Answer
GFI MailEssentials uses the Received lines in the email message header to determine the IP addresses of the SMTP servers the mail has passed through. It then queries each enabled DNS blocklist for each of those IP addresses. If any blocklist returns a positive reply for any of the addresses, the mail is blocked.
You can use the following procedure to manually confirm the results returned by a DNS blocklist for a particular email.
1. View the message header
The following explains how to view the message headers in either Microsoft Outlook or Microsoft Outlook Express. If you are using a different email client, refer to its documentation to find out how to display the message headers.
- Microsoft Outlook
- From the Microsoft Outlook Client double click on the email message to open it.
- Click on View -> Options
- The Internet Headers frame will contain all the message headers
- Microsoft Outlook Express
- From Outlook Express double click on the email message to open it
- Click on File -> Properties -> Details tab
- Click on Message Source in order to view the Message headers clearly
2. Locate the IP address of each mail server the mail has passed through
The message headers located in step one are used to trace all the mail servers the email has passed through before being delivered to the SMTP server on the GFI MailEssentials machine.
In the message headers, locate each line starting with Received: from and take note of the IP address of the mail server from which the mail was received (the address in brackets after the sending host name, before the word "by").
For Example:
"Received: from mailgate.domain.com ([66.220.30.30]) by mailgate.domain.com with Microsoft SMTPSVC"
The message header will therefore have a record of all the IP addresses that have processed the message. Note that only the topmost Received line, the one added by your own server, is guaranteed to be genuine; the lines below it were written by upstream servers and a sender can forge them, so the list may include addresses that never actually handled the message. Private addresses (for example 192.168.x.x or 10.x.x.x) belong to internal hops and are not listed by public DNS blocklists, so they can be skipped.
3. Check whether any of the mail servers is blocklisted
Once you have a list of all the IP addresses of mail servers the mail has passed through, you need to check whether any of these is listed as blocked by one or more of the DNS blocklists you have enabled in the GFI MailEssentials configuration. This can be checked using one of the following procedures:
- Using Ping
- Open Command Prompt (Start -> Run -> CMD)
- Type ping <reversed IP>.<relay blocklist>
For Example: To check whether the IP address 66.220.30.30 is blocklisted by sbl.spamhaus.org you would type in the following:
ping 30.30.220.66.sbl.spamhaus.org
(Note: The IP address needs to be inverted)
- A result similar to:
Ping request could not find host 30.30.220.66.sbl.spamhaus.org. Please check the name and try again
would indicate that the IP address being checked is not in sbl.spamhaus.org. You can proceed to check the IP address with the other DNS Blocklists enabled in GFI MailEssentials, or check the other IP addresses found in the email header.
- A result similar to:
Pinging 30.30.220.66.sbl.spamhaus.org [127.0.0.2] with 32 bytes of data
would indicate that the IP address is found on the DNS Blocklist being checked.
Note that you do not need to get a reply to your ping request. You just need to check whether the host (30.30.220.66.sbl.spamhaus.org) resolves to an IP address (127.0.0.2 in this case). For the purpose of this check the exact address it resolves to is not important, although each blocklist documents what its return codes mean: listed addresses resolve to 127.0.0.x, and Spamhaus in particular uses 127.255.255.x to signal a query error (for example a malformed query or an open resolver) rather than a listing. An answer outside 127.0.0.0/8 means your DNS server is returning an address for a non-existent name (see the Notes below), not that the IP is listed.
- Using Nslookup
- Open Command Prompt (Start -> Run -> CMD)
- Type nslookup <reversed IP>.<relay blocklist>
For Example: To check whether the IP address 66.220.30.30 is blocklisted by sbl-xbl.spamhaus.org you would type in the following:
nslookup 30.30.220.66.sbl-xbl.spamhaus.org
(Note: The IP address needs to be inverted)
- A reply similar to
DNS Server can't find 30.30.220.66.sbl-xbl.spamhaus.org: Non-existent domain:
indicates that the IP address is not in the sbl-xbl.spamhaus.org blocklist. You can proceed to check the IP address with the other DNS Blocklists enabled in GFI MailEssentials, or check the other IP addresses found in the email header.
- A reply similar to
Non-authoritative answer:
Name: 30.30.220.66.sbl-xbl.spamhaus.org
Address: 127.0.0.2
indicates that the IP address is found on the sbl-xbl.spamhaus.org blocklist.
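The three steps above can be scripted so that the same check can be repeated for every Received hop and every configured blocklist. The script below is an added example and is not part of GFI MailEssentials or of this article: it parses the Received headers of a message, discards private (internal-hop) addresses, builds the reversed-octet query name, and interprets the DNS answer the same way the ping and nslookup checks do (NXDOMAIN means not listed, a 127.0.0.x answer means listed). The sample message is constructed for the example, reusing the article's 66.220.30.30 address; the zone names are the ones used in this article, and the resolver can be swapped for a stub so the logic can be exercised without network access. The 127.255.255.x error convention is Spamhaus's; other blocklists may use different codes, so check each list's documentation.

```python
"""Manual DNS blocklist check, scripted (added example, not GFI code)."""
import email
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample message. The first hop reuses the article's example
# address; the second is an internal RFC 1918 hop that should be skipped.
SAMPLE_MESSAGE = b"""Received: from mailgate.domain.com ([66.220.30.30]) by mailgate.domain.com with Microsoft SMTPSVC; Mon, 1 Jan 2007 10:00:00 +0100
Received: from [192.168.1.10] (helo=desktop) by smtp.sender.example with ESMTP; Mon, 1 Jan 2007 09:59:00 +0100
From: someone@sender.example
To: user@domain.com
Subject: test

body
"""

# Blocklist zones named in the article.
ZONES = ["sbl.spamhaus.org", "sbl-xbl.spamhaus.org", "bl.spamcop.net"]

# An IPv4 literal in brackets or parentheses, as MTAs write it in Received lines.
_IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def received_ips(raw_message: bytes) -> List[str]:
    """Public IPv4 addresses from the Received: headers, newest hop first."""
    msg = email.message_from_bytes(raw_message)
    ips: List[str] = []
    for hdr in msg.get_all("Received", []):
        # Only the text before " by " describes the host the mail came FROM.
        src = str(hdr).split(" by ", 1)[0]
        for match in _IP_RE.finditer(src):
            candidate = match.group(1)
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1 matched the loose regex
            # Private/loopback hops are internal; public DNSBLs never list them.
            if addr.is_global and candidate not in ips:
                ips.append(candidate)
    return ips


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 66.220.30.30 -> 30.30.220.66.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def default_resolver(name: str) -> Optional[str]:
    """Resolve with the system DNS server; None on NXDOMAIN, like ping/nslookup."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zone: str,
             resolver: Callable[[str], Optional[str]] = default_resolver) -> str:
    """Return 'listed', 'not listed' or 'error' for one IP against one zone."""
    answer = resolver(dnsbl_name(ip, zone))
    if answer is None:
        return "not listed"
    addr = ipaddress.ip_address(answer)
    # Spamhaus convention: 127.255.255.x reports a query problem (bad query,
    # open resolver, volume limit). Treat it as an error, not a listing.
    if addr in ipaddress.ip_network("127.255.255.0/24"):
        return "error"
    if addr in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    # A non-loopback answer means the DNS server returned an address for a
    # non-existent name (search-suffix or NXDOMAIN rewriting): a false positive source.
    return "error"


def check_message(raw_message: bytes, zones: List[str],
                  resolver: Callable[[str], Optional[str]] = default_resolver
                  ) -> Dict[str, Dict[str, str]]:
    """Verdict for every public Received hop against every zone."""
    return {ip: {zone: check_ip(ip, zone, resolver) for zone in zones}
            for ip in received_ips(raw_message)}


if __name__ == "__main__":
    for ip, verdicts in check_message(SAMPLE_MESSAGE, ZONES).items():
        for zone, verdict in verdicts.items():
            print(f"{ip:15} {zone:22} {verdict}")
```

Run it against a saved message (replace SAMPLE_MESSAGE with the bytes of the .eml file) on the GFI MailEssentials machine itself, so that it uses the same DNS server GFI MailEssentials uses; an "error" verdict for every zone points at the DNS server rather than at the blocklist.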
Notes:
- GFI MailEssentials caches results obtained from the blocklists. Therefore a domain or IP address could already have been removed from the blocklist while emails coming from that mail server are still blocked by GFI MailEssentials. Items remain in the cache for 4 days. The cache can be cleared by restarting the IIS Admin Service from the Services console.
- The following are possible causes for false positives from the DNS blocklist feature:
- Normally the problem is due to a DNS server which is not correctly configured. A typical example is a DNS server that returns an address for names that do not exist (for instance by appending a search suffix and matching a wildcard record): every blocklist lookup then appears to succeed and every email is blocked. By default GFI MailEssentials will make use of the DNS server configured on the local machine. You can configure GFI MailEssentials to use a different DNS server from the GFI MailEssentials configuration -> right click on Anti-Spam and select Properties -> DNS Server tab
- The problem may also be due to the DNS Blocklist itself issuing wrong results. In this case, you would need to choose a different DNS Blocklist
- If most or all of your emails are being blocked by the DNS Blocklist feature, most probably your own email server has been added to a DNS Blocklist. First ensure that your mail server is not an open relay. You would then need to use the procedure above, with your mail server's public IP address, to determine which DNS Blocklist it is listed on, and contact that DNS Blocklist provider directly