False positive from Spamhaus / abuseat in the last few weeks (2022-May) ?

lonea

Anyone experiencing false positives from Spamhaus and the abuseat RBL?

Getting a lot of false positives from regular emails that are definitely not spam, and the origin IP is clean. They include Gmail and Outlook IPs.

Email blocked by cbl.abuseat.org
Email blocked by zen.spamhaus.org

The server is using the default RBL set.

RBL_DNS_LIST=\
cbl.abuseat.org : \
b.barracudacentral.org : \
zen.spamhaus.org

Anyone else?
 
I had them from zen.spamhaus.org so I removed that one. They were looking too deep and finding dynamic home IPs, which of course are used, and giving false positives on them instead of looking at the connecting MTA.

As far as I know I don't have false positives with abuseat.
 
I had them from zen.spamhaus.org so I removed that one. They were looking too deep and finding dynamic home IPs, which of course are used, and giving false positives on them instead of looking at the connecting MTA.

As far as I know I don't have false positives with abuseat.

Thanks, what's interesting is that when you go do an abuseat lookup, it goes to the Spamhaus page.

 
maybe related to this

 
Thanks, what's interesting is that when you go do an abuseat lookup, it goes to the Spamhaus page.
Yes it might be that it doesn't work anymore, not sure. I still have cbl.abuseat.org in my exim.conf.

You can check the link @bdacus01 posted, I had a reply there too as post 2:
The CBL service will continue operation under the "cbl.abuseat.org" query name for some time, after which "abuseat.org" will be retired. No date has been identified for this to occur, but rest assured, when we do it, at worst it will simply stop returning a positive list indication.
So either it's not retired yet, since no date was known yet, or it is retired and I don't know it yet.
But I certainly won't use Spamhaus due to these false positives I described.
 
Every day I see at least 1 or 2 outbound emails rejected, claiming our IP is listed at Spamhaus. Only, it isn't. The reason is explained here: https://www.spamhaus.org/returnc/pub/

To put it simply, Spamhaus has cracked down on their policy and they are sometimes blocking queries from certain servers. Due to the configuration on those servers, they sometimes interpret the rejection as a blacklisting rather than a rejected query. If you are unable to comply with their policy against using public/open resolvers, it would be best for you to remove them from your RBL list.
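
Added example, not part of the post above or of DirectAdmin/Exim: a small Python checker that separates a real DNSBL listing from a Spamhaus "query refused" return code, which is the misreading the post describes. The function names are hypothetical, the 127.0.0.0/24 listing range is an assumption about zen.spamhaus.org, and the two error codes other than the public-resolver one come from Spamhaus's published return codes rather than from this thread.

```python
import ipaddress
import socket

# Spamhaus error return codes (https://www.spamhaus.org/returnc/pub/ covers the
# public-resolver one). These signal a refused query, not a listed IP.
ERROR_CODES = {
    "127.255.255.252": "typo in the DNSBL zone name",
    "127.255.255.254": "query arrived via a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}
LISTING_NET = ipaddress.ip_network("127.0.0.0/24")  # assumed range for real listings


def query_name(ip, zone):
    """Reverse the address labels and append the DNSBL zone."""
    reversed_labels = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_labels}.{zone}"


def classify(answers):
    """Map the A records of a DNSBL reply to (verdict, detail)."""
    if not answers:
        return ("not_listed", "NXDOMAIN / no A record")
    for a in answers:
        if a in ERROR_CODES:
            return ("query_refused", ERROR_CODES[a])
    if all(ipaddress.ip_address(a) in LISTING_NET for a in answers):
        return ("listed", ",".join(sorted(answers)))
    return ("unknown", "unexpected return code; do not reject on it")


def check(ip, zone="zen.spamhaus.org"):
    """Live lookup through the system resolver (the one in /etc/resolv.conf)."""
    try:
        answers = socket.gethostbyname_ex(query_name(ip, zone))[2]
    except socket.gaierror:
        answers = []  # NXDOMAIN or resolver failure: treat as not listed
    return classify(answers)


if __name__ == "__main__":
    # Constructed replies, not captured traffic.
    for reply in (["127.0.0.4"], ["127.255.255.254"], []):
        print(reply, "->", classify(reply))
```

A `query_refused` verdict from `check()` on an address you know is clean points at the resolver the server is using, not at the sender.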
 
So seems like abuseat/spamhaus is still messing up.

I just personally tried sending a "test email" from a Gmail account and abuseat blocked it.

I have disabled both spamhaus and abuseat on production server now.

This is out of control.
 
This is out of control.

It is indeed a fact that servers are all too often provisioned with public DNS resolvers, and that including in DA installations RBLs which have a policy against their use through public DNS resolvers by default, may no longer be sane. Public resolvers are otherwise fine and commonly recommended for their ability to handle production workloads. This needs more internal discussion on the best way to handle this by default @smtalk.

While the policy for spamhaus is not new, the enforcement is, and thus the discussion on their inclusion must be new as well. I'm not saying it's an objective "It must be removed as default." Not all servers are configured with 8.8.8.8 lazily blasted to /etc/resolv.conf, but it's far from none. I'm not sure it's the majority but I'd be doubtful it's less than half.
 
just personally tried sending a "test email" from a Gmail account and abuseat blocked it.
I totally don't have any issues with Gmail being sent to any of our servers. And we're still using cbl.abuseat.org in our list. We don't use any Spamhaus due to reasons mentioned before.

So it might indeed be caused by public resolvers, I don't know, we don't have any issues. We do use our own nameservers as stated.
 