[Rspamd-Users] HFILTER_HOSTNAME_UNKNOWN possible evaluation bug?

G.W. Haywood rspamd at jubileegroup.co.uk
Thu Oct 20 14:39:17 UTC 2022


Hi there,

On Thu, 20 Oct 2022, Josef Vybíhal wrote:

> I have noticed that some messages sent to us hit the HFILTER_HOSTNAME_UNKNOWN.
>
> By further investigation I have found out that in fact the sender (as
> far as my knowledge goes) has his PTR/FCrDNS in order.
>
> Example:
>
> $ dig -x 18.185.115.19 +short
> repost01.tmes.trendmicro.eu.
>
> $ dig repost01.tmes.trendmicro.eu +short | grep '18.185.115.19'
> 18.185.115.19
>
>
> What goes on here is, that the 'repost01.tmes.trendmicro.eu' record
> has multiple A records defined:
>
> $ dig repost01.tmes.trendmicro.eu +short
> 18.185.115.15
> [snip 30 IP addresses]
> 18.185.115.10
>
>
> Is that a bug in rspamd evaluation or maybe I am missing something here?

Indeed rspamd might be implicated but I'd want to know more about it
before I pointed my finger. :)

Firstly, in the absence of other replies to you, I searched and found

https://github.com/mailcow/mailcow-dockerized/issues/3168

What resolver(s) are rspamd and your MTA using?

Secondly, I wonder whether it would be simpler to let your MTA do this check?

Finally, if you look at the 'dig' reply without '+short' you will see
that the response is over 700 octets.  That's more than will fit in a
bargain basement DNS UDP packet.  If DNS has to fall back to TCP, all
sorts of things can start to go wrong.  I wonder if you've run into
problems with things like TCP packet sizes, fragmentation, truncation,
or even bugs in firewalls and resolvers - such things are depressingly
common.  Don't forget that what an application sees and what dig shows
you might be different things.  (Strange these days for anyone to want
so many 'A' records in a reply, and there are no 'AAAA' records at all
yet the nameservers all have IPv6 addresses.)

HTH

-- 

73,
Ged.
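The forward-confirmed rDNS check this thread is about, as an added example (not rspamd's code or anything from the list): a resolver-agnostic implementation over a constructed in-memory zone that mirrors the PTR and the 32-address A set, plus an emulation of the path Ged suspects, where a reply larger than the UDP budget is clipped and nothing retries over TCP, so a perfectly valid hostname comes back inconclusive. Addresses other than .19 and the 203.0.113.x mismatch case are made up.

```python
import ipaddress

# Constructed in-memory zone standing in for DNS so the example runs offline.
# The PTR and the 32-address A set mirror the thread; all but .19 are made up,
# and the order is rotated as round-robin answers often are.
SENDER_IP = "18.185.115.19"
SENDER_NAME = "repost01.tmes.trendmicro.eu."
ZONE = {
    (ipaddress.ip_address(SENDER_IP).reverse_pointer + ".", "PTR"): [SENDER_NAME],
    (SENDER_NAME, "A"): [f"18.185.115.{i}" for i in list(range(20, 42)) + list(range(10, 20))],
    (SENDER_NAME, "AAAA"): [],
    # Constructed mismatch case: PTR exists but the forward set lacks the IP.
    (ipaddress.ip_address("203.0.113.1").reverse_pointer + ".", "PTR"): ["mismatch.example."],
    ("mismatch.example.", "A"): ["203.0.113.2"],
}
HEADER_AND_QUESTION = 12 + len(SENDER_NAME) + 1 + 4  # rough wire-size estimate
RR_WIRE_SIZE = {"A": 16, "AAAA": 28}                  # compressed owner name + rdata

def lookup(zone, name, rtype, udp_limit=None):
    """Return (records, truncated) for (name, rtype).

    With udp_limit set, emulate a path where the answer must fit in udp_limit
    bytes and nothing retries over TCP: trailing records are silently dropped
    and truncated=True. This is the failure mode the thread suspects.
    """
    records = list(zone.get((name, rtype), []))
    if udp_limit is None or rtype not in RR_WIRE_SIZE:
        return records, False
    fit = max(0, (udp_limit - HEADER_AND_QUESTION) // RR_WIRE_SIZE[rtype])
    return records[:fit], len(records) > fit

def fcrdns(ip, zone, udp_limit=None):
    """Forward-confirmed rDNS: ip -> PTR name -> A/AAAA set must contain ip.

    Returns 'ok', 'no_ptr', 'no_match' or 'truncated' (inconclusive).
    """
    addr = ipaddress.ip_address(ip)
    names, _ = lookup(zone, addr.reverse_pointer + ".", "PTR", udp_limit)
    if not names:
        return "no_ptr"
    rtype = "AAAA" if addr.version == 6 else "A"
    for name in names:
        forward, truncated = lookup(zone, name, rtype, udp_limit)
        if any(ipaddress.ip_address(a) == addr for a in forward):
            return "ok"
        if truncated:
            # The address may have been in the lost tail of the answer; do not
            # report an unknown hostname on the strength of a partial reply.
            return "truncated"
    return "no_match"
```

`fcrdns(SENDER_IP, ZONE)` returns `'ok'`, while `fcrdns(SENDER_IP, ZONE, udp_limit=512)` returns `'truncated'` because only 29 of the 32 A records fit and .19 sits in the dropped tail; a checker that treats that as "no PTR" is exactly the symptom described.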

