Determining why the IP DNS Blocklist Filter Blocked or Allowed a Message

Overview

The IP DNS Blocklist Filter identifies spam by checking the IP address of the sending mail server against a public list of mail servers known to send spam (DNS Blocklists).

In this article, you will learn how to determine why the IP DNS Blocklist Anti-Spam filter blocked or allowed a message as part of the troubleshooting process.


Introduction

The MailEssentials IP DNS Blocklist filter verifies that the IP address of the sending mail server is not known to send spam emails. The DNS Blacklist module (DNSBL) makes use of DNS to check the IP address of the sending mail server with third-party DNSBLs (like zen.spamhaus.org) that maintain a list of IP addresses of known open relays and IP addresses that are known to send spam emails.

MailEssentials maintains a cache of the results of queries to the DNS Blocklists so that the same IP address is not queried repeatedly; IP addresses found in the cache get a faster verdict. The side effect is that a lookup may still report an IP address as listed on the DNSBL after the blocklist operator has in fact removed it. The cache duration is specified in milliseconds in config.mdb > antispam2 table > orcachettl. Items remain in the cache for 4 days, and the cache is cleared each time the AS Scan Engine service is restarted.
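To make the mechanism concrete, here is an added Python example. It is not GFI code and MailEssentials' internal implementation is not shown on this page; it only reproduces what the debug log excerpts below reveal. It builds the DNSBL query name from the connecting IP (reversed octets followed by the zone, e.g. 161.47.171.209.bl.spamcop.net), treats an A record in 127.0.0.0/8 as "listed" following the usual DNSBL convention, and keeps a per-IP verdict cache with a millisecond TTL so you can see why a sender that has since been delisted keeps being blocked until the entry expires or the cache is cleared. The resolver is a stub over constructed data; the zone names and IP addresses are taken from the article's log excerpts, and the clock is injectable so the TTL can be exercised offline.

```python
"""Added example (not GFI code): DNSBL query names and a TTL verdict cache."""
import ipaddress
import time

# Standard DNSBL convention: a listed IP answers with an A record in 127.0.0.0/8,
# an unlisted one answers NXDOMAIN (modelled here as None).
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the octets of the connecting IP and append the DNSBL zone:
    209.171.47.161 + bl.spamcop.net -> 161.47.171.209.bl.spamcop.net"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # also validates the address
    return ".".join(reversed(octets)) + "." + zone


class DnsblChecker:
    """Queries each configured zone in order and caches the verdict per IP for ttl_ms."""

    def __init__(self, zones, resolve, ttl_ms, clock=time.monotonic):
        self.zones = list(zones)
        self.resolve = resolve          # name -> A record string, or None for NXDOMAIN
        self.ttl_s = ttl_ms / 1000.0    # the article's orcachettl is in milliseconds
        self.clock = clock
        self._cache = {}                # ip -> (verdict, zone, expires_at)

    def check(self, ip):
        """Return (verdict, zone, from_cache); verdict is "SPAM" or "HAM"."""
        now = self.clock()
        entry = self._cache.get(ip)
        if entry is not None and entry[2] > now:
            return entry[0], entry[1], True      # cache hit: no DNS query at all
        verdict, zone = "HAM", None
        for candidate in self.zones:
            answer = self.resolve(dnsbl_query_name(ip, candidate))
            if answer is not None and ipaddress.IPv4Address(answer) in LISTED_NET:
                verdict, zone = "SPAM", candidate
                break                            # first listing is enough to block
        self._cache[ip] = (verdict, zone, now + self.ttl_s)
        return verdict, zone, False

    def clear_cache(self):
        """The effect a restart of the AS Scan Engine service has on the cache."""
        self._cache.clear()


def demo():
    """Constructed scenario: sender listed on dul.dnsbl.sorbs.net, then delisted."""
    listings = {"161.47.171.209.dul.dnsbl.sorbs.net": "127.0.0.10"}  # constructed data
    fake_clock = [0.0]
    checker = DnsblChecker(
        ["bl.spamcop.net", "dul.dnsbl.sorbs.net"],
        resolve=lambda name: listings.get(name),
        ttl_ms=4 * 24 * 60 * 60 * 1000,          # four days, as the article describes
        clock=lambda: fake_clock[0],
    )
    first = checker.check("209.171.47.161")      # ('SPAM', 'dul.dnsbl.sorbs.net', False)
    listings.clear()                             # the sender gets delisted upstream
    second = checker.check("209.171.47.161")     # still SPAM, served from the cache
    fake_clock[0] += checker.ttl_s + 1           # wait out the TTL
    third = checker.check("209.171.47.161")      # ('HAM', None, False): fresh lookup
    return first, second, third


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The second result is the case support sees most often: the upstream listing is gone, but the cached SPAM verdict is authoritative until it expires or the service is restarted, which is why the article points at clearing the cache rather than at the blocklist operator.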

There will be scenarios where customers open support requests wanting to understand why the IP DNS Blocklist filter blocked or allowed specific messages against their expectations. The next section outlines the troubleshooting process to determine the reason behind the actions taken by this filter.


Description

If you are questioning why an email was blocked or allowed by the IP DNS Blocklist filter and would like more information, the best place to start the troubleshooting process is to examine the debug logs.


Follow the below procedure to find the log file and information regarding the email message under review, and thereafter use the examples provided to interpret and determine why the message was either blocked or allowed:
  1. Find the Message-ID of the email in question by either obtaining it from the headers of the message itself or by looking for it in the MailEssentials Dashboard > Logs > Details tab. Refer to this linked article for more information on Reading Email Headers to extract the Message-ID.
  2. Navigate to ..\GFI\MailEssentials\AntiSpam\DebugLogs and locate the log file for the module. The debug log filename is ase_dnsbl.gfi_log.txt
    • This debug log file for the module corresponds to GFI MailEssentials > Anti-Spam > Anti-Spam Filters > IP DNS Blocklist on the configuration UI as well as the antispam2_openrelay table in the config.mdb database.
  3. Open the debug log file in a text editor and search for the Message-ID obtained in step 1.
  4. Refer to the scenarios below to determine the reasons behind the action taken by the module. Pay close attention to the result lines (those beginning with "Lookup on DNSBL", "<< SearchInCache" and "IP [...] was found in cache") to understand what happened and why.
The debug log file will indicate whether IP DNS Blocklist is enabled and any actions taken by the filter while scanning emails. The following will be logged if the filter is disabled:
Open Relay and Dynamic IP check both disabled. Returning
The following lines after the Message-ID confirm that the IP DNS Blocklist filter is enabled and has successfully loaded the configuration:
"ase_dnsbl","--------------------------------------------------------------------------"
"ase_dnsbl",">> Init Message [<0fb196c2a9ed011c0a6734682ccd1646@ec2amaz-tedqdcp>]"
"ase_dnsbl","Initializing DNS Checker..."
"ase_dnsbl",">> Load Config"
"ase_dnsbl","Retrieving DNS Server configuration. Executing query [SELECT * FROM dns_server]"
"ase_dnsbl","Using default DNS Server"
"ase_dnsbl","Retrieving blacklist configuration. Executing query [SELECT checkopenrelay, orcachettl FROM antispam2]"
"ase_dnsbl","Open Relay check enabled"
"ase_dnsbl","Retrieving DNS Blacklists. Executing query [SELECT entry FROM antispam2_openrelay WHERE enabled = 1]"
"ase_dnsbl",">> SetupJobs"
"ase_dnsbl","Job [1] - DNSBL [bl.spamcop.net] - Type [Open Relay Blacklist]"
"ase_dnsbl","<< LoadDNSFailSafeOptions"
"ase_dnsbl","Licensing check: Licensed"
"ase_dnsbl","<< Init Message"
"ase_dnsbl",">> Process Message"
"ase_dnsbl","Engine ID is [1, 0x1]"


Scenario 1: Email was allowed by the module

Successfully retrieved Email
InfoRetriever from Propertybag
Getting connecting IP from InfoRetiever
>> SearchInCache
<< SearchInCache
>> PerformLookup
Performing DNS lookups
Performing Lookup: [161.47.171.209.bl.spamcop.net]
Lookup on DNSBL bl.spamcop.net returned: HAM

The "<< SearchInCache" line carries no verdict, so the connecting IP was not in the cache and a live lookup was performed. The lookup name is the connecting IP with its octets reversed (209.171.47.161) followed by the blocklist zone, and bl.spamcop.net returned HAM, so the IP is not listed there and the filter allowed the message.

If a sender you expected to be blocked is listed on a Blocklist that you are not checking, you can add that Blocklist from the IP DNS Blocklist configuration in the UI.

Scenario 2: Email was blocked by the module

Successfully retrieved Email
InfoRetriever from Propertybag
Getting connecting IP from InfoRetiever
>> SearchInCache
<< SearchInCache
>> PerformLookup
Performing DNS lookups
Performing Lookup: [161.47.171.209.dul.dnsbl.sorbs.net]
Lookup on DNSBL dul.dnsbl.sorbs.net returned: SPAM

Here the IP was again not in the cache, but the live lookup against dul.dnsbl.sorbs.net returned SPAM, so the filter blocked the message and the verdict is now cached for the configured TTL.

If a valid sender is on a Blocklist, it is the sender's responsibility to have themselves removed from that Blocklist. GFI has no control over the third-party Blocklists.


Scenario 3: Email was blocked by the module due to an entry in the cache

Successfully retrieved Email
InfoRetriever from Propertybag
Getting connecting IP from InfoRetiever
>> SearchInCache
<< SearchInCache [SPAM]
IP [70.47.43.195] was found in cache: [Open Relay] Setting actions data ...
Spam detected, Stopping ASE Chain [2]...
Setting block report to: 'Sending mail server found on DNS Blocklist cache'

In this case "<< SearchInCache [SPAM]" shows the verdict came from the cache: no "Performing Lookup" line follows, so no DNSBL was queried for this message, and the block report names the cache as the reason. This is the scenario in which the sender may already have been removed from the Blocklist yet still be blocked.

If a sender is in the cache but has been removed from the Blocklist, follow the instructions in the article: Clearing MailEssentials DNS Blacklist Cache Manually.
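The four-step procedure above (find the Message-ID, open ase_dnsbl.gfi_log.txt, locate the message, read the result lines) and the three scenarios can be automated. The following is an added Python example, not a GFI tool: it takes the log text and a Message-ID, isolates the lines logged between that message's ">> Init Message" line and the next one, and classifies the outcome as allowed (not listed or filter disabled), blocked by a live DNSBL lookup, or blocked by a cache entry. The sample log is constructed from the article's excerpts with invented Message-IDs under example.test; the line patterns are exactly those shown on this page, and both the "ase_dnsbl","..." CSV form and bare lines are accepted.

```python
"""Added example (not GFI code): explain an IP DNS Blocklist verdict from ase_dnsbl.gfi_log.txt."""
import csv
import re

INIT_RE = re.compile(r">> Init Message \[<(?P<id>[^>]+)>\]")
LOOKUP_NAME_RE = re.compile(r"Performing Lookup: \[(?P<name>[^\]]+)\]")
LOOKUP_RESULT_RE = re.compile(r"Lookup on DNSBL (?P<zone>\S+) returned: (?P<verdict>SPAM|HAM)")
CACHE_HIT_RE = re.compile(r"IP \[(?P<ip>[\d.]+)\] was found in cache: \[(?P<list>[^\]]+)\]")
DISABLED_MARKER = "Open Relay and Dynamic IP check both disabled"


def message_text(line):
    """Strip the "ase_dnsbl","..." CSV wrapper; bare lines pass through unchanged."""
    line = line.strip()
    if line.startswith('"'):
        return next(csv.reader([line]))[-1]
    return line


def connecting_ip_from_lookup(name):
    """161.47.171.209.bl.spamcop.net -> 209.171.47.161: the DNSBL query name
    carries the reversed octets of the connecting IP in front of the zone."""
    return ".".join(reversed(name.split(".")[:4]))


def extract_block(log_text, message_id):
    """Lines logged for one message: from its Init Message line up to the next one."""
    block, capturing = [], False
    for raw in log_text.splitlines():
        msg = message_text(raw)
        m = INIT_RE.search(msg)
        if m:
            if capturing:
                break                       # next message starts; we are done
            capturing = m.group("id") == message_id
        if capturing:
            block.append(msg)
    return block


def explain(log_text, message_id):
    """Classify the filter's decision for one Message-ID (see the three scenarios)."""
    block = extract_block(log_text, message_id)
    if not block:
        return {"result": "not found", "reason": "no ase_dnsbl entries for this Message-ID"}
    ip, zones = None, []
    for msg in block:
        if DISABLED_MARKER in msg:
            return {"result": "allowed", "reason": "filter disabled"}
        hit = CACHE_HIT_RE.search(msg)
        if hit:                              # Scenario 3: verdict served from the cache
            return {"result": "blocked", "reason": "cache",
                    "ip": hit.group("ip"), "list": hit.group("list")}
        name = LOOKUP_NAME_RE.search(msg)
        if name:
            ip = connecting_ip_from_lookup(name.group("name"))
        res = LOOKUP_RESULT_RE.search(msg)
        if res:
            zones.append(res.group("zone"))
            if res.group("verdict") == "SPAM":  # Scenario 2: listed on a live lookup
                return {"result": "blocked", "reason": "dnsbl",
                        "ip": ip, "zone": res.group("zone")}
    if zones:                                # Scenario 1: every queried zone said HAM
        return {"result": "allowed", "reason": "not listed", "ip": ip, "zones": zones}
    return {"result": "unknown", "reason": "no lookup or cache result logged"}


# Constructed sample log assembled from the article's excerpts (Message-IDs invented).
SAMPLE_LOG = '''"ase_dnsbl","--------------------------------------------------------------------------"
"ase_dnsbl",">> Init Message [<msg-allowed@example.test>]"
"ase_dnsbl",">> Process Message"
"ase_dnsbl",">> SearchInCache"
"ase_dnsbl","<< SearchInCache"
"ase_dnsbl",">> PerformLookup"
"ase_dnsbl","Performing Lookup: [161.47.171.209.bl.spamcop.net]"
"ase_dnsbl","Lookup on DNSBL bl.spamcop.net returned: HAM"
"ase_dnsbl",">> Init Message [<msg-listed@example.test>]"
"ase_dnsbl",">> SearchInCache"
"ase_dnsbl","<< SearchInCache"
"ase_dnsbl",">> PerformLookup"
"ase_dnsbl","Performing Lookup: [161.47.171.209.dul.dnsbl.sorbs.net]"
"ase_dnsbl","Lookup on DNSBL dul.dnsbl.sorbs.net returned: SPAM"
"ase_dnsbl",">> Init Message [<msg-cached@example.test>]"
"ase_dnsbl",">> SearchInCache"
"ase_dnsbl","<< SearchInCache [SPAM]"
"ase_dnsbl","IP [70.47.43.195] was found in cache: [Open Relay] Setting actions data ..."
"ase_dnsbl","Spam detected, Stopping ASE Chain [2]..."
"ase_dnsbl","Setting block report to: 'Sending mail server found on DNS Blocklist cache'"
"ase_dnsbl",">> Init Message [<msg-disabled@example.test>]"
"ase_dnsbl","Open Relay and Dynamic IP check both disabled. Returning"
'''

if __name__ == "__main__":
    for mid in ("msg-allowed", "msg-listed", "msg-cached", "msg-disabled"):
        print(mid, explain(SAMPLE_LOG, mid + "@example.test"))
```

In practice you would read the real file with open(r"..\GFI\MailEssentials\AntiSpam\DebugLogs\ase_dnsbl.gfi_log.txt").read() and pass the Message-ID from the headers or the Dashboard Logs tab; a "blocked / cache" answer points you at the cache-clearing article, a "blocked / dnsbl" answer at the blocklist operator named in the zone field.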

Author: Priyanka Bhotika