This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

RBL working too well

Greetings, 

Yesterday morning I upgraded to firmware version 9.705-7. This morning at about 6:00 am the RBL feature has started rejecting well-known hosts. Shown here are oktax.state.ok and pharmacy.cvs.com. 

Checking pharmacy.cvs.com with www.anti-abuse.org I see that it's all green.

I have turned off the RBL checks in the SMTP Antispam page and those email addresses are now going through the mail server.
However, so are any 'bad-guy' sites that actually test as RBL failures. So, this is a workaround, not a fix.

Thoughts?



This thread was automatically locked due to age.
  • In looking through the logs, it appears that cbl.abuseat.org seems to be the only 'false positive' that is reporting.

  • FormerMember
    0 FormerMember in reply to mkleine

    Hi ,

    Thanks for reaching out to the Community! 

    Would it be possible for you to update the firmware version on your UTM and monitor the issue? 

    Is there any pending pattern update on your UTM? would it be possible for you to provide the smtp logs from your firewall? 

    Thanks,

  • As stated above, this started after the most current update. 

    I guess I don't understand the firewall question. The firewall log is over 12 MB already today. I searched the firewall log for cvs, oktax, cbl, and abuseat. None of those terms were shown in the log.

  • I see the pharmacy.cvs IP on the SORBS SPAM blacklist using mxtoolbox.com, but the OK State Tax Commission's IP is not listed anywhere. The cbl.abuseat.org RBL is one that you get when you select 'Use recommended RBLs'.  I would uncheck that for the time being and add zen.spamhaus.org to 'Extra RBL Zones'.

    To see all of the RBL-rejected addresses, run the following command:

         zgrep 'reason="rbl"' /var/log/smtp/2021/05/*26*|grep -oP 'from=".*?"'|sort -n|uniq -c

    That will let you know if any other desired domain is on an RBL.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • UTM - 9.711 | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SATA HDD | GB Ethernet x5

  • Bob, I flipped to the zen.spamhous.org site, and the first message blocked was from ADT... bounce.adtpulse.com
    MXTOOLBOX.com shows that domain as clean and green on all RBLs. 
    I've disabled it again. 
    That 'update' seems to be the same 9.705-7 that we're running. I'll take a closer look overnight when the users are quiet.

    Thanks.

  • Also, there were dozens of other domains that were blocked but didn't show to be a problem on MXTOOLBOX.com.

  • Thank you for that Bob, for so long it gets tiring helping vendors diagnose their crap and you, me, the rest of us don't get paid to fix their stuff or tell them they're broken. haha  First time 3 people get legit stuff blocked, I get in the UTM, disable recommended, and click apply, THEN GO research it. Since 1999 you're right on as far as I can remember.  signed, another old but extremely long term memory dude over here in Tulsa. 

  • also, I've installed 9.706-9 on several test boxes, home accounts on friends homes and no complaints yet so it looks like this long awaited firmware is happy, no spam filtering issues, even one client with 90 plus employees on it with a 210 and no web filtering issues.  Thank you sir for all you do and helping others.  

  • Well, I updated to 9.706-9 and zen.spamhaus.org blocked live.com
    mxtoolbox.com shows live.com to be OK!