
Moving forward with Composr

ocPortal has been relaunched as Composr CMS, which is now in beta. ocPortal 9 will be superseded by Composr 10.

Head over to compo.sr for our new site, and to our migration roadmap. Existing ocPortal member accounts have been mirrored.


dnsbl.httpbl.org RBL problems

Posted
Rating:
#99504 (In Topic #19554)
TQ
Avatar

Honoured member

Hi All,

Yesterday I registered an account and used my http:bl key as described in the set-up notes for OCP. I have since received 27 error messages overnight, much the same as this one:

"Could not run spam check using the xxxxxershcka.*.dnsbl.httpbl.org service. The error message returned was: 95.43.xxx.xxx. The action has been let through without a check. The IP involved was 82.1.127.135. "

(The first IP address is my web server. I have replaced some of the key with xxx)

In the same period I have received 1 message indicating that the feature is working but as I write, more errors are coming in.

"A possible spammer was detected by the xxxxxershckadnsbl.httpbl.org service (IP: 192.74.238.60). Their request has been blocked."

Anybody got any ideas?

Nick
Back to the top
 
Posted
Rating:
#99508
Avatar

I can't find any bug. I ran the same query myself just now, manually, and using the ocPortal API for it, and it worked okay.

I got a none-result back from the DNS query, which is expected for a non-block.

Code

nslookup <yourkey>.135.127.1.82.dnsbl.httpbl.org

The service seemed to return an error code, '95'. HTTP:BL only says it must start '127', and anything else is an error: it doesn't define what the errors mean unfortunately.

These errors are silent, apart from the notification – users won't see it.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
Back to the top
 
Posted
Rating:
#99512
TQ
Avatar

Honoured member

Thanks for the reply Chris.

Just for clarity, are you saying that there is no problem other than I get an e-mail stating "Could not run spam check using..." when it should read "Not a spammer" if any notification were to be sent?

Nick

Back to the top
 
Posted
Rating:
#99513
Avatar

Well, if httpbl is returning an error code to you, I can't say if that means they wouldn't have been marked as a spammer if it had worked. It would vary on a case by case basis.


Back to the top
 
Posted
Rating:
#99520
TQ
Avatar

Honoured member

This problem perplexed me for a while not least because I'm using a Wnndoz server and nslookup did not respond in any sensible way.

Fortunately I got over this by downloading a dig app for windows and started getting meaningful results.

It appears that querying a bad IP produces more information:

Code

c:\dig\dig xxxxsershcka.56.168.123.112.dnsbl.httpbl.org

; <<>> DiG 9.3.2 <<>> xxxxsershcka.56.168.123.112.dnsbl.httpbl.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 870
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;xxxxsershcka.56.168.123.112.dnsbl.httpbl.org. IN A

;; ANSWER SECTION:
xxxxsershcka.56.168.123.112.dnsbl.httpbl.org. 300 IN A 127.1.66.5

;; Query time: 187 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 14 20:58:13 2013
;; MSG SIZE  rcvd: 78


You'll note that it Flags Answer: 1 and there is in fact an answer.

If I query a good IP, it Flags Answer: 0 and no Answer section is present.

Code

c:\dig\dig xxxxsershcka.170.127.43.xx.dnsbl.httpbl.org

; <<>> DiG 9.3.2 <<>> xxxxsershcka.170.127.43.xx.dnsbl.httpbl.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1599
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;xxxxsershcka.170.127.43.xx.dnsbl.httpbl.org. IN        A

;; Query time: 93 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 14 21:00:05 2013
;; MSG SIZE  rcvd: 61


I now assume that OCP is unsure what to do if there is no answer at all so it sends me the message mentioned in my first post but in reality, a 'no answer' is equal to a non-spammer IP.

Am I on the right track?

Nick
Back to the top
 
Posted
Rating:
#99521
Avatar

Well, I'm impressed you dug so deep into this (so to speak) :).

But no, this is normal / modus-operandi…

In sources/antispam.php:

Code

function rbl_resolve($ip,$rbl_domain,$page_level)
{
...
   $_result=gethostbyname($lookup);
   $result=explode('.',$_result);

   if (implode('.',$result)==$lookup) // This is how gethostbyname indicates an error happened; however it likely actually means no block happened (as the RBL returned no data on the IP)
   {
      return NULL;
   }

   if ($result[0]!='127') // This is how the RBL indicates an error happened
   {
      if (!$page_level)
      {
         require_code('failure');
         $error=do_lang('_ERROR_CHECKING_FOR_SPAMMERS',$rbl_domain,$_result,$ip);
         relay_error_notification($error,false,'error_occurred');
      }
      return NULL;
   }

   // Some kind of response
   return $result;
}

The if (implode('.',$result)==$lookup) check in the code is checking for a blank response. This is because PHP returns the request as the response if there is no response.

In your case it did give a response, but with the error code of 95 (as opposed to 127 meaning success).


Back to the top
 
Posted
Rating:
#99549
TQ
Avatar

Honoured member

Hi Chris,

I'm glad you were a little impressed, I thought I'd be getting on your nerves by now. I'm having to be persistent because, over the past 2 months of its reincarnation, the site has become very visible and now every spammer and his brother is putting serious pressure on the web server.

To the point, I waded through your PHP with the help of (w3schools.com) but didn't in the first instance work out where you got the error code 95, then it dawned on me, it's the first octet of my server's IP address.

If I'm right, could the code in antispam.php be modified to determine what the server's IP address is and then NOT send a message out if it matches the result?

Living in hope

Nick
Back to the top
 
Posted
Rating:
#99550
Avatar

If I'm right, could the code in antispam.php be modified to determine what the server's IP address is and then NOT send a message out if it matches the result?

Oh, I see that's your IP, hahaha. I did not realise. I don't know why your server would give a reference to itself back when failing to do a lookup.

Try changing:

Code

   if (implode('.',$result)==$lookup) // This is how gethostbyname indicates an error happened; however it likely actually means no block happened (as the RBL returned no data on the IP)
to:

Code

   if (($_result==$lookup) || ($_result==ocp_srv('SERVER_ADDR'))) // This is how gethostbyname indicates an error happened; however it likely actually means no block happened (as the RBL returned no data on the IP)


Back to the top
 
Posted
Rating:
#99551
Avatar

I found a comment in the PHP manual:
So if you do a lookup for nonexistentdomainname.be your server may return the ip for nonexistentdomainname.be.yourhostname.com, which is the server-ip.

I think your server is doing this. When it fails to lookup a domain (this is essentially a domain lookup, because whoever decided to implement RBLs over DNS implemented a bit of a 'hack' lol) – it resolves it as a version of that domain on your own network, giving your IP back. i.e. it can't find it on the Internet, so it maps it to a localised version of that address, whether it exists or not.

We could try to change:

Code

   $lookup=str_replace('*',$arpa,$rbl_domain);
to:

Code

   $lookup=str_replace('*',$arpa,$rbl_domain).'.';
However, I don't know if it has any negative consequences. It is probably better than the fix I just posted, as the server might not return the same IP address as SERVER_ADDR (many servers have multiple IP addresses).

So I suggest this second fix, not the one in my last post.


Last edit: by Chris Graham


Back to the top
 
Posted
Rating:
#99552
Avatar

Yeah the second fix (the dot append) should be safe. I checked the nslookup manual:
If host is a name and does not have a trailing period, the default domain name is appended to the name. (This behavior depends on the state of the set options domain, srchlist, defname, and search.)
To look up a host not in the current domain, append a period to the name.


Back to the top
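
The absolute-name lookup and the three outcomes discussed in this thread (no record, a 127.x.y.z listing, an unrelated address from the resolver's search domain), as an added example that is not ocPortal's code or part of any post. The function names, the sample key and the sample addresses are constructed; the octet meanings follow Project Honey Pot's published http:BL API.

```php
<?php
// Added example, not ocPortal code. Function names are hypothetical.

/** Build the fully-qualified http:BL query name for an IPv4 address. */
function httpbl_lookup_name(string $access_key, string $ip): string
{
    $reversed = implode('.', array_reverse(explode('.', $ip)));
    // Trailing dot = absolute name, so the resolver never appends its search domain.
    return $access_key . '.' . $reversed . '.dnsbl.httpbl.org.';
}

/** Interpret what gethostbyname() returned for $lookup. */
function httpbl_classify(string $lookup, string $answer): array
{
    if ($answer === $lookup) {
        // gethostbyname() echoes the name back on any failure, so NXDOMAIN
        // (no record) cannot be told apart from a timeout here.
        return ['status' => 'no_record'];
    }
    $o = explode('.', $answer);
    if (filter_var($answer, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false || $o[0] !== '127') {
        // Not an http:BL answer, e.g. the web server's own address coming
        // back through a wildcard under the resolver's search domain.
        return ['status' => 'resolver_error', 'answer' => $answer];
    }
    $type = (int) $o[3];
    return [
        'status'          => 'listed',
        'days_since_seen' => (int) $o[1],
        'threat_score'    => (int) $o[2], // for type 0 this octet identifies the search engine instead
        'search_engine'   => $type === 0,
        'suspicious'      => (bool) ($type & 1),
        'harvester'       => (bool) ($type & 2),
        'comment_spammer' => (bool) ($type & 4),
    ];
}

// Constructed samples: the key and 203.0.113.10 are placeholders;
// 127.1.66.5 is the answer shown in the dig output in this thread.
$lookup  = httpbl_lookup_name('examplekey12', '112.123.168.56');
$samples = [
    'listed'                 => '127.1.66.5',
    'no record'              => $lookup,
    'search-domain fallback' => '203.0.113.10',
];
foreach ($samples as $label => $answer) {
    echo $label, ': ', json_encode(httpbl_classify($lookup, $answer)), "\n";
}
// Live use: $answer = gethostbyname($lookup);
```

Because a failed lookup and a clean IP look identical to gethostbyname(), a site that treats `no_record` as "allow" fails open when the resolver is down; logging the rate of `resolver_error` and `no_record` results makes that visible.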
 
Posted
Rating:
#99555
TQ
Avatar

Honoured member

Hi Chris,

Thanks again for your efforts.

I have copied antispam.php into \sources_custom then made change 2. Assuming that was the correct thing to do I'll keep you posted as to the results.

Nick
Back to the top
 
Posted
Rating:
#99558
Avatar

We'll also include the change in the next patch release.


Back to the top
 
Posted
Item has a rating of 5 (Liked by Chris Graham)  
Rating:
#99579
TQ
Avatar

Honoured member

Fixed!

This change to sources/antispam.php:

Code

$lookup=str_replace('*',$arpa,$rbl_domain).'.';

... appears to have worked without any detrimental consequences. Overnight one more IP address was banned but no more error mails were received.

Thank you Chris for all your help.

Nick
Back to the top
 