On 20 Jun 2016, at 1:52, Voytek wrote:

> I have a user who can not receive emails as his correspondent's domain
> is currently on multiple rbls.
> As an interim measure, should I look at temporarily allowing this
> domain?

Look? Sure. When someone claims a need to receive mail from someplace
and is paying you to handle their mail, you should at least *consider*
exempting the source from automated blocking mechanisms. It would be
irresponsible to hand over your spam filtering to an arbitrary
collection of external sources and never look at the possibility that
they've made mistakes or subjective judgments that you would not agree
with.

Should you actually do it in this case? I would not. See below.

> Or, is that a bad idea, shouldn't consider such temp workarounds?

As a generic question, only you (or whoever pays you to be a mail admin)
can answer that for the particular circumstances on a mail system you
administer. As someone who handles technical and policy issues for a
diverse set of mail systems, in some cases I whitelist sources almost
any time a user asks for it. In other cases, there is an absolute policy
of no system-wide whitelisting. However, in nearly all cases I give
users some form of self-service partial whitelisting via patterned
aliases, so it is quite rare that whitelisting decisions make it to me
or other admins.

HOWEVER: In this particular case, the address in question would
currently be beyond all whitelisting mechanisms on all systems I
administer. See below.

> domain in question:
> ____________________________________
> Checking ckchaiseree.com which resolves
> to 119.59.120.56 against 107 known blacklists...
> Listed 7 times.
>
> Blacklist              Reason
> LISTED CBL             119.59.120.56 was listed
> LISTED ivmSIP          119.59.120.56 was listed
> LISTED ivmSIP24        119.59.120.56 was listed
> LISTED Protected Sky   119.59.120.56 was listed
> LISTED SORBS SPAM      119.59.120.56 was listed
> LISTED Spamhaus ZEN    119.59.120.56 was listed

Obscured detail here:

    56.120.59.119.zen.spamhaus.org has address 127.0.0.11

That's a Spamhaus-entered PBL result, which means Spamhaus believed at
some point that this was a dynamically assigned address and that no one
responsible for the IP address has bothered to assert otherwise. It is
easy for anyone to remove such a listing.

    56.120.59.119.zen.spamhaus.org has address 127.0.0.4

That's a CBL listing, which means the address has recently been detected
as behaving in some way idiosyncratic to systems under the control of
some form of malware. In this case, the latest misbehavior was
approximately 1 hour ago according to the CBL record. CBL listings also
can be removed through a self-service system, but if the address
continues to act like part of a botnet, it will get re-listed and
de-listing will become slower each time. Ultimately, a machine must STOP
acting like part of a botnet to get off the CBL and stay off. CBL has
occasionally made mistakes about such detections, but they are also VERY
good about fixing their misjudgments and publicly admitting to them. I
doubt that this listing is in error, since my personal system has been
the target of malware-like behavior from that IP within the past month.

    56.120.59.119.zen.spamhaus.org has address 127.0.0.3

This is a CSS listing, which means it has hit the automated detection
system Spamhaus uses to detect "snowshoe" spammers who spread their spam
sources across many different IP addresses to avoid simple volume
detection. It's possible for CSS to make mistakes but they rarely
persist since listings automatically expire and Spamhaus works with
legitimate senders to avoid any chronic mis-detection.

    56.120.59.119.zen.spamhaus.org has address 127.0.0.2

This is a simple SBL listing, meaning that a human being at Spamhaus has
evaluated evidence of spamming via the address and determined that there
is a persistent policy problem enabling the spam which must be dealt
with by the ISP and discussed with Spamhaus to resolve the listing.
Sometimes they make mistakes but in this case it looks unlikely. See
https://www.spamhaus.org/sbl/query/SBL274933 for the details and note
that they didn't even include the registered range (a /19) or the
announced route (a /24) but just the /25 from which they have a large
number of spam samples with topically similar and quite spammy subjects.

This combination of listings would be absolutely prohibitive on every
Postfix system I run. CBL listing alone puts an address past my
postscreen threshold even if the address is on every public whitelist I
use in postscreen. On the non-Postfix systems I run, CBL & PBL .11 both
have no exemption mechanisms since they both have self-service delisting
mechanisms. Strength of CSS and SBL listings varies more between
different systems, but either alone is enough to reject mail absent any
whitelisting and together they score at or above the point of no
possible mitigation on every postscreen config I manage. On other
systems, an IP in both SBL and CSS (absent CBL & PBL) would require
multiple whitelisting mechanisms to get mail accepted, since the
combination would be lethal in SpamAssassin without hitting a
substantial combination of negative-score rules (e.g. recipient in
more_spam_to, explicit SPF or DKIM whitelisting, etc.)

I cannot conceive of any circumstance where I would make any sort of
effort to allow mail from an IP with this constellation of Spamhaus
listings to get to any user. Any legitimate sender using that IP for
email has made a serious error of some sort and must either fix the
system if it is theirs or find a different path for their email if the
IP is intentionally shared in a way that is outside of their control.
The likely explanations for this sort of multi-listing make ANY sort of
whitelisting problematic because the IP address is clearly not under the
control of any truly responsible party and trusting anything flowing
through it cannot be justified.
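The reply above decodes the four ZEN answers by hand and then reasons about how a postscreen-style weighted score treats them. The following is an added example, not code from the thread or from Postfix: it builds the reversed-octet query name, maps each 127.0.0.x answer to its Spamhaus sub-list (the code table is Spamhaus's documented ZEN encoding), and applies a weighted score with a threshold and an optional whitelist credit. The weights, the threshold, the whitelist credit and the canned resolver answers are constructed for illustration; they reproduce the ordering the poster describes (CBL alone rejects even with whitelist credit, SBL or CSS alone rejects absent whitelisting, SBL plus CSS rejects regardless) and are not the poster's real postscreen_dnsbl_sites configuration.

```python
"""Decode Spamhaus ZEN return codes and apply a postscreen-style weighted score.

Added example (not code from the original thread). The return-code table is
Spamhaus's documented ZEN encoding; the weights, threshold, whitelist credit
and canned DNS answers are constructed for illustration only.
"""
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Documented ZEN return codes: which sub-list each 127.0.0.x answer denotes.
ZEN_CODES = {
    "127.0.0.2": "SBL",            # manual Spamhaus listing
    "127.0.0.3": "CSS",            # automated "snowshoe" detection
    "127.0.0.4": "CBL",            # XBL entry fed by CBL: malware/botnet behaviour
    "127.0.0.10": "PBL-ISP",       # policy block list, ISP-maintained
    "127.0.0.11": "PBL-Spamhaus",  # policy block list, Spamhaus-maintained
}

# Constructed weights and threshold (hypothetical, not a real postscreen config).
WEIGHTS = {"SBL": 3, "CSS": 3, "CBL": 5, "PBL-ISP": 1, "PBL-Spamhaus": 1}
THRESHOLD = 3


def zen_query_name(ip, zone=ZEN_ZONE):
    """Build the reversed-octet DNSBL query name for an IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def resolve_all(name):
    """Return every A record for name; [] on NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def decode_listings(answers):
    """Map DNSBL A-record answers to sub-list names, keeping unknown codes visible."""
    return sorted({ZEN_CODES.get(a, f"unknown({a})") for a in answers})


def score(listings, weights=WEIGHTS):
    """Sum the per-list weights, ignoring lists we have no weight for."""
    return sum(weights.get(name, 0) for name in listings)


def evaluate(ip, resolver=resolve_all, whitelist_credit=0):
    """Look up ip in ZEN and decide accept/reject under the constructed policy.

    whitelist_credit is a negative number modelling credit from whitelist
    DNS zones (constructed; postscreen expresses this as negative site weights).
    """
    name = zen_query_name(ip)
    listings = decode_listings(resolver(name))
    total = score(listings) + whitelist_credit
    return {"query": name, "listings": listings, "score": total,
            "reject": total >= THRESHOLD}


# Constructed resolver reproducing the four answers quoted in the thread
# for 119.59.120.56 so the example runs offline; any other name is unlisted.
SAMPLE_ANSWERS = {
    "56.120.59.119.zen.spamhaus.org": ["127.0.0.11", "127.0.0.4",
                                       "127.0.0.3", "127.0.0.2"],
    # Constructed: an address carrying only a CBL hit.
    "1.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
}


def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    print(evaluate("119.59.120.56", resolver=sample_resolver))
    print(evaluate("192.0.2.1", resolver=sample_resolver, whitelist_credit=-2))
    print(evaluate("198.51.100.7", resolver=sample_resolver))
```

Swap `sample_resolver` for the default `resolve_all` to query the real zone; note that Spamhaus answers public resolvers with error codes rather than listings, so a production check should go through your own resolver or a Spamhaus data feed, exactly as postscreen does.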