DNS error. Test: "RDNS/PTR", built-in DNS resolver, domain: "162.250.98.114", record type: PTR. DNS response: DNS server or domain failure (SERVFAIL, RCODE 2). - ORF Forums


1

DNS error. Test: "RDNS/PTR", built-in DNS resolver, domain: "162.250.98.114", record type: PTR. DNS response: DNS server or domain failure (SERVFAIL, RCODE 2).

Spam is getting through with this error every 5-6 minutes. Per the Online Knowledge Database I am using the built in DNS resolver. Any ideas? Thanks in advance for any help.

by michael.mulhern 7 years ago
2

I'll chime in since ORF support may not get back to you until tomorrow. They may override my answer but this can get you started today.

I think this error is normal for an IP that does not support Reverse DNS (it is up to the ISP that controls that IP and perhaps the user via their account management to be sure reverse DNS is supported).

Some of us choose to "Enable Sender IP Reverse Name Validation" in the Reverse DNS test to avoid accepting emails from IPs with no reverse DNS. You can decide if that is what you want.

Here is what I get when I checked RDNS for that IP (confirming there is no Reverse DNS for that IP published)

Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\...>nslookup

> server 8.8.8.8
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8

> type=ptr
Server: google-public-dns-a.google.com
Address: 8.8.8.8

*** google-public-dns-a.google.com can't find type=ptr: Non-existent domain
> 162.250.98.114
Server: google-public-dns-a.google.com
Address: 8.8.8.8

*** google-public-dns-a.google.com can't find 162.250.98.114: Server failed
>

by Sam Russo 7 years ago
3

@Sam Russo: Thank you for your reply Sam. I do have "Enable Sender IP Reverse Name Validation" enabled in the Reverse DNS test. But I also have enabled 'Sender Domain Validation.' Maybe both should not be enabled? An either/or proposition?

by michael.mulhern 7 years ago
(in reply to this post)

4

@michael.mulhern: I also have both enabled so no, I don't think that is a problem.

You may want to consider an IP Range Blacklist entry as a stopgap until tomorrow when Vamsoft can get back to you.

Using tcpiputils.com you can see that this IP range is assigned to Fevvo. Depending on what you want you can set a tight or loose range.
162.250.96.0/21 - loose
162.250.98.114/24 - tight

You can view your logs to see if you get legit email from this range before setting an IP blacklist. It's up to you but this should take care of the immediate blast until tomorrow.

Good luck,
Sam

by Sam Russo 7 years ago
(in reply to this post)
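
Added example, not part of the original thread: a Python check of what the two ranges quoted in the post above cover, and how many wanted and unwanted messages each would catch. The sample entries are constructed, and reading them out of real ORF logs is left out because the log format is not shown on this page.

```python
import ipaddress
from collections import Counter

# Ranges as written in the post. strict=False accepts the host bits in
# "162.250.98.114/24" and normalises it to the enclosing network.
RANGES = {
    "loose": ipaddress.ip_network("162.250.96.0/21"),
    "tight": ipaddress.ip_network("162.250.98.114/24", strict=False),
}

# Constructed sample: (sender IP, was the message wanted?) pairs that an
# administrator would collect from their own mail logs.
SAMPLE = [
    ("162.250.98.114", False),
    ("162.250.98.20", False),
    ("162.250.101.7", True),    # wanted mail from inside the /21
    ("162.250.96.45", False),
    ("162.250.104.1", True),    # first address block past the /21
    ("203.0.113.9", True),
]


def impact(entries, ranges=RANGES):
    """Per range: count wanted/unwanted messages a blacklist entry would cover."""
    result = {name: Counter() for name in ranges}
    for ip_text, wanted in entries:
        ip = ipaddress.ip_address(ip_text)
        for name, net in ranges.items():
            if ip in net:
                result[name]["wanted" if wanted else "unwanted"] += 1
    return result


if __name__ == "__main__":
    for name, net in RANGES.items():
        print(f"{name}: {net} = {net[0]} .. {net[-1]} ({net.num_addresses} addresses)")
    for name, counts in impact(SAMPLE).items():
        print(f"{name}: would block {counts['unwanted']} unwanted, {counts['wanted']} wanted")
```

A non-zero "wanted" count for a range is the signal to choose the tighter entry or add an exception first.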

5

@michael.mulhern: If you are not already using them, I would recommend subscribing to Spamhaus. They are good for IP reputation, although it takes an hour or more for new IPs to appear in their list, so if your spammer likes to jump around to new IP ranges it may not help much.

by Sam Russo 7 years ago
(in reply to this post)

6

@michael.mulhern: A multi-layer approach works best here too: I see *.top spam from that range you cited and I've been catching it with a Sender Blacklist for common top-level domains that are spammy. You may need to customize this for your own needs. It is a regex in the form of (?!exceptions)(?=targets)

(?!.*(berlitz|linkedin))(?=.*\@.+\.(asia|(co|or)\.at|biz|bg|cc|email|ga|gdn|kz|link|in\.net|ml|pt|rocks|tk|co\.tz|top|website|win|us)$)

I have other rules regarding garbage TLDs but that's another story.

Not sure how much experience you have with ORF but it takes a while to build up the rules to make it effective for your user base.

by Sam Russo 7 years ago
(in reply to this post)
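
Added example, not part of the original thread: the expression posted above run over constructed sender addresses in Python, reporting whether the exception half or the target half decided each result. Matching from the start of a lower-cased address is an assumption; how ORF applies the expression is not stated on this page.

```python
import re
from collections import Counter

# Expression exactly as posted in the thread: (?!exceptions)(?=targets)
POSTED = (r"(?!.*(berlitz|linkedin))(?=.*\@.+\.(asia|(co|or)\.at|biz|bg|cc|email"
          r"|ga|gdn|kz|link|in\.net|ml|pt|rocks|tk|co\.tz|top|website|win|us)$)")
RULE = re.compile(POSTED)
# The two halves on their own, used only to explain each verdict.
EXCEPTIONS = re.compile(r".*(berlitz|linkedin)")
TARGETS = re.compile(POSTED[POSTED.index("(?="):])

# Constructed sender addresses for illustration.
SENDERS = [
    "promo@cheap-deals.top",
    "win@prizes.example.top",
    "info@example.co.at",     # two-label target: (co|or)\.at
    "user@host.in.net",       # two-label target: in\.net
    "updates@berlitz.us",     # target TLD, but an exception word is present
    "alice@example.com",
    "bob@example.biz.com",    # "biz" is not at the end, so the $ anchor rejects it
]


def classify(sender):
    """Return (verdict, detail) for one sender address."""
    s = sender.strip().lower()          # assumption: case-insensitive comparison
    target = TARGETS.match(s)           # match() starts at the first character
    if RULE.match(s):
        return ("blacklisted", target.group(1))      # the TLD that matched
    if target:
        return ("excepted", EXCEPTIONS.match(s).group(1))
    return ("not listed", None)


def tld_counts(senders):
    """Count blacklisted senders per matched TLD, to see which entries earn their place."""
    verdicts = (classify(s) for s in senders)
    return Counter(detail for verdict, detail in verdicts if verdict == "blacklisted")


if __name__ == "__main__":
    for s in SENDERS:
        print(f"{s:28} {classify(s)}")
    print(tld_counts(SENDERS))
```

Running a day of real sender addresses through `tld_counts` before enabling the rule shows which TLD entries actually fire and which legitimate senders need an exception.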

7

@michael.mulhern: Hello Michael,

Sam is absolutely right in regard to the RDNS/PTR issue and his last suggestion might very well solve your spam issue. In fact, I would strongly suggest adding at least a similar "Top-Level Domain (TLD) filter" to the Sender Blacklist if you see a lot of spam coming from low-reputation garbage TLDs, such as .top, .download, .win, etc.

That being said, if you see the "SERVFAIL, RCODE2" error message logged for most of the DNS-based tests, I suggest that you consult the following Knowledge Base article for possible solutions and troubleshooting tips: http://vamsoft.com/support/docs/knowledge-base/servfail-rcode2

However, in case you keep receiving spam that ORF is seemingly unable to deal with, please send us (to ) a few recent ORF log files (e.g. orfee-2016-08-09.log) and the ORF configuration file (called orfent.ini) for analysis and we will get back to you with our findings as soon as possible. The requested files can be found in the ORF program directory by default (\Program Files (x86)\ORF Fusion).

by Daniel Novak (Vamsoft) 7 years ago
(in reply to this post)

8

Thank you for your suggestions. I'll play around with the TLD Filter and see where it takes me. Thanks again!

by michael.mulhern 7 years ago
