Greetings,
Yesterday morning I upgraded to firmware version 9.705-7. This morning at about 6:00 am the RBL feature has started rejecting well-known hosts. Shown here are oktax.state.ok and pharmacy.cvs.com.
Checking pharmacy.cvs.com with www.anti-abuse.org I see that it's all green.
I have turned off the RBL checks in the SMTP Antispam page and those email addresses are now going through the mail server. However, so are any 'bad-guy' sites that actually test as RBL failures. So, this is a workaround, not a fix.
Thoughts?
In looking through the logs, it appears that cbl.abuseat.org seems to be the only 'false positive' that is reporting.
Hi mkleine,
Thanks for reaching out to the Community!
Would it be possible for you to update the firmware version on your UTM and monitor the issue?
Is there any pending pattern update on your UTM? Would it be possible for you to provide the SMTP logs from your firewall?
Thanks,
As stated above, this started after the most current update.
I guess I don't understand the firewall question. The firewall log is over 12 MB already today. I searched the firewall log for cvs, oktax, cbl, and abuseat. None of those terms were shown in the log.
I see the pharmacy.cvs IP on the SORBS SPAM blacklist using mxtoolbox.com, but the OK State Tax Commission's IP is not listed anywhere. The cbl.abuseat.org RBL is one that you get when you select 'Use recommended RBLs'. I would uncheck that for the time being and add zen.spamhaus.org to 'Extra RBL Zones'.
To see all of the RBL-rejected addresses, run the following command:
zgrep 'reason="rbl"' /var/log/smtp/2021/05/*26*|grep -oP 'from=".*?"'|sort -n|uniq -c
That will let you know if any other desired domain is on an RBL.
Cheers - Bob
Actually, this is your most current update: https://download.astaro.com/UTM/v9/up2date/u2d-sys-9.705007-706009.tgz.gpg
XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz 16GB Memory | 500GB SSD HDD | GB Ethernet x5
Bob, I flipped to the zen.spamhaus.org site, and the first message blocked was from ADT... bounce.adtpulse.com
MXTOOLBOX.com shows that domain as clean and green on all RBLs. I've disabled it again. That 'update' seems to be the same 9.705-7 that we're running. I'll take a closer look overnight when the users are quiet.
Thanks.
Also, there were dozens of other domains that were blocked but didn't show to be a problem on MXTOOLBOX.com.
Thank you for that Bob, for so long it gets tiring helping vendors diagnose their crap and you, me, the rest of us don't get paid to fix their stuff or tell them they're broken. haha First time 3 people get legit stuff blocked, I get in the UTM, disable recommended, and click apply, THEN GO research it. Since 1999 you're right on as far as I can remember. signed, another old but extremely long term memory dude over here in Tulsa.
Also, I've installed 9.706-9 on several test boxes, home accounts on friends' homes, and no complaints yet, so it looks like this long-awaited firmware is happy: no spam filtering issues, even one client with 90-plus employees on it with a 210 and no web filtering issues. Thank you sir for all you do and helping others.
Well, I updated to 9.706-9 and zen.spamhaus.org blocked live.com
mxtoolbox.com shows live.com to be OK!
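A web lookup tool and a mail gateway each query the RBL through their own DNS resolver, so checking the zone directly from the gateway's side shows what it actually receives. The following is an added example, not part of the thread: it builds the DNSBL query name and classifies the answer, treating 127.255.255.0/24 as an error return rather than a listing, as Spamhaus documents for its zones. The sample IPs and answers are constructed.

```python
import ipaddress
import socket

ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")  # Spamhaus error returns
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")      # normal DNSBL listing answers

def dnsbl_query_name(ip, zone):
    """Build the lookup name: IPv4 octets reversed, followed by the RBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_resolver(name):
    """A record via the OS resolver; None when the name does not resolve
    (this does not distinguish NXDOMAIN from a resolver failure)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def classify(answer):
    """Map a DNSBL answer to a verdict."""
    if answer is None:
        return "not-listed"
    addr = ipaddress.IPv4Address(answer)
    if addr in ERROR_NET:
        return "error-code"   # the zone refused or could not serve the query
    if addr in LISTED_NET:
        return "listed"
    return "unexpected"       # e.g. a resolver rewriting NXDOMAIN answers

def check(ip, zones, resolve=system_resolver):
    """Query each zone for ip; returns {zone: (query_name, answer, verdict)}."""
    results = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        answer = resolve(name)
        results[zone] = (name, answer, classify(answer))
    return results

# Constructed answers standing in for live DNS so the example runs offline.
SAMPLE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "11.2.0.192.zen.spamhaus.org": "127.255.255.254",
}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        for zone, row in check(ip, ["zen.spamhaus.org"], SAMPLE_ANSWERS.get).items():
            print(ip, zone, *row)
```

Calling `check()` without the `resolve` argument uses the resolver of the machine it runs on, which is the comparison that matters when the gateway and a web tool disagree.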