
Sophos UTM RBL Check broken today?

Hello,

Today it seems like the RBL pattern is broken; some e-mails are getting blocked that are not on the blacklist.

Anyone else?

Greetings Felix



This thread was automatically locked due to age.
  • Resolution

    Issue is not due to Sophos UTM, rather due to Spamhaus' policy regarding lookups from Public DNS providers.

    Option 1:
    Uncheck "Use recommended RBL" and enter in a custom RBL if necessary.

    Do not use cbl.abuseat.org as a custom RBL at present if you use public DNS.

    http://www.anti-abuse.org/multi-rbl-check/ contains a listing of common RBLs.

    Option 2:
    Under Network Services > DNS > Request Routing, add cbl.abuseat.org to the domain field and then either directly add the Spamhaus IP or an alternate DNS server to not forward this domain via public DNS.


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Could you please explain why this is a problem with public DNS?

    I thought all RBLs would be contacted directly for RBL checks and not via the DNS forwarder configured in the UTM.

    We have big problems explaining the root cause of this problem to our customers.

  • I don't know the technical details of why Spamhaus doesn't like public DNS resolvers. I believe that the public resolvers don't deliver the same information and they are not able to control the use.

    However, topic 1.1.3 of the terms of use says:

    The network originating the DNS Query must be identifiable. This means you must query the Spamhaus DNSBL Public Mirrors from a recursive resolver run on your own network or from a public resolver which supports ECS.

    Source: https://www.spamhaus.org/organization/dnsblusage/

    So I set the default DNS resolver to something like Google or Quad9 and made an additional request route only for "cbl.abuseat.org" to the DNS resolver of "Deutsche Telekom". That's already my Internet provider.

    So I believe, if your provider is someone like, for example, "1 & 1", you have to take their DNS resolver.

    My solution works for me without any problems.
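
As background to the question above about why the resolver matters: an RBL check is an ordinary DNS A lookup for the reversed sender IP under the list's zone, so it travels through whichever resolver the gateway forwards to. The following is an added example, not part of the thread or of Sophos UTM; it separates real listings from lookup errors. The error return codes are an assumption taken from Spamhaus's published return-code convention, and the sample IP and answers are constructed.

```python
import ipaddress

# Assumption: error return codes as published by Spamhaus for its DNSBL zones;
# they are not quoted in the thread above.
ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query came via a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a mail filter resolves: reversed IPv4 octets + zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def classify(answers: list[str]) -> tuple[str, str]:
    """Classify the A records returned for a DNSBL query.

    Returns (verdict, detail) with verdict one of:
    'not_listed' (NXDOMAIN / no answer), 'listed', 'lookup_error', 'unexpected'.
    """
    if not answers:
        return ("not_listed", "NXDOMAIN or empty answer")
    errors = [ERROR_CODES[a] for a in answers if a in ERROR_CODES]
    if errors:
        # The resolver path was refused; this says nothing about the sender.
        return ("lookup_error", "; ".join(errors))
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    if all(ipaddress.IPv4Address(a) in loopback for a in answers):
        return ("listed", ", ".join(answers))
    # An answer outside 127.0.0.0/8 is not a valid DNSBL result.
    return ("unexpected", ", ".join(answers))


def naive_is_listed(answers: list[str]) -> bool:
    """The shortcut that causes false blocks: any answer counts as a listing."""
    return bool(answers)


if __name__ == "__main__":
    name = dnsbl_query_name("192.0.2.25", "cbl.abuseat.org")  # constructed sender IP
    print(name)
    for sample in ([], ["127.0.0.2"], ["127.255.255.254"]):   # constructed answers
        print(sample, classify(sample), "naive:", naive_is_listed(sample))
```

Feeding it the answers your own resolver returns for a known-clean sender shows whether a block came from a listing or from the lookup path.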
