbs.net
    19996 DNS list check: bl.spamcop.net
    19996 new DNS lookup for 85.150.142.213.bl.spamcop.net
    19996 DNS lookup of 85.150.142.213.bl.spamcop.net (A) gave HOST_NOT_FOUND
    19996 returning DNS_NOMATCH
    19996 DNS lookup for 85.150.142.213.bl.spamcop.net failed
    19996 => that means 213.142.150.85 is not listed at bl.spamcop.net
    19996 DNS list check: spam.spamrats.com
    19996 new DNS lookup for 85.150.142.213.spam.spamrats.com
    19996 DNS lookup of 85.150.142.213.spam.spamrats.com (A) succeeded
    19996 DNS lookup for 85.150.142.213.spam.spamrats.com succeeded (yielding 127.0.0.38)
    19996 DNS lookup of 85.150.142.213.spam.spamrats.com (TXT) succeeded
    19996 => that means 213.142.150.85 is listed at spam.spamrats.com
    19996 check set acl_c0 = rbl
    19996 check set acl_c1 = $dnslist_domain
    19996 = spam.spamrats.com
    19996 search_open: pgsql "NULL"
    19996 cached open
    19996 search_find: file="NULL"
    ...
    19996 H=(lootsnap.icu) [213.142.150.85]:10407 F=<morale@lootsnap.icu> rejected RCPT <me@myself.com>: 213.142.150.85 blacklisted at spam.spamrats.com

    Thing is that during that time 213.142.150.85] was listed (from Spamhaus website)":

    213.142.150.85 is listed in the SBL, in the following records:

     

    So why is Spamhaus giving me empty results?

    I've used dig to manually check and got nothing with Spamhaus:

    dig 85.150.142.213.sbl.spamhaus.org

    ; <<>> DiG 9.9.6-P1 <<>> 85.150.142.213.sbl.spamhaus.org
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22630
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;85.150.142.213.sbl.spamhaus.org. IN A

    ;; AUTHORITY SECTION:
    sbl.spamhaus.org. 9 IN SOA need.to.know.only. hostmaster.spamhaus.org. 2002102209 3600 600 432000 10

    ;; Query time: 15 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon Feb 10 23:10:28 CET 2020
    ;; MSG SIZE rcvd: 124

     

     

    using dig with Spamrats gave me a result:
    dig 85.150.142.213.spam.spamrats.com

    ; <<>> DiG 9.9.6-P1 <<>> 85.150.142.213.spam.spamrats.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51361
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 14

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;85.150.142.213.spam.spamrats.com. IN A

    ;; ANSWER SECTION:
    85.150.142.213.spam.spamrats.com. 475 IN A 127.0.0.38


    And while writing all this down I gave it another thought and started to remember why it is not working. Stupid me!!! NEVER USE GOOGLE DNS!!!

    https://www.spamhaus.org/faq/section/DNSBL%2520Usage#261

    Your DNSBL blocks nothing at all! 

    First, check our FAQ answer for "Your DNSBL blocks the whole Internet!" and make sure you've not made a spelling mistake in your mailserver configuration.

    Check what DNS resolvers you are using: If you are using a free "open DNS resolver" service such as the Google Public DNS (8.8.8.8) and others (eg. Alternate DNS, Comodo Secure, DNS.Watch, DynDNS, FreeDNS, Hurricane, NeuStar DNS Advantage, Norton ConnectSafe, OpenNIC, Puncat, Quad9, SafeDNS, Uncensored, Verisign, Yandex.DNS), or large cloud/outsourced public DNS servers, such as Level3's, Verizon's or AT&T's to resolve your DNSBL requests, in most cases you will receive a "not listed" (NXDOMAIN) reply from Spamhaus' public DNSBL servers. We recommend using your own DNS servers when doing DNSBL queries to Spamhaus. If this is not possible, contact us for other options.

     

    And of course I do have Google DNS 8.8.8.8 set in my Sophos UTM 

    After setting DNS to Cloudflare 1.1.1.1 and my provider as a backup Spamhaus is working again:

    dig 85.150.142.213.zen.spamhaus.org
    ; <<>> DiG 9.9.6-P1 <<>> 85.150.142.213.zen.spamhaus.org
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44321
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;85.150.142.213.zen.spamhaus.org. IN A

    ;; ANSWER SECTION:
    85.150.142.213.zen.spamhaus.org. 60 IN A 127.0.0.3


    Whoop whoop!

  • In reply to wolfman1:

    And btw: Maybe Sophos could get their documenation straight:

    https://community.sophos.com/kb/en-us/120283

    They are suggesting Google, but maybe they should add if you choose Google for DNS that Spamhaus will not work!!!

  • In reply to wolfman1:

    Hi wolfman1,

    just checked my log to make sure spamhaus was working. Glad to hear you find the DNS Server as cause for that. I agree Sophos could add a note in that KBA. (But after all it's not direct UTM related)
    Again, thanks for posting your results.

    Best regards

    Alex

  • In reply to wolfman1:

    Good work, wolfman1!

    That KB article was copied years ago from my DNS best practice post and then only reformatted last year.  My post has been updated many times (note the Change Log at the bottom of the post) since someone copied it.  I just added your caution about using Google DNS.

    Cheers - Bob