Topic: [Solved] Barracuda DNSBL doesn't seem to be working with qpsmtpd

[mmccarn]

I have dnsbl enabled, with my RBLList set to:
    RBLList=b.barracudacentral.org:zen.spamhaus.org:bl.spamcop.net

I see lots of emails getting blocked by spamhaus.

I see *no* emails getting blocked by b.barracudacentral.org, BUT every now and then I see a block of 3+ emails with high spamassassin scores -- so far, every time this happens if I manually lookup the source IP it is listed on the Barracuda DNSBL.

Example:

Code: [Select]

#dnsbl plugin denies email based on zen.spamhaus.org results
@4000000053b5dadc00da96fc 5850 logging::logterse plugin (deny): ` 209.217.224.11        static-11-224-217-209.nocdirect.com     vui11.xewdxwxd.com      <ParentPromotionsusa@xewdxwxd.com>              dnsbl   903     http://www.spamhaus.org/sbl/query/SBLCSS        msg denied before queued
#
# 3 messages denied by spamassassin
@4000000053b5dbd338fc2474 5962 logging::logterse plugin (deny): ` 173.213.70.235        Unknown 00f6b63c.risebrush.info <MyDietBlog@risebrush.info>     <k.ward@mysmedomain.org>       spamassassin    901     spam score exceeded threshold (#5.6.1)  Yes, hits=21.1 required=5.0_
@4000000053b5dbd339363f74 5963 logging::logterse plugin (deny): ` 173.213.70.235        Unknown 001b9f4e.risebrush.info <MyFitnessDiet@risebrush.info>  <rbutrum@mysmedomain.org>      spamassassin    901     spam score exceeded threshold (#5.6.1)  Yes, hits=21.4 required=5.0_
@4000000053b5dbd71eada534 5964 logging::logterse plugin (deny): ` 173.213.70.235        Unknown 0021febb.risebrush.info <BestBodyToday@risebrush.info>  <s.burner@mysmedomain.org>     spamassassin    901     spam score exceeded threshold (#5.6.1)  Yes, hits=21.1 required=5.0_

If I immediately do a manual lookup on 173.213.70.235 at barracudacentral, the host shows as "listed" (returns 127.0.0.2):

Code: [Select]

#  nslookup 235.70.213.173.b.barracudacentral.org
Server: 192.168.1.2
Address: 192.168.1.2#53

Non-authoritative answer:
Name: 235.70.213.173.b.barracudacentral.org
Address: 127.0.0.2


[mmccarn]

This turns out to be a "feature" of the dnsbl plugin.

dnsbl wants the blocklist service to return a TXT record containing the message that goes back to the spammer, but b.barracudacentral.org returns ONLY an A record.

In order for dnsbl to pay attention to A records, /var/service/qpsmtpd/config/dnsbl_zones must contain a colon plus a message for the spammer -- dnsbl uses the colon to determine that it should do an A lookup instead of a TXT lookup.

By default there is no way to get a colon into dnsbl_zones.

I've submitted a code sample in Bug 8484 that allows dnsbl to support colons in /var/service/qpsmtpd/config/dnsbl_zones (and therefore A-record block lists).

After following the steps shown in the bug, /var/log/qpsmtpd/current shows that emails are being blocked by b.barracudacentral.org.

[mmccarn]

SME 9.2 now supports A-record RBLs like b.barracudacentral.org:
https://wiki.contribs.org/Qpsmtpd#A-Record_DNSBL_Services