
I received a couple of complaints from customers who got their emails rejected. I haven't changed my config, so this must be an issue with spamhaus.

I'm running Postfix with these settings for spamhaus:

smtpd_sender_restrictions = [...]
 reject_rhsbl_helo dbl.spamhaus.org,
 reject_rhsbl_reverse_client dbl.spamhaus.org,
 reject_rhsbl_sender dbl.spamhaus.org,

Here are a couple of my logs where customers get blocked:

NOQUEUE: reject: RCPT from mx08-0020e701.pphosted.com[91.207.212.174]: 554 5.7.1 Service unavailable; Unverified Client host [mx08-0020e701.pphosted.com] blocked using dbl.spamhaus.org; from=<prvs=122944b5d5=XXX.XXX@XXX.com> to=<XXX@XXX.de> proto=ESMTP helo=<mx07-0020e701.pphosted.com>
NOQUEUE: reject: RCPT from mailout09.t-online.de[194.25.134.84]: 554 5.7.1 Service unavailable; Sender address [XXX@t-online.de] blocked using dbl.spamhaus.org; from=<XXX@t-online.de> to=<info@XXX.de> proto=ESMTP helo=<mailout09.t-online.de>
NOQUEUE: reject: RCPT from mail-fr2deu01on2094.outbound.protection.outlook.com[40.107.135.94]: 554 5.7.1 Service unavailable; Helo command [DEU01-FR2-obe.outbound.protection.outlook.com] blocked using dbl.spamhaus.org; from=<#XXX@XXX.com> to=<XXX@XXX.de> proto=ESMTP helo=<DEU01-FR2-obe.outbound.protection.outlook.com>

Does anybody know how I can fix this (without exposing my mailserver)?

3und80

1 Answer


Your configuration is dangerously wrong. You must filter the DNS return codes, as instructed.

Not every response from spamhaus indicates a listing; some indicate lookup errors (usually: querying via a shared open DNS server, thus exceeding lookup rates). Your configuration blocks clients on all results, including 127.255.255.0/24 responses.

This configuration fixes the immediate problem by only rejecting on actual results. Depending on the nature of the error, this may mean you are then not blocking anyone:

smtpd_sender_restrictions = [...]
 reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
 reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
 reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99],

This suggested fix only makes you not mistreat the error responses. You additionally have to configure your DNS lookups according to the usage guidelines - to yet again retrieve the intended responses.

To begin with this, on the machine in question, call this command:

dig +short 2.0.0.127.zen.spamhaus.org

And then see what the returned code corresponds to in their public list explaining the codes.

anx
    Thank you for documentation link. This is particularly useful as I find too many people add Spamhaus to MTA config as more cargo cult than anything: "Blocking at the SMTP level is only suggested if you have a moderately high email volume (more than 200,000 emails per day), low computing resources, or if you do not use additional anti-spam software." – Paul Aug 19 '22 at 12:49