Reputation service not blocking any email


This article applies to:

  • Trustwave MailMarshal (SEG)

Symptoms:

  • A reputation service such as Spamhaus or Marshal IP Reputation Service is not blocking anything

Causes:

If you find that you are not blocking any mail with a reputation service, then there may be a DNS issue which causes a negative result for every IP address checked, even if the IP is really listed on the Reputation Service list. The net result is that e-mail will not get blocked by the service. 

Information:

We can use NSLookup to check that your DNS server is configured to perform the RBL checks correctly. 

  1. From a command prompt, enter NSLookup
  2. Select your DNS server (not RBL server) as necessary.

    • To test against the DNS server used by MailMarshal, enter the DNS IP listed in the Configurator under Tools | Server Properties | Delivery.


      > server 10.12.2.12
      Default Server:  dns1.mydomain.corp
      Address:  10.12.2.12
      >

    • Set type to "any":
      >set type=any
    • Select an IP address to check. The address 127.0.0.2 is generally listed on RBL lists for testing.
    • Determine a reputation service domain, such as sbl.spamhaus.org or bl.spamcop.net.
    • Reverse the IP address and join it with the reputation service domain as in the example below:


      127.0.0.2 with bl.spamcop.net becomes:
      2.0.0.127.bl.spamcop.net


      This gives a positive result of:

      >2.0.0.127.bl.spamcop.net
      Server:  dns1.mydomain.corp
      Address:  10.12.2.12

      Non-authoritative answer:
      2.0.0.127.bl.spamcop.net        internet address = 127.0.0.2
      2.0.0.127.bl.spamcop.net        text =  "Blocked - see
      http://www.spamcop.net/bl.shtml?127.0.0.2"


      A positive result from Spamhaus looks like this:


      > 2.0.0.127.sbl.spamhaus.org
      Server:  dns1.mydomain.corp
      Address:  10.12.2.12

      Non-authoritative answer:
      2.0.0.127.sbl.spamhaus.org      internet address = 127.0.0.2
      2.0.0.127.sbl.spamhaus.org      text = "
      http://www.spamhaus.org/SBL/sbl.lasso?query=SBL233
      "


      A negative result should occur if testing 127.0.0.1 (instead of 127.0.0.2).


      > 1.0.0.127.sbl.spamhaus.org
      Server:  dns1.mydomain.corp
      Address:  10.12.2.12

      *** dns1.mydomain.corp can't find 1.0.0.127.sbl.spamhaus.org: Non-existent
      domain
      >

If you do not get the positive result for 127.0.0.2 and a negative result for 127.0.0.1, then your DNS is not configured to handle the RBL checks correctly. Either correct the issue in your DNS server, or use an alternative DNS server which passes the above tests. Note that some ISPs deliberately block DNS requests to RBL lists to reduce the extra load on their servers.
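The same check can be scripted in PowerShell. This is an added example, not part of the original article or Trustwave's tooling. The server address and service domains are the sample values from the session above. It queries A records only, and reports a pass when 127.0.0.2 resolves to 127.0.0.2 and 127.0.0.1 returns no address.

```powershell
# Added example, not Trustwave code. $DnsServer and $Zones are sample values:
# use the DNS IP from the Configurator under Tools | Server Properties | Delivery.
param(
    [string]$DnsServer = '10.12.2.12',
    [string[]]$Zones = @('sbl.spamhaus.org', 'bl.spamcop.net')
)

# Build the lookup name: reversed IPv4 octets joined with the service domain.
function ConvertTo-DnsblName {
    param([string]$Ip, [string]$Zone)
    $octets = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($octets.Length -ne 4) { throw "IPv4 address expected: $Ip" }
    [array]::Reverse($octets)
    '{0}.{1}' -f ($octets -join '.'), $Zone
}

# Ask one specific DNS server for the A records of a DNSBL name.
function Get-DnsblAnswer {
    param([string]$Ip, [string]$Zone, [string]$Server)
    $name = ConvertTo-DnsblName -Ip $Ip -Zone $Zone
    try {
        $records = Resolve-DnsName -Name $name -Type A -Server $Server -DnsOnly -ErrorAction Stop
        $addresses = @($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        [pscustomobject]@{ Query = $name; Addresses = $addresses; Error = $null }
    } catch {
        # Non-existent domain, timeouts and refusals all end up here;
        # the message is kept so they can be told apart in the report.
        [pscustomobject]@{ Query = $name; Addresses = @(); Error = $_.Exception.Message }
    }
}

foreach ($zone in $Zones) {
    $listed   = Get-DnsblAnswer -Ip '127.0.0.2' -Zone $zone -Server $DnsServer
    $unlisted = Get-DnsblAnswer -Ip '127.0.0.1' -Zone $zone -Server $DnsServer
    [pscustomobject]@{
        Zone     = $zone
        # Pass only if the test entry resolves to 127.0.0.2 and 127.0.0.1 has no answer.
        Pass     = ($listed.Addresses -contains '127.0.0.2') -and ($unlisted.Addresses.Count -eq 0)
        Positive = if ($listed.Error) { $listed.Error } else { $listed.Addresses -join ', ' }
        Negative = if ($unlisted.Error) { $unlisted.Error } else { $unlisted.Addresses -join ', ' }
    }
}
```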

Troubleshooting your DNS server setup is beyond the scope of Trustwave Support.

This article was previously published as:
NETIQKB39092

 

 


Last Modified 4/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle10737.aspx