Quote:
Originally Posted by J65nko
Can you do a manual DNSBL lookup?
Does tcpdump show any attempts of sendmail to do a DNSBL lookup?
Code:
# tcpdump -nv -i re0 host 192.168.222.10 and port domain
This example assumes 192.168.222.10 is your DNSBL box.
Thanks for the reply. I've run the commands, adjusted to match my hardware and network configurations.
Quote:
root@darkweb# tcpdump -nv -i sis0 host 192.168.1.10 and port domain
tcpdump: listening on sis0, link-type EN10MB (Ethernet), capture size 96 bytes
00:25:56.173316 IP (tos 0x0, ttl 64, id 20868, offset 0, flags [none], proto UDP (17), length 74) 192.168.1.10.53567 > 192.168.1.1.53: 23645+ A? 81.141.137.78.bl.spamcop.net. (46)
00:25:56.284145 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 127) 192.168.1.1.53 > 192.168.1.10.53567: 23645 NXDomain 0/1/0 (99)
00:25:56.286047 IP (tos 0x0, ttl 64, id 21168, offset 0, flags [none], proto UDP (17), length 91) 192.168.1.10.55018 > 192.168.1.1.53: 7184+[|domain]
00:25:56.318625 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 150) 192.168.1.1.53 > 192.168.1.10.55018: 7184 NXDomain[|domain]
Is the result of running -
Quote:
nathan@darkweb% nslookup 81.141.137.78.bl.spamcop.net
Server: 192.168.1.1
Address: 192.168.1.1#53
** server can't find 81.141.137.78.bl.spamcop.net: NXDOMAIN
I used 81.141.137.78 as it was my IP address at the time of writing. The results of tcpdump indicate DNSBL lookups are taking place. I apologise if I have misunderstood your suggestions, and would appreciate any further help you may be able to offer.
By chance, whilst I was writing this post I left tcpdump monitoring the NIC. It shows two DNSBL lookups taking place via Sendmail -
Quote:
00:27:53.254451 IP (tos 0x0, ttl 64, id 12157, offset 0, flags [none], proto UDP (17), length 75) 192.168.1.10.63366 > 192.168.1.1.53: 42274+ A? 80.152.123.222.bl.spamcop.net. (47)
00:27:53.366346 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 128) 192.168.1.1.53 > 192.168.1.10.63366: 42274 NXDomain 0/1/0 (100)
00:27:53.366561 IP (tos 0x0, ttl 64, id 60466, offset 0, flags [none], proto UDP (17), length 77) 192.168.1.10.52480 > 192.168.1.1.53: 42275+ A? 80.152.123.222.zen.spamhaus.org. (49)
00:27:53.454784 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 93) 192.168.1.1.53 > 192.168.1.10.52480: 42275 1/0/0 80.152.123.222.zen.spamhaus.org. (65)
Could it be that the DNSBL lists I am using don't contain the IP addresses used by spammers? This seems unlikely as all spam gets through regardless of DNSBL use.
Last edited by NathanPardoe; 12th May 2008 at 11:31 PM.
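Added example (not part of the original post): a small Python parser for `tcpdump -nv` lines like those quoted above, pairing each DNSBL query with its reply by DNS transaction ID and reporting whether the address was listed. The function name `classify` and the regexes are this example's own; the sample lines are copied from the captures in the post.

```python
import re

# Sample lines copied from the tcpdump captures quoted in the post.
SAMPLE = """\
00:27:53.254451 IP (tos 0x0, ttl 64, id 12157, offset 0, flags [none], proto UDP (17), length 75) 192.168.1.10.63366 > 192.168.1.1.53: 42274+ A? 80.152.123.222.bl.spamcop.net. (47)
00:27:53.366346 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 128) 192.168.1.1.53 > 192.168.1.10.63366: 42274 NXDomain 0/1/0 (100)
00:27:53.366561 IP (tos 0x0, ttl 64, id 60466, offset 0, flags [none], proto UDP (17), length 77) 192.168.1.10.52480 > 192.168.1.1.53: 42275+ A? 80.152.123.222.zen.spamhaus.org. (49)
00:27:53.454784 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 93) 192.168.1.1.53 > 192.168.1.10.52480: 42275 1/0/0 80.152.123.222.zen.spamhaus.org. (65)
00:25:56.286047 IP (tos 0x0, ttl 64, id 21168, offset 0, flags [none], proto UDP (17), length 91) 192.168.1.10.55018 > 192.168.1.1.53: 7184+[|domain]
00:25:56.318625 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 150) 192.168.1.1.53 > 192.168.1.10.55018: 7184 NXDomain[|domain]
"""

# Query: "<txid>+ A? <d.c.b.a>.<zone>. (len)"
QUERY = re.compile(r': (\d+)\+ A\? ((?:\d{1,3}\.){4})(\S+?)\. \(')
# "[|domain]" means the packet was cut off at the capture size (96 bytes here),
# so the queried name is not visible in the capture.
TRUNC = re.compile(r': (\d+)\+\[\|domain\]')
# Reply: "<txid> NXDomain ..." or "<txid> <answers>/<authority>/<additional> ..."
REPLY = re.compile(r': (\d+) (NXDomain|(\d+)/\d+/\d+)')

def classify(capture):
    """Return (checked_ip, dnsbl_zone, verdict) for each answered lookup."""
    pending, results = {}, []
    for line in capture.splitlines():
        q = QUERY.search(line)
        if q:
            txid, rev, zone = q.groups()
            # DNSBL names carry the address with its octets reversed;
            # reverse them again to recover the IP being checked.
            ip = ".".join(reversed(rev.rstrip(".").split(".")))
            pending[txid] = (ip, zone)
            continue
        t = TRUNC.search(line)
        if t:
            pending[t.group(1)] = (None, None)  # name lost to truncation
            continue
        r = REPLY.search(line)
        if r and r.group(1) in pending:
            ip, zone = pending.pop(r.group(1))
            if r.group(2) == "NXDomain":
                verdict = "not listed"
            else:
                verdict = "listed" if int(r.group(3)) > 0 else "no answer"
            results.append((ip, zone, verdict))
    return results

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```
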