URIBL_BLOCKED
Hi All,
Just to make some users aware.
If you check your Reports -> Spamassassin Rule Hits.
If you see that it is affecting a lot of your emails (based on the count vs the total emails). For me during testing, it was 99% of emails hit this rule.
This means that you are using your ISP or some public DNS servers like Google (8.8.8.8).
The reason is that these DNS servers are doing too many lookups to those RBL DNS. These RBL DNS block requests above a certain number of queries per IP unless you are a paid subscriber.
To avoid that, ideally you should have your DNS recursor that does direct queries to these RBL DNS. This allows these RBL DNS to only see your recursor IP and not mix with hundreds of other anti-spam servers' requests.
For me, I disabled the dnsmasq and installed unbound recursor within the same vm.
Unbound is nice because you can specify the amount of memory to use for dns cache and its own memory footprint is small which is important if you have a memory limit.
named has a fixed memory limit but its own code is bloated and uses memory. Powerdns recursor cache size is based on number of entries which is a bit tricky to manage memory utilisation.
Regards,
Michael
Re: URIBL_BLOCKED
Made the post sticky as it seems more and more users are running in to this issue.
Version eFa 4.x now available!
-
- Posts: 4
- Joined: 22 Apr 2015 21:17
Re: URIBL_BLOCKED
Can we get more of an explanation on this? I'm getting a ton of delayed emails coming from google mail servers ever since the 3.0.0.7 update and as soon as I whitelist an address the delays stop so it's definitely something in E.F.A. causing them. Not seeing anything on the wiki regarding this.
Re: URIBL_BLOCKED
Delayed mail <> URIBL_BLOCKED
Your issue is different, if I'm understanding what you've said correctly. Your issue sounds like you don't like grey listing.
Re: URIBL_BLOCKED
Ok, so I've followed the instructions at http://tecadmin.net/setup-caching-names ... os-redhat/ to install a caching nameserver on the efa box. I've also updated the primary dns under option 4 -> 4 of the EFA config program. I'm still getting the error.
When I try the command listed to test the setup I get
Code: Select all
[root@efa3 MailScanner]# host -tTXT 3.0.0.127.multi.uribl.com
3.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 74.125.74.81]"
74.125.74.81 is apparently a google ip, but I have no idea where it is coming from..?
I've restarted the named service, do I need to reboot the entire system? (or am I going in the entirely wrong direction?)
Re: URIBL_BLOCKED
I knew I'd find the solution as soon as I posted the question. Based on the bug report (https://github.com/E-F-A/v3/issues/150) I ended up at a commit (https://github.com/E-F-A/v3/commit/34e2 ... f3e78c018d) where I noticed that dnsmasq is a service... A quick
Code: Select all
service dnsmasq restart
and it is working from the command line
Code: Select all
[root@efa3 MailScanner]# host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"
.. and the errors are gone -- yay
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: URIBL_BLOCKED
The next update will fix this permanently for users affected.
Re: URIBL_BLOCKED
After my success message above, I got a message from gmail saying:
<xxx@mydomain.com>: mail for [email.mydomain.com] loops back to myself
so obviously something wasn't correctly configured. I forget what I did to get it working again, but during the upgrade this problem popped up again - after the kernel update and preventing the EFA-Update from working (something like "downloaded version file is corrupt" - I forgot to take a copy of the message).
I uninstalled (yum remove) bind and bind-chroot, reset the DNS to our domain controller, rebooted, and was able to run EFA-Update. Mail is again flowing, but I'm still getting
0.00 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/Dns ... nsbl-block for more information.
Was this supposed to be fixed in the 3.0.0.8 release?
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: URIBL_BLOCKED
You will need to turn on full recursive DNS on your EFA appliance.
EFA-Configure --> 4) IP Settings -->4) DNS Recursion
Make sure your EFA can query DNS outbound on port 53.
Re: URIBL_BLOCKED
I'm using DNS Recursion but i'm getting the block message. Any ideas?
Re: URIBL_BLOCKED
Verify your DNS settings.
Are you really recursing? or are you actually using someone else's DNS server to make the query on your behalf?
Are you using a shared IP?
Re: URIBL_BLOCKED
Hello! Here some things:
[root@efa /]# cat /etc/resolv.conf
nameserver 127.0.0.1
[root@efa /]# host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"
I only see this message "ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/Dns ... nsbl-block for more information." when I test my dkim against http://dkimvalidator.com
Is this message for them or for me?
Can you send a test email to http://dkimvalidator.com (they will give you a random mail to test)
And.. how do I debug it on my box? /var/log/maillog shows nothing. Thanks
Re: URIBL_BLOCKED
As pdwalker stated: "Verify your DNS settings."
- What dns server do you use?
Could you list the content of
1. /etc/unbound/unbound.conf
2. /etc/unbound/conf.d/forwarders.conf
Code: Select all
unbound-control stats_noreset |grep total
Dig multiple times and check the query time. (should be ;; Query time: 0 msec)
Code: Select all
dig @127.0.0.1 dcc.nova53.net
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
Re: URIBL_BLOCKED
/etc/unbound/unbound.conf
https://pastebin.com/asuWcuS6
/etc/unbound/conf.d/forwarders.conf
https://pastebin.com/nCW3X6Vz
[root@efa ~]# unbound-control stats_noreset |grep total
https://pastebin.com/qEEbAtS4
Thanks!
Re: URIBL_BLOCKED
Hi sxfx,
Your config is the default config and seems to work fine. (from your EFA machine viewpoint)
As your resolv.conf points to -> nameserver 127.0.0.1, what is your DNS server to forward dns requests?
Since DNS queries are expected to come from verifiable IP addresses, and 127.0.0.1 cannot be mapped to a public IP address, the query probably failed because the RBL / BRBL could not identify a public IP address. On top of that it's generally limited to no more than 100K queries from ANY SINGLE DNS SERVER IP ADDRESS in a given day. (So try pointing to a LOCAL DNS SERVER, with a PUBLICLY MAPPABLE IP ADDRESS)
You could force a forwarding dns server in /etc/unbound/conf.d/forwarders.conf
Code: Select all
forward-zone:
    name: "."
    forward-addr: xxx.xxx.xxx.xxx # Forward dns server IP
    forward-first: yes
Or take a look at viewtopic.php?t=2567
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
-
- Posts: 1
- Joined: 19 Jul 2019 06:42
Re: URIBL_BLOCKED
I was facing the same problem, but now it has been fixed. There is no problem now.
-
- Posts: 5
- Joined: 28 Jan 2020 11:18
Re: URIBL_BLOCKED
I'm running a fresh EFA 4.0.1 and I have the above mentioned problems.
Based on the post above thought it was already patched on 4.0.1, would someone instruct me how to solve it?
1.00 SURBL_BLOCKED ADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/Dns ... nsbl-block for more information.
0.00 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/Dns ... nsbl-block for more information.
Thanks!
-
- Posts: 10
- Joined: 17 Sep 2018 18:56
Re: URIBL_BLOCKED
I'm running eFa 4 as well and I'm getting the URIBL_BLOCKED error as well. Looking at the console I'm noticing that DNS Recursion is enabled:
4) IP Settings
10) DNS Recursion <-- ENABLED
Looking at the help for the DNS Recursion setting it would appear that setting this value to enabled would fix the URIBL_BLOCKED issue but it doesn't. Is this setting supposed to configure the machine to use unbound for DNS? Or does this setting only enable and start the unbound service and I'm supposed to edit the required file so that spamassassin uses the correct DNS server?
I checked in /etc/resolv.conf and noticed that NetworkManager is placing the actual DNS server for my network there. I was expecting to see 127.0.0.1 in this file after enabling DNS Recursion.
I also checked in /etc/mail/spamassassin/local.cf for the dns_available and dns_server settings but they aren't there. I was expecting to see the following in /etc/mail/spamassassin/local.cf after enabling DNS Recursion:
dns_available yes
dns_server 127.0.0.1
-
- Posts: 10
- Joined: 17 Sep 2018 18:56
Re: URIBL_BLOCKED
Looked at this a bit more and it would seem that there are some spamassassin configuration files located in the /etc/MailScanner directory as well.
It looks like the dns_enabled and dns_server settings would go in the /etc/MailScanner/spamassassin.conf file.
Thanks,
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: URIBL_BLOCKED
I ran into this issue on a cloud instance, turned out that cloud-init was overwriting DNS in /etc/resolv.conf
-
- Posts: 10
- Joined: 17 Sep 2018 18:56
Re: URIBL_BLOCKED
Shawn,
Should the behavior be that whenever you enable DNS Recursion the /etc/MailScanner/spamassassin.conf file gets updated with the following:
dns_available yes
dns_server 127.0.0.1
According to this, https://cwiki.apache.org/confluence/dis ... Nameserver (the Using section), it would prevent the case where /etc/resolv.conf gets overwritten by NetworkManager. I won't be able to test whether adding these two lines will fix this issue until later this evening.
-
- Posts: 10
- Joined: 17 Sep 2018 18:56
Re: URIBL_BLOCKED
Setting the following in /etc/MailScanner/spamassassin.conf didn't work:
dns_available yes
dns_server 127.0.0.1
I resorted to using Network Manager command-line tool to update the DNS settings for my install:
> nmcli con mod <connectionName> ipv4.dns "127.0.0.1"
> nmcli con mod <connectionName> ipv4.ignore-auto-dns yes
> nmcli con down <connectionName>
> nmcli con up <connectionName>
Be careful bringing your interface down if you are remoted into the machine via SSH; you won't be able to bring the machine's interface back up. One option would be to run the commands under screen:
> screen "nmcli con down <connectionName>; nmcli con up <connectionName>"
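The two checks used throughout this thread (what /etc/resolv.conf points at, and what the URIBL test point answers), combined into one script. This is an added example, not part of any post and not eFa code; the function names are hypothetical, the TXT answers are the ones quoted earlier in the thread, and the NetworkManager resolv.conf text is constructed.

```shell
#!/bin/sh
# Added example: offline checks for the URIBL_BLOCKED diagnosis in this thread.

# Print each non-loopback "nameserver" from resolv.conf text read on stdin.
# No output means every lookup goes to a resolver on this host.
non_local_nameservers() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2 }'
}

# Classify the TXT answer returned for the URIBL test point.
classify_uribl_txt() {
    case "$1" in
        *"Query Refused"*)
            # URIBL reports which resolver address it saw and refused.
            seen_ip=$(printf '%s\n' "$1" |
                sed -n 's/.*\[Your DNS IP: \([0-9a-fA-F.:]*\)].*/\1/p')
            echo "BLOCKED via ${seen_ip:-unknown}" ;;
        *"permanent testpoint"*) echo "OK" ;;
        *) echo "UNKNOWN" ;;
    esac
}

# Combine both checks: $1 = resolv.conf text, $2 = TXT answer.
diagnose() {
    upstream=$(printf '%s\n' "$1" | non_local_nameservers | tr '\n' ' ')
    verdict=$(classify_uribl_txt "$2")
    if [ -n "$upstream" ]; then
        echo "$verdict; resolv.conf still points at: ${upstream% }"
    else
        echo "$verdict; resolv.conf uses only the local resolver"
    fi
}

# Sample inputs: the two TXT answers are the ones quoted in this thread;
# the resolv.conf text is constructed (192.0.2.53 is a documentation address).
REFUSED_TXT='3.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 74.125.74.81]"'
OK_TXT='2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"'
NM_RESOLV='# Generated by NetworkManager
nameserver 192.0.2.53
nameserver 127.0.0.1'

diagnose "$NM_RESOLV" "$REFUSED_TXT"
diagnose "nameserver 127.0.0.1" "$OK_TXT"

# Live use on the appliance:
#   diagnose "$(cat /etc/resolv.conf)" "$(host -tTXT 2.0.0.127.multi.uribl.com)"
```

A BLOCKED verdict together with a local-only resolv.conf means the address URIBL saw is not yours alone, which is what the forwarding and shared-IP questions in the thread are probing.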
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: URIBL_BLOCKED
Do you think we need eFa to do this out of the box so that DNS doesn't get overridden?