We have received several reports about an increased false positive rate in ORF installations. After a brief investigation, it seems the legitimate emails were all blocked by the uribl.com URL Blacklist with the following log message:
Blacklisted by the UB-BLACK SURBL (domain:”example.com”, DNS lookup result: 127.0.0.1)
By default, the uribl.com definition in ORF is configured to consider any response form the queried server as a hit, but actually, the 127.0.0.1 response indicates that uribl.com does not accept any queries from the DNS server.
After investigating this further, it seems the affected ORF users all use Google public DNS servers for the queries (or use such servers as forwarders in their local DNS configuration). Uribl.com is known to simply ignore queries initiated by DNS servers exceeding their query limit, but all of a sudden they have started to return 127.0.0.1 instead.
In other words, these queried domains found in incoming emails are not listed in uribl.com, but if you use Googe public DNS servers, ORF thinks they are.
Quick fix
- Start the Administration Tool
- Navigate to the Configuration / Filtering – On Arrival / URL Blacklists page using the navigation tree on the left
- Double-click uribl.com Blacklist
- Click the Lookup results tab, uncheck the Blacklist if DNS record exists (regardless record data) option
- Click New
- Add 127.0.0.2, click OK, then OK again
- Save your configuration to apply the changes by pressing Ctrl + S
This will ensure uribl.com will block the email only if it returns a response explicitly indicating a hit (127.0.0.2). We will also change this in the default definition file shipped with future ORF versions.
To avoid such problems in the future, make sure you local DNS server queries the root servers directly. The DNS servers configured in ORF should/must meet the following requirements:
They must support recursion
Recursion means the DNS server returns the query result in a single step instead of redirecting ORF to the root DNS servers. This feature in enabled by default in Microsoft® DNS servers.
They should be on the local network or on the ORF computer
Using ISP DNS servers and third-party DNS resolution services (such as OpenDNS or Google Public DNS) is discouraged: you have no control of the configuration of such third-party party DNS servers, and these are usually banned by free DNS and URL Blacklist lookup services (i.e., they will not respond to the queries or return false data).
They should not use forwarders
Forwarders usually work with a large cache, which is usually no problem in simple name resolution, but will cause inaccurate (outdated) query results to be returned when checking online DNS and URL blacklists, causing degraded filtering performance. Also, using public DNS servers as forwarders may cause unexpected issues (see above).
They should not be the DNS server authoritative for your own domain (and supports your Active Directory)
Occasionally, ORF may need to query the records of your own domain (e.g., for the SPF test). The authoritative DNS server may not see your public MX or A/CNAME record if your internal AD domain name is the same as your public domain name (e.g., domain.com, instead of domain.local or domain.internal), resulting in false positives.