Today it seems like the RBL pattern is broken; some e-mails are getting blocked that are not on the blacklist.
We are seeing the same thing with multiple customers.
The log says that IPs are blocked due to an RBL entry with cbl.abuseat.org or sbl-xbl.spamhaus.org and rejects the mail. But when you check with the…
The team is working on a permanent fix for v9.7MR9, likely to be released towards the end of the year.
There are a number of ways to avoid the issue in the meantime:
- Switching to a different DNS provider. We have mainly seen this with customers using Quad9.
- Alternatively, you can set a DNS forwarding rule that would pass DNS requests for cbl.abuseat.org to a different DNS resolver.
- Disabling recommended RBL checks will guarantee mail doesn't get unnecessarily rejected but may allow more spam through.
Regarding your fixes:
- Disabling RBL means way more spam reaching users. So, not a preferable solution.
- Switching to another DNS provider might not work; you say yourself that "We have mainly seen this with customers using Quad9." But what if it also happens with the alternate DNS provider? Legitimate mail gets blocked, but since this is on the SMTP connect level the recipient gets no notification. We rely on the sender to notify us of the sending failure by other means! So potentially important mail gets lost. VERY not preferable solution!
- "DNS forwarding rule that would pass DNS requests for cbl.abuseat.org to a different DNS resolver": If my understanding of the underlying problem is correct, then adding Spamhaus's own DNS servers via that way would be the ideal solution. All normal DNS queries go whatever way, and only the queries regarding spam or not go directly from my UTM (with my IP, so no big Quad9/Google/whatever DNS IP) to Spamhaus. Spamhaus is happy that they can count how many requests come from my IP, I am happy because the spam query via DNS works reliably, and UTM/Sophos is out of the doghouse.
I detailed my resolution attempt a little above.
MAYBE Sophos can give precise and tested instructions on how to implement the DNS forwarding rules so we all in this thread can implement it accordingly!
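To make the mechanism behind the two posts above concrete (the RBL lookup the UTM performs, and why the resolver it goes through matters), here is an added illustration written for this thread. It is not Sophos UTM code and not from anyone in the thread. It builds the reversed-octet DNSBL query name, sends it through a pluggable resolver, and classifies the answer. The one external fact it relies on is Spamhaus's documented return-code convention: answers in 127.0.0.0/24 mean "listed", while 127.255.255.0/24 answers are error codes (for example, the query arrived via a public resolver or exceeded the free-use limit) and must not be treated as a listing. The sample IP, the fake "public resolver" and "direct resolver" functions, and the `should_reject` policy are constructed for the example.

```python
"""DNSBL (RBL) lookup with return-code validation.

Added example for the thread, not Sophos UTM code. The Spamhaus return-code
ranges below come from Spamhaus documentation; everything else is constructed.
"""
import ipaddress
import socket
from typing import Callable, Optional

# Spamhaus convention: 127.0.0.x = listed; 127.255.255.x = query error
# (e.g. public/open resolver, rate limit). Treating *any* A record as a
# listing is exactly how legitimate mail gets rejected at SMTP connect.
LISTED_NET = ipaddress.ip_network("127.0.0.0/24")
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")

Resolver = Callable[[str], Optional[str]]  # name -> A record, None for NXDOMAIN


def reverse_octets(ip: str) -> str:
    """192.0.2.10 -> 10.2.0.192 (DNSBL queries use the reversed address)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def rbl_query_name(ip: str, zone: str) -> str:
    """Full DNS name to look up, e.g. 10.2.0.192.sbl-xbl.spamhaus.org."""
    return f"{reverse_octets(ip)}.{zone}"


def classify_rbl_answer(answer: Optional[str]) -> str:
    """Map the A-record answer (or None) to a verdict."""
    if answer is None:
        return "not_listed"          # NXDOMAIN: the normal, clean case
    a = ipaddress.IPv4Address(answer)
    if a in ERROR_NET:
        return "lookup_error"        # resolver/rate-limit problem, not a listing
    if a in LISTED_NET:
        return "listed"
    return "unexpected"              # anything else: log it, do not reject on it


def system_resolver(name: str) -> Optional[str]:
    """Real lookup via the OS resolver (whatever the box is configured to use)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_sender(ip: str, zone: str, resolve: Resolver = system_resolver) -> str:
    return classify_rbl_answer(resolve(rbl_query_name(ip, zone)))


def should_reject(verdict: str) -> bool:
    """Fail open: only a confirmed listing justifies an SMTP-level reject."""
    return verdict == "listed"


# Constructed resolvers that mimic the two paths discussed in the thread.
def fake_public_resolver(name: str) -> Optional[str]:
    # A large shared resolver that Spamhaus answers with an error code.
    return "127.255.255.254"


def fake_direct_resolver(name: str) -> Optional[str]:
    # Query going straight from the mail gateway's own IP: clean sender -> NXDOMAIN.
    return None


if __name__ == "__main__":
    sender = "192.0.2.10"                  # documentation range, constructed
    zone = "sbl-xbl.spamhaus.org"
    for label, r in (("public", fake_public_resolver), ("direct", fake_direct_resolver)):
        v = check_sender(sender, zone, r)
        print(f"{label:6s} -> {v:13s} reject={should_reject(v)}")
```

The point for the thread: if the gateway's RBL logic rejects on any answer, the "public resolver" path above turns a clean sender into a rejected connection, which matches the symptom being reported. Forwarding only the blocklist zones to a resolver path that Spamhaus accepts (or having the gateway distinguish error codes from listings) removes the false reject without disabling RBL checks.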
So is this fixed in 9.709-3?
It works :)
By default we have Quad9 DNS.