Sophos UTM RBL Check broken today?

Hello Community,

The team is working on a permanent fix for v9.7MR9, likely to be released towards the end of the year.

There are a number of ways to avoid the issue in the meantime:

- switching to a different DNS provider. We have mainly seen this with customers using Quad9.

- alternatively, you can set a DNS forwarding rule that would pass DNS requests for cbl.abuseat.org to a different DNS resolver

- Disabling recommended RBL checks will guarantee mail doesn't get unnecessarily rejected but may allow more spam through

Regards,

Regarding your fixes:
- disabling RBL means waay more spam reaching users. So, a not preferable solution.

- switching to another dns provider might not work, you say yourself that "We have mainly seen this with customers using Quad9.". But what if it also happens with the alternate dns provider? Legitimate mail get's blocked but since this is on a smtp connect level the recipient get's no notification. We rely on the sender to notify of the sending failure by other means! So potentially important mail get's lost. VERY not preferable solution!

- " DNS forwarding rule that would pass DNS requests for cbl.abuseat.org to a different DNS resolver"
If my understanding of the underlying problem is correct then adding the own spamhaus dns servers via that way would be the ideal solution. All normal dns queries go whatever way and only the queries regarding spam or not go directly from my utm (with my IP - so no big quad9/google/whatever dns IP) to spamhaus. Spamhaus is happy that they can count how many requersts come from my IP, I am happy because spam query via dns works reliably and UTM/Sophos is out of the doghouse.

I detailed my resolution attempt a little above.

MAYBE Sophos can give precise and tested instructions on how to implement the DNS forwarding rules so we all in this thread can implement it accordingly!

Thanks

Regarding your fixes:
- disabling RBL means waay more spam reaching users. So, a not preferable solution.

- switching to another dns provider might not work, you say yourself that "We have mainly seen this with customers using Quad9.". But what if it also happens with the alternate dns provider? Legitimate mail get's blocked but since this is on a smtp connect level the recipient get's no notification. We rely on the sender to notify of the sending failure by other means! So potentially important mail get's lost. VERY not preferable solution!

- " DNS forwarding rule that would pass DNS requests for cbl.abuseat.org to a different DNS resolver"
If my understanding of the underlying problem is correct then adding the own spamhaus dns servers via that way would be the ideal solution. All normal dns queries go whatever way and only the queries regarding spam or not go directly from my utm (with my IP - so no big quad9/google/whatever dns IP) to spamhaus. Spamhaus is happy that they can count how many requersts come from my IP, I am happy because spam query via dns works reliably and UTM/Sophos is out of the doghouse.

I detailed my resolution attempt a little above.

MAYBE Sophos can give precise and tested instructions on how to implement the DNS forwarding rules so we all in this thread can implement it accordingly!

Thanks