
Sophos UTM RBL Check broken today?

Hello,

Today it seems like the RBL pattern is broken; some e-mails are getting blocked that are not on the blacklist.

Anyone else?

Greetings, Felix

  • Yes, it is a Sophos problem.

    Sophos implemented a base configuration that makes use of RBL with Spamhaus.

    If this doesn't work, then change the base to a working RBL system and launch the UTM's update.

  • You are absolutely right!

    The recommended RBL setting is a small black box. And due to the fact that cbl.abuseat.org is in the recommended RBL list, Sophos overslept the change at abuseat.org, which replaced its infrastructure and has used Spamhaus since January 2021.

    So using the custom RBL spamhaus.org (third party) is not the only problem; Sophos has to change their recommended RBL configuration ASAP and remove abuseat.org.

    At the moment, you have to disable "use recommended RBLs" and use custom RBL lists.

    Maybe the solution from maygyver (checking against the return codes of the RBL) would also be a way to reduce false positives and not just block the incoming mail.

    At the moment I'm disappointed with the Sophos support.
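    The return-code check mentioned above, as an added example (not code from this thread, from Sophos or from maygyver): it builds the reversed-IP DNSBL query name and treats the 127.255.255.x error codes that Spamhaus documents (assumed from the Spamhaus FAQ, e.g. 127.255.255.254 for queries through a public resolver such as Quad9) as "check failed" instead of "listed". The resolver answers are constructed; no real DNS lookups are made.

```python
import ipaddress

# Special answers Spamhaus returns when a lookup could not be served.
# Assumption: values taken from the public Spamhaus FAQ, not from this thread.
# A DNSBL client must treat these as "check failed", never as "listed".
SPAMHAUS_ERROR_CODES = {
    "127.255.255.252": "typing error in DNSBL zone name",
    "127.255.255.254": "query sent via a public/open resolver (e.g. Quad9)",
    "127.255.255.255": "excessive query volume from this resolver",
}

def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the DNSBL zone:
    1.2.3.4 against zen.spamhaus.org -> 4.3.2.1.zen.spamhaus.org"""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify_dnsbl_answer(answers):
    """Classify the A records returned for a DNSBL lookup.
    Returns (verdict, reason); verdict is 'not_listed', 'listed' or 'error'.
    Only a 127.0.0.0/8 answer outside the documented error range is a listing."""
    if not answers:  # NXDOMAIN: the IP is not on the list
        return ("not_listed", "NXDOMAIN")
    for a in answers:
        if a in SPAMHAUS_ERROR_CODES:
            return ("error", SPAMHAUS_ERROR_CODES[a])
        if ipaddress.IPv4Address(a) not in ipaddress.IPv4Network("127.0.0.0/8"):
            return ("error", f"unexpected answer {a} (wildcard or captive DNS?)")
    return ("listed", ",".join(answers))

# Constructed answers standing in for resolver responses (no real lookups).
FAKE_RESOLVER = {
    "4.3.2.1.zen.spamhaus.org": ["127.0.0.2"],          # genuinely listed
    "8.8.8.8.zen.spamhaus.org": ["127.255.255.254"],    # refused: public resolver
    "1.0.0.10.zen.spamhaus.org": [],                    # NXDOMAIN, not listed
}

def check_sender(client_ip, zone="zen.spamhaus.org", resolver=FAKE_RESOLVER):
    """Decide whether an SMTP client should be rejected. Only a confirmed
    listing rejects; a resolver error fails open (accept and log), which is
    what prevents the false positives described in this thread."""
    name = dnsbl_query_name(client_ip, zone)
    verdict, reason = classify_dnsbl_answer(resolver.get(name, []))
    return {"query": name, "verdict": verdict, "reason": reason,
            "reject": verdict == "listed"}
```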

  • We had the same problem with all our customers. The reason is that servers of many of the big mail providers like Gmail, Apple and Microsoft are listed at SORBS. So mails from these servers are rejected.

    It would be nice to have global whitelisting (like dnswl.org) implemented. This would help not to block the big players.

  • Hello Community,

    The team is working on a permanent fix for v9.7MR9, likely to be released towards the end of the year.

    There are a number of ways to avoid the issue in the meantime:

    - switching to a different DNS provider. We have mainly seen this with customers using Quad9.

    - alternatively, you can set a DNS forwarding rule that would pass DNS requests for cbl.abuseat.org to a different DNS resolver

    - Disabling recommended RBL checks will guarantee mail doesn't get unnecessarily rejected but may allow more spam through

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Regarding your fixes:
    - disabling RBL means way more spam reaching users. So, not a preferable solution.

    - switching to another DNS provider might not work; you say yourself that "We have mainly seen this with customers using Quad9." But what if it also happens with the alternate DNS provider? Legitimate mail gets blocked, but since this is on the SMTP connect level the recipient gets no notification. We rely on the sender to notify us of the sending failure by other means! So potentially important mail gets lost. VERY much not a preferable solution!

    - "DNS forwarding rule that would pass DNS requests for cbl.abuseat.org to a different DNS resolver"
    If my understanding of the underlying problem is correct, then adding Spamhaus's own DNS servers that way would be the ideal solution. All normal DNS queries go whatever way, and only the queries regarding spam or not go directly from my UTM (with my IP, so no big Quad9/Google/whatever DNS IP) to Spamhaus. Spamhaus is happy that they can count how many requests come from my IP, I am happy because the spam query via DNS works reliably, and UTM/Sophos is out of the doghouse.

    I detailed my resolution attempt a little above.

    MAYBE Sophos can give precise and tested instructions on how to implement the DNS forwarding rules so we all in this thread can implement them accordingly!

    Thanks

  • What is the status of this problem?

    The problem is not resolved.

    When will Sophos apply the patch to resolve this?

  • So is this fixed in 9.709-3?

  • It works :)

    By default we have Quad9 DNS.