SPAMD - scoring messed up by validity-rules

shanti

we actually experience a lot of unscored spam due to failing SA-rules

Code:
Mar 04 13:43:36 host spamd[1348102]: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-trusted.bondedsender.org" to disable queries)
Mar 04 13:43:36 host spamd[1348102]: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-accredit.habeas.com" to disable queries)
Mar 04 13:43:36 host spamd[1348102]: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny bl.score.senderscore.com" to disable queries)

Since the query fails, the forced fallback for the corresponding rules is a score of 0.0, which cannot be overruled (it should, IMHO).

I already applied the recommended settings like
Code:
dns_query_restriction deny sa-accredit.habeas.com
dns_query_restriction deny bl.score.senderscore.com
dns_query_restriction deny sa-trusted.bondedsender.org

but that doesn't change anything.
Reassigning scores doesn't work either.

I would like NOT to touch SA directly to remove these checks .. I'd prefer a custom-config way.

Has anyone experienced something similar?
And how to fix that?

tnx4support
br
-c-
 
Hello,

Where did you put them?

I include them via local.cf

Code:
untaint_path /etc/mail/spamassassin/custom_rules.d
include /etc/mail/spamassassin/custom_rules.d/*.cf

and there

Code:
#cat 10_denyqueries.cf
dns_query_restriction deny sa-accredit.habeas.com
dns_query_restriction deny bl.score.senderscore.com
dns_query_restriction deny sa-trusted.bondedsender.org

tnx for looking
-c-
 
we actually experience a lot of unscored spam due to failing SA-rules

My tests show that even if the queries fail, they do not prevent SpamAssassin from high-scoring incoming spam. Tested with:

Bash:
zgrep -E "RCVD_IN_VALIDITY_SAFE_BLOCKED|RCVD_IN_VALIDITY_RPBL_BLOCKED|RCVD_IN_VALIDITY_CERTIFIED_BLOCKED" /var/log/maillog* | grep "spamd: result: Y"

against logs from the last 30 days, i.e. /var/log/maillog-20250204 until now. E.g.:

spamd[4882]: spamd: result: Y 36 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FORGED_REPLYTO,FREEMAIL_REPLYTO,HTML_MESSAGE,KAM_MESSAGE_HASHBL_FREEMAIL,PCCC_HASHBL_EMAIL,PCCC_HASHBL_HDR_EMAIL,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_HOSTKARMA_BL,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L5,RCVD_IN_PBL,RCVD_IN_SBL,RCVD_IN_SBL_CSS,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,URIBL_CSS_A,URIBL_DBL_SPAM,URIBL_SBL_A scantime=2.3,size=36397...


I don't have information on why the way you used to disable the tests did not work for you. The only thing you might gain here by disabling the tests is saving resources used for DNS querying; it won't affect other parts.

As for the refused DNS queries, you might check this: https://uribl.com/refused.shtml

i include them via local.cf

I added the lines from your initial post in the file /etc/mail/spamassassin/local.cf and restarted SpamAssassin. And I can see the DNS queries are no longer running on my end.
 
As a workaround, just add this to "local.cf", because using a public DNS resolver will cause the problem.
Code:
dns_server 127.0.0.1
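
Added example, not posted by anyone in this thread: a small Python log check that combines the two things discussed above. It extracts the blocked DNSBL zones from the `dns_block_rule` lines and counts how many `spamd: result:` lines carrying a `*_BLOCKED` rule were still marked as spam. The sample lines are constructed, shortened from the log formats quoted in the thread, and the function names are this example's own.

```python
import re
from collections import Counter

# "check: dns_block_rule <RULE> hit, creating <dir>/dnsblock_<zone> (...)"
BLOCK_RE = re.compile(r"dns_block_rule (\S+) hit, creating \S*/dnsblock_(\S+)")
# "spamd: result: <Y or .> <score> - RULE,RULE,... scantime=..."
RESULT_RE = re.compile(r"spamd: result: (\S) (-?\d+) - (\S*)")

def analyse(lines):
    """Return ({blocked zone: rule name}, Counter of verdicts for
    results that list at least one *_BLOCKED rule)."""
    zones, verdicts = {}, Counter()
    for line in lines:
        m = BLOCK_RE.search(line)
        if m:
            zones[m.group(2)] = m.group(1)
            continue
        m = RESULT_RE.search(line)
        if m and any(r.endswith("_BLOCKED") for r in m.group(3).split(",")):
            verdicts["spam" if m.group(1) == "Y" else "ham"] += 1
    return zones, verdicts

def deny_lines(zones):
    """Config lines for a custom .cf file, one per blocked zone."""
    return [f"dns_query_restriction deny {z}" for z in sorted(zones)]

# Constructed sample input, modelled on the log lines in this thread.
SAMPLE = [
    "Mar 04 13:43:36 host spamd[1]: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, "
    "creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (This means ...)",
    "Mar 04 13:43:36 host spamd[1]: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, "
    "creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (This means ...)",
    "Mar 04 13:43:36 host spamd[1]: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, "
    "creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means ...)",
    "Mar 04 13:44:01 host spamd[2]: spamd: result: Y 36 - HTML_MESSAGE,RCVD_IN_PBL,"
    "RCVD_IN_VALIDITY_RPBL_BLOCKED,URIBL_DBL_SPAM scantime=2.3,size=36397",
    "Mar 04 13:44:09 host spamd[2]: spamd: result: . 2 - HTML_MESSAGE,"
    "RCVD_IN_VALIDITY_SAFE_BLOCKED scantime=1.1,size=5120",
    "Mar 04 13:44:15 host spamd[2]: spamd: result: . 0 - SPF_PASS scantime=0.9,size=2048",
]

if __name__ == "__main__":
    zones, verdicts = analyse(SAMPLE)
    print("\n".join(deny_lines(zones)))
    print(dict(verdicts))
```

A high "ham" count next to the `*_BLOCKED` rules is the case worth reviewing by hand; a high "spam" count matches the observation above that other rules still score the message.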
 