Find out why all your emails suddenly become blocked by Spamhaus with every query that you make returning 127.255.255.254 and the reasons behind this.

·

Blocked by Spamhaus?

Recently, we’ve seen an increase in support and noticed that we’ve gained some new customers, as Spamhaus has been blocking them from querying. Which subsequently caused their mail server to reject all of their inbound mail.

Investigating this case, I found a Spamhaus post on various platforms saying they would start blocking queries to their public mirrors from “shared” DNS resolvers, e.g., ISPs, hosting providers, Cloud DNS, etc.

But having service withdrawn by Spamhaus shouldn’t usually cause all mail to be rejected.

The only options available to a blocklist provider when handling DNS queries are the following:

  • Drop the query, e.g., don’t provide any answer, causing the DNS server doing the query to time out.
  • Refuse the query. This returns a special DNS response that indicates the query was refused.
  • Return a fixed result, e.g., actually, return an answer.

None of these are particularly great options as you still have to deal with the queries in the first place, which takes resources.

However, on today’s hardware, a DNS server can easily handle hundreds of thousands of queries per second, and multiple servers will handle this load.

In the case of Abusix, we refuse the query. This is the most technically correct and “friendliest” way to do it and can be detected by the querying software, which would stop querying in an ideal world. No mail would be lost, and there would be no delays.

Dropping the queries would cause the remote end to “time out” each query after a few dozen seconds and could cause some messages to be delayed.

But because of this delay, it is more likely to cause someone to notice, investigate and then stop querying the service.

But most importantly, no mail would be lost.

For a fixed result, you would typically return 127.0.0.1 as this is supposed to denote that ‘This blocklist is “listing the world” and is shutting down, so please stop querying it.’   However, this isn’t universally recognized by all mail systems as a standard yet, so it can cause ALL mail to be rejected.

There is an Internet Standards paper (RFC) called “Overview of Best Email DNS-Based List (DNSBL) Operational Practices,” which covers these cases and is the “bible” upon that Abusix operates our lists.

However, it appears that Spamhaus chose not to follow the standards.

They instead chose to invent several new result codes in the 127.255.255.x range.

As they start to block these “shared” DNS resolvers, anyone querying them would inadvertently reject all of their mail, legitimate or not.

Read More

·

Email remains a cornerstone of business communication but also a primary vector for cyber threats like <a class="glossaryLink" aria-describedby="tt" data-cmtooltip="cmtt_0d5115a19961821ee5d6d5d40616c9d2"...

·

Big Update! The “Overview” has grown up to a “Dashboard”, we’re introducing a new state, and are exposing even more internals...

·

Botnet-assisted Distributed Denial of Service (<a class="glossaryLink" aria-describedby="tt" data-cmtooltip="cmtt_3c1af7992e7d830801fc8cfbe9555d13" href="https://abusix.com/glossary/distributed-denial-of-service/" data-mobile-support="0"...