[Rspamd-Users] HOWTO become unblocked (FUZZY_BLOCKED(0.00)[rspamd.com])?

G.W. Haywood rspamd at jubileegroup.co.uk
Thu Jun 6 17:46:14 UTC 2024


Hi there,

On Thu, 6 Jun 2024, Michael Grimm via Users wrote:

> in April[1] I mentioned that both of my mailservers[2] are blocked: FUZZY_BLOCKED(0.00)[rspamd.com]
>
> I sent that mail[1] via mx2.enfer-du-nord.net and a few days later I noticed that this mailserver became unblocked.
>
> But my other server mx1.enfer-du-nord.net (91.121.41.56) is still being blocked, although I tried to contact support at rspamd.com as mentioned in [3].
>
> During the last two months I tried to reach both support@ and/or postmaster@ without success/answer.
>
> I am sorry to use the list for my request to become unblocked, perhaps my mails might have been flagged as spam ;-)
>
> Or is there another way to ask for becoming unblocked?

It probably isn't your fault. :(

I suspect that at least some of your troubles are because your IPs are
listed by DNSBLs in an IPv4 CIDR block such as a /24, or even a /16.

See for example:

https://multirbl.valli.org/dnsbl-lookup/91.121.41.56.html
https://multirbl.valli.org/dnsbl-lookup/135.125.211.209.html

Below is an abbreviated table showing the spam_score [*] and the
numbers of connections from spammers, grouped by AS number, which have
been seen by our servers.  The table is limited to ASNs from which
more than 10,000 attempts to send spam were seen here recently. [**]

[*] The "spam_score" is the weighted sum of the number of DNSBLs in
which a connecting IP is found at the time it connects to one of our
servers.  The weight for a DNSBL is between 1 and 3.  Reliable DNSBL
services e.g. Spamhaus carry a weight of 3.  As you see, the AVERAGE
spam_score for connections from OVH (AS16276) is more than 3 - meaning
the majority of the connections were from spammers.  NOCIX and WII are
the closest comparable scores.  We routinely drop all mail from those
ASNs as in my experience it's *all* spam.  OVH seems slightly better,
but until recently it has only been slightly.  So far in 2024, things
seem to have improved markedly but obviously I have no crystal ball.

[**] Many of the smaller ASNs have scores as high as the low twenties,
but they don't send quite so much spam.  This table would be a hundred
times longer if they were all included.

milter=> WITH t AS ( SELECT asnum,connections.asname,AVG(spam_score) AS score, \
          COUNT(*) AS count FROM connections GROUP BY asnum,connections.asname  \
 	 ORDER BY score ) SELECT * FROM t WHERE count > 10000 ;
  asnum  |            asname           | score  | count 
--------+-----------------------------+--------+-------
   16417 | IRONPORT-SYSTEMS-INC        |  0.075 | 17895
   24940 | HETZNER ONLINE GMBH         |  0.172 | 33682
   14618 | AMAZON-AES                  |  0.300 | 30959
   15169 | GOOGLE                      |  0.343 | 18230
    8075 | MICROSOFT-CORP-MSN-AS-BLOCK |  0.367 | 33098
     702 | UUNET                       |  0.460 | 16889
   16509 | AMAZON-02                   |  1.160 | 15521
   33387 | NOCIX                       |  3.036 | 24605
   16276 | OVH SAS                     |  3.251 | 15285 <<== OVH
   32097 | WII                         |  3.409 | 15055
   14061 | DIGITALOCEAN-ASN            |  4.506 | 12978
    4134 | CHINANET                    |  6.674 | 30686
  213035 | DES CAPITAL B.V.            |  9.388 | 28000
   36352 | AS-COLOCROSSING             | 10.773 | 10764
  211252 | DELIS LLC                   | 11.976 | 15361

Of the service suppliers who failed to deal with the spammers who use
their services, in my experience your supplier (OVH) has been amongst
the more serious offenders for a number of years.  As I said, if my
experience is anything to go by things do seem to have improved in the
first part of 2024 but I just don't know.  Rather than anything that
OVH has done, it might easily be because our policies have caused
spammers to avoid us.

You have no control over the DNSBLs which recipients use in their spam
filtering systems.  If for example they use UCEProtect, they may find
the IP addresses of your servers are both listed, and so you may have
difficulty sending messages to those recipients unless they're able
(and prepared) to whitelist your IPs.  Many larger organizations will
either not take the time to do that or will be unable to do it.

You might be able to get the DNSBLs who are listing blocks including
your IPs either to reconsider their listing policy, or perhaps to
whitelist your IPs.  Alternatively you might consider finding another
service supplier.

You have an SPF TXT record for enfer-du-nord.net, but not for the MXes
mx1.enfer-du-nord.net and mx2.enfer-du-nord.net.  I wonder if it may
improve things if you create those records.  Also you might try -all
instead of ~all as the default mechanism.  I don't know whether or not
that will help.  If you were to send mail here, it might.

Have you seen improvements in delivery if mail is signed with DKIM?

-- 

73,
Ged.
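
Added example, not part of the original post and not the poster's code: a sketch of the "spam_score" described above (weighted sum of the DNSBLs listing a connecting IP) and the per-ASN average from the table. Only the Spamhaus weight of 3 comes from the post; the .example zones, their weights, the sample IPs, ASNs and DNS answers are constructed, and resolve() is a hypothetical stand-in for a real DNS lookup.

```python
import ipaddress
from collections import defaultdict

# zone -> weight (1..3). Only "Spamhaus = 3" comes from the post; the
# .example zones and their weights are constructed placeholders.
WEIGHTS = {"zen.spamhaus.org": 3, "dnsbl-a.example": 2, "dnsbl-b.example": 1}

LISTED = ipaddress.ip_network("127.0.0.0/8")
ERRORS = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error codes, not listings

def dnsbl_qname(ip, zone):
    """IPv4 DNSBL query name: octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(answers):
    """True if any A answer is a 127/8 listing code rather than an error code."""
    addrs = [ipaddress.IPv4Address(a) for a in answers]
    return any(a in LISTED and a not in ERRORS for a in addrs)

def spam_score(ip, resolve, weights=WEIGHTS):
    """Weighted sum over the DNSBLs that list `ip` at connection time."""
    return sum(w for zone, w in weights.items()
               if is_listed(resolve(dnsbl_qname(ip, zone))))

def asn_table(connections, resolve, min_count):
    """Average score per ASN, kept only where count > min_count, sorted by score."""
    scores = defaultdict(list)
    for ip, asnum in connections:
        scores[asnum].append(spam_score(ip, resolve))
    rows = [(asn, sum(s) / len(s), len(s)) for asn, s in scores.items()]
    return sorted((r for r in rows if r[2] > min_count), key=lambda r: r[1])

# Constructed sample data: documentation IPs and ASNs, canned DNS answers.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.2"],
    "10.2.0.192.dnsbl-a.example": ["127.0.0.2"],
    "20.100.51.198.zen.spamhaus.org": ["127.255.255.254"],  # error, not a listing
    "20.100.51.198.dnsbl-b.example": ["127.0.0.4"],
}

def fake_resolve(qname):
    return FAKE_DNS.get(qname, [])  # empty list models NXDOMAIN (not listed)

CONNECTIONS = [("192.0.2.10", 64496), ("192.0.2.10", 64496),
               ("203.0.113.5", 64496), ("198.51.100.20", 64497)]

if __name__ == "__main__":
    for asn, avg, count in asn_table(CONNECTIONS, fake_resolve, min_count=0):
        print(f"AS{asn}  {avg:.3f}  {count}")
```

Answers in 127.255.255.0/24 are excluded because Spamhaus uses that range to signal a refused or malformed query; counting them as listings would inflate every score.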

