One of the main features of SpamAssassin, the core spam filtering component in the MDaemon Messaging Server, is the ability to do DNS lookups. One of the available lookups is a query to URIBL, which keeps a list of web addresses, or URLs, that are found in the body of spam email.
The example below shows what you might see in your spam report when troubleshooting why a spam message is getting through the filters to the local user.
Tue 2014-07-22 01:34:17: * 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE:The query to URIBL was blocked.
Tue 2014-07-22 01:34:17: * See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
Tue 2014-07-22 01:34:17: * for more information.
Tue 2014-07-22 01:34:17: * [URIs: ccsoftware.ca]
When this happens the first question we always get asked is: Why was the lookup blocked and what does it mean? (ok first two questions!)
The answer is that you, the customer, are not specifically being blocked. The problem is that the URIBL service has a free usage limit. Typically MDaemon customers will use their ISP’s DNS servers or, another popular choice, Google’s DNS servers. These DNS servers are making queries for many different companies, and when the connection count limit is breached, further lookups are blocked for everyone using these DNS servers. This decreases your spam filter’s effectiveness!
What can you do to get the URIBL lookups working again?
The link provided in the spam report will suggest having SpamAssassin use a non-forwarding caching name server to do the lookups. By running your own caching nameserver, or DNS server, requests will then be seen as coming from your own public IP address, and not the IP address of your ISP, or Google’s DNS servers. This will give you the added benefit of a performance increase since repeated DNS queries are cached and don’t need to be looked up again.
What is a non-forwarding caching DNS server?
Microsoft says, “caching-only servers have only one function: they perform queries, cache the answers, and return the results. Caching-only DNS servers are not authoritative for any domains, and their information that they contain is limited to what they cache while they resolve queries.”
In the past we have supplied customers with the information provided on the SpamAssassin web site, but many feel intimidated by the thought of running their own DNS server. This may be due to the fact that the instructions that are given are for UNIX/Linux environments. 99.9% of the time we are dealing with customers that only have a MS Windows infrastructure. Installing a UNIX/Linux server to run a caching-only DNS daemon would be overkill!
What if you could run a Windows Server and use the built-in DNS server baked right into the Windows Server OSs?
As it turns out this is ridiculously easy to set up! I can sum up the official Microsoft instructions on how to install a cache-only DNS server using the Windows DNS Server in one sentence: Launch the Windows ‘Server Manager’, add a New Role, and select DNS Server. That’s it. You’re done creating a basic cache-only DNS server.
Why was this so easy?
- This is a non-forwarding DNS server so there are no Forwarders to configure.
- There are no DNS records that need to be created. (Think Zone files)
- Very little to configure in the firewall/router. The DNS server should be on the same LAN as the MDaemon server. Outside access to the DNS server is not needed nor recommended.
DISCLAIMER: We are not DNS experts and do not support the installation or maintenance of any DNS servers.
How Do I Configure SpamAssassin To Use My New Cache Only DNS Server?
Thought I forgot about this one? Nope not a chance. All that is required is to configure MDaemon itself to use the new DNS server. MDaemon’s DNS options are found by opening the MDaemon GUI and clicking Setup | Server Settings | DNS. Remove the check mark from the option “Use Windows DNS servers”, and then enter the internal IP address of your DNS server in the field provided below. Apply and OK the change.
If you have seen this block error in the past you should now have a fully functioning SpamAssassin installation again.
What should I see in my SPAM report if everything is working correctly?
Below is an example of a successful lookup on a URL. If you don’t see any lookups on URLs being performed then let’s ensure MDaemon is configured to allow SpamAssassin to do the lookups.
Open the MDaemon GUI and click Security | Spam Filter | Options. Look for the option “Is DNS service available?” Ensure this option is set to Yes or Test in order to have SpamAssassin query URIBL for blacklisted URLs.
Mon 2014-07-28 14:38:52: 07: [012878] Passing message through Spam Filter (Size: 594)…
Mon 2014-07-28 14:39:03: 07: [012878] * 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
Mon 2014-07-28 14:39:03: 07: [012878] * [URIs: familypharmacydeal.ru]
Mon 2014-07-28 14:39:03: 07: [012878] * 1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
Mon 2014-07-28 14:39:03: 07: [012878] * [URIs: familypharmacydeal.ru]
Mon 2014-07-28 14:39:03: 07: [012878] * 0.0 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
Mon 2014-07-28 14:39:03: 07: [012878] * [URIs: familypharmacydeal.ru]
Mon 2014-07-28 14:39:03: 07: [012878] * 1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
Mon 2014-07-28 14:39:03: 07: [012878] * [URIs: familypharmacydeal.ru]
Mon 2014-07-28 14:39:03: 07: [012878] * 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
Mon 2014-07-28 14:39:03: 07: [012878] —- End SpamAssassin results
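To check a whole log for the blocked notice rather than reading reports one by one, the two report layouts shown above can be scanned with a short script. This is an added example, not part of MDaemon or SpamAssassin; the sample lines are constructed with placeholder domains, and the separator between multiple URIs is an assumption.

```python
import re

# Constructed sample in the two log layouts shown on this page (domains are placeholders).
SAMPLE_LOG = """\
Tue 2014-07-22 01:34:17: * 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE:The query to URIBL was blocked.
Tue 2014-07-22 01:34:17: * [URIs: example.org]
Mon 2014-07-28 14:39:03: 07: [012878] * 1.7 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
Mon 2014-07-28 14:39:03: 07: [012878] * [URIs: example.net]
Mon 2014-07-28 14:39:03: 07: [012878] * 1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
Mon 2014-07-28 14:39:03: 07: [012878] * [URIs: example.net]
Mon 2014-07-28 14:39:03: 07: [012878] * 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
"""

# Timestamp, optional "NN: [message-id]" prefix, then the "* ..." report line.
LINE = re.compile(r"^\w{3} (?P<day>\d{4}-\d{2}-\d{2}) [\d:]{8}: (?:\d+: \[\d+\] )?\* (?P<body>.+)$")
RULE = re.compile(r"^-?\d+(?:\.\d+)? (?P<rule>[A-Z][A-Z0-9_]+)\b")
URIS = re.compile(r"^\[URIs: (?P<uris>[^\]]+)\]")

def summarize(log_text):
    """Per day: count URIBL_BLOCKED notices and collect the domains behind real URIBL_* hits."""
    days = {}
    pending = None  # URIBL_* rule whose "[URIs: ...]" line is expected next
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stats = days.setdefault(m["day"], {"blocked": 0, "hits": {}})
        rule, uris = RULE.match(m["body"]), URIS.match(m["body"])
        if rule:
            name = rule["rule"]
            pending = None
            if name == "URIBL_BLOCKED":
                stats["blocked"] += 1  # its URI was only queried, not listed
            elif name.startswith("URIBL_"):
                pending = name
                stats["hits"].setdefault(name, set())
        elif uris and pending:
            # Separator between several URIs is assumed to be commas and/or spaces.
            stats["hits"][pending].update(re.split(r"[,\s]+", uris["uris"].strip()))
    return days

def verdict(stats):
    """Classify one day of results: blocked, intermittent, ok, or no URIBL results seen."""
    if stats["blocked"]:
        return "intermittent" if stats["hits"] else "blocked"
    return "ok" if stats["hits"] else "no-uribl-results"

if __name__ == "__main__":
    print({day: verdict(s) for day, s in summarize(SAMPLE_LOG).items()})
```

A day reported as "no-uribl-results" is not proof of a problem, since it can also mean no listed URLs arrived; it is the cue to check the “Is DNS service available?” option described above.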
I already have a Windows DNS server configured. Can I use my existing DNS server, or do I need to configure a new DNS server?
You can use your own existing DNS server, even though it may be using forwarders. Remember, a standalone cache-only DNS server is one without forwarders. What you will need to do is add a conditional forwarder for the uribl.com domain that uses the “root hints” servers a through m. Below is a link to a Microsoft article on how to create this conditional forwarder.
Assign a Conditional Forwarder for a Domain Name
Any questions? Need help? Send us an email! support@ccsoftware.ca
Updated December 4th, 2015