Postscreen response to client - which rbl is named?


Postscreen response to client - which rbl is named?

Dominic Raferd
When postscreen rejects an incoming email because it exceeds the dnsbl/rbl score, how does it decide which rbl to report back to client as the cause of the rejection - since it only reports one? Is it just the first one to respond? Or random?

See below for a (lightly obfuscated) example:
08:15:26 myhost postfix/postscreen[29782]: CONNECT from [188.59.147.103]:57447 to [192.168.101.82]:25
08:15:26 myhost postfix/dnsblog[29788]: addr 188.59.147.103 listed by domain zen.dq.spamhaus.net as 127.0.0.3
08:15:26 myhost postfix/dnsblog[29785]: addr 188.59.147.103 listed by domain b.barracudacentral.org as 127.0.0.2
08:15:26 myhost postfix/dnsblog[29788]: addr 188.59.147.103 listed by domain zen.dq.spamhaus.net as 127.0.0.4
08:15:26 myhost postfix/dnsblog[29788]: addr 188.59.147.103 listed by domain zen.dq.spamhaus.net as 127.0.0.11
08:15:26 myhost postfix/dnsblog[29791]: addr 188.59.147.103 listed by domain truncate.gbudb.net as 127.0.0.2
08:15:26 myhost postfix/dnsblog[29792]: addr 188.59.147.103 listed by domain hostkarma.junkemailfilter.com as 127.0.0.2
08:15:27 myhost postfix/dnsblog[29787]: addr 188.59.147.103 listed by domain bl.fmb.la as 127.0.0.2
08:15:32 myhost postfix/postscreen[29782]: DNSBL rank 5 for [188.59.147.103]:57447
08:15:32 myhost postfix/tlsproxy[29793]: CONNECT from [188.59.147.103]:57447
08:15:33 myhost postfix/tlsproxy[29793]: Anonymous TLS connection established from [188.59.147.103]:57447: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
08:15:34 myhost postfix/postscreen[29782]: NOQUEUE: reject: RCPT from [188.59.147.103]:57447: 550 5.7.1 Service unavailable; client [188.59.147.103] blocked using b.barracudacentral.org; from=<[hidden email]>, to=<[hidden email]>, proto=ESMTP, helo=<narlabsorgtw.bosahek.com>

Re: Postscreen response to client - which rbl is named?

Matus UHLAR - fantomas
On 25.01.20 08:44, Dominic Raferd wrote:
>When postscreen rejects an incoming email because it exceeds the dnsbl/rbl
>score, how does it decide which rbl to report back to client as the cause
>of the rejection - since it only reports one? Is it just the first one to
>respond? Or random?

it is the first one that responds.
if it's a whitelist (scoring negatively), it's reported anyway.

that's where postscreen_dnsbl_reply_map is to be used.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95

Re: Postscreen response to client - which rbl is named?

Dominic Raferd


On Sat, 25 Jan 2020 at 09:08, Matus UHLAR - fantomas <[hidden email]> wrote:
> On 25.01.20 08:44, Dominic Raferd wrote:
> >When postscreen rejects an incoming email because it exceeds the dnsbl/rbl
> >score, how does it decide which rbl to report back to client as the cause
> >of the rejection - since it only reports one? Is it just the first one to
> >respond? Or random?
>
> it is the first one that responds.
> if it's a whitelist (scoring negatively), it's reported anyway.
>
> that's where postscreen_dnsbl_reply_map is to be used.

Thanks for clearing that up. My whitelists always cause a pass so for me the whitelist reporting issue doesn't arise; for systems where it does, I suppose the idea is to substitute the name of a blacklisting rbl (or some generic text such as 'unidentified_blacklist') if the response would otherwise show the whitelist?

Re: Postscreen response to client - which rbl is named?

Matus UHLAR - fantomas
>> On 25.01.20 08:44, Dominic Raferd wrote:
>> >When postscreen rejects an incoming email because it exceeds the dnsbl/rbl
>> >score, how does it decide which rbl to report back to client as the cause
>> >of the rejection - since it only reports one? Is it just the first one to
>> >respond? Or random?

>On Sat, 25 Jan 2020 at 09:08, Matus UHLAR - fantomas <[hidden email]>
>wrote:
>> it is the first one that responds.
>> if it's a whitelist (scoring negatively), it's reported anyway.
>>
>> that's where postscreen_dnsbl_reply_map is to be used.

On 25.01.20 09:18, Dominic Raferd wrote:
>Thanks for clearing that up. My whitelists always cause a pass so for me
>the whitelist reporting issue doesn't arise; for systems where it does, I
>suppose the idea is to substitute the name of a blacklisting rbl (or some
>generic text such as 'unidentified_blacklist') if the response would
>otherwise show the whitelist?

i guess the original idea was to hide dnsbl secret from clients
(http://www.postfix.org/postconf.5.html#postscreen_dnsbl_reply_map)
but replacing message by e.g. "blocked by multiple dnsbl lists" is also
possible.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Send this email to 100 of your friends - let them see what an idiot you are

Re: Postscreen response to client - which rbl is named?

Wietse Venema
In reply to this post by Dominic Raferd
Dominic Raferd:
> When postscreen rejects an incoming email because it exceeds the dnsbl/rbl
> score, how does it decide which rbl to report back to client as the cause
> of the rejection - since it only reports one? Is it just the first one to
> respond? Or random?

It replies with the DNSBL site that has the biggest weight.

        Wietse

Re: Postscreen response to client - which rbl is named?

Wietse Venema
Wietse Venema:
> Dominic Raferd:
> > When postscreen rejects an incoming email because it exceeds the dnsbl/rbl
> > score, how does it decide which rbl to report back to client as the cause
> > of the rejection - since it only reports one? Is it just the first one to
> > respond? Or random?
>
> It replies with the DNSBL site that has the biggest weight.

This behavior was introduced on 20120222:

    Cleanup: when multiple DNSBLs block an SMTP client, the
    postscreen "reject" message now gives credit to the DNSBL
    with the largest weight, instead of the DNSBL that replies
    first. File: postscreen/postscreen_dnsbl.c.

        Wietse

Re: Postscreen response to client - which rbl is named?

Dominic Raferd


On Sat, 25 Jan 2020 at 15:47, Wietse Venema <[hidden email]> wrote:
> Wietse Venema:
> > Dominic Raferd:
> > > When postscreen rejects an incoming email because it exceeds the dnsbl/rbl
> > > score, how does it decide which rbl to report back to client as the cause
> > > of the rejection - since it only reports one? Is it just the first one to
> > > respond? Or random?
> >
> > It replies with the DNSBL site that has the biggest weight.
>
> This behavior was introduced on 20120222:
>
>     Cleanup: when multiple DNSBLs block an SMTP client, the
>     postscreen "reject" message now gives credit to the DNSBL
>     with the largest weight, instead of the DNSBL that replies
>     first. File: postscreen/postscreen_dnsbl.c.

And if they have the same weight then random or the one that replied first? Or the one that gave the most hits (response codes)?

Re: Postscreen response to client - which rbl is named?

Wietse Venema
Dominic Raferd:

> On Sat, 25 Jan 2020 at 15:47, Wietse Venema <[hidden email]> wrote:
>
> > Wietse Venema:
> > > Dominic Raferd:
> > > > When postscreen rejects an incoming email because it exceeds the dnsbl/rbl
> > > > score, how does it decide which rbl to report back to client as the cause
> > > > of the rejection - since it only reports one? Is it just the first one to
> > > > respond? Or random?
> > >
> > > It replies with the DNSBL site that has the biggest weight.
> >
> > This behavior was introduced on 20120222:
> >
> >     Cleanup: when multiple DNSBLs block an SMTP client, the
> >     postscreen "reject" message now gives credit to the DNSBL
> >     with the largest weight, instead of the DNSBL that replies
> >     first. File: postscreen/postscreen_dnsbl.c.
> >
>
> And if they have the same weight then random or the one that replied first?
> Or the one that gave the most hits (response codes)?

It initializes (sitename, weight) as (null, null) then updates that
whenever a response has a larger weight. Thus, it returns the first
name of all the DNSBL sites that have the largest weight.

I see no reason to reveal more detail to spammers. Authorized
personnel can get those details from the maillog file.

        Wietse
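
Added example (not part of the thread and not Postfix source code): a simplified Python model of the rule described above, which reads dnsblog lines from a maillog to show every listing to the operator, picks the one name a client would see, and applies a postscreen_dnsbl_reply_map style substitution. The log lines, DNSBL domains, weights and reply map are constructed; it assumes log order stands in for reply order and that each site counts once regardless of how many codes it returns.

```python
import re

# Constructed sample: dnsblog lines in the format shown in this thread,
# using documentation addresses and made-up DNSBL domains.
SAMPLE_LOG = """\
08:15:26 myhost postfix/dnsblog[101]: addr 192.0.2.10 listed by domain list-a.example as 127.0.0.3
08:15:26 myhost postfix/dnsblog[102]: addr 192.0.2.10 listed by domain key123.list-b.example as 127.0.0.2
08:15:26 myhost postfix/dnsblog[101]: addr 192.0.2.10 listed by domain list-a.example as 127.0.0.4
08:15:27 myhost postfix/dnsblog[103]: addr 192.0.2.10 listed by domain list-c.example as 127.0.0.2
08:15:27 myhost postfix/dnsblog[104]: addr 192.0.2.99 listed by domain list-c.example as 127.0.0.2
"""

# Assumed per-site weights (the thread does not show the poster's real ones)
# and an assumed reply map that hides a keyed DNSBL name from clients.
WEIGHTS = {"list-a.example": 1, "key123.list-b.example": 2, "list-c.example": 2}
REPLY_MAP = {"key123.list-b.example": "list-b.example"}

DNSBLOG = re.compile(r"postfix/dnsblog\[\d+\]: addr (\S+) listed by domain (\S+) as (\S+)")

def summarize(log, weights, reply_map):
    """Per client: every listing (operator view), the score, and the one
    name a client would see under the rule described in the thread."""
    out = {}
    for line in log.splitlines():
        m = DNSBLOG.search(line)
        if not m:
            continue
        addr, site, code = m.groups()
        c = out.setdefault(addr, {"hits": {}, "score": 0, "name": None, "weight": None})
        first_hit = site not in c["hits"]
        c["hits"].setdefault(site, []).append(code)
        if not first_hit:
            continue  # simplification: a site counts once, whatever its reply codes
        w = weights.get(site, 1)
        c["score"] += w
        # Start at (None, None); replace only on a strictly larger weight,
        # so the first site among those with the largest weight wins a tie.
        if c["weight"] is None or w > c["weight"]:
            c["name"], c["weight"] = site, w
    for c in out.values():
        c["reported"] = reply_map.get(c["name"], c["name"])
    return out

if __name__ == "__main__":
    for addr, c in summarize(SAMPLE_LOG, WEIGHTS, REPLY_MAP).items():
        print(addr, "score", c["score"], "reported", c["reported"], "all", sorted(c["hits"]))
```

In the sample, list-c.example has the same weight as key123.list-b.example but is seen later, so it is never named to the client, while the operator view still lists all three sites.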