bl.spamcop.net | Service unavailable

Gabor Szel

Active Member
Nov 8, 2018
7
0
41
44
Dear Support!!!

We have 3 member PMG cluster (all member have PMG Subscription)
The cluster receives 10,000+ letters a day.

Today the letter reception stopped:
Code:
an 31 14:30:55 mx1 postfix/postscreen[23551]: NOQUEUE: reject: RCPT from [40.107.13.100]:47705: 550 5.7.1 Service unavailable; client [40.107.13.100] blocked using bl.spamcop.net; from=<xxxx@xxxx.com>, to=<xxxx@xxxxx.hu>, proto=ESMTP, helo=<EUR01-HE1-obe.outbound.protection.outlook.com>

PMG cluster drop all email because bl.spamcop.net unavailable!
We removed from /etc/pmg/pmg.conf, and works again!
This is a very big problem!

Is there a solution, if it is not available, do not use it?
 
the problem seems to be, that spamcop.net used to be a very reliable service and has vanished without warning or announcment into thin air this sunday morning.

See the Reddit and WikiPedia articles.

The way this was done looks actively hostile (and it took me ages to debug, with many nameservers still having cache entries for the spamcop.net nameservers)

While proxmox couldn't have done anything about it, i guess it's really important to warn your users and ship a new default config ASAP.

(iff spamcop.net is in the default config, which i haven't checked; I have modded my RBL list)
 
  • Like
Reactions: guletz
the problem seems to be, that spamcop.net used to be a very reliable service and has vanished without warning or announcment into thin air this sunday morning.

See the Reddit and WikiPedia articles.

The way this was done looks actively hostile (and it took me ages to debug, with many nameservers still having cache entries for the spamcop.net nameservers)

While proxmox couldn't have done anything about it, i guess it's really important to warn your users and ship a new default config ASAP.

(iff spamcop.net is in the default config, which i haven't checked; I have modded my RBL list)
Yes, I saw:
This Domain Name Has Expired

I think, DNS based SPAM check is obsolete.
API based SPAM check would be better, but it does not exist, and use more-more resources.
 
Thanks for bringing this to our (the whole community's) attention!

AFAICT PMG does not ship any pre-configured DNSBL's in its mailproxy configuration (and the getting started page in our wiki [0], did and does not list spamcop).

Since the DNSBL setting is probably one of the most customized one's (and is always done by the local admin) - there's nothing we really can do about removing spamcop.

This leaves the SpamAssassin rules - from a quick grep in the spamassassin rules:
Code:
RCVD_IN_BL_SPAMCOP_NET
seems the single rule which yields a score for a listing in bl.spamcop.net (default score currently 1.246 in PMG's SA configuration).

You can disable spamcop there as well by simply creating a custom rule-score of 0 for the rule - see [1].

According to the later posts in the reddit thread and to a quick check in a global DNS lookup tool it seems that the service is up again (but this still needs a while to propagate through the various DNS caching layers) - so unless you're currently experiencing many false positives it might be acceptable to just wait.

Sadly those things happen every few years - since long transferred services get forgotten, and a domain-fee is not paid in time.

I hope this helps!

[0] https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway
[1] https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_spamdetector (section 4.7.3)
 
I was using spamcop as rbl and i have blocked more then 1000 email because of spamcop domain is expired.

They have renewed their domain but we lost many email.

During this time dns server was answering queries as global ip instead of local ip.

Normally rbl servers returns local ip.

I think PMG could check for the dns replies maybe. If the answer is not local ip would not block the mails. It is just an idea.



Here is the log of PMG during problem
Feb 1 10:28:44 pmx postfix/dnsblog[22412]: addr 212.252.27.55 listed by domain bl.spamcop.net as 91.195.240.87
Feb 1 10:28:49 pmx postfix/dnsblog[22334]: addr 195.190.20.247 listed by domain bl.spamcop.net as 91.195.240.87
Feb 1 10:28:51 pmx postfix/dnsblog[22410]: addr 209.85.219.180 listed by domain bl.spamcop.net as 91.195.240.87
Feb 1 10:29:04 pmx postfix/dnsblog[22412]: addr 185.60.224.85 listed by domain bl.spamcop.net as 91.195.240.87
Feb 1 10:29:17 pmx postfix/dnsblog[23127]: addr 213.142.129.165 listed by domain bl.spamcop.net as 91.195.240.87

After spamcop solve problem
Feb 1 20:50:16 pmx postfix/dnsblog[8427]: addr 73.2.193.197 listed by domain bl.spamcop.net as 127.0.0.2
Feb 1 20:50:55 pmx postfix/dnsblog[8427]: addr 77.43.86.106 listed by domain bl.spamcop.net as 127.0.0.2
Feb 1 20:54:31 pmx postfix/dnsblog[8428]: addr 155.94.185.117 listed by domain bl.spamcop.net as 127.0.0.2
Feb 1 20:58:44 pmx postfix/dnsblog[8424]: addr 88.57.55.218 listed by domain bl.spamcop.net as 127.0.0.2
Feb 1 21:02:04 pmx postfix/dnsblog[8424]: addr 151.8.105.244 listed by domain bl.spamcop.net as 127.0.0.2
 
Last edited:
think PMG could check for the dns replies maybe. If the answer is not local ip would not block the mails. It is just an idea.
PMG uses postfix' postscreen for the DNSBL at this stage [0].
In general you cannot say that only 127/8 replies are valid ones from DNSBL's (AFAICT) - it's just quite a common pattern.

You should already be able to 'filter' the replies from your configured DNSBL sites (AFAIR also in the GUI) by setting an appropriate filter - see [1]


I hope this helps!

[0] http://www.postfix.org/POSTSCREEN_README.html
[1] http://www.postfix.org/postconf.5.html#postscreen_dnsbl_sites
 
I think PMG could check for the dns replies maybe. If the answer is not local ip would not block the mails. It is just an idea.

I don't think that's a good idea. Don't forget this issue is an exception. If Proxmox were to implement their own workarounds for each issue that could possibly pop up, we'd end up with an extremely complex, unmanageable piece of software. That would cause more problems than if we were to accept that bugs exist...
 
  • Like
Reactions: Stoiko Ivanov
PMG uses postfix' postscreen for the DNSBL at this stage [0].
In general you cannot say that only 127/8 replies are valid ones from DNSBL's (AFAICT) - it's just quite a common pattern.

You should already be able to 'filter' the replies from your configured DNSBL sites (AFAIR also in the GUI) by setting an appropriate filter - see [1]


I hope this helps!

[0] http://www.postfix.org/POSTSCREEN_README.html
[1] http://www.postfix.org/postconf.5.html#postscreen_dnsbl_sites

I am now clear.

I would configure my dnsbl configuration as follows.

bl.spamcop.net=127.0.0.[2..15],zen.spamhaus.org

Is that right ?
 
I would configure my dnsbl configuration as follows.

bl.spamcop.net=127.0.0.[2..15],zen.spamhaus.org

Is that right ?
syntactically it looks correct from a quick comparison to the docs - and postscreen does start happily with that setting.
I have not tried this on a live-system - so I'd suggest that you try it.
In any case I would suggest that you keep an eye on the mail-logs after you made the change - to see if it works as expected.

One question - why did you configure all responstes from 127.0.0.2-127.0.0.15?
The one thing I could find from spamcop says that they will always respond with 127.0.0.2 in case of a listed ip:
https://www.spamcop.net/fom-serve/cache/291.html

I hope this helps!
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!