On 2022-05-07 10:37, Matija Nalis wrote:
On Sat, May 07, 2022 at 09:35:31AM -0700, Paul Pace wrote:
On 2022-05-07 07:53, Benny Pedersen wrote:
> On 2022-05-07 16:42, Paul Pace wrote:
> >       *   10 URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL
> >       *      blocklist
> >       *      [URIs: wikileaksdotorg]

The problem with this solution is I don't know which domain is going to be next, plus I'm not so much looking for a solution to this specific result,
but rather I want to understand why there is a disparity between what
SpamAssassin is reporting and what the Spamhaus website is reporting.

If you do:

grep -r URIBL_SBL /var/lib/spamassassin/

you'll see it does this:

/var/lib/spamassassin/3.004006/updates_spamassassin_org/25_uribl.cf:uridnssub URIBL_SBL        zen.spamhaus.org.       A   127.0.0.2
/var/lib/spamassassin/3.004006/updates_spamassassin_org/25_uribl.cf:body URIBL_SBL        eval:check_uridnsbl('URIBL_SBL')
/var/lib/spamassassin/3.004006/updates_spamassassin_org/25_uribl.cf:describe URIBL_SBL        Contains an URL's NS IP listed in the Spamhaus SBL blocklist

which means if it wanted to check (for example) 195.35.109.44 it would do a
DNS A record lookup on "44.109.35.195.zen.spamhaus.org" (note reversed
quads), and check if the result is "127.0.0.2" (which happens to be true in
this case at the moment - but might not be some time later):

% host -t a 44.109.35.195.zen.spamhaus.org
44.109.35.195.zen.spamhaus.org has address 127.0.0.2

The same procedure can be used for other RBLs.

As to why the web lookup returns a different result, it might be because
DNS results were cached earlier (maybe by some previous spam message),
and/or because you did not look it up fast enough. Data on RBL
servers changes all the time, and there is usually a delay between
their current database (which is likely what the web interface looks
up directly) and their published DNS records (which would lag behind
it).

Anyway, if you do the DNS check at the same time (or very close; I think
the default TTL there is 60 seconds) as SpamAssassin does it, you should
get the same result. If you do it minutes or hours later, the results
might be different again (how often they change depends on the RBL in
question, as well as your luck).

Thank you, this is exactly what I was looking for. Using dig it looks like the TTL is 2100.

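Added example, not part of the thread and not SpamAssassin's own code: a Python model of the lookup discussed above, showing how the `uridnssub` rule line maps to a reversed-quad query name and how a resolver cache can keep returning a hit after the list has changed. The function names, the toy cache and the delisting event are assumptions constructed for illustration; the IPv6 nibble form goes beyond the IPv4 case in the thread, and only the exact-match comparison described in the thread is modelled.

```python
import ipaddress

def dnsbl_qname(ip, zone):
    """Query name for an IP: reversed quads (IPv4) or reversed nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.rstrip(".")

def parse_uridnssub(line):
    """Split a 'uridnssub NAME ZONE TYPE SUBTEST' rule line into fields."""
    keyword, name, zone, rtype, subtest = line.split()
    if keyword != "uridnssub":
        raise ValueError("not a uridnssub line")
    return {"name": name, "zone": zone, "rtype": rtype, "subtest": subtest}

def rule_hits(rule, answers):
    """Exact-match case only: hit if a returned A record equals the subtest."""
    return rule["subtest"] in answers

class CachingResolver:
    """Toy resolver cache (assumption): an answer is reused until its TTL expires."""
    def __init__(self, upstream):
        self.upstream, self.cache = upstream, {}

    def lookup(self, qname, now):
        expires, answers = self.cache.get(qname, (0, None))
        if now >= expires:
            answers, ttl = self.upstream(qname)
            self.cache[qname] = (now + ttl, answers)
        return answers

def demo():
    rule = parse_uridnssub("uridnssub URIBL_SBL zen.spamhaus.org. A 127.0.0.2")
    qname = dnsbl_qname("195.35.109.44", rule["zone"])
    listed = {"now": True}
    def upstream(name):  # constructed stand-in for the list's DNS servers
        # TTL of 2100 seconds is the value reported from dig in the thread
        return (["127.0.0.2"], 2100) if listed["now"] else ([], 2100)
    resolver = CachingResolver(upstream)
    at_scan = rule_hits(rule, resolver.lookup(qname, now=0))
    listed["now"] = False  # constructed event: entry removed upstream
    cached = rule_hits(rule, resolver.lookup(qname, now=600))
    expired = rule_hits(rule, resolver.lookup(qname, now=2101))
    return qname, at_scan, cached, expired

if __name__ == "__main__":
    print(demo())
```

When comparing a scan result with a later manual check, querying the same resolver the scanner uses and noting the remaining TTL in the answer shows whether the two lookups saw the same cached record.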