Since this month, mails are often wrongly tagged as spam by Spamassassin because of a wrong lookup in the AHBL DNSBL:
Content analysis details: (10.0 points, 5.0 required)
pts rule name description
2.4 DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in dnsbl.ahbl.org
3.0 CK_DIVERS_BODY BODY: Mail contents one of the words
1.4 FUZZY_CREDIT BODY: Attempt to obfuscate words in spam
0.7 HTML_TAG_BALANCE_BODY BODY: HTML has unbalanced "body" tags
0.0 HTML_MESSAGE BODY: HTML included in message
1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
1.3 RDNS_NONE Delivered to internal network by a host with no
0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information
According to the ahbl website, the dnsbl has stopped its services and this may cause false positives in the lookups:
If you are still using these services, this may cause you to incorrectly tag e-mail as spam, or create other unintended consequences. Fix and maintain your servers, now. Do not contact us about 'removing' your domain or IP address from our lists, as there is nothing we can do for you.
OK, the message is clear. Let's maintain the servers.
First of all it is important to know, that the AHBL is a default DNSBL used by Spamassassin. So that configuration doesn't come from the end user but from Spamassassin itself. This is mentioned on https://wiki.apache.org/spamassassin/DnsBlocklists :
Support for the following DNSBLs is built-in, and shipped in the default configuration.
Spamhaus PBL+SBL+XBL http://www.spamhaus.org/ NOTE: Spamhaus is enabled as a "free for most" provider. See: http://www.spamhaus.org/organization/dnsblusage.html.
So the AHBL has to be manually disabled in the default Spamassassin rules. In a Debian installation these can be found in /usr/share/spamassasin. Let's grep for the AHBL:
grep ahbl /usr/share/spamassassin/*
/usr/share/spamassassin/20_dnsbl_tests.cf:header DNS_FROM_AHBL_RHSBL eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
/usr/share/spamassassin/20_dnsbl_tests.cf:describe DNS_FROM_AHBL_RHSBL Envelope sender listed in dnsbl.ahbl.org
/usr/share/spamassassin/30_text_de.cf:lang de describe DNS_FROM_AHBL_RHSBL Absenderadresse in Liste von dnsbl.ahbl.org
The following section can be commented or deleted from /usr/share/spamassassin/20_dnsbl_tests.cf:
# Now, single zone BLs follow:
# another domain-based blacklist
header DNS_FROM_AHBL_RHSBL eval:check_rbl_envfrom('ahbl', 'rhsbl.ahbl.org.')
describe DNS_FROM_AHBL_RHSBL Envelope sender listed in dnsbl.ahbl.org
tflags DNS_FROM_AHBL_RHSBL net
IMHO this should be fixed directly from Spamassassin or in the Spamassassin Debian package instead of manually fiddling around in the default rules. But hey - there's already an open bug for this issue: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774768. According to this bug, this problem could/can be prevented by regularly updating the Spamassassin rules with a cronjob. The cronjob can be enabled by setting "CRON=1" in /etc/default/spamassassin. However even with a manual launch of "sa-update", no rules were updated.
This leaves only two options:
1) Comment or delete the AHBL from the default rule definition in /usr/share/spamassassin/20_dnsbl_tests.cf or
2) Overwrite the scoring of "DNS_FROM_AHBL_RHSBL" in /etc/spamassassin/local.cf .
Orly from Philippines wrote on Mar 25th, 2015:
Will be applying both just to be sure.
And hope this will solve our (similar) concern as well.
alex from wrote on Feb 25th, 2015:
thanks for the info.
Regarding the Debian bug report, this has been fixed in SA 3.4, which is in Wheezy Backports, https://packages.debian.org/wheezy-backports/spamassassin
Chris from PE, Canada wrote on Jan 31st, 2015:
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Container Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 InfluxDB Internet Java KVM Kibana Kodi Kubernetes LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder