Spamhouse.org question

DrmCa
Normal user
Posts: 116
Joined: 2011-02-14 21:30

Spamhouse.org question

Post by DrmCa » 2021-05-13 18:27

Very recently, within the last week, without any changes on my hMailServer instance, one of my correspondents started getting 505 error for all of their emails. They are being rejected by spamhouse. I went on spamhouse.org web site and searched for their domain in the removal search, but they do not list it. Does anybody know why this is happening and how I can allow it? I trust that domain, specifically, and if an override is needed then I am fine with creating it.

DrmCa
Normal user
Posts: 116
Joined: 2011-02-14 21:30

Re: Spamhouse.org question

Post by DrmCa » 2021-05-13 19:27

My bad: error 550, not 505

johang
Senior user
Posts: 534
Joined: 2008-09-01 09:20

Re: Spamhouse.org question

Post by johang » 2021-05-13 19:32

DrmCa wrote:
2021-05-13 18:27
Very recently, within the last week, without any changes on my hMailServer instance, one of my correspondents started getting 505 error for all of their emails. They are being rejected by spamhouse. I went on spamhouse.org web site and searched for their domain in the removal search, but they do not list it. Does anybody know why this is happening and how I can allow it? I trust that domain, specifically, and if an override is needed then I am fine with creating it.

soo.. SPAMHAUS note the spelling :wink: has some different lists..

The Spamhaus Block List
The Spamhaus Block List ("SBL") Advisory is a database of IP addresses from which Spamhaus does not recommend the acceptance of electronic mail.

Exploits Block List
The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

The Policy Block List
The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer's use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.

The Domain Block List (DBL)
The Spamhaus DBL is a list of domain names with poor reputations. It is published in a domain DNSBL format. These domain reputations are calculated from many factors, and maintained in a database which in turn feeds the DBL zone itself.

The Spamhaus Don't Route Or Peer Lists
The Spamhaus DROP (Don't Route Or Peer) lists are advisory "drop all traffic" lists, consisting of netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). The DROP lists are a tiny subset of the SBL, designed for use by firewalls and routing equipment to filter out the malicious traffic from these netblocks.


do you know if it really is the domain that is blocked? (then you know that domain received bad reputation) if you tested the domain at https://check.spamhaus.org/ and you don't get a match.. it is probably the sending IP that is listed....
___________________________________________________________end of the line
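The domain lookup and the sending-IP lookup described in this post are two separate DNS queries, which is why one can come back clean while the other is listed. The sketch below is an added example, not part of the original post; it assumes Spamhaus's public zone names `zen.spamhaus.org` and `dbl.spamhaus.org` and their documented return codes, and the IP, domain and zone records in it are constructed.

```python
import ipaddress
import socket

# Return codes Spamhaus documents for its public zones (assumed current).
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL", "127.0.0.9": "SBL",
    "127.0.0.4": "XBL", "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

def ip_qname(ip, zone="zen.spamhaus.org"):
    """Name queried for a sending IP: reversed octets (or IPv6 nibbles) + zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer   # '25.2.0.192.in-addr.arpa'
    return rev.rsplit(".", 2)[0] + "." + zone

def domain_qname(domain, zone="dbl.spamhaus.org"):
    """Name queried for a sender domain on the DBL."""
    return domain.rstrip(".").lower() + "." + zone

def classify(answers):
    """Split A records into (lists hit, error codes); no answers = not listed."""
    lists, errors = set(), []
    for a in answers:
        if a.startswith("127.255.255.") or a == "127.0.1.255":
            errors.append(a)          # query refused or malformed, not a listing
        elif a in ZEN_CODES:
            lists.add(ZEN_CODES[a])
        elif a.startswith("127.0.1."):
            lists.add("DBL")
    return sorted(lists), errors

def dns_resolve(qname):
    """Live lookup; NXDOMAIN (not listed) comes back as an empty list."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except OSError:
        return []

def check_sender(ip, domain, resolve=dns_resolve):
    """Run both lookups so a clean domain is not mistaken for a clean IP."""
    return {"ip": classify(resolve(ip_qname(ip))),
            "domain": classify(resolve(domain_qname(domain)))}

# Constructed records: the shared server's IP is listed, the domain is not.
FAKE_ZONE = {"25.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"]}

def fake_resolve(qname):
    return FAKE_ZONE.get(qname, [])

if __name__ == "__main__":
    print(check_sender("192.0.2.25", "friend.example", fake_resolve))
```

Answers in `127.255.255.0/24` are error codes from the list operator rather than listings, so a filter that treats any answer as a hit will reject mail for the wrong reason.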

SorenR
Senior user
Posts: 4596
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spamhouse.org question

Post by SorenR » 2021-05-13 19:33

Did you check their IP address?

https://mxtoolbox.com/blacklists.aspx
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

palinka
Senior user
Posts: 2704
Joined: 2017-09-12 17:57

Re: Spamhouse.org question

Post by palinka » 2021-05-13 19:42

Spamhaus removal search uses both IP and domain. They may or may not overlap. A clean domain does not mean a clean IP.

Your spamhaus score must be very high or your delete threshold must be very low for one test to cause a message to be deleted.

You can whitelist his email address to bypass spam tests.

DrmCa
Normal user
Posts: 116
Joined: 2011-02-14 21:30

Re: Spamhouse.org question

Post by DrmCa » 2021-05-14 02:23

Yes, all of you are correct. Spamhaus (omg, the spelling!) has rejected their IP for the past few days.

jim.bus
Senior user
Posts: 701
Joined: 2011-05-28 11:49
Location: US

Re: Spamhouse.org question

Post by jim.bus » 2021-05-14 07:07

palinka wrote:
2021-05-13 19:42
Spamhaus removal search uses both IP and domain. They may or may not overlap. A clean domain does not mean a clean IP.

Your spamhaus score must be very high or your delete threshold must be very low for one test to cause a message to be deleted.

You can whitelist his email address to bypass spam tests.

I may be incorrect about this, but while DrmCA can Whitelist the Domain or even the particular sender, hMailServer would not be performing any Spam Tests since that Domain would be Whitelisted for that Domain. This would mean that the email server which sent the email might not be authorized to send email for that Domain because determining this is a part of SPAM Tests if I am not mistaken.

SorenR
Senior user
Posts: 4596
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spamhouse.org question

Post by SorenR » 2021-05-14 07:43

jim.bus wrote:
2021-05-14 07:07
palinka wrote:
2021-05-13 19:42
Spamhaus removal search uses both IP and domain. They may or may not overlap. A clean domain does not mean a clean IP.

Your spamhaus score must be very high or your delete threshold must be very low for one test to cause a message to be deleted.

You can whitelist his email address to bypass spam tests.

I may be incorrect about this, but while DrmCA can Whitelist the Domain or even the particular sender, hMailServer would not be performing any Spam Tests since that Domain would be Whitelisted for that Domain. This would mean that the email server which sent the email might not be authorized to send email for that Domain because determining this is a part of SPAM Tests if I am not mistaken.

Move all RBL checking to SpamAssassin and whitelist domain.

OR...

There is always this ... viewtopic.php?p=209774#p209774
SørenR.


palinka
Senior user
Posts: 2704
Joined: 2017-09-12 17:57

Re: Spamhouse.org question

Post by palinka » 2021-05-14 12:01

jim.bus wrote:
2021-05-14 07:07
palinka wrote:
2021-05-13 19:42
Spamhaus removal search uses both IP and domain. They may or may not overlap. A clean domain does not mean a clean IP.

Your spamhaus score must be very high or your delete threshold must be very low for one test to cause a message to be deleted.

You can whitelist his email address to bypass spam tests.

I may be incorrect about this, but while DrmCA can Whitelist the Domain or even the particular sender, hMailServer would not be performing any Spam Tests since that Domain would be Whitelisted for that Domain. This would mean that the email server which sent the email might not be authorized to send email for that Domain because determining this is a part of SPAM Tests if I am not mistaken.

The domain was clean, so that means the sender is probably on a shared server with other domains and one of them was compromised. The server is blacklisted but not because of the friend's domain, therefore, he's unlikely to receive spam from his friend's address, even though other domains on the same server may send spam to his server. So he's safe by whitelisting the friend's domain AND he's safe leaving the spamhouse (hehe) dnsbl in place.

jim.bus
Senior user
Posts: 701
Joined: 2011-05-28 11:49
Location: US

Re: Spamhouse.org question

Post by jim.bus » 2021-05-14 21:10

palinka wrote:
2021-05-14 12:01
jim.bus wrote:
2021-05-14 07:07
palinka wrote:
2021-05-13 19:42
Spamhaus removal search uses both IP and domain. They may or may not overlap. A clean domain does not mean a clean IP.

Your spamhaus score must be very high or your delete threshold must be very low for one test to cause a message to be deleted.

You can whitelist his email address to bypass spam tests.

I may be incorrect about this, but while DrmCA can Whitelist the Domain or even the particular sender, hMailServer would not be performing any Spam Tests since that Domain would be Whitelisted for that Domain. This would mean that the email server which sent the email might not be authorized to send email for that Domain because determining this is a part of SPAM Tests if I am not mistaken.

The domain was clean, so that means the sender is probably on a shared server with other domains and one of them was compromised. The server is blacklisted but not because of the friend's domain, therefore, he's unlikely to receive spam from his friend's address, even though other domains on the same server may send spam to his server. So he's safe by whitelisting the friend's domain AND he's safe leaving the spamhouse (hehe) dnsbl in place.

I understand that. I was just pointing out that by Whitelisting a Domain hMailServer will not check to see if the Email Server sending mail from that Domain is authorized to do so (SPF and DKIM checks). So any Email Server could be sending email from the Whitelisted Domain. But as you point out the Domain DrmCA would Whitelist is probably not being used in an unauthorized manner. I also Whitelist certain Domains but mostly I Whitelist specific Email Addresses as opposed to the whole Domain.

mikedibella
Senior user
Posts: 503
Joined: 2016-12-08 02:21

Re: Spamhouse.org question

Post by mikedibella » 2021-05-14 21:18

Thinking out-of-box. Can a negative score be used for a hit on an RBL? Perhaps the solution to this problem could be to implement a local responder loaded with whitelist zones, and configure HMS to lower scores when these zones produce non-NXD responses?

palinka
Senior user
Posts: 2704
Joined: 2017-09-12 17:57

Re: Spamhouse.org question

Post by palinka » 2021-05-14 23:14

mikedibella wrote:
2021-05-14 21:18
Thinking out-of-box. Can a negative score be used for a hit on an RBL? Perhaps the solution to this problem could be to implement a local responder loaded with whitelist zones, and configure HMS to lower scores when these zones produce non-NXD responses?

Can a negative score be used at all?

Soren has a blacklist function that adds N to spam score. Why wouldn't a negative number work for that?

I changed a few things here to get rid of the blacklisting aspect of it. Haven't tested this yet but I didn't change much from Soren's blacklist.

Code:

Sub ScoreSafe(oMessage, strMatch, iScore)
	Dim i, Done : Done = False
	If (oMessage.HeaderValue("X-hMailServer-Spam") = "YES") Then
		i = CInt(oMessage.HeaderValue("X-hMailServer-Reason-Score"))
	Else
		i = 0
	End If

	oMessage.HeaderValue("X-hMailServer-Reason-0") = "Scored Safe - (Score: " & iScore & " )"
	oMessage.HeaderValue("X-hMailServer-Reason-Score") = iScore + i
	i = 1
	Do Until Done
		If (oMessage.HeaderValue("X-hMailServer-ScoreSafe-" & i) = "") Then
			oMessage.HeaderValue("X-hMailServer-ScoreSafe-" & i) = strMatch
			Exit Do
		Else
			i = i + 1
		End If
	Loop
	oMessage.Save
End Sub


REM - friendly IP subject to sometimes abuse
If oClient.IPAddress = "1.2.3.4" Then Call ScoreSafe(oMessage, "Friend X Scored Safe", -10)

Although looking at it after fiddling with it, I think it's still better just to simply whitelist the email address unless you're trying to counteract something specific and known, like the OP's situation. Whatever his spamhouse (hehe) dnsbl scoring is, the "scoresafe" score should be the negative of that to simply wipe it out. If you don't have a predictable situation like this, then whitelisting is simply better - especially if the friend's server starts ending up on multiple lists.

Of course, that's assuming the function even works with negative numbers at all. I don't know the answer to that. Maybe I'll test it later.
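The trade-off argued over in the posts above (whitelisting the domain skips every spam test including SPF, while a negative score keyed to the friend's IP only cancels the DNSBL hit) can be worked through on three messages. This is an added example, not code from the thread or from hMailServer; it is a simplified scoring model, and the scores, thresholds, addresses and IPs are all constructed.

```python
# Simplified model of score-based filtering; all values below are constructed.
SCORES = {"dnsbl": 10, "spf_fail": 5}
MARK_AT, DELETE_AT = 5, 10
FRIEND_DOMAIN, FRIEND_IP = "friend.example", "192.0.2.25"

def score(msg):
    """Sum of the spam tests that fire for this message."""
    total = SCORES["dnsbl"] if msg["ip_listed"] else 0
    return total + (0 if msg["spf_pass"] else SCORES["spf_fail"])

def verdict(points):
    return "delete" if points >= DELETE_AT else "mark" if points >= MARK_AT else "deliver"

def from_friend(msg):
    return msg["from"].lower().endswith("@" + FRIEND_DOMAIN)

def no_exception(msg):
    return verdict(score(msg))

def whitelist_domain(msg):
    # Whitelisted sender: every spam test is skipped, SPF included.
    return "deliver" if from_friend(msg) else verdict(score(msg))

def offset_by_ip(msg):
    # Negative score equal to the DNSBL score for anything from the friend's IP.
    bonus = SCORES["dnsbl"] if msg["ip"] == FRIEND_IP else 0
    return verdict(score(msg) - bonus)

def offset_by_ip_and_sender(msg):
    # Same offset, but only when the IP and the sender domain both match.
    bonus = SCORES["dnsbl"] if msg["ip"] == FRIEND_IP and from_friend(msg) else 0
    return verdict(score(msg) - bonus)

MESSAGES = {   # constructed: real mail, a forged sender, another tenant of the listed server
    "genuine":   {"from": "bob@friend.example", "ip": FRIEND_IP,
                  "ip_listed": True, "spf_pass": True},
    "spoofed":   {"from": "bob@friend.example", "ip": "198.51.100.7",
                  "ip_listed": False, "spf_pass": False},
    "neighbour": {"from": "promo@other.example", "ip": FRIEND_IP,
                  "ip_listed": True, "spf_pass": True},
}
POLICIES = [no_exception, whitelist_domain, offset_by_ip, offset_by_ip_and_sender]

def compare():
    """Verdict of every policy for every sample message."""
    return {p.__name__: {name: p(m) for name, m in MESSAGES.items()} for p in POLICIES}

if __name__ == "__main__":
    for policy, results in compare().items():
        print(f"{policy:24} {results}")
```

In this model the domain whitelist delivers the forged message and the IP-only offset delivers the neighbour's mail; only the exception that requires both the IP and the sender domain lets the genuine mail through without widening either gap.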

SorenR
Senior user
Posts: 4596
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spamhouse.org question

Post by SorenR » 2021-05-15 01:02

I actually do this... Showing just the important code here...

Code:

    '
    '   Whitelisting
    '
    Done = False
    Whitelisted = False
    Do Until Done
        '
        '   Whitelist "X-Envelope-From:"
        '
        strRegEx = myListsRegEx(myListsDict, "//Whitelist/X-Envelope-From")
        If strRegEx <> "VOID" Then
            Set oMatchCollection = oLookup(strRegEx, oMessage.FromAddress, False)
            For Each oMatch In oMatchCollection
                Call myListsStat(myListsDict, oMatch)
                Whitelisted = True
                EventLogX.Write( LPad("WList X-From", 15, " ") & vbTab & LPad(oClient.IPAddress, 16, " ") & vbTab & LPad(" ", 3, " ") & vbTab & LPad(" ", 16, " ") & vbTab & oMessage.FromAddress )
                Call WhiteList(oMessage, "//Whitelist/X-Envelope-From = '" & oMatch.Value & "'")
            Next
            If oMatchCollection.Count > 0 Then Exit Do
        End If
        '
        '   Whitelist "From:"
        '
        strRegEx = myListsRegEx(myListsDict, "//Whitelist/From")
        If strRegEx <> "VOID" Then
            Set oMatchCollection = oLookup(strRegEx, oMessage.From, False)
            For Each oMatch In oMatchCollection
                Call myListsStat(myListsDict, oMatch)
                Whitelisted = True
                EventLogX.Write( LPad("WList From", 15, " ") & vbTab & LPad(oClient.IPAddress, 16, " ") & vbTab & LPad(" ", 3, " ") & vbTab & LPad(" ", 16, " ") & vbTab & oMessage.From )
                Call WhiteList(oMessage, "//Whitelist/From = '" & oMatch.Value & "'")
            Next
        End If
        Exit Do
    Loop


Sub WhiteList(oMessage, strMatch)
    Dim i, Done : Done = False
    If (oMessage.HeaderValue("X-hMailServer-Spam") = "YES") Then
        oMessage.HeaderValue("X-hMailServer-Spam") = "NO"
        oMessage.HeaderValue("X-hMailServer-Reason-Score") = "0"
    End If
    oMessage.HeaderValue("X-hMailServer-WhiteList") = "YES"
    i = 1
    Do Until Done
        If (oMessage.HeaderValue("X-hMailServer-WhiteList-" & i) = "") Then
            oMessage.HeaderValue("X-hMailServer-WhiteList-" & i) = strMatch
            Exit Do
        Else
            i = i + 1
        End If
    Loop
    oMessage.Save
End Sub

SørenR.


palinka
Senior user
Posts: 2704
Joined: 2017-09-12 17:57

Re: Spamhouse.org question

Post by palinka » 2021-05-15 01:40

SorenR wrote:
2021-05-15 01:02
I actually do this... Showing just the important code here...

Code:

    '
    '   Whitelisting
    '
    Done = False
    Whitelisted = False
    Do Until Done
        '
        '   Whitelist "X-Envelope-From:"
        '
        strRegEx = myListsRegEx(myListsDict, "//Whitelist/X-Envelope-From")
        If strRegEx <> "VOID" Then
            Set oMatchCollection = oLookup(strRegEx, oMessage.FromAddress, False)
            For Each oMatch In oMatchCollection
                Call myListsStat(myListsDict, oMatch)
                Whitelisted = True
                EventLogX.Write( LPad("WList X-From", 15, " ") & vbTab & LPad(oClient.IPAddress, 16, " ") & vbTab & LPad(" ", 3, " ") & vbTab & LPad(" ", 16, " ") & vbTab & oMessage.FromAddress )
                Call WhiteList(oMessage, "//Whitelist/X-Envelope-From = '" & oMatch.Value & "'")
            Next
            If oMatchCollection.Count > 0 Then Exit Do
        End If
        '
        '   Whitelist "From:"
        '
        strRegEx = myListsRegEx(myListsDict, "//Whitelist/From")
        If strRegEx <> "VOID" Then
            Set oMatchCollection = oLookup(strRegEx, oMessage.From, False)
            For Each oMatch In oMatchCollection
                Call myListsStat(myListsDict, oMatch)
                Whitelisted = True
                EventLogX.Write( LPad("WList From", 15, " ") & vbTab & LPad(oClient.IPAddress, 16, " ") & vbTab & LPad(" ", 3, " ") & vbTab & LPad(" ", 16, " ") & vbTab & oMessage.From )
                Call WhiteList(oMessage, "//Whitelist/From = '" & oMatch.Value & "'")
            Next
        End If
        Exit Do
    Loop


Sub WhiteList(oMessage, strMatch)
    Dim i, Done : Done = False
    If (oMessage.HeaderValue("X-hMailServer-Spam") = "YES") Then
        oMessage.HeaderValue("X-hMailServer-Spam") = "NO"
        oMessage.HeaderValue("X-hMailServer-Reason-Score") = "0"
    End If
    oMessage.HeaderValue("X-hMailServer-WhiteList") = "YES"
    i = 1
    Do Until Done
        If (oMessage.HeaderValue("X-hMailServer-WhiteList-" & i) = "") Then
            oMessage.HeaderValue("X-hMailServer-WhiteList-" & i) = strMatch
            Exit Do
        Else
            i = i + 1
        End If
    Loop
    oMessage.Save
End Sub

Have you ever tried a negative number as the "strMatch"?

mattg
Moderator
Posts: 21454
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Spamhouse.org question

Post by mattg » 2021-05-15 02:09

I include all SpamAssassin scores above Negative 500 (ie all SpamAssassin scores) and use the SA score
This works fine in hMailserver

You can't set negative scores using the GUI though
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
