Email delivery problem with SpamHaus

[mlopez]

Hello,

We're experiencing problems with lots of recipients (not hosted by us) because of an RBL Error.

The rebound states the following:
SMTP error from remote mail server after RCPT TO:<[email protected]>:
550-"JunkMail rejected OURSERVERDOMAIN[OUR-IP-ADDRESS]:33842 is in
550 an RBL: Error: open resolver; https://www.spamhaus.org/returnc/pub/2400:cb00:44:1024::c629:e564"

When you look at this webpage DNSBL Error Code - Open/public resolver - The Spamhaus Project you get a message that says the problem isn't ours but the receiving server. Anyway our costumers are claiming a solution and we would like to help solve this.

Thank you for your help.

Mauricio

 

[mtindor]

Hello,

We're experiencing problems with lots of recipients (not hosted by us) because of an RBL Error.

The rebound states the following:
SMTP error from remote mail server after RCPT TO:<[email protected]>:
550-"JunkMail rejected OURSERVERDOMAIN[OUR-IP-ADDRESS]:33842 is in
550 an RBL: Error: open resolver; https://www.spamhaus.org/returnc/pub/2400:cb00:44:1024::c629:e564"

When you look at this webpage DNSBL Error Code - Open/public resolver - The Spamhaus Project you get a message that says the problem isn't ours but the receiving server. Anyway our costumers are claiming a solution and we would like to help solve this.

Thank you for your help.

Mauricio

Your hosting server has a public resolver (such as a Cloudflare IP address for one of their public DNS resolvers) in /etc/resolv.conf. When your server queries Spamhaus it doesn't do it direct but rather queries the public resolver, which then seeks out the information by making a query to Spamhaus. Spamhaus does not want people using public resolvers because they generate high volumes of queries to Spamhaus.

For instance, as much as we might want 1.1.1.1 (CF), or 8.8.8.8 or 8.8.4.4 (Google) resolvers on our servers, we do not for this very reason, and also because URIBL also will not answer queries from these public resolvers. Depending upon how many hosting servers you have, you might want to spin up a couple of Digital Ocean droplets (or your favorite cheap VPS provider) running Bind (or whatever nameservice you like) and limit the IPs that can query to only those of your hosting servers. Then you can add the IPs of the DigitalOcean droplets in your /etc/resolv.conf and you'd be able to successfully query Spamhaus records and URIBL records and such.

Mike

 

[cPRex]

Thanks for sharing @mtindor - that was a great reply.

We're also seeing other issues with Spamhaus lately that is causing us to consider removing that blacklist from the WHM interface entirely. They've been blocking Gmail and cPanel IP ranges, leading to much confusion.

 

[mtindor]

We're also seeing other issues with Spamhaus lately that is causing us to consider removing that blacklist from the WHM interface entirely. They've been blocking Gmail and cPanel IP ranges, leading to much confusion.

I did read about those reports in other threads, but I've yet to see it myself (of course that doesn't mean it isn't happening). If cPanel does indeed decide to remove the blacklist from the WHM interface entirely, please make some sort of post on the forum or announcement somewhere where admins are going to be aware of it. Absence of issues on my end, I wish to continue using Spamhaus (I have ever since it's inception) and am quite comfortable with it. I'd hate for it to disappear / not be functioning as an RBL with Exim without my knowledge.

- mike

 

[mlopez]

Your hosting server has a public resolver (such as a Cloudflare IP address for one of their public DNS resolvers) in /etc/resolv.conf. When your server queries Spamhaus it doesn't do it direct but rather queries the public resolver, which then seeks out the information by making a query to Spamhaus. Spamhaus does not want people using public resolvers because they generate high volumes of queries to Spamhaus.

For instance, as much as we might want 1.1.1.1 (CF), or 8.8.8.8 or 8.8.4.4 (Google) resolvers on our servers, we do not for this very reason, and also because URIBL also will not answer queries from these public resolvers. Depending upon how many hosting servers you have, you might want to spin up a couple of Digital Ocean droplets (or your favorite cheap VPS provider) running Bind (or whatever nameservice you like) and limit the IPs that can query to only those of your hosting servers. Then you can add the IPs of the DigitalOcean droplets in your /etc/resolv.conf and you'd be able to successfully query Spamhaus records and URIBL records and such.

Mike

Thank you for your answer, Mike. But let me understand, this tip (excellent, by the way) is for server that uses SpamHaus RBL, right? but we're not.



This is happening with some recipients not hosted with us. We send mail say from [email protected] => [email protected] and we get a rebound that states there's a SpamHaus error.
Should we also use a custom forward DNS server to avoid this?

Regards,
Mauricio

 

[mtindor]

Thank you for your answer, Mike. But let me understand, this tip (excellent, by the way) is for server that uses SpamHaus RBL, right? but we're not.

View attachment 79205

This is happening with some recipients not hosted with us. We send mail say from [email protected] => [email protected] and we get a rebound that states there's a SpamHaus error.
Should we also use a custom forward DNS server to avoid this?

Regards,
Mauricio

I misunderstood. So [some] message sent out by your server to remote servers are being rejected during SMTP, and the remote server is reporting that? Hmm. I would then say that the remote server(s) are the ones having that issue then.

But, if I were you, I would still check and see if your server IPs (whether you have IP4 or IP6 or both) are listed on Spamhaus, just to be safe. Because I don't know the name of your server I can't look that up for you.

If your primary server IP(s), both IP4 and IP6, are NOT listed on Spamhaus, then the servers you are sending to are using open resolvers + Spamhaus RBL and they will need to be the ones to correct.

Sorry for the confusion!

 

[mlopez]

I misunderstood. So [some] message sent out by your server to remote servers are being rejected during SMTP, and the remote server is reporting that? Hmm. I would then say that the remote server(s) are the ones having that issue then.

But, if I were you, I would still check and see if your server IPs (whether you have IP4 or IP6 or both) are listed on Spamhaus, just to be safe. Because I don't know the name of your server I can't look that up for you.

If your primary server IP(s), both IP4 and IP6, are NOT listed on Spamhaus, then the servers you are sending to are using open resolvers + Spamhaus RBL and they will need to be the ones to correct.

Sorry for the confusion!

Mike,

Great answer, thou!

I've checked our IP and hostname in SpamHaus and we're not listed. So it looks like some other hosting companies have to apply your solution.

Best regards,

Mauricio

 

[kssuhesh]

Today, I face the issue with one customer and the error is

550: 'JunkMail rejected - soxxx-5x.coxxr.mail.gx1.yahoo.com
[xx.xx.xx.xx]:45193 is in an RBL: Error:
open resolver

After disabling Spamhaus, the mail started working.

 

[phil99]

Please leave Spamhaus as an option in WHM, although I guess people could always add it as a custom option.

Spamhaus have published an article about the recent issues:

Poor sending practices trigger a tidal wave of informational listings

 

[cPRex]

I disagree with most everything that article says. Yes, if you're a server owner and don't manage your mailing list that does make sense, but when we start seeing Gmail IPs show up in the blocklist, and Gmail has some of the most strict email verification rules out there, it's not a sending problem.

 

[wintech2003]

We've also started seeing Gmail/Google Workspace and Microsoft 365 IPs getting blocked since yesterday, with customers unable to receive email from their business contacts etc.
For now we've disabled SpamHaus and enabled SpamCop RBL instead.

 

[mtindor]

The only Google stuff I've seen blocked (by Spamhaus) across 8 servers were legitimate blockages from IP addresses with "cache.google.com", or "aspmx.l.google.com" or "alt#.aspmx.l.google.com" reverse DNS, with the forward nonmatching forward DNS. IP addresses were from Uruguay and Kyrgyzstan and a lot more from China. FROM addresses were clearly bogus accounts. So far I'm not concerned about Spamhaus.

 

[Hedloff]

We also had massive issues with Spamhaus that started yesterday.
Is there any api/command that can be used to turn it off? Terrible to login to WHM on all servers and disable it, that will take ages!

 

[mtindor]

We also had massive issues with Spamhaus that started yesterday.
Is there any api/command that can be used to turn it off? Terrible to login to WHM on all servers and disable it, that will take ages!

Are your logs revealing that it is due to using an open resolver? Or did they actually flag a block of your IP space?

 

[cPRex]

@Hedloff - there isn't a great automated way to do that as I don't have an API call available. I can confirm that toggling the option enables this block of code in the /etc/exim.conf file:

# BEGIN INSERT spamhaus_rbl

 deny message = JunkMail rejected - $sender_fullhost is in an RBL: $dnslist_text
     hosts = +backupmx_hosts
     dnslists = zen.spamhaus.org

 warn

                !hosts = +neighbor_netblocks
                !hosts = +greylist_common_mail_providers
     dnslists = zen.spamhaus.org
     set acl_m8 = 1
     set acl_m9 = "JunkMail rejected - $sender_fullhost is in an RBL: $dnslist_text"

 warn
     condition = ${if eq {${acl_m8}}{1}{1}{0}}
     ratelimit = 0 / 1h / strict / per_conn
     log_message = "Increment Connection Ratelimit - $sender_fullhost because of RBL match"

 drop
     condition = ${if eq {${acl_m8}}{1}{1}{0}}
     message = ${acl_m9}


# END INSERT spamhaus_rbl

So if you wanted to make a way to script that removal and restart Exim I suppose you could.

 

[nlaruelle]

Hello,

I just get flooded today of support requests from my users complaining about email deliverability… and of course, I've just discovered this Spamhaus Update (issue).
I've disabled 'spamhaus' RBL from EXIM Config.

Then…

is that asking to my provider (OVHCloud) to give me some Public Resolvers can solve the situation to enable again Spamhaus? Is this kind of smaller resolver reliable? Or should I stay to Cloudflare/Google/OpenDNS resolvers?

Now, should the cloud providers offer some private 'resolvers' to all the users of their Dedicated Servers ?

Thanks!

 

[cPRex]

In general, I would expect your host to offer resolvers that you can use. If you reach out to them, they should be able to provide you with a pair you can use on your machine.

 

[nlaruelle]

In general, I would expect your host to offer resolvers that you can use. If you reach out to them, they should be able to provide you with a pair you can use on your machine.

Thanks cPRex! (third party issues made my summer^^)

Current config

I'am now using the single Primary Resolver of my Provider, but still use Public Resolver for Secondary DNS Resolver…

so, of course, temporarily disabled Spamhaus from EXIM.

DQS - Data Query Service

Can you clarify here if cPanel is compatible their DQS …
(I am afraid, not, as there is a feature request : Build in Spam Assassin Data Query Service to EXIM ;
more info FREE Spamhaus Data Query Service (DQS)),

that seems the proper solution to continue to takes advantage from the Public Resolver :
Help for Spamhaus Public Mirror Users - Spamhaus Technology ?

Spamhaus, datacenters & cPanel future ?

You know, we love Spamhaus as it's the best RBL for us? (we use it for mails, but think to use it for /etc/csf/csf.blocklists :-/ re-scheduled later so)

We are all looking to improve security and avoid unnecessary server load by using RBL… it would be very appreciate if cPanel could match again with Spamhaus by this DQS, or if Datacenters could better promote their local DNS Resolver.

For instance, I've seen DigitalOcean offer local resolvers, but limited by queries (100 dns resolution/second)… but they don't have an article (or I dont find it out) to promote their DNS server IP.

"Caution : wet paint"

Anyway,

No thanks to Spamhaus for pushing this security update with so little communication (but it's seems that the way to do so…).

Thank you all !

 

[cPRex]

I poked our email team about that feature request!

 

[nightstorm22]

Just wanted to post and say this has been a total nightmare for us too - on a personal note (myself), in the last 24 hours Outlook (hotmail), Linkedin and Amazon SES emails have all been blocked - including invoices for us to pay (sent through Amazon SES).