[Rspamd-Users] RBL module, default_received and default_from

Mon Feb 24 15:18:46 UTC 2020

On 24/02/2020 14:20, Riccardo Alfieri wrote:
> Hi,
> 
> the default configuration in rbl.conf is the following:
> 
> ---
> rbl {
>   default_from = true;
>   default_received = false;
> ...
>     spamhaus {
>       symbol = "SPAMHAUS"; # Augmented by prefixes
>       rbl = "zen.spamhaus.org";
>       ipv6 = true;
>       received = true;
>       from = true;
> ...
> ---
> 
> As far as I understood, this means that by default, all the IPs in the
> received chain are tested.
> 
> I then added in my local.d/rbl.conf the following config:
> 
> ---
> rbls {
>     spamhaus {
>         from = false;
>     }
>     spamhaus_from {
>         from = true;
>         received = false;
>         returncodes {
>           SPAMHAUS_ZEN = [ "127.0.0.2", "127.0.0.3", "127.0.0.4",
> "127.0.0.5", "127.0.0.6", "127.0.0.7", "127.0.0.9", "127.0.0.10",
> "127.0.0.11" ];
>         }
> ...
> ---
> 
> I was hoping that, by doing that, the "spamhaus_from" section would
> *only* check the connecting IP, while the "spamhaus" one would check the
> received chain *except* the connecting IP. Unfortunately this is not
> happening. In cases of direct-to-mx bots, I see both rules appearing in
> the logs:
> 
> 2020-02-24 14:XX:XX #11691(normal) ... (default: T (reject):
> [23.49/15.00]
> [SPAMHAUS_ZEN(7.00){185.42.105.XX:from;},RECEIVED_SPAMHAUS_XBL(3.00){185.42.105.XX:received;}
> 
> 
> I think it would be more correct if only the SPAMHAUS_ZEN would have
> been triggered in this case, as there is no received chain to inspect.
> 
> Am I doing something wrong or is this expected behaviour?
> 

Received chain includes an implicit 'first received' that is formed from
the connection data (if not added by MTA like the vast majority of MTAs do).