Blacklisting (postfix rbl) - recent issue with blackhole.securitysage.com

Hi folks,

Yesterday, I received multiple reports from users that they had trouble
mailing us. After checking the maillog I discovered that
blackhole.securitysage.com seemed to block a whole lot of mail to us
(read: all)! I of course immediately deleted this blacklist from our
reject_rbls but the host blackhole.securitysage.com was just
unreachable (also see this page
http://wiki.openrbl.org/wiki/Blackhole.securitysage.com). Now it seems
weird that if the rbl host is unreachable Postfix decides to simply take
that as a "ah well, just block everything then", or maybe something else
was going on?

What are your thoughts on this?

maillog:

[....]
> Mar 14 11:01:03 hostname postfix/smtpd[28035]: NOQUEUE: reject: RCPT
> from hostname[ip]: 554 5.7.1 Service unavailable; Client host
> [hostname] blocked using blackhole.securitysage.com;
> from= to= proto=ESMTP
> helo=
[....]

Best regards,
Robert

--
Hensel Hosting
Overtoom 473 I
NL-1054 LE Amsterdam
W: http://www.hensel.nl/
T: (+31)(0)20 662 1348
F: (+31)(0)20 662 3601

Blacklisting (postfix rbl) - recent issue with blackhole.securitysage.com

On Thursday 15 March 2007 20:34, Robert Hensel (Hensel Hosting) wrote:
> Hi folks,
>
> Yesterday, I received multiple reports from users that they had trouble
> mailing us. After checking the maillog I discovered that
> blackhole.securitysage.com seemed to block a whole lot of mail to us
> (read: all)! I of course immediately deleted this blacklist from our
> reject_rbls but the host blackhole.securitysage.com was just
> unreachable (also see this page
> http://wiki.openrbl.org/wiki/Blackhole.securitysage.com). Now it seems
> weird that if the rbl host is unreachable Postfix decides to simply take
> that as a "ah well, just block everything then", or maybe something else
> was going on?

I just saw that on my own postfix too!

> What are your thoughts on this?

You're right, a non-response is not the same as a negative response.
Postfix could consider a non-response as "not blacklisted".

As I say that, I realize that it opens a breach.
Spammers just have to DDoS these blacklists and spam will spread...

Blacklisting (postfix rbl) - recent issue with blackhole.securitysage.com

On Thu, Mar 15, 2007 at 08:34:39PM +0100, Robert Hensel (Hensel Hosting) wrote:
> Yesterday, I received multiple reports from users that
> they had trouble mailing us. After checking the maillog I
> discovered that blackhole.securitysage.com seemed to block a
> whole lot of mail to us (read: all)! I of course immediately
> deleted this blacklist from our reject_rbls but the host
> blackhole.securitysage.com was just unreachable (also see this page
> http://wiki.openrbl.org/wiki/Blackhole.securitysage.com). Now it
> seems weird that if the rbl host is unreachable Postfix decides to
> simply take that as a "ah well, just block everything then", or maybe
> something else was going on?

postfix doesn't do that.

if it can't get an answer from an RBL, it just ignores it.

> What are your thoughts on this?
>
> maillog:
>
> [....]
> >Mar 14 11:01:03 hostname postfix/smtpd[28035]: NOQUEUE: reject: RCPT
> >from hostname[ip]: 554 5.7.1 Service unavailable; Client host
> >[hostname] blocked using blackhole.securitysage.com;
> >from= to= proto=ESMTP
> >helo=

blackhole.securitysage.com must have returned a response that said
"block this".

note: the fact that their web site was down doesn't mean that their RBL
name server was down.

craig

--
craig sanders

One man's theology is another man's belly laugh.

Blacklisting (postfix rbl) - recent issue with blackhole.securitysage.com

++ 15/03/07 20:34 +0100 - Robert Hensel (Hensel Hosting):
>http://wiki.openrbl.org/wiki/Blackhole.securitysage.com). Now it seems
>weird that if the rbl host is unreachable Postfix decides to simply take
>that as a "ah well, just block everything then", or maybe something else
>was going on?

As far as I know, this is not default behaviour of Postfix. In other
words, Postfix does not behave like this or you may have configured
Postfix to behave like this.

>>Mar 14 11:01:03 hostname postfix/smtpd[28035]: NOQUEUE: reject: RCPT
>>from hostname[ip]: 554 5.7.1 Service unavailable; Client host
>>[hostname] blocked using blackhole.securitysage.com;
>>from= to= proto=ESMTP
>>helo=

It is quite useless to paste (sections of) logfiles, while munging most
of it. I could have come up with this line myself. The most important
part has been munged as well: the connecting IP address which has been
checked against the blackhole.securitysage.com rbl.

--
Rejo Zenger https://rejo.zenger.nl

Blacklisting (postfix rbl) - recent issue with blackhole.securitysage.com

Rejo Zenger wrote:

> ++ 15/03/07 20:34 +0100 - Robert Hensel (Hensel Hosting):
>
> > http://wiki.openrbl.org/wiki/Blackhole.securitysage.com). Now it seems
> > weird that if the rbl host is unreachable Postfix decides to simply take
> > that as a "ah well, just block everything then", or maybe something else
> > was going on?
>
> As far as I know, this is not default behaviour of Postfix. In other
> words, Postfix does not behave like this or you may have configured
> Postfix to behave like this.

Postfix is not configured in any strange way here, and you're right; as
far as I'm aware it does indeed not act like this when an rbl host is
down (which is something I haven't seen much anyway). Of course this
raises the question again to what extent third parties influence the
behaviour of mailservers. I'm pretty interested in what happened at
securitysage (quite an established blacklist if I'm not mistaken); if
it wasn't really "down" and was blacklisting all clients, that would
make this a bigger issue from my point of view.

> > Mar 14 11:01:03 hostname postfix/smtpd[28035]: NOQUEUE: reject: RCPT
> > from hostname[ip]: 554 5.7.1 Service unavailable; Client host
> > [hostname] blocked using blackhole.securitysage.com;
> > from=<address@addresss.com> to=<address@address.com> proto=ESMTP
> > helo=<hostname>
>
> It is quite useless to paste (sections of) logfiles, while munging most
> of it. I could have come up with this line myself. The most important
> part has been munged as well: the connecting IP address which has been
> checked against the blackhole.securitysage.com rbl.

Since it is clearly an issue that is not related to a specific host,
since multiple systems (inbound and servers) had the same problem I do
not find it useful or necessary to disclose that information. Also see
the email below I received from securitysage (can also be found on the
wiki link):

> Hello!
>
> We have received e-mails from you telling us that some specific
> domains are blacklisted using blackhole.securitysage.com. None of your
> domains are blacklisted. Our RHSBL server stopped responding last
> night and we have worked starting at 6:00 AM local time to fix this
> issue. We figured out it was a DNS problem and it has been fixed since
> 9:00 AM.
>
> Because it was a DNS issue it will take 4 to 24, maximum 48 hours to
> replicate the changes that we made to all DNS servers in the world.
>
> We apologize for the inconvenience and we want to assure you that we
> are doing our best to prevent this from happening in the future.
>
> We appreciate your patience and your understanding.
>
> Best regards,
>
> Tech Support Team
> SecuritySage Inc.

Best regards,
Robert

Blacklisting (postfix rbl) - recent issue with blackhole.securitysage.com

On Fri, Mar 16, 2007 at 01:56:14AM +0100, Robert Hensel wrote:

> >Hello!
> >
> >
> >
> >We have received e-mails from you telling us that some specific
> >domains are blacklisted using blackhole.securitysage.com. None of your
> >domains are blacklisted. Our RHSBL server stopped responding last
> >night and we have worked starting at 6:00 AM local time to fix this
> >issue. We figured out it was a DNS problem and it has been fixed since
> >9:00 AM.
> >
> >Because it was a DNS issue it will take 4 to 24, maximum 48 hours to
> >replicate the changes that we made to all DNS servers in the world.
> >
> >We apologize for the inconvenience and we want to assure you that we
> >are doing our best to prevent this from happening in the future.
> >
> >We appreciate your patience and your understanding.

Well, looking at the DNS for the blackhole:

$ host blackhole.securitysage.com
blackhole.securitysage.com is an alias for resalehost.networksolutions.com.
resalehost.networksolutions.com has address 205.178.189.128
blackhole.securitysage.com is an alias for resalehost.networksolutions.com.
blackhole.securitysage.com is an alias for resalehost.networksolutions.com.
$

The website at www.securitysage.com also appears to go to a
networksolutions holding page...

I'd suggest removing securitysage from your blacklists at this point -
DNS lookups against "resalehost.networksolutions.com" fail, and there's
no telling how long it's going to take them to fix it.

Cheers,
--
Brett Parker

Blacklisting (postfix rbl) - recent issue with blackhole.securitysage.com

On Fri, Mar 16, 2007 at 01:56:14AM +0100, Robert Hensel wrote:
> >>>Mar 14 11:01:03 hostname postfix/smtpd[28035]: NOQUEUE: reject: RCPT
> >>>
> >>>from hostname[ip]: 554 5.7.1 Service unavailable; Client host
> >>
> >>>[hostname] blocked using blackhole.securitysage.com;
> >>>from= to= proto=ESMTP
> >>>helo=
> >>>
> >
> >It is quite useless to paste (sections of) logfiles, while munging most
> >of it. I could have come up with this line myself. The most important
> >part has been munged as well: the connecting IP address which has been
> >checked against the blackhole.securitysage.com rbl.
> >
> Since it is clearly an issue that is not related to a specific host,
> since multiple systems (inbound and servers) had the same problem I do
> not find it useful or necessary to disclose that information. Also see
> the email below I received from securitysage (can also be found on the
> wiki link):

of course the client IP is essential information - how else are we, who
you have asked for help, to check whether it IS actually listed in any
RBLs?

munging the recipient address is OK, that is privacy-sensitive
information, but revealing the client IP a) doesn't infringe anyone's
privacy (because it doesn't identify an individual) and b) is essential
for diagnostic purposes.

craig

--
craig sanders

BOFH excuse #187: Reformatting Page. Wait...

Blacklisting (postfix rbl) - recent issue with blackhole.securitysage.com

thus spoke Robert Hensel (Hensel Hosting) [2007.03.15.2034 +0100]:
> reject_rbls but the host blackhole.securitysage.com was just
> unreachable (also see this page
> http://wiki.openrbl.org/wiki/Blackhole.securitysage.com). Now it
> seems weird that if the rbl host is unreachable Postfix decides to
> simply take that as a "ah well, just block everything then", or
> maybe something else was going on?

The domain was returned to networksolutions.com, which answers every
A query. Not nice. Stop using it.

--
Please do not send copies of list mail to me; I read the list!

.''`. martin f. krafft
: :' : proud Debian developer, author, administrator, and user
`. `'` http://people.debian.org/~madduck - http://debiansystem.info
`- Debian - when you have better things to do than fixing systems

NP: Rage Against The Machine / Rage Against The Machine
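A zone sanity check that would have caught this failure mode, added here as an example (not code from the thread, from Postfix or from any list member): it queries the RFC 5782 test entries, where 127.0.0.2 must be listed and 127.0.0.1 must never be, so a parked domain that answers every A query (as resalehost.networksolutions.com did here) is flagged as broken before it rejects all mail, and a zone that answers nothing is reported as dead rather than as a listing. `parked_resolver` is a constructed fake built from the `host` output above; the function names and the `bl.example` zone are assumptions.

```python
import ipaddress
import socket
from typing import Callable, Optional, Tuple

# RFC 5782 test entries: 127.0.0.2 must be listed by any working IPv4 DNSBL,
# 127.0.0.1 must never be listed. Real listings answer inside 127.0.0.0/8.
MUST_BE_LISTED = "127.0.0.2"
MUST_NOT_BE_LISTED = "127.0.0.1"
DNSBL_REPLY_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

# A resolver maps a query name to its A record, or None on NXDOMAIN/timeout.
Resolver = Callable[[str], Optional[str]]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name: str) -> Optional[str]:
    """Real lookup through the system resolver (used when no fake is given)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_dnsbl_zone(zone: str, resolve: Resolver = system_resolver) -> Tuple[str, str]:
    """Classify a DNSBL zone as 'ok', 'dead' or 'broken', with a reason.

    Postfix's reject_rbl_client treats any A record as a listing, so a zone
    that answers for 127.0.0.1 (e.g. a parked domain with a wildcard A record)
    would reject every client and must be dropped from the restriction list."""
    unlisted = resolve(dnsbl_query_name(MUST_NOT_BE_LISTED, zone))
    if unlisted is not None:
        return "broken", f"{zone} lists 127.0.0.1 ({unlisted}): it answers every query"
    listed = resolve(dnsbl_query_name(MUST_BE_LISTED, zone))
    if listed is None:
        return "dead", f"{zone} does not list 127.0.0.2: no answers, Postfix ignores it"
    if ipaddress.IPv4Address(listed) not in DNSBL_REPLY_RANGE:
        return "broken", f"{zone} replied {listed}, outside {DNSBL_REPLY_RANGE}"
    return "ok", f"{zone} lists 127.0.0.2 as {listed} and nothing else"

def parked_resolver(name: str) -> Optional[str]:
    """Constructed fake reproducing the thread: every name under the zone
    resolves to the parking host's address seen in the `host` output above."""
    return "205.178.189.128"

if __name__ == "__main__":
    # Constructed run against the fake: reports the zone as broken.
    print(check_dnsbl_zone("blackhole.securitysage.com", parked_resolver))
```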
