SPAMD - scoring messed up by validity-rules

shanti

we actually experience a lot of unscored spam due to failing SA-rules

Code:
Mar 04 13:43:36 host spamd[1348102]: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-trusted.bondedsender.org" to disable queries)
Mar 04 13:43:36 host spamd[1348102]: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-accredit.habeas.com" to disable queries)
Mar 04 13:43:36 host spamd[1348102]: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny bl.score.senderscore.com" to disable queries)

Since query fails the forced-failback on according rules is to score 0.0 .. which cannot be overruled (it should IMHO)

i already applied recommended settings like
Code:
dns_query_restriction deny sa-accredit.habeas.com
dns_query_restriction deny bl.score.senderscore.com
dns_query_restriction deny sa-trusted.bondedsender.org

but that doesn't change anything
reassigning scores doesn't work either.

i would like NOT to touch directly into SA to remove these checks .. i'd prefer a custom-config-way

anyone experienced similar?
and how to fix that ?

tnx4support
br
-c-
 
Hello,

Where did you put them?

i include them via local.cf

Code:
untaint_path /etc/mail/spamassassin/custom_rules.d
include /etc/mail/spamassassin/custom_rules.d/*.cf

and there

Code:
#cat 10_denyqueries.cf
dns_query_restriction deny sa-accredit.habeas.com
dns_query_restriction deny bl.score.senderscore.com
dns_query_restriction deny sa-trusted.bondedsender.org

tnx for looking
-c-
 
we actually experience a lot of unscored spam due to failing SA-rules

My tests show that even if the queries fail, they do not prevent SpamAssassin from high-scoring incoming spam. Tested with:

Bash:
zgrep -E "RCVD_IN_VALIDITY_SAFE_BLOCKED|RCVD_IN_VALIDITY_RPBL_BLOCKED|RCVD_IN_VALIDITY_CERTIFIED_BLOCKED" /var/log/maillog* | grep "spamd: result: Y"

against logs from last 30 days, i.e. /var/log/maillog-20250204 until now. E.g.:

spamd[4882]: spamd: result: Y 36 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FORGED_REPLYTO,FREEMAIL_REPLYTO,HTML_MESSAGE,KAM_MESSAGE_HASHBL_FREEMAIL,PCCC_HASHBL_EMAIL,PCCC_HASHBL_HDR_EMAIL,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_HOSTKARMA_BL,RCVD_IN_MSPIKE_BL,RCVD_IN_MSPIKE_L5,RCVD_IN_PBL,RCVD_IN_SBL,RCVD_IN_SBL_CSS,RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED,RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,URIBL_CSS_A,URIBL_DBL_SPAM,URIBL_SBL_A scantime=2.3,size=36397...


I don't have information on why the way you used to disable the tests did not work for you. The only thing you might gain here by disabling the tests is saving resources used for DNS querying, it won't affect other parts.

As for the refused DNS queries, you might check this: https://uribl.com/refused.shtml

i include them via local.cf

I added the lines from your initial post in the file /etc/mail/spamassassin/local.cf and restarted SpamAssassin. And I can see the DNS queries are no longer running on my end.
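
Added example, not part of any post in this thread: the zgrep check above only finds mail that was still marked as spam (result: Y) while a blocked-lookup rule fired. This script also collects the messages that passed (result: .) with such a tag, counts the dns_block_rule notices per zone, and builds the matching dns_query_restriction lines. The function names and sample log lines are constructed for illustration, and it generalizes from the three Validity rules to any rule tag containing _BLOCKED.

```python
import gzip
import re
import sys
from collections import Counter

# spamd notice for a blocked DNSBL; zone is read from the marker file name.
BLOCK_RE = re.compile(r"check: dns_block_rule \S+ hit, creating \S*/dnsblock_(\S+)")
# spamd verdict line: "Y" = spam, "." = not spam, then score and rule tags.
RESULT_RE = re.compile(r"spamd: result: ([Y.]) (-?\d+) - (\S+)")

def read_logs(paths):
    """Yield lines from plain or gzip-compressed maillog files."""
    for path in paths:
        opener = gzip.open if str(path).endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            yield from fh

def summarize(lines):
    """Return (notices per zone, scores of *_BLOCKED-tagged mail by verdict)."""
    zones, scores = Counter(), {"Y": [], ".": []}
    for line in lines:
        if m := BLOCK_RE.search(line):
            zones[m.group(1)] += 1
        elif (m := RESULT_RE.search(line)) and any("_BLOCKED" in t for t in m.group(3).split(",")):
            scores[m.group(1)].append(int(m.group(2)))
    return zones, scores

def deny_lines(zones):
    """One dns_query_restriction line per zone that reported a block."""
    return [f"dns_query_restriction deny {zone}" for zone in sorted(zones)]

# Constructed sample lines in the log format quoted in this thread.
NOTICE = "spamd[1001]: check: dns_block_rule %s hit, creating /root/.spamassassin/dnsblock_%s (...)"
SAMPLE = [
    NOTICE % ("RCVD_IN_VALIDITY_RPBL_BLOCKED", "bl.score.senderscore.com"),
    NOTICE % ("RCVD_IN_VALIDITY_RPBL_BLOCKED", "bl.score.senderscore.com"),
    NOTICE % ("RCVD_IN_VALIDITY_CERTIFIED_BLOCKED", "sa-trusted.bondedsender.org"),
    "spamd[1001]: spamd: result: Y 36 - RCVD_IN_SBL,RCVD_IN_VALIDITY_RPBL_BLOCKED scantime=2.3",
    "spamd[1001]: spamd: result: . 2 - HTML_MESSAGE,RCVD_IN_VALIDITY_SAFE_BLOCKED scantime=1.1",
    "spamd[1001]: spamd: result: . 0 - SPF_PASS scantime=0.4",  # no blocked tag: ignored
]

if __name__ == "__main__":
    paths = sys.argv[1:]
    zones, scores = summarize(read_logs(paths) if paths else SAMPLE)
    print("block notices per zone:", dict(zones))
    print("marked spam:", scores["Y"], "passed (review):", scores["."])
    print("\n".join(deny_lines(zones)))
```

Run it with maillog paths as arguments (plain or .gz); without arguments it uses the constructed sample. The "passed" scores are the messages worth reviewing by hand, since a "." verdict alone does not show they were spam.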
 
For workaround, just add this to "local.cf", because using public DNS resolver will cause the problem.
Code:
dns_server 127.0.0.1
 
For workaround, just add this to "local.cf",
Just tried that, but that is only if the issue is with the resolver.

In this case it clearly says:
blocked you due to too many queries
I've got the same here and have local resolver in both /etc/resolv.conf (which fixes Spamhaus limit issues) and local.cf but that did not solve this current issue.

Also when using the lines in local.cf as mentioned in post #3, an error will appear in the status of spamd.
util: refusing to untaint suspicious path: "/etc/mail/spamassassin/custom_rules.d/*.cf
causing this error in the exim paniclog:
2025-05-07 18:18:05 1uChTA-0000000Czl3-4BOU spam acl condition: all spamd servers failed

If anybody has a method to stop these:
May 7 18:10:52 server26 spamd[2847126]: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny bl.score.senderscore.com" to disable queries)

May 7 18:10:52 server26 spamd[2847126]: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-accredit.habeas.com" to disable queries)
it would make me very happy. :)

I can put them directly in the local.cf but this might be overwritten on an update, no?
 
Probably fixed it myself.

Just created a custom-denyquery.cf file with those lines in the /etc/mail/spamassassin directory and restarted spamd. Looks good.
 
Hmmz... not fixed. So still looking for a solution. :(
Still getting this:
Code:
May  7 19:03:57 server26 spamd[3163526]: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-trusted.bondedsender.org" to disable queries)

And I do have dns_server 127.0.0.1 in local.cf and as first in /etc/resolv.conf and restarted spamassassin, spamd and exim... I'm out of ideas.
 
First, check your IP already in rate limits or not.
That command gives no output as result, so that seems fine. Right?

I also have this in the local.cf:
Code:
# shortcircuit BAYES_99                spam
# shortcircuit BAYES_00                ham

endif # Mail::SpamAssassin::Plugin::Shortcircuit
dns_server 127.0.0.1
dns_query_restriction deny bl.score.senderscore.com
dns_query_restriction deny sa-accredit.habeas.com

I've now set "recursion yes" in named.conf to see if that helps.

At this point I only see the sa-trusted.bondedsender.org messages as posted above.
Same command with sa-trusted.bondedsender.org also gives no output.

I could add the deny line for sa-trusted.bondedsender.org in local.cf too, I'm just wondering why it's still giving issues while it's all working by localhost resolver (caching nameserver).
 
Hi Richard,

You are not alone!

Found this in my logs, filling up /var/log/maillog with quite a lot of lines now.

May 11 19:22:16 server spamd[3695016]: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-accredit.habeas.com" to disable queries)
May 11 19:22:16 server spamd[3695016]: check: dns_block_rule RCVD_IN_VALIDITY_CERTIFIED_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-trusted.bondedsender.org (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-trusted.bondedsender.org" to disable queries)
May 11 19:22:16 server spamd[3695016]: check: dns_block_rule RCVD_IN_VALIDITY_RPBL_BLOCKED hit, creating /root/.spamassassin/dnsblock_bl.score.senderscore.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny bl.score.senderscore.com" to disable queries)

Posting here in the hope to see someone clear this problem.

I added to /etc/mail/spamassassin/local.cf
dns_server 127.0.0.1
dns_query_restriction deny bl.score.senderscore.com
dns_query_restriction deny sa-trusted.bondedsender.org
dns_query_restriction deny sa-accredit.habeas.com
And need to wait what that does. I expect dns 127.0.0.1 not to do anything since my dns running at 127.0.0.1 already _is_ DNS resolver #1

I do see anti-spam IS working, after those 3 lines above I see
spamd: identified spam (8.8/5.0) for username:1653 in 0.9 seconds, 3811 bytes.
spamd: result: Y 8 - BAYES_60,HTML_IMAGE_ONLY_24,HTML_MESSAGE,LIST_PARTIAL,PYZOR_CHECK.......
 
And need to wait what that does.
What it does is disable these checks. Now I don't mind about Senderscore because that one is checked via my Exim RBLs anyway.
The others are not checked either anymore, hence the notices are gone.

Spamassassin keeps working, but is just not checking those 3 which now are restricted in the local.cf.
I see the same kind of lines in the maillog as you have, proving that spamd is still working.

It's odd, never had issues with that before. I don't know exactly when this started, but it's present on all servers running spamassassin except for one. But that one might be just within the query limits.

Thank you for confirming that the previous solution to use dns_server 127.0.0.1 will not fix the query limit issue anymore with queries over 10K.
 
Update.

I kept searching and found this article on cPanel. Seems everyone is having issues.

In there it said the cause was Validity:
The URL mentioned goes to a Validity.com article explaining that you need to sign up for an account and that access to Validity reputation data is free for non-commercial use.

On Validity it says:
Validity will allow up to 10,000 requests to anonymous users over a 30-day period. If you require the ability to query in larger volumes then a contractual agreement is needed.

So it seems we're running into a lot of queries due to a high load of spammers and Validity uses this query limit now too.

However I did have a Validity account, and ended it as soon as free accounts did not get any reports anymore. But created a new one several days ago and will enable the tests again and see what will happen now. If we still run into limits or if it's all fine now.
 
Well... it's even getting worse. In spite of the account, still running into the limits and now Zen is added too.
Code:
May 13 21:52:26 server spamd[796214]: check: dns_block_rule RCVD_IN_ZEN_BLOCKED_OPENDNS hit, creating /root/.spamassassin/dnsblock_zen.spamhaus.org (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny zen.spamhaus.org" to disable queries)
and
Code:
May 13 21:52:26 server26 spamd[796214]: check: dns_block_rule RCVD_IN_VALIDITY_SAFE_BLOCKED hit, creating /root/.spamassassin/dnsblock_sa-accredit.habeas.com (This means DNSBL blocked you due to too many queries. Set all affected rules score to 0, or use "dns_query_restriction deny sa-accredit.habeas.com" to disable queries)

So account or not doesn't matter (unless you pay of course)
I disabled it now and for the time being also disabled ZEN. For some reason it seems ZEN is still seeing an opendns while we use our caching nameserver and have dns_server 127.0.0.1 in the local.cf file.
 