It may be helpful to look at this from a different perspective... Back in 2018 Spamhaus told us that 20% of their queries came from the big public DNS resolvers and that although they were committed to continue to provide free services to non-profits and others who met their criteria, they needed to take steps to stop large commercial users from "hiding" their queries behind the public DNS resolvers:
https://www.spamhaus.com/resource-center/successfully-accessing-spamhauss-free-block-lists-using-a-public-dns/ So here we are today... Queries to spamhaus.org from the public DNS resolvers fail, leading to false positives. Queries to spamhaus.net can come from anywhere, including the public DNS resolvers, but you need to register for a DQS account with Spamhaus to be able to query the .net servers -- and, you have to make the query using your unique, Spamhaus-provided DQS key. You can still get a free DQS account if you meet Spamhaus's criteria, but now they can track your query volume. And if you claim you meet their criteria for a free DQS account, but your actual query volume says otherwise, then they will ask you to convert to a paid account. We can of course have differing opinions on Spamhaus's business model, but putting that aside and just sticking to the technical bits, I would expect that going forward we all should be using spamhaus.net for queries (with a free or paid DQS account). Best regards to all, Mark _________________________________________________________________ L. Mark Stone, Founder North America's Leading Zimbra VAR/BSP/Training Partner For Companies With Mission-Critical Email Needs ----- Original Message ----- From: "Bastian Blank via mailop" <[email protected]> To: "mailop" <[email protected]> Sent: Friday, November 4, 2022 3:13:52 AM Subject: Re: [mailop] Spamhaus DNS issues causing all incoming mail to drop for me On Thu, Nov 03, 2022 at 10:59:22AM -0500, Brian Knight via mailop wrote: > I'm seeing DNS issues this morning connecting to sbl.spamhaus.org. > > This morning, my Postfix server was rejecting all incoming emails as spam. > Found that the A record for sbl.spamhaus.org is gone, replaced with SOA and > NS records that look a bit odd. You seem to missunderstand RBL. The correct way to test this RBL is via a lookup for "2.0.0.127.sbl.spamhaus.org", which is also listed in the FAQ at https://www.spamhaus.org/faq/section/DNSBL%20Usage. > Queries direct to the NS servers return the same result. Queries via AWS and > Comcast return the same result also. And you always need your own DNS recursor to query RBL. Bastian -- Vulcans do not approve of violence. -- Spock, "Journey to Babel", stardate 3842.4 _______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop _______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
