Tuesday, 17 November 2015

Exchange 2013, 2016 - Zen Spamhaus RBL not working

Zen Spamhaus gives you a way of testing whether your block list transport agent is working. An interesting scenario can occur where this silently doesn't work.


How to test whether your Block List Provider is working


To test that your Zen Spamhaus block list provider is working, send an email from your Exchange account to nelson-sbl-test@crynwr.com. It’ll attempt to send you an email from a blacklisted IP and then send you the SMTP conversation by email. You should get a reply back like below:


Testing your SBL block. See http://www.crynwr.com/spam/ for more info.

Please note that this test will not tell you if your server is open for relaying. Instead, it tests to see if your server blocks email from IP addresses listed in various blocking lists; in this case, the SBL list.

Here's how the conversation looked from sbl.crynwr.com.

Note that some sites don't apply the SBL block to postmaster, so I use your envelope sender as the To: address.

I connected to <your IP> and here's the conversation I had:

220 server.domain.com Microsoft ESMTP MAIL Service ready at Tue, 25 Aug 2015 15:38:07 +0100
helo sbl.crynwr.com
250 server.domain.com Hello [192.203.178.107]
mail from:<>
250 2.1.0 Sender OK
rcpt to:<mark@mydomain.co.uk>
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
From: nelson-SBL-test@crynwr.com
To: mark@mydomain.co.uk
Date: Tue, 25 Aug 2015 14:38:22 -0000
Message-Id: <1440513502@sbl.crynwr.com>
Precedence: junk
Test message
250 2.6.0 <1440513502@sbl.crynwr.com> [InternalId=219] Queued mail for delivery
quit

Successful termination. As far as I can tell, the email was delivered. That might not be what you want.


As you can see, the email was delivered. That’s definitely not what we want.  


How to fix the Zen SpamHaus block list provider?


The problem here is that our internal DNS server is using a DNS forwarder that cannot resolve the names we require. The way it needs to work is this: when your Exchange server receives an SMTP connection from an IP address, the block list transport agent does a DNS forward (A record) lookup on <the IP's octets in reverse order>.zen.spamhaus.org. If that query returns an answer, the IP is listed and the connection is rejected; if it returns Non-existent domain (or no answer at all), the IP is treated as clean and the email is accepted. That is why a resolver that cannot answer these queries disables the block list without any error being logged.

To demonstrate a failed DNS lookup for Zen SpamHaus, we can do a lookup for 2.0.0.127.zen.spamhaus.org (127.0.0.2 in reverse) on Google’s DNS servers like below:

nslookup
server 8.8.8.8
2.0.0.127.zen.spamhaus.org


As you can see, this lookup fails with: Non-existent domain

If we change the DNS server to one of the domain controllers (192.168.0.8), which is configured to use the root hints and no forwarders, then the lookup works and returns the expected 127.0.0.x answers:

nslookup
server 192.168.0.8
2.0.0.127.zen.spamhaus.org
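To show what the transport agent's lookup actually does, here is an added Python example (not from the original post, and not Exchange's or Spamhaus's own code): it builds the reversed-octet query name, sends the A query to a resolver of your choosing with a minimal hand-rolled DNS client (the equivalent of nslookup's server command), and decodes Spamhaus ZEN's 127.0.0.x answers into list names. The return-code table and the 127.255.255.x error range are as documented by Spamhaus; the resolver addresses are whatever you pass in.

```python
import ipaddress
import random
import socket
import struct

ZEN_CODES = {  # A record ZEN returns -> Spamhaus list that matched (all within 127.0.0.0/8)
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS", "127.0.0.10": "PBL", "127.0.0.11": "PBL",
    **{"127.0.0.%d" % n: "XBL" for n in (4, 5, 6, 7)}}

def rbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the octets of an IPv4 address and append the RBL zone (what Exchange looks up)."""
    octets = ipaddress.IPv4Address(ip).packed  # raises AddressValueError on non-IPv4 input
    return ".".join(str(b) for b in reversed(octets)) + "." + zone

def classify(answers):
    """Map ZEN A records to (list names, error codes); 127.255.255.x errors never mean a listing."""
    return (sorted({ZEN_CODES[a] for a in answers if a in ZEN_CODES}),
            sorted(a for a in answers if a.startswith("127.255.255.")))

def _skip_name(data, pos):  # step over a DNS name; a 0xC0 compression pointer ends it in 2 bytes
    while data[pos] and data[pos] & 0xC0 != 0xC0:
        pos += data[pos] + 1
    return pos + (2 if data[pos] & 0xC0 == 0xC0 else 1)

def build_query(name, txid):
    """Wire-format DNS query: header (RD=1, one question) + QNAME labels + QTYPE=A, QCLASS=IN."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\0"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def parse_answers(data, query):
    """A records from the response to query; [] on mismatched id or non-zero RCODE (3 = NXDOMAIN)."""
    rid, flags, _, ancount = struct.unpack("!HHHH", data[:8])
    if rid != struct.unpack("!H", query[:2])[0] or flags & 0x000F:
        return []
    addrs, pos = [], len(query)  # the response echoes the question section, answers follow it
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # TYPE A; IN class assumed
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return addrs

def query_a(name, resolver, timeout=3.0):  # minimal nslookup: one UDP/53 A query to one chosen resolver
    query = build_query(name, random.randint(0, 0xFFFF))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        return parse_answers(s.recv(512), query)
```

Run classify(query_a(rbl_query_name("127.0.0.2"), "8.8.8.8")) and the same call against your domain controller side by side: the resolver that returns no list names for the test address is the one that will silently let listed senders through.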


We can now go ahead and send another test email to nelson-sbl-test@crynwr.com, and this time the response says the email was blocked because the sending IP was found on a block list:



Testing your SBL block. See http://www.crynwr.com/spam/ for more info.

Please note that this test will not tell you if your server is open for relaying. Instead, it tests to see if your server blocks email from IP addresses listed in various blocking lists; in this case, the SBL list.

Here's how the conversation looked from sbl.crynwr.com.

Note that some sites don't apply the SBL block to postmaster, so I use your envelope sender as the To: address.

I connected to <your IP> and here's the conversation I had:
220 server.domain.com Microsoft ESMTP MAIL Service ready at Thu, 12 Nov 2015 21:50:20 +0000
helo sbl.crynwr.com
250 server.domain.com Hello [192.203.178.107]
mail from:<>
250 2.1.0 Sender OK
rcpt to:<mark@mydomain.co.uk>
550 5.7.1 Recipient not authorized, your IP has been found on a block list

Terminating conversation



This looks much better. All the best!

8 comments:

  1. Dear Mark,
    I have enabled the Antispam Agent on hub transport; when I do the nslookup test I get the result below:
    C:\>nslookup
    Default Server: dc.domain.com
    Address: 173.16.10.100
    > 2.0.0.127.zen.spamhaus.org
    Server: dc.domain.com
    Address: 173.16.10.100
    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    *** Request to dc.domain.com timed-out
    >
    Note: DNS forwarders are not enabled; I am using root hints.
  2. Hi,

    Is this the DNS server used by Exchange? Exchange TCP/IP settings need to be set to use internal DNS servers which can resolve all AD related zones. You can configure the Transport Server to use a specific DNS server where you can specify any DNS server. Is this what you have done? Are you able to resolve other addresses such as www.google.com?

    Thanks.

  3. I have a DC and an ADC server in my network, and the preferred DNS on Exchange points to the DC server. Please, Mark, help me make sure my configuration is OK.
  4. Please, Mark, help me ensure the Antispam Agent is working fine.
  5. Please check that the IP 173.16.10.100 is correct. This is a public IP. Is this meant to be 172.16.10.100?

  6. 173.16.10.100 is a private IP; this IP address is for my domain controller.
  7. This doesn't work. I have tried everything including a fresh install of Exchange. NOTHING works. Yes I setup DNS correctly.
    Address: 192.168.1.100

    Non-authoritative answer:
    Name: 2.0.0.127.zen.spamhaus.org
    Addresses: 127.0.0.10
    127.0.0.4
    127.0.0.2

  8. Does not work for me either. I removed the existing DNS forwarders. Here is my DNS query:
    [PS] E:\Exchange Server\Scripts>nslookup
    Standardserver: dc01.domain.de
    Address: 10.10.10.21

    > server 8.8.8.8
    Standardserver: google-public-dns-a.google.com
    Address: 8.8.8.8

    > 2.0.0.127.zen.spamhaus.org
    Server: google-public-dns-a.google.com
    Address: 8.8.8.8

    Nicht autorisierende Antwort:
    Name: 2.0.0.127.zen.spamhaus.org.domain.de
    Address: 212.185.87.xxx

    > server 10.10.10.21
    Standardserver: [10.10.10.21]
    Address: 10.10.10.21

    > 2.0.0.127.zen.spamhaus.org
    Server: [10.10.10.21]
    Address: 10.10.10.21

    Name: 2.0.0.127.zen.spamhaus.org
    Addresses: 127.0.0.2
    127.0.0.10
    127.0.0.4

    When I try a test for a blocked site it does not work properly. Not every test is successful.

    [PS] E:\Exchange Server\Scripts>Test-IPBlockListProvider -IPAddress 46.5.55.123 Spamhaus

    RunspaceId : 9e9deb2b-1395-4efc-af18-1fac0fe1d470
    Provider : Spamhaus
    ProviderResult : {}
    Matched : False

    What else is wrong here?
