How to stop SpamAssassin from querying Validity RBLs
UPDATE: See this cPanel article that has the official solution: How can I stop SpamAssassin from querying Validity RBLs? – cPanel. The remainder of this post below is now for historic reference only.
Here's my experience of seeing references to Validity.com's RBLs (Real-time Blackhole Lists) in email headers and how I went about disabling those queries. Validity.com is a company that provides RBL services for filtering spam, and this post explains how to bypass those specific queries. I hope this post is helpful to other admins dealing with the same issue.
If you're using SpamAssassin and it's querying the Validity RBLs, and you don't want to sign up with Validity, here's how to stop those Validity RBL queries.
First, here's a sample of what the SpamAssassin X-Ham-Report header contains:
0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
query to Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243
for more information.
[REDACTED_IP_ADDRESS listed in bl.score.senderscore.com]
0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
The query to Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243
for more information.
[REDACTED_IP_ADDRESS listed in sa-trusted.bondedsender.org]
The URL mentioned goes to a Validity.com article explaining that you need to sign up for an account and that access to Validity reputation data is free for non-commercial use. See: Accessing Validity reputation data through DNS.
The SpamAssassin rules for querying the Validity RBL are located in the following file, where VERSION is your SpamAssassin version number:
/var/lib/spamassassin/VERSION/updates_spamassassin_org/20_dnsbl_tests.cf
You don't want to modify that file because it gets overwritten during SpamAssassin updates, which would erase your changes. Instead, you can override its settings by editing the local configuration file (local.cf), which is designed for persistent customizations that won’t be affected by updates.
Edit local.cf (use vi or your editor of choice):
sudo vi /etc/mail/spamassassin/local.cf
Add the following lines at the end:
# Disable SpamAssassin queries to Validity RBLs (e.g., bl.score.senderscore.com).
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header RCVD_IN_VALIDITY_RPBL eval:check_rbl('custom', '127.0.0.1')
header RCVD_IN_VALIDITY_SAFE eval:check_rbl('custom', '127.0.0.1')
header RCVD_IN_VALIDITY_CERTIFIED eval:check_rbl('custom', '127.0.0.1')
header RCVD_IN_VALIDITY_RPBL_BLOCKED eval:check_rbl('custom', '127.0.0.1')
header RCVD_IN_VALIDITY_SAFE_BLOCKED eval:check_rbl('custom', '127.0.0.1')
header RCVD_IN_VALIDITY_CERTIFIED_BLOCKED eval:check_rbl('custom', '127.0.0.1')
endif # Mail::SpamAssassin::Plugin::DNSEval
Those header statements redirect SpamAssassin's queries for Validity RBLs to the local address 127.0.0.1, effectively bypassing external queries to Validity's servers. This approach causes the queries to "fast fail," instantly returning no results, which eliminates unnecessary network traffic and potential delays. Other RBL checks remain fully functional, ensuring SpamAssassin's spam filtering continues to operate efficiently.
Save the local.cf file and then restart SpamAssassin. Make a note of the time of the restart.
sudo /usr/local/cpanel/scripts/restartsrv_spamd
date
SpamAssassin will no longer query Validity RBLs. To verify the change, send yourself a test email, and then look in /var/log/maillog for references to Validity. There should be none after the time of the restart.
grep VALIDITY /var/log/maillog | tail -n1
Hopefully, you find the above explanation useful.
Thanks, David.
-
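The verification step from the post above, as an added example that is not part of the original post: instead of comparing the last grep hit with the restart time by eye, this filters the log for Validity rule names logged at or after that time. The function name, the sample lines and the traditional syslog timestamp format (no year, so only valid within one calendar year) are assumptions.

```shell
# Constructed sample in syslog format; on the server the input would be
# /var/log/maillog. The restart in this sample happens at 13:30:05.
sample_maillog() {
cat <<'EOF'
Apr 25 13:12:44 server spamd[2211]: spamd: result: . 0 - HTML_MESSAGE,RCVD_IN_VALIDITY_RPBL_BLOCKED scantime=1.2
Apr 25 13:30:05 server spamd[2950]: spamd: server started
Apr 25 13:41:10 server spamd[2952]: spamd: result: . 0 - HTML_MESSAGE,SPF_PASS scantime=0.4
Apr 25 13:52:31 server spamd[2952]: spamd: result: . 0 - RCVD_IN_VALIDITY_SAFE_BLOCKED scantime=0.9
EOF
}

# validity_hits_since "Mon DD HH:MM:SS" [logfile]
# Prints every log line that mentions a VALIDITY rule and is timestamped at
# or after the given time. Reads standard input when no file is given.
validity_hits_since() {
    awk -v since="$1" '
        function key(mon, day, tm) {
            # Sortable key: 2-digit month, 2-digit day, then HH:MM:SS.
            return sprintf("%02d%02d%s", (index(months, mon) + 2) / 3, day, tm)
        }
        BEGIN {
            months = "JanFebMarAprMayJunJulAugSepOctNovDec"
            split(since, s, " ")
            cutoff = key(s[1], s[2], s[3])
        }
        /VALIDITY/ && key($1, $2, $3) >= cutoff { print }
    ' "${2:--}"
}

# Example run: one hit after the restart means the override did not take.
sample_maillog | validity_hits_since "Apr 25 13:30:05"
```

On a live server, pass the output of `date` from the restart (month, day and time) as the first argument and /var/log/maillog as the second; empty output means no Validity rule has fired since the restart.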
Thanks for sharing this information!!
1 -
cPRex is there or will there be something official from cPanel on properly disabling these checks versus just forcing the lookups to localhost?
Perhaps this RBL should be a toggle in "Exim Configuration Manager > RBLs" similar to spamcop and spamhaus?
1 -
bellwood - I've brought this up with our email team and I'll let you know what I find out!
0 -
I just wanted to post an update to say I haven't heard back as the leader of the email team is out for a few days. Once I hear something I'll let you know!
0 -
cPRex another thought, I believe placing the following in /etc/mail/spamassassin/local.cf:
score RCVD_IN_VALIDITY_RPBL 0
score RCVD_IN_VALIDITY_RPBL_BLOCKED 0
score RCVD_IN_VALIDITY_CERTIFIED 0
score RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0
score RCVD_IN_VALIDITY_SAFE 0
score RCVD_IN_VALIDITY_SAFE_BLOCKED 0
score __RCVD_IN_VALIDITY_RPBL 0
score __RCVD_IN_VALIDITY_RPBL_BLOCKED 0
score __RCVD_IN_VALIDITY_CERTIFIED 0
score __RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0
score __RCVD_IN_VALIDITY_SAFE 0
score __RCVD_IN_VALIDITY_SAFE_BLOCKED 0
...will short circuit the RBL check entirely but I've yet to be able to test it thoroughly.
That might be much easier than feature/interface changes.
0 -
bellwood, in my solution above I used header rules with 127.0.0.1 localhost so that lookups would fast-fail within my server and not go outside of it.
In general, in received email headers, I have seen some zero-score rules being triggered, e.g.: "0.0 HTML_MESSAGE, BODY: HTML included in message". Thus, I assume that a rule will still run even if it has a zero-score. The processing of RBL rules might be different, that is, "if (score is non-zero) { run RBL rule }"; however, without further testing, I will assume it is simply, "run RBL rule".
So, I assume that setting the scores to 0 as you indicate above would not stop SpamAssassin from doing lookups to Validity.com's server. I have not tested this zero-score solution since the 127.0.0.1 solution works fine.
Hopefully, cPanel will be able to add a WHM setting as you suggested to make it much easier to turn off Validity RBL lookups.
Thanks, David.
0 -
dcusimano there's been quite a bit of chatter about validity in the mailop mailing list and the following was suggested in /etc/mail/spamassassin/local.cf:
dns_query_restriction deny sa-trusted.bondedsender.org
dns_query_restriction deny sa-accredit.habeas.com
dns_query_restriction deny bl.score.senderscore.com
Note that you need to be running SpamAssassin 3.4+
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/DnsBlocklists
NOTE: As from SpamAssassin version 3.4 you may disable queries for any BL by adding: (local.cf)
dns_query_restriction deny bldomain
for example:
dns_query_restriction deny dnswl.org
That said, what I'd suggested above DID work as well, for us:
To eliminate the use of a particular DNSBL, set the score to zero. Put lines like
score RCVD_IN_RFCI 0
score RCVD_IN_ORBS 0
score RCVD_IN_DSBL 0
in your local.cf if you don't want certain DNSBLs listed with RCVD_IN_* in 50_scores.cf to be used.
Hope this helps.
1 -
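An audit for the dns_query_restriction approach in the comment above, as an added example that is not part of the original thread: it reads a SpamAssassin config and lists which of the three Validity zones named there would still be queried. It follows the documented matching for dns_query_restriction (leading labels are stripped until the tightest configured domain matches, with allow as the implicit default); the function name and the sample config are assumptions.

```shell
# Zones named in the comment above.
VALIDITY_ZONES="sa-trusted.bondedsender.org sa-accredit.habeas.com bl.score.senderscore.com"

# Constructed sample config: one zone denied directly, one covered by a
# deny on its parent domain, one forgotten.
sample_cf() {
cat <<'EOF'
# custom.cf (constructed)
dns_query_restriction deny sa-trusted.bondedsender.org
dns_query_restriction deny senderscore.com   # parent of bl.score.senderscore.com
EOF
}

# validity_zones_still_queried [config-file]
# Prints each Validity zone that the config does not deny. Reads standard
# input when no file is given.
validity_zones_still_queried() {
    awk -v zones="$VALIDITY_ZONES" '
        { sub(/#.*/, "") }                          # drop comments
        $1 == "clear_dns_query_restriction" { split("", rule) }
        $1 == "dns_query_restriction" && ($2 == "allow" || $2 == "deny") {
            for (i = 3; i <= NF; i++) rule[tolower($i)] = $2
        }
        END {
            n = split(zones, z, " ")
            for (i = 1; i <= n; i++) {
                d = z[i]; verdict = "allow"         # implicit default
                while (d != "") {
                    if (d in rule) { verdict = rule[d]; break }
                    if (!sub(/^[^.]*\./, "", d)) d = ""   # strip one label
                }
                if (verdict == "allow") print z[i]
            }
        }
    ' "${1:--}"
}

# Example run on the sample: only the forgotten zone is reported.
sample_cf | validity_zones_still_queried
```

To cover every file SpamAssassin loads from the site directory, concatenate them first, for example `cat /etc/mail/spamassassin/*.cf | validity_zones_still_queried`.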
bellwood, thanks for the additional information.
0 -
dcusimano you're very welcome.
cPRex perhaps a knowledge base article would be apropos?
Given the way this is playing out for Validity (by their own choosing) come May 1st, when those not willing to be taken to the cleaners by them get throttled, I'm confident many will be looking for a solution.
1 -
Whoops - I forgot to reply to this one yesterday. Had it all typed out and just never pressed "submit".
I did bring this up with the team and they are working on an article now, so I'd expect that to happen sooner than later.
1 -
We have an article posted at https://support.cpanel.net/hc/en-us/articles/31647640928919-How-can-I-stop-SpamAssassin-from-querying-Validity-RBLs now!
1 -
cPRex, the article says, "you need to create a custom configuration file as updates to SpamAssassin will overwrite changes to the local.cf file." Is that sentence referring to /var/lib/spamassassin/VERSION/updates_spamassassin_org/local.cf (version specific) or /etc/mail/spamassassin/local.cf (installed file)?
I would think that it is only the version specific local.cf that gets overwritten by SpamAssassin updates, and not the installed local.cf file.
I have SpamAssassin 3.4.6 and I see that /var/lib/spamassassin/3.004006/updates_spamassassin_org/local.cf was modified early this morning. My installed file /etc/mail/spamassassin/local.cf (dated a few days ago) is unchanged and still contains my modifications.
[root@server ~]# locate -0 local.cf | xargs -0 ls -lt --time-style=long-iso | awk '{print $6, $7, $8}'
2025-04-25 00:28 /var/lib/spamassassin/3.004006/updates_spamassassin_org/local.cf
2025-04-22 13:25 /etc/mail/spamassassin/local.cf
2023-02-21 00:28 /var/lib/spamassassin/3.004004/updates_spamassassin_org/local.cf
2020-03-01 00:31 /var/lib/spamassassin/3.004003/updates_spamassassin_org/local.cf
2019-12-17 00:28 /var/lib/spamassassin/3.004002/updates_spamassassin_org/local.cf
2018-11-14 00:28 /var/lib/spamassassin/3.004001/updates_spamassassin_org/local.cf
So, is it necessary to have a .cf file of a different name, such as the suggested filename /etc/mail/spamassassin/custom.cf ?
It appears that /etc/mail/spamassassin/local.cf is not overwritten, and thus it is a suitable filename for local modifications.
Thanks.
0 -
It may not get overwritten as part of the nightly update but it would likely get overwritten if there are larger updates to spamassassin, which is why we always caution against editing the main files.
1 -
cPRex, okay, I copied /etc/mail/spamassassin/local.cf to /etc/mail/spamassassin/custom.cf and restarted SpamAssassin. I will keep an eye on the modified dates after SpamAssassin updates. Thanks.
0 -
Now I understand why I was receiving so many emails from "Validity Company" warning me that the services would be cut off and that I should contact them to create an account and upgrade the plan (I assume to a paid one).
We will proceed to evaluate whether it is worth paying, or if we remove it.
1