Since this month, mails have often been wrongly tagged as spam by Spamassassin because of a false lookup result from the AHBL DNSBL:
Content analysis details: (10.0 points, 5.0 required)
 pts rule name              description
 2.4 DNS_FROM_AHBL_RHSBL    RBL: Envelope sender listed in dnsbl.ahbl.org
 3.0 CK_DIVERS_BODY         BODY: Mail contents one of the words
 1.4 FUZZY_CREDIT           BODY: Attempt to obfuscate words in spam
 0.7 HTML_TAG_BALANCE_BODY  BODY: HTML has unbalanced "body" tags
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 1.3 RDNS_NONE              Delivered to internal network by a host with no
 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
According to the AHBL website, the DNSBL has shut down its services, which may cause false positives in lookups:
If you are still using these services, this may cause you to incorrectly tag e-mail as spam, or create other unintended consequences. Fix and maintain your servers, now. Do not contact us about 'removing' your domain or IP address from our lists, as there is nothing we can do for you.
OK, the message is clear. Let's maintain the servers.
First of all, it is important to know that the AHBL is a default DNSBL used by Spamassassin. The configuration therefore doesn't come from the end user but from Spamassassin itself. This is mentioned on https://wiki.apache.org/spamassassin/DnsBlocklists:
Support for the following DNSBLs is built-in, and shipped in the default configuration.
Spamhaus PBL+SBL+XBL http://www.spamhaus.org/ NOTE: Spamhaus is enabled as a "free for most" provider. See: http://www.spamhaus.org/organization/dnsblusage.html.
So the AHBL has to be manually disabled in the default Spamassassin rules. In a Debian installation these can be found in /usr/share/spamassassin. Let's grep for the AHBL:
grep ahbl /usr/share/spamassassin/*
/usr/share/spamassassin/20_dnsbl_tests.cf:header DNS_FROM_AHBL_RHSBL eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
/usr/share/spamassassin/20_dnsbl_tests.cf:describe DNS_FROM_AHBL_RHSBL Envelope sender listed in dnsbl.ahbl.org
/usr/share/spamassassin/30_text_de.cf:lang de describe DNS_FROM_AHBL_RHSBL Absenderadresse in Liste von dnsbl.ahbl.org
The following section can be commented out or deleted from /usr/share/spamassassin/20_dnsbl_tests.cf:
# Now, single zone BLs follow:
# another domain-based blacklist
header DNS_FROM_AHBL_RHSBL eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
describe DNS_FROM_AHBL_RHSBL Envelope sender listed in dnsbl.ahbl.org
tflags DNS_FROM_AHBL_RHSBL net
IMHO this should be fixed directly in Spamassassin or in the Spamassassin Debian package instead of manually fiddling around in the default rules. But hey, there's already an open bug for this issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774768. According to this bug, the problem can be prevented by regularly updating the Spamassassin rules with a cronjob. The cronjob can be enabled by setting "CRON=1" in /etc/default/spamassassin. However, even with a manual launch of "sa-update", no rules were updated.
This leaves only two options:
1) Comment out or delete the AHBL rule from the default rule definition in /usr/share/spamassassin/20_dnsbl_tests.cf or
2) Override the scoring of "DNS_FROM_AHBL_RHSBL" in /etc/spamassassin/local.cf.
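Option 2 comes down to a "score DNS_FROM_AHBL_RHSBL 0" line in local.cf, because Spamassassin does not run a rule whose score is 0. The script below is an added example, not part of the original post: it lists the rules that query a retired DNSBL zone and reports whether local.cf disables them. The sample files and the rule name DNS_FROM_EXAMPLE_RHSBL are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: audit SpamAssassin rule files for rules that query a retired
# DNSBL zone and report whether local.cf disables them with a zero score.

# Print the names of "header" rules whose check_rbl* eval queries ZONE.
rules_for_zone() {      # usage: rules_for_zone ZONE RULEFILE...
    zone=$1; shift
    awk -v zone="$zone" \
        '$1 == "header" && /eval:check_rbl/ && index($0, zone) { print $2 }' "$@" |
        sort -u
}

# Succeed if the last "score RULE ..." line in LOCALCF sets every value to 0
# (a score line carries one or four values; later lines override earlier ones).
is_zero_scored() {      # usage: is_zero_scored RULE LOCALCF
    awk -v rule="$1" '
        $1 == "score" && $2 == rule {
            n = 0; zero = 1
            for (i = 3; i <= NF && $i !~ /^#/; i++) { n++; if ($i + 0 != 0) zero = 0 }
        }
        END { exit !(n > 0 && zero) }' "$2"
}

# Print "RULE disabled" or "RULE active" for every rule that queries ZONE.
audit_zone() {          # usage: audit_zone ZONE LOCALCF RULEFILE...
    az_zone=$1; az_local=$2; shift 2
    for rule in $(rules_for_zone "$az_zone" "$@"); do
        if is_zero_scored "$rule" "$az_local"; then echo "$rule disabled"
        else echo "$rule active"; fi
    done
}

# Constructed sample files. On Debian the real ones are
# /usr/share/spamassassin/*.cf and /etc/spamassassin/local.cf.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/20_dnsbl_tests.cf" <<'EOF'
header DNS_FROM_AHBL_RHSBL eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
describe DNS_FROM_AHBL_RHSBL Envelope sender listed in dnsbl.ahbl.org
tflags DNS_FROM_AHBL_RHSBL net
header DNS_FROM_EXAMPLE_RHSBL eval:check_rbl_envfrom('example', 'rhsbl.example.org.')
EOF
echo '# no overrides yet' > "$SAMPLE/local.cf"
audit_zone ahbl.org "$SAMPLE/local.cf" "$SAMPLE/20_dnsbl_tests.cf"   # before
echo 'score DNS_FROM_AHBL_RHSBL 0' >> "$SAMPLE/local.cf"
audit_zone ahbl.org "$SAMPLE/local.cf" "$SAMPLE/20_dnsbl_tests.cf"   # after
```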
Orly from Philippines wrote on Mar 25th, 2015:
Will be applying both just to be sure.
And hope this will solve our (similar) concern as well.
alex from wrote on Feb 25th, 2015:
thanks for the info.
Regarding the Debian bug report, this has been fixed in SA 3.4, which is in Wheezy Backports, https://packages.debian.org/wheezy-backports/spamassassin
Chris from PE, Canada wrote on Jan 31st, 2015: