Blacklisted by the UB-BLACK SURBL - ORF Forums

Blacklisted by the UB-BLACK SURBL RSS Back to forum


I am getting emails saying that someone is trying to send messages to our company email addresses and that they are being denied. I looked in the logs and saw that it said "Blacklisted by the UB-BLACK SURBL (domain: "", DNS lookup result:"
I checked the address and it does not seem to be listed in a blacklist on Spamhaus. How do I go about determining why these emails are being blocked and how do I fix this? Also, is there a chance that UB-BLACK SURBL is giving other false positives?

by Customer 9 years ago

@Customer: The "" domain is indeed listed now in the UB-BLACK SURBL (you can verify this at, but does not appear to be listed in other SURBLs.

"How do I go about determining why these emails are being blocked and how do I fix this?"

The emails are blacklisted because they contain a link to and this domain is listed in the URL blacklist. As to how to fix this, you can either request a removal on the above website and/or add this domain to the URL Domain Blacklist exception list in the ORF Admin Tool.

"Also, is there a chance that UB-BLACK SURBL is giving other false positives?"

There is always a chance for false positives in spam filtering. If you have lost your trust in, simply disable the blacklist in ORF. We have noticed a few false positives with this blacklist in the past, but so did we even with the most reliable blacklists.

by Peter Karsai (ORF Team) 9 years ago
(in reply to this post)


@Peter Karsai (ORF Team): domains that are not blacklisted are showing up as being blacklisted via ORF.

Blacklisted by the UB-BLACK SURBL (domain: "", DNS lookup result: this is just a sample domain.

i disabled DNS blacklist lookup why are these emails still being blacklisted.

by chana atar 8 years ago
(in reply to this post)


@chana atar: You are receiving codes, which means your DNS server (or the upstream DNS server) has been banned from querying the public mirrors (see regarding this).

The fair use policy of says that you must not exceed 300,000 lookups a day. Depending on your ORF settings, this might be reached from 100,000 emails a day in extreme cases, but thanks to repeated domains and DNS caching, you typically need an ISP-level traffic to trigger this banning.

I suspect the issue is caused by the upstream DNS server, which accumulates DNS traffic from many different DNS servers and thus triggers the ban. Please make sure all of the DNS servers specified for ORF follow the recommendations below. This should fix the problem.

* The DNS server must support recursion (enabled by default in Microsoft® DNS)

* The server should be on the local network or on the ORF computer. Using ISP DNS servers and third-party DNS resolution services (such as OpenDNS or Google Public DNS) is discouraged.

* The server should not use forwarders (e.g. ISP DNS servers)

* The server should not be the same DNS server that supports your Active Directory.

You can configure your ORF DNS server list under Configuration / System / DNS and Lookups.

Please let me know if this has helped.

by Peter Karsai (ORF Team) 8 years ago
(in reply to this post)


@Peter Karsai (ORF Team): I started receiving on November 3rd. I disabled this test. I've been using it fine for over a year before this.

by Graham 8 years ago
(in reply to this post)


We have been using this fine for a while -a nd recently started getting blacklisted for which is not listed at

Blacklisted by the UB-BLACK SURBL (domain: "", DNS lookup result:

It was also blocking which we use often.

by Craig 7 years ago

@Craig: See above: they do not have these domains blacklisted, but as you use a public DNS server for the lookup (or have a local DNS with a public forwarder configured), they return a response to each lookup (regardless of the listed/not listed status of the queried domain), which ORF considers a hit in all cases. To fix this, you should

1. Update your SURL definitions so ORF will not consider this SMTP response a hit
2. Use a local DNS server with no public forwarders configured (i.e., it should query the root servers directly using root hints)

by Krisztián Fekete (Vamsoft) 7 years ago
(in reply to this post)


UB-Black is a real problem today for me
removig from al my servers.

by darrellpro 7 years ago

I get the error

Blacklisted by the UB-BLACK SURBL (domain: "", DNS lookup result:

However I don't understand your solution
"1. Update your SURL definitions so ORF will not consider this SMTP response a hit"

Could you explain it?

by redder 7 years ago

@redder: When an email comes in, ORF scans the body for clickable URLs, then it checks whether any of the the harvested URLs are listed on online URL Blacklists (SURBLs) by sending DNS queries to the lists you have enabled using the DNS server you configured in ORF. If the queried domain is listed, the URL blacklist service return an IP address, if it is not listed, they reply with NXDOMAIN (non-existent domain) to your DNS server.

Some URL blacklists have multiple sublists and may return various IP addresses (depending on which one the queried domain is listed). Moreover, they may return other IP addresses in other scenarios (e.g., when your DNS server exceeds their daily quota of free queries).

ORF can be configured either to consider any reply a hit, or only some. had a single response for years, so the default SURBL definition in ORF was configured to consider any IP address this list returns as a hit. And this worked without issues for years.

Then suddenly (without prior notice), decided they will return to all DNS queries originated from DNS servers which exceed their daily quota for free queries. Later, they changed this response to Public DNS servers (such as OpenDNS, Google DNS servers, DNS servers of large ISPs, etc) are used by many people and quickly exceed this limit. If you have such DNS server configured in ORF, or a local DNS server with such public DNS server added as a forwarder, you will receive this response to all queries.

Since ORF considers any response a hit, it will blacklist all emails with URLs in it, as it queries which replies with the response above.

This problem could be addressed by updating the SURBL definition to consider only response a hit, but this will not change the fact that refuses to reply to your queries properly. To address that problem, you should remove the public DNS servers from your ORF configuration and remove the public DNS forwarders (or setup conditional forwarding).

by Krisztián Fekete (Vamsoft) 7 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2