Created on 12-01-2004 12:00 AM Edited on 06-10-2022 04:06 AM By Anthony_E
Description
This article describes how to manually test an IP address connecting to the SMTP server to verify whether it is considered a Spam source by various RBL/ORDBL/DNSBL services.
Solution
This example uses a Microsoft Windows system running the Command Prompt.
Before beginning, identify the IP address in question by viewing the SMTP server logs or the header details of the received email.
For this example, the IP address to verify is 81.66.47.103.
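To verify the IP address, reverse the order of its octets, append the name of the RBL/ORDBL/DNSBL zone, and look up the resulting name. Enter the following commands at the command prompt: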
C:\>nslookup
> 103.47.66.81.dynablock.njabl.org
The response returned is:
Server: [your server]
Address: [your server IP address]
Non-authoritative answer:
Name: 103.47.66.81.dynablock.njabl.org
Address: 127.0.0.3
The dynablock.njabl.org database returned an address of 127.0.0.3, which designates the IP address as a Spam source.
Typically, a returned address of 127.0.0.x denotes a type of Spam category.
The FortiGate unit will recognize all of these results as Spam.
A search on the text record provides further details on the Spam source.
To search on the text record, enter the following commands at the command prompt:
> set type=txt
> 103.47.66.81.dynablock.njabl.org
The response provides the following information:
Non-authoritative answer:
103.47.66.81.dynablock.njabl.org text =
"Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html"
dynablock.njabl.org nameserver = ns5.njabl.org
dynablock.njabl.org nameserver = ns6.njabl.org
dynablock.njabl.org nameserver = ns1.njabl.org
dynablock.njabl.org nameserver = ns2.njabl.org
dynablock.njabl.org nameserver = ns3.njabl.org
dynablock.njabl.org nameserver = ns4.njabl.org
ns1.njabl.org internet address = 209.208.0.96
ns2.njabl.org internet address = 69.28.95.74
ns3.njabl.org internet address = 69.28.95.42
ns4.njabl.org internet address = 209.208.92.254
ns5.njabl.org internet address = 209.208.0.111
ns6.njabl.org internet address = 69.28.95.66
Receiving different results
Different databases may show different results. In the following example, the sbl.spamhaus.org service does not identify the same IP address as a spam source.
> 103.47.66.81.sbl.spamhaus.org
Server: [your server]
Address: [your server IP address]
*** ns-cache0.oleane.net can't find 103.47.66.81.sbl.spamhaus.org: Non-existent domain
Note that if multiple RBL/ORDBL/DNSBL services are configured on the FortiGate, the first positive Spam hit returned by any service is sufficient to mark the email as Spam.
That is, all configured RBL/ORDBL/DNSBL services must return a negative result for the incoming email not to be considered Spam.
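The lookup and the first-hit rule described above, as an added example that is not part of the original article and is not FortiGate code. The function names, the injectable resolver and the sample answers are assumptions made for illustration; the sample answers are constructed to mirror the two nslookup results shown in this article.

```python
import ipaddress
import socket

LISTING_RANGE = ipaddress.ip_network("127.0.0.0/24")  # the article's 127.0.0.x

def dnsbl_name(ip, zone):
    """Build the query name: IPv4 octets reversed, then the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Live A-record lookup. Assumption: any resolution failure is treated
    as 'not listed', although a timeout is not the same as NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_ip(ip, zones, resolve=system_resolver):
    """Return (zone, answer) for the first positive hit, or None when
    every configured zone returns a negative result."""
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        # Only a 127.0.0.x answer counts as a listing; any other address
        # is not a DNSBL return code and is ignored.
        if answer and ipaddress.IPv4Address(answer) in LISTING_RANGE:
            return zone, answer
    return None

# Constructed sample data: one zone lists the address, the other has no record.
SAMPLE_ANSWERS = {"103.47.66.81.dynablock.njabl.org": "127.0.0.3"}

def sample_resolver(name):
    """Offline stand-in for DNS; None stands for 'Non-existent domain'."""
    return SAMPLE_ANSWERS.get(name)

if __name__ == "__main__":
    zones = ["sbl.spamhaus.org", "dynablock.njabl.org"]
    print(check_ip("81.66.47.103", zones, sample_resolver))
```

Calling check_ip without the third argument performs live DNS queries through the system resolver instead of using the constructed answers.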