
Email delivery problem with SpamHaus

Comments

26 comments

  • mtindor
    Hello, We're experiencing problems with lots of recipients (not hosted by us) because of an RBL Error. The rebound states the following: SMTP error from remote mail server after RCPT TO:: 550-"JunkMail rejected OURSERVERDOMAIN[OUR-IP-ADDRESS]:33842 is in 550 an RBL: Error: open resolver;
    0
  • cPRex Jurassic Moderator
    Thanks for sharing @mtindor - that was a great reply. We're also seeing other issues with Spamhaus lately that are causing us to consider removing that blacklist from the WHM interface entirely. They've been blocking Gmail and cPanel IP ranges, leading to much confusion.
    0
  • mtindor
    We're also seeing other issues with Spamhaus lately that are causing us to consider removing that blacklist from the WHM interface entirely. They've been blocking Gmail and cPanel IP ranges, leading to much confusion.

    I did read about those reports in other threads, but I've yet to see it myself (of course that doesn't mean it isn't happening). If cPanel does indeed decide to remove the blacklist from the WHM interface entirely, please make some sort of post on the forum or announcement somewhere where admins are going to be aware of it. Absence of issues on my end, I wish to continue using Spamhaus (I have ever since its inception) and am quite comfortable with it. I'd hate for it to disappear / not be functioning as an RBL with Exim without my knowledge. - mike
    0
  • mlopez
    Your hosting server has a public resolver (such as a Cloudflare IP address for one of their public DNS resolvers) in /etc/resolv.conf. When your server queries Spamhaus it doesn't do it direct but rather queries the public resolver, which then seeks out the information by making a query to Spamhaus. Spamhaus does not want people using public resolvers because they generate high volumes of queries to Spamhaus. For instance, as much as we might want 1.1.1.1 (CF), or 8.8.8.8 or 8.8.4.4 (Google) resolvers on our servers, we do not for this very reason, and also because URIBL also will not answer queries from these public resolvers. Depending upon how many hosting servers you have, you might want to spin up a couple of Digital Ocean droplets (or your favorite cheap VPS provider) running Bind (or whatever nameservice you like) and limit the IPs that can query to only those of your hosting servers. Then you can add the IPs of the DigitalOcean droplets in your /etc/resolv.conf and you'd be able to successfully query Spamhaus records and URIBL records and such. Mike

    Thank you for your answer, Mike. But let me understand, this tip (excellent, by the way) is for a server that uses SpamHaus RBL, right? But we're not. This is happening with some recipients not hosted with us. We send mail, say, from user@ourserver.com => whatever@example.com and we get a rebound that states there's a SpamHaus error. Should we also use a custom forward DNS server to avoid this? Regards, Mauricio
    0
  • mtindor
    Thank you for your answer, Mike. But let me understand, this tip (excellent, by the way) is for a server that uses SpamHaus RBL, right? But we're not. This is happening with some recipients not hosted with us. We send mail, say, from user@ourserver.com => whatever@example.com and we get a rebound that states there's a SpamHaus error. Should we also use a custom forward DNS server to avoid this? Regards, Mauricio

    I misunderstood. So [some] messages sent out by your server to remote servers are being rejected during SMTP, and the remote server is reporting that? Hmm. I would then say that the remote server(s) are the ones having that issue then. But, if I were you, I would still check and see if your server IPs (whether you have IP4 or IP6 or both) are listed on Spamhaus, just to be safe. Because I don't know the name of your server I can't look that up for you. If your primary server IP(s), both IP4 and IP6, are NOT listed on Spamhaus, then the servers you are sending to are using open resolvers + Spamhaus RBL and they will need to be the ones to correct. Sorry for the confusion!
    0
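The distinction drawn in the post above (a real listing versus a query that went through an open resolver) is visible in the DNSBL answer itself. This is an added example, not code from the thread or from cPanel; it assumes Spamhaus's published ZEN return codes (127.0.0.x for listings, 127.255.255.x for errors), and the function names are hypothetical.

```python
import ipaddress
import socket

# Assumption: Spamhaus's published error return codes for zen.spamhaus.org.
ERRORS = {
    "127.255.255.252": "typo in DNSBL name",
    "127.255.255.254": "query arrived via a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}

def query_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL name: reversed octets (nibbles for IPv6) + zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{rev}.{zone}"

def zen_list(code):
    """Map a 127.0.0.x answer to the ZEN component list it came from."""
    last = int(code.rsplit(".", 1)[1])
    if last in (2, 3, 9):
        return "SBL"
    if 4 <= last <= 7:
        return "XBL"
    if last in (10, 11):
        return "PBL"
    return "unknown"

def classify(answers):
    """Return (verdict, details) for the A records a ZEN query produced."""
    errors = [ERRORS.get(a, "unknown error code") for a in answers
              if a.startswith("127.255.255.")]
    if errors:
        return "resolver_error", errors   # says nothing about the sender IP
    lists = sorted({zen_list(a) for a in answers if a.startswith("127.0.0.")})
    return ("listed", lists) if lists else ("not_listed", [])

def check(ip):
    """Live lookup through the resolvers configured in /etc/resolv.conf."""
    try:
        answers = socket.gethostbyname_ex(query_name(ip))[2]
    except OSError:                       # no A record came back
        answers = []
    return classify(answers)

if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:
        print(ip, *check(ip))
```

A `resolver_error` verdict for every IP you test, including well-known clean ones, points at the resolver path of the machine running the query rather than at the sending IP.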
  • mlopez
    I misunderstood. So [some] messages sent out by your server to remote servers are being rejected during SMTP, and the remote server is reporting that? Hmm. I would then say that the remote server(s) are the ones having that issue then. But, if I were you, I would still check and see if your server IPs (whether you have IP4 or IP6 or both) are listed on Spamhaus, just to be safe. Because I don't know the name of your server I can't look that up for you. If your primary server IP(s), both IP4 and IP6, are NOT listed on Spamhaus, then the servers you are sending to are using open resolvers + Spamhaus RBL and they will need to be the ones to correct. Sorry for the confusion!

    Mike, great answer, though! I've checked our IP and hostname in
    0
  • kssuhesh
    Today, I face the issue with one customer and the error is 550: 'JunkMail rejected - soxxx-5x.coxxr.mail.gx1.yahoo.com [xx.xx.xx.xx]:45193 is in an RBL: Error: open resolver
    After disabling Spamhaus, the mail started working.
    0
  • phil99
    Please leave Spamhaus as an option in WHM, although I guess people could always add it as a custom option. Spamhaus have published an article about the recent issues:
    0
  • cPRex Jurassic Moderator
    I disagree with most everything that article says. Yes, if you're a server owner and don't manage your mailing list that does make sense, but when we start seeing Gmail IPs show up in the blocklist, and Gmail has some of the most strict email verification rules out there, it's not a sending problem.
    0
  • George_Fusioned
    We've also started seeing Gmail/Google Workspace and Microsoft 365 IPs getting blocked since yesterday, with customers unable to receive email from their business contacts etc. For now we've disabled SpamHaus and enabled SpamCop RBL instead.
    0
  • mtindor
    The only Google stuff I've seen blocked (by Spamhaus) across 8 servers were legitimate blockages from IP addresses with "cache.google.com", or "aspmx.l.google.com" or "alt#.aspmx.l.google.com" reverse DNS, with the forward nonmatching forward DNS. IP addresses were from Uruguay and Kyrgyzstan and a lot more from China. FROM addresses were clearly bogus accounts. So far I'm not concerned about Spamhaus.
    0
  • Hedloff
    We also had massive issues with Spamhaus that started yesterday. Is there any api/command that can be used to turn it off? Terrible to login to WHM on all servers and disable it, that will take ages!
    0
  • mtindor
    We also had massive issues with Spamhaus that started yesterday. Is there any api/command that can be used to turn it off? Terrible to login to WHM on all servers and disable it, that will take ages!

    Are your logs revealing that it is due to using an open resolver? Or did they actually flag a block of your IP space?
    0
  • cPRex Jurassic Moderator
    @Hedloff - there isn't a great automated way to do that as I don't have an API call available. I can confirm that toggling the option enables this block of code in the /etc/exim.conf file:

        # BEGIN INSERT spamhaus_rbl
        deny message = JunkMail rejected - $sender_fullhost is in an RBL: $dnslist_text
             hosts = +backupmx_hosts
             dnslists = zen.spamhaus.org

        warn !hosts = +neighbor_netblocks
             !hosts = +greylist_common_mail_providers
             dnslists = zen.spamhaus.org
             set acl_m8 = 1
             set acl_m9 = "JunkMail rejected - $sender_fullhost is in an RBL: $dnslist_text"

        warn condition = ${if eq {${acl_m8}}{1}{1}{0}}
             ratelimit = 0 / 1h / strict / per_conn
             log_message = "Increment Connection Ratelimit - $sender_fullhost because of RBL match"

        drop condition = ${if eq {${acl_m8}}{1}{1}{0}}
             message = ${acl_m9}
        # END INSERT spamhaus_rbl

    So if you wanted to make a way to script that removal and restart Exim I suppose you could.
    0
  • nlaruelle
    Hello, I just get flooded today of support requests from my users complaining about email deliverability... and of course, I've just discovered this Spamhaus Update (issue). I've disabled 'spamhaus' RBL from EXIM Config. Then... is that asking to my provider (OVHCloud) to give me some Public Resolvers can solve the situation to enable again Spamhaus? Is this kind of smaller resolver reliable? Or should I stay to Cloudflare/Google/OpenDNS resolvers? Now, should the cloud providers offer some private 'resolvers' to all the users of their Dedicated Servers? Thanks!
    0
  • cPRex Jurassic Moderator
    In general, I would expect your host to offer resolvers that you can use. If you reach out to them, they should be able to provide you with a pair you can use on your machine.
    0
  • nlaruelle
    In general, I would expect your host to offer resolvers that you can use. If you reach out to them, they should be able to provide you with a pair you can use on your machine.

    Thanks cPRex! (third party issues made my summer^^)

    Current config
    I am now using the single Primary Resolver of my Provider, but still use Public Resolver for Secondary DNS Resolver... so, of course, temporarily disabled Spamhaus from EXIM.

    DQS - Data Query Service
    Can you clarify here if cPanel is compatible with their DQS... (I am afraid not, as there is a feature request: Build in Spam Assassin Data Query Service to EXIM; more info: Help for Spamhaus Public Mirror Users - Spamhaus Technology)?

    Spamhaus, datacenters & cPanel future?
    You know, we love Spamhaus as it's the best RBL for us? (we use it for mails, but think to use it for /etc/csf/csf.blocklists :-/ re-scheduled later so) We are all looking to improve security and avoid unnecessary server load by using RBL... it would be very appreciated if cPanel could match again with Spamhaus by this DQS, or if Datacenters could better promote their local DNS Resolver. For instance, I've seen DigitalOcean offer local resolvers, but limited by queries (100 dns resolution/second)... but they don't have an article (or I don't find it out) to promote their DNS server IP. "Caution : wet paint"

    Anyway, no thanks to Spamhaus for pushing this security update with so little communication (but it seems that's the way to do so...). Thank you all!
    0
  • cPRex Jurassic Moderator
    I poked our email team about that feature request!
    0
  • nightstorm22
    Just wanted to post and say this has been a total nightmare for us too - on a personal note (myself), in the last 24 hours Outlook (hotmail), Linkedin and Amazon SES emails have all been blocked - including invoices for us to pay (sent through Amazon SES).
    0
  • Glexia
    We're seeing issues with this as well. Any updates?
    0
  • cPRex Jurassic Moderator
    @Glexia - what updates were you looking for? If you're seeing similar issues, you can disable Spamhaus in WHM.
    0
  • Volox
    Is there a guide for configuring cPanel / Exim to use spamhaus via DQS (even if that means using custom config sections)? It would be preferable to have options other than just 'turn it off'.
    0
  • Volox
    Got back around to tinkering with this and found a few solutions...

    Solution for ZEN only

    If you want Spamhaus ON using DQS and only care about using ZEN (which is the combination of SBL+XBL+PBL), then you can configure that properly via the UI. By the way, ZEN is what the Exim config was configured to use originally, so this essentially gets you back to equivalent working state.
    • Sign up for Spamhaus DQS so that you have a query key to use for DQS
    • Be smart and backup your Exim config
    • Go into Exim config -> RBLs tab
    • Click on 'Manage' button at the top of that tab, which should open this screen:
    • Put in the Rbl Name, Info Url and add the DNS name from the Spamhaus portal that includes your query key for ZEN (or whichever RBL you want to use)
    • Click Add and the entry should be added to the list.
    • Return to the RBL tab in the Exim configuration and you should now see the new RBL available at the bottom of the config options:
    • Turn OFF the RBL: zen.spamhaus.org (this disables the broken part)
    • Turn on the custom RBL
    • Save the configuration (which should restart EXIM)

    Solution for ALL of Spamhaus

    If you want to use the domain lookup lists (DBL and ZRD) to further reduce spam, you have to go into advanced editing to get the job done. It would be great if the RBL manage interface let you specify using the RBL with the sender address or helo name as a domain lookup instead of an IP lookup. Maybe someday that feature will be there. In the meantime, here are the steps...
    • Sign up for Spamhaus DQS so that you have a query key to use for DQS
    • Be smart and backup your Exim config
    • Go into Exim config -> Advanced Editor
    • Find the section labeled: spamhaus_rbl
    • If that section is not checked/enabled, then enable it.
    • Copy the contents of that section and then disable it (this turns off the broken Spamhaus config).
    • Just below that section find the section labeled: custom_end_rbl
    • Enable the custom_end_rbl and paste in the contents you copied from the Spamhaus section.
    • Replace the two instances of the 'dnslists' variable with the updated list to point to Spamhaus DQS urls that include your query key.

        dnslists = [your query key].zen.dq.spamhaus.net : \
                   [your query key].dbl.dq.spamhaus.net/<;$sender_address_domain;$sender_helo_name : \
                   [your query key].zrd.dq.spamhaus.net/<;$sender_address_domain;$sender_helo_name

    This sets the RBL to look up the ZEN list by IP, and both the DBL and ZRD by using the domain name of the sender as well as the domain name used in the helo.
    • Save the configuration and test.

    The entire custom_end_rbl section should look something like:

        # Custom RBL section for spamhaus so we can use our key for the DQS
        deny message = JunkMail rejected - $sender_fullhost is in an RBL: $dnslist_text
             hosts = +backupmx_hosts
             dnslists = [your query key].zen.dq.spamhaus.net : \
                        [your query key].dbl.dq.spamhaus.net/<;$sender_address_domain;$sender_helo_name : \
                        [your query key].zrd.dq.spamhaus.net/<;$sender_address_domain;$sender_helo_name

        warn !hosts = +greylist_common_mail_providers
             dnslists = [your query key].zen.dq.spamhaus.net : \
                        [your query key].dbl.dq.spamhaus.net/<;$sender_address_domain;$sender_helo_name : \
                        [your query key].zrd.dq.spamhaus.net/<;$sender_address_domain;$sender_helo_name
             set acl_m8 = 1
             set acl_m9 = "JunkMail rejected - $sender_fullhost is in an RBL: $dnslist_text"

        warn condition = ${if eq {${acl_m8}}{1}{1}{0}}
             ratelimit = 0 / 1h / strict / per_conn
             log_message = "Increment Connection Ratelimit - $sender_fullhost because of RBL match"

        drop condition = ${if eq {${acl_m8}}{1}{1}{0}}
             message = ${acl_m9}
    0
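To see which DNS names the `dnslists` value in the post above causes to be queried, and that the DQS query key is a label in every one of them (so it is worth masking before pasting lookups into logs or tickets), here is an added example that is not part of the original post. The parser covers only the forms used on this page; the key `examplekey123`, the sample variables and the function names are constructed.

```python
import ipaddress
import re

QUERY_KEY = "examplekey123"   # constructed placeholder, not a real DQS key
DNSLISTS = r"""KEY.zen.dq.spamhaus.net : \
    KEY.dbl.dq.spamhaus.net/<;$sender_address_domain;$sender_helo_name : \
    KEY.zrd.dq.spamhaus.net/<;$sender_address_domain;$sender_helo_name""".replace("KEY", QUERY_KEY)
SAMPLE_VARS = {               # constructed values for one inbound connection
    "sender_host_address": "192.0.2.10",
    "sender_address_domain": "mail.example.org",
    "sender_helo_name": "mta1.example.net",
}

def dns_key(value):
    """IP keys are reversed (octets or nibbles); domain keys are used as-is."""
    try:
        return ipaddress.ip_address(value).reverse_pointer.rsplit(".", 2)[0]
    except ValueError:
        return value.lower().rstrip(".")

def expand(dnslists, variables):
    """List the DNS names a dnslists value causes to be looked up."""
    names = []
    flat = dnslists.replace("\\\n", " ")           # join continuation lines
    for item in re.split(r"\s+:\s+", flat.strip()):
        zone, _, keys = item.strip().partition("/")
        if not keys:                               # no key list: connecting host IP
            keys = "$sender_host_address"
        sep = ":"
        if keys.startswith("<"):                   # "<;" switches the key separator
            sep, keys = keys[1], keys[2:]
        for key in keys.split(sep):
            value = variables.get(key.strip().lstrip("$"), key.strip())
            if value:                              # this example skips empty expansions
                names.append(f"{dns_key(value)}.{zone}")
    return names

def redact(name, query_key=QUERY_KEY):
    """Mask the DQS key before a query name is logged or shared."""
    return name.replace(query_key, "<dqs-key>")

if __name__ == "__main__":
    for name in expand(DNSLISTS, SAMPLE_VARS):
        print(redact(name))
```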
  • Volox
    I would also mention that there is one other place that the Spamhaus restrictions will be impacting your emails -> Spamassassin. If you look at your inbound email messages full source, you'll see something like this...

        0.0 URIBL_ZEN_BLOCKED_OPENDNS ADMINISTRATOR NOTICE: The query to zen.spamhaus.org was blocked due to usage of an open resolver. See https://www.spamhaus.org/returnc/pub/ [URIs: sendingdomain.com]

    In order to avoid the wasted (now useless) call to Spamhaus from Spamassassin, you can create a custom config that turns off those rules. Create the file /etc/mail/spamassassin/custom.cf
    Insert the following rules into that file to turn off the rules:

        score RCVD_IN_ZEN_BLOCKED_OPENDNS 0
        score RCVD_IN_ZEN_BLOCKED 0
        score __RCVD_IN_ZEN 0

    Emails should now come through without the broken rule tagged in the spam score section. The other option is to install and setup the Spamhaus DQS plugin for Spamassassin, but others have instructions on that and I'll leave that adventure for another day. If you want to venture into that forest, here is the starting point that I found...
    0
  • Gimboid
    I just wanted to write a message to thank you for not only finding this solution, but actually writing detailed instructions on how to implement this. Over the years I've had constant problems on and off with this, DNS issues and such, I would have had no idea how to get cPanel working with the DQS and thanks to you it's now running super smoothly. One issue I noticed after this was T_SPF_TEMPERROR. Once someone makes the changes you recommend, if they have already previously tried making changes to their local.cf or resolv.conf (normally adding 127.0.0.1), they may start getting this error; they simply need to remove the localhost entries after implementing your changes and it should all work great. Thank you so much!
    0
  • David

    The SPAMHAUS DQS has been configured in the Exim configuration manager according to the above two solutions.

    0
