Assorted Udderances take a pull offa Ben's pipe

11 Nov 2011

Spam filtering foiled by DNS-based whitelisting gone awry

I've had a sense recently that more spam than usual has been making its way through my mail server's filters, and I took the time tonight to figure out why. The result was interesting, a bit surprising, and in hindsight not altogether unexpected.

Like any decent run-of-the-mill mail admin nowadays, I run SpamAssassin as a primary line of defence against incoming junk. Casual spot checks of the headers on recent messages had revealed nothing out of the ordinary — all had spam scores assigned, and all fell below the configured threshold. Yet with messages so obviously spammy, and especially arriving in groups with unusual regularity, something was obviously amiss.

Looking more closely at the tests reported in the X-Spam-Status headers, one caught my eye: RCVD_IN_DNSWL_HI. Guessing that "WL" meant "whitelist", and confirming that this match was responsible for adding −5.0 to the spam score (thereby reducing it), I visited the DNSWL lookup page and manually checked every IP address in the Received headers of one piece of spam in order to determine which rogue relay was incorrectly reported as good.

To my surprise, none was listed. I checked those from a different message, and found the same. I verified these results by doing manual DNS lookups with the "host" command on my Mac. None of the servers that handled these messages was registered in this whitelist, yet SpamAssassin was repeatedly hitting a positive on the test. What was going on?

Naturally I turned to Google for some insight, and found an anecdotal account of how one guy solved a similar problem by changing his DNS resolver to something else, away from Google's public DNS service which he had been using. His problem went away, and messages were no longer being erroneously whitelisted.

For a few minutes I was pondering what Google's DNS servers could have to do with anything when I came across this article from the DNSWL folks that seemed like it might be vaguely related to my problem. The upshot is that due to a huge volume of DNS queries fielded from several particular organizations in violation of their terms of service, DNSWL has retaliated by replying with a "good" response for any and all whitelist queries from such sources.

It dawned on me that this was, in fact, my exact issue. I checked the resolv.conf on my mail server, and lo and behold, the culprit was the DNS server 8.8.8.8, one of Google's public DNS — that's where my machine has been looking for all of its name resolution.

Many months ago I had commented out my ISP's DNS in favour of the Google ones. I can't remember the specifics, but the brief comment I left in the file suggests there had been some intermittent problems with the "house" DNS (which for an SMTP server can cause havoc). So I swapped in the eights as a workaround, and everything had been buzzing along since.

I've now reverted to the local servers, which seem to be working fine, and I expect spam to return to the usual levels.
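To make the diagnosis above repeatable, here is an added Python example (not from the original post) that reproduces what SpamAssassin does for RCVD_IN_DNSWL_*: it reverses each relay IP from the Received headers into a list.dnswl.org query name, maps the 127.0.category.trust answer to the rule name, and adds one canary query for a private address, which a genuine DNSWL answer never lists. The resolvers are stubs standing in for the two behaviours described (nothing listed versus the blanket "good" reply), and the headers, addresses and canary choice are constructed for the example.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional

DNSWL_ZONE = "list.dnswl.org"
# SpamAssassin keys its RCVD_IN_DNSWL_* rules off the last octet of the
# 127.0.<category>.<trust> answer; only the trust-3 (HI) hit is worth -5.0.
TRUST_TO_RULE = {0: "RCVD_IN_DNSWL_NONE", 1: "RCVD_IN_DNSWL_LOW",
                 2: "RCVD_IN_DNSWL_MED", 3: "RCVD_IN_DNSWL_HI"}
# Canary (assumption): a private address is never a listed public relay,
# so a genuine DNSWL lookup for it returns NXDOMAIN.
CANARY_IP = "10.0.0.1"

# Constructed Received: headers standing in for one of the spam messages.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
    by mail.example.org with ESMTP; Fri, 11 Nov 2011 20:01:02 -0500
Received: from relay.example.com (unknown [198.51.100.42])
    by mx.example.net with SMTP; Fri, 11 Nov 2011 19:59:55 -0500
"""

def dnswl_query_name(ip: str) -> str:
    """Build the reversed-octet name SpamAssassin queries in list.dnswl.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + DNSWL_ZONE

def dnswl_rule(answer: Optional[str]) -> Optional[str]:
    """Map a DNSWL A-record answer (None for NXDOMAIN) to the rule it fires."""
    if answer is None:
        return None
    m = re.fullmatch(r"127\.0\.\d+\.(\d)", answer)
    return TRUST_TO_RULE.get(int(m.group(1))) if m else None

def received_ips(headers: str) -> List[str]:
    """Extract bracketed IPv4 literals from Received: headers, in order."""
    return re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", headers)

def audit_resolver(headers: str, lookup: Callable[[str], Optional[str]]) -> Dict[str, object]:
    """Query every relay plus the canary through `lookup` (a function taking a
    DNS name and returning its A record or None). A listed canary means the
    resolver is relaying DNSWL's blanket 'good' reply, not real data."""
    hits = {ip: dnswl_rule(lookup(dnswl_query_name(ip))) for ip in received_ips(headers)}
    canary = dnswl_rule(lookup(dnswl_query_name(CANARY_IP)))
    return {"hits": hits, "resolver_suspect": canary is not None}

# Stub resolvers standing in for the two behaviours the post describes.
def honest_lookup(name: str) -> Optional[str]:
    return None                       # nothing listed: NXDOMAIN everywhere

def blanket_good_lookup(name: str) -> Optional[str]:
    return "127.0.10.3"               # every query answered as trust HI
```

To run it against a live resolver, replace the stub with a function that does the real A lookup (for example with `host` or a DNS library) and point it at each nameserver in resolv.conf in turn.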

Comments (1) Trackbacks (0)
  1. Well good on ya for doing the digging! Sounds like your clients will (probably unknowingly) benefit substantially from it.

