We have received several reports about an increased false positive rate in ORF installations. After a brief investigation, it seems the legitimate emails were all blocked by the uribl.com URL Blacklist with the following log message:
Blacklisted by the UB-BLACK SURBL (domain:”example.com”, DNS lookup result: 127.0.0.1)
By default, the uribl.com definition in ORF is configured to consider any response form the queried server as a hit, but actually, the 127.0.0.1 response indicates that uribl.com does not accept any queries from the DNS server.
After investigating this further, it seems the affected ORF users all use Google public DNS servers for the queries (or use such servers as forwarders in their local DNS configuration). Uribl.com is known to simply ignore queries initiated by DNS servers exceeding their query limit, but all of a sudden they have started to return 127.0.0.1 instead.
In other words, these queried domains found in incoming emails are not listed in uribl.com, but if you use Googe public DNS servers, ORF thinks they are.
Quick fix
- Start the Administration Tool
- Navigate to the Configuration / Filtering – On Arrival / URL Blacklists page using the navigation tree on the left
- Double-click uribl.com Blacklist
- Click the Lookup results tab, uncheck the Blacklist if DNS record exists (regardless record data) option
- Click New
- Add 127.0.0.2, click OK, then OK again
- Save your configuration to apply the changes by pressing Ctrl + S
This will ensure uribl.com will block the email only if it returns a response explicitly indicating a hit (127.0.0.2). We will also change this in the default definition file shipped with future ORF versions.
To avoid such problems in the future, make sure you local DNS server queries the root servers directly. The DNS servers configured in ORF should/must meet the following requirements:
They must support recursion
Recursion means the DNS server returns the query result in a single step instead of redirecting ORF to the root DNS servers. This feature in enabled by default in Microsoft® DNS servers.
They should be on the local network or on the ORF computer
Using ISP DNS servers and third-party DNS resolution services (such as OpenDNS or Google Public DNS) is discouraged: you have no control of the configuration of such third-party party DNS servers, and these are usually banned by free DNS and URL Blacklist lookup services (i.e., they will not respond to the queries or return false data).
They should not use forwarders
Forwarders usually work with a large cache, which is usually no problem in simple name resolution, but will cause inaccurate (outdated) query results to be returned when checking online DNS and URL blacklists, causing degraded filtering performance. Also, using public DNS servers as forwarders may cause unexpected issues (see above).
They should not be the DNS server authoritative for your own domain (and supports your Active Directory)
Occasionally, ORF may need to query the records of your own domain (e.g., for the SPF test). The authoritative DNS server may not see your public MX or A/CNAME record if your internal AD domain name is the same as your public domain name (e.g., domain.com, instead of domain.local or domain.internal), resulting in false positives.
It is not solely related to using Google’s DNS servers as we had a customer with the problem yesterday and they don’t use their DNS forwarders at all.
Will tweak their ORF config and re-enable the URL Blacklist checking.
Alan
@Alan: do they use the DNS server of their ISP by any chance, or OpenDNS? If they use a local DNS server without forwarders, how many emails are checked by ORF a day?
Is there any sort of alert service where vamsoft might email current customers when something this important comes up? I totally missed this until complaints started rolling in.
@Alan – omg you’re here too :) I ran into you several times on Experts-Exchange (bryon44035v3)
sadly shortly after about 1.2M points i dropped out when our first child arrived.
anyway great to see your name again
@Bryon: currently, we send out email alerts only if a serious bug is found in ORF itself, other problems with 3rd party services possibly affecting ORF users are only announced in our blog, forums (News & Announcements) and news section currently (plus our Facebook and Twitter pages).
Though we sometimes make an exception from the policy above, the problem affected relatively small amount of ORF users according to the number of support inquiries we received, so we decided not to send out any emails regarding this issue (most people are very sensitive when it comes to email notifications, so we should tread lightly here).
All I can suggest is subscribing to the RSS feed of our blog, news, and forum to be notified if something similar comes up.
Thank you for your understanding.