| Spamhaus may block legitimate email if you use that blocklist! [message #151451] |
Fri, 15 April 2022 00:33  |
DataSmith
Messages: 8
Registered: March 2013
|
|
|
|
Spamhaus, which is one of the blocklists built into Kerio Connect has a new policy that might affect your mail server - and block legitimate email - since Kerio may interpret the new response as a spam code.
Specifically "Spamhaus has introduced the following error codes; 127.255.255.254, and 127.255.255.255" and I believe Kerio connect sees this as spam
The problem happens if your mail server makes an "excessive number of queries" of their blocklist, or your mail server uses a public DNS server (e.g. Open DNS or Cloudflare, or google) and....
Spamhaus says"
"We are no longer allowing queries via open resolvers due to massive abuse of our systems, and while it has worked that way for years, it does not any more. "
To use Spamhaus they say there are 2 solutions
1) Sign up to use their free Data Query Service. I did that and have not managed to get it to block spam tests.
2) "your queries must come from a dedicated IP with attributable reverse and forward DNS" My mail servers all meet all of that yet it still the built in Spamhaus block list says that legit emails are spam.
Read more about it here
https://www.spamhaus.com/product/help-for-spamhaus-public-mi rror-users/
Sign up here
https://www.spamhaus.com/free-trial/sign-up-for-a-free-data- query-service-account/
Does anyone have a solution to use the new system at Spamhaus or have success with the built in Spamhaus blocklist recently?
|
|
|
|
| Re: Spamhaus may block legitimate email if you use that blocklist! [message #151569 is a reply to message #151451] |
Thu, 05 May 2022 07:21  |
Alex_moseby
Messages: 5
Registered: May 2022
|
|
|
|
We are seeing this right now - Three different hosts all using a mix of 1.1.1.1 and 8.8.8.8 ZEN is marking all mail instantly +3 spam points - gmail especially. not sure what to do - the smart option is changing the ROUTERS dns to something non commercial but 1.1.1.1 and 1.1.1.3 have nice free anti porn filters etc. The main issue is that they are blocking free DNS lookup service queries with a blanket response, the change of codes isn't the primary cause in our case.
How have you configured the Free Data Query Service on the kerio SMTP blacklist?
|
|
|
|
| Re: Spamhaus may block legitimate email if you use that blocklist! [message #151570 is a reply to message #151451] |
Thu, 05 May 2022 09:06 |
Alex_moseby
Messages: 5
Registered: May 2022
|
|
|
|
Although i have managed to get it to PARTIALLY work by disabling apache Spamassassin configuration on the spam filter page (prior to this EVERYTHING came through ie all mail that should be blocked wasn't)
It will block pbl-dqs-ip sbl-dqs-ip xbl-dqs-ip however fails on the below :
dbl-dqs-ehlo
dbl-dqs-from
zrd-dqs-ehlo
zrd-dqs-from
sbl-dqs-body-ip
dbl-dqs-body-domain
zrd-dqs-body-domain
You need SpamAssassin 3.4.1 (2015) or higher. If you are running a previous release please upgrade. Are we able to alter those files ourselves ? Github hosts the changed files.....
|
|
|
|
|
|
| Re: Spamhaus may block legitimate email if you use that blocklist! [message #151579 is a reply to message #151578] |
Fri, 06 May 2022 10:30 |
Alex_moseby
Messages: 5
Registered: May 2022
|
|
|
|
You need to do BOTH things is that right ?
For me at present I have simply turned off zen. RBL as it is doing more damage than good with reputable email !
I did try option 2 and like the OP it didn't block everything this was WITH using 1.1.1.1 (presumign this is why it didnt block everything ? OP thinks the new response codes maybe at play with kerios built in RBL) -
Our ISPs DNS is absolutely crap so we cannot use that and not having WIN DNS setting up my own BIND dns authorative server feels like I'm going back to 2000 !
|
|
|
|
| Re: Spamhaus may block legitimate email if you use that blocklist! [message #151597 is a reply to message #151451] |
Tue, 10 May 2022 17:02 |
freakinvibe
Messages: 588
Registered: April 2004
|
|
|
|
No, you only need to do one of the options.
Option 1 = Use your own recursive DNS server ==> You do not need a DQS account
Option 2 = Use DQS ==> You do not need your own DNS server, but you can point to public DNS servers (like Google 8 . 8 . 8 . 8 )
Both free options will only work if you have a low volume of email. If you have thousands of emails per day, Spamhaus will start to throttle. So this is for small businesses or private mail servers.
Dexion Services AG - IT Support Services in Basel, Switzerland
https://dexionag.ch
|
|
|
|
Members
Search
Help
Register
Login
Home
. The DNS server must allow recursive queries and should only be reachable by your internal network. As the DNS service is included in Windows 2019, it was just a matter of switching it on and configure it correctly. This works.
