1
spamassassin is firing the URIBL_BLOCKED rule
Problem reported by Eric Bourland - April 15, 2015 at 12:32 PM
Not A Problem
SmarterMail 13.3
 
Notes and research: http://uribl.com/refused.shtml
 
In the header of all incoming email messages I see this SmarterMail exception:
 
X-SmarterMail-SpamDetail: 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.
 
In SmarterMail, I have changed the Primary and Secondary IP addresses to: 127.0.0.1
 
... So that DNS resolves on the immediate, local SmarterMail server ... I had hoped this would fix the problem.
 
However, queries to URIBL are still blocked.
 
How have other folks here resolved this?

Thanks as always for your help.
 
Eric

9 Replies

1
Employee Replied
April 15, 2015 at 4:00 PM
Hello Eric,
 
Thanks for the information. Can you please confirm if you have the URIBL:URIBL Spam check enabled in the AntiSpam Administration section? I would advise either removing or unchecking that option. There have been some issues with the Spam check throwing erroneous values and weights, causing emails to be flagged with higher numbers.
 
Thanks.
0
Eric Bourland Replied
April 15, 2015 at 5:09 PM
Dear Joe,
 
Thank you for your reply! I have a number of URIBLs enabled in my Antispam configuration screen. Are you saying I should remove all of the URIBL checks?

Thank you again for your help.
 
best from Eric
 
 
1
Bruce Barnes Replied
April 15, 2015 at 7:15 PM
Since DNS queries are expected to come from verifiable IP addresses, and 127.0.0.1 cannot be mapped to a public IP address, the query probably failed because the RBL / BRBL could not identify a public IP address.
 
In addition, the use of RBL and URIBL databases is generally, by agreement with the RBL / BRBL for public use of their databases, limited to no more than 100K queries from ANY SINGLE DNS SERVER IP ADDRESS in a given day.
 
So, while the error which was logged:
 
"X-SmarterMail-SpamDetail: 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked"
 
indicates that the query was blocked, in this case, probably because it came from a non-mappable, LOOPBACK IP address, the queries can also fail when using public DNS IP addresses when the number of queries in a single day exceeds 100K queries per day to the RBL or URIBL database(es).
 
In the example given by Eric Bourland, the failure appears to be because the LOOPBACK IP ADDRESS cannot be mapped to a public IP address, so the URIBL blocked the query:

"X-SmarterMail-SpamDetail: 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked"
 
This is a new failure response from RBL/URIBL databases.  Previously, when failing queries, the antispam databases always returned a response that indicated that the message being checked was spam.
 
Because a failure from an RBL / URIBL does not necessarily indicate that the message being checked is spam, it is always preferable to have a valid RBL / URIBL lookup failure reason, as is the case in Bourland's example.
 
That is why SmarterMail should always point to a LOCAL DNS SERVER, with a PUBLICLY MAPPABLE IP ADDRESS, used for both the primary and secondary SmarterMail DNS servers, as those DNS servers will be doing the FQDN lookups when the RBL and URIBL databases are queried and they will not trigger the 100K limit of queries from a single, public DNS server.
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
1
Steve Reid Replied
April 16, 2015 at 5:48 AM
Keep in mind everyone that this is in reference to SpamAssassin in a box.
 
I believe you should contact support for Jam Software. I have needed to contact them in the past and they have been very helpful.
 
I do not see these errors.
1
Bruce Barnes Replied
April 16, 2015 at 7:48 AM
The RBLs still expect the DNS query to come from a publicly accessible DNS server and 127.0.0.1 is not a public DNS server IP address.
 
They need to validate the IP address of the DNS server to check the number of queries which originate from any given DNS server in a 24 hour period (sorry, I cannot tell you what time zone they are synchronized to, but I will assume their local time zone) as most now deny further queries after a single DNS server IP address reaches 100K or more.
 
They deny further queries because they want large providers to subscribe to their services and databases.
Bruce Barnes
1
Bruce Barnes Replied
April 16, 2015 at 8:47 AM
First, the issue raised is using 127.0.0.1 as a DNS server.  That is a LOOPBACK ADDRESS and is never a valid address from outside the server.
 
Second: this is not false information. The RBLs clearly state, in their AUP statements, that the RBL and BRBL databases count the number of queries received from any DNS server in a given 24 hour period and deny queries above a given threshold from a single DNS server's IP address, generally 100K queries in any given 24 hour period.
 
To properly count queries from a DNS server, it must have either a PUBLIC or PUBLICLY MAPPED IP address.
Bruce Barnes
1
Steve Reid Replied
April 16, 2015 at 9:18 AM
This is a problem with SpamAssassin in a box, and not directly SmarterMail; I will focus on that actual problem.
 
SpamAssassin in a box likely uses the DNS servers that are registered on your network adapter. You should ensure you are not using a public DNS IP on the server level.
0
Eric Bourland Replied
April 16, 2015 at 9:48 AM
Hi, friends,
 
These are very helpful replies.
 
>>>The RBLs still expect the DNS query to come from a publicly accessible DNS server and 127.0.0.1 is not a public DNS server IP address.


Got it -- this makes sense. However, I was getting this URIBL blocked error ("X-SmarterMail-SpamDetail: 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked") before, when I was using the public DNS server IP addresses provided by my ISP:
 
IP of Primary DNS: 208.77.208.4
IP of Secondary DNS: 208.77.208.5
 
Although my ISP points out that the low-volume usage limit was probably reached:

> > > ----------------------------------------
> > > From: "Luke Blodgett via RT" <support@support.viviotech.net>
> > > Sent: Tuesday, April 14, 2015 2:05 PM
> > > To: eric@ebwebwork.com
> > > Subject: [support.viviotech.net #395958] DNS question in SmarterMail on tarsier: "The query to URIBL was blocked"
> > >
> > > Eric
> > >
> > > If the server is set to use our resolvers for DNS it may be getting
> > > blocked because URIBL is for 'low volume usage' and we have many servers
> > > using our DNS for URIBL look ups.
> > > http://uribl.com/refused.shtml
> > >
> > > It may be that you need to start using one of your servers for DNS
> > > lookups.
 
Per Steve's note, I will contact JAM Software.
 
I have a couple more questions:
 
1) Does this mean that, currently, none of my RBL and URIBL lookups are doing anything at all?
 
2) If 127.0.0.1 will not work as an IP for SmarterMail, and if the public DNS IPs will not work -- what else can I do?

Thank you as always for this very useful discussion.
 
Eric
1
Eric Bourland Replied
April 16, 2015 at 7:01 PM
FYI. I think I have fixed this; I did two things:
 
1) set up forwarding for two domains: dnswl.org and uribl.org, per notes in the SpamAssassin in a box FAQ
2) set two IP addresses for SmarterMail: 127.0.0.1, and the public IP address of the mail server itself
 
This seems to have dispelled the blocked URIBL problem.
 
Friends, thanks very much for your help, and for your time and wise words.  As always, take care.
 
Eric
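
One way to check whether URIBL lookups are being answered or refused, as asked earlier in the thread; this is an added example, not code from any poster, SmarterMail or JAM Software. It decodes the bit-flag A record that multi.uribl.com returns (1 = query blocked, 2 = black, 4 = grey, 8 = red) and measures how many messages carry the URIBL_BLOCKED notice. The one-SpamDetail-line-per-rule layout and the URIBL_BLACK and BAYES_00 sample lines are constructed assumptions.

```python
import ipaddress
import re

# Last-octet bit flags in the A record returned by multi.uribl.com.
URIBL_BITS = {1: "blocked", 2: "black", 4: "grey", 8: "red"}
DETAIL = re.compile(r"^X-SmarterMail-SpamDetail:\s+(-?\d+(?:\.\d+)?)\s+(\S+)", re.M)

def decode_uribl_answer(answer):
    """Return the flag names set in one multi.uribl.com A-record answer."""
    ip = ipaddress.IPv4Address(answer)
    if not ip.is_loopback:
        raise ValueError(f"not a DNSBL-style 127.0.0.x answer: {answer}")
    return [name for bit, name in URIBL_BITS.items() if int(ip) & 0xFF & bit]

def uribl_health(messages):
    """Count messages whose URIBL lookup was refused versus answered."""
    stats = {"total": 0, "blocked": 0, "uribl_hits": 0}
    for raw in messages:
        # Only the header block counts; a body can contain anything.
        headers = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
        rules = {rule for _score, rule in DETAIL.findall(headers)}
        stats["total"] += 1
        if "URIBL_BLOCKED" in rules:
            stats["blocked"] += 1        # resolver was refused, no verdict
        elif any(r.startswith("URIBL_") for r in rules):
            stats["uribl_hits"] += 1     # a real listing was returned
    stats["blocked_ratio"] = stats["blocked"] / stats["total"] if stats["total"] else 0.0
    return stats

# Constructed sample messages: header block, blank line, body.
HDR = "X-SmarterMail-SpamDetail: "
SAMPLE = [
    "Subject: one\n" + HDR + "0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was blocked.\n\nhello",
    "Subject: two\r\n" + HDR + "1.7 URIBL_BLACK Contains a URL listed on URIBL black\r\n\r\nhello",
    "Subject: three\n" + HDR + "-1.9 BAYES_00 Bayes spam probability is 0 to 1%\n\nhello",
    "Subject: four\n\n" + HDR + "0.0 URIBL_BLOCKED pasted into the body by a user",
]

if __name__ == "__main__":
    print(decode_uribl_answer("127.0.0.1"))   # what a refused resolver receives
    print(uribl_health(SAMPLE))
```

A blocked ratio near 1.0 means the resolver in use is being refused and the URIBL rules add nothing to scoring; a ratio that drops to 0 after a DNS change shows that lookups are being answered again.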
