more spam getting through in v12

[digo]

This might be unrelated to the upgrade... and more to do with using our local ISP's DNS (Cox) 68.105.28.16 and 68.105.29.16
Since the upgrade we noticed a ton more spam is coming through.

spamassassin is firing the URIBL_BLOCKED rule - it's all over the logs. Spam that used to get flagged as spam now passes with a score of zero.

Reading these notes:
http://uribl.com/refused.shtml

If you are low volume user, you have a few options. Possibly changing your nameservers from a public dns provider (ie opendns/google) to your local ISP may solve it. If your local ISP is also effected because they are very large (ie cox/att/comcast/etc), you may need to use your own recursive DNS solution. If your company has DNS servers, point to them for resolution. Alternatively, you could setup a caching nameserver on the loopback of the machine doing the spam checking, and point the DNS to localhost.

We do have a DNS server internally within our network. Do I add the local IP address of our DNS server to Untangle's external interface primary DNS?

[dmorris]

post a screenshot of the events. Show as much as you can of the "Detail" column as you can fit on the screen.

URIBL_BLOCKED is common.
It would be nice to find a way to get URIBL working, but URIBL is just a tiny piece of spamassassin's sigs and is likely not the issue if you have having all mail score as 0.

[digo]

events.png
only one of those messages was not spam (from hp support)

[sky-knight]

URIBL.org and DNSQL.org queries will not work via COX provided DNS servers.
spamhaus.org queries will intermittently not work.

The only way I've found around this is to lease a VPS, get a DNS service running on it, and redirect those three domains to it. You can use this to test: http://wiki.untangle.com/index.php/S...k_DNSBL_Access

You can also run a DNS server onsite, and pass things through that. However, while that seems to fix the first two, that last one simply times out on my Cox here. Hence, the VPS.

[digo]

I guess I'm unclear if untangle can point to a DNS server within the LAN, as opposed to something external. Our exchange box is also a DNS server, DC, etc. We have 10 users in our office...

[sky-knight]

Untangle can point at whatever DNS server you want. But if you want it to filter spam well, you'd better crack open SSH and run that check from time to time. And if a test doesn't work, that's when you get creative.

[dmorris]

I doubt thats related to DNS. It doesnt look like any rules are firing. I bet its a signature issue. It probably hasn't been able to download the new signatures for some reason. Assuming its connected to the internet I would contact support.

If you ever tried to update the signatures manually as root then I would just reinstall. We've had a couple users call that tried to do this because they saw something on the forums. That does not work. It sets the permissions of the signature files incorrectly and prevent all future updates from working.

[sky-knight]

Ouch... well, to be fair I've been on the receiving end of some really bad bayes databases because of goofy DNS over time.

So OP, after you reinstall, check your DNS, you'll be glad you did!

[digo]

I doubt thats related to DNS. It doesnt look like any rules are firing. I bet its a signature issue. It probably hasn't been able to download the new signatures for some reason. Assuming its connected to the internet I would contact support.

If you ever tried to update the signatures manually as root then I would just reinstall. We've had a couple users call that tried to do this because they saw something on the forums. That does not work. It sets the permissions of the signature files incorrectly and prevent all future updates from working.

I guess my post was a bit misleading. I had sorted the events to show all events with a score of zero. The filter is working somewhat, just less effective than it was at v11.2

events.png
spam ratio.png

The spam ratio used to be closer to 90% in v 11.2
I did not attempt to update anything manually.

I will try the DNS change and see if it helps any. Thanks for the feedback so far.

[sky-knight]

That doesn't look right to me either, I would open a ticket and let support dig in. That module more so than most of the others is difficult to support remotely, and requires a pretty specific skill-set to dig into and fix.