• Re: Fixing feature(enhdnsbl) so that a rate-limit response doesn't caus

    From Marco Moock@21:1/5 to All on Wed Aug 23 11:45:04 2023
    On 23.08.2023 at 02:20:09, Gushi wrote:

    > Hey there,
    >
    > It looks like right now, occasionally, spamhaus will return a code of 127.255.255.255 or 127.255.255.254 if you are querying them too much,
    > or if you're doing so (perhaps inadvertently) via a public resolver,
    > as I had managed to do on one newly installed box.
    >
    > It would be great if the enhdnsbl code had overrides that could
    > ignore these specific codes, rather than simply blocking on ANY
    > returned A record from the BL zone.
    >
    > How difficult would this be to implement?

    In sendmail 4th edition 7.2.2 (pdf page 288ff)

    Maybe that is helpful for you:


    | Here, the address is the IP address of the sending host. The
    | dialups.mail-abuse.org matches the lookup host specified in the second
    | argument to the FEATURE(enhdnsbl). If the t were omitted, as for
    | example: FEATURE(enhdnsbl,`dialups.mail-abuse.org', `"550 dial-up site
    | refused"', ,`127.0.0.3.')
    | temporary lookups will be ignored and the message will be accepted.
    | The fourth argument is the expected result of the lookup. For the
    | lookup host dialups.mail-abuse.org, a successful lookup (one that means
    | the message should be rejected) will return the address 127.0.0.3.
    | Different lookup hosts will return different addresses on success, so
    | you will need to visit the appropriate web site to determine the
    | address to match. If the address is omitted from the FEATURE(enhdnsbl),
    | any successfully returned address will cause the message to be
    | rejected. If more than one address can be returned, you can list up to
    | five more following the first one. In the following, we list three
    | possible returned addresses (the line is wrapped to fit the page):
    | FEATURE(enhdnsbl,`dialups.mail-abuse.org', `"550 dial-up site
    | refused"', ,`127.0.0.1.', `127.0.0.2.', `127.0.0.3.')

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus Aßmann@21:1/5 to Gushi on Wed Aug 23 06:04:04 2023
    Gushi wrote:

    > It would be great if the enhdnsbl code had overrides that could ignore
    > these specific codes, rather than simply blocking on ANY returned A
    > record from the BL zone.
    >
    > How difficult would this be to implement?

    Seems someone already did something like that...
    and it is documented in cf/README:

    enhdnsbl Enhanced version of dnsbl (see above). Further arguments
    (up to 5) can be used to specify specific return values
    from lookups. Temporary lookup failures are ignored unless
    [[ read on for details ... ]]


    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

  • From Gushi@21:1/5 to All on Tue Aug 29 23:42:28 2023
    On Wednesday, August 23, 2023 at 3:04:07 AM UTC-7, Claus Aßmann wrote:
    > Gushi wrote:
    >
    > > It would be great if the enhdnsbl code had overrides that could ignore these specific codes, rather than simply blocking on ANY returned A
    > > record from the BL zone.
    > >
    > > How difficult would this be to implement?
    > Seems someone already did something like that...
    > and it is documented in cf/README:
    >
    > enhdnsbl Enhanced version of dnsbl (see above). Further arguments
    > (up to 5) can be used to specify specific return values
    > from lookups. Temporary lookup failures are ignored unless
    > [[ read on for details ... ]]

    This does not seem to work. When I enable this as recommended by this page:

    https://docs.spamhaus.com/datasets/docs/source/40-real-world-usage/PublicMirrors/MTAs/030-Sendmail.html

    By adding:

    FEATURE(enhdnsbl,`zen.spamhaus.org', `"554 Connecting client IP address listed in Spamhaus ZEN. See https://www.spamhaus.org/query/ip/"$client_address" for details"', `127.0.0.2', `127.0.0.3', `127.0.0.4', `127.0.0.9', `127.0.0.10', `127.0.0.11')dnl

    I find that mails are not blocked, and instead fall through to the reverse DNS checking:

    Aug 30 06:16:24 <mail.info> prime sm-mta[51635]: 37U6GK0Y051635: dns emx.mail.ru. => 94.100.180.180
    Aug 30 06:16:24 <mail.info> prime sm-mta[51635]: 37U6GK0Y051635: dns 240.52.65.128.zen.spamhaus.org. => 127.0.0.4
    Aug 30 06:16:24 <mail.notice> prime sm-mta[51635]: 37U6GK0Y051635: ruleset=check_rcpt, arg1=<adm1@nnnnn.org>, relay=[128.65.52.240], reject=550 5.7.1 <adm1@nnnnn.org>... Fix reverse DNS for 128.65.52.240

    In the event something does have reverse DNS, it gets through:

    Aug 30 02:37:35 <mail.info> prime sm-mta[27963]: 37U2bJV4027963: dns mail.zadiodim-rostov.ru. => 185.26.123.232
    Aug 30 02:37:35 <mail.info> prime sm-mta[27963]: 37U2bJV4027963: dns 170.157.12.181.zen.spamhaus.org. => 127.0.0.3
    Aug 30 02:37:36 <mail.info> prime sm-mta[27963]: 37U2bJV4027963: Milter: to=<524swss4ayreqg@nnnnn.com>, reject=451 4.7.1 Greylisting in action, please come back in 00:10:00
    Aug 30 02:37:36 <mail.notice> prime sm-mta[27963]: 37U2bJV4027963: lost input channel from host170.181-12-157.telecom.net.ar [181.12.157.170] to MTA after rcpt
    Aug 30 02:37:36 <mail.info> prime sm-mta[27963]: 37U2bJV4027963: from=<3q1w789o8zhvcneu@nnnnn.ru>, size=0, class=0, nrcpts=100, proto=ESMTP, daemon=MTA, relay=host170.181-12-157.telecom.net.ar [181.12.157.170]

    Yes, that's six arguments, and I note cf/README says "up to five" arguments, so I shortened it to just one return code: 127.0.0.11

    Still no luck:

    Aug 30 06:20:16 <mail.info> prime sm-mta[52272]: 37U6KBvV052272: dns aspmx.l.google.com. => 142.250.27.27
    Aug 30 06:20:16 <mail.info> prime sm-mta[52272]: 37U6KBvV052272: dns alt1.aspmx.l.google.com. => 142.251.9.26
    Aug 30 06:20:16 <mail.info> prime sm-mta[52272]: 37U6KBvV052272: dns alt2.aspmx.l.google.com. => 142.250.150.26
    Aug 30 06:20:16 <mail.info> prime sm-mta[52272]: 37U6KBvV052272: dns aspmx2.googlemail.com. => 142.251.9.27
    Aug 30 06:20:16 <mail.info> prime sm-mta[52272]: 37U6KBvV052272: dns aspmx3.googlemail.com. => 142.250.150.27
    Aug 30 06:20:16 <mail.info> prime sm-mta[52272]: 37U6KBvV052272: dns 114.24.0.196.zen.spamhaus.org. => 127.0.0.11
    Aug 30 06:20:16 <mail.notice> prime sm-mta[52272]: 37U6KBvV052272: ruleset=check_rcpt, arg1=<josefa@nnnnn.com>, relay=[196.0.24.114], reject=550 5.7.1 <josefa@nnnnn.com>... Fix reverse DNS for 196.0.24.114

    When I remove the ip argument so it's only:

    FEATURE(enhdnsbl,`zen.spamhaus.org', `blocked by zen', `t')dnl

    I once again start getting blocks.

    Am I formatting the return codes wrong?

    As a note, here's what winds up in my sendmail.cf both with and without an IP address, respectively. I'm also noticing that it's stuffing the require_rdns code right after the RBL, versus giving it its own section.

    Not working:
    # DNS based IP address spam list zen.spamhaus.org
    R$* $: $&{client_addr}
    R$-.$-.$-.$- $: <?> $(ednsbl $4.$3.$2.$1.zen.spamhaus.org. $: OK $)
    R<?>OK $: OKSOFAR
    R<?>$+<TMP> $#error $@ 4.4.3 $: "451 Temporary lookup failure of " $&{client_addr} " at zen.spamhaus.org"
    R<?>127.0.0.11 $#error $@ 5.7.1 $: blocked by zen
    R$* $: $&{client_addr} $| $&{client_resolve}
    R$=R $* $@ RELAY We relay for these
    R$* $| OK $@ OK Resolves.
    R$* $| FAIL $#error $@ 5.7.1 $: 550 Fix reverse DNS for $1
    R$* $| TEMP $#error $@ 4.1.8 $: 451 Client IP address $1 does not resolve
    R$* $| FORGED $#error $@ 4.1.8 $: 451 Possibly forged hostname for $1

    Working:
    # DNS based IP address spam list zen.spamhaus.org
    R$* $: $&{client_addr}
    R$-.$-.$-.$- $: <?> $(ednsbl $4.$3.$2.$1.zen.spamhaus.org. $: OK $)
    R<?>OK $: OKSOFAR
    R<?>$+<TMP> $#error $@ 4.4.3 $: "451 Temporary lookup failure of " $&{client_addr} " at zen.spamhaus.org"
    R<?>$+ $#error $@ 5.7.1 $: blocked by zen
    R$* $: $&{client_addr} $| $&{client_resolve}
    R$=R $* $@ RELAY We relay for these
    R$* $| OK $@ OK Resolves.
    R$* $| FAIL $#error $@ 5.7.1 $: 550 Fix reverse DNS for $1
    R$* $| TEMP $#error $@ 4.1.8 $: 451 Client IP address $1 does not resolve
    R$* $| FORGED $#error $@ 4.1.8 $: 451 Possibly forged hostname for $1

    -Dan

  • From Claus Aßmann@21:1/5 to Gushi on Wed Aug 30 03:23:08 2023
    Gushi wrote:

    > FEATURE(enhdnsbl,`zen.spamhaus.org', `"554 Connecting client IP address
    ..
    > `127.0.0.2', `127.0.0.3', `127.0.0.4', `127.0.0.9', `127.0.0.10',

    Add a trailing dot to each IP:
    `127.0.0.2.'

    (and if that works, tell the people who wrote the webpage...)

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.
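
An added example (not part of the thread or of sendmail): a small Python lint for the mistake resolved above. It scans `.mc` text for `FEATURE(enhdnsbl, ...)` calls and flags return-code arguments written without the trailing dot, as well as an IP address that landed in the temporary-failure slot. The argument layout is taken from the book excerpt and the working line quoted in the thread; `m4_args`, `lint_enhdnsbl`, `SAMPLE_MC` and the zone `bl.example.org` are names made up for this example.

```python
import re

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def m4_args(text, open_paren):
    """Split the macro call opening at text[open_paren] into m4 arguments."""
    args, cur, quote, paren = [], [], 0, 0
    for ch in text[open_paren + 1:]:
        if ch == "`":
            quote += 1
            if quote == 1:
                continue              # drop the outermost opening quote
        elif ch == "'" and quote:
            quote -= 1
            if quote == 0:
                continue              # drop the outermost closing quote
        elif quote == 0:
            if ch == ")" and paren == 0:
                return args + ["".join(cur).strip()]
            if ch == "," and paren == 0:
                args.append("".join(cur).strip())
                cur = []
                continue
            paren += (ch == "(") - (ch == ")")   # track nested parentheses
        cur.append(ch)
    raise ValueError("unterminated macro call")

def lint_enhdnsbl(mc_text):
    """Return (zone, value, problem) for suspicious enhdnsbl return-code arguments."""
    findings = []
    for m in re.finditer(r"FEATURE\(", mc_text):
        args = m4_args(mc_text, m.end() - 1)
        if len(args) < 2 or args[0] != "enhdnsbl":
            continue
        # Layout assumed from the thread: name, zone, reject msg, `t'/tempfail msg, codes...
        if len(args) > 3 and IPV4.fullmatch(args[3].rstrip(".")):
            findings.append((args[1], args[3], "return code in the temp-failure slot"))
        findings += [(args[1], c, "missing trailing dot") for c in args[4:] if IPV4.fullmatch(c)]
    return findings

# Constructed sample .mc lines (bl.example.org is a placeholder zone).
SAMPLE_MC = """\
FEATURE(enhdnsbl,`zen.spamhaus.org', `blocked by zen', `t', `127.0.0.11')dnl
FEATURE(enhdnsbl,`dialups.mail-abuse.org', `"550 dial-up site refused"', ,`127.0.0.3.')dnl
FEATURE(enhdnsbl,`bl.example.org', `"554 listed"', `127.0.0.2', `127.0.0.3')dnl
"""

if __name__ == "__main__":
    print(*lint_enhdnsbl(SAMPLE_MC), sep="\n")
```

Once explicit return values are listed, answers that are not in the list, such as the 127.255.255.254 and 127.255.255.255 codes from the start of the thread, match no reject rule.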
