Spamhaus error responses

iainhallam · 6 May 2024 00:47

Problem Description

I’ve started seeing mails being rejected by my Sympl host when using a public DNS provider. The immediate cause is that Spamhaus use addresses in 127.255.255.0/24 as error codes, but Sympl’s exim configuration regards any response as being that the address is in the blocked list.

Any Error Messages

2024-05-05 01:02:18 H=mail-yw1-f193.google.com [209.85.128.193] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no SNI=<redacted> F=<redacted> rejected RCPT <redacted>: IP blacklisted at zen.spamhaus.org.

(mail-yw1-f193.google.com [209.85.128.193] is definitely not in the list at Spamhaus!)

Solution

A proper solution is to fix my DNS settings so I don’t get Spamhaus errors, but in the case that anything does go wrong, Sympl should not interpret 127.255.255.0/24 responses as being in the block list. The exim configuration manual actually has this scenario in there - the last example in section 18.7 of 44. Access control lists is:

deny dnslists = zen.spamhaus.org!&0.255.255.0

This !&0.255.255.0 should probably be added to all the dnslists entries in /etc/exim4/sympl.d/10-acl/50-acl-check-rcpt/75-dns-blacklists

Environment

Sympl Version [9.0/10.0]: 11
Sympl Testing Version? [Yes/No]: No
Debian Version [Buster/Stretch]: Bullseye
Hardware Type? [Dedicated/Virtual/Pi]: Virtual
Hosted On? [name of hosting co]: DigitalOcean

pcollinson · 6 May 2024 09:36

Spamhaus refuses to work with public/open resolvers, here’s their help page, scroll down a bit:
https://check.spamhaus.org/returnc/pub/10.10.0.0/

If you go to their FAQ FAQs | How you can use the free Spamhaus Blocklists and click on ‘For Postmasters’, there are a series of tests you can do under ‘How do I check mty DNS server results’. They suggest that you use ‘dig’ but this doesn’t seem to return NXDOMAIN. Here’s a sample nslookup session using my local caching server first.

~$ nslookup
> 2.0.0.127.zen.spamhaus.org
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	2.0.0.127.zen.spamhaus.org
Address: 127.0.0.10
Name:	2.0.0.127.zen.spamhaus.org
Address: 127.0.0.4
Name:	2.0.0.127.zen.spamhaus.org
Address: 127.0.0.2
> 1.0.0.127.zen.spamhaus.org
Server:		127.0.0.1
Address:	127.0.0.1#53

** server can't find 1.0.0.127.zen.spamhaus.org: NXDOMAIN
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> 2.0.0.127.zen.spamhaus.org
Server:		8.8.8.8
Address:	8.8.8.8#53

** server can't find 2.0.0.127.zen.spamhaus.org: NXDOMAIN
> 1.0.0.127.zen.spamhaus.org
Server:		8.8.8.8
Address:	8.8.8.8#53

** server can't find 1.0.0.127.zen.spamhaus.org: NXDOMAIN
> ^D

iainhallam · 6 May 2024 11:10

Sure, but when they return an error rather than NXDOMAIN, the Sympl exim config regards that as a hit, so blocks the email. There’s work I can do to get real responses from Spamhaus, but Sympl shouldn’t block emails based on an error.

pcollinson · 6 May 2024 11:34

So perhaps dnslists should be:

dnslists = zen.spamhaus.org/127.0.0.2,127.0.0.4,127.0.0.10

and any other list should just have 127.0.0.2.

I’m using similar syntax to check the dbl list and that works.

pcollinson · 6 May 2024 19:58

Just to correct what I said earlier, the full error listing (as far as I can tell) is

dnslists = zen.spamhaus.org/127.0.0.2,127.0.0.3,127.0.0.4,127.0.0.9,127.0.0.10,127.0.0.11

Kelduum · 13 May 2024 10:54

Agreed, I’ll log an issue and see if I can get this fixed.

Adding the !&0.255.255.0 should then ignore any ‘error’ codes.

I’ve created sympl-mail: error codes returned by SpamHaus result in mails being blocked. (#353) · Issues · sympl.io / Sympl · GitLab to track it, but it should be an easy fix to just ignore errors.

We don’t really need to filter on specific results, as we’re not reporting on which lists things were added to, so as long as we ignore the 127.255.255.0/24 responses, we should be fine.