Zen Spamhaus gives you a way of testing whether your block list transport agent is working. An interesting scenario can occur where the block list doesn’t work.
How to test that your Block List Provider is working
To test that your Zen Spamhaus block list provider is working, send an email from your Exchange account to nelson-sbl-test@crynwr.com. It’ll attempt to send you an email from a blacklisted IP and then send you the SMTP conversation by email. You should get a reply back like below:
Testing your SBL block. See http://www.crynwr.com/spam/ for more info.
Please note that this test will not tell you if your server is open for relaying. Instead, it tests to see if your server blocks email from IP addresses listed in various blocking lists; in this case, the SBL list.
Here’s how the conversation looked from sbl.crynwr.com.
Note that some sites don’t apply the SBL block to postmaster, so I use your envelope sender as the To: address.
I connected to <your IP> and here’s the conversation I had:
220 server.domain.com Microsoft ESMTP MAIL Service ready at Tue, 25 Aug 2015 15:38:07 +0100
helo sbl.crynwr.com
250 server.domain.com Hello [192.203.178.107]
mail from:<>
250 2.1.0 Sender OK
rcpt to:<mark@mydomain.co.uk>
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
From: nelson-SBL-test@crynwr.com
Date: Tue, 25 Aug 2015 14:38:22 -0000
Message-Id: <1440513502@sbl.crynwr.com>
Precedence: junk
Test message
250 2.6.0 <1440513502@sbl.crynwr.com> [InternalId=219] Queued mail for delivery
quit
Successful termination. As far as I can tell, the email was delivered. That might not be what you want.
As you can see, the email was delivered. That’s definitely not what we want.
How to fix the Zen SpamHaus block list provider?
The problem here is that our internal DNS server is using a DNS forwarder that cannot resolve the names we require. The way it needs to work is that when your Exchange server receives a connection from an IP which is submitting an email, it does a DNS forward lookup on <the IP in reverse>.zen.spamhaus.org.
To demonstrate a failed DNS lookup for Zen SpamHaus, we can do a lookup for 2.0.0.127.zen.spamhaus.org (127.0.0.2 in reverse) on Google’s DNS servers like below:
nslookup
server 8.8.8.8
2.0.0.127.zen.spamhaus.org
As you can see above, this fails: Non-existent domain
If we change the DNS server to one of the domain controllers (192.168.0.8) that is configured to use the root hints and no forwarders, then this works:
nslookup
server 192.168.0.8
2.0.0.127.zen.spamhaus.org
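The two nslookup checks above can be combined into one repeatable PowerShell check (an added example, not part of the original post). The function names Get-DnsblQueryName and Test-DnsblResolver are hypothetical, the resolver addresses are the ones used in the post, and only IPv4 is handled.

```powershell
# Added example. Function names are hypothetical; resolver IPs are the ones from the post.
function Get-DnsblQueryName {
    param(
        [Parameter(Mandatory)] [System.Net.IPAddress] $IPAddress,
        [string] $Zone = 'zen.spamhaus.org'
    )
    if ($IPAddress.AddressFamily -ne 'InterNetwork') {
        throw 'IPv4 only in this example.'
    }
    # 127.0.0.2 -> 2.0.0.127.zen.spamhaus.org
    $octets = $IPAddress.GetAddressBytes()
    [array]::Reverse($octets)
    '{0}.{1}' -f ($octets -join '.'), $Zone
}

function Test-DnsblResolver {
    param(
        [Parameter(Mandatory)] [string] $Resolver,
        # 127.0.0.2 is the conventional DNSBL test entry, as used in the post.
        [System.Net.IPAddress] $TestAddress = '127.0.0.2'
    )
    $name = Get-DnsblQueryName -IPAddress $TestAddress
    $codes = @()
    $failure = $null
    try {
        # Ask the named resolver directly, bypassing the local DNS client settings.
        $codes = @(Resolve-DnsName -Name $name -Type A -Server $Resolver -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } |
            ForEach-Object { $_.IPAddress })
    } catch {
        # NXDOMAIN, timeouts and refusals all end up here.
        $failure = $_.Exception.Message
    }
    [pscustomobject]@{
        Resolver = $Resolver
        Query    = $name
        Listed   = [bool]($codes -like '127.0.0.*')
        Answers  = $codes -join ', '
        Error    = $failure
    }
}

# Compare the forwarder path with the root-hints domain controller.
'8.8.8.8', '192.168.0.8' |
    ForEach-Object { Test-DnsblResolver -Resolver $_ } |
    Format-Table -AutoSize
```

A resolver that reports Listed as False for the 127.0.0.2 test entry cannot be used for block list lookups, which is the condition behind the delivered test message earlier in the post.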
We can now go ahead and send another test email to nelson-sbl-test@crynwr.com and we get a response as below to say that the email is blocked as it was found on an RBL:
Testing your SBL block. See http://www.crynwr.com/spam/ for more info.
Please note that this test will not tell you if your server is open for relaying. Instead, it tests to see if your server blocks email from IP addresses listed in various blocking lists; in this case, the SBL list.
Here’s how the conversation looked from sbl.crynwr.com.
Note that some sites don’t apply the SBL block to postmaster, so I use your envelope sender as the To: address.
I connected to <your IP> and here’s the conversation I had:
220 server.domain.com Microsoft ESMTP MAIL Service ready at Thu, 12 Nov 2015 21:50:20 +0000
helo sbl.crynwr.com
250 server.domain.com Hello [192.203.178.107]
mail from:<>
250 2.1.0 Sender OK
rcpt to:<mark@mydomain.co.uk>
550 5.7.1 Recipient not authorized, your IP has been found on a block list
Terminating conversation
This looks much better. All the best!