RBL or DBL blocking doesn't seem to be working.

Problem

Not enough Spam is being blocked with a high confidence level and it is suspected that checks against the RBL and DBL servers are not working

Background Information

SpamSentinel is configured to check RBL and DBL data from the Spamhaus Zen service.  SpamSentinel also needs to be specific configured to ignore internal relay servers for RBL checks to be effective.

Possible Solutions

1.  Check for and fix issues at DNS level preventing RBL data from being acquired.

SpamSentinel includes the use of a licensed key in the form of a unique hostname at SpamHaus against which RBL checks are made.  This is important as servers using Google DNS (and others) won't process requests without using our licensed key. Not all DNS servers allow or handle RBL/DBL queries properly and some public DNS servers prohibit their use.

How to check if your server's DNS configuration supports RBL/DBL

1. For a Standard installation run these test from the server where Domino is installed.
2. For a Checking Machine installation, run these tests from the WIndows machine where SpamSentinel programs are installed.

Run a quick general test of RBL results

NOTE: For further reference: https://www.spamhaus.org/faq/section/DNSBL%20Usage#553

Run the following command from a DOS prompt.  This uses our specific licensed host name.

C:/> nslookup 2.0.0.127.m5zdzzezz2y6ry2utob5rk2mju.zen.dq.spamhaus.net

You should get these results:

127.0.0.4

127.0.0.2

127.0.0.10

Test Specific IP addresses or DNS Servers

Here is the syntax. If the IP address from the IPLast is 1.2.3.4 you must invert it as follows:

nslookup 4.3.2.1.m5zdzzezz2y6ry2utob5rk2mju.zen.dq.spamhaus.net

using the machines DNS

nslookup 6.51.195.188.bad.psky.me

Using ANY DNS service, add it to the end.

nslookup 6.51.195.188.bad.psky.me nsvip01.windstream.net

 IP addresses work too:

nslookup 6.51.195.188.bad.psky.me 8.8.8.8

Here is our license but using windstream DNS

nslookup 226.173.155.94.m5zdzzezz2y6ry2utob5rk2mju.zen.dq.spamhaus.net nsvip01.windstream.net

 Successful replies are

127.0.0.1

127.0.0.2

127.0.0.3

etc

The red arrow shows Google refusing to run the DNS.

If the server is NOT on the RBL, the result looks like this (ie it is not listed in the DNS of spamhaus)

Test is DBL's are working

Known 'listed' (bad) domain 'dbtest.com' should always return a result

C:\>ping dbltest.com.dbl.spamhaus.org

Pinging dbltest.com.dbl.spamhaus.org [127.0.1.2] with 32 bytes of data:

Reply from 127.0.1.2: bytes=32 time<1ms TTL=128

Known 'not-listed' (good) domain 'dbtest.com' should always return a result

C:\>ping example.com.dbl.spamhaus.org

Ping request could not find host example.com.dbl.spamhaus.org. Please check the

name and try again. 

2.  Skip evaluating the external IP address of any relay servers

By default SpamSentinel is configured to check the 'Last IP Address' in the SMTP hop list against the SpamHaus RBL.  This is a problem for customers who have dedicated SMTP relay servers which accept internet mail in front of their Domino server.  SpamSentinel needs to know that if one of these IP addresses is encountered as the 'Last IP Address', it should be ignored and instead the prior IP address should be the one evaluated against SpamHaus.

By default, SpamSentinel is configured to skip all if the standardized 'Internal' IP address ranges.

If the hop through the relay server is captured in the headers with any other ip addresses, those should be identified and entered into the SpamSentinel Server Configuration document.

Look on the tab 'Verisend' then the sub-tab Relay Servers Listing for the field 'IP Addresses of Relaying Servers.  If you do not know all your inbound relay server addresses, you can use the helpful Relay Detection Wizard which is available a little further down in the document.