Can't receive mails - All senders receive 550-JunkMail rejected

alex_funky_dj

Here's a failure reply for a Hotmail user:
Code:
Diagnostic-Code: smtp;550-"JunkMail rejected - col0-omc2-s3.col0.hotmail.com [65.55.34.77] is in an
550 RBL, see DNS queries to spamhaus.org zones not allowed"
Another mail, sent from a Japanese university:
Code:
550-"JunkMail rejected - aarelay1.noc.n-bone.net (aarelay1-s.noc.n-bone.net) 550-[138.243.40.11] is in an RBL, see DNS queries to spamhaus.org zones not 550 allowed"
And finally, mail sent from Google Apps:
Code:
550 550-"JunkMail rejected - mail-ew0-f222.google.com [209.85.219.222] is in an
550 RBL, see DNS queries to spamhaus.org zones not allowed" (state 14).
EDITED:
**SOLUTION**
WHM ==> Exim Configuration Editor ==> RBLS [Manage] ==> uncheck all
 

Spamhaus Ops

The message "DNS queries to spamhaus.org zones not allowed" is not coming from Spamhaus. A rogue DNS server is hijacking your queries to spamhaus.org and returning "listed" to everything along with that message. To find the culprit you need to look at what DNS servers you are using to resolve those queries on the mail server. Once you know which DNS server (or DNS service) is causing it, please contact [email protected] and tell us, as we want to know who is causing the problem you saw.
 

Spamhaus Ops

Your server is using some DNS server(s) to resolve DNS; ask your server engineer which ones they are.

Also, can you tell me which DNSBLs were configured in Exim Configuration Editor ==> RBLS [Manage]? Did you only have spamhaus.org ones checked or were there others?
 

alex_funky_dj

Here's the content of my resolv.conf:
search hosted.static.webnx.com
nameserver 206.251.73.9
nameserver 4.2.2.2

and both of the following were checked:
RBL: bl.spamcop.net
RBL: zen.spamhaus.org
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member

Before editing the resolver configuration I recommend saving a fresh backup, such as by using the following command:
Code:
# cp -pv /etc/resolv.conf /etc/resolv.conf.backup
I've not usually had any trouble with the secondary resolver listed ("4.2.2.2"); however, the primary resolver listed I'm not familiar with. More information about the primary resolver may be obtained using the following commands:
Code:
# whois 206.251.73.9
# dig -x 206.251.73.9
When testing a new set of resolvers, to help minimize possible unforeseen difficulty I would consider commenting or removing the "search" line unless it is absolutely needed; I noticed the search entry has the same domain as what is used in the PTR record of the primary DNS resolver:
Code:
# dig +noall +answer -x 206.251.73.9
9.73.251.206.in-addr.arpa. 85884 IN	PTR	ns.webnx.com.
Here is an alternate set of resolvers, using Google Public DNS:
Code:
# cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
Reference:
Google Public DNS
Introduction to Google Public DNS
Using Google Public DNS
 

Spamhaus Ops

No, Google DNS won't work either, see:

<http://www.spamhaus.org/faq/answers.lasso?section=DNSBL%20Usage#261>

The problem is basically that Spamhaus is the most used DNSBL on the internet, so DNS traffic for free DNSBLs like zen.spamhaus.org is so high that it represents a large portion of many public DNS services' requests. In some cases the public DNS service decides to stop transporting those queries to reduce their traffic, and in some cases Spamhaus itself must firewall a public DNS service that is massively abusing our DNSBL servers.

So currently you will find that Google DNS will not resolve spamhaus.org DNSBL queries. (not resolve means that it simply will not answer, so it will appear as if the DNSBL does not work - meaning you will not see any spam blocked). You need to use a more professional DNS service, as with some free public ones you get what you pay for...
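
A per-resolver check for the two failure modes described in this thread (a resolver that answers "listed" for everything, and one that returns no answer at all), as an added example that is not part of any post above. It relies on the RFC 5782 test entries, where 127.0.0.2 must be listed and 127.0.0.1 must not be; the function names and the `--check` argument are made up for this example.

```sh
#!/bin/sh
# Added example: test each resolver against a DNSBL's RFC 5782 test entries.
ZONE="${ZONE:-zen.spamhaus.org}"

# Print the nameserver IPs from a resolv.conf-style file.
resolvers() {
    awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# Ask one resolver for the A records of a name; keep only IPv4 answer lines
# (dig prints timeout notices on stdout, which must not count as answers).
lookup() {
    dig +short +time=3 +tries=1 @"$1" "$2" A 2>/dev/null |
        grep -E '^[0-9]+(\.[0-9]+){3}$' || true
}

# classify LISTED UNLISTED
#   LISTED   = answers for 2.0.0.127.$ZONE (test entry, must be listed)
#   UNLISTED = answers for 1.0.0.127.$ZONE (must never be listed)
classify() {
    if [ -n "$2" ]; then
        echo "HIJACKED"     # resolver says "listed" for a name that must not exist
    elif [ -z "$1" ]; then
        echo "NO-ANSWER"    # test entry invisible: DNSBL queries dropped or blocked
    elif printf '%s\n' "$1" | grep -qv '^127\.0\.0\.'; then
        echo "SUSPECT"      # return code outside 127.0.0.x
    else
        echo "OK"
    fi
}

# Query one resolver for both test entries and print "resolver<TAB>verdict".
check_resolver() {
    listed=$(lookup "$1" "2.0.0.127.$ZONE")
    unlisted=$(lookup "$1" "1.0.0.127.$ZONE")
    printf '%s\t%s\n' "$1" "$(classify "$listed" "$unlisted")"
}

# Usage: sh check.sh --check [resolv.conf path]
if [ "${1:-}" = "--check" ]; then
    for ns in $(resolvers "${2:-/etc/resolv.conf}"); do
        check_resolver "$ns"
    done
fi
```

A resolver that reports HIJACKED or NO-ANSWER here will make Exim either reject all mail or silently stop filtering when that DNSBL is enabled.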
 

EcoHosting

So are there any suggestions as to which DNS servers will not have this issue? I, like most people I imagine, use my datacenter's nameservers as my primary resolvers.

One solution could be to simply hardcode the IP of zen.spamhaus.org in our hosts file. This would avoid the repeated lookups that are causing the excessive bandwidth at Spamhaus and have the added benefit of improving the speed of the local servers by avoiding the wait associated with the lookups. Seems like a win-win situation.

The only problem with this is that it would depend on how static the zen.spamhaus.org IP (or IPs) actually are.

Spamhaus Ops: Do you think this would work? If not do you have any other suggestions other than buying 'professional' DNS services as you suggested?