On Sun, Mar 13, 2011 at 01:35:57PM -0400, Wietse Venema wrote:
> Larry Vaden:
> > Hello postfix-users,
> > 
> > For a selected time period today, the postfix/postscreen DNSBL rank
> > log entries are summarized as:
> > 
> >    1744 DNSBL rank 2
> >   12458 DNSBL rank 3
> >    5113 DNSBL rank 4
> >    1099 DNSBL rank 5
> >       1 DNSBL rank 7
> > 
> > Q1: Given the postscreen invocation in main.cf below the sig, what is
> > the meaning of DNSBL rank 7?

Mine can add up to 10, but I've seen one at 12 and one at 16. User 
error was a contributing factor. This might be reproducible, and 
perhaps in some cases could violate policy. In *very* unlikely 
circumstances, this could reject wanted mail.

-rw-r--r-- 1 root root 23066 Feb 27 20:46 /etc/postfix/main.cf
-rw-r--r-- 1 root root   247 Feb 27 20:49 /etc/postfix/postscreen_access.cidr

I enabled the postscreen_access.cidr in main.cf about 3 minutes 
before creating that file.

Feb 27 20:46:46 cardinal postfix/postscreen[19863]: fatal: open 
/etc/postfix/postscreen_access.cidr: No such file or directory
Feb 27 20:46:47 cardinal postfix/master[1492]: warning: process 
/usr/libexec/postfix/postscreen pid 19863 exit status 1
Feb 27 20:46:47 cardinal postfix/master[1492]: warning: 
/usr/libexec/postfix/postscreen: bad command startup -- throttling
Feb 27 20:47:47 cardinal postfix/postscreen[19921]: fatal: open 
/etc/postfix/postscreen_access.cidr: No such file or directory
Feb 27 20:47:48 cardinal postfix/master[1492]: warning: process 
/usr/libexec/postfix/postscreen pid 19921 exit status 1
Feb 27 20:47:48 cardinal postfix/master[1492]: warning: 
/usr/libexec/postfix/postscreen: bad command startup -- throttling
Feb 27 20:48:48 cardinal postfix/postscreen[19945]: fatal: open 
/etc/postfix/postscreen_access.cidr: No such file or directory
Feb 27 20:48:49 cardinal postfix/master[1492]: warning: process 
/usr/libexec/postfix/postscreen pid 19945 exit status 1
Feb 27 20:48:49 cardinal postfix/master[1492]: warning: 
/usr/libexec/postfix/postscreen: bad command startup -- throttling

... and postscreen was understandably not happy. But when I hit F2 
(save) in my trusty editor mc(1), all was forgiven:

Feb 27 20:49:49 cardinal postfix/postscreen[19956]: CONNECT from 
[186.58.57.178]:10383
Feb 27 20:49:49 cardinal postfix/postscreen[19956]: CONNECT from 
[95.135.200.136]:7986
Feb 27 20:49:49 cardinal postfix/postscreen[19956]: HANGUP after 0 from 
[186.58.57.178]:10383 in tests before SMTP handshake
Feb 27 20:49:49 cardinal postfix/postscreen[19956]: DISCONNECT 
[186.58.57.178]:10383
Feb 27 20:49:49 cardinal postfix/postscreen[19956]: CONNECT from 
[95.105.171.227]:16467
Feb 27 20:49:49 cardinal postfix/postscreen[19956]: HANGUP after 0 from 
[95.135.200.136]:7986 in tests before SMTP handshake
Feb 27 20:49:49 cardinal postfix/postscreen[19956]: DISCONNECT 
[95.135.200.136]:7986
Feb 27 20:49:49 cardinal postfix/postscreen[19956]: CONNECT from 
[95.135.200.136]:10354
Feb 27 20:49:49 cardinal postfix/postscreen[19956]: HANGUP after 0 from 
[95.105.171.227]:16467 in tests before SMTP handshake
Feb 27 20:49:49 cardinal postfix/postscreen[19956]: DISCONNECT 
[95.105.171.227]:16467
Feb 27 20:49:49 cardinal postfix/postscreen[19956]: CONNECT from 
[95.105.171.227]:17718
Feb 27 20:49:49 cardinal postfix/postscreen[19956]: CONNECT from 
[90.176.45.181]:63096
Feb 27 20:49:49 cardinal postfix/postscreen[19956]: CONNECT from 
[95.135.123.84]:52370
Feb 27 20:49:50 cardinal postfix/dnsblog[19961]: addr 95.135.200.136 listed by 
domain bl.spameatingmonkey.net as 127.0.0.3
Feb 27 20:49:50 cardinal postfix/dnsblog[19958]: addr 186.58.57.178 listed by 
domain bl.spameatingmonkey.net as 127.0.0.3
Feb 27 20:49:50 cardinal postfix/dnsblog[19963]: addr 95.135.200.136 listed by 
domain zen.spamhaus.org as 127.0.0.4
Feb 27 20:49:50 cardinal postfix/dnsblog[19963]: addr 95.135.200.136 listed by 
domain zen.spamhaus.org as 127.0.0.11
Feb 27 20:49:50 cardinal postfix/dnsblog[19969]: addr 95.135.200.136 listed by 
domain zen.spamhaus.org as 127.0.0.4
Feb 27 20:49:50 cardinal postfix/dnsblog[19969]: addr 95.135.200.136 listed by 
domain zen.spamhaus.org as 127.0.0.11
Feb 27 20:49:50 cardinal postfix/dnsblog[19963]: addr 95.135.200.136 listed by 
domain bl.spameatingmonkey.net as 127.0.0.3
Feb 27 20:49:50 cardinal postfix/dnsblog[19959]: addr 186.58.57.178 listed by 
domain zen.spamhaus.org as 127.0.0.11
Feb 27 20:49:50 cardinal postfix/dnsblog[19959]: addr 186.58.57.178 listed by 
domain zen.spamhaus.org as 127.0.0.4
Feb 27 20:49:50 cardinal postfix/dnsblog[19965]: addr 95.105.171.227 listed by 
domain bl.spamcop.net as 127.0.0.2
Feb 27 20:49:50 cardinal postfix/dnsblog[19970]: addr 95.105.171.227 listed by 
domain bl.spamcop.net as 127.0.0.2
Feb 27 20:49:50 cardinal postfix/dnsblog[19960]: addr 95.135.200.136 listed by 
domain bl.spamcop.net as 127.0.0.2
Feb 27 20:49:50 cardinal postfix/dnsblog[19961]: addr 95.135.200.136 listed by 
domain bl.spamcop.net as 127.0.0.2
Feb 27 20:49:50 cardinal postfix/dnsblog[19959]: addr 95.105.171.227 listed by 
domain zen.spamhaus.org as 127.0.0.11
Feb 27 20:49:50 cardinal postfix/dnsblog[19959]: addr 95.105.171.227 listed by 
domain zen.spamhaus.org as 127.0.0.4
Feb 27 20:49:50 cardinal postfix/dnsblog[19958]: addr 95.135.200.136 listed by 
domain b.barracudacentral.org as 127.0.0.2
Feb 27 20:49:50 cardinal postfix/dnsblog[19960]: addr 95.135.200.136 listed by 
domain b.barracudacentral.org as 127.0.0.2
Feb 27 20:49:50 cardinal postfix/dnsblog[19973]: addr 90.176.45.181 listed by 
domain b.barracudacentral.org as 127.0.0.2
Feb 27 20:49:50 cardinal postfix/dnsblog[19965]: addr 95.105.171.227 listed by 
domain b.barracudacentral.org as 127.0.0.2
Feb 27 20:49:50 cardinal postfix/dnsblog[19970]: addr 95.105.171.227 listed by 
domain b.barracudacentral.org as 127.0.0.2
Feb 27 20:49:50 cardinal postfix/dnsblog[19959]: addr 95.135.123.84 listed by 
domain b.barracudacentral.org as 127.0.0.2
Feb 27 20:49:50 cardinal postfix/dnsblog[19966]: addr 95.135.123.84 listed by 
domain bl.spameatingmonkey.net as 127.0.0.3
Feb 27 20:49:50 cardinal postfix/dnsblog[19968]: addr 95.105.171.227 listed by 
domain zen.spamhaus.org as 127.0.0.4
Feb 27 20:49:50 cardinal postfix/dnsblog[19968]: addr 95.105.171.227 listed by 
domain zen.spamhaus.org as 127.0.0.11
Feb 27 20:49:50 cardinal postfix/dnsblog[19971]: addr 90.176.45.181 listed by 
domain zen.spamhaus.org as 127.0.0.4
Feb 27 20:49:50 cardinal postfix/dnsblog[19971]: addr 90.176.45.181 listed by 
domain zen.spamhaus.org as 127.0.0.11
Feb 27 20:49:50 cardinal postfix/dnsblog[19957]: addr 95.135.123.84 listed by 
domain zen.spamhaus.org as 127.0.0.11
Feb 27 20:49:50 cardinal postfix/dnsblog[19957]: addr 95.135.123.84 listed by 
domain zen.spamhaus.org as 127.0.0.4
Feb 27 20:49:50 cardinal postfix/dnsblog[19971]: addr 90.176.45.181 listed by 
domain dnsbl.sorbs.net as 127.0.0.7
Feb 27 20:49:50 cardinal postfix/dnsblog[19963]: addr 90.176.45.181 listed by 
domain bl.spamcop.net as 127.0.0.2

And the scores:

Feb 27 20:49:55 cardinal postfix/postscreen[19956]: DNSBL rank 16 for 
[95.135.200.136]:10354
Feb 27 20:49:55 cardinal postfix/postscreen[19956]: DNSBL rank 12 for 
[95.105.171.227]:17718
Feb 27 20:49:55 cardinal postfix/postscreen[19956]: DNSBL rank 7 for 
[90.176.45.181]:63096
Feb 27 20:49:55 cardinal postfix/postscreen[19956]: DNSBL rank 7 for 
[95.135.123.84]:52370

The two at 7 are correct.

95.135.200.136: Zen (3), BRBL (2), SEM (2), Spamcop (1): appears to 
be a score of 8, was doubled (counted twice?)

95.105.171.227: Zen (3), BRBL (2), Spamcop (1): appears to be a score 
of 6, also doubled.

And for completeness, here's what happened with them:

Feb 27 20:49:56 cardinal postfix/postscreen[19956]: NOQUEUE: reject: RCPT from 
[95.135.123.84]:52370: 550 5.7.1 Service unavailable; client [95.135.123.84] 
blocked using multiple DNS-based blocklists; from=<j...@gmail.com>, 
to=<munged@spam.victim>, proto=ESMTP, helo=<84-123-135-95.pool.ukrtel.net>
Feb 27 20:49:56 cardinal postfix/postscreen[19956]: NOQUEUE: reject: RCPT from 
[95.135.200.136]:10354: 550 5.7.1 Service unavailable; client [95.135.200.136] 
blocked using multiple DNS-based blocklists; from=<b...@bluebellgroup.com>, 
to=<munged@spam.victim>, proto=ESMTP, helo=<136-200-135-95.pool.ukrtel.net>
Feb 27 20:49:56 cardinal postfix/postscreen[19956]: HANGUP after 1.3 from 
[95.135.200.136]:10354 in tests after SMTP handshake
Feb 27 20:49:56 cardinal postfix/postscreen[19956]: DISCONNECT 
[95.135.200.136]:10354
Feb 27 20:49:56 cardinal postfix/postscreen[19956]: HANGUP after 1.3 from 
[95.135.123.84]:52370 in tests after SMTP handshake
Feb 27 20:49:56 cardinal postfix/postscreen[19956]: DISCONNECT 
[95.135.123.84]:52370
Feb 27 20:50:09 cardinal postfix/postscreen[19956]: NOQUEUE: reject: RCPT from 
[90.176.45.181]:63096: 550 5.7.1 Service unavailable; client [90.176.45.181] 
blocked using multiple DNS-based blocklists; from=<j...@gmail.com>, 
to=<munged@spam.victim>, proto=ESMTP, helo=<181.45.broadband9.iol.cz>
Feb 27 20:50:09 cardinal postfix/postscreen[19956]: HANGUP after 14 from 
[90.176.45.181]:63096 in tests after SMTP handshake
Feb 27 20:50:09 cardinal postfix/postscreen[19956]: DISCONNECT 
[90.176.45.181]:63096
Feb 27 20:50:24 cardinal postfix/postscreen[19956]: HANGUP after 29 from 
[95.105.171.227]:17718 in tests after SMTP handshake
Feb 27 20:50:24 cardinal postfix/postscreen[19956]: DISCONNECT 
[95.105.171.227]:17718

And this one comes right back, and everything seems normal again:

Feb 27 20:50:25 cardinal postfix/postscreen[19956]: CONNECT from 
[95.105.171.227]:19796
Feb 27 20:50:25 cardinal postfix/dnsblog[19975]: addr 95.105.171.227 listed by 
domain bl.spamcop.net as 127.0.0.2
Feb 27 20:50:25 cardinal postfix/dnsblog[19970]: addr 95.105.171.227 listed by 
domain zen.spamhaus.org as 127.0.0.11
Feb 27 20:50:25 cardinal postfix/dnsblog[19970]: addr 95.105.171.227 listed by 
domain zen.spamhaus.org as 127.0.0.4
Feb 27 20:50:25 cardinal postfix/dnsblog[19975]: addr 95.105.171.227 listed by 
domain b.barracudacentral.org as 127.0.0.2

Scored correctly this time:

Feb 27 20:50:31 cardinal postfix/postscreen[19956]: DNSBL rank 6 for 
[95.105.171.227]:19796
Feb 27 20:50:45 cardinal postfix/postscreen[19956]: NOQUEUE: reject: RCPT from 
[95.105.171.227]:19796: 550 5.7.1 Service unavailable; client [95.105.171.227] 
blocked using zen.spamhaus.org; from=<mar...@gmail.com>, 
to=<munged@spam.victim>, proto=ESMTP, helo=<static-95-105-171-227.orange.sk>
Feb 27 20:50:45 cardinal postfix/postscreen[19956]: HANGUP after 14 from 
[95.105.171.227]:19796 in tests after SMTP handshake
Feb 27 20:50:45 cardinal postfix/postscreen[19956]: DISCONNECT 
[95.105.171.227]:19796
Feb 27 20:51:04 cardinal postfix/postscreen[19956]: CONNECT from 
[219.80.128.61]:14127

I wouldn't worry too much about loss of mail, because with my 
threshold of 3, all it amounts to is to promote the lesser-scored 
DNSBLs. It would mean one hit of BRBL or SEM (score 2) would reject, 
or two hits of any combination of SORBS, Spamcop or TRBL (scored 1 
each). It's still likely to be spam, but just slightly stretches my 
trust model.

> Uncorrected multi-bit memory error?
> 
> > Further, "blocked using" is summarized as follows:

(and this summary is useless.)

> > 54.6% blocked using b.barracudacentral.org;
> > 12.1% blocked using bl.spamcop.net;
> >  3.8% blocked using spamtrap.trblspam.com;
> > 29.5% blocked using zen.spamhaus.org;
> > 
> > Q2: Is a "blocked using" entry written for each DNSBL for which 
> > there is a hit?  If not, how is it determined which DNSBL will 
> > get credit?
> 
> The first DNSBL that responds.

Could it be changed to the highest-scored DNSBL?
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
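To check the arithmetic in the post above (two clients that add up to 8 and 6 but were logged as rank 16 and 12) against a log, here is an added Python script; it is not from the thread or from Postfix. It re-scores each client from its dnsblog lines using the per-site weights the post describes (assumed here, since the real ones live in postscreen_dnsbl_sites), flags clients whose logged rank disagrees, and also sums once per (site, dnsblog pid) lookup, which on the sample data matches the doubled values.

```python
import re
from collections import defaultdict

# Weights as the post describes them (Zen 3, BRBL 2, SEM 2, others 1); assumed.
WEIGHTS = {"zen.spamhaus.org": 3, "b.barracudacentral.org": 2,
           "bl.spameatingmonkey.net": 2, "bl.spamcop.net": 1,
           "dnsbl.sorbs.net": 1, "spamtrap.trblspam.com": 1}
LISTED = re.compile(r"dnsblog\[(\d+)\]: addr (\S+) listed by domain (\S+) as ")
RANK = re.compile(r"DNSBL rank (\d+) for \[([^\]]+)\]:\d+")

def score_clients(lines):
    """addr -> (score over distinct sites, score per (site, pid) lookup, logged rank)."""
    sites, lookups, ranks = defaultdict(set), defaultdict(set), {}
    for line in lines:
        if m := LISTED.search(line):
            pid, addr, site = m.groups()
            sites[addr].add(site)            # Zen's two A records count once
            lookups[addr].add((site, pid))   # assumes one pid = one lookup per site
        elif m := RANK.search(line):
            ranks[m.group(2)] = int(m.group(1))
    return {a: (sum(WEIGHTS.get(s, 0) for s in sites[a]),
                sum(WEIGHTS.get(s, 0) for s, _ in lookups[a]), r)
            for a, r in ranks.items()}

def anomalies(lines):
    """Clients whose logged rank differs from the distinct-site score."""
    return {a: v for a, v in score_clients(lines).items() if v[0] != v[2]}

# Constructed sample: a subset of the post's own dnsblog/postscreen lines for
# two clients, with the mail client's 80-column wrapping undone.
P = "Feb 27 20:49:50 cardinal postfix/dnsblog[%d]: addr %s listed by domain %s as %s"
SAMPLE = [P % t for t in [
    (19961, "95.135.200.136", "bl.spameatingmonkey.net", "127.0.0.3"),
    (19963, "95.135.200.136", "zen.spamhaus.org", "127.0.0.4"),
    (19963, "95.135.200.136", "zen.spamhaus.org", "127.0.0.11"),
    (19969, "95.135.200.136", "zen.spamhaus.org", "127.0.0.4"),
    (19963, "95.135.200.136", "bl.spameatingmonkey.net", "127.0.0.3"),
    (19960, "95.135.200.136", "bl.spamcop.net", "127.0.0.2"),
    (19961, "95.135.200.136", "bl.spamcop.net", "127.0.0.2"),
    (19958, "95.135.200.136", "b.barracudacentral.org", "127.0.0.2"),
    (19960, "95.135.200.136", "b.barracudacentral.org", "127.0.0.2"),
    (19973, "90.176.45.181", "b.barracudacentral.org", "127.0.0.2"),
    (19971, "90.176.45.181", "zen.spamhaus.org", "127.0.0.4"),
    (19971, "90.176.45.181", "dnsbl.sorbs.net", "127.0.0.7"),
    (19963, "90.176.45.181", "bl.spamcop.net", "127.0.0.2"),
]] + [
    "Feb 27 20:49:55 cardinal postfix/postscreen[19956]: DNSBL rank 16 for [95.135.200.136]:10354",
    "Feb 27 20:49:55 cardinal postfix/postscreen[19956]: DNSBL rank 7 for [90.176.45.181]:63096",
]
```

Run `anomalies(SAMPLE)` on the sample: 95.135.200.136 comes back as (8, 16, 16), while 90.176.45.181 scores 7 every way and is not reported.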
