[Rspamd-Users] Spamhaus Technology contributions to Rspamd ruleset

Tim Harman tim at muppetz.com
Wed Jul 24 23:18:36 UTC 2019


On 25/07/2019 12:12 am, Riccardo Alfieri wrote:
> 
> If I'm interpreting this correctly this is generated from rbl.conf,
> and could happen because some bots use "127.0.0.1" as HELO, in
> rbl.conf there is "helo = true", and I believe this checks all HELOs
> in the received chain. It could also happen if there are broken MUAs
> or other applications that use IPs as HELO strings.
> 
> Anyway, I pushed an expansion on DBL and ZRD rules that include the
> error return code (127.0.1.255), that should somehow "fix" it, in the
> sense that you'll probably find some hits on rules
> RBL_DBL_DONT_QUERY_IPS and RBL_ZRD_DONT_QUERY_IPS. Don't worry about
> that because the weight is 0.
> 
> If you keep finding that then I believe we need to understand what
> rule triggers them and maybe ask a developer for some advice.

Actually, what I *think* is happening is to do with rspamd's monitoring 
of RBLs to ensure they're still valid/working.

from: https://rspamd.com/doc/modules/rbl.html

<snip snip>
     monitored_address: (new in Rspamd 1.6) fixed address to check for absence (1.0.0.127 by default).

Now what seems to be happening:

Querying regular Zen:

-!- rspamd/local.d » drill 1.0.0.127.zen.spamhaus.org
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 46173   <------------------------ NXDOMAIN
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; 1.0.0.127.zen.spamhaus.org.  IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
zen.spamhaus.org.       4       IN      SOA     need.to.know.only. hostmaster.spamhaus.org. 1907242304 3600 600 432000 10

But we have this new zrd BL in the rbl module.  Therefore it is also 
doing a check of 1.0.0.127.<hidden>.zrd.dq.spamhaus.net
But it doesn't return NXDOMAIN, it returns an answer:

-!- rspamd/local.d » drill 1.0.0.127.<hidden>.zrd.dq.spamhaus.net
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 57008   <------------------------- NOERROR
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 1.0.0.127.<hidden>.zrd.dq.spamhaus.net.    IN      A

;; ANSWER SECTION:
1.0.0.127.<hidden>.zrd.dq.spamhaus.net.       1       IN      A       127.0.2.255

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

I believe the fix is to set monitored_address for spamhaus_zrd in 
rbl.conf, but I don't know what IP it would be set to (maybe 
255.255.255.255, that seems to return NXDOMAIN)

Hope this helps - someone with more clue will hopefully be able to chime 
in.

Kind Regards,
Tim

