FortiGate
Article Id 194252

Description


This article describes how to manually test an IP address connecting to the SMTP server to verify whether it is considered a Spam source by various RBL/ORDBL/DNSBL services.

 

Solution

 

This example uses a Microsoft Windows system running the Command Prompt.

Before beginning, identify the IP address in question by viewing the SMTP server logs or the Received header details of the email.

 

For this example, the IP address to verify is 81.66.47.103.

 

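To verify the IP address, enter the following commands at the command prompt. The query name is the IP address with its octets reversed, followed by the name of the DNSBL zone: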

 

C:\>nslookup 
> 103.47.66.81.dynablock.njabl.org

The response returned is:

Server: [your server]
Address: [your server IP address]

Non-authoritative answer:
Name: 103.47.66.81.dynablock.njabl.org
Address: 127.0.0.3

 

The dynablock.njabl.org database returned an address of 127.0.0.3, which is designated as a Spam source.

Typically, a returned address of the form 127.0.0.x identifies a type of Spam category.

The FortiGate unit will recognize all of these results as Spam.

 

A search on the text record provides further details on the Spam source.

To search on the text record, enter the following commands at the command prompt:

 

> set type=txt
> 103.47.66.81.dynablock.njabl.org

The response provides the following information:

Non-authoritative answer:
103.47.66.81.dynablock.njabl.org text =
"Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html"

dynablock.njabl.org nameserver = ns5.njabl.org
dynablock.njabl.org nameserver = ns6.njabl.org
dynablock.njabl.org nameserver = ns1.njabl.org
dynablock.njabl.org nameserver = ns2.njabl.org
dynablock.njabl.org nameserver = ns3.njabl.org
dynablock.njabl.org nameserver = ns4.njabl.org
ns1.njabl.org internet address = 209.208.0.96
ns2.njabl.org internet address = 69.28.95.74
ns3.njabl.org internet address = 69.28.95.42
ns4.njabl.org internet address = 209.208.92.254
ns5.njabl.org internet address = 209.208.0.111
ns6.njabl.org internet address = 69.28.95.66

Receiving different results.


Different databases may show different results. In the following example, the sbl.spamhaus.org service does not identify the same IP address as a spam source.

 

> 103.47.66.81.sbl.spamhaus.org
Server: [your server]
Address: [your server IP address]
*** ns-cache0.oleane.net can't find 103.47.66.81.sbl.spamhaus.org: Non-existent domain

 

Note that if multiple RBL/ORDBL/DNSBL services are configured on the FortiGate, the first positive Spam hit returned by any service is sufficient to mark the email as Spam.

That is, all configured RBL/ORDBL/DNSBL services must return a negative result for the incoming email not to be considered Spam.
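
The manual lookups above can be scripted. The following is an added example, not Fortinet code: it builds the reversed-octet query name, treats only 127.0.0.x answers as a listing, and stops at the first positive hit. The function names, the sequential query order and the constructed sample resolver (which mirrors the two answers shown in this article) are assumptions of the example.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def system_resolver(name):
    """Return the A record for name, or None if the name does not resolve.
    Note: a lookup failure or timeout is also reported as None (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listing(answer):
    """Count only 127.0.0.x answers as a listing (assumption of this example)."""
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/24")

def check_ip(ip, zones, resolver=system_resolver):
    """Query each zone in order and stop at the first positive hit.
    Returns (is_spam, listing_zone, answer, zones_queried)."""
    queried = []
    for zone in zones:
        queried.append(zone)
        answer = resolver(dnsbl_query_name(ip, zone))
        if is_listing(answer):
            return True, zone, answer, queried
    return False, None, None, queried

# Constructed sample data mirroring the two lookups shown in the article.
SAMPLE_ANSWERS = {"103.47.66.81.dynablock.njabl.org": "127.0.0.3"}

def sample_resolver(name):
    """Offline stand-in for DNS: a missing name means 'Non-existent domain'."""
    return SAMPLE_ANSWERS.get(name)

if __name__ == "__main__":
    zones = ["sbl.spamhaus.org", "dynablock.njabl.org"]
    print(check_ip("81.66.47.103", zones, resolver=sample_resolver))
```

Calling `check_ip` without the `resolver` argument performs live lookups through the system resolver.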
