--On Thursday, January 07, 2016 9:06 PM +0100 lutz.niede...@gmx.net wrote:
> postfix version 2.9.3-2.1 on debian
>
> Hi!
>
> I found something really strange. Maybe someone can explain this to me.
>
> reject_rbl_client docu says "... If no "=d.d.d.d" is specified, reject the request when the reversed client network address is listed with any A record under rbl_domain."
>
> I see many, many spam mails blocked directly by postfix. This is what I expect, fine. I use spamhaus & spamcop with reject_rbl_client and reject_rhsbl_client/sender/reverse in xyz_restrictions.
>
> Now I found some mails that made their way through and have seconds later been marked by spamassassin with that (eg):
>
> X-Spam-RBL: <dns:156.89.237.109.zen.spamhaus.org> [127.0.0.4]
>
> How is that possible? I thought that they should never get through?
Why not? The RBL may have been updated in those few seconds.

I see this regularly when monitoring my logs. An email comes in, and hits a couple of people. It comes in a few seconds later, and gets rejected, because the RBL was updated after the initial round of emails. I tend to call it 0-moment SPAM. Generally, everyone who is in the initial blast (0-moment) gets hit. Those who are in the next rounds generally don't, just depending on how quickly the RBL updates.

So if you have a long enough delay between when postfix processes it and when SA processes it, it's quite logical for 0-moment spam to get past postfix but get tagged by SA. However, the /next/ set of emails should be blocked by postfix. If that isn't happening, then I'd be concerned.
--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
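
Added example, not part of the original thread and not code from Postfix or SpamAssassin: it rebuilds the DNS name an RBL check queries, recovers the client address from the X-Spam-RBL value quoted above, and separates accepts that predate the listing from accepts that came after it (the case the reply says would be a concern). The event tuples, the `classify` helper and the 60-second `grace` allowance are assumptions made for illustration.

```python
import ipaddress
import re

# Matches an X-Spam-RBL value such as the one quoted in the thread (IPv4 only).
RBL_HEADER = re.compile(r"<dns:((?:\d{1,3}\.){4})([^>]+)>\s*\[(\d+\.\d+\.\d+\.\d+)\]")

def dnsbl_query_name(client_ip, zone):
    """Name an RBL check resolves: reversed client address under the zone."""
    rev = ipaddress.ip_address(client_ip).reverse_pointer
    # reverse_pointer ends in in-addr.arpa or ip6.arpa; keep the reversed labels only.
    return f"{rev.rsplit('.', 2)[0]}.{zone}"

def parse_spam_rbl(header):
    """Return (client_ip, zone, return_code), or None if the value does not match."""
    m = RBL_HEADER.search(header)
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    return ".".join(reversed(octets)), m.group(2), m.group(3)

def classify(events, client_ip, tagged_at, grace=60):
    """Split accepts for client_ip into (before listing seen, after listing seen).

    tagged_at is when the content filter first saw the listing; grace (an
    assumed value) allows for a cached negative DNS answer on the MTA side.
    """
    zero_moment, late = [], []
    for ts, ip, outcome in sorted(events):
        if ip != client_ip or outcome != "accept":
            continue
        (late if ts > tagged_at + grace else zero_moment).append(ts)
    return zero_moment, late

# Constructed sample data: (epoch seconds, client IP, MTA outcome).
EVENTS = [
    (1000, "109.237.89.156", "accept"),   # initial blast, not yet listed
    (1004, "109.237.89.156", "accept"),
    (1200, "109.237.89.156", "reject"),   # listing now visible to the MTA
    (1000, "192.0.2.10", "accept"),       # unrelated client
]

if __name__ == "__main__":
    ip, zone, code = parse_spam_rbl(
        "<dns:156.89.237.109.zen.spamhaus.org> [127.0.0.4]")
    print(ip, dnsbl_query_name(ip, zone), code)
    print(classify(EVENTS, ip, tagged_at=1008))
```

A non-empty second list from `classify` means the same client was still being accepted well after the listing was visible, which points at the restriction configuration or resolver rather than at update timing.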