Overview
The IP DNS Blocklist Filter identifies spam by checking the IP address of the sending mail server against a public list of mail servers known to send spam (DNS Blocklists).
In this article, you will learn how to determine why the IP DNS Blocklist Anti-Spam filter blocked or allowed a message as part of the troubleshooting process.
Introduction
The MailEssentials IP DNS Blocklist filter verifies that the IP address of the sending mail server is not known to send spam emails. The DNS Blacklist module (DNSBL) makes use of DNS to check the IP address of the sending mail server with third-party DNSBLs (like zen.spamhaus.org) that maintain a list of IP addresses of known open relays and IP addresses that are known to send spam emails.
MailEssentials maintains a cache of the results returned by the DNS Blocklists so that the same IP address is not queried repeatedly; items found in the cache are answered faster. A side effect is that the filter may still report an IP address as listed when the DNSBL has in fact already delisted it. The duration of the cache is specified in milliseconds in config.mdb > antispam2 table > orcachettl. Items remain in the cache for 4 days and are cleared each time the AS Scan Engine service is restarted.
There will be scenarios where customers open support requests wanting to understand why the IP DNS Blocklist filter blocked or allowed specific messages against their expectations. The next section outlines the troubleshooting process to determine the reason behind the actions taken by this filter.
Description
If you are questioning why an email was blocked or allowed by the IP DNS Blocklist filter and would like more information, the best place to start the troubleshooting process is to examine the debug logs.
- Find the Message-ID of the email in question by either obtaining it from the headers of the message itself or by looking for it in the MailEssentials Dashboard > Logs > Details tab. Refer to this linked article for more information on Reading Email Headers to extract the Message-ID.
- Navigate to ..\GFI\MailEssentials\AntiSpam\DebugLogs and locate the log file for the module. The debug log filename is ase_dnsbl.gfi_log.txt. This debug log file corresponds to GFI MailEssentials > Anti-Spam > Anti-Spam Filters > IP DNS Blocklist in the configuration UI as well as the antispam2_openrelay table in the config.mdb database.
- Open the debug log file in a text editor and search for the Message-ID obtained in step 1.
- Refer to the scenarios below to determine the reason behind the action taken by the module. Pay close attention to the SearchInCache and Lookup result lines, which state what happened and why.
Open Relay and Dynamic IP check both disabled. Returning
"ase_dnsbl","--------------------------------------------------------------------------"
"ase_dnsbl",">> Init Message [<0fb196c2a9ed011c0a6734682ccd1646@ec2amaz-tedqdcp>]"
"ase_dnsbl","Initializing DNS Checker..."
"ase_dnsbl",">> Load Config"
"ase_dnsbl","Retrieving DNS Server configuration. Executing query [SELECT * FROM dns_server]"
"ase_dnsbl","Using default DNS Server"
"ase_dnsbl","Retrieving blacklist configuration. Executing query [SELECT checkopenrelay, orcachettl FROM antispam2]"
"ase_dnsbl","Open Relay check enabled"
"ase_dnsbl","Retrieving DNS Blacklists. Executing query [SELECT entry FROM antispam2_openrelay WHERE enabled = 1]"
"ase_dnsbl",">> SetupJobs"
"ase_dnsbl","Job [1] - DNSBL [bl.spamcop.net] - Type [Open Relay Blacklist]"
"ase_dnsbl","<< LoadDNSFailSafeOptions"
"ase_dnsbl","Licensing check: Licensed"
"ase_dnsbl","<< Init Message"
"ase_dnsbl",">> Process Message"
"ase_dnsbl","Engine ID is [1, 0x1]"
Scenario 1: Email was allowed by the module
Successfully retrieved EmailInfoRetriever from Propertybag
Getting connecting IP from InfoRetiever
>> SearchInCache
<< SearchInCache
>> PerformLookup
Performing DNS lookups
Performing Lookup: [161.47.171.209.bl.spamcop.net]
Lookup on DNSBL bl.spamcop.net returned: HAM
If a sender is listed on a Blocklist that you are not checking, you can add it from the IP DNS Blocklist Configuration in the UI.
Scenario 2: Email was blocked by the module
Successfully retrieved EmailInfoRetriever from Propertybag
Getting connecting IP from InfoRetiever
>> SearchInCache
<< SearchInCache
>> PerformLookup
Performing DNS lookups
Performing Lookup: [161.47.171.209.dul.dnsbl.sorbs.net]
Lookup on DNSBL dul.dnsbl.sorbs.net returned: SPAM
Scenario 3: Email was blocked by the module due to an entry in the cache
Successfully retrieved EmailInfoRetriever from Propertybag
Getting connecting IP from InfoRetiever
>> SearchInCache
<< SearchInCache [SPAM]
IP [70.47.43.195] was found in cache: [Open Relay] Setting actions data ...
Spam detected, Stopping ASE Chain [2]...
Setting block report to: 'Sending mail server found on DNS Blocklist cache'
If a sender is in the cache but has been removed from the Blocklist, follow the instructions in the article: Clearing MailEssentials DNS Blacklist Cache Manually.
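The troubleshooting steps and the three scenarios above can be automated with a small parser over ase_dnsbl.gfi_log.txt. The script below is an added example, not part of the article or of GFI's own tooling; it assumes the line shapes quoted above, uses a constructed sample log, and decodes the reversed-octet form of the DNSBL query (161.47.171.209.bl.spamcop.net means the connecting IP 209.171.47.161 was checked against bl.spamcop.net).

```python
import re

# Line patterns from ase_dnsbl.gfi_log.txt as quoted in the article.
INIT = re.compile(r'>> Init Message \[(?P<mid><[^>]+>)\]')
LOOKUP = re.compile(r'Performing Lookup: \[(?P<q>[\w.-]+)\]')
RESULT = re.compile(r'Lookup on DNSBL (?P<zone>[\w.-]+) returned: (?P<v>HAM|SPAM)')
CACHE = re.compile(r'IP \[(?P<ip>[\d.]+)\] was found in cache: \[(?P<lst>[^\]]+)\]')

# Constructed sample: one message allowed after a lookup, one blocked from cache.
SAMPLE_LOG = '''"ase_dnsbl",">> Init Message [<a1@example.test>]"
"ase_dnsbl","Performing Lookup: [4.3.2.1.bl.spamcop.net]"
"ase_dnsbl","Lookup on DNSBL bl.spamcop.net returned: HAM"
"ase_dnsbl",">> Init Message [<b2@example.test>]"
"ase_dnsbl","IP [10.0.0.7] was found in cache: [Open Relay] Setting actions data ..."
'''

def split_query(query):
    """DNSBL queries reverse the IPv4 octets and append the zone:
    161.47.171.209.bl.spamcop.net -> ('209.171.47.161', 'bl.spamcop.net')."""
    labels = query.split(".")
    return ".".join(reversed(labels[:4])), ".".join(labels[4:])

def explain(log_text, message_id):
    """Return verdict and evidence for one Message-ID, or None if it is absent."""
    block, keep = [], False
    for raw in log_text.splitlines():
        # Drop the leading "ase_dnsbl"," field; bare pasted lines pass unchanged.
        msg = raw.strip().strip('"').split('","', 1)[-1]
        if (mi := INIT.search(msg)):
            if keep:
                break  # the next message's section starts here
            keep = mi.group("mid") == message_id
        elif keep:
            block.append(msg)
    if not block:
        return None
    info = {"verdict": "HAM", "cache_hit": None, "lookups": []}
    for msg in block:
        if (ci := CACHE.search(msg)):  # Scenario 3: cached verdict, no DNS query
            info["cache_hit"] = (ci.group("ip"), ci.group("lst"))
            info["verdict"] = "SPAM"
        elif (lq := LOOKUP.search(msg)):
            ip, zone = split_query(lq.group("q"))
            info["lookups"].append({"ip": ip, "zone": zone, "result": None})
        elif (rs := RESULT.search(msg)):  # Scenarios 1 and 2: live lookup result
            for lk in info["lookups"]:
                if lk["zone"] == rs.group("zone") and lk["result"] is None:
                    lk["result"] = rs.group("v")
            info["verdict"] = "SPAM" if rs.group("v") == "SPAM" else info["verdict"]
    return info
```

A cache hit with no Performing Lookup line is the signature of Scenario 3, which is the case where clearing the DNS Blacklist cache is the remedy.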