dnsbl [blocks the whole Internet]

This problem appeared on 20 March 2013, starting with a report from a fellow office staff member that he was not receiving any e-mail at all in his account, something that should not happen because he subscribes to a fairly active mailing list.

An initial check of the maillog turned up a few things that somewhat obscured the real problem, such as:
Apr 2 03:01:01 students sendmail[98938]: gethostbyaddr(192.168.2.2) failed: 1
Apr 2 03:01:02 students sendmail[98983]: gethostbyaddr(192.168.2.2) failed: 1

The error above is [actually] unrelated to the problem discussed here, because that IP address sits on an interface that is not in use (disabled); to stop this message from appearing, remove the IP address setting from that interface.

Then there was this message:
Apr 2 02:42:30 students sendmail[98806]: r31JgNd1098806: Losing ./qfr31JgNd1098806: savemail panic
Apr 2 02:42:30 students sendmail[98806]: r31JgNd1098806: SYSERR(www): savemail: cannot save rejected email anywhere

It was a little puzzling why this message suddenly appeared, since no settings had been changed on the server, neither the sendmail configuration, the aliases, nor anything else.

The next step was to send a test mail and watch what happened in the maillog:
Apr 2 08:40:01 students sm-mta[803]: ruleset=check_relay, arg1=mail.????.ac.id, arg2=118.98.96.151, relay=mail.????.ac.id [IP_address_mail_server], reject=554 5.7.1 Mail from IP_address_mail_server rejected, site listed on http://www.spamhaus.org

This was not normal, because it is almost impossible that our mail server's IP address is blocked at Spamhaus, and a query to Spamhaus confirmed this (the server IP is not listed by Spamhaus).
On closer inspection, something on that line stood out: arg2=118.98.96.151. Normally a successful query to Spamhaus returns arg2=127.0.0.x [the value of x varies].
Traceroute to 118.98.96.151:

traceroute to 118.98.96.151 (118.98.96.151), 64 hops max, 40 byte packets
 1 222.124.??.?? (222.124.??.??) 1.173 ms 0.665 ms 0.856 ms
 2 192.168.102.2 (192.168.102.2) 13.481 ms 11.375 ms 11.103 ms
 3 118.98.96.151 (118.98.96.151) 11.973 ms 11.483 ms 11.471 ms


Googling and asking the provider's technical support showed that this IP address belongs to the ISP.
From this it is clear that the problem occurred because queries to zen.spamhaus.org were being redirected by the provider's DNS to 118.98.96.151; according to the ISP, there had indeed recently been a problem with their DNS.
The Spamhaus FAQ has an explanation that fits this case exactly:
http://www.spamhaus.org/faq/section/DNSBL%2520Usage#243

Your DNSBL blocks the whole Internet!

There can be several reasons why a DNSBL appears to list all IPv4 addresses (when it really doesn't):

When you implement Spamhaus DNSBL filtering in your mail server, you must check that the zone you have just entered is spelled properly. If you accidentally put in a wrong domain such as 'spamhous.org' or 'spamhouse.com', the DNS queries generated by your mail server will go to some entirely different and unrelated place which can answer your queries with a valid A record containing an IP address (this is often done by "typosquatters" to catch web traffic). Even if this IP is not a conventional DNSBL answer in the 127.0.0.x range, your mail server may still interpret it as a "listed" answer, and block the mail accordingly.

Another problem we have seen is where ISPs "hijack" some DNS replies. This is done to monetize website traffic. Rather than returning an NXDOMAIN ("not found") answer for a DNS request that cannot be found (resolved), a pointer to an advertizing page or search page is given. Many public or "open" resolvers, as well as some secure resolvers on cloud-based or wide area networks, use NXDOMAIN hijacking. For example, USA ISP, Cox Communication has been doing this in some areas and points people to a webpage like this one. As Spamhaus' "not listed in our zone" replies are the same as a webpage not found reply, users behind this sort of DNS monetization will always see an IP address returned rather than the correct NXDOMAIN DNS answer. If this is the issue, contact your ISP to see if you can opt out. Cox Communication has an informational page with opt-out instructions. Or, for best results, set up your own DNS resolver.

A second form of DNS hijacking has been seen, where an ISP cuts off DNS traffic to DNS servers it feels are being queried too often. That may also return an IP value, which will cause all email to be flagged as spam. They may even null the value of the DNSBL's name. That can cause unpredictable results and you will need to contact your ISP.


A temporary solution is to stop using the provider's DNS servers and switch to OpenDNS.

UPDATE: the cause was not a DNS problem but deliberate: if a user accesses a URL that is [deemed] wrong or invalid, it is redirected to http://mercusuar.info,
and apparently this system treated the URL used to query the spammer IP as invalid.
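As an added example (not code from the original post), the following Python check builds the reversed-octet DNSBL query name, classifies an answer the way the MTA should have (NXDOMAIN = not listed, 127.0.0.0/8 = listed, anything else such as 118.98.96.151 = hijacked resolver), and probes the resolver using the Spamhaus test addresses. The system_resolve helper and the resolver functions passed in for testing are assumptions of this example.

```python
import ipaddress
import socket
from typing import Callable, Iterable

DNSBL_ZONE = "zen.spamhaus.org"  # the zone queried by sendmail in the post
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")  # only valid DNSBL answers


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet DNSBL name, e.g. 151.96.98.118.zen.spamhaus.org."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify_answer(addrs: Iterable[str]) -> str:
    """Interpret DNSBL A-record answers the way a careful MTA should.
    NXDOMAIN (no addresses) -> 'not-listed'; answers only in 127.0.0.0/8 ->
    'listed'; any other address (the ISP hijack seen in the post) -> 'hijacked'."""
    addrs = list(addrs)
    if not addrs:
        return "not-listed"
    if all(ipaddress.IPv4Address(a) in LISTED_NET for a in addrs):
        return "listed"
    return "hijacked"


def system_resolve(name: str) -> list:
    """Assumed helper: resolve with the system resolver; NXDOMAIN -> empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def resolver_health(resolve: Callable[[str], list]) -> dict:
    """Probe the resolver used for DNSBL lookups for NXDOMAIN hijacking.
    Spamhaus documents 127.0.0.2 as a test address listed in every zone and
    127.0.0.1 as never listed, so a resolver that answers the second query
    with a non-127 address is rewriting NXDOMAIN (as the ISP did here)."""
    listed = classify_answer(resolve(dnsbl_query_name("127.0.0.2")))
    clean = classify_answer(resolve(dnsbl_query_name("127.0.0.1")))
    return {
        "test_listed": listed,
        "test_clean": clean,
        "ok": listed == "listed" and clean == "not-listed",
    }


if __name__ == "__main__":
    print(resolver_health(system_resolve))
```

Run on the mail server itself, a result with test_clean == "hijacked" points at the resolver rather than at Spamhaus, which is the distinction the sendmail log line alone does not make.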
