On 04/01/2018 09:25 AM, Michael Brunnbauer wrote:
> hi
> I think I lost quite a few customers in the last months because DNS-lookups
> are fucked up with Spamassassin so all DNSBL tests won't trigger while not
> reporting errors. A problem with newer versions of Net::DNS that has been
> known for months without any consequences - like a new release. This sucks.
> So I downgraded to Net-DNS-0.83 today and got spamassassin working but not
> spamd.
> spamassassin -D looks like:
> Apr 1 15:30:18.733 [22195] dbg: dns: hit <dns:210.8.207.185.zen.spamhaus.org> 127.0.0.3
> spamd -D looks like:
> Apr 1 15:10:51 merlot spamd[6505]: dns: hit <dns:210.8.207.185.zen.spamhaus.org> \# 4 7f000003
> One time the result is an IP as integer and one time it's a normal IP. The
> integer result is not recognized and the DNSBL tests do not trigger.
> What can I do?
What is your MTA? You should do as much as possible in the MTA like RBL
checks and other basic DNS checks. If you are using Postfix, enable
postscreen to help a lot with defaults. Then enable weighted RBL checks
in postscreen like we have mentioned often on this mailing list in the
past year or so. Make sure you add postwhite from github.com along
with the postscreen weighted RBLs.
Enable greylisting, rate limiting, connection limits, pipelining limits,
etc. in the MTA too. Set up a high MX that simply tempfails everything
to attract botnets that won't retry.
Set up OpenDMARC, OpenDKIM, and policyd-spf to improve SA's ability to
allow through trusted senders. Add dkimwl.org rules along with other
custom rules that have been discussed the past year or so on this
mailing list like:
DecodeShortURLs.cf & pm
iXhash2.cf & pm
dwl.dnswl.org
dkimwl.org
KAM.cf
b.barracudacentral.org
ubl.unsubscore.com (Lashback)
score.senderscore.com
UNOFFICIAL ClamAV sigs from sanesecurity.com
Invaluement (subscription required but it's not expensive and worth
every bit)
--
David Jones
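
Added example, not part of either message and not SpamAssassin code: a log check for the silent failure described in the question, which finds `dns: hit` lines whose answer is in generic `\# <length> <hex>` form and decodes it to the dotted quad a DNSBL rule expects. The function names are hypothetical, the first two sample lines are constructed from the two debug outputs quoted above, and the third is a constructed malformed case.

```python
import ipaddress
import re

# Constructed sample input modelled on the debug lines quoted in the thread.
SAMPLE_LOG = r"""
Apr 1 15:30:18.733 [22195] dbg: dns: hit <dns:210.8.207.185.zen.spamhaus.org> 127.0.0.3
Apr 1 15:10:51 merlot spamd[6505]: dns: hit <dns:210.8.207.185.zen.spamhaus.org> \# 4 7f000003
Apr 1 15:10:52 merlot spamd[6505]: dns: hit <dns:210.8.207.185.zen.spamhaus.org> \# 4 7f0000
"""

HIT_RE = re.compile(r"dns: hit <dns:(?P<name>[^>]+)>\s+(?P<rdata>.+?)\s*$")
# Generic rdata presentation: backslash-hash, byte count, hex payload.
GENERIC_RE = re.compile(r"^\\#\s+(?P<len>\d+)\s+(?P<hex>[0-9A-Fa-f\s]*)$")


def decode_rdata(rdata):
    """Return (dotted_quad, was_generic); raise ValueError if not a valid A answer."""
    m = GENERIC_RE.match(rdata)
    if not m:
        return str(ipaddress.IPv4Address(rdata)), False
    raw = bytes.fromhex("".join(m.group("hex").split()))
    if len(raw) != int(m.group("len")):
        raise ValueError("declared length does not match hex payload")
    if len(raw) != 4:
        raise ValueError("payload is not a 4-byte IPv4 address")
    return str(ipaddress.IPv4Address(raw)), True


def scan(log_text):
    """Return (query_name, decoded_ip_or_None, status) for every 'dns: hit' line."""
    findings = []
    for line in log_text.splitlines():
        m = HIT_RE.search(line)
        if not m:
            continue
        try:
            ip, generic = decode_rdata(m.group("rdata"))
            status = "generic" if generic else "ok"
        except ValueError:
            ip, status = None, "malformed"
        findings.append((m.group("name"), ip, status))
    return findings


if __name__ == "__main__":
    for name, ip, status in scan(SAMPLE_LOG):
        # Any status other than "ok" means the DNSBL answer may not have matched a rule.
        print(f"{status:9} {name} -> {ip}")
```
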