Blacklisted by the UB-BLACK SURBL - ORF Forums

@Customer: The "hfflp.com" domain is indeed listed now in the UB-BLACK SURBL (you can verify this at https://admin.uribl.com/), but does not appear to be listed in other SURBLs.

"How do I go about determining why these emails are being blocked and how do I fix this?"

The emails are blacklisted because they contain a link to hfflp.com and this domain is listed in the uribl.com URL blacklist. As to how to fix this, you can either request a removal on the above website and/or add this domain to the URL Domain Blacklist exception list in the ORF Admin Tool.

"Also, is there a chance that UB-BLACK SURBL is giving other false positives?"

There is always a chance for false positives in spam filtering. If you have lost your trust in uribl.com, simply disable the blacklist in ORF. We have noticed a few false positives with this blacklist in the past, but so did we even with the most reliable blacklists.

@chana atar: You are receiving 127.0.0.255 codes, which means your DNS server (or the upstream DNS server) has been banned from querying the public uribl.com mirrors (see http://www.uribl.com/about.shtml regarding this).

The fair use policy of uribl.com says that you must not exceed 300,000 lookups a day. Depending on your ORF settings, this might be reached from 100,000 emails a day in extreme cases, but thanks to repeated domains and DNS caching, you typically need an ISP-level traffic to trigger this banning.

I suspect the issue is caused by the upstream DNS server, which accumulates DNS traffic from many different DNS servers and thus triggers the ban. Please make sure all of the DNS servers specified for ORF follow the recommendations below. This should fix the problem.

* The DNS server must support recursion (enabled by default in Microsoft® DNS)

* The server should be on the local network or on the ORF computer. Using ISP DNS servers and third-party DNS resolution services (such as OpenDNS or Google Public DNS) is discouraged.

* The server should not use forwarders (e.g. ISP DNS servers)

* The server should not be the same DNS server that supports your Active Directory.

You can configure your ORF DNS server list under Configuration / System / DNS and Lookups.

Please let me know if this has helped.

@Craig: See above: they do not have these domains blacklisted, but as you use a public DNS server for the lookup (or have a local DNS with a public forwarder configured), they return a 127.0.0.1 response to each lookup (regardless of the listed/not listed status of the queried domain), which ORF considers a hit in all cases. To fix this, you should

1. Update your SURL definitions so ORF will not consider this SMTP response a hit
2. Use a local DNS server with no public forwarders configured (i.e., it should query the root servers directly using root hints)

@redder: When an email comes in, ORF scans the body for clickable URLs, then it checks whether any of the the harvested URLs are listed on online URL Blacklists (SURBLs) by sending DNS queries to the lists you have enabled using the DNS server you configured in ORF. If the queried domain is listed, the URL blacklist service return an IP address, if it is not listed, they reply with NXDOMAIN (non-existent domain) to your DNS server.

Some URL blacklists have multiple sublists and may return various IP addresses (depending on which one the queried domain is listed). Moreover, they may return other IP addresses in other scenarios (e.g., when your DNS server exceeds their daily quota of free queries).

ORF can be configured either to consider any reply a hit, or only some. Uribl.com had a single response for years, so the default SURBL definition in ORF was configured to consider any IP address this list returns as a hit. And this worked without issues for years.

Then suddenly (without prior notice), uribl.com decided they will return 127.0.0.255 to all DNS queries originated from DNS servers which exceed their daily quota for free queries. Later, they changed this response to 127.0.0.1. Public DNS servers (such as OpenDNS, Google DNS servers, DNS servers of large ISPs, etc) are used by many people and quickly exceed this limit. If you have such DNS server configured in ORF, or a local DNS server with such public DNS server added as a forwarder, you will receive this response to all queries.

Since ORF considers any response a hit, it will blacklist all emails with URLs in it, as it queries uribl.com which replies with the response above.

This problem could be addressed by updating the SURBL definition to consider only response 127.0.0.2 a hit, but this will not change the fact that uribl.com refuses to reply to your queries properly. To address that problem, you should remove the public DNS servers from your ORF configuration and remove the public DNS forwarders (or setup conditional forwarding).