Friday, October 28, 2011

Spam filter blacklists and ISP DNS

This is something that I discovered a long time ago, however every once in a while I forget it's an issue and it bites me in the ass. If you implement a DNS Blacklist (DNSBL/RBL) or URL Blacklist (URIBL/URLBL), you had better make sure that the DNS servers your mail server and/or spam software use are not trying to be smarter than they are.

I had a client where we recently deployed an Exchange server on-site. Everything was tested and working fine, then the next day they informed us that all of their emails were going to their junk folders. So I pulled up the logs, and sure enough every email was either getting caught in the DNS Blacklist or the URI DNS Blacklist. The culprit in this case was Roadrunner's DNS servers.

During my investigation I sent a mostly blank email from Outlook through my Gmail account to see what it would do. Based on the debug logs, I found that (as it should) the spam filter (GFI MailEssentials in this case) extracted multiple URLs from my email. Most of them were nonsense (references to Microsoft classes), but one of them was causing the issue. The spam software had found that www.w3.org is listed on a SPAM URI Blacklist (multi.surbl.org) and so the message was deemed to be spam.

A little closer investigation found the following when looking it up:

> www.w3.org.multi.surbl.org
Server:  UnKnown
Address:  ::1

Non-authoritative answer:
Name:    www.w3.org.multi.surbl.org
Address:  204.232.137.207

As some of you may know, w3.org are the people in charge of the standards for the web, so obviously their site is legitimate. As some of you may also note, DNS Blacklists are supposed to respond with localhost IPs (127.0.0.0/8) for a listed name and NXDOMAIN for everything else, not a routable address. Sure enough, if you browse to the IP returned, you get a Roadrunner search page: the ISP resolver is rewriting NXDOMAIN answers into the address of its own search page, so every non-listed name looks "listed". This could be considered partially the fault of GFI for accepting it even though it's not a localhost address, but I'll blame Roadrunner in this case.
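To make the check GFI was missing concrete, here is an added example (not code from the post, GFI, or SURBL) that treats a DNSBL answer as "listed" only when it falls in 127.0.0.0/8, and first sends a random canary lookup under the blacklist zone to detect a resolver that rewrites NXDOMAIN. The resolver is an injected callable so the example runs offline; the hostnames, the 127.0.0.2 listing code and `make_fake_resolver` are constructed stand-ins for real DNS.

```python
import ipaddress
import secrets
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to its A records; an empty list stands for NXDOMAIN.
Resolver = Callable[[str], List[str]]

# Genuine DNSBL "listed" answers live in 127.0.0.0/8. Anything routable is not a
# blacklist verdict, no matter which zone the name was queried under.
DNSBL_ANSWER_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(host: str, zone: str) -> str:
    """www.w3.org + multi.surbl.org -> www.w3.org.multi.surbl.org"""
    return f"{host.rstrip('.')}.{zone.rstrip('.')}"


def dnsbl_verdict(answers: List[str]) -> str:
    """'listed' for 127/8 answers, 'clean' for NXDOMAIN, 'invalid' for anything else."""
    if not answers:
        return "clean"
    if all(ipaddress.ip_address(a) in DNSBL_ANSWER_NET for a in answers):
        return "listed"
    return "invalid"  # e.g. an ISP search-page address substituted for NXDOMAIN


def resolver_rewrites_nxdomain(resolve: Resolver, zone: str) -> bool:
    """Canary: a random label under the zone must be NXDOMAIN on a sane resolver."""
    canary = dnsbl_query_name("nx-" + secrets.token_hex(8), zone)
    return len(resolve(canary)) > 0


def check_host(host: str, zone: str, resolve: Resolver) -> str:
    """Full check: refuse to trust a hijacking resolver, then classify the answer."""
    if resolver_rewrites_nxdomain(resolve, zone):
        return "resolver-unusable"
    return dnsbl_verdict(resolve(dnsbl_query_name(host, zone)))


def make_fake_resolver(table: Dict[str, List[str]], rewrite_to: Optional[str] = None) -> Resolver:
    """Constructed stand-in for DNS: 'table' holds the real answers; 'rewrite_to'
    simulates an ISP resolver that replaces NXDOMAIN with its search-page address."""
    def resolve(name: str) -> List[str]:
        if name in table:
            return table[name]
        return [rewrite_to] if rewrite_to else []
    return resolve


# Constructed sample data: only listed.example is actually on the blacklist.
SAMPLE_LISTINGS = {"listed.example.multi.surbl.org": ["127.0.0.2"]}
```

With a real resolver, `resolve` would wrap your DNS library's A lookup and return `[]` on NXDOMAIN; the canary then fails on exactly the kind of resolver described in the post.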

The solution for the client was of course to change their DNS servers to something else and clear the cache. I don't know how Roadrunner (and I know they're not the only one) can be so naive as to think that they can just send people to a search page whenever a name doesn't resolve, but hopefully this will save someone a headache.
