Odds are that you’re not using RBLs on your spam filter. Find out if you are!

So you thought you were using an RBL lookup to fight spam, eh?  Try this query in a command prompt on Windows and see whether you are or aren’t!  By the way, shameless plug – both my humor and technical skills are for hire.  I’m a young gunslinger in the wild west of bits and bytes.  HMU!

Command:

nslookup 2.0.0.127.zen.spamhaus.org

Result:

Non-authoritative answer:
Name:    2.0.0.127.zen.spamhaus.org
Addresses:  127.0.0.4
127.0.0.2
127.0.0.10

The above is a GOOD answer…yes, you’re actually using the RBL.  This was from a Charter connection.  Amazing that their stuff works (HA!).

nslookup 2.0.0.127.zen.spamhaus.org

Result:

Server:  ns2.atcbb.co
Address:  216.81.120.101

Name:    2.0.0.127.zen.spamhaus.org
Served by:
– e.root-servers.net
192.203.230.10
– l.root-servers.net
199.7.83.42
– d.root-servers.net
199.7.91.13
– f.root-servers.net
– a.root-servers.net
– m.root-servers.net
– i.root-servers.net
– h.root-servers.net
– c.root-servers.net
– g.root-servers.net

This is a BAD result from ns2.atcbroadband.com – the DNS server the mail server uses to look up RBLs.  Sometimes you get a result that says NXDOMAIN (*** dnsserver can’t find eiouaoiafsjasfioeurehcod.net: Non-existent domain), or maybe even worse you get an error that blocks all legitimate email!

RBLs are real-time block lists; some say “real-time blacklists”…potato pota(h)to…whatever (technically it’s Real-time Blackhole List, but I like calling them block lists because it makes more sense in my head: BL = Block List).

Point is…what you don’t know CAN hurt you!  Find out with the simple query above.  If you’re NOT querying RBLs properly, your RBL lookups won’t matter and your spam filter will lose most of its usefulness.  Note that a lot of IT losers use 3rd parties like App River to filter their spam because mostly…they’re lazy, and who can blame them?  So if you’re one of those people you can stop reading (ixnayyay onyay ethay ITyay oserlay this is 256 bit PL Encryption).  As it stood, from the day they were put in, the RBLs were NEVER actually being queried, so the client was NEVER getting any RBL results.  All the spam filtering came from the other mechanisms like greylisting, missing PTR checks (block on missing PTR, for example), no match on an rDNS lookup, or the scoring process on bits of the email like no subject, words like “viagra”, etc.

If you’re not an IT loser soldier on!

So what’s an IT winner to do about this problem if you find yourself on a network with a derpy ISP who doesn’t let you properly query their DNS servers for your RBL lookups?  Well…on Winderps you can do what’s called a “conditional forwarder”.  That’s a spot in your DNS console that isn’t used too often.  It lets your DNS server say, when a query comes in under a particular domain (for example “what’s the address of 2.0.0.127.zen.spamhaus.org?”)…oh, don’t use the typical forwarder setup…use this other set of DNS servers instead.  So you can basically redirect all your RBL lookups PAST your derpy ISP’s lame DNS servers.

What you need to do though, thanks to Windows’ stellar engineering team, is this:

Find your RBL’s name servers (NS records):

nslookup -type=NS zen.spamhaus.org

At the time of this post they are:

zen.spamhaus.org        nameserver = q.ns.spamhaus.org
zen.spamhaus.org        nameserver = 4.ns.spamhaus.org
zen.spamhaus.org        nameserver = c.ns.spamhaus.org
zen.spamhaus.org        nameserver = 3.ns.spamhaus.org
zen.spamhaus.org        nameserver = 5.ns.spamhaus.org
zen.spamhaus.org        nameserver = t.ns.spamhaus.org
zen.spamhaus.org        nameserver = h.ns.spamhaus.org
zen.spamhaus.org        nameserver = g.ns.spamhaus.org
zen.spamhaus.org        nameserver = o.ns.spamhaus.org
zen.spamhaus.org        nameserver = k.ns.spamhaus.org
zen.spamhaus.org        nameserver = 0.ns.spamhaus.org
zen.spamhaus.org        nameserver = 7.ns.spamhaus.org
zen.spamhaus.org        nameserver = x.ns.spamhaus.org
zen.spamhaus.org        nameserver = 8.ns.spamhaus.org
zen.spamhaus.org        nameserver = d.ns.spamhaus.org
zen.spamhaus.org        nameserver = i.ns.spamhaus.org
zen.spamhaus.org        nameserver = b.ns.spamhaus.org
zen.spamhaus.org        nameserver = f.ns.spamhaus.org
zen.spamhaus.org        nameserver = 2.ns.spamhaus.org

I chose 5 of them to use for my conditional forwarder.  You ping the host names to get the IPs, yes…you have to point at the Spamhaus name server IPs directly.  For some reason Winderps can’t use host names…why?  Ugh…who knows!  Those IPs can change over time, so re-check them now and then.  Note the IPs you find, then run this command:

In PowerShell this would be the command…I think you need PS 4.0 and above:

Add-DnsServerConditionalForwarderZone -Name "zen.spamhaus.org" -ReplicationScope "Forest" -MasterServers 50.22.152.254,68.71.33.14,108.168.155.183,50.22.152.254,185.5.138.232

** This is an active directory integrated zone by the way.

From the command line if you’re not special enough in life to have PS 4.0 + then you’re a lowly command line user like me:

dnscmd your_DNS_server_here /zoneadd zen.spamhaus.org /forwarder 50.22.152.254 68.71.33.14 108.168.155.183 50.22.152.254 185.5.138.232

** I believe you have to do this for ALL your DNS servers in your infrastructure that your mail server uses for DNS.


Now that you’ve got your conditional forwarders in place run the test again (you can see this in the DNS GUI also if you refresh the DNS console conditional forwarder folder):

nslookup 2.0.0.127.zen.spamhaus.org

You should get the correct response.

Name:    2.0.0.127.zen.spamhaus.org
Addresses:  127.0.0.4
127.0.0.2
127.0.0.10

A result like the above means the test address is on the list and you got the correct answer, according to Spamhaus’s instructions on testing the list.

The return codes mean:

Return Code     Zone     Description
127.0.0.2     SBL     Spamhaus SBL Data
127.0.0.3     SBL     Spamhaus SBL CSS Data
127.0.0.4     XBL     CBL Data
127.0.0.9     SBL     Spamhaus DROP/EDROP Data (in addition to 127.0.0.2, since 01-Jun-2016)
127.0.0.10     PBL     ISP Maintained
127.0.0.11     PBL     Spamhaus Maintained

So they’re listed on the SBL, XBL and PBL and now I need a PB&J!
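Here’s a small script, added here as an example and not from the original post, that automates the test query above and decodes the answer with the return-code table. It reverses the octets of the test address, resolves the name through whatever resolver the machine it runs on uses (so run it on the mail server, or on a box pointed at the same DNS servers), and flags an empty answer or a non-127.x answer as the BAD case. The injectable resolve() argument is my own design choice so the decoding can be checked without network access.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"
TEST_IP = "127.0.0.2"  # Spamhaus's always-listed test address

# Return code -> (list, description), copied from the table above.
RETURN_CODES = {
    "127.0.0.2": ("SBL", "Spamhaus SBL Data"),
    "127.0.0.3": ("SBL", "Spamhaus SBL CSS Data"),
    "127.0.0.4": ("XBL", "CBL Data"),
    "127.0.0.9": ("SBL", "Spamhaus DROP/EDROP Data"),
    "127.0.0.10": ("PBL", "ISP Maintained"),
    "127.0.0.11": ("PBL", "Spamhaus Maintained"),
}

def rbl_query_name(ip, zone=ZONE):
    """127.0.0.2 -> 2.0.0.127.zen.spamhaus.org (octets reversed)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    """Ask the OS resolver; an empty list means NXDOMAIN or a lookup error."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def classify(addresses):
    """Turn the A records returned for the test name into (verdict, lists)."""
    if not addresses:
        return "BAD: empty/NXDOMAIN answer, the RBL is not being queried", []
    # A real Spamhaus answer is always in 127.0.0.0/8; anything else (an ISP
    # "search helper" page, for instance) means the query never reached the RBL.
    bogus = [a for a in addresses if not ipaddress.IPv4Address(a).is_loopback]
    if bogus:
        return "BAD: non-127.x answer %s, query is not reaching Spamhaus" % bogus, []
    lists = sorted({RETURN_CODES[a][0] for a in addresses if a in RETURN_CODES})
    if not lists:  # 127.255.255.x = Spamhaus error codes (e.g. open resolver), not listings
        return "BAD: unrecognised code(s) %s, check Spamhaus error codes" % addresses, []
    return "GOOD: test address listed on " + ", ".join(lists), lists

def check_rbl(resolve=system_resolve, ip=TEST_IP, zone=ZONE):
    """Run the whole test; pass a different resolve() to check it offline."""
    return classify(resolve(rbl_query_name(ip, zone)))

if __name__ == "__main__":
    print(check_rbl()[0])
```

Run it before and after adding the conditional forwarder; the GOOD line should name SBL, XBL and PBL just like the nslookup output above.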

Now…NOW dear reader you’re using the RBLs, and I would suspect you’ll be getting less spam.  The unfortunate thing is now you have to go do the same process for ALL the BLs you want to use, and that’s IPBLBS, but it will save your bacon from the evil spammers, bot losers, hacker derps, people on phishing expeditions or the evil spear phisherman!  That’s what you get for using Windows DNS 😛
