Posted to users@spamassassin.apache.org by AJ Weber <aw...@comcast.net> on 2017/10/13 12:40:18 UTC
URIBL_BLOCKED - which one?
I guess this qualifies as a newbie question...I've been running SA for a
while, but haven't really dug into some of the workings...
I occasionally see the URIBL_BLOCKED notice in some of my spam results.
I read the related web page, and started using unbound as a local DNS,
but I'm still seeing this.
Since I have a number of RBL's setup, is there a way to determine which
of the RBLs blocked my query? Maybe I have one configured that I need
to "license" or subscribe-to in some way?
Thanks for the troubleshooting assistance.
-AJ
Re: URIBL_BLOCKED - which one?
Posted by AJ Weber <aw...@comcast.net>.
On 10/13/2017 8:57 AM, David Jones wrote:
> On 10/13/2017 07:47 AM, Markus Clardy wrote:
>> URIBL_BLOCKED is in reference to multi.uribl.com
>> <http://multi.uribl.com>.
>> --
>> - Markus
>
> To disable queries to multi.uribl.com, put this in your local.cf or
> equivalent in /etc/mail/spamassassin:
>
> score URIBL_BLACK 0
> score URIBL_GREY 0
> score URIBL_RED 0
>
> Based on my mail flow and other RBLs, I didn't miss this RBL when I
> disabled it years ago. It may be valuable to some but Spamhaus and
> IVM do most of the heavy lifting on my mail filters.
>
@Markus, @David: Thank you both. I started digging into the .cf files
and did find that reference to multi.uribl.com.
Strange that they are denying my queries. Maybe because I have a DHCP
address from a major ISP and that's a problem? I don't really
understand how they determine who is querying their RBLs. I thought
running unbound locally would help mitigate that problem, but I guess not.
Thanks again.
Re: URIBL_BLOCKED - which one?
Posted by David Jones <dj...@ena.com>.
On 10/13/2017 08:01 AM, Reindl Harald wrote:
>
>
> On 13.10.2017 at 14:57, David Jones wrote:
>> To disable queries to multi.uribl.com, put this in your local.cf or
>> equivalent in /etc/mail/spamassassin:
>>
>> score URIBL_BLACK 0
>> score URIBL_GREY 0
>> score URIBL_RED 0
>>
>> Based on my mail flow and other RBLs, I didn't miss this RBL when I
>> disabled it years ago. It may be valuable to some but Spamhaus and
>> IVM do most of the heavy lifting on my mail filters
>
> terrible bad idea and not a solution at all when likely his server is
> not using 127.0.0.1 as the only DNS and so other RBL's also won't work
> as expected - when you see URIBL_BLACK you have a problem which needs to
> be solved and not buried
>
His server's /etc/resolv.conf could be pointed to 127.0.0.1 and still
have too high of volume to hit URIBL_BLOCKED like mine was years ago.
But yes, make sure you have unbound setup and working properly and
/etc/resolv.conf is pointing to 127.0.0.1. Then do a manual query to
127.0.0.1 to confirm it's working:
# dig @127.0.0.1 test.dbl.spamhaus.org
;; ANSWER SECTION:
test.dbl.spamhaus.org. 60 IN A 127.0.1.2
> be sure i scored it not to 6.5 just for fun based on a 8.0 milter-reject
> score
>
> BLOCKED: 1512
> URIBL_BLACK: 512
>
> [root@mail-gw:~]$ sa-score.sh URIBL_BLACK
> /usr/share/spamassassin
> score URIBL_BLACK 0 1.7 0 1.7 # n=0 n=2
>
> /var/lib/spamassassin/3.004001/updates_spamassassin_org
> score URIBL_BLACK 0 1.7 0 1.7 # n=0 n=2
>
> /etc/mail/spamassassin/local-*.cf
> score URIBL_BLACK 6.5
Like I said, disabling URIBL didn't impact my mail filtering because of
other RBLs and my specific mail flow. Different mail flow from
different locations around the world/Internet will cause SA to be a
little different for everyone. There's no one-size-fits-all with mail
filtering and SA but we have common issues like URIBL_BLOCKED that are
generally solved the same way. If your volume is low enough, you can
keep it and setup your local DNS server to do full recursive lookups.
If your volume is too high for their free usage limit, then disable it and
use other RBLs that could be better for your locale.
--
David Jones
Re: URIBL_BLOCKED - which one?
Posted by David Jones <dj...@ena.com>.
On 10/13/2017 07:47 AM, Markus Clardy wrote:
> URIBL_BLOCKED is in reference to multi.uribl.com <http://multi.uribl.com>.
>
> On Fri, Oct 13, 2017 at 1:40 PM, AJ Weber <aweber@comcast.net
> <ma...@comcast.net>> wrote:
>
> I guess this qualifies as a newbie question...I've been running SA
> for a while, but haven't really dug into some of the workings...
>
> I occasionally see the URIBL_BLOCKED notice in some of my spam
> results. I read the related web page, and started using unbound as
> a local DNS, but I'm still seeing this.
>
> Since I have a number of RBL's setup, is there a way to determine
> which of the RBLs blocked my query? Maybe I have one configured
> that I need to "license" or subscribe-to in some way?
>
> Thanks for the troubleshooting assistance.
>
> -AJ
>
>
>
>
> --
> - Markus
To disable queries to multi.uribl.com, put this in your local.cf or
equivalent in /etc/mail/spamassassin:
score URIBL_BLACK 0
score URIBL_GREY 0
score URIBL_RED 0
Based on my mail flow and other RBLs, I didn't miss this RBL when I
disabled it years ago. It may be valuable to some but Spamhaus and IVM
do most of the heavy lifting on my mail filters.
--
David Jones
Re: URIBL_BLOCKED - which one?
Posted by Markus Clardy <ma...@clardy.eu>.
URIBL_BLOCKED is in reference to multi.uribl.com.
On Fri, Oct 13, 2017 at 1:40 PM, AJ Weber <aw...@comcast.net> wrote:
> I guess this qualifies as a newbie question...I've been running SA for a
> while, but haven't really dug into some of the workings...
>
> I occasionally see the URIBL_BLOCKED notice in some of my spam results. I
> read the related web page, and started using unbound as a local DNS, but
> I'm still seeing this.
>
> Since I have a number of RBL's setup, is there a way to determine which of
> the RBLs blocked my query? Maybe I have one configured that I need to
> "license" or subscribe-to in some way?
>
> Thanks for the troubleshooting assistance.
>
> -AJ
>
>
--
- Markus
Re: URIBL_BLOCKED - which one?
Posted by Tom Hendrikx <to...@whyscream.net>.
Hi,
Note that on at least Ubuntu from some time ago, unbound was
automatically configured to take the dns servers that were received from
an upstream server during DHCP, and configure those as forwarders.
Can you show us output of: unbound-control list_forwards
Kind regards,
Tom
On 13-10-17 18:59, John Hardin wrote:
>
> I just want to call this out as the critical detail in all the
> back-and-forth:
>
>> The main thing with setting up a DNS server for DNSBL lookups is not
>> "caching", it is "non-forwarding". Take a look at your unbound
>> settings and make sure it is doing all of the lookups itself and not
>> forwarding to another server.
>
Re: URIBL_BLOCKED - which one?
Posted by John Hardin <jh...@impsec.org>.
I just want to call this out as the critical detail in all the
back-and-forth:
> The main thing with setting up a DNS server for DNSBL lookups is not
> "caching", it is "non-forwarding". Take a look at your unbound settings
> and make sure it is doing all of the lookups itself and not forwarding
> to another server.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The tree of freedom must be freshened from time to time
with the blood of tyrants and tyrannosaurs.
-- DW, commenting on the GM6 Lynx .50BMG bullpup
-----------------------------------------------------------------------
197 days since the first commercial re-flight of an orbital booster (SpaceX)
Re: URIBL_BLOCKED - which one?
Posted by Bowie Bailey <Bo...@BUC.com>.
On 10/13/2017 9:45 AM, AJ Weber wrote:
> On 10/13/2017 9:23 AM, Reindl Harald wrote:
>> next time make a notice in your first post that you don't have a
>> serious mailserver but "maybe because I have a DHCP address from a
>> major ISP and that's a problem"
>>
> OK, I can do that, but there isn't anything in the troubleshooting for
> DNSBL regarding how your IP address is assigned. It just recommends
> that you use your own, caching DNS server. If that is important,
> maybe it should be mentioned in the docs?
This may be an issue with getting your outgoing mail accepted on other
mail servers, but it shouldn't make a difference with DNSBL lookups.
>
>> On 13.10.2017 at 15:20, AJ Weber wrote:
>>> I put the following in my local.cf. This does not work?
>>>
>>> dns_available yes
>>> # - REDIRECT DNS LOOKUPS TO LOCAL "unbound" service to avoid RBL bans
>>> dns_server 127.0.0.1
>>>> then your machine is *not* using 127.0.0.1 as the only DNS server
> So does this "dns_server" directive in my local.cf file work as
> expected? If so, my SA *is* using 127.0.0.1 as the only DNS server.
As far as I know, it should work. I just have it set in my
/etc/resolv.conf so it is used for everything on the machine. This is
the simplest setup unless you have some reason to need a different type
of DNS for other things.
The main thing with setting up a DNS server for DNSBL lookups is not
"caching", it is "non-forwarding". Take a look at your unbound settings
and make sure it is doing all of the lookups itself and not forwarding
to another server.
--
Bowie
Re: URIBL_BLOCKED - which one?
Posted by David Jones <dj...@ena.com>.
On 10/13/2017 08:45 AM, AJ Weber wrote:
> On 10/13/2017 9:23 AM, Reindl Harald wrote:
>> next time make a notice in your first post that you don't have a
>> serious mailserver but "maybe because I have a DHCP address from a
>> major ISP and that's a problem"
>>
> OK, I can do that, but there isn't anything in the troubleshooting for
> DNSBL regarding how your IP address is assigned. It just recommends
> that you use your own, caching DNS server. If that is important, maybe
> it should be mentioned in the docs?
>
>> On 13.10.2017 at 15:20, AJ Weber wrote:
>>> I put the following in my local.cf. This does not work?
>>>
>>> dns_available yes
>>> # - REDIRECT DNS LOOKUPS TO LOCAL "unbound" service to avoid RBL bans
>>> dns_server 127.0.0.1
>>>> then your machine is *not* using 127.0.0.1 as the only DNS server
> So does this "dns_server" directive in my local.cf file work as
> expected? If so, my SA *is* using 127.0.0.1 as the only DNS server.
It should. Do a test dig @127.0.0.1 to make sure unbound is resolving
properly. I am trying to do a test query from my mail servers to
multi.uribl.com and not getting any response right now. I have tried
from multiple locations on the Internet so I could show you exactly how
to tell you when you are blocked.
According to the SA rules, if you get back a response with xxx.xxx.xxx.1
then your query volume is too high and you hit URIBL_BLOCKED. The way
to resolve this is to run your own local DNS that does its own full
recursive lookup and does not forward to any other DNS server.
Forwarding to other DNS servers combines your queries with potentially
other queries to the RBL and you don't want that. You want your DNS
queries to be independent from any other so they are as few as possible
to stay under free usage limits.
If you are sure your DNS queries are isolated (not forwarding) and you
still hit URIBL_BLOCKED, then your only option is to disable those RBLs
by scoring them as 0.
--
David Jones
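The two checks discussed in this thread (whether unbound is forwarding, and whether a multi.uribl.com answer means "blocked"), as an added example that is not part of any poster's message. It assumes `unbound-control list_forwards` prints lines shaped like ". IN forward <addr>..." and that the BLACK/GREY/RED bits are 2/4/8 as in SpamAssassin's stock URIBL rules; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All sample inputs are constructed.

# Decode an A record returned for a multi.uribl.com lookup.
# Bit 1 = URIBL_BLOCKED (the ".1" answer described above); bits 2/4/8 are
# the values used by SpamAssassin's stock URIBL rules, not stated in the thread.
classify_uribl() {
    case "$1" in
        127.0.0.*) octet=${1##*.} ;;
        *) echo "UNEXPECTED"; return 0 ;;
    esac
    case "$octet" in
        ''|*[!0-9]*) echo "UNEXPECTED"; return 0 ;;
    esac
    out=""
    for pair in 1:URIBL_BLOCKED 2:URIBL_BLACK 4:URIBL_GREY 8:URIBL_RED; do
        bit=${pair%%:*}
        if [ $((octet & bit)) -ne 0 ]; then out="$out ${pair#*:}"; fi
    done
    out=${out# }
    echo "${out:-NONE}"
}

# Read `unbound-control list_forwards` output on stdin and print every
# upstream configured for the root zone ".". Any output means unbound is
# forwarding instead of recursing. Assumed line shape: ". IN forward <addr>..."
root_forwarders() {
    awk '$1 == "." && $3 == "forward" { for (i = 4; i <= NF; i++) print $i }'
}

# Live check against the local resolver; $1 is a name under multi.uribl.com
# chosen by the operator (hypothetical argument, nothing is hard-coded).
check_live() {
    fw=$(unbound-control list_forwards | root_forwarders)
    if [ -n "$fw" ]; then echo "forwarding '.' to: $fw"; fi
    for ip in $(dig +short @127.0.0.1 "$1" A); do
        echo "$1 -> $ip: $(classify_uribl "$ip")"
    done
}

if [ "${1:-}" = "live" ] && [ -n "${2:-}" ]; then
    check_live "$2"
else
    # Offline demo on constructed input.
    printf '. IN forward 192.0.2.53 192.0.2.54\n' | root_forwarders
    classify_uribl 127.0.0.1
    classify_uribl 127.0.0.14
fi
```

Run with `live <name>` on the mail server to query through 127.0.0.1; without arguments it only decodes the constructed samples.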
Re: URIBL_BLOCKED - which one?
Posted by AJ Weber <aw...@comcast.net>.
On 10/13/2017 9:23 AM, Reindl Harald wrote:
> next time make a notice in your first post that you don't have a
> serious mailserver but "maybe because I have a DHCP address from a
> major ISP and that's a problem"
>
OK, I can do that, but there isn't anything in the troubleshooting for
DNSBL regarding how your IP address is assigned. It just recommends
that you use your own, caching DNS server. If that is important, maybe
it should be mentioned in the docs?
> On 13.10.2017 at 15:20, AJ Weber wrote:
>> I put the following in my local.cf. This does not work?
>>
>> dns_available yes
>> # - REDIRECT DNS LOOKUPS TO LOCAL "unbound" service to avoid RBL bans
>> dns_server 127.0.0.1
>>> then your machine is *not* using 127.0.0.1 as the only DNS server
So does this "dns_server" directive in my local.cf file work as
expected? If so, my SA *is* using 127.0.0.1 as the only DNS server.
Re: URIBL_BLOCKED - which one?
Posted by AJ Weber <aw...@comcast.net>.
I put the following in my local.cf. This does not work?
dns_available yes
# - REDIRECT DNS LOOKUPS TO LOCAL "unbound" service to avoid RBL bans
dns_server 127.0.0.1
On 10/13/2017 8:48 AM, Reindl Harald wrote:
>
>
> On 13.10.2017 at 14:40, AJ Weber wrote:
>> I guess this qualifies as a newbie question...I've been running SA
>> for a while, but haven't really dug into some of the workings...
>>
>> I occasionally see the URIBL_BLOCKED notice in some of my spam
>> results. I read the related web page, and started using unbound as a
>> local DNS, but I'm still seeing this
>
> then your machine is *not* using 127.0.0.1 as the only DNS server