Blacklisted by the UB-BLACK SURBL RSS

1

I am getting emails saying that someone is trying to send messages to our company email addresses and that they are being denied. I looked in the logs and saw that it said "Blacklisted by the UB-BLACK SURBL (domain: "hfflp.com", DNS lookup result: 127.0.0.2)."
I checked the address and it does not seem to be listed in a blacklist on Spamhaus. How do I go about determining why these emails are being blocked and how do I fix this? Also, is there a chance that UB-BLACK SURBL is giving other false positives?


by Customer 8 years ago
2

@Customer: The "hfflp.com" domain is indeed listed now in the UB-BLACK SURBL (you can verify this at https://admin.uribl.com/), but does not appear to be listed in other SURBLs.

"How do I go about determining why these emails are being blocked and how do I fix this?"

The emails are blacklisted because they contain a link to hfflp.com and this domain is listed in the uribl.com URL blacklist. As to how to fix this, you can either request a removal on the above website and/or add this domain to the URL Domain Blacklist exception list in the ORF Admin Tool.

"Also, is there a chance that UB-BLACK SURBL is giving other false positives?"

There is always a chance for false positives in spam filtering. If you have lost your trust in uribl.com, simply disable the blacklist in ORF. We have noticed a few false positives with this blacklist in the past, but so did we even with the most reliable blacklists.

by Peter Karsai (ORF Team) 8 years ago
(in reply to this post)

3

@Peter Karsai (ORF Team): domains that are not blacklisted are showing up as being blacklisted via ORF.


Blacklisted by the UB-BLACK SURBL (domain: "axis.com", DNS lookup result: 127.0.0.255). This is just a sample domain.

I disabled DNS blacklist lookup; why are these emails still being blacklisted?

by chana atar 7 years ago
(in reply to this post)

4

@chana atar: You are receiving 127.0.0.255 codes, which means your DNS server (or the upstream DNS server) has been banned from querying the public uribl.com mirrors (see http://www.uribl.com/about.shtml regarding this).

The fair use policy of uribl.com says that you must not exceed 300,000 lookups a day. Depending on your ORF settings, this might be reached from 100,000 emails a day in extreme cases, but thanks to repeated domains and DNS caching, you typically need ISP-level traffic to trigger this banning.

I suspect the issue is caused by the upstream DNS server, which accumulates DNS traffic from many different DNS servers and thus triggers the ban. Please make sure all of the DNS servers specified for ORF follow the recommendations below. This should fix the problem.

* The DNS server must support recursion (enabled by default in Microsoft® DNS)

* The server should be on the local network or on the ORF computer. Using ISP DNS servers and third-party DNS resolution services (such as OpenDNS or Google Public DNS) is discouraged.

* The server should not use forwarders (e.g. ISP DNS servers)

* The server should not be the same DNS server that supports your Active Directory.

You can configure your ORF DNS server list under Configuration / System / DNS and Lookups.

Please let me know if this has helped.

by Peter Karsai (ORF Team) 7 years ago
(in reply to this post)

5

@Peter Karsai (ORF Team): I started receiving 127.0.0.255 on November 3rd. I disabled this test. I've been using it fine for over a year before this.

by Graham 7 years ago
(in reply to this post)

6

We have been using this fine for a while and recently started getting blacklisted for ritzcarlton.com, which is not listed at https://admin.uribl.com/.

Blacklisted by the UB-BLACK SURBL (domain: "ritzcarlton.com", DNS lookup result: 127.0.0.1).

It was also blocking which we use often.

by Craig 6 years ago
7

@Craig: See above: they do not have these domains blacklisted, but as you use a public DNS server for the lookup (or have a local DNS with a public forwarder configured), they return a 127.0.0.1 response to each lookup (regardless of the listed/not listed status of the queried domain), which ORF considers a hit in all cases. To fix this, you should

1. Update your SURL definitions so ORF will not consider this SMTP response a hit
2. Use a local DNS server with no public forwarders configured (i.e., it should query the root servers directly using root hints)

by Krisztián Fekete (Vamsoft) 6 years ago
(in reply to this post)

8

UB-Black is a real problem today for me.
Removing it from all my servers.

by darrellpro 6 years ago
9

Hi,
I get the error

Blacklisted by the UB-BLACK SURBL (domain: "googlemail.com", DNS lookup result: 127.0.0.1).

However I don't understand your solution
"1. Update your SURL definitions so ORF will not consider this SMTP response a hit"

Could you explain it?

by redder 6 years ago
10

@redder: When an email comes in, ORF scans the body for clickable URLs, then it checks whether any of the harvested URLs are listed on online URL Blacklists (SURBLs) by sending DNS queries to the lists you have enabled using the DNS server you configured in ORF. If the queried domain is listed, the URL blacklist service returns an IP address; if it is not listed, it replies with NXDOMAIN (non-existent domain) to your DNS server.

Some URL blacklists have multiple sublists and may return various IP addresses (depending on which one the queried domain is listed). Moreover, they may return other IP addresses in other scenarios (e.g., when your DNS server exceeds their daily quota of free queries).

ORF can be configured either to consider any reply a hit, or only some. Uribl.com had a single response for years, so the default SURBL definition in ORF was configured to consider any IP address this list returns as a hit. And this worked without issues for years.

Then suddenly (without prior notice), uribl.com decided they will return 127.0.0.255 to all DNS queries originated from DNS servers which exceed their daily quota for free queries. Later, they changed this response to 127.0.0.1. Public DNS servers (such as OpenDNS, Google DNS servers, DNS servers of large ISPs, etc.) are used by many people and quickly exceed this limit. If you have such a DNS server configured in ORF, or a local DNS server with such a public DNS server added as a forwarder, you will receive this response to all queries.

Since ORF considers any response a hit, it will blacklist all emails with URLs in it, as it queries uribl.com which replies with the response above.

This problem could be addressed by updating the SURBL definition to consider only response 127.0.0.2 a hit, but this will not change the fact that uribl.com refuses to reply to your queries properly. To address that problem, you should remove the public DNS servers from your ORF configuration and remove the public DNS forwarders (or set up conditional forwarding).

by Krisztián Fekete (Vamsoft) 6 years ago
(in reply to this post)
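Added example, not code from ORF or the ORF team (the thread does not show ORF's internals): a small Python model of the lookup described in the post above. It builds the query name `<domain>.black.uribl.com`, treats only 127.0.0.2 as a listing, and reports 127.0.0.1 / 127.0.0.255 as a refused resolver rather than a hit, which is the distinction the default "any answer is a hit" definition got wrong. The URL regex stands in for ORF's URL harvesting (not described on the page), the function names are mine, and the `SAMPLE_ANSWERS` table is constructed offline data that mirrors the DNS lookup results quoted in posts 2, 3 and 6, not live uribl.com responses. The example does not reduce hostnames to their registered domain the way the ORF log lines show; that step is not covered here.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Zone queried for the UB-BLACK list, as named in the thread's log lines.
UB_BLACK_ZONE = "black.uribl.com"

# Response meanings as described in the thread:
#   127.0.0.2                the domain is listed
#   127.0.0.1 / 127.0.0.255  uribl.com refuses this resolver (quota exceeded / banned);
#                            says nothing about the domain, so it must not count as a hit
#   NXDOMAIN (no answer)     not listed
LISTED_CODES = {"127.0.0.2"}
REFUSED_CODES = {"127.0.0.1", "127.0.0.255"}

# Assumption: a plain http(s) URL regex stands in for ORF's URL harvesting.
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def extract_domains(body: str) -> List[str]:
    """Return the distinct hostnames of clickable http(s) URLs in a message body."""
    seen: List[str] = []
    for host in URL_RE.findall(body):
        host = host.lower().rstrip(".")
        if host not in seen:
            seen.append(host)
    return seen


def query_name(domain: str, zone: str = UB_BLACK_ZONE) -> str:
    """Build the DNS name a SURBL lookup sends, e.g. hfflp.com.black.uribl.com."""
    return f"{domain.lower().rstrip('.')}.{zone}"


def classify_response(answer: Optional[str]) -> str:
    """Map one A-record answer (None = NXDOMAIN) to listed / refused / not-listed / unknown."""
    if answer is None:
        return "not-listed"
    if answer in LISTED_CODES:
        return "listed"
    if answer in REFUSED_CODES:
        return "refused"
    return "unknown"  # a code the definition does not know: log it, do not treat as a hit


def live_resolver(name: str) -> Optional[str]:
    """Resolve with the system resolver; NXDOMAIN (or any lookup failure) becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_message(body: str,
                  resolver: Callable[[str], Optional[str]] = live_resolver) -> Dict[str, str]:
    """Classify every harvested domain against UB-BLACK using the given resolver."""
    return {d: classify_response(resolver(query_name(d))) for d in extract_domains(body)}


def verdict(results: Dict[str, str]) -> str:
    """Blacklist only on a genuine listing; a refused lookup is a DNS problem, not spam."""
    if "listed" in results.values():
        return "blacklist"
    if "refused" in results.values():
        return "resolver-refused"  # deliver the mail and alert the admin to fix DNS
    return "pass"


# Constructed offline answers mirroring the lookup results quoted in the thread.
SAMPLE_ANSWERS: Dict[str, str] = {
    "hfflp.com.black.uribl.com": "127.0.0.2",        # listed (post 2)
    "axis.com.black.uribl.com": "127.0.0.255",       # resolver banned (posts 3 and 4)
    "ritzcarlton.com.black.uribl.com": "127.0.0.1",  # resolver refused (posts 6 and 7)
    # example.com is absent -> NXDOMAIN -> not listed
}


def sample_resolver(name: str) -> Optional[str]:
    """Offline stand-in for live_resolver, answering only from SAMPLE_ANSWERS."""
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    for body in (
        "Brochure: http://example.com/ and http://hfflp.com/offer",
        "Camera manual at https://axis.com/support",
        "Nothing clickable here",
    ):
        res = check_message(body, sample_resolver)
        print(verdict(res), res)
```

Swapping `sample_resolver` for the default `live_resolver` runs the same logic against your real DNS path, which is a quick way to see whether your resolver is currently getting 127.0.0.1 or 127.0.0.255 back for every name, i.e. whether the fix belongs in the SURBL definition, in the DNS server list, or both.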
