
Certain Email Being Treated As Junk Email

According to user feedback, some legitimate email messages are treated as junk email.

Symptom

As shown in Figure 1, certain email is treated as junk email after the anti-spam function is enabled.

Figure 1 Networking diagram for mail filtering

Troubleshooting Roadmap

Symptom

Possible Cause

Troubleshooting Procedure

According to the logs, certain email is treated as junk email.

The DNS server in use is hijacked.

To redirect users to value-added service websites or partner websites, Internet service providers may modify the DNS server. As a result, when it receives a DNS query that cannot be resolved, the DNS server returns the IP address of the value-added or partner website. This is how DNS hijacking works.

Ensure that the DNS server is not hijacked. A hijacked server answers RBL queries for unlisted addresses with an IP address instead of a non-existent-domain error, so legitimate mail might be considered junk mail.

  1. Use the preinstalled nslookup tool of the Windows operating system to test the DNS server. Choose Start > Run, enter nslookup, and click OK to start the nslookup tool.
  2. Use the test address that is included in the RBL database to perform the test. If the returned reply code is the same as that provided by the RBL service provider, it means that the DNS server is available.

    For example, the DNS server resides at 10.87.13.129, the RBL service name provided by the RBL service provider is cbl.anti-spam.org.cn, the test address is 127.0.0.2, and the reply code is 127.0.8.2.

    > server 10.87.13.129  // Enter the IP address of the DNS server to be tested.
    Default Server:  nscache.prserv.net
    Address:  10.87.13.129
    > 2.0.0.127.cbl.anti-spam.org.cn  // Concatenate the reverse of the test IP address and the RBL server name. Then enter the concatenated string.
    Server:  nscache.prserv.net
    Address:  10.87.13.129
    Non-authoritative answer:
    Name:    2.0.0.127.cbl.anti-spam.org.cn
    Address:  127.0.8.2  
    // Expected result: the DNS server is available only when the returned reply code is the same as the one provided by cbl.anti-spam.org.cn.
    
  3. Use an IP address that is not included in the RBL to perform the test. In common cases, 192.168.0.1 is not included in the RBL. You can use this IP address to perform the test.

    > server 10.87.13.129  // Enter the IP address of the DNS server to be tested.
    Default Server:  nscache.prserv.net
    Address:  10.87.13.129
    > 1.0.168.192.cbl.anti-spam.org.cn  // Concatenate the reverse of the IP address being tested and the RBL server name. Then enter the concatenated string.
    
    Server:  nscache.prserv.net
    Address:  10.87.13.129
    
    *** nscache.prserv.net can't find 1.0.168.192.cbl.anti-spam.org.cn: Non-existent domain 
     // If the returned reply code is Non-existent domain, the DNS server is not hijacked. If the returned reply code is an IP address, the DNS server is hijacked. 

The DNS server performs an iterative DNS query.

The DNS server can perform the query in recursive mode or iterative mode. To ensure that mail filtering functions properly, the DNS server must perform the query in recursive mode. Otherwise, legitimate email might be treated as junk mail.

  1. Use the preinstalled nslookup tool of the Windows operating system to test the DNS server. Choose Start > Run, enter nslookup, and click OK to start the nslookup tool.
  2. Enable debugging.
    > set debug  // Enable the debugging function.
    
  3. Use the test address that is included in the RBL to perform the test. If recursion avail is displayed, it means that the DNS server supports recursive query.

    For example, the DNS server resides at 10.87.13.129, the RBL service name provided by the RBL service provider is cbl.anti-spam.org.cn, the test address is 127.0.0.2, and the reply code is 127.0.8.2.

    > server 10.87.13.129  //Enter the IP address of the DNS server to be tested.
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 3, rcode = NOERROR
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 1,  authority records = 0,  additional = 0
    
    ------------
    Default Server:  nscache.prserv.net
    Address:  10.87.13.129
    
    > 2.0.0.127.cbl.anti-spam.org.cn   // Concatenate the reverse of the test IP address and the RBL server name. Then enter the concatenated string.
    
    Server:  nscache.prserv.net
    Address:  10.87.13.129
    
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 4, rcode = NOERROR
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 1,  authority records = 7,  additional = 7
    
    ------------
    Non-authoritative answer:
    Name:    2.0.0.127.cbl.anti-spam.org.cn
    Address:  127.0.8.2
    
    
  4. Use an IP address that is not included in the RBL to perform the test. In common cases, 1.1.1.1 is not included in the RBL. You can use this IP address to perform the test.

    If recursion avail is displayed, it means that the DNS server supports recursive query.

    > 1.1.1.1.cbl.anti-spam.org.cn  // Concatenate the reverse of the IP address and the RBL server name. Then enter the concatenated string.
    
    Server:  nscache.prserv.net
    Address:  10.87.13.129
    
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 5, rcode = NXDOMAIN
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0
    
    ------------
    *** nscache.prserv.net can't find 1.1.1.1.cbl.anti-spam.org.cn: Non-existent domain
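
The hijack check and the recursion check above can be scripted together. The following is an added example, not part of the original Huawei procedure: it sends raw UDP DNS queries instead of using nslookup, and all function names are hypothetical. `sample_response` builds constructed reply bytes so the logic can be exercised without a network.

```python
import ipaddress
import socket
import struct

def rbl_query_name(ip, zone):
    """127.0.0.2 + cbl.anti-spam.org.cn -> 2.0.0.127.cbl.anti-spam.org.cn"""
    return ipaddress.IPv4Address(ip).reverse_pointer.replace("in-addr.arpa", zone.strip("."))

def build_query(name, qid=1):  # flags 0x0100 = "want recursion"; type A, class IN
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!2H", 1, 1)

def skip_name(msg, pos):
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:  # stop at root label or pointer
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)

def parse_response(msg):
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    pos, addrs = 12, []
    for _ in range(qd):  # skip the echoed question
        pos = skip_name(msg, pos) + 4
    for _ in range(an):  # collect A records from the answer section
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return {"rcode": flags & 0xF, "recursion_avail": bool(flags & 0x80), "addrs": addrs}

def ask(server, name, timeout=3.0):  # one UDP query to the DNS server under test
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_response(s.recv(4096))

def verdict(listed, unlisted, expected_reply):
    """Apply the page's checks to parsed answers for a listed and an unlisted address."""
    if unlisted["rcode"] != 3 or unlisted["addrs"]:  # 3 = NXDOMAIN
        return "hijacked: unlisted address did not get Non-existent domain"
    if not (listed["recursion_avail"] and unlisted["recursion_avail"]):
        return "no recursion: 'recursion avail.' flag missing"
    return "ok" if expected_reply in listed["addrs"] else "unexpected reply code"

def sample_response(name, flags, addr=None):
    """Constructed reply bytes for offline runs: question plus an optional A record."""
    q = build_query(name)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr) if addr else b""
    return q[:2] + struct.pack("!5H", flags, 1, 1 if addr else 0, 0, 0) + q[12:] + rr
```

Against a live server, pass `ask("10.87.13.129", rbl_query_name("127.0.0.2", "cbl.anti-spam.org.cn"))` and the corresponding unlisted-address answer to `verdict` with the provider's reply code.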
    

If the fault persists, contact Huawei technical support engineers.

Copyright © Huawei Technologies Co., Ltd.