[Rspamd-Users] content_urls in RBL module

Tobias Westerhever tobias.westerhever at skyline.link38.eu
Thu Jun 8 21:39:00 UTC 2023


Hi Rich,

to the best of my understanding, rspamd is more "conservative" with regards to
DNSBL usage than SpamAssassin is. For instance, in contrast to the latter, FQDNs
are not resolved to IP addresses by default, which could then be queried against
RBLs (see also: https://rspamd.com/doc/modules/rbl.html#ip-lists).

Since I find these checks very helpful in terms of reducing the false negative
rate, I enabled those again by the following snippet in local.d/rbl.conf:

rbls {
  "SPAMHAUS_ZEN_URIBL" {
    enabled = true;
  }
}

Enabling additional checks for certain DNSBLs is possible via configuration
snippets in the same file, such as:

# entries in local.d/rbl.conf sit inside the rbls { } block, as above
rbls {
  SOME_DNSBL {
    checks = ["content_urls"];
  }
}

Note that this will be _appended_ to the list of checks already defined in
modules.d/rbl.conf (it is recommended against modifying files in there, since
these changes may be overwritten during an upgrade of rspamd). _Overwriting_
these checks is possible by doing the same in override.d/rbl.conf (see also:
https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories).

The rationale of not enabling such checks by default appears to be not to
interact with an adversary's infrastructure (in the case of querying IPs
resolved from a FQDN against DNSBLs) - however, there does not seem to be an industry
consensus on this; SURBL explicitly advises against such checks (https://surbl.org/guidelines),
while Spamhaus states the opposite in https://www.spamhaus.org/sbl/ ("the SBL
is used both as a sender IP blocklist and as a URI blocklist [SBL is very effective
as a URI blocklist]").

The primary downside of "content_urls" DNSBL checks is, I guess, a performance
impact, since there can be hundreds of them in a single attachment, causing a
spate of - comparatively slow - DNS queries. On the other hand, if you come from
SpamAssassin, I guess you (and your users) are acclimated to that already...

Some sanity checks are probably needed for both features, to reduce the DoS
vector a single e-mail loaded with FQDNs can cause. How rspamd approaches this
issue is beyond my knowledge.

Best,
Tobias
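As an added illustration (not from Tobias's post or from rspamd's own code) of the two lookup styles and the query bound discussed above: it extracts hostnames from a constructed message body, deduplicates and caps them, and builds the DNSBL query names without actually resolving anything. The zone name, the resolved IP and the cap value are placeholders chosen for the example.

```python
import re
import ipaddress
from collections import OrderedDict

# Constructed sample body: duplicate hosts differing only in case, a literal-IP URL,
# a port suffix, and several URLs on one host (the "hundreds of URLs" case in small).
SAMPLE_BODY = """Hello,
see https://example.com/offer and http://EXAMPLE.com/other
also http://198.51.100.7/login and https://sub.example.net:8443/x
plus http://example.org/a http://example.org/b http://example.org/c
"""

# Host part of an http(s) URL; stops at path, port, query or fragment.
# Bracketed IPv6 literals in URLs are out of scope for this illustration.
URL_RE = re.compile(r"https?://([^\s/:?#]+)", re.IGNORECASE)

def extract_hosts(body, max_hosts):
    """Unique, lower-cased hostnames in order of first appearance, capped at max_hosts."""
    hosts = OrderedDict()
    for m in URL_RE.finditer(body):
        hosts.setdefault(m.group(1).lower().rstrip("."), None)
        if len(hosts) >= max_hosts:   # hard cap bounds the DNS fan-out per message
            break
    return list(hosts)

def dnsbl_query_name(host, zone, resolved_ip=None):
    """DNSBL lookup name: reversed octets/nibbles for an IP list, plain label for a URI list.
    resolved_ip models the "resolve FQDN, then query the IP list" path; it is a placeholder."""
    try:
        ip = ipaddress.ip_address(resolved_ip or host)
    except ValueError:
        return f"{host}.{zone}"     # URI-style lookup (what a content_urls check sends)
    if ip.version == 4:
        reversed_ip = ".".join(reversed(ip.exploded.split(".")))
    else:
        reversed_ip = ".".join(reversed(ip.exploded.replace(":", "")))
    return f"{reversed_ip}.{zone}"

def plan_queries(body, zone, max_hosts=10):
    """Dedupe and cap the hosts, then produce the query names that would go to the zone."""
    return [dnsbl_query_name(h, zone) for h in extract_hosts(body, max_hosts)]

if __name__ == "__main__":
    for q in plan_queries(SAMPLE_BODY, "dnsbl.example.invalid", max_hosts=3):
        print(q)
```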

