Hi everyone!

We are running a mail forwarding service (https://improvmx.com) and I've
recently partnered with URIBL in order to improve our quality of spam
detection. After a few weeks of trial to estimate our usage, the team at
URIBL came back to us with some odd behavior sent from our servers.

We implemented URIBL only on our SpamAssassin servers. These are EC2
instances that solely use SpamAssassin and are auto-scaling to meet the
demand.
In order to improve the DNS queries done, we install SA and Unbound and
update the resolv.conf file to point to localhost.

We almost don't modify SA. Here are the only changes we do:

time_limit 25
bayes_auto_learn 0

ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
shortcircuit BAYES_99 spam
shortcircuit BAYES_00 ham
endif # Mail::SpamAssassin::Plugin::Shortcircuit

bayes_token_ttl 21d
bayes_seen_ttl 8d
bayes_auto_expire 1

dns_server 127.0.0.1

score FREEMAIL_FORGED_REPLYTO 1.5

That and the customized URIBL configuration for SA.

Here's the Unbound configuration: https://pastebin.com/Bn7B3uCv (expires in
a month).

The team at URIBL identified two issues that are really odd and shouldn't
happen from SA/Unbound, and I'm hoping someone on this list might know
something about it and help us figure out what is happening.


1. The first issue is that it seems that we are querying URIBL using random
lower/upper case domains. We had queries such as:

   - SoMeDoMaIn.cOM._custom_id.dF.URIbl.cOM
   - AnOtHeRDoM.ApP._custom_id.dF.UrIbL.COM
   - etc

I'd want to believe that SA would lowercase all the DNS requests before
sending them, but it doesn't seem to be the case.
What's odd is that the uribl.com part isn't from incoming emails, so it's
not something a spammer would send. It is definitely added somewhere
between SA and Unbound. But why?! It doesn't make any sense.


2. The other issue is even weirder. SA is trying to validate the domains by
trimming the left part up to the gTLDs:

   - some.domain.com._custom_id.df.uribl.com
   - domain.com._custom_id.df.uribl.com
   - com._custom_id.df.uribl.com <-- wtf?

Somehow, something is trying to check up to the top TLD, where it's
useless. Again, I can't understand why SA would do that.

---

Has anyone experienced that already? Would it be some specific
behavior from SA or Unbound when checking the DNS entries? Or maybe it is
related to AWS that does some specific modification that I'm not aware of?

I'm hoping someone will have an answer to this.

Thank you for your help, sorry for the long post.

Best,
Cyril
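An added triage helper, not part of Cyril's post nor code from SpamAssassin or Unbound: it lowercases query names so the mixed-case lookups compare equal, flags bare-TLD lookups like "com._custom_id.df.uribl.com", and reproduces the parent-walk chain listed above. It assumes the literal lookup suffix "_custom_id.df.uribl.com" from the post and uses constructed sample queries.

```python
from __future__ import annotations

# Lookup suffix from the post; the hostname under test precedes it.
URIBL_SUFFIX = "_custom_id.df.uribl.com"

# Constructed sample of query names mimicking the two anomalies described.
SAMPLE_QUERIES = [
    "SoMeDoMaIn.cOM._custom_id.dF.URIbl.cOM",
    "some.domain.com._custom_id.df.uribl.com",
    "domain.com._custom_id.df.uribl.com",
    "com._custom_id.df.uribl.com",
]


def split_query(qname: str) -> str | None:
    """Return the looked-up host, lowercased, if qname targets the URIBL zone."""
    lowered = qname.lower().rstrip(".")
    tail = "." + URIBL_SUFFIX
    return lowered[: -len(tail)] if lowered.endswith(tail) else None


def classify(qname: str) -> dict:
    """Flag the two anomalies from the post for one query name."""
    host = split_query(qname)
    return {
        "host": host,
        "mixed_case": qname != qname.lower(),
        # A lone label such as "com" is a bare TLD: pointless to look up.
        "bare_tld": host is not None and "." not in host,
    }


def expected_walk(host: str) -> list[str]:
    """Query names a label-by-label walk from host up to the TLD would yield."""
    labels = host.lower().split(".")
    return [".".join(labels[i:]) + "." + URIBL_SUFFIX for i in range(len(labels))]


def triage(queries: list[str]) -> dict:
    """Summarise anomalies across a batch of query names (e.g. from a log)."""
    rows = [classify(q) for q in queries]
    return {
        "mixed_case": sum(r["mixed_case"] for r in rows),
        "bare_tld": sum(r["bare_tld"] for r in rows),
        "hosts": sorted({r["host"] for r in rows if r["host"]}),
    }
```

Feeding Unbound's query log names into triage() gives a quick count of how many lookups are mixed-case or stop at a bare TLD, which is the evidence URIBL reported.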
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop