Quick Fix for Spamhaus Not Blocking Spam

We had an issue where a server was not rejecting mail from IPs listed at zen.spamhaus.org, and found this note in the Spamhaus FAQ pretty interesting:

Check what DNS resolvers you are using: If you are using a free “open DNS resolver” service such as Google Public DNS or Level3’s public DNS servers to resolve your DNSBL requests, in most cases you will receive a “not listed” (NXDOMAIN) reply from Spamhaus’ public DNSBL servers. Please use your own DNS servers when doing DNSBL queries to Spamhaus.

From: http://www.spamhaus.org/faq/answers.lasso?section=DNSBL%20Usage#261

In other words, commonly used public resolvers such as Google’s (8.8.8.8 / 8.8.4.4) and 4.2.2.1 – 4.2.2.6 do not work with Spamhaus. Here a query through 4.2.2.1 comes back as NXDOMAIN (not listed):

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @4.2.2.1 5.176.107.189.zen.spamhaus.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;5.176.107.189.zen.spamhaus.org.	IN	A

;; AUTHORITY SECTION:
zen.spamhaus.org.	150	IN	SOA	need.to.know.only. hostmaster.spamhaus.org. 1008091715 3600 600 432000 150

;; Query time: 153 msec
;; SERVER: 4.2.2.1#53(4.2.2.1)
;; WHEN: Mon Aug  9 10:18:33 2010
;; MSG SIZE  rcvd: 112

However, an OpenDNS support article says that OpenDNS works properly with Spamhaus: http://www.opendns.com/support/article/33

A quick test using OpenDNS’s public resolvers shows that it works as intended. The same query now returns a listing (127.0.0.11):

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @208.67.220.220 5.176.107.189.zen.spamhaus.org
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61511
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;5.176.107.189.zen.spamhaus.org.	IN	A

;; ANSWER SECTION:
5.176.107.189.zen.spamhaus.org.	185 IN	A	127.0.0.11

;; Query time: 14 msec
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Mon Aug  9 10:19:25 2010
;; MSG SIZE  rcvd: 64

To fix this up, just modify /etc/resolv.conf to use OpenDNS’s public DNS servers:

nameserver 208.67.222.222
nameserver 208.67.220.220
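
One way to check a resolver before relying on it, as an added example that is not part of the original post: RFC 5782 requires every IPv4 DNSBL to list the test address 127.0.0.2, so a resolver that returns NXDOMAIN for 2.0.0.127.zen.spamhaus.org is not passing real DNSBL answers through. The function names and the trimmed dig samples below are constructed for illustration.

```python
import ipaddress
import re

def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: reversed IPv4 octets, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def parse_dig(output):
    """Return (status, [A record values]) from dig's text output."""
    m = re.search(r"status:\s*([A-Z]+)", output)
    status = m.group(1) if m else None
    answers, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";;") or not line.strip():
            in_answer = False          # any other section or blank line ends it
        elif in_answer:
            fields = line.split()      # name, TTL, class, type, value
            if len(fields) >= 5 and fields[3] == "A":
                answers.append(fields[4])
    return status, answers

def resolver_verdict(test_entry_output):
    """Judge a resolver by its reply for the always-listed test entry."""
    status, answers = parse_dig(test_entry_output)
    if status == "NOERROR" and any(a.startswith("127.0.0.") for a in answers):
        return "usable"
    if status == "NXDOMAIN":
        return "unusable: test entry reported as not listed"
    return "inconclusive: %s %s" % (status, answers)

# Constructed, trimmed dig outputs in the format shown in the post.
SAMPLE_BLOCKED = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""
SAMPLE_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61511
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
2.0.0.127.zen.spamhaus.org. 60 IN A 127.0.0.2
"""

if __name__ == "__main__":
    print(dnsbl_name("127.0.0.2"))
    print("blocked sample:", resolver_verdict(SAMPLE_BLOCKED))
    print("ok sample:", resolver_verdict(SAMPLE_OK))
```

Feed resolver_verdict() the output of a dig query for 2.0.0.127.zen.spamhaus.org sent through each nameserver listed in /etc/resolv.conf.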

1 Comment

  1. Sewana says:

    You’ve hit the ball out of the park! Incredible!
