Blacklisted but Passed - ORF Forums


1

I am trying to understand how an email was passed when it appears it was blacklisted by one server but passed by another. ORF 6.1.1 two Exchange 2016 servers. ORF is configured with a subscription between the two.

I have a screenshot of the log entries but cannot figure out how to attach it so I have posted the two records below.


-------------------------------------------------------------------------------

-- EVENT SUMMARY --
Time: 2020-03-03 11:10:34 AM GMT-0500 Eastern Standard Time
Sender Email:
Recipient Email:
Related IP: 89.249.67.40
Action: (not available)
Email Subject: UPDATED SECURITY FOR

-- EVENT MESSAGE --
Email passed checks.

-- EVENT DETAILS --
Filtering Point: On Arrival
Event Class: Pass
Severity: Information
Server: PMCEX2.xxxxx
Event Source: MSEXCHANGE
HELO Domain: (not available)
Message ID: (not available)
Log Mode: Verbose
ORF Version: 6.1.1 RELEASE

-------------------------------------------------------------------------------

-- EVENT SUMMARY --
Time: 2020-03-03 11:10:34 AM GMT-0500 Eastern Standard Time
Sender Email:
Recipient Email:
Related IP: 89.249.67.40
Action: Rejected
Email Subject: UPDATED SECURITY FOR

-- EVENT MESSAGE --
Blacklisted by the HOSTKARMA DNS Blacklist (DNS lookup result: 127.0.0.2/127.0.1.1).

-- EVENT DETAILS --
Filtering Point: On Arrival
Event Class: Blacklist
Severity: Information
Server: PMCEX1.xxxxxxxx
Event Source: MSEXCHANGE
HELO Domain: (not available)
Message ID: (not available)
Log Mode: Verbose
ORF Version: 6.1.1 RELEASE

-------------------------------------------------------------------------------

by PMC 4 months ago
2

@PMC: Hello PMC,

As the email was blacklisted by the DNS Blacklist test, on PMCEX1, this could be an issue with the DNS server or configuration subscription settings on PMCEX2. Please check the following on PMCEX2:

- The IP address/hostname of the DNS server(s) you specified for ORF to use (System > DNS > DNS Settings). Click the "Check health" and "Run Test" buttons to test them (even if you use the "built-in resolver"). Do NOT use any ISP or public DNS resolver, such as Google's 8.8.8.8, because most DNS Blacklist and SURBL providers refuse to answer (aggregated) DNS queries that come from those sources. Note that DNS settings are not synced between ORF servers by default (System > Configuration Subscription > Local Features).

- Verify that both servers use the same DNS Blacklist settings. Navigate to the Blacklists > DNS Blacklists page. You should see "this feature is currently not editable" if PMCEX2 is subscribed to PMCEX1 and the DNS Blacklist settings are not set to "local".

- Start the ORF log viewer and load the log file from the day of the incident (i.e. orfee-2020-03-03.log). Look for the problematic email and see if you can find any warnings or errors logged for that email.

by Daniel Novak (Vamsoft) 4 months ago
(in reply to this post)
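An added example (not ORF's or Vamsoft's code) of the lookup a DNS Blacklist test performs and of why two servers asking different resolvers can disagree: the sender IP is reversed into a query name under the list's zone, answers in 127.0.0.0/8 are the return codes (the log above shows 127.0.0.2/127.0.1.1), an empty answer means "not listed", and a resolver that refuses the query, as public resolvers do for DNSBL zones, is surfaced as an error rather than silently treated as a pass. The zone name dnsbl.example and the three resolver functions are constructed stand-ins.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Assumption: the thread names the HOSTKARMA list but not its DNS zone,
# so a placeholder zone is used here.
DNSBL_ZONE = "dnsbl.example"
RETURN_CODE_NET = ipaddress.IPv4Network("127.0.0.0/8")


class LookupFailed(Exception):
    """Resolver-level failure (REFUSED, SERVFAIL, timeout); not the same as 'not listed'."""


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Reverse the IPv4 octets and append the list zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify(ip: str, resolve: Callable[[str], List[str]]) -> Tuple[str, str]:
    """Turn a DNSBL answer into a verdict in the style of the ORF event message.
    Only 127.0.0.0/8 answers count as return codes; an empty answer (NXDOMAIN)
    means the IP is not listed; a resolver error is reported, not treated as a pass."""
    try:
        answers = resolve(dnsbl_query_name(ip))
    except LookupFailed as exc:
        return "Error", f"DNS lookup failed: {exc}"
    codes = sorted((a for a in answers if ipaddress.IPv4Address(a) in RETURN_CODE_NET),
                   key=ipaddress.IPv4Address)
    if codes:
        return "Blacklist", "DNS lookup result: " + "/".join(codes)
    return "Pass", "Email passed checks."


# Constructed resolvers standing in for the DNS server each ORF instance queried.
def resolver_listing(name: str) -> List[str]:
    return ["127.0.1.1", "127.0.0.2"]            # the codes PMCEX1 logged

def resolver_public(name: str) -> List[str]:
    raise LookupFailed("REFUSED by public resolver")  # DNSBLs block aggregated resolvers

def resolver_not_listed(name: str) -> List[str]:
    return []                                     # NXDOMAIN: IP genuinely not listed


def compare_servers(ip: str, resolvers: Dict[str, Callable[[str], List[str]]]) -> Dict[str, Tuple[str, str]]:
    """Run one lookup through each server's resolver; differing verdicts point at DNS, not the list."""
    return {server: classify(ip, fn) for server, fn in resolvers.items()}
```

Running `compare_servers("89.249.67.40", {"PMCEX1": resolver_listing, "PMCEX2": resolver_public})` yields a Blacklist verdict for one server and an Error for the other, which is the pattern to look for in the per-server logs when one node rejects and the other passes.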

3

@Daniel Novak (Vamsoft): Thank you for the prompt reply. PMCEX1 is subscribed to PMCEX2. The DNS settings cannot be edited directly on PMCEX1. The Blacklists are also controlled on PMCEX2 and subscribed to by PMCEX1. There are no DNS errors logged near the time the problematic email was processed. The DNS health check on PMCEX2 completed successfully with no errors.

by PMC 4 months ago
(in reply to this post)

4

@PMC: Thank you for the clarification. Could you verify that PMCEX1 can connect to PMCEX2 to retrieve the configuration? (ORF Administration Tool: System > Configuration Subscription > Publisher Access > Test Connection).

In addition, please check the logs on both servers for any remote login or configuration subscription errors. Use the Log Viewer's filter builder tool (Shift + Ctrl + F) or simply sort the log entries by descending severity (click the "Severity" column) to have the error messages listed at the top.

by Daniel Novak (Vamsoft) 4 months ago
(in reply to this post)

5

@Daniel Novak (Vamsoft): The Test Connection action completed successfully.

In the past 168 hours there are three errors related to remote login or subscription, but these coincide with a brief outage (less than two minutes) between sites and a server reboot.

by PMC 4 months ago
(in reply to this post)

6

@PMC: I see. Could you send us (to ) the following files for analysis, please?

- The ORF configuration and configuration backup files from the Publisher server (PMCEX2): %ProgramData%\ORF Fusion\orfent.ini + cs-inventory.xml + cs-storage.zip

- The ORF configuration file from the Subscriber server (PMCEX1): %ProgramData%\ORF Fusion\orfcs.ini + orfcs.remote.ini

- The ORF logs from the past 5-7 days from both servers, which can be found on the configured logging path (ORF Administration Tool : System > Log > ORF Text Log > Configure > Settings)

Thank you.

by Daniel Novak (Vamsoft) 4 months ago
(in reply to this post)
