[SOLVED] RBL configured but not working

Jul 12, 2017
Hi,

I receive a massive amount of spam every day. I am searching for the root cause and checked one of the messages. The IP of the sending server does appear on the Barracuda Blacklist, if I manually check this, nevertheless it gets delivered to me.

It seems that there is no RBL check at all:
Code:
Jul 1 06:35:58 mx postfix/smtpd[14240]: connect from nuttire.ru.com[163.123.141.182]
Jul 1 06:35:59 mx postfix/smtpd[14240]: NOQUEUE: client=nuttire.ru.com[163.123.141.182]
Jul 1 06:37:07 mx pmg-smtp-filter[12466]: 1200C562BE79F38E274: new mail message-id=<YIo2xxTJiOvkWxL9hwmT8sJJJlQZEKAdsjGrB-EP7-0.egTmr4LuNaZyP0WtFUkpitJrj2uCJwQkKewUZHkJLS0@nuttire.ru.com>#012
Jul 1 06:37:09 mx pmg-smtp-filter[12466]: 1200C562BE79F38E274: SA score=0/5 time=2.017 bayes=undefined autolearn=disabled hits=HTML_MESSAGE(0.001),HTML_MIME_NO_HTML_TAG(0.635),KAM_DMARC_STATUS(0.01),MIME_HTML_ONLY(0.1),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01)
Jul 1 06:37:09 mx postfix/smtpd[14276]: connect from localhost.localdomain[127.0.0.1]
Jul 1 06:37:09 mx postfix/smtpd[14276]: 9C5EC120192: client=localhost.localdomain[127.0.0.1], orig_client=nuttire.ru.com[163.123.141.182]
Jul 1 06:37:09 mx postfix/cleanup[14277]: 9C5EC120192: message-id=<YIo2xxTJiOvkWxL9hwmT8sJJJlQZEKAdsjGrB-EP7-0.egTmr4LuNaZyP0WtFUkpitJrj2uCJwQkKewUZHkJLS0@nuttire.ru.com>
Jul 1 06:37:09 mx postfix/qmgr[836]: 9C5EC120192: from=<lobby@nuttire.ru.com>, size=6976, nrcpt=1 (queue active)
Jul 1 06:37:09 mx pmg-smtp-filter[12466]: 1200C562BE79F38E274: accept mail to <xxx@yyy.de> (9C5EC120192) (rule: default-accept)
Jul 1 06:37:09 mx postfix/smtpd[14276]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jul 1 06:37:09 mx pmg-smtp-filter[12466]: 1200C562BE79F38E274: processing time: 2.061 seconds (2.017, 0.021, 0)
Jul 1 06:37:09 mx postfix/smtpd[14240]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (1200C562BE79F38E274); from=<lobby@nuttire.ru.com> to=<xxx@yyy.de> proto=ESMTP helo=<nuttire.ru.com>
Jul 1 06:37:09 mx postfix/smtp[14278]: Trusted TLS connection established to 192.168.X.X[192.168.X.X]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)
Jul 1 06:37:09 mx postfix/smtp[14278]: 9C5EC120192: to=<xxx@yyy.de>, relay=192.168.X.X[192.168.X.X]:25, delay=0.05, delays=0.01/0.01/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A72191809BE)
Jul 1 06:37:09 mx postfix/qmgr[836]: 9C5EC120192: removed
Jul 1 06:37:22 mx postfix/smtpd[14240]: disconnect from nuttire.ru.com[163.123.141.182] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

Should the RBL check produce any log output?

This is my DNSBL Sites config:
Code:
zen.spamhaus.org*2,bl.spamcop.net*2,psbl.surriel.com*2,spamrbl.imp.ch*2,noptr.spamrats.com*2,escalations.dnsbl.sorbs.net*2,bl.score.senderscore.com*2,bl.spameatingmonkey.net*2,rbl.realtimeblacklist.com*2,dnsbl.dronebl.org*2,ix.dnsbl.manitu.net,b.barracudacentral.org,truncate.gbudb.net,bl.blocklist.de

DNSBL Threshold is set to 2.

PMG 7.1-3.

Thank you!

Greetings
Sebastian
 
2 Things to check:
* make sure these mails get received on the external port of PMG (in the default config this is port 25)
* please check the journal / /var/log/mail.log for all messages around that time
** the tracking center does not gather all information - but usually only the relevant one - so in this case this means the postscreen messages that indicate if/how the IP was assessed are missing

I hope this helps!
 
Ok I found the entry and indeed there is more information, thanks for the hint:
Code:
Jul  1 06:36:02 mx postfix/postscreen[14226]: warning: dnsblog reply timeout 10s for escalations.dnsbl.sorbs.net
Jul  1 06:36:02 mx postfix/dnsblog[14235]: warning: dnsblog_query: lookup error for DNS query 182.141.123.163.escalations.dnsbl.sorbs.net: Host or domain name not found. Name service error for name=182.141.123.163.escalations.dnsbl.sorbs.net type=A: Host not found, try again

Does that mean my setting for the SORBS DNSBL is incorrect?

How does the mechanism work in general? Does the system query ALL dnsbl entries every time or is this some kind of round robin and only one of the entries is used per request?
 
Does that mean my setting for the SORBS DNSBL is incorrect?
The entry looks correct when I look at:
http://www.sorbs.net/general/using.shtml

* It might be an issue with your DNS setup - does DNS resolution work in general - does it work fast?
* It might also be an issue at sorbs - but that should be temporary

Else as a general suggestion:
* your dnsbl_sites is quite large - are you sure each and every single one of the lists is helping you in a sensible way to combat spam?
* if not I would suggest to start with fewer dnsbl_sites (and skip the weights)

In general - check out the Getting started page in the PMG wiki:
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway
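How the pieces discussed in this thread fit together, as an added example in Python (not PMG's or Postfix's own code): it parses the DNSBL Sites string, builds the reversed-octet query name that postscreen's dnsblog asks for, and sums the per-zone weights against the threshold. `fake_resolver` is a constructed stand-in that replays the two situations logged in this thread (a zone that times out, a zone that answers with two return codes) so it runs offline; `system_resolver` uses the host's DNS for a live check.

```python
import socket
from typing import Callable, List, Tuple

# Constructed dnsbl_sites string in PMG's "zone*weight,zone" syntax (three of the thread's zones).
SITES = "zen.spamhaus.org*2,escalations.dnsbl.sorbs.net*2,b.barracudacentral.org"

def parse_dnsbl_sites(sites: str) -> List[Tuple[str, int]]:
    """Split the sites string into (zone, weight); a zone without '*n' weighs 1."""
    out = []
    for item in filter(None, (s.strip() for s in sites.split(","))):
        zone, _, weight = item.partition("*")
        out.append((zone, int(weight) if weight else 1))
    return out

def dnsbl_query_name(ip: str, zone: str) -> str:
    """IPv4 octets reversed, then the zone: 163.123.141.182 -> 182.141.123.163.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def system_resolver(name: str) -> List[str]:
    """A-record lookup via the host's resolver: NXDOMAIN -> [], temporary failure -> OSError."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []          # not listed
        raise                  # EAI_AGAIN etc.: the "Host not found, try again" case

def fake_resolver(name: str) -> List[str]:
    """Constructed stand-in reproducing the thread's two log situations (runs offline)."""
    if name == "52.90.167.103.zen.spamhaus.org":
        return ["127.0.0.11", "127.0.0.4"]       # one zone, two return codes
    if name.endswith(".escalations.dnsbl.sorbs.net"):
        raise OSError("dnsblog reply timeout")   # forwarder never answered
    return []

def dnsbl_rank(ip: str, sites: str = SITES, threshold: int = 2,
               resolve: Callable[[str], List[str]] = system_resolver) -> dict:
    """Score like postscreen: a zone that answers adds its weight once, however many
    return codes it gives; a lookup error adds nothing, so a broken DNS path reads as 'not listed'."""
    rank, listed, errors = 0, {}, {}
    for zone, weight in parse_dnsbl_sites(sites):
        try:
            answers = resolve(dnsbl_query_name(ip, zone))
        except OSError as exc:
            errors[zone], answers = str(exc), []   # no score added for this zone
        if answers:
            listed[zone], rank = answers, rank + weight
    return {"rank": rank, "reject": rank >= threshold, "listed": listed, "errors": errors}

if __name__ == "__main__":
    print(dnsbl_rank("103.167.90.52", resolve=fake_resolver))   # rank 2 -> reject
```

A non-empty `errors` dict on a live run is the signal to look at the forwarder rather than at the list configuration, which is exactly what the SORBS timeout above was hiding.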
 
* It might be an issue with your DNS-setup - does dns resolution work in general - does it work fast?
This seems to be the issue. I use the pfSense as my forwarder. "Normal" requests are passing without problems, but the specific dnsbl queries are not. I configured external DNS servers now.

It is working now!
Code:
Jul  1 11:41:42 mx postfix/dnsblog[1366]: addr 103.167.90.52 listed by domain zen.spamhaus.org as 127.0.0.11
Jul  1 11:41:42 mx postfix/dnsblog[1366]: addr 103.167.90.52 listed by domain zen.spamhaus.org as 127.0.0.4
Jul  1 11:41:42 mx postfix/postscreen[1360]: PREGREET 11 after 0.18 from [103.167.90.52]:58952: EHLO User\r\n
Jul  1 11:41:43 mx postfix/postscreen[1360]: DNSBL rank 2 for [103.167.90.52]:58952
Jul  1 11:41:43 mx postfix/postscreen[1360]: DISCONNECT [103.167.90.52]:58952

* your dnsbl_sites is quite large - are you sure each and every single one of the lists is helping you in a sensible way to combat spam?
The configuration is quite old but I remember that I copied this list from some kind of tutorial that a user posted in this forum. I now reduced it to Spamhaus and Barracuda.

Thank you for the quick replies and help! :)
 