Posted to users@spamassassin.apache.org by Rich Wales <ri...@richw.org> on 2011/05/08 21:05:50 UTC

Spamhaus PBL and ZEN blocklists

I see references to the Spamhaus PBL and ZEN blocklists in the
SpamAssassin rules, and I'm confused / concerned about this.

According to the web page (http://www.spamhaus.org/pbl/), the
Spamhaus PBL "is a DNSBL database of end-user IP address ranges
which should not be delivering unauthenticated SMTP email to any
Internet mail server except those provided for specifically by
an ISP for that customer's use."

Spamhaus also says that servers should "not use PBL in filters
that do any 'deep parsing' of Received headers, or for other than
checking IP addresses that hand off to your mailservers."  The
issue is that a piece of mail might *legitimately* originate from
a host in the Spamhaus PBL, as long as the mail leaves the user's
machine via his/her ISP's mail relay and is *not* being sent
directly from the user's machine to the intended destination.

Does the RCVD_IN_PBL rule in SpamAssassin take care to check *only*
the *last* (chronologically last, physically first) "Received:"
line?  Or does it parse *all* the "Received:" header lines and
match *any* occurrence of a PBL-listed relay *anywhere* along a
message's delivery path?  If the rule checks *all* of a message's
relay sites against the PBL, I believe this is wrong.

Similar comments for the Spamhaus ZEN list, which includes the
PBL information.  (The comment in 20_dnsbl_tests.cf saying that
"Spamhaus SBL+XBL" is "now called Zen" is in error -- the ZEN
list combines SBL, XBL, and PBL.)

Comments on this?  Am I missing something here?

Rich Wales
Palo Alto, CA
richw@richw.org

Re: Spamhaus PBL and ZEN blocklists

Posted by Ned Slider <ne...@unixmail.co.uk>.
On 08/05/11 20:05, Rich Wales wrote:
> I see references to the Spamhaus PBL and ZEN blocklists in the
> SpamAssassin rules, and I'm confused / concerned about this.
>
> According to the web page (http://www.spamhaus.org/pbl/), the
> Spamhaus PBL "is a DNSBL database of end-user IP address ranges
> which should not be delivering unauthenticated SMTP email to any
> Internet mail server except those provided for specifically by
> an ISP for that customer's use."
>
> Spamhaus also says that servers should "not use PBL in filters
> that do any 'deep parsing' of Received headers, or for other than
> checking IP addresses that hand off to your mailservers."  The
> issue is that a piece of mail might *legitimately* originate from
> a host in the Spamhaus PBL, as long as the mail leaves the user's
> machine via his/her ISP's mail relay and is *not* being sent
> directly from the user's machine to the intended destination.
>
> Does the RCVD_IN_PBL rule in SpamAssassin take care to check *only*
> the *last* (chronologically last, physically first) "Received:"
> line?  Or does it parse *all* the "Received:" header lines and
> match *any* occurrence of a PBL-listed relay *anywhere* along a
> message's delivery path?  If the rule checks *all* of a message's
> relay sites against the PBL, I believe this is wrong.
>
> Similar comments for the Spamhaus ZEN list, which includes the
> PBL information.  (The comment in 20_dnsbl_tests.cf saying that
> "Spamhaus SBL+XBL" is "now called Zen" is in error -- the ZEN
> list combines SBL, XBL, and PBL.)
>
> Comments on this?  Am I missing something here?
>
> Rich Wales
> Palo Alto, CA
> richw@richw.org
>


$ grep spamhaus *.cf | grep RCVD_IN_PBL
20_dnsbl_tests.cf:header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '127.0.0.1[01]')


See above, the -lastexternal switch means only the *last external* IP 
address in the received chain is examined, which is what you want.

So there's no issue here as per the default configuration in SpamAssassin.
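
Added example (not part of the original thread and not SpamAssassin's own code): a simplified Python model of the difference between checking only the last external relay and "deep parsing" every Received hop against the PBL. The header lines, the internal network and the listing set are constructed, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, newest header first (the order found in a message).
# 192.0.2.10 = our own MX, 198.51.100.25 = the ISP's relay,
# 203.0.113.77 = the end user's dynamic address (PBL-listed in this sample).
RECEIVED = [
    "from mx1.example.net (mx1.example.net [192.0.2.10]) by store.example.net; Sun, 8 May 2011 12:06:03 -0700",
    "from smtp.isp.example (smtp.isp.example [198.51.100.25]) by mx1.example.net; Sun, 8 May 2011 12:06:01 -0700",
    "from laptop (dsl-77.isp.example [203.0.113.77]) by smtp.isp.example; Sun, 8 May 2011 12:05:58 -0700",
]
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]  # assumed local mail servers
PBL_SAMPLE = {"203.0.113.77"}                       # constructed listing data

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ips(received):
    """Client IP recorded in each Received header, newest first."""
    found = (IP_RE.search(h) for h in received)
    return [m.group(1) for m in found if m]

def last_external(received, internal):
    """First relay, reading newest to oldest, outside our own networks:
    the host that handed the message off to our mail servers."""
    for ip in relay_ips(received):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in internal):
            return ip
    return None

def dnsbl_qname(ip, zone="zen.spamhaus.org"):
    """DNSBL query name: octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def deep_parse_hits(received, listed):
    """Every hop checked: flags mail relayed properly through the ISP."""
    return [ip for ip in relay_ips(received) if ip in listed]

def lastexternal_hits(received, internal, listed):
    """Only the handing-off relay checked, as the PBL usage text asks."""
    ip = last_external(received, internal)
    return [ip] if ip in listed else []

if __name__ == "__main__":
    print("deep parse:", deep_parse_hits(RECEIVED, PBL_SAMPLE))
    print("last external:", lastexternal_hits(RECEIVED, INTERNAL, PBL_SAMPLE))
    print("query:", dnsbl_qname(last_external(RECEIVED, INTERNAL)))
```

The same dynamic address does produce a hit under the last-external check when it connects to the local MX directly, which is the case the PBL is meant to catch.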



Re: Spamhaus PBL and ZEN blocklists

Posted by Mark Martinec <Ma...@ijs.si>.
> > Similar comments for the Spamhaus ZEN list, which includes the
> > PBL information.  (The comment in 20_dnsbl_tests.cf saying that
> > "Spamhaus SBL+XBL" is "now called Zen" is in error -- the ZEN
> > list combines SBL, XBL, and PBL.)

Sahil Tandon writes:
> That comment is harmless, and likely an artifact from when SBL-XBL was
> deprecated in favor of ZEN several years ago.  And FWIW, ZEN actually
> contains the SBL, SBLCSS, XBL and PBL blocklists.

Thanks, fixed the comment:

-# Spamhaus SBL+XBL, now called Zen
+# Spamhaus ZEN includes SBL+CSS+XBL+PBL
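
Review bot: The new comment on the "+" line lists what ZEN contains but not what that means for the rules under it. Because PBL is part of ZEN, lookups against zen.spamhaus.org have to stay limited to the relay that hands off to the local mail servers (the 'zen-lastexternal' set), so a second comment line saying that would guard against a later edit widening the check to the whole Received chain. Writing "SBLCSS" instead of "CSS" would also match the name used for that list elsewhere in this thread.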

Mark

Re: Spamhaus PBL and ZEN blocklists

Posted by Sahil Tandon <sa...@FreeBSD.org>.
On Sun, 2011-05-08 at 12:05:50 -0700, Rich Wales wrote:

> Does the RCVD_IN_PBL rule in SpamAssassin take care to check *only*
> the *last* (chronologically last, physically first) "Received:"
> line?  Or does it parse *all* the "Received:" header lines and
> match *any* occurrence of a PBL-listed relay *anywhere* along a
> message's delivery path?  If the rule checks *all* of a message's
> relay sites against the PBL, I believe this is wrong.

Please read how the rule is constructed and pay close attention to
discussion of '-lastexternal' in the documentation.

> Similar comments for the Spamhaus ZEN list, which includes the
> PBL information.  (The comment in 20_dnsbl_tests.cf saying that
> "Spamhaus SBL+XBL" is "now called Zen" is in error -- the ZEN
> list combines SBL, XBL, and PBL.)

That comment is harmless, and likely an artifact from when SBL-XBL was
deprecated in favor of ZEN several years ago.  And FWIW, ZEN actually
contains the SBL, SBLCSS, XBL and PBL blocklists.

> Comments on this?  Am I missing something here?

Yes; a closer review of documentation and rule construction is in order.

-- 
Sahil Tandon <sa...@FreeBSD.org>