Exchange Blacklist check

[rferebee]

Hello,

Can someone explain to me how the Blacklist check works in the Exchange Wizard? We seem to have ended up on a blacklist, but the list that it says we're on doesn't exist (zen.spamhaus.org). There is a spamhaus.org, but no zen.spamhaus.org so we're a little confused.

Mail flow seems to be fine and we cannot find ourselves on any other lists.

Any information you can provide would be greatly appreciated.

Thank you.

[ssax]

zen.spamhaus.org

ZEN is the combination of all Spamhaus IP-based DNSBLs into one single powerful and comprehensive blocklist to make querying faster and simpler. It contains the SBL, SBLCSS, XBL and PBL blocklists.

It contains the SBL, SBLCSS, XBL and PBL blocklists.

So it's on one of those.

Taken from here:

https://www.spamhaus.org/faq/section/DNSBL%20Usage#202
https://www.spamhaus.org/zen/

You could change it from this:

Code: Select all

/usr/local/nagios/libexec/check_bl -H X.X.X.X -B zen.spamhaus.org bl.spamcop.net dnsbl.ahbl.org dnsbl.njabl.org dnsbl.sorbs.net virbl.dnsbl.bit.nl rbl.efnet.org phishing.rbl.msrbl.net 0spam.fusionzero.com list.dsbl.org multihop.dsbl.org unconfirmed.dsbl.org will-spam-for-food.eu.org blacklist.spambag.org blackholes.brainerd.net blackholes.uceb.org spamsources.dnsbl.info map.spam-rbl.com ns1.unsubscore.com psbl.surriel.com l2.spews.dnsbl.sorbs.net bl.csma.biz sbl.csma.biz dynablock.njabl.org no-more-funn.moensted.dk ubl.unsubscore.com dnsbl-1.uceprotect.net dnsbl-2.uceprotect.net dnsbl-3.uceprotect.net spamguard.leadmon.net opm.blitzed.org bl.spamcannibal.org rbl.schulte.org dnsbl.ahbl.org virbl.dnsbl.bit.nl combined.rbl.msrbl.net

To this:

Code: Select all

/usr/local/nagios/libexec/check_bl -H X.X.X.X -B sbl.spamhaus.org xbl.spamhaus.org pbl.spamhaus.org bl.spamcop.net dnsbl.ahbl.org dnsbl.njabl.org dnsbl.sorbs.net virbl.dnsbl.bit.nl rbl.efnet.org phishing.rbl.msrbl.net 0spam.fusionzero.com list.dsbl.org multihop.dsbl.org unconfirmed.dsbl.org will-spam-for-food.eu.org blacklist.spambag.org blackholes.brainerd.net blackholes.uceb.org spamsources.dnsbl.info map.spam-rbl.com ns1.unsubscore.com psbl.surriel.com l2.spews.dnsbl.sorbs.net bl.csma.biz sbl.csma.biz dynablock.njabl.org no-more-funn.moensted.dk ubl.unsubscore.com dnsbl-1.uceprotect.net dnsbl-2.uceprotect.net dnsbl-3.uceprotect.net spamguard.leadmon.net opm.blitzed.org bl.spamcannibal.org rbl.schulte.org dnsbl.ahbl.org virbl.dnsbl.bit.nl combined.rbl.msrbl.net

Let us know if that shows better for you?

Does yours show up in here?

https://mxtoolbox.com/blacklists.aspx

[rferebee]

It's so strange, we're not showing up blacklisted anywhere.

[rferebee]

Is there a way to have the check return specifically which IP address is being blacklisted?

[ssax]

Please PM me the full command and the full output that is being run so that I can debug further.

[rferebee]

Circling back to this, is there a way to have XI return specifically which IP is being blacklisted?

Also, along the same lines, in order to test SMTP properly we'd like to know if there is a way to have XI send and receive a test email?

[ssax]

Try changing this code (around line 111):

Code: Select all

if (%listed)
{
  print "Listed at";
  foreach (keys(%listed)) { print " $_" }
  print "\n";
}
else { print "Not black-listed\n" }

To this:

Code: Select all

if (%listed)
{
  print "CRITICAL - Server ($opt_H) black-listed at";
  foreach (keys(%listed)) { print " $_" }
  print "\n";
}
else { print "OK - Server ($opt_H) not black-listed\n" }

Then test:

Code: Select all

/usr/local/nagios/libexec/check_bl -H X.X.X.X -B sbl.spamhaus.org xbl.spamhaus.org pbl.spamhaus.org bl.spamcop.net dnsbl.ahbl.org dnsbl.njabl.org dnsbl.sorbs.net virbl.dnsbl.bit.nl rbl.efnet.org phishing.rbl.msrbl.net 0spam.fusionzero.com list.dsbl.org multihop.dsbl.org unconfirmed.dsbl.org will-spam-for-food.eu.org blacklist.spambag.org blackholes.brainerd.net blackholes.uceb.org spamsources.dnsbl.info map.spam-rbl.com ns1.unsubscore.com psbl.surriel.com l2.spews.dnsbl.sorbs.net bl.csma.biz sbl.csma.biz dynablock.njabl.org no-more-funn.moensted.dk ubl.unsubscore.com dnsbl-1.uceprotect.net dnsbl-2.uceprotect.net dnsbl-3.uceprotect.net spamguard.leadmon.net opm.blitzed.org bl.spamcannibal.org rbl.schulte.org dnsbl.ahbl.org virbl.dnsbl.bit.nl combined.rbl.msrbl.net

It should output the server checked now.

NOTE: Your changes may get reverted on an XI upgrade, please either rename the plugin and setup a new check command in XI or plan to replace it after every upgrade until the devs release a permanent change.

[rferebee]

So, this change worked in the sense that now it lists the IP address of the server that the check is being ran against, but Nagios is still saying that every one of my Exchange servers is black-listed.

To clarify, is it possible to have Nagios return specifically which IP address is being black-listed. We have a subset of external IP addresses for email, these are what typically get black-listed not the internal IP addresses.

Also, still looking for an answer to this question, "Does Nagios have the ability to monitor the sending and receiving of an email to test SMTP traffic?"

Thanks for all the help!

[ssax]

Does Nagios have the ability to monitor the sending and receiving of an email to test SMTP traffic?

Configure > Configuration Wizards > Email Delivery should do that for you.

[ssax]

Additionally, please send me a screenshot or the entire output so that I can see what you're seeing when you are saying this:

Nagios is still saying that every one of my Exchange servers is black-listed

This output is returning on every single Exchange server in my environment (with different host IP addresses of course).

The only passed in information is displayed, if you want the plugin to return something other than what is being passed in I would need to see what it's failing with and the entire output so that I can try to modify the plugin to do what you want.