Disable AHBL (Abuse Hosts) DNS blocklist in SpamAssassin



Since this month, SpamAssassin has often wrongly tagged mails as spam because of a faulty lookup in the AHBL DNSBL:

Content analysis details:   (10.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.4 DNS_FROM_AHBL_RHSBL    RBL: Envelope sender listed in dnsbl.ahbl.org
 3.0 CK_DIVERS_BODY         BODY: Mail contents one of the words
 1.4 FUZZY_CREDIT           BODY: Attempt to obfuscate words in spam
 0.7 HTML_TAG_BALANCE_BODY  BODY: HTML has unbalanced "body" tags
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.3 RDNS_NONE              Delivered to internal network by a host with no
                            rDNS
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information

According to the AHBL website, the DNSBL has stopped its services, and this may cause false positives in the lookups:

If you are still using these services, this may cause you to incorrectly tag e-mail as spam, or create other unintended consequences.  Fix and maintain your servers, now.  Do not contact us about 'removing' your domain or IP address from our lists, as there is nothing we can do for you.

OK, the message is clear. Let's maintain the servers.

First of all, it is important to know that the AHBL is a default DNSBL used by SpamAssassin. The configuration therefore doesn't come from the end user but from SpamAssassin itself. This is mentioned on https://wiki.apache.org/spamassassin/DnsBlocklists :

Black Lists

Support for the following DNSBLs is built-in, and shipped in the default configuration.

    AHBL http://www.ahbl.org/

    NJABL http://www.njabl.org/

    SORBS http://www.sorbs.net/

    SPAMCOP http://www.spamcop.net/

    Spamhaus PBL+SBL+XBL http://www.spamhaus.org/ NOTE: Spamhaus is enabled as a "free for most" provider. See: http://www.spamhaus.org/organization/dnsblusage.html.

[...]

So the AHBL has to be manually disabled in the default SpamAssassin rules. In a Debian installation these can be found in /usr/share/spamassassin. Let's grep for the AHBL:

grep ahbl /usr/share/spamassassin/*
/usr/share/spamassassin/20_dnsbl_tests.cf:header DNS_FROM_AHBL_RHSBL      eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
/usr/share/spamassassin/20_dnsbl_tests.cf:describe DNS_FROM_AHBL_RHSBL    Envelope sender listed in dnsbl.ahbl.org
/usr/share/spamassassin/30_text_de.cf:lang de describe DNS_FROM_AHBL_RHSBL Absenderadresse in Liste von dnsbl.ahbl.org

The following section can be commented out or deleted from /usr/share/spamassassin/20_dnsbl_tests.cf:

# Now, single zone BLs follow:

# another domain-based blacklist
header DNS_FROM_AHBL_RHSBL      eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
describe DNS_FROM_AHBL_RHSBL    Envelope sender listed in dnsbl.ahbl.org
tflags DNS_FROM_AHBL_RHSBL      net
reuse  DNS_FROM_AHBL_RHSBL

IMHO this should be fixed directly in SpamAssassin or in the SpamAssassin Debian package instead of manually fiddling around in the default rules. But hey, there's already an open bug for this issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774768. According to this bug, the problem can be prevented by regularly updating the SpamAssassin rules with a cronjob. The cronjob can be enabled by setting "CRON=1" in /etc/default/spamassassin. However, even with a manual launch of "sa-update", no rules were updated.

This leaves only two options:

1) Comment out or delete the AHBL rule in the default rule definition in /usr/share/spamassassin/20_dnsbl_tests.cf or
2) Override the score of "DNS_FROM_AHBL_RHSBL" in /etc/spamassassin/local.cf .
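
Option 2 as a repeatable step, added here as an example that is not part of the original post: a score of 0 tells SpamAssassin not to run the rule, and local.cf is not replaced when the packaged rules under /usr/share/spamassassin are. The script name disable-ahbl.sh and the function names disable_rule and rule_points are made up for this example.

```shell
#!/bin/sh
# Added example: option 2, a score override in local.cf (not the post's code).
RULE="DNS_FROM_AHBL_RHSBL"   # rule name taken from the report in the post

# Append "score RULE 0" to the config file $1 unless an active (uncommented)
# zero-score line for the rule is already there. Safe to run repeatedly.
disable_rule() {
    cf="$1"
    if grep -Eq "^[[:space:]]*score[[:space:]]+${RULE}[[:space:]]+0(\.0+)?[[:space:]]*(#.*)?$" "$cf" 2>/dev/null; then
        return 0
    fi
    # Keep a copy of the previous file so the change is easy to revert.
    if [ -f "$cf" ]; then
        cp -p "$cf" "$cf.bak"
    fi
    printf '\n# AHBL has stopped its services; lookups cause false positives\nscore %s 0\n' "$RULE" >> "$cf"
}

# Read a SpamAssassin "Content analysis details" report on stdin and print
# the points it assigned to RULE (prints nothing if the rule did not fire).
rule_points() {
    awk -v r="$RULE" '$2 == r { print $1 }'
}

# Usage (hypothetical script name): sh disable-ahbl.sh --apply [path/to/local.cf]
if [ "${1:-}" = "--apply" ]; then
    disable_rule "${2:-/etc/spamassassin/local.cf}" || exit 1
    # --lint makes SpamAssassin parse its configuration and report errors.
    if command -v spamassassin >/dev/null 2>&1; then
        spamassassin --lint || exit 1
    fi
    echo "Override written; restart the SpamAssassin daemon to load it."
fi
```

After the restart, piping the report of a newly scanned message into rule_points should print nothing for this rule.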



Comments (newest first)

Orly from Philippines wrote on Mar 25th, 2015:

Will be applying both just to be sure.

And hope this will solve our (similar) concern as well.

Thanks, indeed.


alex from wrote on Feb 25th, 2015:

thanks for the info.

Regarding the Debian bug report, this has been fixed in SA 3.4, which is in Wheezy Backports, https://packages.debian.org/wheezy-backports/spamassassin


Chris from PE, Canada wrote on Jan 31st, 2015:

Perfect, thanks.

