egeland / nagios-rbl-check

Icinga/Nagios spam blacklist check, written in Python
GNU General Public License v3.0
34 stars 18 forks

hostkarma problem #21

Open SteScho opened 6 years ago

SteScho commented 6 years ago

Hi all.

One of our mail gates is listed on hostkarma.junkemailfilter.com. A DNS query reports two results, but Python's gethostbyname uses only one of them.

check result:

```
root@icinga:/tmp# /usr/lib/nagios/plugins/check_rbl.py -w1 -c1 -h 144.xx.xx.237
CRITICAL: 144.xx.xx.237 on 1 blacklist(s): hostkarma.junkemailfilter.com
```

manual DNS lookup:

```
wartung@h2436360:~$ host 237.xx.xx.144.hostkarma.junkemailfilter.com
237.xx.xx.144.hostkarma.junkemailfilter.com has address 127.0.1.1
237.xx.xx.144.hostkarma.junkemailfilter.com has address 127.0.0.3
```

The 127.0.0.3 says we are yellow listed which means that we have no blacklist entry: http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists#List_Logic

The 127.0.1.1 is experimental data as explained here: http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists#Experimental_Return_Codes

My problem is that gethostbyname only uses one IP address, and that you can't tell that 127.0.0.3 is a blacklist entry on hostkarma.

Greetings, Steffen

hmoffatt commented 6 years ago

Hi Steffen, thanks for the report. This is interesting.

So you have two problems.

  1. Multiple A records from the DNSBL but check_rbl only sees one. This can be fixed using socket.getaddrinfo or dnspython I think.

  2. "Yellowlisted" code. I'm not clear what you want to happen here - do you want 127.0.0.3 to be treated as not listed, and 127.0.1.1 too? Unfortunately it looks like these codes are not standardized, as 127.0.0.3 from SBL is definitely bad (https://www.spamhaus.org/faq/section/DNSBL%20Usage#200). We would have to add some codes for each service in the list I guess.
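As an added example (not code from the plugin or from anyone in this thread), this is how both points could be handled together: collecting every A record with socket.getaddrinfo instead of gethostbyname, and filtering the answers through a per-list table of codes that do not count as a listing. The zone name sbl.spamhaus.org, the address 192.0.2.10 and the DNS answers are assumptions constructed so the script runs offline.

```python
import socket
from typing import Callable, Dict, List, Set

# Return codes that are NOT a blacklist hit on a given DNSBL. The codes are not
# standardized: on hostkarma 127.0.0.3 is "yellow" (stop searching, not listed)
# and 127.0.1.1 is experimental statistics, while 127.0.0.3 from Spamhaus SBL
# is a real listing. Only the codes discussed in the thread are entered here.
NOT_LISTED_CODES: Dict[str, Set[str]] = {
    "hostkarma.junkemailfilter.com": {"127.0.0.3", "127.0.1.1"},
}

Lookup = Callable[[str], List[str]]

def reverse_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def getaddrinfo_lookup(name: str) -> List[str]:
    """Return every A record for name. socket.gethostbyname returns only the
    first answer, which is how the second hostkarma record gets missed."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # NXDOMAIN: the address is not on this list at all
    return sorted({info[4][0] for info in infos})

def listing_codes(ip: str, zone: str, lookup: Lookup = getaddrinfo_lookup) -> List[str]:
    """Answer codes from zone that count as a real listing for ip."""
    ignored = NOT_LISTED_CODES.get(zone, set())
    return [code for code in lookup(reverse_name(ip, zone)) if code not in ignored]

def check_rbl(ip: str, zones: List[str], warn: int, crit: int,
              lookup: Lookup = getaddrinfo_lookup) -> str:
    """Nagios-style verdict: count lists with a real listing against -w/-c."""
    listed = sorted(z for z in zones if listing_codes(ip, z, lookup))
    n = len(listed)
    status = "CRITICAL" if n >= crit else "WARNING" if n >= warn else "OK"
    detail = f": {', '.join(listed)}" if listed else ""
    return f"{status}: {ip} on {n} blacklist(s){detail}"

# Constructed offline answers mirroring the thread (192.0.2.10 stands in for the
# anonymised 144.xx.xx.237): hostkarma returns two records, SBL returns one.
CONSTRUCTED_ANSWERS: Dict[str, List[str]] = {
    "10.2.0.192.hostkarma.junkemailfilter.com": ["127.0.1.1", "127.0.0.3"],
    "10.2.0.192.sbl.spamhaus.org": ["127.0.0.3"],
}

def constructed_lookup(name: str) -> List[str]:
    return sorted(CONSTRUCTED_ANSWERS.get(name, []))

if __name__ == "__main__":
    zones = ["hostkarma.junkemailfilter.com", "sbl.spamhaus.org"]
    print(check_rbl("192.0.2.10", zones, warn=1, crit=1, lookup=constructed_lookup))
```

With the real resolver, pass no `lookup` argument; the constructed one only exists so the logic can be exercised without network access.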

SteScho commented 6 years ago

Hi.

Yes, I have those two problems.

  1. I'm not such a Python guru that I can tell in detail - but I also think that changing to getaddrinfo or something similar should work.
  2. Yes, that is very bad - the RBLs don't have one set of result codes that all of them use. In the Hostkarma Wiki (http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists) you can read that 127.0.1.1 is an experimental header with some statistical information. That one is uninteresting for the RBL check and can be ignored. The 127.0.0.3 means that our server is yellow listed. That means "no white listing and stop searching for black list entries". That is a state for the "big ones" such as Google, Hotmail and others.

It would be so easy if we/you could expect that all lists always return the same result sets. That would be great. I would be very happy as a mail admin, too. But I'm with you that it is necessary for some entries in the list to have the possibility to change the filter for "is blacklisted". Maybe a regex or something else.

Greetings, Steffen

stefandewal commented 3 years ago

Hi, we have the same issue with our primary SMTP server. We are also yellow listed. Is there any way around this besides deleting the hostkarma check?