On 1/7/2016 2:19 PM, Quanah Gibson-Mount wrote:
> --On Thursday, January 07, 2016 9:06 PM +0100 lutz.niede...@gmx.net
> wrote:
>
>> postfix version 2.9.3-2.1 on debian
>>
>> Hi!
>>
>> I found something really strange. Maybe someone can explain this
>> to me.
>>
>> reject_rbl_client docu says "... If no "=d.d.d.d" is specified,
>> reject the request when the reversed client network address is listed
>> with any A record under rbl_domain."
>>
>> I see many, many spam mails blocked directly by postfix. This is
>> what I expect, fine. I use spamhaus & spamcop with reject_rbl_client and
>> reject_rhsbl_client/sender/reverse in xyz_restrictions.
>>
>> Now I found some mails that made their way through and have
>> seconds later been marked by spamassassin with that (eg):
>>
>> X-Spam-RBL: <dns:156.89.237.109.zen.spamhaus.org> [127.0.0.4]
>>
>> How is that possible? I thought that they should never get through?
>
> Why not? The RBL may have been updated in those few seconds. I see
> this regularly when monitoring my logs. An email comes in, and hits
> a couple of people. It comes in a few seconds later, and gets
> rejected, because the RBL was updated after the initial round of
> emails. I tend to call it 0-moment SPAM. Generally, everyone who
> is in the initial blast (0-moment) gets hit. Those who are in the
> next rounds generally don't, just depending on how quickly the RBL
> updates. So if you have a long enough delay between when postfix
> processes it and when SA processes it, it's quite logical for
> 0-moment spam to get past postfix but get tagged by SA. However,
> the /next/ set of emails should be blocked by postfix. If that
> isn't happening, then I'd be concerned.
>
> --Quanah
>
In addition to "0-moment" timing issues SA may, depending on configuration, look at URLs inside the message, or at other Received: headers. Postfix only considers the connecting client, which is appropriate for a first-line defense. It's not clear from the post if SA was complaining about the connecting client, or some other IP.

  -- Noel Jones
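
Added example, not part of the thread and not written by any of the posters: a Python check that tells whether the address named in an X-Spam-RBL header is the connecting client (the only address reject_rbl_client queries) or an earlier hop taken from a deeper Received: header. Only the X-Spam-RBL value comes from the post; the Received: lines, hostnames, 192.0.2.25 and all function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample headers. Only the X-Spam-RBL value is from the thread;
# the Received: lines, hostnames and 192.0.2.25 are made up for the example.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.25])
\tby mx.example.org (Postfix) with ESMTP id 4A1B2C3D
\tfor <user@example.org>; Thu, 7 Jan 2016 21:00:05 +0100 (CET)
Received: from pc (unknown [109.237.89.156])
\tby relay.example.net with ESMTPA; Thu, 7 Jan 2016 21:00:01 +0100
X-Spam-RBL: <dns:156.89.237.109.zen.spamhaus.org> [127.0.0.4]
Subject: constructed sample

body
"""

def dnsbl_query(ip, zone):
    """DNS name a DNSBL lookup uses for an IPv4 address: reversed octets + zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def listed_ips(msg):
    """IPv4 addresses named in X-Spam-RBL headers, with the octets un-reversed."""
    values = " ".join(msg.get_all("X-Spam-RBL", []))
    hits = re.findall(r"<dns:(\d+)\.(\d+)\.(\d+)\.(\d+)\.", values)
    return [".".join(reversed(h)) for h in hits]

def received_ips(msg):
    """Bracketed IPv4 literal of each Received: header, topmost (our MTA) first."""
    found = (re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", v)
             for v in msg.get_all("Received", []))
    return [m.group(1) if m else None for m in found]

def classify(raw):
    """Map each listed IP to the role it plays in the Received: chain."""
    msg = message_from_string(raw)
    hops = received_ips(msg)
    result = {}
    for ip in listed_ips(msg):
        if hops and hops[0] == ip:
            result[ip] = "connecting client"  # the address reject_rbl_client checks
        elif ip in hops:
            # Deeper Received: lines are sender-supplied and may be forged.
            result[ip] = "earlier hop"        # never queried by reject_rbl_client
        else:
            result[ip] = "not in Received"
    return result

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A result of "connecting client" points to the timing explanation above, since Postfix queried that same address moments earlier; "earlier hop" means the listing concerns an address Postfix never looked up.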