A very short and simple tip this week.
In the above example, I have used this field to supply a longer and more meaningful text to accompany the 554 permanent failure code that the Domino SMTP task issues to a remote client which is found in a DNS or local blacklist.
Note that when these fields are used by the server, the first occurrence of %s is substituted with the IP address of the blocked system and the second with the name of the blacklist causing the rejection. For example:
554 Your email was not delivered because the host which attempted delivery, 192.168.0.1, is listed in the block list at list.example.dnsbl. Please see http://www.example.com/spam for more information and help.
Note that where a connection is blocked because a host is listed in our private list, we do not reveal this fact explicitly.
In most cases (I would say all, but you can never be absolutely sure), this error text is delivered in full back to the in-box of the sender of the bounced message.
Closing the loop
You will see that my example custom SMTP error response text includes the URL of a spam microsite which the sender of a bounced message can click to find out more about what happened.
Our microsite contains:
You can build this form using any web technology at your disposal. Ours isn't on a Domino server, so it is implemented in Perl, and it sends an email via a whitelisted host to a mail-in.
It asks for 5 pieces of information, all but one of which are optional: name, company, intended recipient, nature of business and the full text of the bounce message received (554 etc. as above).
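As an added example (not code from this post or from the microsite it describes), the Python sketch below shows how a review form handler could pull the blocked IP address and list name back out of the pasted bounce text. The template string is reconstructed from the sample 554 response above, and the function names are hypothetical.

```python
import ipaddress
import re

# Assumed template, reconstructed from the sample 554 response on this page:
# the first %s is the blocked IP address, the second the blacklist name.
TEMPLATE = ("Your email was not delivered because the host which attempted "
            "delivery, %s, is listed in the block list at %s. Please see "
            "http://www.example.com/spam for more information and help.")


def template_to_regex(template):
    """Build a pattern that captures the two %s substitutions."""
    parts = template.split("%s")
    if len(parts) != 3:
        raise ValueError("template must contain exactly two %s placeholders")
    # Mail clients re-wrap bounce text, so any whitespace run matches a space.
    lit = [r"\s+".join(re.escape(word) for word in p.split(" ")) for p in parts]
    return re.compile(lit[0] + r"(?P<ip>[0-9A-Fa-f:.]+?)"
                      + lit[1] + r"(?P<zone>[A-Za-z0-9.-]+?)" + lit[2])


BOUNCE_RE = template_to_regex(TEMPLATE)


def parse_bounce(pasted_text):
    """Return {'ip', 'zone'} from untrusted form input, or None if absent."""
    match = BOUNCE_RE.search(pasted_text)
    if match is None:
        return None
    try:
        # Normalise and validate; the sender controls this text entirely.
        ip = str(ipaddress.ip_address(match.group("ip")))
    except ValueError:
        return None
    return {"ip": ip, "zone": match.group("zone").lower()}


if __name__ == "__main__":
    # Constructed sample: the 554 text from this page, re-wrapped by a client.
    sample = ("554 Your email was not delivered because the host which\n"
              "attempted delivery, 192.168.0.1, is listed in the block list\n"
              "at list.example.dnsbl. Please see http://www.example.com/spam\n"
              "for more information and help.")
    print(parse_bounce(sample))
```

The parsed address is best used as a search key into the SMTP log, so that a whitelist decision rests on a rejection the server actually recorded rather than on what the form submitter typed.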
An administrator is able to review these messages and make a decision which may be:
In summary, this provides an excellent means for closing the loop and ensuring that rejected email is reported to the sender who has an opportunity to request a review. Suspected spam is not delivered to a vast wasteland called a spam folder where it may or may not be noticed by the recipient and where the sender never knows his message was not received.
Oh, and how often is this used?
We've had two requests so far this year, both resulting in additional whitelist entries - if you have the right balance of whitelists and blacklists, false positives will be very few anyway.
1. Latha 03/08/2006 12:17:46
Hi,
We have Lotus Domino 6.5.3FP1 on Windows 2000. Recently we added the following DNS Blacklist filters to our configuration.
relays.ordb.org; bl.spamcop.net; njabl.org; cbl.abuseat.org; hil.habeas.com; bogons.cymru.com; no-more-funn.moensted.dk; sbl.spamhaus.org; blackholes.wirehub.net; dnsbl.njabl.org; relays.visi.com; ipwhois.rfc-ignorant.org; list.dsbl.org; psbl.surriel.com; opm.blitzed.org; proxies.blackholes.easynet.nl; t1.bl.reynolds.net.au; dynablock.wirehub.net; dun.dnsrbl.net; spews.dnsbl.sorbs.net; spews.block.transip.nl
We have received complaints from some organisations saying that mails are not getting delivered. When we made a study, all the organisations report they have Exchange Servers.
Log shows that the connection is established but it immediately gets disconnected.
08/03/2006 11:56:31 AM SMTP Server: 59.163.116.76.static.vsnl.net.in (59.163.116.76) connected
08/03/2006 11:56:31 AM SMTP Server: 59.163.116.76.static.vsnl.net.in (59.163.116.76) disconnected. 0 message(s) received
We have Cisco PIX firewall, but SMTP Fixup protocol is disabled in that.
Neither of these domains or IP addresses are blocked by DNS Blacklists. The connecting hosts are from known sites.
The connecting hosts are not able to sustain the delay happening due to DNS Lookups (DNS Blacklist databases).
Is there any way to set smtp transaction delays in Lotus Domino?
I have even added the following parameters to notes.ini
SMTPNONSTANDARDLINETERMINATION=1
SMTPNONSTANDARDMIMETERMINATION=1
Any other suggestions??
Kindly help to resolve this issue at the earliest.
2. Chris Linfoot 03/08/2006 12:58:09
This may be a timeout issue. Try telnetting into port 25 of your server. How long till you see a 220 greeting? I'm betting it takes a while.
Your list of DNSBLs is absurdly long. There is duplication and you are using some lists that are defunct and others that are subscription only so unless you paid a subscription, they won't be working anyway. You really need to trim it back.
- Lose any easynet zones (defunct)
- Lose reynolds unless you have a sub
- lose the individual sbl and cbl lists and use the combined sbl-xbl.spamhaus.org zone (two lists for the price of one)
- lose bogons (you don't need it)
- lose rfc-ignorant
- check the listing policies of the others - some are very aggressive and you don't want them
- do you really need spews twice?
If you get down to a well chosen list of 5-6 DNSBLs then that will probably solve the problem.
However, if it isn't caused by timing, then it may be MTU size. See here.
http://chris-linfoot.net/d6plinks/CWLT-5WADL5
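To accompany the exchange above, an added example (not part of either comment and not Domino code) that times one lookup per configured zone, so slow or dead DNSBLs stand out before they are left in a server's list. It uses the standard DNSBL convention of reversing the IPv4 octets and appending the zone; the zone names shown are placeholders, and the function names are hypothetical.

```python
import ipaddress
import socket
import time


def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip().rstrip(".")


def time_zones(ip, zone_list, resolve=socket.gethostbyname, clock=time.monotonic):
    """Query each zone in turn; return rows of (zone, listed, seconds)."""
    rows = []
    seen = set()
    for zone in zone_list.split(";"):
        zone = zone.strip().lower()
        if not zone or zone in seen:   # skip blanks and exact duplicates
            continue
        seen.add(zone)
        start = clock()
        try:
            resolve(dnsbl_query_name(ip, zone))
            listed = True              # any A record means "listed"
        except OSError:                # no record, server failure or timeout
            listed = False
        rows.append((zone, listed, clock() - start))
    return rows


def slow_zones(rows, limit=1.0):
    """Zones whose lookup took longer than `limit` seconds."""
    return [zone for zone, _listed, secs in rows if secs > limit]


if __name__ == "__main__":
    # Constructed input: placeholder zone names in the semicolon-separated
    # form used in the comment above. 127.0.0.2 is the usual DNSBL test entry.
    zones = "list.example.dnsbl; other.example.dnsbl"
    rows = time_zones("127.0.0.2", zones)
    for zone, listed, secs in rows:
        print(f"{zone:30} listed={listed!s:5} {secs:.2f}s")
    print("total %.2fs" % sum(r[2] for r in rows))
    print("slow:", slow_zones(rows))
```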
3. Latha 04/08/2006 12:43:50
Hi Chris...Thanks a lot...
I have even posted the same query in the Lotus Forum. I was expecting a reply from you in the Lotus Forums. I liked all your postings. So I have put the question on your site also. I have even searched the Forum by author, i.e. all your postings.
Actually we have CA eTrust Secure Content Manager SMTP filtering software. But we have not implemented that on production. I have chosen the DNSBLs from that product.
Trimmed List :
bl.spamcop.net; sbl-xbl.spamhaus.org; no-more-funn.moensted.dk; spews.block.transip.nl; list.dsbl.org; dynablock.wirehub.net
Trimming down DNSBLs could solve my problem.
Would you please suggest any additions or deletions to the list to stop the Spam and Virus 100%? Is there any way to configure whitelists in Domino 6.5.3?
I have some more doubts... where can I do my postings on your site?
4. Chris Linfoot 04/08/2006 20:43:47
Given no ND7 I have serious doubts about most of your DNSBL choices if you are using log and deny, not log and tag. The one safe one is sbl-xbl.spamhaus.org.
You really need D7 and a whitelist. Then your choice of DNSBLs seems reasonable, though I am unfamiliar with no-more-funn (I know the name but have never used it).
I rarely post to the forums any more - I'm very busy and this is just a hobby really - but you may email me at either the address in my dW profile or the address here. Just don't overdo it.
5. Mark Schultz 02/10/2006 22:17:17
This isn't exactly a false positive, but perhaps guilt by association. I have mail users of my server which are home subscribers to large cable companies. They are using MY mailboxes and my routing, but are being knocked down by dnsbl.sorbs.net on the way out.
The "ignore" policy for authenticated users only applies to relaying, and I can't see how to make exclusions for local users... not sure I WANT to anyway, if their machines are dirty.
However, I do need to allow my people to communicate with members and clients. If they are pulling (semi-)dynamic IPs from their ISPs, I imagine that even adding their current IP to the whitelist (which I had to do for my own home account, it being flagged by sorbs as well) will fail at some point or another when the current IP expires or is somehow grabbed by another client. I know it is not frequent, but it happens.
Worse, I will have to walk through the relatively painful process - painful for my intensely non-technical users - of figuring out what their home router's external IP is. Ugh.
I tried searching for a post in your multitude of documents, but came up blank. Is there an elegant solution to this issue, or must I whitelist their entire ISP -- and leave us open to the rest of the mob as well?
Thanks for your thoughts.
6. Chris Linfoot 03/10/2006 08:41:16
The answer is simple conceptually but may pose a problem for small sites.
Don't use the same Domino (or other) SMTP for both message submission by users and message delivery by servers (MX).
We have a separate Domino box here which only acts as an MSA (message submission agent) for POP/SMTP users. It listens on the standard port for MSA (587) and requires authentication, but does no blacklisting.
Possibly a topic for a longer blog piece at some stage (have been considering this for SnTT anyway).