Mailing List Archive

URIBL_SBL_A - Spamhaus false positive..
Hi,

It seems that SpamAssassin is giving out a false positive on a Spamhaus SBL lookup:

* 0.1 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL
* blocklist
* [URIs: fluent.ltd.uk]
* 2.1 URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL
* blocklist
* [URIs: fluent.ltd.uk]


fluent.ltd.uk has address 195.78.94.252

Name servers:
dns1.fluent.ltd.uk 195.78.94.253
dns2.fluent.ltd.uk 195.78.94.254


195.78.94.252 is not listed in the SBL
195.78.94.252 is not listed in the PBL

195.78.94.252 is not listed in the XBL

195.78.94.253 is not listed in the SBL
195.78.94.253 is not listed in the PBL

195.78.94.253 is not listed in the XBL

195.78.94.254 is not listed in the SBL
195.78.94.254 is not listed in the PBL

195.78.94.254 is not listed in the XBL


Has anyone come across this before, or can someone give any advice on what the cause of this might be? Most importantly, how to fix it?


Kind Regards,

Jonathan Gilpin
fluent Ltd
www.fluent.ltd.uk
Re: URIBL_SBL_A - Spamhaus false positive.. [ In reply to ]
On Thu, 23 Jan 2020 at 13:06, Jonathan Gilpin <jonathan@fluent.ltd.uk>
wrote:

> Hi,
>
> It seems that SpamAssassin is giving out a false positive on a Spamhaus SBL
> lookup:
>
> * 0.1 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL
> * blocklist
> * [URIs: fluent.ltd.uk]
> * 2.1 URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL
> * blocklist
> * [URIs: fluent.ltd.uk]
>
>
> fluent.ltd.uk has address 195.78.94.252
>
> Name servers:
> dns1.fluent.ltd.uk 195.78.94.253
> dns2.fluent.ltd.uk 195.78.94.254
>
>
> 195.78.94.252 is not listed in the SBL
>
> 195.78.94.252 is not listed in the PBL
>
> 195.78.94.252 is not listed in the XBL
> 195.78.94.253 is not listed in the SBL
>
> 195.78.94.253 is not listed in the PBL
>
> 195.78.94.253 is not listed in the XBL
> 195.78.94.254 is not listed in the SBL
>
> 195.78.94.254 is not listed in the PBL
>
> 195.78.94.254 is not listed in the XBL
>
> Has anyone come across this before, or can someone give any advice on what
> the cause of this might be? Most importantly, how to fix it?
>

Assuming you are still seeing the FPs (and they weren't a temporary problem
with the SBL now having been updated), what DNS resolver was being used by
the system that generated the FPs? Are you confident that it was sending
the RBL lookup requests direct to Spamhaus and not forwarding them to
another DNS server outside your control?
Re: URIBL_SBL_A - Spamhaus false positive.. [ In reply to ]
On Thu, 23 Jan 2020 13:06:01 +0000
Jonathan Gilpin wrote:

> Hi,
>
> It seems that SpamAssassin is giving out a false positive on a
> Spamhaus SBL lookup:
>
> * 0.1 URIBL_SBL_A Contains URL's A record listed in the
> Spamhaus SBL

I'm not seeing this at present.

> * blocklist
> * [URIs: fluent.ltd.uk]
> * 2.1 URIBL_SBL Contains an URL's NS IP listed in the
> Spamhaus SBL
> * blocklist
> * [URIs: fluent.ltd.uk]

I did see this.


> fluent.ltd.uk has address 195.78.94.252
>
> Name servers:
> dns1.fluent.ltd.uk 195.78.94.253
> dns2.fluent.ltd.uk 195.78.94.254

These two are supplied by the ltd.uk nameservers, but if you do an NS
lookup on one of these you get a third server, dns3.fluent.ltd.uk with
the IP address 195.78.94.20. This is listed in SBL.
Re: URIBL_SBL_A - Spamhaus false positive.. [ In reply to ]
Our local resolver is 195.78.94.4 and this was verified by another SpamAssassin user who has their own resolver on another network.
It has been like this for at least 4 days that I know of and yes, it is still happening.

This seems to be the case for all SpamAssassin users, that is, I haven't found anyone using SpamAssassin who is not getting the same result.

Jonathan


> On 23 Jan 2020, at 13:46, Dominic Raferd <dominic@timedicer.co.uk> wrote:
>
>
>
> On Thu, 23 Jan 2020 at 13:06, Jonathan Gilpin <jonathan@fluent.ltd.uk> wrote:
> Hi,
>
> It seems that SpamAssassin is giving out a false positive on a Spamhaus SBL lookup:
>
> * 0.1 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL
> * blocklist
> * [URIs: fluent.ltd.uk]
> * 2.1 URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL
> * blocklist
> * [URIs: fluent.ltd.uk]
>
>
> fluent.ltd.uk has address 195.78.94.252
>
> Name servers:
> dns1.fluent.ltd.uk 195.78.94.253
> dns2.fluent.ltd.uk 195.78.94.254
>
>
> 195.78.94.252 is not listed in the SBL
> 195.78.94.252 is not listed in the PBL
>
> 195.78.94.252 is not listed in the XBL
>
> 195.78.94.253 is not listed in the SBL
> 195.78.94.253 is not listed in the PBL
>
> 195.78.94.253 is not listed in the XBL
>
> 195.78.94.254 is not listed in the SBL
> 195.78.94.254 is not listed in the PBL
>
> 195.78.94.254 is not listed in the XBL
>
>
> Has anyone come across this before, or can someone give any advice on what the cause of this might be? Most importantly, how to fix it?
>
> Assuming you are still seeing the FPs (and they weren't a temporary problem with the SBL now having been updated), what DNS resolver was being used by the system that generated the FPs? Are you confident that it was sending the RBL lookup requests direct to Spamhaus and not forwarding them to another DNS server outside your control?
Re: URIBL_SBL_A - Spamhaus false positive.. [ In reply to ]
Hello Jonathan,

if you would care to forward me offlist a complete sample that triggers
the FPs I'll be happy to investigate

On 23/01/20 14:51, Jonathan Gilpin wrote:
> Our local resolver is 195.78.94.4 and this was verified by another
> SpamAssassin user who has their own resolver on another network.
> It has been like this for at least 4 days that I know of and yes it is
> still happening.
>
> This seems to be the case for all spam-assassin users, that is, I
> haven’t found anyone using spamassassin that is not getting the same
> result
>
> Jonathan
>
>
--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/
Re: URIBL_SBL_A - Spamhaus false positive.. [ In reply to ]
Hello Riccardo,

On Thursday, January 23, 2020, 7:53:18 AM, Riccardo Alfieri wrote:

RA> if you would care to forward me offlist a complete sample that triggers
RA> the FPs I'll be happy to investigate

FWIW, these very messages to the SA list this morning mentioning this domain
triggered for me as well, e.g.:

X-Spam-Report:
* -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high
* trust
* [207.244.88.153 listed in list.dnswl.org]
* 0.1 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL
* blocklist
* [URIs: fluent.ltd.uk]
* 1.6 URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL
* blocklist
* [URIs: fluent.ltd.uk]




--
Best regards,
Robert Braver
rbraver@ohww.norman.ok.us
Re: URIBL_SBL_A - Spamhaus false positive.. [ In reply to ]
On 23/01/20 14:48, RW wrote:

> On Thu, 23 Jan 2020 13:06:01 +0000
> Jonathan Gilpin wrote:
>
>> Hi,
>>
>> It seems that SpamAssassin is giving out a false positive on a
>> Spamhaus SBL lookup:
>>
>> * 0.1 URIBL_SBL_A Contains URL's A record listed in the
>> Spamhaus SBL
> I'm not seeing this at present.

I guess it's because you are running 3.4.3+. On previous versions it
would hit because, as stated in 25_uribl.cf:

(URIBL_SBL_A) # Only works correctly from 3.4.3, earlier versions
basically run as URIBL_SBL duplicate

I can also confirm that, as you properly pointed out, 195.78.94.20 is
listed and that triggers URIBL_SBL.

Jonathan has been given instructions on how to request a removal and
this issue will be likely to be solved as soon as the removal request
comes in.

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/
Re: URIBL_SBL_A - Spamhaus false positive.. [ In reply to ]
On Thu, 23 Jan 2020 14:31:01 +0000
Riccardo Alfieri wrote:


> >> * 0.1 URIBL_SBL_A Contains URL's A record listed in the
> >> Spamhaus SBL
> > I'm not seeing this at present.
>
> I guess it's because you are running 3.4.3+. On previous versions it
> would hit because, as stated in 25_uribl.cf:
>
> (URIBL_SBL_A) # Only works correctly from 3.4.3, earlier versions
> basically run as URIBL_SBL duplicate

I opened bug 7242 for that in 2015 - I thought it had been fixed years
ago. It looks like it narrowly missed 3.4.2.
Re: URIBL_SBL_A - Spamhaus false positive.. [ In reply to ]
RW skrev den 2020-01-23 16:51:

> I opened bug 7242 for that in 2015 - I thought it had been fixed years
> ago. It looks like it narrowly missed 3.4.2.

I remember it was that it did 2 lookups for the same IPs, and it could
not be resolved to one since it was not the same data that is tested; there
are in 3.4.3 still many examples of not doing single lookups with one DNS
query to see multiple results on rules.

Sadly, with an RBL zone with low TTL :(
Re: URIBL_SBL_A - Spamhaus false positive.. [ In reply to ]
On Thu, Jan 23, 2020 at 05:01:20PM +0100, Benny Pedersen wrote:
> RW skrev den 2020-01-23 16:51:
>
> >I opened bug 7242 for that in 2015 - I thought it had been fixed years
> >ago. It looks like it narrowly missed 3.4.2.
>
> I remember it was that it did 2 lookups for the same IPs, and it could not
> be resolved to one since it was not the same data that is tested; there are in
> 3.4.3 still many examples of not doing single lookups with one DNS query to
> see multiple results on rules

What examples, please? There are no duplicate lookups at network level. Only
some "duplicate" debug messages can be seen, but all extra identical queries
are cached.
Re: URIBL_SBL_A - Spamhaus false positive.. [ In reply to ]
On Thu, 23 Jan 2020 13:48:58 +0000
RW wrote:


> These two are supplied by the ltd.uk nameservers, but if you do an NS
> lookup on one of these you get a third server, dns3.fluent.ltd.uk with
> the IP address 195.78.94.20.

I'm curious as to what's actually going on here. If I use

dig ns fluent.ltd.uk @<cache-name>

some caches give the 2 servers supplied by Nominet, others give the 3
servers from dns[1-3].fluent.ltd.uk (an extra round-trip).

If I look on Google's 8.8.8.8 I get a random result with random TTLs.
Perhaps the TTLs can be explained by Google's higher-level caching
not coping with the conflict and leaving the individual servers to
handle it, but their software is still producing two different results.
Re: URIBL_SBL_A - Spamhaus false positive.. [ In reply to ]
On 23/01/20 18:56, RW wrote:

>
> I'm curious as to what's actually going on here. If I use
>
> dig ns fluent.ltd.uk @<cache-name>
>
> some caches give the 2 servers supplied by Nominet, others give the 3
> servers from dns[1-3].fluent.ltd.uk (an extra round-trip).
>
> If I look on Google's 8.8.8.8 I get a random result with random TTLs.
> Perhaps the TTLs can be explained by Google's higher-level caching
> not coping with the conflict and leaving the individual servers to
> handle it, but their software is still producing two different results.
If I would have to guess, I'd say someone removed dns3.fluent.ltd.uk
from the zone without updating the serial number, so now if you happen
to hit a resolver that never queried that domain you'll get only
dns[1-2], while the others will keep the cached response until expiration.

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/
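The check that RW's NS lookup and Riccardo's stale-cache explanation point at, written out as an added example (this is not code from the thread or from SpamAssassin): compare the parent delegation's NS set with the child zone's own NS RRset, then run every name server address through a Spamhaus-style reverse-octet DNSBL query. The DNSBL answers below are a constructed stand-in for a live lookup; the zone name and the SBL return codes 127.0.0.2-3 follow Spamhaus's public documentation, and a real tool would resolve the query name instead of consulting a dict.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed sample modelled on the thread: the ltd.uk delegation (parent)
# lists two name servers, while the zone's own NS RRset (child) still
# carries a third one whose address is SBL-listed.
PARENT_NS: Dict[str, str] = {"dns1.fluent.ltd.uk": "195.78.94.253",
                             "dns2.fluent.ltd.uk": "195.78.94.254"}
CHILD_NS: Dict[str, str] = {**PARENT_NS, "dns3.fluent.ltd.uk": "195.78.94.20"}

# Constructed stand-in for live DNSBL answers: query name -> A records.
# A real implementation resolves the name; NXDOMAIN means "not listed".
SAMPLE_DNSBL: Dict[str, List[str]] = {
    "20.94.78.195.zen.spamhaus.org": ["127.0.0.2"],
}


def fake_lookup(qname: str) -> List[str]:
    return SAMPLE_DNSBL.get(qname, [])


def dnsbl_qname(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def sbl_listed(ip: str, lookup: Callable[[str], List[str]]) -> bool:
    """Spamhaus documents 127.0.0.2 and 127.0.0.3 as the SBL return codes."""
    codes = lookup(dnsbl_qname(ip))
    return any(code in ("127.0.0.2", "127.0.0.3") for code in codes)


def audit_ns(parent: Dict[str, str], child: Dict[str, str],
             lookup: Callable[[str], List[str]]) -> Dict[str, list]:
    """Flag NS names present on only one side and any NS IP the SBL lists."""
    report: Dict[str, list] = {
        "only_in_child": sorted(set(child) - set(parent)),
        "only_in_parent": sorted(set(parent) - set(child)),
        "listed": [],
    }
    # Check the union: a resolver may hand SpamAssassin either NS set.
    for name, ip in sorted({**parent, **child}.items()):
        if sbl_listed(ip, lookup):
            report["listed"].append((name, ip))
    return report


if __name__ == "__main__":
    print(audit_ns(PARENT_NS, CHILD_NS, fake_lookup))
```

A non-empty "only_in_child" list alongside a "listed" entry is exactly the situation in the thread: which set SpamAssassin sees depends on which resolver it asks and what that resolver still has cached.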