Reverse DNS not working correct!? - ORF Forums


1

Hello community,
in Configuration "Blacklists"->"Reverse DNS Tests" we have checked "Enable Sender IP Reverse Name Validation".

Especially in the last few days more and more mails are let through, where the LogViewer reports "No Host Name in DNS" next to "Related IP". According to my configuration these mails should be blocked?

Kind regards
Uwe

by uwe.kortkamp 9 months ago
2

@uwe.kortkamp: Hello Uwe,

Were those emails *whitelisted* by any chance? What is the "Message" logged for the emails in question?

by Daniel Novak (Vamsoft) 9 months ago
(in reply to this post)

3

Hello Daniel,
thanks for your answer... ONE Example (out of ~30)

-------------------------------------------------------------------------------
-- EVENT SUMMARY --
Time: 08.12.2020 20:42:42 GMT+0100 Mitteleuropäische Zeit
Sender Email: (not available)
Recipient Email: TO_ME
Related IP: 13.68.157.170
Action: (not available)
Email Subject: (not available)

-- EVENT MESSAGE --
Recipient passed checks.

-- EVENT DETAILS --
Filtering Point: Before Arrival
Event Class: Pass
Severity: Information
Server: OUR_SERVER
Event Source: SMTPSVC-2
HELO Domain: (not available)
Message ID: (not available)
Log Mode: Verbose
ORF Version: 6.3 RELEASE

-------------------------------------------------------------------------------


-------------------------------------------------------------------------------
-- EVENT SUMMARY --
Time: 08.12.2020 20:42:43 GMT+0100 Mitteleuropäische Zeit
Sender Email: (not available)
Recipient Email: TO_ME
Related IP: 13.68.157.170
Action: (not available)
Email Subject: ~Verdiene 7000 Euro pro Tag von zu Hause aus

-- EVENT MESSAGE --
Email passed checks.

-- EVENT DETAILS --
Filtering Point: On Arrival
Event Class: Pass
Severity: Information
Server: OUR_SERVER
Event Source: SMTPSVC-2
HELO Domain: (not available)
Message ID:
Log Mode: Verbose
ORF Version: 6.3 RELEASE
-------------------------------------------------------------------------------

by uwe.kortkamp 9 months ago
4

@uwe.kortkamp: Thank you Uwe.

Could you send us your ORF configuration file (C:\ProgramData\ORF Fusion\orfent.ini) and the relevant ORF log file (i.e. orfee-2020-12-08.log) for analysis to , please? The ORF logs can be found on the configured ORF logging path (default: C:\ProgramData\ORF Fusion\TextLogs).

I will get back to you regarding this issue as soon as possible.

by Daniel Novak (Vamsoft) 9 months ago
(in reply to this post)

5

@uwe.kortkamp: Hello Uwe,

The only explanation I have after reviewing the logs is that the "spam cannon" and the related DNS records have been removed by the time you clicked the "Lookup" button. Spam operations typically move from one "throw-away" IP range/domain to another after a few "shots" to avoid triggering red flags. It should be noted, however, that in this case the spam could have been blocked by the "GBUdb.com Truncate" DNS blacklist but it is currently disabled. I suggest enabling the recommended set of DNS Blacklists (all of them) to improve the spam catch rate:

/ORF Administration Tool: Blacklists > DNS Blacklists/

• Spamhaus ZEN
• Hostkarma (JMF) Blacklist
• Weighted Private Block List
• Barracuda Reputation Block List
• Passive Spam Block List
• Mailspike Combined List
• GBUdb.com Truncate

I hope this proves helpful to you, but let me know if you need further assistance.

by Daniel Novak (Vamsoft) 9 months ago
(in reply to this post)
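
Added example, not part of the thread and not ORF's own code: the timing effect described in post 5, modelled in Python with two constructed DNS snapshots for one sender IP. The address 192.0.2.10, the zone dnsbl.example, the host name, and the simplified rule "the reverse DNS test passes when a PTR record exists" are assumptions made for illustration.

```python
import ipaddress

def ptr_name(ip):
    # Reverse-lookup name for the sender IP, e.g. 192.0.2.10 -> 10.2.0.192.in-addr.arpa
    return ipaddress.ip_address(ip).reverse_pointer

def dnsbl_name(ip, zone):
    # DNSBL query name for an IPv4 address: reversed octets followed by the list's zone
    return ".".join(reversed(ip.split("."))) + "." + zone

def snapshot_resolver(records):
    # Resolver backed by a fixed dict, standing in for DNS at one moment in time
    return lambda name, rtype: records.get((name, rtype), [])

def evaluate(ip, resolve, dnsbl_zones=()):
    """Return the reasons to block; an empty list means the sender passes."""
    reasons = []
    if not resolve(ptr_name(ip), "PTR"):        # assumed rule: a PTR must exist
        reasons.append("no PTR record")
    for zone in dnsbl_zones:
        if resolve(dnsbl_name(ip, zone), "A"):  # any A answer means "listed"
            reasons.append("listed on " + zone)
    return reasons

IP = "192.0.2.10"        # constructed sender (documentation range)
ZONE = "dnsbl.example"   # placeholder blacklist zone

# Constructed snapshot 1: DNS as it looked when the mail arrived
AT_DELIVERY = snapshot_resolver({
    (ptr_name(IP), "PTR"): ["mail.throwaway.example"],
    (dnsbl_name(IP, ZONE), "A"): ["127.0.0.2"],
})
# Constructed snapshot 2: DNS when the admin looks the IP up later; PTR withdrawn
AT_LOOKUP = snapshot_resolver({
    (dnsbl_name(IP, ZONE), "A"): ["127.0.0.2"],
})

def scenarios():
    return {
        "delivery, reverse DNS test only": evaluate(IP, AT_DELIVERY),
        "delivery, blacklist also enabled": evaluate(IP, AT_DELIVERY, [ZONE]),
        "later manual lookup": evaluate(IP, AT_LOOKUP),
    }

if __name__ == "__main__":
    for label, reasons in scenarios().items():
        print(f"{label}: {'BLOCK (' + ', '.join(reasons) + ')' if reasons else 'PASS'}")
```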

6

Thanks for your quick help.

In the meantime I have also figured out THOSE spammers with a keyword filter.

Our Spam Catch Ratio is extremely good, so it annoys me all the more if some of them manage to get through with SPAM mails :-)

I will activate the "missing" DNS Blacklist.

Thanks again.

by uwe.kortkamp 9 months ago
7

@uwe.kortkamp: I am glad I was able to help :)

by Daniel Novak (Vamsoft) 9 months ago
(in reply to this post)

8

DNS is always tricky to handle. It's great to see how the community is helping each other, and that's how a community grows and expands.

by davidd00656 5 months ago
