Solving the problem with uribl.com (UB-BLACK) blacklisting all emails with SMTP response 127.0.0.1
Article was last updated on September 7, 2015.
Introduction
This article provides a solution to a configuration problem causing all non-whitelisted emails with any URLs in the body to be blacklisted by the uribl.com SURBL (UB-BLACK).
Symptoms
Legitimate emails are blacklisted with the following message recorded in the ORF log:
Blacklisted by the UB-BLACK SURBL (domain: "domainname", DNS lookup result: 127.0.0.1).
When checked on the website of uribl.com, the domain name does not appear to be blacklisted.
Causes
The problem is caused by the combination of two configuration issues:
- ORF is configured to consider any response it gets from uribl.com a hit
  This is due to an outdated SURBL definition in ORF. Uribl.com used to return a response code to DNS queries only if the domain was listed in their blacklist, so the SURBL definition in older ORF versions was configured accordingly. Now uribl.com may return response codes in other scenarios as well, which ORF interprets as a hit, causing false positives. These definitions are not updated automatically when upgrading to a new ORF version: it has to be done manually (see below).
- A public DNS server is involved in the query
  Either a public DNS server is set in ORF on the System / DNS page, or a local DNS server is set that has a public DNS server configured as a forwarder. A majority of online blacklist providers tend to ban such public DNS servers (OpenDNS servers, Google DNS servers, ISP DNS servers, etc.) because these servers are used by many people concurrently and send the providers a large number of queries (which exceeds their free usage quota).
So, when an email comes in with a URL in the body, ORF checks whether the domain in the URL is listed in the uribl.com database. Uribl.com detects that the query originated from a banned public DNS server and returns code 127.0.0.1 (indicating "Query blocked, possibly due to high volume"). ORF incorrectly considers this a hit and the email gets blacklisted.
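To find which messages were affected, the ORF log can be audited for UB-BLACK entries and each entry sorted by the DNS result it records. The script below is an added example, not part of ORF or of the original article. It matches only the message text quoted under Symptoms; the function names and the sample lines (including their timestamp and sender fields) are constructed for illustration.

```python
import re
from collections import Counter

# Message fragment as quoted in this article; the rest of each log line is ignored.
HIT_RE = re.compile(
    r'Blacklisted by the UB-BLACK SURBL \(domain: "(?P<domain>[^"]+)", '
    r'DNS lookup result: (?P<result>\d{1,3}(?:\.\d{1,3}){3})\)'
)

# Response codes as described in this article.
QUERY_BLOCKED = "127.0.0.1"  # resolver is banned by uribl.com; says nothing about the domain
LISTED = "127.0.0.2"         # the only response that indicates a real hit


def classify(result):
    """Map a recorded DNS lookup result to a verdict."""
    if result == LISTED:
        return "listed"
    if result == QUERY_BLOCKED:
        return "query-blocked"
    return "unexpected"  # any other code: review manually


def audit(lines):
    """Return (findings, summary) for the UB-BLACK entries in an iterable of log lines."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = HIT_RE.search(line)
        if m:
            result = m["result"]
            findings.append((lineno, m["domain"].lower(), result, classify(result)))
    return findings, Counter(f[3] for f in findings)


def false_positive_domains(findings):
    """Count the domains that were blacklisted only because the query was blocked."""
    return Counter(f[1] for f in findings if f[3] == "query-blocked")


# Constructed sample lines; the leading timestamp and sender fields are made up.
SAMPLE_LOG = [
    '2015-09-07 10:01:12 alice@example.org Blacklisted by the UB-BLACK SURBL (domain: "example.com", DNS lookup result: 127.0.0.1).',
    '2015-09-07 10:02:40 bob@example.net Blacklisted by the UB-BLACK SURBL (domain: "spam.example", DNS lookup result: 127.0.0.2).',
    '2015-09-07 10:03:05 carol@example.org (constructed line without a UB-BLACK entry)',
    '2015-09-07 10:04:51 dave@example.net Blacklisted by the UB-BLACK SURBL (domain: "Example.COM", DNS lookup result: 127.0.0.1).',
]

if __name__ == "__main__":
    findings, summary = audit(SAMPLE_LOG)
    print(dict(summary))
    print(dict(false_positive_domains(findings)))
```

Entries reported as query-blocked are the false positives described above. If every UB-BLACK entry in a log falls into that class, the resolver used by ORF is being refused by uribl.com.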
Solutions
Updating the SURBL definition set
ORF should be told that only response 127.0.0.2 indicates a hit. The easiest way is importing an up-to-date SURBL definition set, overwriting the outdated one. See the following Knowledge Base articles for detailed instructions:
- Updating the blacklist definitions of ORF 5.0 and later versions
- Updating the blacklist definitions of ORF 4.4 and earlier versions
Disabling uribl.com
Optionally, you can disable uribl.com and use the currently recommended SURBLs only.
Ensuring ORF can query online blacklists properly via DNS
Note that the above solutions will take care of the false positive problem only: uribl.com will still refuse to reply properly to the queries of ORF, since they are sent through a banned public DNS server. Other online blacklist services may also choose not to reply, which leads to degraded spam filtering performance.
To solve the problem for good, you should:
- Use the built-in DNS resolver (available from ORF 5.4 or newer) or make sure the DNS server configured for ORF lookups meets all requirements, i.e., it is a local server sending all queries to the root servers using root hints, without any forwarders configured, or
- If you insist on using public forwarders, you should set up conditional forwarding in the local DNS server. In other words, the DNS server must be told to send the request directly to the authoritative name server(s) of online blacklists (bypassing forwarders) when querying them, while in all other cases, it can use the public forwarders for DNS lookups.
Applies To
The article above is not specific to any ORF versions.