DNS BL does not work: emails are being accepted from blacklisted IPs

Created: 2017-01-19 18:43:54 UTC

Modified: 2017-08-08 13:45:53 UTC

Question

Why are emails accepted from IPs that are blacklisted in DNS BL lists? For example, the IP 10.10.10.10 is listed in zen.spamhaus.org, b.barracudacentral.org, spamcop.net or another blacklist that Plesk checks, but the email is still accepted:

postfix/smtpd[13881]: dns_query: 10.10.10.10.zen.spamhaus.org (A): Host not found

Some IPs are correctly detected as spam by the same blacklist checks:

postfix/smtpd[13881]: dns_query: 10.10.10.10.zen.spamhaus.org (A): OK

Also, emails from certain IPs are not checked by DNS BL at all: the mail server accepts them without performing any DNS blacklist lookup. The following entries are missing from /var/log/maillog:

When email is checked by DNS BL and is filtered as blacklisted:

postfix/smtpd[13881]: dns_query: 10.10.10.10.zen.spamhaus.org (A): OK

When email is checked by DNS BL and is not found in blacklists:

postfix/smtpd[13881]: dns_query: 10.10.10.10.zen.spamhaus.org (A): Host not found

Answer

The IP was blacklisted later, after the mail had already been delivered to the server.

Log entries for DNS BL checks may be missing from /var/log/maillog for the following reason:

Postfix caches RBL answers: each smtpd process keeps its own cache of DNSBL lookup results, and those results are not shared with other Postfix processes. An smtpd process is reused until it reaches max_use or max_idle; when the process exits, its RBL cache is lost with it. A new smtpd process created by the master daemon picks up the current configuration from /etc/postfix/main.cf (including max_idle and max_use).

For example, this is how caching an IP lookup looks in the logs:

postfix/smtpd[17268]: dns_query: 10.10.10.10.zen.spamhaus.org (A): Host not found  <--- dns request
postfix/smtpd[17268]: ctable_locate: install entry key 10.10.10.10.zen.spamhaus.org   <--- store result in cache
postfix/smtpd[17268]: ctable_locate: move existing entry key 10.10.10.10.zen.spamhaus.org  <--- use cached result

The following records show that the DNS request for the IP 10.10.10.10 was performed earlier and its result was taken from the internal cache:

postfix/smtpd[24454]: reject_rbl_addr: Client host 10.10.10.10 
postfix/smtpd[24454]: ctable_locate: move existing entry key 10.10.10.10.zen.spamhaus.org
postfix/smtpd[24454]: generic_checks: name=reject_rbl_client status=0

So for this address the DNS request is not repeated: the cached answer is reused, and a spam message reaches the mailbox.
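To tell which client decisions came from a per-process cache rather than a fresh DNSBL query, here is an added Python script (not Plesk's or Postfix's own code) that parses maillog lines like the ones above. The sample lines, the PIDs and the 192.0.2.5 client are constructed; the audit reports, per smtpd PID, whether the cached answer was "listed" or "not listed" and how many times it was reused, which is the first thing to check before blaming the blacklist itself.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/maillog lines modelled on the article's entries
# (hypothetical PIDs and client hosts, not real traffic).
SAMPLE_MAILLOG = """\
Jan 19 18:43:54 mail postfix/smtpd[17268]: dns_query: 10.10.10.10.zen.spamhaus.org (A): Host not found
Jan 19 18:43:54 mail postfix/smtpd[17268]: ctable_locate: install entry key 10.10.10.10.zen.spamhaus.org
Jan 19 18:50:01 mail postfix/smtpd[17268]: reject_rbl_addr: Client host 10.10.10.10
Jan 19 18:50:01 mail postfix/smtpd[17268]: ctable_locate: move existing entry key 10.10.10.10.zen.spamhaus.org
Jan 19 18:50:01 mail postfix/smtpd[17268]: generic_checks: name=reject_rbl_client status=0
Jan 19 18:55:12 mail postfix/smtpd[24454]: dns_query: 5.2.0.192.zen.spamhaus.org (A): OK
Jan 19 18:55:12 mail postfix/smtpd[24454]: ctable_locate: install entry key 5.2.0.192.zen.spamhaus.org
"""

DNS_QUERY = re.compile(r"smtpd\[(\d+)\]: dns_query: (\S+) \(A\): (Host not found|OK)")
CACHE_HIT = re.compile(r"smtpd\[(\d+)\]: ctable_locate: move existing entry key (\S+)")


def dnsbl_query_name(ip, zone):
    # DNSBL lookups reverse the octets; 10.10.10.10 reads the same both ways,
    # which is why the article's log lines look unreversed.
    return ".".join(reversed(ip.split("."))) + "." + zone


def client_ip_from_key(key):
    # Undo the reversal on a cache key such as 5.2.0.192.zen.spamhaus.org.
    return ".".join(reversed(key.split(".")[:4]))


def audit_rbl_cache(log_text):
    """Map (smtpd pid, client ip) -> {"result": ..., "cache_hits": n}.
    "Host not found" means not listed, "OK" means listed. Each later
    "move existing entry" line for the same pid reused that answer without a
    new DNS query, so a listing added in between is invisible to that pid."""
    state = defaultdict(lambda: {"result": None, "cache_hits": 0})
    for line in log_text.splitlines():
        if m := DNS_QUERY.search(line):
            pid, key, answer = m.groups()
            state[(int(pid), client_ip_from_key(key))]["result"] = (
                "listed" if answer == "OK" else "not listed")
        elif m := CACHE_HIT.search(line):
            pid, key = m.groups()
            state[(int(pid), client_ip_from_key(key))]["cache_hits"] += 1
    return dict(state)


def stale_candidates(log_text):
    # Clients passed on a cached "not listed" answer: these are the ones to
    # recheck live when a sender is later reported as blacklisted.
    return sorted(ip for (_, ip), s in audit_rbl_cache(log_text).items()
                  if s["result"] == "not listed" and s["cache_hits"] > 0)
```

Run it over a real /var/log/maillog to see which smtpd PIDs are still serving old answers; if a listed sender shows up under stale_candidates, the cache, not the blacklist, explains the accepted mail.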
