IP listed in RBL but not blocked at SMTP level


ics
Posts: 66
Joined: Wed Sep 03, 2014 11:05 am
How did you hear about Mailcleaner: googling

IP listed in RBL but not blocked at SMTP level

Postby ics » Tue Oct 07, 2014 10:29 am

Hi,

Some IPs are listed in RBLs, however MC just tagged the email as spam by using the PreRBL listing instead of blocking the connection at the SMTP level.

The strange thing is that for some other listed IPs it works at SMTP level with the same RBLs.

In the example in the attached picture, the IP 174.142.71.47 is listed in cbl.abuseat.org but it is only detected at the PreRBL level, not at the SMTP level. Why? (Of course, the cbl.abuseat.org check is enabled in the SMTP settings.) These obvious spams are tagged, but I want to block them completely.

Does anyone else have the same issue?
Attachments
capt.png (48.65 KiB)
del
Posts: 497
Joined: Mon Mar 11, 2013 7:42 am
How did you hear about Mailcleaner: google
Location: Germany

Re: IP listed in RBL but not blocked at SMTP level

Postby del » Tue Oct 07, 2014 12:16 pm

Hi ics,

Please show me a screenshot of your SMTP stage blacklists and the .cf file of that RBL in /usr/mailcleaner/etc/rbls/.
Also do

Code:

/usr/mailcleaner/bin/mc_mysql -m
> use mc_config
> select * from dnslist;

and post the output here

Thanks
ics

Re: IP listed in RBL but not blocked at SMTP level

Postby ics » Tue Oct 07, 2014 12:34 pm

Hi del,

Thank you for the answer.

Here is the output you asked for:

Code:

mysql> select * from dnslist;
+---------------+--------------------------------------------+-----------+--------+-----------------------------------------------------------------------------------------+
| name          | url                                        | type      | active | comment                                                                                 |
+---------------+--------------------------------------------+-----------+--------+-----------------------------------------------------------------------------------------+
| AHBL          | rhsbl.ahbl.org.                            | blacklist |      1 | <a target="_blank" href="http://www.ahbl.org">http://www.ahbl.org</a>                   |
| BSP           | sa-trusted.bondedsender.org.               | whitelist |      1 | NULL                                                                                    |
| CompleteWhois | combined-HIB.dnsiplists.completewhois.com. | blacklist |      1 | <a target="_blank" href="http://www.completewhois.com">http://www.completewhois.com</a> |
| DNSWL         | list.dnswl.org.                            | whitelist |      1 | NULL                                                                                    |
| DSBL          | list.dsbl.org.                             | blacklist |      1 | <a target="_blank" href="http://www.dsbl.org">http://www.dsbl.org</a>                   |
| HABEAS        | sa-accredit.habeas.com.                    | whitelist |      1 | NULL                                                                                    |
| IADB          | iadb.isipp.com.                            | whitelist |      1 | NULL                                                                                    |
| NJABL         | dnsbl.njabl.org.                           | blacklist |      1 | <a target="_blank" href="http://www.njabl.org">http://www.njabl.org</a>                 |
| RFC-Ignorant  | fulldom.rfc-ignorant.org.                  | blacklist |      1 | <a target="_blank" href="http://www.rfc-ignorant.org">http://www.rfc-ignorant.org</a>   |
| SECURITYUSAGE | blackhole.securitysage.com.                | blacklist |      1 | <a target="_blank" href="http://www.securitysage.com">http://www.securitysage.com</a>   |
| SORBS-DNSBL   | dnsbl.sorbs.net.                           | blacklist |      1 | <a target="_blank" href="http://www.sorbs.net">http://www.sorbs.net</a>                 |
| spamcop.net   | bl.spamcop.net.                            | blacklist |      1 | <a target="_blank" href="http://www.spamcop.net">http://www.spamcop.net</a>             |
| SPAMHAUS-ZEN  | zen.spamhaus.org.                          | blacklist |      1 | <a target="_blank" href="http://www.spamhaus.org/zen/">http://www.spamhaus.org/zen/</a> |
+---------------+--------------------------------------------+-----------+--------+-----------------------------------------------------------------------------------------+
13 rows in set (0.00 sec)

I don't see cbl.abuseat.org nor b.barracudacentral.org in this SQL result. Could that be the reason why it doesn't work for some IPs and works for others?

Code:

File: /usr/mailcleaner/etc/rbls/ABUSEAT.cf

name=ABUSEAT
type=IPRBL
dnsname=cbl.abuseat.org
sublist=127.0.0.\d+,ABUSEAT,abuseat.org list

Attachments
smtp.png (29.99 KiB)
Last edited by ics on Tue Oct 07, 2014 12:51 pm, edited 2 times in total.
del

Re: IP listed in RBL but not blocked at SMTP level

Postby del » Tue Oct 07, 2014 12:49 pm

Yes, please do:

Code:

/usr/mailcleaner/bin/mc_mysql -m
> use mc_config
> insert into dnslist (name,url,type,active) VALUES ('ABUSECAT','cbl.abuseat.org','blacklist','1');


and maybe (but I think it's done when restarting MC)

Code:

echo "ABUSECAT   cbl.abuseat.org" >> /usr/mailcleaner/etc/mailscanner/dnsblacklists.conf


Restart MailCleaner engine

Code:

/etc/init.d/mailcleaner restart
ics

Re: IP listed in RBL but not blocked at SMTP level

Postby ics » Tue Oct 07, 2014 12:50 pm

I have 2 MC nodes in a cluster. Should I do that on both or only on the master?
del

Re: IP listed in RBL but not blocked at SMTP level

Postby del » Tue Oct 07, 2014 12:56 pm

The master is enough.
ics

Re: IP listed in RBL but not blocked at SMTP level

Postby ics » Tue Oct 07, 2014 1:11 pm

OK, I added the entry on the master and restarted the MC engine on both.
The new SQL entry appears only on the master; it has not been replicated on the slave.
I am gonna try to add it manually on the slave as well...

I have already manually added "ABUSEAT cbl.abuseat.org." in /usr/mailcleaner/etc/mailscanner/dnsblacklists.conf on both nodes.
ics

Re: IP listed in RBL but not blocked at SMTP level

Postby ics » Tue Oct 07, 2014 1:19 pm

All modifications done. :)
Have to wait and see if the spam still goes through...

Thanks much for your help.
del

Re: IP listed in RBL but not blocked at SMTP level

Postby del » Tue Oct 07, 2014 1:20 pm

Read this please
viewtopic.php?f=3&t=1816
ics

Re: IP listed in RBL but not blocked at SMTP level

Postby ics » Tue Oct 07, 2014 1:54 pm

Already read.
Unless I miss something, the only difference with my case is that the entry is not automatically added to the slave database even after a MC daemon restart. So I added it manually.

BTW, it still doesn't work: I received one spam that has been tagged at PreRBL level with the ABUSEAT blacklist but not blocked at SMTP level. :(
Any other idea?
Any reason why some blacklisted IPs (in Abuseat.org or barracuda.org) are blocked at SMTP level and some are not?
ics

Re: IP listed in RBL but not blocked at SMTP level

Postby ics » Fri Oct 10, 2014 12:42 pm

Any other ideas?
I still receive many emails that are tagged at the PreRBL level and should have been rejected at the SMTP level.

The latest example is with these IPs: 174.142.71.47 and 201.156.142.231.

Both are listed in cbl.abuseat.org but only one is blocked at SMTP level.
201.156.142.231.png (7.54 KiB)


The other one is tagged at PreRBL level.
174.142.71.47.png (39.55 KiB)


What could be the difference between those IPs?
How can I check that MC really checks the RBL at the SMTP level?
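
Added example (not part of any post in this thread, and not MailCleaner's own code): one way to verify a listing independently of MailCleaner is to build the DNSBL query name by hand and match the answer against the sublist pattern from the ABUSEAT.cf posted above. The function names, the injectable resolver, and the reading of a sublist line as "regex,tag,description" matched in full are assumptions.

```python
import ipaddress
import re
import socket

# Constructed copy of the ABUSEAT.cf content quoted in the thread.
ABUSEAT_CF = r"""name=ABUSEAT
type=IPRBL
dnsname=cbl.abuseat.org
sublist=127.0.0.\d+,ABUSEAT,abuseat.org list
"""


def parse_rbl_cf(text):
    """Parse key=value lines. Assumption: sublist is 'regex,tag,description'."""
    cfg = {"sublists": []}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.startswith("#"):
            continue
        if key == "sublist":
            pattern, tag, desc = value.split(",", 2)
            cfg["sublists"].append((re.compile(pattern), tag, desc))
        else:
            cfg[key] = value
    return cfg


def dnsbl_qname(ip, zone):
    """Reverse the IPv4 octets and append the zone: a.b.c.d -> d.c.b.a.zone"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def classify(answers, cfg):
    """Tags of every sublist whose regex matches a returned A record in full."""
    return sorted({tag for a in answers
                   for rx, tag, _ in cfg["sublists"] if rx.fullmatch(a)})


def lookup(ip, cfg, resolver=socket.gethostbyname_ex):
    """Query via the system resolver; NXDOMAIN or a resolver error gives no tags."""
    try:
        answers = resolver(dnsbl_qname(ip, cfg["dnsname"]))[2]
    except (socket.gaierror, socket.herror):
        return []
    return classify(answers, cfg)


if __name__ == "__main__":
    cfg = parse_rbl_cf(ABUSEAT_CF)
    for ip in ("174.142.71.47", "201.156.142.231"):  # IPs named in the thread
        print(ip, dnsbl_qname(ip, cfg["dnsname"]), lookup(ip, cfg) or "not listed")
```

Run it on the MailCleaner host itself so the query goes through the same resolver the filter uses. DNSBL listings change over time, so compare the result against the time the message was received.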
ics

Re: IP listed in RBL but not blocked at SMTP level

Postby ics » Thu Oct 16, 2014 1:26 pm

up!
Nobody else has this issue?
ics

Re: IP listed in RBL but not blocked at SMTP level

Postby ics » Thu Oct 30, 2014 1:09 pm

Any clue?
I still have users who receive many PreRBL-tagged spams that should have been blocked at the SMTP RBL check level.
Is there a way to enable a kind of debug logging option so that at least one clue appears in the logs?
ossistemes
Posts: 4
Joined: Thu Mar 06, 2014 10:27 am
How did you hear about Mailcleaner: google

Re: IP listed in RBL but not blocked at SMTP level

Postby ossistemes » Mon Nov 10, 2014 1:23 am

You're not alone!!

Same problem here: after updating to 2014.10, I now see that SMTP does not filter on the RBL list, but the mail is tagged in PreRBL.

If I find something, I'll post it!!
del

Re: IP listed in RBL but not blocked at SMTP level

Postby del » Mon Nov 10, 2014 8:23 am

Does the email match the sender's SPF policy?
