SPAMD - scoring messed up by validity-rules

shanti

we actually experience a lot of unscored spam due to failing SA-rules

Code:
Mar 04 13:43:36 host spamd[1348102]: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-trusted.bondedsender.org" to disable queries)
Mar 04 13:43:36 host spamd[1348102]: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-accredit.habeas.com" to disable queries)
Mar 04 13:43:36 host spamd[1348102]: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny bl.score.senderscore.com" to disable queries)

Since the query fails, the forced fallback on the according rules is to score 0.0 .. which cannot be overruled (it should IMHO)

i already applied recommended settings like
Code:
dns_query_restriction deny sa-accredit.habeas.com
dns_query_restriction deny bl.score.senderscore.com
dns_query_restriction deny sa-trusted.bondedsender.org

but that doesn't change anything
reassigning scores doesn't work either.

i would like NOT to touch directly into SA to remove these checks .. i'd prefer a custom-config-way

anyone experienced similar?
and how to fix that ?

tnx4support
br
-c-
 
Hello,

Where did you put them?

i include them via local.cf

Code:
untaint_path /etc/mail/spamassassin/custom_rules.d
include /etc/mail/spamassassin/custom_rules.d/*.cf

and there

Code:
#cat 10_denyqueries.cf
dns_query_restriction deny sa-accredit.habeas.com
dns_query_restriction deny bl.score.senderscore.com
dns_query_restriction deny sa-trusted.bondedsender.org

tnx for looking
-c-
 
we actually experience a lot of unscored spam due to failing SA-rules

My tests show that even if the queries fail, they do not prevent SpamAssassin from high-scoring incoming Spam. Tested with:

Bash:
zgrep -E "RCVD_IN_VALIDITY_SAFE_BLOCKED|RCVD_IN_VALIDITY_RPBL_BLOCKED|RCVD_IN_VALIDITY_CERTIFIED_BLOCKED" /var/log/maillog* | grep "spamd: result: Y"

against logs from last 30 days, i.e. /var/log/maillog-20250204 until now. E.g.:

spamd[4882]: spamd: result: Y 36 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FORGED_REPLYTO,FREEMAIL_REPLYTO,HTML_MESSAGE,KAM_MESSAGE_HASHBL_FREEMAIL,PCCC_HASHBL_EMAIL,PCCC_HASHBL_HDR_EMAIL,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_HOSTKARMA_BL,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L5,RCVD_IN_PBL,RCVD_IN_SBL,RCVD_IN_SBL_CSS,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,URIBL_CSS_A,URIBL_DBL_SPAM,URIBL_SBL_A scantime=2.3,size=36397...


I don't have information on why the way you used to disable the tests did not work for you. The only thing you might gain here by disabling the tests is saving resources used for DNS querying, it won't affect other parts.

As for the refused DNS queries, you might check this: https://uribl.com/refused.shtml

i include them via local.cf

I added the lines from your initial post in the file /etc/mail/spamassassin/local.cf and restarted SpamAssassin. And I can see the DNS queries are no longer running on my end.
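
Added example, not part of any post in this thread: a Python script that tallies `dns_block_rule` events per DNSBL zone and counts how mail scanned with a blocked Validity lookup was classified, which goes beyond the `zgrep` check above by also counting non-spam verdicts. The sample log is constructed in the format quoted here, and the function names are hypothetical.

```python
import gzip, re, sys
from collections import Counter

# Constructed sample in the log format quoted in this thread (not real traffic).
SAMPLE = """\
Mar 04 13:43:36 host spamd[101]: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means DNSBL blocked you due to too many queries.)
Mar 04 13:43:36 host spamd[101]: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (This means DNSBL blocked you due to too many queries.)
Mar 04 13:43:37 host spamd[101]: spamd: result: Y 36 - HTML_MESSAGE,RCVD_IN_SBL,RCVD_IN_VALIDITY_RPBL_BLOCKED,URIBL_DBL_SPAM scantime=2.3,size=36397
Mar 04 13:44:02 host spamd[101]: spamd: result: . 2 - HTML_MESSAGE,RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS scantime=1.1,size=5120
Mar 04 13:45:10 host spamd[101]: spamd: result: . -1 - DKIM_VALID,SPF_PASS scantime=0.9,size=2048
Mar 04 13:50:00 host spamd[102]: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means DNSBL blocked you due to too many queries.)
"""

BLOCK_RE = re.compile(r"dns_block_rule (\S+) hit, creating \S*/dnsblock_(\S+)")
RESULT_RE = re.compile(r"spamd: result: (\S) (-?\d+) - (\S*)")

def summarize(lines):
    """Return (block events per zone, verdicts for mail that hit a *_BLOCKED Validity rule)."""
    zones, verdicts = Counter(), Counter()
    for line in lines:
        m = BLOCK_RE.search(line)
        if m:
            zones[m.group(2)] += 1          # zone name taken from the dnsblock_ file
            continue
        m = RESULT_RE.search(line)
        if m:
            flag, _score, rules = m.groups()
            if any(r.startswith("RCVD_IN_VALIDITY_") and r.endswith("_BLOCKED")
                   for r in rules.split(",")):
                verdicts["spam" if flag == "Y" else "not_spam"] += 1
    return zones, verdicts

def deny_lines(zones):
    """The config line spamd's own log message suggests, one per blocked zone."""
    return [f"dns_query_restriction deny {z}" for z in sorted(zones)]

def read(path):
    """Yield lines from a plain or gzip-rotated log file."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        yield from fh

if __name__ == "__main__":
    paths = sys.argv[1:]
    src = (l for p in paths for l in read(p)) if paths else SAMPLE.splitlines()
    zones, verdicts = summarize(src)
    for zone, n in zones.most_common():
        print(f"{n:6d} block events  {zone}")
    print("verdicts with a blocked Validity lookup:", dict(verdicts))
    print("\n".join(deny_lines(zones)))
```

Run it with the maillog files as arguments (rotated `.gz` files included); with no arguments it processes the constructed sample.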
 
As a workaround, just add this to "local.cf", because using a public DNS resolver will cause the problem.
Code:
dns_server 127.0.0.1
 
As a workaround, just add this to "local.cf",
Just tried that, but that is only if the issue is with the resolver.

In this case it clearly says:
blocked you due to too many queries
I've got the same here and have local resolver in both /etc/resolv.conf (which fixes Spamhaus limit issues) and local.cf but that did not solve this current issue.

Also when using the lines in local.cf as mentioned in post #3, an error will appear in the status of spamd.
util: refusing to untaint suspicious path: "/etc/mail/spamassassin/custom_rules.d/*.cf
causing this error in the exim paniclog:
2025-05-07 18:18:05 1uChTA-0000000Czl3-4BOU spam acl condition: all spamd servers failed

If anybody has a method to stop these:
May 7 18:10:52 server26 spamd[2847126]: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny bl.score.senderscore.com" to disable queries)

May 7 18:10:52 server26 spamd[2847126]: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-accredit.habeas.com" to disable queries)
it would make me very happy. :)

I can put them directly in the local.cf but this might be overwritten on an update, no?
 
Probably fixed it myself.

Just created a custom-denyquery.cf file with those lines in the /etc/mail/spamassassin directory and restarted spamd. Looks good.
 
Hmmz... not fixed. So still looking for a solution. :(
Still getting this:
Code:
May  7 19:03:57 server26 spamd[3163526]: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-trusted.bondedsender.org" to disable queries)

And I do have dns_server 127.0.0.1 in local.cf and as first in /etc/resolv.conf and restarted spamassassin, spamd and exim... I'm out of ideas.
 
First, check your IP already in rate limits or not.
That command gives no output as result, so that seems fine. Right?

I also have this in the local.cf:
Code:
# shortcircuit BAYES_99                spam
# shortcircuit BAYES_00                ham

endif # Mail::SpamAssassin::Plugin::Shortcircuit
dns_server 127.0.0.1
dns_query_restriction deny bl.score.senderscore.com
dns_query_restriction deny sa-accredit.habeas.com

I've now set "recursion yes" in named.conf to see if that helps.

At this point I only see the sa-trusted.bondedsender.org messages as posted above.
Same command with sa-trusted.bondedsender.org also gives no output.

I could add the deny line for sa-trusted.bondedsender.org in local.cf too, I'm just wondering why it's still giving issues while it's all working by localhost resolver (caching nameserver).
 