On Sat, May 07, 2022 at 09:35:31AM -0700, Paul Pace wrote:
> On 2022-05-07 07:53, Benny Pedersen wrote:
> > On 2022-05-07 16:42, Paul Pace wrote:
> > >   *   10 URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL
> > >   *      blocklist
> > >   *      [URIs: wikileaksdotorg]
> 
> The problem with this solution is I don't know which domain is going to be
> next, plus I'm not so much looking for a solution to this specific result,
> but rather I want to understand why there is a disparity between what
> SpamAssassin is reporting and what the Spamhaus website is reporting.

If you do:

grep -r URIBL_SBL /var/lib/spamassassin/

you'll see it does this:

/var/lib/spamassassin/3.004006/updates_spamassassin_org/25_uribl.cf:uridnssub       URIBL_SBL        zen.spamhaus.org.       A   127.0.0.2
/var/lib/spamassassin/3.004006/updates_spamassassin_org/25_uribl.cf:body            URIBL_SBL        eval:check_uridnsbl('URIBL_SBL')
/var/lib/spamassassin/3.004006/updates_spamassassin_org/25_uribl.cf:describe        URIBL_SBL        Contains an URL's NS IP listed in the Spamhaus SBL blocklist

which means if it wanted to check (for example) 195.35.109.44 it would do
a DNS A record lookup on "44.109.35.195.zen.spamhaus.org" (note reversed quads),
and check if the result is "127.0.0.2" (which happens to be true in this case
at the moment - but might not be some time later):

% host -t a 44.109.35.195.zen.spamhaus.org
44.109.35.195.zen.spamhaus.org has address 127.0.0.2

The same procedure can be used for other RBLs.

As to why the web lookup returns a different result, it might be because
DNS results were cached earlier (maybe by some previous spam message),
and/or because you did not look it up fast enough. Data on RBL
servers changes all the time, and there is usually a delay between
their current database (which is likely what the web interface looks
up directly) and their published DNS records (which would lag behind
it).

Anyway, if you do the DNS check at the same time (or very close; I think
the default TTL there is 60 seconds) as SpamAssassin does it, you should
get the same result. If you do it minutes or hours later, the results
might be different again (how often they change depends on the RBL in
question, as well as your luck).

-- 
Opinions above are GNU-copylefted.
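
The lookup and the caching effect described in the message above, as an added example that is not part of the original e-mail or of SpamAssassin's code. CachingResolver, demo() and the zone data are constructed for illustration, the 60-second TTL is the message's own guess, and the IPv6 branch goes beyond the IPv4 case shown in the message.

```python
import ipaddress
import socket
import time

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the address and append the zone (the 'reversed quads' step)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:  # generalization: IPv6 DNSBL queries use reversed hex nibbles
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.rstrip(".")

def system_resolver(name):
    """A records for name via the system resolver; empty set if none."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:  # NXDOMAIN and other lookup failures: treat as not listed
        return set()

def is_listed(ip, zone="zen.spamhaus.org", expect="127.0.0.2", resolver=system_resolver):
    """True if the zone returns the A value the uridnssub rule tests for."""
    return expect in resolver(dnsbl_query_name(ip, zone))

class CachingResolver:
    """Hypothetical stand-in for a caching DNS server between you and the RBL."""
    def __init__(self, upstream, ttl=60, clock=time.monotonic):
        self.upstream, self.ttl, self.clock, self.cache = upstream, ttl, clock, {}
    def __call__(self, name):
        now, hit = self.clock(), self.cache.get(name)
        if hit is not None and now < hit[0]:
            return hit[1]  # still within TTL: the answer may be stale
        answer = self.upstream(name)
        self.cache[name] = (now + self.ttl, answer)
        return answer

def demo():
    """Constructed zone data: the entry is delisted after the first lookup."""
    zone = {"44.109.35.195.zen.spamhaus.org": {"127.0.0.2"}}
    direct = lambda name: zone.get(name, set())
    now = [0]
    cached = CachingResolver(direct, ttl=60, clock=lambda: now[0])
    seen = [is_listed("195.35.109.44", resolver=cached)]       # t=0, fills cache
    zone.clear()                                               # delisted upstream
    now[0] = 30
    seen.append(is_listed("195.35.109.44", resolver=cached))   # cached answer
    seen.append(is_listed("195.35.109.44", resolver=direct))   # fresh answer
    now[0] = 61
    seen.append(is_listed("195.35.109.44", resolver=cached))   # TTL expired
    return seen  # [True, True, False, False]
```

Calling is_listed() without a resolver argument performs a live lookup through the system resolver, so its answer reflects whatever that resolver has cached at that moment.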
