URIBL_BLOCKED

Michaelv
Posts: 16
Joined: 29 Apr 2014 14:01

URIBL_BLOCKED

Post by Michaelv »

Hi All,

Just to make some users aware.
If you check your Reports -> Spamassassin Rule Hits.

If you see that it is affecting a lot of your emails (based on the count vs the total emails). For me during testing, 99% of emails hit this rule.

This means that you are using your ISP or some public DNS servers like Google (8.8.8.8).

The reason is that these DNS servers are doing too many lookups to those RBL DNS. These RBL DNS block requests above a certain number of queries per IP unless you are a paid subscriber.

To avoid that, ideally you should have your own DNS recursor that does direct queries to these RBL DNS. This allows these RBL DNS to only see your recursor IP and not mix with hundreds of other anti-spam servers' requests.

For me, I disabled the dnsmasq and installed unbound recursor within the same vm.
Unbound is nice because you can specify the amount of memory to use for dns cache and its own memory footprint is small which is important if you have a memory limit.
named has a fixed memory limit but its own code is bloated and uses memory. Powerdns recursor cache size is based on number of entries which is a bit tricky to manage memory utilisation.

Regards,

Michael
darky83
Site Admin
Posts: 540
Joined: 30 Sep 2012 11:03
Location: eFa
Contact:

Re: URIBL_BLOCKED

Post by darky83 »

Made the post sticky as it seems more and more users are running into this issue.
Version eFa 4.x now available!
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: URIBL_BLOCKED

Post by pdwalker »

linked to the wiki
Mcoulianos
Posts: 4
Joined: 22 Apr 2015 21:17

Re: URIBL_BLOCKED

Post by Mcoulianos »

Can we get more of an explanation on this? I'm getting a ton of delayed emails coming from google mail servers ever since the 3.0.0.7 update and as soon as I whitelist an address the delays stop so it's definitely something in E.F.A. causing them. Not seeing anything on the wiki regarding this.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: URIBL_BLOCKED

Post by pdwalker »

Delayed mail <> URIBL_BLOCKED

Your issue is different, if I'm understanding what you've said correctly. Your issue sounds like you don't like grey listing.
thebjorn
Posts: 5
Joined: 03 May 2015 12:47

Re: URIBL_BLOCKED

Post by thebjorn »

Ok, so I've followed the instructions at http://tecadmin.net/setup-caching-names ... os-redhat/ to install a caching nameserver on the efa box. I've also updated the primary dns under option 4 -> 4 of the EFA config program. I'm still getting the error.

When I try the command listed to test the setup I get

Code:

[root@efa3 MailScanner]# host -tTXT 3.0.0.127.multi.uribl.com
3.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 74.125.74.81]"

74.125.74.81 is apparently a google ip, but I have no idea where it is coming from..?

I've restarted the named service, do I need to reboot the entire system? (or am I going in the entirely wrong direction?)
thebjorn
Posts: 5
Joined: 03 May 2015 12:47

Re: URIBL_BLOCKED

Post by thebjorn »

I knew I'd find the solution as soon as I posted the question ;-) Based on the bug report (https://github.com/E-F-A/v3/issues/150) I ended up at a commit (https://github.com/E-F-A/v3/commit/34e2 ... f3e78c018d) where I noticed that dnsmasq is a service... A quick

Code:

service dnsmasq restart

and it is working from the command line

Code:

[root@efa3 MailScanner]# host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"

.. and the errors are gone -- yay :-)
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: URIBL_BLOCKED

Post by shawniverson »

The next update will fix this permanently for users affected.
thebjorn
Posts: 5
Joined: 03 May 2015 12:47

Re: URIBL_BLOCKED

Post by thebjorn »

After my success message above, I got a message from gmail saying:

<xxx@mydomain.com>: mail for [email.mydomain.com] loops back to myself

so obviously something wasn't correctly configured. I forget what I did to get it working again, but during the upgrade this problem popped up again - after the kernel update and preventing the EFA-Update from working (something like "downloaded version file is corrupt" - I forgot to take a copy of the message).

I uninstalled (yum remove) bind and bind-chroot, reset the DNS to our domain controller, rebooted, and was able to run EFA-Update. Mail is again flowing, but I'm still getting

0.00 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/Dns ... nsbl-block for more information.

Was this supposed to be fixed in the 3.0.0.8 release?
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: URIBL_BLOCKED

Post by shawniverson »

You will need to turn on full recursive DNS on your EFA appliance.

EFA-Configure --> 4) IP Settings -->4) DNS Recursion

Make sure your EFA can query DNS outbound on port 53.
thebjorn
Posts: 5
Joined: 03 May 2015 12:47

Re: URIBL_BLOCKED

Post by thebjorn »

You're awesome! :clap:
sxfx
Posts: 10
Joined: 04 Dec 2017 19:05

Re: URIBL_BLOCKED

Post by sxfx »

I'm using DNS Recursion but I'm getting the block message. Any ideas?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: URIBL_BLOCKED

Post by pdwalker »

Verify your DNS settings.

Are you really recursing? or are you actually using someone else's DNS server to make the query on your behalf?

Are you using a shared IP?
sxfx
Posts: 10
Joined: 04 Dec 2017 19:05

Re: URIBL_BLOCKED

Post by sxfx »

Hello! Here some things:

[root@efa /]# cat /etc/resolv.conf
nameserver 127.0.0.1


[root@efa /]# host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "permanent testpoint"

I only see this message "ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/Dns ... nsbl-block for more information." when I test my dkim against http://dkimvalidator.com

Is this message for them or for me?

Can you send a test email to http://dkimvalidator.com (they will give you a random mail to test)

And.. how do I debug it on my box? /var/log/maillog shows nothing. Thanks
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: URIBL_BLOCKED

Post by henk »

As pdwalker stated:
Verify your DNS settings. What DNS server do you use?
Could you list the content of
  1. /etc/unbound/unbound.conf
  2. /etc/unbound/conf.d/forwarders.conf
and list stats

Code:

unbound-control stats_noreset |grep total

Dig multiple times and check the query time (should be ;; Query time: 0 msec).

Code:

dig @127.0.0.1  dcc.nova53.net

“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
sxfx
Posts: 10
Joined: 04 Dec 2017 19:05

Re: URIBL_BLOCKED

Post by sxfx »

/etc/unbound/unbound.conf
https://pastebin.com/asuWcuS6

/etc/unbound/conf.d/forwarders.conf
https://pastebin.com/nCW3X6Vz

[root@efa ~]# unbound-control stats_noreset |grep total
https://pastebin.com/qEEbAtS4

Thanks!
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: URIBL_BLOCKED

Post by henk »

Hi sxfx,

Your config is the default config and seems to work fine. ( from your EFA machine viewpoint)

As your resolv.conf points to -> nameserver 127.0.0.1, what is your DNS server to forward dns requests?

Since DNS queries are expected to come from verifiable IP addresses, and 127.0.0.1 cannot be mapped to a public IP address, the query probably failed because the RBL / BRBL could not identify a public IP address. On top of that it's generally limited to no more than 100K queries from ANY SINGLE DNS SERVER IP ADDRESS in a given day. (So try to point to a LOCAL DNS SERVER, with a PUBLICLY MAPPABLE IP ADDRESS.)

You could force a forwarding dns server in /etc/unbound/conf.d/forwarders.conf

Code:

forward-zone:
  name: "."
  forward-addr: xxx.xxx.xxx.xxx      # Forward dns server IP
  forward-first: yes

Or take a look at viewtopic.php?t=2567
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
Janvhirashe
Posts: 1
Joined: 19 Jul 2019 06:42

Re: URIBL_BLOCKED

Post by Janvhirashe »

I was facing the same problem, but now it is fixed. There is no problem now.
BarkingMail
Posts: 5
Joined: 28 Jan 2020 11:18

Re: URIBL_BLOCKED

Post by BarkingMail »

I'm running a fresh EFA 4.0.1 and I have the above mentioned problems.
Based on the post above I thought it was already patched on 4.0.1, would someone instruct me how to solve it?

1.00 SURBL_BLOCKED ADMINISTRATOR NOTICE: The query to SURBL was blocked. See http://wiki.apache.org/spamassassin/Dns ... nsbl-block for more information.
0.00 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/Dns ... nsbl-block for more information.

Thanks!
kris240376
Posts: 10
Joined: 17 Sep 2018 18:56

Re: URIBL_BLOCKED

Post by kris240376 »

I'm running eFa 4 as well and I'm getting the URIBL_BLOCKED error as well. Looking at the console I'm noticing that DNS Recursion is enabled:

4) IP Settings
10) DNS Recursion <-- ENABLED

Looking at the help for the DNS Recursion setting it would appear that setting this value to enabled would fix the URIBL_BLOCKED issue but it doesn't. Is this setting supposed to configure the machine to use unbound for DNS? Or does this setting only enable and start the unbound service and I'm supposed to edit the required file so that spamassassin uses the correct DNS server?

I checked in /etc/resolv.conf and noticed that NetworkManager is placing the actual DNS server for my network there. I was expecting to see 127.0.0.1 in this file after enabling DNS Recursion.

I also checked in /etc/mail/spamassassin/local.cf for the dns_available and dns_server settings but they aren't there. I was expecting to see the following in /etc/mail/spamassassin/local.cf after enabling DNS Recursion:

dns_available yes
dns_server 127.0.0.1
kris240376
Posts: 10
Joined: 17 Sep 2018 18:56

Re: URIBL_BLOCKED

Post by kris240376 »

Looked at this a bit more and it would seem that there are some spamassassin configuration files located in the /etc/MailScanner directory as well.

It looks like the dns_enabled and dns_server settings would go in the /etc/MailScanner/spamassassin.conf file.

Thanks,
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: URIBL_BLOCKED

Post by shawniverson »

I ran into this issue on a cloud instance, turned out that cloud-init was overwriting DNS in /etc/resolv.conf :oops:
kris240376
Posts: 10
Joined: 17 Sep 2018 18:56

Re: URIBL_BLOCKED

Post by kris240376 »

Shawn,

Should the behavior be that whenever you enable DNS Recursion the /etc/MailScanner/spamassassin.conf file gets updated with the following:

dns_available yes
dns_server 127.0.0.1

According to this, https://cwiki.apache.org/confluence/dis ... Nameserver (the Using section), it would prevent the case where /etc/resolv.conf gets overwritten by NetworkManager. I won't be able to test whether adding these two lines will fix this issue until later this evening.
kris240376
Posts: 10
Joined: 17 Sep 2018 18:56

Re: URIBL_BLOCKED

Post by kris240376 »

Setting the following in /etc/MailScanner/spamassassin.conf didn't work:

dns_available yes
dns_server 127.0.0.1

I resorted to using Network Manager command-line tool to update the DNS settings for my install:

> nmcli con mod <connectionName> ipv4.dns "127.0.0.1"
> nmcli con mod <connectionName> ipv4.ignore-auto-dns yes
> nmcli con down <connectionName>
> nmcli con up <connectionName>

Be careful bringing your interface down if you are remoted into the machine via SSH; you won't be able to bring the machine's interface back up. One option would be to run the commands under screen:

> screen sh -c "nmcli con down <connectionName>; nmcli con up <connectionName>"
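
Added example, not from any poster in this thread or from the eFa project: a small shell diagnostic that combines the two checks discussed above, reading the answer from the URIBL test point (including the resolver IP that URIBL reports it saw) and listing any non-loopback nameserver left in /etc/resolv.conf. The function names and the --live switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: interpret the URIBL test-point answer and check which
# resolver the box is really configured to use.

# uribl_verdict TEXT -> "ok", "blocked <resolver-ip>" or "unknown"
uribl_verdict() {
    case "$1" in
        *"permanent testpoint"*)
            echo "ok" ;;
        *"Query Refused"*)
            # URIBL names the resolver it saw as [Your DNS IP: a.b.c.d]
            ip=$(printf '%s\n' "$1" |
                sed -n 's/.*\[Your DNS IP: \([0-9a-fA-F.:]*\)\].*/\1/p')
            echo "blocked ${ip:-unknown-resolver}" ;;
        *)
            echo "unknown" ;;
    esac
}

# nonlocal_nameservers FILE -> nameserver entries that are not loopback,
# i.e. resolvers that would bypass a local recursor such as unbound
nonlocal_nameservers() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2 }' "$1"
}

# check_box [RESOLV_CONF] -> run both checks against the live system
check_box() {
    conf=${1:-/etc/resolv.conf}
    others=$(nonlocal_nameservers "$conf")
    if [ -n "$others" ]; then
        echo "WARN: $conf lists non-local resolver(s): $others"
    fi
    answer=$(host -t TXT 2.0.0.127.multi.uribl.com 2>&1 || true)
    echo "URIBL test point: $(uribl_verdict "$answer")"
}

# Only touch the network when asked to: sh uribl-check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_box
fi
```

A "blocked" verdict with an IP that is not your own recursor means the query is still leaving through someone else's DNS server, whatever the recursion setting says.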
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: URIBL_BLOCKED

Post by shawniverson »

Do you think we need eFa to do this out of the box so that DNS doesn't get overridden?