Disable AHBL (Abuse Hosts) DNS blocklist in Spamassassin

Written by - 3 comments

Published on January 20th 2015 - Listed in Internet Mail Linux

Since this month, mails are often wrongly tagged as spam by Spamassassin because of a wrong lookup in the AHBL DNSBL:

Content analysis details:   (10.0 points, 5.0 required)

 pts rule name              description
---- ----------------------
 2.4 DNS_FROM_AHBL_RHSBL    RBL: Envelope sender listed in dnsbl.ahbl.org
 3.0 CK_DIVERS_BODY         BODY: Mail contents one of the words
 1.4 FUZZY_CREDIT           BODY: Attempt to obfuscate words in spam
 0.7 HTML_TAG_BALANCE_BODY  BODY: HTML has unbalanced "body" tags
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.3 RDNS_NONE              Delivered to internal network by a host with no
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information

According to the ahbl website, the dnsbl has stopped its services and this may cause false positives in the lookups:

If you are still using these services, this may cause you to incorrectly tag e-mail as spam, or create other unintended consequences.  Fix and maintain your servers, now.  Do not contact us about 'removing' your domain or IP address from our lists, as there is nothing we can do for you.

OK, the message is clear. Let's maintain the servers.

First of all it is important to know, that the AHBL is a default DNSBL used by Spamassassin. So that configuration doesn't come from the end user but from Spamassassin itself. This is mentioned on https://wiki.apache.org/spamassassin/DnsBlocklists :

Black Lists

Support for the following DNSBLs is built-in, and shipped in the default configuration.

    AHBL http://www.ahbl.org/

    NJABL http://www.njabl.org/

    SORBS http://www.sorbs.net/

    SPAMCOP http://www.spamcop.net/

    Spamhaus PBL+SBL+XBL http://www.spamhaus.org/ NOTE: Spamhaus is enabled as a "free for most" provider. See: http://www.spamhaus.org/organization/dnsblusage.html.


So the AHBL has to be manually disabled in the default Spamassassin rules. In a Debian installation these can be found in /usr/share/spamassasin. Let's grep for the AHBL:

grep ahbl /usr/share/spamassassin/*
/usr/share/spamassassin/20_dnsbl_tests.cf:header DNS_FROM_AHBL_RHSBL      eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
/usr/share/spamassassin/20_dnsbl_tests.cf:describe DNS_FROM_AHBL_RHSBL    Envelope sender listed in dnsbl.ahbl.org
/usr/share/spamassassin/30_text_de.cf:lang de describe DNS_FROM_AHBL_RHSBL Absenderadresse in Liste von dnsbl.ahbl.org

The following section can be commented or deleted from /usr/share/spamassassin/20_dnsbl_tests.cf:

# Now, single zone BLs follow:

# another domain-based blacklist
header DNS_FROM_AHBL_RHSBL      eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
describe DNS_FROM_AHBL_RHSBL    Envelope sender listed in dnsbl.ahbl.org
tflags DNS_FROM_AHBL_RHSBL      net

IMHO this should be fixed directly from Spamassassin or in the Spamassassin Debian package instead of manually fiddling around in the default rules. But hey - there's already an open bug for this issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774768. According to this bug, this problem could/can be prevented by regularly updating the Spamassassin rules with a cronjob. The cronjob can be enabled by setting "CRON=1" in /etc/default/spamassassin. However even with a manual launch of "sa-update", no rules were updated.

This leaves only two options:

1) Comment or delete the AHBL from the default rule definition in /usr/share/spamassassin/20_dnsbl_tests.cf or
2) Overwrite the scoring of "DNS_FROM_AHBL_RHSBL" in /etc/spamassassin/local.cf .

Add a comment

Show form to leave a comment

Comments (newest first)

Orly from Philippines wrote on Mar 25th, 2015:

Will be applying both just to be sure.

And hope this will solve our (similar) concern as well.

Thanks, indeed.

alex from wrote on Feb 25th, 2015:

thanks for the info.

Regarding the Debian bug report, this has been fixed in SA 3.4, which is in Wheezy Backports, https://packages.debian.org/wheezy-backports/spamassassin

Chris from PE, Canada wrote on Jan 31st, 2015:

Perfect, thanks.