Reverse DNS anti-spam weight not being added to total spam score
Problem reported by Ben Conner - 8/27/2014 at 7:30 PM
Hi,
 
On the current Enterprise version of SM, I'm seeing IP addresses with no reverse DNS not having their score added to the total score weight. Example:
 
I have my Reverse DNS score set to 30 and enabled. 
 
From today's SMTP and Delivery log files:
 
[2014.08.27] 10:22:16 [107.150.8.3][9243328] rsp: 220 mail.webworldinc.com
[2014.08.27] 10:22:16 [107.150.8.3][9243328] connected at 8/27/2014 10:22:16 AM
[2014.08.27] 10:22:16 [107.150.8.3][9243328] cmd: EHLO powerless.tk
[2014.08.27] 10:22:16 [107.150.8.3][9243328] rsp: 250-mail.webworldinc.com Hello [107.150.8.3]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5250-STARTTLS250 OK
[2014.08.27] 10:22:16 [107.150.8.3][9243328] cmd: MAIL FROM:<newz@powerless.tk>
[2014.08.27] 10:22:22 [107.150.8.3][9243328] rsp: 250 OK <newz@powerless.tk> Sender ok
[2014.08.27] 10:22:22 [107.150.8.3][9243328] cmd: RCPT TO:<mlk@webworldinc.com>
[2014.08.27] 10:22:27 [107.150.8.3][9243328] rsp: 250 OK <mlk@webworldinc.com> Recipient ok
[2014.08.27] 10:22:27 [107.150.8.3][9243328] cmd: DATA
[2014.08.27] 10:22:31 [107.150.8.3][9243328] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2014.08.27] 10:22:31 [107.150.8.3][9243328] rsp: 250 OK
[2014.08.27] 10:22:31 [107.150.8.3][9243328] Data transfer succeeded, writing mail to 43301569.eml
[2014.08.27] 10:22:32 [107.150.8.3][9243328] cmd: MAIL FROM:<newz@powerless.tk>
[2014.08.27] 10:22:36 [107.150.8.3][9243328] rsp: 250 OK <newz@powerless.tk> Sender ok
[2014.08.27] 10:22:36 [107.150.8.3][9243328] cmd: RCPT TO:<ben@webworldinc.com>
[2014.08.27] 10:22:41 [107.150.8.3][9243328] rsp: 250 OK <ben@webworldinc.com> Recipient ok
[2014.08.27] 10:22:41 [107.150.8.3][9243328] cmd: DATA
[2014.08.27] 10:22:46 [107.150.8.3][9243328] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2014.08.27] 10:22:46 [107.150.8.3][9243328] rsp: 250 OK
[2014.08.27] 10:22:46 [107.150.8.3][9243328] Data transfer succeeded, writing mail to 43301571.eml
[2014.08.27] 10:22:46 [107.150.8.3][9243328] cmd: QUIT
[2014.08.27] 10:22:46 [107.150.8.3][9243328] rsp: 221 Service closing transmission channel
[2014.08.27] 10:22:46 [107.150.8.3][9243328] disconnected at 8/27/2014 10:22:46 AM
Delivery log:
[2014.08.27] 10:22:42 [01571] Delivery started for newz@powerless.tk at 10:22:42 AM
[2014.08.27] 10:22:59 [01571] Spam check results: [_SPF: Pass], [BARRACUDA -BRBL: passed], [SORBS - DYNAMIC IP: passed], [SPAMCOP: passed], [SPAMHAUS - ZEN: passed], [_REVERSEDNSLOOKUP: passed], [_BAYESIANFILTERING: passed], [_INTERNALSPAMASSASSIN: 0:0], [_DK: None], [_DKIM: None], [_CUSTOMRULES: ], [SPAMHAUS - DBL: passed]
[2014.08.27] 10:23:00 [01571] Starting local delivery to ben@webworldinc.com
[2014.08.27] 10:23:00 [01571] Delivery for newz@powerless.tk to ben@webworldinc.com has completed (Delivered) Filter: None
[2014.08.27] 10:23:00 [01571] End delivery to ben@webworldinc.com
[2014.08.27] 10:23:00 [01571] Delivery finished for newz@powerless.tk at 10:23:00 AM    [id:43301571]
 
And when the message was delivered, the headers reflected:
 
From - Wed Aug 27 10:31:18 2014
X-Account-Key: account1
X-UIDL: sm_00029BE6_282e18b847194d3a976d8306103a8d29
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <newz@powerless.tk>
Received: from powerless.tk (UnknownHost [107.150.8.3]) by mail.webworldinc.com with SMTP;
   Wed, 27 Aug 2014 10:22:46 -0700
To: ben@webworldinc.com
Subject: Why you need a new walk-in tub
Message-ID: <96a2874520528d97072b82b78bc69a8f@cost.cf>
Return-Path: newz@powerless.tk
Date: Wed, 27 Aug 2014 11:55:25 -0400
From: "Walk-inTub" <newz@powerless.tk>
Reply-To: newz@powerless.tk
MIME-Version: 1.0
X-Mailer-LID: 94
List-Unsubscribe: <http://cost.cf/unsubscribe.php?M=224865&C=87c386e0e42b67c9c4549a7e7acb7729&L=94&N=382>
X-Mailer-RecptId: 224865
X-Mailer-SID: 382
X-Mailer-Sent-By: 1
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-SmarterMail-Spam: SPF_Pass, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None, Custom Rules []
X-SmarterMail-TotalSpamWeight: 0
 
I verified this had no reverse DNS.
 
--Ben
 

11 Replies

Steve Reid Replied
Hello,
 
Everything looks to be working properly.
 
http://www.intodns.com/powerless.tk
 
That site shows the domain does indeed have a reverse PTR or rDNS.
Ben Conner Replied
Hi Steve,
 
The problem with DNS lookups is they are very dynamic.  That said, I just checked again on my own servers as well as outside my network and it did not have rdns defined. 
 
But actually...  that wasn't the question I raised.
 
From the log files posted, the response SM received was no dns, or 'UnknownHost' as it reports it in the log files. And given that, the score I assigned to a failed rdns check (30 in my case) did not get added to the spam score.
 
--Ben
Steve Reid Replied
I answered your question precisely. I do not think you are reading the logs correctly. Just because the sending server has Unknown Host in its HELO has zero relevance to rDNS. Later in the log you can see [_REVERSEDNSLOOKUP: passed], which clearly indicates that your SmarterMail did indeed see the rDNS that IS active for that domain, as I already verified with proof.
W. T. Leaver Replied
Steve, rDNS is IP based, not hostname based. I don't understand how you got a positive rDNS by looking up a hostname at intodns.com. Doing a reverse lookup of 107.150.8.3 shows no PTR record exists, so indeed it would seem that the OP is correct: no rDNS, but SmarterMail seems to think there is, based on [_REVERSEDNSLOOKUP: passed] in the logs posted.
Steve Reid Replied
I stand down, seems I was confused. I thought I tested the ip as well...
Steve Reid Replied
Are you running your own dns servers?
Ben Conner Replied
Sorry for the late response on my part. Had router issues recently that needed immediate attention.

While I know how to walk the rdns tree, I typically just use online sites that do that already. Googling rdns lookup gives me plenty of options. Since SM is reporting the RDNS lookup passed and that clearly isn't the case, I would like to know if anyone at SM can investigate this and correct it as needed?

--Ben
Ben Conner Replied
PS--and yes, I run 4 name servers, and have been managing them since 1995.

--Ben
Bruce Barnes Replied
"Steve, rDNS is IP based, not hostname based. I don't understand how you got a positive rDNS by looking up a hostname at intodns.com. Doing a reverse lookup of 107.150.8.3 shows no ptr record exists, so indeed it would seem that the OP is correct, no rDNS but SmarterMail seems to think there is, based on [_REVERSEDNSLOOKUP: passed] in the logs posted"
 
To clarify this further: rDNS is HOST NAME BASED and must map to a FULLY QUALIFIED DOMAIN NAME. If no domain name is provided as part of the lookup transaction, then rDNS is subject to FAIL, i.e.:
 
In computer networking, reverse DNS lookup or reverse DNS resolution (rDNS) is the determination of a domain name that is associated with a given IP address using the Domain Name System (DNS) of the Internet.
 
Computer networks use the Domain Name System to determine the IP address associated with a domain name. This process is also known as forward DNS resolution. Reverse DNS lookup is the inverse process, the resolution of an IP address to its designated domain name.
 
The reverse DNS database of the Internet is rooted in the Address and Routing Parameter Area (arpa) top-level domain of the Internet. IPv4 uses the in-addr.arpa domain and the ip6.arpa domain is delegated for IPv6. The process of reverse resolving an IP address uses the pointer DNS record type (PTR record).
 
Informational RFCs (RFC 1033, and RFC 1912 Section 2.1) specify that "Every Internet-reachable host should have a name" and that such names match with a reverse pointer record, but it is not a requirement of standards governing operation of the DNS itself.
 
There's plenty of other rDNS to FQDN name supporting information available via Google at: https://www.google.com/?gws_rd=ssl#q=rdns%20lookup
 
Bruce Barnes
W. T. Leaver Replied
Oh geez. Yes, all DNS lookups are technically done on a hostname. However, the purpose of rDNS is to map an IP address to its hostname, thus you start with an IP address. Sure, by the time you actually run the query, you've reversed the IP's octets and fashioned them into a host in the .arpa zone for lookup, but the point is rDNS *is* IP based: you start with an IP address. The point being, you can't look up the hostname of the IP address and get any rDNS information from it.

How does this even further this discussion?
Benjamin Breedlove Replied
Has this issue been resolved?
 
I am ALSO having the same issue where I have SPAM settings for emails that do not have a Reverse DNS Lookup to get a score of "30", but SM is not adding the weight to the TotalSpamWeight.
 
If I am reading your posts above correctly, why do we even have the Reverse DNS Lookup specified if it isn't going to correctly interpret emails?
 
Below is a copy of the headers of an email. TotalSpamWeight should be 32, not 2.
 

X-Smartermail-Spam: Reverse DNS Lookup [Failed], ISpamAssassin 0 [raw: 0], SPF_Pass, DKIM_Pass, UCEProtect Level 2
Dkim-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=survipen.bid; h=Mime-Version:Content-Type:Date:From:Reply-To:Subject:To:Message-ID; i=support@survipen.bid; bh=tqmQq/DSY9xLCeTdb7YOiZmr28E=; b=HvFgRd90ElhlMRh2bDEhQfNZu04ta3iedwuQhjHslhgPRqm9B5kqIBYXwofuzye3Tp4mzGQVe9je tmdy/xXSckJIKD5vPuqgSBkT+Vr+JNP6XiSk2ON7zr6M07xA/xRb5r7Yu3SGHrq/bdiuaHo4A7oY yhupWkG8mhm8VpptrxY=
Return-Path: <3275-4210-607-853-bbreedlove=conhagen.com@mail.survipen.bid>
Received: from austin.survipen.bid (UnknownHost [162.244.14.137]) by mail.conhagen.com with SMTP; Tue, 12 Jun 2018 10:39:39 -0500
<opz693k63kk7eqyq-i9v4hn4q411onykd-1072-25f@survipen.bid>
X-Smartermail-Totalspamweight: 2
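As an added example that is not SmarterMail's code, the reverse lookup described by Bruce Barnes and W. T. Leaver and the weight arithmetic Ben and Benjamin expect, rebuilt in Python: the address is reversed into its in-addr.arpa (or ip6.arpa) owner name, a PTR table standing in for the resolver is consulted, and the configured weight is added only when that lookup fails. The PTR table, the 10.0.0.5 and ::1 entries, the BARRACUDA weight of 10 and the check names in the test are constructed; the 30 and the log line come from the thread.

```python
"""Added example (not SmarterMail's code): rDNS owner name, PTR lookup, weight total."""
import ipaddress
import re
from typing import Dict, Optional

def reverse_name(ip: str) -> str:
    """Owner name queried for the PTR record: octets reversed under in-addr.arpa
    for IPv4, nibbles reversed under ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer

# Constructed PTR table standing in for a DNS resolver so this runs offline.
# 107.150.8.3 is deliberately absent, matching the thread's report.
CONSTRUCTED_PTR: Dict[str, str] = {
    reverse_name("10.0.0.5"): "mail.example.net",
    reverse_name("::1"): "lo.example.net",
}

def lookup_ptr(ip: str, ptr_table: Dict[str, str] = CONSTRUCTED_PTR) -> Optional[str]:
    """PTR target for ip, or None when no record exists."""
    return ptr_table.get(reverse_name(ip))

def parse_check_results(log_line: str) -> Dict[str, str]:
    """Parse the '[NAME: verdict], ...' list that follows 'Spam check results:'
    in a SmarterMail delivery log line into a name -> verdict mapping."""
    _, _, results = log_line.partition("Spam check results:")
    return {m.group(1).strip(): m.group(2).strip()
            for m in re.finditer(r"\[([^\]:]+):\s*([^\]]*)\]", results)}

def total_spam_weight(results: Dict[str, str], weights: Dict[str, int]) -> int:
    """Add a check's configured weight only when its verdict is a failure."""
    return sum(weights.get(name, 0) for name, verdict in results.items()
               if verdict.lower() in ("failed", "fail"))

def score_connection(ip: str, log_line: str, weights: Dict[str, int],
                     ptr_table: Dict[str, str] = CONSTRUCTED_PTR) -> int:
    """Re-derive the rDNS verdict from the PTR table instead of trusting the
    logged one (the thread's complaint), then total the weights."""
    results = parse_check_results(log_line)
    results["_REVERSEDNSLOOKUP"] = "passed" if lookup_ptr(ip, ptr_table) else "failed"
    return total_spam_weight(results, weights)

# Delivery-log line from the thread (abridged); every check was logged as passed.
LOG_LINE = ("[2014.08.27] 10:22:59 [01571] Spam check results: [_SPF: Pass], "
            "[BARRACUDA -BRBL: passed], [_REVERSEDNSLOOKUP: passed], "
            "[_INTERNALSPAMASSASSIN: 0:0], [_DK: None], [_CUSTOMRULES: ]")
WEIGHTS = {"_REVERSEDNSLOOKUP": 30, "BARRACUDA -BRBL": 10}  # 30 is the thread's setting; 10 constructed
if __name__ == "__main__":
    print(total_spam_weight(parse_check_results(LOG_LINE), WEIGHTS))  # 0, as logged
    print(score_connection("107.150.8.3", LOG_LINE, WEIGHTS))         # 30: no PTR record
```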
