False positive on SpamHaus
-
Cloudron keeps saying that my IP is in they database, but SpamHause says it 'has no issues'.
The issue has been noticed like a week ago and is still there.
Cloudron - both 8.2.3 and 8.2.4
How can I troubleshoot / collect more information?
-
What does https://mxtoolbox.com/blacklists.aspx say?
-
What does https://mxtoolbox.com/blacklists.aspx say?
@jdaviescoates all good!
-
J joseph marked this topic as a question on
-
Did you check both ipv4
and ipv6? is there anything in the box logs?edit: i was wrong, cloudron does not check ipv6 (cc @girish
maybe you can try
host -t A <reverse-ip-address>.zen.spamhaus.org 127.0.0.150on your server . This is what Cloudron does to determine if it's listed or not. If your IP is say1.2.3.4, then reverse-ip is you have to look up4.3.2.1.zen.spamhaus.org. If listed, it will return some loopback address -
Did you check both ipv4
and ipv6? is there anything in the box logs?edit: i was wrong, cloudron does not check ipv6 (cc @girish
maybe you can try
host -t A <reverse-ip-address>.zen.spamhaus.org 127.0.0.150on your server . This is what Cloudron does to determine if it's listed or not. If your IP is say1.2.3.4, then reverse-ip is you have to look up4.3.2.1.zen.spamhaus.org. If listed, it will return some loopback address@joseph thank you - it returns me
127.255.255.254. For all IP addresses I've tried - including 127.0.0.1:host -t A 1.0.0.127.zen.spamhaus.org -
@potemkin_ai see https://www.spamhaus.org/resource-hub/dnsbl/spamhaus-dnsbl-return-codes-technical-update/ . this means you are using an open resolver (like Google DNS or Cloudflare DNS) . Maybe you configured unbound to use them .
-
@potemkin_ai see https://www.spamhaus.org/resource-hub/dnsbl/spamhaus-dnsbl-return-codes-technical-update/ . this means you are using an open resolver (like Google DNS or Cloudflare DNS) . Maybe you configured unbound to use them .
@joseph not that I did something on purpose - how do I check that?
And how reliable is that kind of check then, if I can't use DNS servers of choice? -
@potemkin_ai here - https://contact-center.spamhaus.org/ . Might be worth asking them why it thinks your server IP is an open resolver .
-
@joseph , how do I verify if the DNS configuration suits your requirements?
And what do you mean about 'open resolver'? This server is no way opened to anyone - that's for sure!
-
@joseph , how do I verify if the DNS configuration suits your requirements?
And what do you mean about 'open resolver'? This server is no way opened to anyone - that's for sure!
@potemkin_ai they have a more technical article here - https://www.spamhaus.com/resource-center/successfully-accessing-spamhauss-free-block-lists-using-a-public-dns/ and https://www.spamhaus.com/product/help-for-spamhaus-public-mirror-users/. Open resolver refers to the DNS server ultimately resolving your DNS queries and not your Cloudron server.
-
@joseph , I'm sorry, that might be awkward, but I would like to figure out what is wrong with Cloudron, that I'm the only one person that is getting this error.
You mentioned that Cloudron relies on DNS server resolving - may I kindly ask you to let me know how exactly that works? What is getting called?
I would rather fix my system as opposed to hack even more to get troubles on the next update...
-
@joseph , I'm sorry, that might be awkward, but I would like to figure out what is wrong with Cloudron, that I'm the only one person that is getting this error.
You mentioned that Cloudron relies on DNS server resolving - may I kindly ask you to let me know how exactly that works? What is getting called?
I would rather fix my system as opposed to hack even more to get troubles on the next update...
@potemkin_ai just a quick write up explaining the whole thing.
DNSBL is a way to figure if an IP is a spammer or not. The DNSBL "protocol" is to do a DNS A record query for
<reverse-ip-address>.zen.spamhaus.org. This is done usinghost -t A <reverse-ip-address>.zen.spamhaus.org.Some DNSBL services such as zen spamhaus block resolution of DNS via open resolvers. If your server or network indirectly uses Google/Cloudflare DNS etc, then the above resolution will not work since the spamhaus service rejects the DNS requests (it's their policy).
On Cloudron, we use
unbound- a DNS resolver. It's whole purpose is to do the DNS lookup on it's own and not use external Google/Cloudflare etc. This runs on 127.0.0.150 (systemctl status unbound). On Cloudron, the equivalent is :host -t A <reverse-ip-address>.zen.spamhaus.org 127.0.0.150(i.e look up via unbound) . If you remove the 127.0.0.150 it will use your server's default DNS settings (most likely systemd-resolved).If the above via unbound is not working on yours (as shown in your output), I can only think of three reasons:
- your server's IP is blacklisted
- you have configured unbound to forward requests to an open resolver
- your server/network uses some open resolver indirectly/without your knowledge
I don't have a step-by-step guide to debug this (tbh, I don't know how to figure if a server/network uses an open resolver indirectly), but I think it might be easiest to reach out to SpamHaus to ask them if your server IP is blocked for a start. And if you have not added any explicit unbound config, you can then ask your VPS provider next.
-
@potemkin_ai just a quick write up explaining the whole thing.
DNSBL is a way to figure if an IP is a spammer or not. The DNSBL "protocol" is to do a DNS A record query for
<reverse-ip-address>.zen.spamhaus.org. This is done usinghost -t A <reverse-ip-address>.zen.spamhaus.org.Some DNSBL services such as zen spamhaus block resolution of DNS via open resolvers. If your server or network indirectly uses Google/Cloudflare DNS etc, then the above resolution will not work since the spamhaus service rejects the DNS requests (it's their policy).
On Cloudron, we use
unbound- a DNS resolver. It's whole purpose is to do the DNS lookup on it's own and not use external Google/Cloudflare etc. This runs on 127.0.0.150 (systemctl status unbound). On Cloudron, the equivalent is :host -t A <reverse-ip-address>.zen.spamhaus.org 127.0.0.150(i.e look up via unbound) . If you remove the 127.0.0.150 it will use your server's default DNS settings (most likely systemd-resolved).If the above via unbound is not working on yours (as shown in your output), I can only think of three reasons:
- your server's IP is blacklisted
- you have configured unbound to forward requests to an open resolver
- your server/network uses some open resolver indirectly/without your knowledge
I don't have a step-by-step guide to debug this (tbh, I don't know how to figure if a server/network uses an open resolver indirectly), but I think it might be easiest to reach out to SpamHaus to ask them if your server IP is blocked for a start. And if you have not added any explicit unbound config, you can then ask your VPS provider next.
@girish thank you!
My DNS servers setup to Hetzner's ones, as per
resolvctl.I believe I messed up with DNS unintentionally. unbound is up and running - how do I make sure the system use it?
Or, to rephrase, how do you setup the system to use unbound initially?
-
@potemkin_ai just a quick write up explaining the whole thing.
DNSBL is a way to figure if an IP is a spammer or not. The DNSBL "protocol" is to do a DNS A record query for
<reverse-ip-address>.zen.spamhaus.org. This is done usinghost -t A <reverse-ip-address>.zen.spamhaus.org.Some DNSBL services such as zen spamhaus block resolution of DNS via open resolvers. If your server or network indirectly uses Google/Cloudflare DNS etc, then the above resolution will not work since the spamhaus service rejects the DNS requests (it's their policy).
On Cloudron, we use
unbound- a DNS resolver. It's whole purpose is to do the DNS lookup on it's own and not use external Google/Cloudflare etc. This runs on 127.0.0.150 (systemctl status unbound). On Cloudron, the equivalent is :host -t A <reverse-ip-address>.zen.spamhaus.org 127.0.0.150(i.e look up via unbound) . If you remove the 127.0.0.150 it will use your server's default DNS settings (most likely systemd-resolved).If the above via unbound is not working on yours (as shown in your output), I can only think of three reasons:
- your server's IP is blacklisted
- you have configured unbound to forward requests to an open resolver
- your server/network uses some open resolver indirectly/without your knowledge
I don't have a step-by-step guide to debug this (tbh, I don't know how to figure if a server/network uses an open resolver indirectly), but I think it might be easiest to reach out to SpamHaus to ask them if your server IP is blocked for a start. And if you have not added any explicit unbound config, you can then ask your VPS provider next.
@girish I am the second person having this problem my isp is Verizon fios with static ip and they provided specific dns instructions and i doubled checked my cloud xg gateway from unify it shouldn't use dnsec but still spamhouse is block this is i am getting false positive
i restart netplan after applying dns directly in netplan provided by netplan and it came negative but after few seconds it went back again to positive please see the next picture below
-
@potemkin_ai @DualOSWinWiz one caveat I rediscovered recently (sorry, I forgot this entirely) is this file : https://git.cloudron.io/platform/box/-/blob/master/setup/start/unbound/prefer-ip4.conf?ref_type=heads
We do spamhaus queries via unbound. If your server has IPv6, then older version of unbound might use IPv6 and SpamHaus often fails those queries. From ubuntu 24, there is a flag to tell unbound to prefer ipv4 instead of the ipv6 . Does this situation apply to either of you ? i.e do you have ubuntu < 24 and ipv6 ? if so, this might be the issue
-
@potemkin_ai @DualOSWinWiz one caveat I rediscovered recently (sorry, I forgot this entirely) is this file : https://git.cloudron.io/platform/box/-/blob/master/setup/start/unbound/prefer-ip4.conf?ref_type=heads
We do spamhaus queries via unbound. If your server has IPv6, then older version of unbound might use IPv6 and SpamHaus often fails those queries. From ubuntu 24, there is a flag to tell unbound to prefer ipv4 instead of the ipv6 . Does this situation apply to either of you ? i.e do you have ubuntu < 24 and ipv6 ? if so, this might be the issue
@girish ipv6 has been disabled wherever possible, but it seems like it can't be switched off completely, even with
sysctlcalls.But, yeah - I'm running 22.04 and the config file is not there.
Shall I create one at
/etc/unbound/unbound.conf.d/? Willsystemctl restart unboundbe sufficient afterwards? -
@girish ipv6 has been disabled wherever possible, but it seems like it can't be switched off completely, even with
sysctlcalls.But, yeah - I'm running 22.04 and the config file is not there.
Shall I create one at
/etc/unbound/unbound.conf.d/? Willsystemctl restart unboundbe sufficient afterwards? -
@potemkin_ai you have to upgrade ubuntu for that option to work. the old unbound doesn't start with that option .
@girish afraid can't do that at the moment...
I can see that I have unbound 1.13.1 on my Ubuntu.
From the issue discussion at the year 2021 I can see they are discussing that option with unbound 1.13; and unbound 1.13.1 has been released at 9 Feb 2021 - which all leads me to believe that this option could be recognized... Unless I'm missing something?
I wonder if spamhaus has some support.