Posted to users@spamassassin.apache.org by shridhar shetty <sh...@gmail.com> on 2018/02/23 14:26:13 UTC
Whitelist IP for SBL check
Hello,
In our infra we use SpamAssassin to scan our **outgoing** mails too. This
is to prevent spammers using our infra to send mails and get our IPs
blacklisted. We perform various DNSBL tests on the mail body.
One of our IPs got listed in Spamhaus SBL for some reason, so now our
outgoing mails are getting detected as spam if the email body contains our
local domain name whose IP is listed in SBL (hitting URIBL_SBL rule).
We have hundreds of domain names mapped to a single IP.
Is there a way to exclude local IP from DNSBL checks? For example: if there is a
local domain name xyz.org present in the mail body, then SpamAssassin should
not mark it as spam even if A or NS record for xyz.org is listed in SBL.
I tried the following things which did not work.
1. Adding the local IP in "trusted_network" and "internal_network" in
local.cf
2. Using uridnsbl_skip_domain "<domainname>" directives in local.cf works.
But adding hundreds of local domains doesn't seem like a solution.
Some details:
SpamAssassin Server version 3.4.1
Spamassassin rule which matched:
####
uridnssub URIBL_SBL zen.spamhaus.org. A 127.0.0.2
body URIBL_SBL eval:check_uridnsbl('URIBL_SBL')
describe URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL blocklist
tflags URIBL_SBL net
reuse URIBL_SBL
####
Thanks,
Shridhar
Re: Whitelist IP for SBL check
Posted by Markus Clardy <ma...@clardy.eu>.
Considering the issue, couldn't you in theory just add "uridnsbl_skip_domain
ip.on.blk.lst"?
I mean, according to URIBL_SBL, it would be if the IP itself is on the
blacklist, so wouldn't skipping the "domain" of a specific IP skip
detection?
On Fri, Feb 23, 2018 at 4:55 PM, David Jones <dj...@ena.com> wrote:
> On 02/23/2018 10:46 AM, Axb wrote:
>
>> On 02/23/2018 04:33 PM, David Jones wrote:
>>
>>> On 02/23/2018 08:26 AM, shridhar shetty wrote:
>>>
>>>> Hello,
>>>>
>>>> In our infra we use spamassassin to scan our **outgoing** mails too.
>>>> This is to prevent spammers using our infra to send mails and get our IP's
>>>> blacklisted. We perform various DNSBL tests on the mail body.
>>>>
>>>>
>>> We also scan outbound aggressively to keep our own IPs clean. I monitor
>>> for our own IPs getting listed in major RBLs every 15 minutes and hourly I
>>> have a script that checks my own IPs in all RBLs listed at
>>> http://multirbl.valli.org/. You need to make sure you have a good
>>> abuse@ contact setup for your IP ranges based on a WHOIS lookup of the
>>> IPs. You must setup feedback loops with all of the major platforms out
>>> there like Yahoo, AOL, Comcast, etc.
>>>
>>> We send out millions of spammy looking emails every week from
>>> student management systems that don't have an opt-out method to lots of
>>> parents on freemail platforms. We very rarely get listed on RBLs and have
>>> excellent delivery rates mainly because of compromised account detection
>>> and blocking of outbound mail from the single sender quickly when this is
>>> triggered. Most sane RBLs will allow for a little junk outbound as long as
>>> you stop it quickly because compromised accounts happen.
>>>
>>>
>>>> One of our IPs got listed in Spamhaus SBL for some reason, so now our
>>>> outgoing mails are getting detected as spam if the email body contains our
>>>> local domainname whose IP is listed in SBL(hitting URIBL_SBL rule).
>>>> We have hundreds of domainnames mapped to an single IP.
>>>>
>>>> Is there a way to exclude local IP from DNSBL checks. For eg: if there
>>>> is a local domainname xyz.org <http://xyz.org> present in the mail
>>>> body, then spamassassin should not mark it as spam even if A or NS record
>>>> for xyz.org <http://xyz.org> is listed in SBL.
>>>>
>>>>
>>> Setup a quick meta rule that subtracts the same points that the local IP
>>> on Spamhaus adds until you can find a better way to handle this.
>>>
>>> header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
>>> meta SPAMHAUS_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && RCVD_IN_XBL
>>> score SPAMHAUS_LOCAL_IP_OFFSET -1.0
>>>
>>> You will need to adjust the header rule to match your Received header
>>> format of your particular MTA and also match the actual Spamhaus rule that
>>> is getting hit. I just guessed it was RCVD_IN_XBL.
>>>
>>>
>> you are aware that your recommendation doesn't apply to a
>> uridnssub URIBL_SBL zen.spamhaus.org. A 127.0.0.2
>> hit ?
>>
>>
>>
>>
> I was in a hurry, sorry. My last paragraph had a disclaimer that 2 things
> would need to be adjusted. Here is 1 of them corrected so the OP will only
> have to make sure the header rule matches his MTA's format:
>
> header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
> meta URIBL_SBL_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && URIBL_SBL
> score URIBL_SBL_LOCAL_IP_OFFSET -1.0
>
> --
> David Jones
>
--
- Markus
Re: Whitelist IP for SBL check
Posted by David Jones <dj...@ena.com>.
On 02/23/2018 10:46 AM, Axb wrote:
> On 02/23/2018 04:33 PM, David Jones wrote:
>> On 02/23/2018 08:26 AM, shridhar shetty wrote:
>>> Hello,
>>>
>>> In our infra we use spamassassin to scan our **outgoing** mails too.
>>> This is to prevent spammers using our infra to send mails and get our
>>> IP's blacklisted. We perform various DNSBL tests on the mail body.
>>>
>>
>> We also scan outbound aggressively to keep our own IPs clean. I
>> monitor for our own IPs getting listed in major RBLs every 15 minutes
>> and hourly I have a script that checks my own IPs in all RBLs listed
>> at http://multirbl.valli.org/. You need to make sure you have a good
>> abuse@ contact setup for your IP ranges based on a WHOIS lookup of the
>> IPs. You must setup feedback loops with all of the major platforms
>> out there like Yahoo, AOL, Comcast, etc.
>>
>> We send out millions of spammy looking emails every week from
>> student management systems that don't have an opt-out method to lots
>> of parents on freemail platforms. We very rarely get listed on RBLs
>> and have excellent delivery rates mainly because of compromised
>> account detection and blocking of outbound mail from the single sender
>> quickly when this is triggered. Most sane RBLs will allow for a
>> little junk outbound as long as you stop it quickly because
>> compromised accounts happen.
>>
>>
>>> One of our IPs got listed in Spamhaus SBL for some reason, so now our
>>> outgoing mails are getting detected as spam if the email body
>>> contains our local domainname whose IP is listed in SBL(hitting
>>> URIBL_SBL rule).
>>> We have hundreds of domainnames mapped to an single IP.
>>>
>>> Is there a way to exclude local IP from DNSBL checks. For eg: if
>>> there is a local domainname xyz.org <http://xyz.org> present in the
>>> mail body, then spamassassin should not mark it as spam even if A or
>>> NS record for xyz.org <http://xyz.org> is listed in SBL.
>>>
>>
>> Setup a quick meta rule that subtracts the same points that the local
>> IP on Spamhaus adds until you can find a better way to handle this.
>>
>> header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
>> meta SPAMHAUS_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && RCVD_IN_XBL
>> score SPAMHAUS_LOCAL_IP_OFFSET -1.0
>>
>> You will need to adjust the header rule to match your Received header
>> format of your particular MTA and also match the actual Spamhaus rule
>> that is getting hit. I just guessed it was RCVD_IN_XBL.
>>
>
> you are aware that your recommendation doesn't apply to a
> uridnssub URIBL_SBL zen.spamhaus.org. A 127.0.0.2
> hit ?
>
>
>
I was in a hurry, sorry. My last paragraph had a disclaimer that 2
things would need to be adjusted. Here is 1 of them corrected so the OP
will only have to make sure the header rule matches his MTA's format:
header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
meta URIBL_SBL_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && URIBL_SBL
score URIBL_SBL_LOCAL_IP_OFFSET -1.0
--
David Jones
Re: Whitelist IP for SBL check
Posted by Axb <ax...@gmail.com>.
On 02/23/2018 04:33 PM, David Jones wrote:
> On 02/23/2018 08:26 AM, shridhar shetty wrote:
>> Hello,
>>
>> In our infra we use spamassassin to scan our **outgoing** mails too.
>> This is to prevent spammers using our infra to send mails and get our
>> IP's blacklisted. We perform various DNSBL tests on the mail body.
>>
>
> We also scan outbound aggressively to keep our own IPs clean. I monitor
> for our own IPs getting listed in major RBLs every 15 minutes and hourly
> I have a script that checks my own IPs in all RBLs listed at
> http://multirbl.valli.org/. You need to make sure you have a good
> abuse@ contact setup for your IP ranges based on a WHOIS lookup of the
> IPs. You must setup feedback loops with all of the major platforms out
> there like Yahoo, AOL, Comcast, etc.
>
> We send out millions of spammy looking emails every week from
> student management systems that don't have an opt-out method to lots of
> parents on freemail platforms. We very rarely get listed on RBLs and
> have excellent delivery rates mainly because of compromised account
> detection and blocking of outbound mail from the single sender quickly
> when this is triggered. Most sane RBLs will allow for a little junk
> outbound as long as you stop it quickly because compromised accounts
> happen.
>
>
>> One of our IPs got listed in Spamhaus SBL for some reason, so now our
>> outgoing mails are getting detected as spam if the email body contains
>> our local domainname whose IP is listed in SBL(hitting URIBL_SBL rule).
>> We have hundreds of domainnames mapped to an single IP.
>>
>> Is there a way to exclude local IP from DNSBL checks. For eg: if there
>> is a local domainname xyz.org <http://xyz.org> present in the mail
>> body, then spamassassin should not mark it as spam even if A or NS
>> record for xyz.org <http://xyz.org> is listed in SBL.
>>
>
> Setup a quick meta rule that subtracts the same points that the local IP
> on Spamhaus adds until you can find a better way to handle this.
>
> header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
> meta SPAMHAUS_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && RCVD_IN_XBL
> score SPAMHAUS_LOCAL_IP_OFFSET -1.0
>
> You will need to adjust the header rule to match your Received header
> format of your particular MTA and also match the actual Spamhaus rule
> that is getting hit. I just guessed it was RCVD_IN_XBL.
>
you are aware that your recommendation doesn't apply to a
uridnssub URIBL_SBL zen.spamhaus.org. A 127.0.0.2
hit ?
Re: Whitelist IP for SBL check
Posted by David Jones <dj...@ena.com>.
On 02/23/2018 08:26 AM, shridhar shetty wrote:
> Hello,
>
> In our infra we use spamassassin to scan our **outgoing** mails too.
> This is to prevent spammers using our infra to send mails and get our
> IP's blacklisted. We perform various DNSBL tests on the mail body.
>
We also scan outbound aggressively to keep our own IPs clean. I monitor
for our own IPs getting listed in major RBLs every 15 minutes and hourly
I have a script that checks my own IPs in all RBLs listed at
http://multirbl.valli.org/. You need to make sure you have a good
abuse@ contact set up for your IP ranges based on a WHOIS lookup of the
IPs. You must set up feedback loops with all of the major platforms out
there like Yahoo, AOL, Comcast, etc.
We send out millions of spammy looking emails every week from
student management systems that don't have an opt-out method to lots of
parents on freemail platforms. We very rarely get listed on RBLs and
have excellent delivery rates mainly because of compromised account
detection and blocking of outbound mail from the single sender quickly
when this is triggered. Most sane RBLs will allow for a little junk
outbound as long as you stop it quickly because compromised accounts happen.
> One of our IPs got listed in Spamhaus SBL for some reason, so now our
> outgoing mails are getting detected as spam if the email body contains
> our local domainname whose IP is listed in SBL(hitting URIBL_SBL rule).
> We have hundreds of domainnames mapped to an single IP.
>
> Is there a way to exclude local IP from DNSBL checks. For eg: if there
> is a local domainname xyz.org <http://xyz.org> present in the mail body,
> then spamassassin should not mark it as spam even if A or NS record for
> xyz.org <http://xyz.org> is listed in SBL.
>
Set up a quick meta rule that subtracts the same points that the local IP
on Spamhaus adds until you can find a better way to handle this.
header __RCVD_LOCAL_IP Received =~ /\[xx\.xx\.xx\.xx\]/
meta SPAMHAUS_LOCAL_IP_OFFSET __RCVD_LOCAL_IP && RCVD_IN_XBL
score SPAMHAUS_LOCAL_IP_OFFSET -1.0
You will need to adjust the header rule to match your Received header
format of your particular MTA and also match the actual Spamhaus rule
that is getting hit. I just guessed it was RCVD_IN_XBL.
--
David Jones
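An added example, not part of the original thread and not any poster's own script: a sketch of the kind of self-check described in the message above, using the zone and return code from the URIBL_SBL rule quoted in the first post, and showing why every domain mapped to one listed IP is affected. The function names, the domain-to-IP map and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"   # zone named in the URIBL_SBL rule quoted in this thread
SBL_CODE = "127.0.0.2"      # return code that rule matches
# Spamhaus error answers are not listings: the query was malformed or refused.
ERROR_CODES = {"127.255.255.252", "127.255.255.254", "127.255.255.255"}

def query_name(ip, zone=ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] when there is no answer (not listed)."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except OSError:
        return []

def check_ip(ip, resolver=system_resolver):
    """Classify one IP as 'sbl', 'other' (listed with another code), 'clean' or 'error'."""
    answers = resolver(query_name(ip))
    if any(a in ERROR_CODES for a in answers):
        return "error"      # e.g. query went through a public resolver; result unusable
    if SBL_CODE in answers:
        return "sbl"
    return "other" if answers else "clean"

def affected_domains(domain_to_ip, resolver=system_resolver):
    """Map each SBL-listed IP to the local domains that would trip URIBL_SBL."""
    verdict, hits = {}, {}
    for domain, ip in sorted(domain_to_ip.items()):
        if ip not in verdict:
            verdict[ip] = check_ip(ip, resolver)   # one lookup per distinct IP
        if verdict[ip] == "sbl":
            hits.setdefault(ip, []).append(domain)
    return hits

# Constructed sample data: documentation addresses and example domains only.
SAMPLE_DOMAINS = {"xyz.example": "192.0.2.10", "abc.example": "192.0.2.10", "ok.example": "198.51.100.7"}
SAMPLE_ANSWERS = {"10.2.0.192.zen.spamhaus.org": ["127.0.0.2"]}

def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])

if __name__ == "__main__":
    for ip, domains in affected_domains(SAMPLE_DOMAINS, sample_resolver).items():
        print(ip, "listed in SBL; affected domains:", ", ".join(domains))
```

Treating the 127.255.255.x answers as errors rather than listings keeps a resolver problem from being reported as a blocklisting.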
Re: Whitelist IP for SBL check
Posted by shridhar shetty <sh...@gmail.com>.
Yes, I missed it.
On Sat, Feb 24, 2018 at 12:49 AM, RW <rw...@googlemail.com> wrote:
> On Sat, 24 Feb 2018 00:36:56 +0530
> shridhar shetty wrote:
>
>
> > 'Your local "fix" won't stop a URIBL_SBL hit at the other, rcpt's
> > end.' In such case we relay our mails through an external server
> > which has clean reputation. That way our mails are delivered to the
> > recipient.
>
> That will help with RCVD_IN_SBL, but URIBL_SBL is based on URI domains.
>
Re: Whitelist IP for SBL check
Posted by RW <rw...@googlemail.com>.
On Sat, 24 Feb 2018 00:36:56 +0530
shridhar shetty wrote:
> 'Your local "fix" won't stop a URIBL_SBL hit at the other, rcpt's
> end.' In such case we relay our mails through an external server
> which has clean reputation. That way our mails are delivered to the
> recipient.
That will help with RCVD_IN_SBL, but URIBL_SBL is based on URI domains.
Re: Whitelist IP for SBL check
Posted by shridhar shetty <sh...@gmail.com>.
Hello Axb,
Below are the responses to your queries.
Why not fix the SBL issue instead of trying to work around it?
Fixing the SBL issue is the first thing we do. But it takes some time so we
do not want our outbound mail service to be affected due to this.
'Your local "fix" won't stop a URIBL_SBL hit at the other, rcpt's end.'
In such case we relay our mails through an external server which has clean
reputation. That way our mails are delivered to the recipient.
Give us the SBL number and we may be able to help you out.
Do you mean the response code from zen.spamhaus? The response code is
127.0.0.2
On Fri, Feb 23, 2018 at 10:35 PM, Axb <ax...@gmail.com> wrote:
>
> On 02/23/2018 03:26 PM, shridhar shetty wrote:
>
>> Hello,
>>
>> In our infra we use spamassassin to scan our **outgoing** mails too. This
>> is to prevent spammers using our infra to send mails and get our IP's
>> blacklisted. We perform various DNSBL tests on the mail body.
>>
>> One of our IPs got listed in Spamhaus SBL for some reason, so now our
>> outgoing mails are getting detected as spam if the email body contains our
>> local domainname whose IP is listed in SBL(hitting URIBL_SBL rule).
>> We have hundreds of domainnames mapped to an single IP.
>>
>
>
> Why not fix the SBL issue instead of trying to work around it?
> Your local "fix" won't stop a URIBL_SBL hit at the other, rcpt's end.
> Give us the SBL number and we may be able to help you out.
>
>
>
Re: Whitelist IP for SBL check
Posted by Axb <ax...@gmail.com>.
On 02/23/2018 03:26 PM, shridhar shetty wrote:
> Hello,
>
> In our infra we use spamassassin to scan our **outgoing** mails too. This
> is to prevent spammers using our infra to send mails and get our IP's
> blacklisted. We perform various DNSBL tests on the mail body.
>
> One of our IPs got listed in Spamhaus SBL for some reason, so now our
> outgoing mails are getting detected as spam if the email body contains our
> local domainname whose IP is listed in SBL(hitting URIBL_SBL rule).
> We have hundreds of domainnames mapped to an single IP.
Why not fix the SBL issue instead of trying to work around it?
Your local "fix" won't stop a URIBL_SBL hit at the other, rcpt's end.
Give us the SBL number and we may be able to help you out.