DNS implications to modifying resolv.conf

keat63

Well-Known Member
Nov 20, 2014
1,962
267
113
cPanel Access Level
Root Administrator
My daughter gets about 5 spammy emails per day, all loosely based on the same subject.
They are obviously coming from the same source, as the opt out info contains the same address.
However, I'm pretty sure that the opt out is probably a lie, as each email comes from a different domain.
I don't trust that opting out works with these spammers, and that they will just continue to spam from the other (who knows how many) domains they have.

I'm trying to block these at filter level, and looking in the headers this morning found this

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
URIs: www.gov.uk

So I ran the following command
host -t TXT 2.0.0.127.multi.uribl.com

Which produces:

2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: xxx.xxx.xxx.251]"
(on the same subnet, but not mine)

I've since edited /etc/resolv.conf and added my own name servers to the top of the list, which produces 2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"

Are there any serious DNS implications to modifying resolv.conf?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,254
463
Hello :)

Have you considered creating a filter based on the message subject instead? Otherwise, you may find the following thread helpful if you want to use your own name servers as resolvers:

Setup Own DNS Resolvers

Thank you.
 

keat63

The message subject is always different.
And they appear to have at least 12 different domains, maybe more.
The email consists of HTML code, so repetitive filterable data is not shown in the headers or body.
It's always related to health insurance, which I could no doubt block.

As for setting up my own DNS resolver, that thread just confused me.
 

cPanelMichael

Hello :)

I don't advise setting up your server as a DNS resolver and adding it to the /etc/resolv.conf. Have you implemented any RBL blacklist options available in WHM?

Thank you.
 

keat63

I do have SpamCop and SpamHaus configured.

And I've created a rule in the short term to block these.

However, my technical question was really regarding the connection refused from multi.uribl.com.

From what I can make out, each IP address has a certain amount of daily multi.uribl.com connection requests.
When these have been exhausted, all subsequent requests for that day are rejected.

Because my data center's DNS is apparently being resolved as doing the requests, I'm sharing it with who knows how many others, so no doubt it's exhausting its daily limit.
Other than hosting my own DNS resolver, is there any way around this?
 

cPanelMichael

> Other than hosting my own DNS resolver, is there any way around this ?

Setting up your own DNS resolvers or configuring your cPanel server as a DNS resolver is really the only way around this.

Thank you.
 

keat63

Which you don't advise :)

I take it, there is no config in Spam Assassin which would tell multi.uribl.com where the request originated.
 

cPanelMichael

Right, I don't believe there are any configuration changes you can make to have the list see the specific server as opposed to the resolver IP address. I'm not saying you can't make your own server a resolver, but remember to configure the "allow-recursion" directive when doing so. EX:

Setting up own DNS resolvers

Thank you.
 

keat63

Did a little more reading up on this, and think I may have a caching name server already configured.
My server is a name server.
Spam Assassin talks about installing Bind, which I already have installed.
So I made some changes in Resolver Config.
I'll run it over the weekend and see what comes of it.
 

nyoman

Member
Nov 25, 2008
24
0
51
Hi all...

I made a test on the server to use URIBL too.

And on the first day I got this in the header:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
                            See
                            DnsBlocklists - Spamassassin Wiki
                            for more information.
                            [URIs: amazonses.com]

And after a few days, I now get this:

Content analysis details: (0.3 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 T_RP_MATCHES_RCVD      Envelope sender domain matches handover relay
                            domain
 1.6 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: idealwarm.com]
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                            [score: 0.0000]
 0.6 HTML_IMAGE_RATIO_04    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
X-Spam-Flag: NO

Does that mean my server can access/use the URIBL list?

Thanks
 

keat63

Nyoman

As I understand it, the IP associated with your DNS resolver has a set number of connections to URIBL per day.
Because you probably share the DNS resolver with hundreds of other servers or VPSes, the limit is being eaten up.
Once the daily limit is eaten up, no more connections from that IP are allowed.

There are tests you can perform at ssh.
host -t TXT 2.0.0.127.multi.uribl.com
which will show you if you are being blocked and which DNS resolver is performing the queries.
 

nyoman

Thanks keat63 for the answer.

I share my own DNS for 2 servers (dedicated) only. Currently, when I test, I get a permanent testpoint:

[email protected]:[~] # host -t TXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"
 

keat63

Bind as a caching nameserver, connection refused messages.

For about a week, I've been researching the issue with Spam Assassin not being able to connect to URIBL.
(0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.)

The general consensus is to create a cached name server, which it transpires "bind" already is.
And my server acts as my name server.
So I changed the resolvers in WHM/Resolver Config, restarted DNS, Exim and Spamd.

It seems that the Spam Assassin errors connecting to URIBL have now diminished, but I am seeing the occasional connection refused resolving error in the message log.

named[3549]: error (connection refused) resolving 'someone-i-know.co.uk/MX/IN': xxx.xxx.xx.xx#53

Considering the above message indicated a domain that we actually deal with, and as it's MX related, I'm assuming this was failing to connect during an email transmission. I've temporarily had to roll back.

Any pointers that I might be missing something fundamental?
It was only running about 24 hours. I understand DNS takes time to propagate; maybe 24 hours just wasn't enough?
 

cPanelMichael

Re: Bind as a caching nameserver, connection refused messages.

> It seems that the Spam Assassin errors connecting to URIBL have now diminished, but I am seeing the occasional connection refused resolving error in the message log.
>
> named[3549]: error (connection refused) resolving 'someone-i-know.co.uk/MX/IN': xxx.xxx.xx.xx#53

I did find the following website that you may find helpful:

URIBL.COM - Realtime URI Blacklist

Here is a snippet:

> For low volume end users, we provide public DNS mirrors distributed around the world to answer your queries through products like SpamAssassin which have built in support for URIBL.COM. Many other commercial anti-spam products support realtime DNS blacklists. Consult your documentation on how to configure your software to utilize multi.uribl.com for domain reputation.

As far as the error message you reported, was that for a remote domain name? Did you try running the "dig" command to verify if the issue continued after that message (it's possible that it was a temporary connection issue with the remote server)?

Thank you.
 

keat63

To be fair, I don't even know what dig is.
I saw the error in one of my logs, and could see that it was related to a very important business associate, so I jumped ship and rolled back.
Spam is my pet hate, so I do need to look into this in more depth, but making changes like this can only really happen at the weekend when I'm at home.
 

lorio

Well-Known Member
Feb 25, 2004
314
22
168
cPanel Access Level
Root Administrator
@keat63: What is your long-term experience with your own resolver? Did you use your cpanel dnsonly servers? Or did you add an additional server dedicated to resolving?

@cPanelMichael: A fresh thread or FAQ about setting up a dedicated resolver or reconfiguring the cpanel dns only servers would be good. It would be better if WHM would offer a way to change the resolvers for the activated RBLs.
That might make it possible to use the resolver of the ISP/Datacenter for all queries except the ones for RBLs.

When using two or more DNSonly, the local BIND or other DNSdaemons are deactivated.
Which of the different solutions described in this article http://wiki.apache.org/spamassassin/CachingNameserver can be implemented in future cpanel releases, to allow the usage of different resolvers?
 

mtindor

Well-Known Member
Sep 14, 2004
1,454
110
193
inside a catfish
cPanel Access Level
Root Administrator
Queries to URIBLs are done through SpamAssassin, not the configured RBLs in Exim.

If you want those queries to be successful, you almost always have to use nameservers other than public resolvers. Using Google, OpenDNS or other public resolvers likely will yield the same bad results.

If you are running SpamAssassin 3.4, you can add the "dns_server" directive to your /etc/mail/spamassassin/local.cf file, specifying the nameservers that you want SpamAssassin to use for its queries -- that way you can leave /etc/resolv.conf alone.

If you do add the dns_server directive in local.cf, be sure to restart spamd.


See: http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html

dns_server ip-addr-port (default: entries provided by NetDNS)

Specifies an IP address of a DNS server, and optionally its port number. The dns_server directive may be specified multiple times, each entry adding to a list of available resolving name servers. The ip-addr-port argument can either be an IPv4 or IPv6 address, optionally enclosed in brackets, and optionally followed by a colon and a port number. In absence of a port number a standard port number 53 is assumed. When an IPv6 address is specified along with a port number, the address must be enclosed in brackets to avoid parsing ambiguity regarding a colon separator. A scoped link-local IP address is allowed (assuming underlying modules allow it).

Examples:
  dns_server 127.0.0.1
  dns_server 127.0.0.1:53
  dns_server [127.0.0.1]:53
  dns_server [::1]:53
  dns_server fe80::1%lo0
  dns_server [fe80::1%lo0]:53

In absence of dns_server directives, the list of name servers is provided by NetDNS module, which typically obtains the list from /etc/resolv.conf, but this may be platform dependent. Please consult the NetDNS::Resolver documentation for details.
 
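
The test point check keat63 describes and the dns_server directive mtindor quotes fit together. The script below is an added example, not part of any post in this thread: it queries URIBL's test point through each resolver and prints dns_server lines only for resolvers that received the "permanent testpoint" answer. The script name uribl_check.sh and the candidate 127.0.0.1 (a local caching resolver) are assumptions.

```bash
#!/bin/sh
# Added example (not from the thread): find which resolvers URIBL answers.
TESTPOINT="2.0.0.127.multi.uribl.com"   # test point queried in the thread

# classify_txt: read `host -t TXT` output on stdin and print one verdict:
#   ok | refused:<resolver IP as URIBL saw it> | no-answer
classify_txt() {
  while IFS= read -r ct_line; do
    case "$ct_line" in
      *"Query Refused"*"Your DNS IP: "*)
        ct_ip=${ct_line##*"Your DNS IP: "}   # drop everything before the IP
        ct_ip=${ct_ip%%]*}                   # drop the closing bracket onwards
        printf 'refused:%s\n' "$ct_ip"; return 0 ;;
      *"Query Refused"*)
        printf 'refused:unknown\n'; return 0 ;;
      *"permanent testpoint"*)
        printf 'ok\n'; return 0 ;;
    esac
  done
  printf 'no-answer\n'   # timeout, SERVFAIL, NXDOMAIN or empty output
}

# resolvers_from: list nameserver IPs from a resolv.conf-format file
resolvers_from() {
  awk '$1 == "nameserver" { print $2 }' "${1:-/etc/resolv.conf}"
}

# check_resolvers: query the test point via each resolver given (needs network)
check_resolvers() {
  for cr_ns in "$@"; do
    printf '%s %s\n' "$cr_ns" \
      "$(host -W 3 -t TXT "$TESTPOINT" "$cr_ns" 2>&1 | classify_txt)"
  done
}

# dns_server_lines: turn "resolver verdict" lines into local.cf directives,
# keeping only resolvers that got the test point answer
dns_server_lines() {
  awk '$2 == "ok" { print "dns_server " $1 }'
}

# Live use: sh uribl_check.sh --live
# 127.0.0.1 is an assumed local caching resolver; adjust to your setup.
if [ "${1:-}" = "--live" ]; then
  check_resolvers 127.0.0.1 $(resolvers_from) | dns_server_lines
fi
```

Any lines it prints can go into /etc/mail/spamassassin/local.cf, followed by a spamd restart as described above; no output means none of the tested resolvers is currently accepted by URIBL.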