#4
Old 12th May 2008
NathanPardoe
Real Name: Nathan Pardoe
Join Date: May 2008
Location: United Kingdom
Posts: 6
Quote:
Originally Posted by J65nko
Can you do a manual DNSBL lookup?

Does tcpdump show any attempts of sendmail to do a DNSBL lookup?
Code:
# tcpdump -nv -i re0 host 192.168.222.10 and port domain
This example assumes 192.168.222.10 is your DNSBL box.
Thanks for the reply. I've run the commands, adjusted to match my hardware and network configurations.
Quote:
root@darkweb# tcpdump -nv -i sis0 host 192.168.1.10 and port domain
tcpdump: listening on sis0, link-type EN10MB (Ethernet), capture size 96 bytes
00:25:56.173316 IP (tos 0x0, ttl 64, id 20868, offset 0, flags [none], proto UDP (17), length 74) 192.168.1.10.53567 > 192.168.1.1.53: 23645+ A? 81.141.137.78.bl.spamcop.net. (46)
00:25:56.284145 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 127) 192.168.1.1.53 > 192.168.1.10.53567: 23645 NXDomain 0/1/0 (99)
00:25:56.286047 IP (tos 0x0, ttl 64, id 21168, offset 0, flags [none], proto UDP (17), length 91) 192.168.1.10.55018 > 192.168.1.1.53: 7184+[|domain]
00:25:56.318625 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 150) 192.168.1.1.53 > 192.168.1.10.55018: 7184 NXDomain[|domain]
That is the result of running:
Quote:
nathan@darkweb% nslookup 81.141.137.78.bl.spamcop.net
Server: 192.168.1.1
Address: 192.168.1.1#53

** server can't find 81.141.137.78.bl.spamcop.net: NXDOMAIN
I used 81.141.137.78 as it was my IP address at the time of writing. The results of tcpdump indicate DNSBL lookups are taking place. I apologise if I have misunderstood your suggestions, and would appreciate any further help you may be able to offer.

By chance, whilst I was writing this post I left tcpdump monitoring the NIC. It shows two DNSBL lookups taking place via Sendmail:
Quote:
00:27:53.254451 IP (tos 0x0, ttl 64, id 12157, offset 0, flags [none], proto UDP (17), length 75) 192.168.1.10.63366 > 192.168.1.1.53: 42274+ A? 80.152.123.222.bl.spamcop.net. (47)
00:27:53.366346 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 128) 192.168.1.1.53 > 192.168.1.10.63366: 42274 NXDomain 0/1/0 (100)
00:27:53.366561 IP (tos 0x0, ttl 64, id 60466, offset 0, flags [none], proto UDP (17), length 77) 192.168.1.10.52480 > 192.168.1.1.53: 42275+ A? 80.152.123.222.zen.spamhaus.org. (49)
00:27:53.454784 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 93) 192.168.1.1.53 > 192.168.1.10.52480: 42275 1/0/0 80.152.123.222.zen.spamhaus.org. (65)
Could it be that the DNSBL lists I am using don't contain the IP addresses used by spammers? This seems unlikely as all spam gets through regardless of DNSBL use.
__________________
Best regards,

Nathan Pardoe
TickleStix
www.ticklestix.co.uk

Last edited by NathanPardoe; 12th May 2008 at 11:31 PM.
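As an added example (not code from the original post, from J65nko, or from Sendmail), here is a small Python script that does the checks this thread is doing by hand: it builds the reversed-octet query name for an address and a DNSBL zone, classifies an answer the way RFC 5782 says a DNSBL client should (an A record inside 127.0.0.0/8 means listed, NXDOMAIN means not listed, anything else is a broken lookup rather than a listing), and pairs the queries and replies in tcpdump output by DNS transaction id. The four sample packet lines are copied from the 00:27:53 capture in the post above; run over them it reports bl.spamcop.net answering NXDomain (not listed) and zen.spamhaus.org answering with one record (1/0/0, listed) for the same connecting address. The function names and the live `lookup()` helper are my own and assume a working system resolver; nothing below needs network access except `lookup()`.

```python
import ipaddress
import re
import socket

# RFC 5782: a listed address answers with an A record inside 127.0.0.0/8;
# NXDOMAIN means "not listed". Anything else is not a valid listing.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

# tcpdump -nv output: "…: 42274+ A? name. (47)" for a query,
# "…: 42274 NXDomain 0/1/0 (100)" or "…: 42275 1/0/0 … (65)" for a reply.
QUERY_RE = re.compile(r": (?P<id>\d+)\+ A\? (?P<name>\S+) \(\d+\)$")
ANSWER_RE = re.compile(r": (?P<id>\d+) (?P<nx>NXDomain )?(?P<an>\d+)/\d+/\d+")

# Sample input: the four packets captured at 00:27:53 in the post (copied, not invented).
TCPDUMP_LINES = [
    "00:27:53.254451 IP (tos 0x0, ttl 64, id 12157, offset 0, flags [none], proto UDP (17), length 75) 192.168.1.10.63366 > 192.168.1.1.53: 42274+ A? 80.152.123.222.bl.spamcop.net. (47)",
    "00:27:53.366346 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 128) 192.168.1.1.53 > 192.168.1.10.63366: 42274 NXDomain 0/1/0 (100)",
    "00:27:53.366561 IP (tos 0x0, ttl 64, id 60466, offset 0, flags [none], proto UDP (17), length 77) 192.168.1.10.52480 > 192.168.1.1.53: 42275+ A? 80.152.123.222.zen.spamhaus.org. (49)",
    "00:27:53.454784 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 93) 192.168.1.1.53 > 192.168.1.10.52480: 42275 1/0/0 80.152.123.222.zen.spamhaus.org. (65)",
]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on bad input
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def split_query_name(name: str) -> tuple[str, str]:
    """Inverse of dnsbl_query_name: recover (connecting_ip, zone) from a query name."""
    labels = name.strip(".").split(".")
    if len(labels) < 5:
        raise ValueError(f"not a DNSBL query name: {name}")
    ip = ".".join(reversed(labels[:4]))
    ipaddress.IPv4Address(ip)  # validate the recovered address
    return ip, ".".join(labels[4:])


def interpret_answer(addresses: list[str]) -> str:
    """Classify the A records a DNSBL returned (empty list = NXDOMAIN)."""
    if not addresses:
        return "not listed"
    codes = [ipaddress.IPv4Address(a) for a in addresses]
    if all(c in LISTED_NET for c in codes):
        return "listed: " + ", ".join(str(c) for c in codes)
    # A public address here usually means a wildcarded or dead zone, or a
    # resolver that rewrites NXDOMAIN; it must not count as a listing.
    return "invalid answer (outside 127.0.0.0/8), treat as lookup failure: " + \
        ", ".join(str(c) for c in codes)


def lookup(ip: str, zone: str) -> str:
    """Live lookup through the system resolver (assumed helper, not run offline)."""
    name = dnsbl_query_name(ip, zone)
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as e:
        if e.errno == socket.EAI_NONAME:  # NXDOMAIN: not listed
            return interpret_answer([])
        raise  # timeouts and SERVFAIL must not be mistaken for "not listed"
    return interpret_answer(sorted({info[4][0] for info in infos}))


def pair_dnsbl_lookups(tcpdump_lines: list[str]) -> list[dict]:
    """Pair each 'A?' query with its reply by transaction id and classify it."""
    pending = {}
    results = []
    for line in tcpdump_lines:
        line = line.strip()
        q = QUERY_RE.search(line)
        if q:
            pending[q["id"]] = q["name"].rstrip(".")
            continue
        a = ANSWER_RE.search(line)
        if a and a["id"] in pending:
            client_ip, zone = split_query_name(pending.pop(a["id"]))
            if a["nx"]:
                verdict = "not listed"
            elif int(a["an"]) > 0:
                verdict = "listed"  # at least one answer record came back
            else:
                verdict = "no answer records (NODATA)"
            results.append({"client_ip": client_ip, "zone": zone, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in pair_dnsbl_lookups(TCPDUMP_LINES):
        print(f"{r['client_ip']:>15}  {r['zone']:<20}  {r['verdict']}")
```

Two things this makes visible that the raw packets do not: the name Sendmail queries is the connecting address with its octets reversed, so the 80.152.123.222 lookups concern 222.123.152.80, and a resolver error (EAI_AGAIN, SERVFAIL) is deliberately raised rather than reported as "not listed", because a silent failure there looks exactly like "no DNSBL ever matches". Truncated capture lines such as the `[|domain]` ones earlier in the post simply fail to match and are skipped; raise the snaplen (`-s 0`) to see full replies.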