RBL lists do not block mail?

Richard G

It looks like the anti-spam system is not doing its work properly.
On my private account on my server, I received several emails whose source was already on the Spamhaus blacklist.

I do have DNSRBLs enabled, including Spamhaus, and also Spamblocker, ESF and blockcracking are working, and also SpamAssassin.
For my private account I've also set up SpamAssassin, and in the anti-spam settings I defined that everything higher than level 7.5 should be automatically deleted.

Shouldn't senders listed in Spamhaus automatically be blocked or removed, so that mail will not arrive in the mailbox?
 
Is the domain of your private account listed in the /etc/virtual/use_rbl_domains ? That is the trigger to include that in the RBL checks.
 
Yes, that file is linked to domains (by default I thought) and all domains are in there, I double-checked.
Also in Administrator settings the "Use RBL Blocking" is set to yes.
 
No, that file is not linked to domains by default. The install.sh script just does a touch on that file and changes the permissions. If it is linked, that was done after the install. The only other reason I can think of that an RBL would be bypassed is if the domain was listed in skip_rbl_domains. You could always increase logging, and see what is going on.
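The two files named in this reply are what the thread keeps coming back to, so here is a small check script for them. It is an added example, not DirectAdmin's own code: it reports whether a domain appears in use_rbl_domains (following the symlink if there is one) and whether it is excluded by skip_rbl_domains. Giving skip_rbl_domains precedence over use_rbl_domains is an assumption made here; the file names and default directory /etc/virtual come from the thread.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of DirectAdmin).
# Usage: rbl_domain_status <domain> [<virtual dir, default /etc/virtual>]
# Exit status: 0 = domain gets RBL checks, 1 = not in use_rbl_domains,
#              2 = explicitly skipped via skip_rbl_domains (assumed precedence).
rbl_domain_status() {
    domain=$1
    vdir=${2:-/etc/virtual}
    use="$vdir/use_rbl_domains"
    skip="$vdir/skip_rbl_domains"

    # Tell the reader whether the file is the symlink the thread argues about.
    if [ -L "$use" ]; then
        echo "note: $use is a symlink to $(readlink "$use"), so every domain in that file is RBL-checked"
    fi

    # grep -x: whole-line match, -F: literal, so "a.example.com" never matches "example.com".
    if [ -f "$skip" ] && grep -qxF "$domain" "$skip"; then
        echo "SKIPPED: $domain is listed in $skip"
        return 2
    fi
    if [ -f "$use" ] && grep -qxF "$domain" "$use"; then
        echo "CHECKED: $domain is in $use"
        return 0
    fi
    echo "NOT CHECKED: $domain is not in $use"
    return 1
}

# Stand-alone run: rbl_domain_status "$1" "$2"
[ -n "$1" ] && rbl_domain_status "$1" "$2"
```

Run it as `sh rbl_check.sh example.com` on the server; a domain that prints NOT CHECKED or SKIPPED will never reach Exim's dnslists condition, whatever the admin-level "Use RBL Blocking" setting says.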
 
No, that file is not linked to domains by default. The install.sh script just does a touch on that file and changes the permissions.
Nope, it's not touched but linked by default these days, so I remembered correctly. :)
I just installed a new server and did not touch anything yet in DirectAdmin, only updated the OS and installed DirectAdmin, and this is the result:
Code:
lrwxrwxrwx   1 mail      mail      7 2016-09-19 17:13 use_rbl_domains -> domains

How exactly can I increase logging for something like this, in case it happens again?
 
I just got another spam email which got through, and the sending IP is on the Spamhaus blacklist:
Code:
2016-09-19 18:51:23 1bm1mr-0006m6-Ec <= [email protected] H=(fnwrz3j35.generteszpoweralert.website) [185.163.46.208] P=esmtp S=17526 id=18034730676591801816147186@fnwrz3j35.generteszpoweralert.website T="Use this Device to lower all your power costs" from <[email protected]> for [email protected]
2016-09-19 18:51:23 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1bm1mr-0006m6-Ec
2016-09-19 18:51:24 1bm1mr-0006m6-Ec => foobar <[email protected]> F=<[email protected]> R=virtual_user T=dovecot_lmtp_udp S=18061 C="250 2.0.0 <[email protected]> 2REhO4sX4FeYZQAADNWw8g Saved"
2016-09-19 18:51:24 1bm1mr-0006m6-Ec Completed
This is from /var/log/exim/mainlog and I don't see any SpamAssassin or RBL check here. :(
 
Thank you, but SPF and DKIM have to do with SpamAssassin while RBLs are checked by Exim, so those are 2 different things.
Can't see any DNS problems either.

That's also why I wouldn't know where to look next, because there's nothing with the above content or IPs in rejectlog, the paniclogs are empty, so only the mainlog is left over, from which I took the above section.
Also /var/log/maillog and /var/log/messages have no entries about the above at that time. The only thing I see is my email program picking up the mail.

The only thing I can imagine is that zen.spamhaus.org (used by Exim) is not checking sbl.spamhaus.org for some reason (which should not be the case) or does not mark IPs mentioned in SBL as blacklisted.

So it looks to me like some Exim issue or Spamhaus issue.
 
Ah wait, I overlooked something. I did find SpamAssassin working.
But it might be a sieve permission error again.

SpamAssassin gave result 6 and I've got auto deletion set to 7.5, so that's why SpamAssassin did not delete it.
However Exim should react to it.

lmtp([email protected]): Error: 2REhO4sX4FeYZQAADNWw8g: sieve: binary save: failed to create temporary file: open(/var/lib/dovecot/sieve/default.svbin.server18.hostingserver.nl.26008.) failed: Permission denied (euid=522(accountname) egid=12(mail) missing +w perm: /var/lib/dovecot/sieve, dir owned by 0:0 mode=0755)

This might have something to do with it, not sure. I did have this before. And after some update you have to run some command to get this sieve thing fixed again.
I'm fed up with that now and going to look how I can disable this sieve crap.
 
The issue is still occurring.
Exim is -not- blocking mail/IP addresses which are blocked by SBL.spamhaus.org, which should be the case, because Exim is using zen.spamhaus.org which includes SBL.

Could this be a bug in Exim? Because my Mailwasher Pro is detecting it and flagging it for deletion.

From the header also, this is fun:
X-Spam-Score: 2.3 (++)
X-Spam-Report: Spam detection software, running on the system "hostname.myserver.nl",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.

I don't get it, what's going wrong?
 
Am I the only one with this issue? It's still happening. I thought RBLs should instantly block the mails.
 
Works fine here, I've looked into my logs to check.

Code:
2016-10-06 14:46:38 ReverseDNS: No reverse DNS for mailserver at 197.2.129.8, +100 Spam score
2016-10-06 14:46:40 H=([197.2.129.8]) [197.2.129.8] F=<[email protected]> rejected RCPT <[email protected]>: Email blocked by cbl.abuseat.org
2016-10-06 14:46:40 H=([197.2.129.8]) [197.2.129.8] incomplete transaction (QUIT) from <[email protected]>
In this example there are 3 lines for this mail, which gets discarded by the RBL. But before that there is a line stating the rDNS does not match/exist. So it does check other things before the RBL, I suppose. So in the logs you don't see everything that's going on, I suppose; maybe you could enable more logging with the 'log_selector' config setting.

Other than that I don't know, maybe you could ask DA directly through ticket.
 
Thank you Arieh, but your log is from abuseat. I'm only experiencing this with emails whose sender is only listed in sbl.spamhaus.org; other RBLs are working fine.
I did send an email to DirectAdmin, but stated it was not a priority, maybe that's why they are taking some more time.
I don't mind though, as long as I get an answer. :)
 
I see, I hadn't read into those details. You mention zen.spamhaus.org and SBL. Do you have any rejects from zen.spamhaus.org at all?

Code:
2016-10-06 09:11:05 H=(precursiveh.info-35.top) [14.186.211.125] F=<[email protected]> rejected RCPT <[email protected]>: Email blocked by zen.spamhaus.org

2016-10-06 15:29:13 H=ptrl.rozik174.de1mano.ml [209.198.14.174] F=<[email protected]> rejected RCPT <[email protected]>: Email blocked by zen.spamhaus.org
 
From October 3rd until now I've got 1 block by zen.spamhaus.org, on the email address of a customer, not mine.

However, on a regular basis, I get spam on my private email. I scan my mail with Mailwasher Home, which detects that the IP is present in sbl.spamhaus.org, and when I take the IP of the spammer and check it, it's indeed in the sbl.spamhaus.org blacklist.

So this might be 0-day spam, but if it's listed in sbl.spamhaus.org it should be blocked by zen.spamhaus.org, and that does not happen. That's what's confusing me.
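The thread ends without the two checks that would settle it: which sub-list of ZEN (if any) answers for the peer IP of each accepted message in the mainlog, and whether ZEN is answering with one of its error codes rather than a listing. Below is an added example that does both; it is not code from the thread, DirectAdmin or Exim. It parses Exim "<=" (message accepted) and "rejected RCPT ... Email blocked by" lines, builds the reversed-octet query name Exim's dnslists condition uses, and decodes the A-record answers with the return codes Spamhaus publishes for ZEN (127.0.0.2 and .3 are SBL, .4 to .7 XBL, .10 and .11 PBL; 127.255.255.x means the query was refused, typically because it went through a public or open resolver, and the IP is then not "listed" at all). The log lines, message ids, addresses and IPs in the sample are constructed (documentation ranges), not taken from the posts; the live lookup is only used when you call it yourself.

```python
import re
import socket
from ipaddress import ip_address

# Spamhaus ZEN answer codes (published by Spamhaus). ZEN aggregates SBL, XBL
# and PBL, so an IP listed in sbl.spamhaus.org must answer 127.0.0.2 or .3 here.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

def zen_query_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: reversed IPv4 octets under the zone."""
    addr = ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def decode_zen_answer(answers):
    """Translate A-record answers into (sub-lists hit, error codes seen).

    127.255.255.x answers are Spamhaus error codes (public/open resolver or
    query limit). They mean "no usable answer", not a listing, which is why
    they are returned separately instead of being counted as a block."""
    lists, errors = set(), []
    for a in answers:
        if a.startswith("127.255.255."):
            errors.append(a)
        else:
            lists.add(ZEN_CODES.get(a, "unknown:" + a))
    return sorted(lists), errors

def zen_lookup(ip, zone="zen.spamhaus.org"):
    """Live lookup via the system resolver. NXDOMAIN means 'not listed'."""
    try:
        _, _, addrs = socket.gethostbyname_ex(zen_query_name(ip, zone))
    except socket.gaierror:
        return [], []
    return decode_zen_answer(addrs)

# Exim mainlog '<=' line. The H= field is "[ip]", "(helo) [ip]" or "rdns (helo) [ip]".
RECEIVED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) <= (?P<sender>\S+) "
    r"H=(?:(?P<rdns>[^\s(\[]+) )?(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[0-9.]+)\]"
)
# Exim's RCPT-time DNSBL rejection, as shown in the other poster's log.
REJECT_RE = re.compile(r"rejected RCPT .*: Email blocked by (?P<list>\S+)")

def parse_received(lines):
    """Yield one dict (ts, id, sender, rdns, helo, ip) per accepted message."""
    for line in lines:
        m = RECEIVED_RE.match(line)
        if m:
            yield m.groupdict()

def reject_counts(lines):
    """Count RCPT-time DNSBL rejections per list name."""
    counts = {}
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            counts[m.group("list")] = counts.get(m.group("list"), 0) + 1
    return counts

def accepted_but_listed(lines, lookup=zen_lookup):
    """Return (message id, ip, lists) for accepted messages whose peer IP is
    on ZEN, i.e. mail that the dnslists check should have rejected."""
    hits = []
    for msg in parse_received(lines):
        lists, _errors = lookup(msg["ip"])
        if lists:
            hits.append((msg["id"], msg["ip"], lists))
    return hits

# Constructed sample log (documentation IPs, example.* addresses), not real data.
SAMPLE_MAINLOG = [
    "2016-09-19 18:51:23 1aaaaa-000001-Aa <= spammer@example.net H=(mx.example.net) [192.0.2.10] P=esmtp S=17526 for user@example.com",
    "2016-09-19 18:51:24 1aaaaa-000001-Aa => user <user@example.com> F=<spammer@example.net> R=virtual_user T=dovecot_lmtp_udp S=18061",
    "2016-09-19 18:51:24 1aaaaa-000001-Aa Completed",
    "2016-10-06 15:29:13 1bbbbb-000002-Bb <= news@example.org H=mail.example.org (mail.example.org) [198.51.100.7] P=esmtps S=4211 for user@example.com",
    "2016-10-06 15:30:01 H=(bad.example) [203.0.113.9] F=<x@example.net> rejected RCPT <user@example.com>: Email blocked by zen.spamhaus.org",
]

def demo():
    """Offline run: a stand-in for zen_lookup that lists only 192.0.2.10 on SBL."""
    fake = lambda ip: (["SBL"], []) if ip == "192.0.2.10" else ([], [])
    return accepted_but_listed(SAMPLE_MAINLOG, lookup=fake)

if __name__ == "__main__":
    print("RCPT-time rejections per list:", reject_counts(SAMPLE_MAINLOG))
    for mid, ip, lists in demo():
        print(f"{mid}: accepted from {ip} although listed on {', '.join(lists)}")
```

Against a real mainlog, call `accepted_but_listed(open("/var/log/exim/mainlog"))` from the mail server itself, so the query leaves through the same resolver Exim uses; an empty list for an IP Mailwasher reports as SBL-listed, combined with 127.255.255.x codes in the errors, points at the resolver rather than at Exim or at ZEN's SBL coverage.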
 