Massive SPAM false positives due to wrong blacklist resolving

Labsy
Outstanding Member
Posts: 411
Joined: Sat Sep 13, 2014 12:52 am

Post by Labsy »

Hi,
I've got massive SPAM false-positive rejections on my ZCS server; zimbra.log says the sending server is BLOCKED using one of the configured blacklists:
- psbl.surriel.com
- dbl.spamhaus.org
- bl.spameatingmonkey.net
- multi.surbl.org
...and others.

***EDIT***
Here's how it looks in zimbra.log:


Nov  2 09 19  RCPT from mail-eopbgr60076.outbound.protection.outlook.com[40.107.6.76]  554 5.7.1 Service unavailable; Client host [40.107.6.76] blocked using psbl.surriel.com; from=<outside.sender@domain1.com> to=<inside.recipient@domain2.com> proto=ESMTP helo=<EUR04-DB3-obe.outbound.protection.outlook.com>
Nov  2 09 48  RCPT from mail-eopbgr20065.outbound.protection.outlook.com[40.107.2.65]  554 5.7.1 Service unavailable; Client host [mail-eopbgr20065.outbound.protection.outlook.com] blocked using dbl.spamhaus.org; from=<outside.sender@domain1.com> to=<inside.recipient@domain2.com> proto=ESMTP helo=<EUR02-VE1-obe.outbound.protection.outlook.com>
Nov  2 09 49  RCPT from mail-eopbgr20067.outbound.protection.outlook.com[40.107.2.67]  554 5.7.1 Service unavailable; Client host [40.107.2.67] blocked using bl.spameatingmonkey.net; from=<outside.sender@domain1.com> to=<inside.recipient@domain2.com> proto=ESMTP helo=<EUR02-VE1-obe.outbound.protection.outlook.com>
Nov  2 09 57  RCPT from mail-eopbgr20043.outbound.protection.outlook.com[40.107.2.43]  554 5.7.1 Service unavailable; Client host [40.107.2.43] blocked using psbl.surriel.com; from=<outside.sender@domain1.com> to=<inside.recipient@domain2.com> proto=ESMTP helo=<EUR02-VE1-obe.outbound.protection.outlook.com>
Nov  2 09 59  RCPT from mail-eopbgr20049.outbound.protection.outlook.com[40.107.2.49]  554 5.7.1 Service unavailable; Client host [40.107.2.49] blocked using bl.spameatingmonkey.net; from=<outside.sender@domain1.com> to=<inside.recipient@domain2.com> proto=ESMTP helo=<EUR02-VE1-obe.outbound.protection.outlook.com>
Nov  2 10 06  RCPT from mail-eopbgr30080.outbound.protection.outlook.com[40.107.3.80]  554 5.7.1 Service unavailable; Client host [40.107.3.80] blocked using bl.spameatingmonkey.net; from=<outside.sender@domain1.com> to=<inside.recipient@domain2.com> proto=ESMTP helo=<EUR03-AM5-obe.outbound.protection.outlook.com>
Nov  2 10 07  RCPT from mail-eopbgr40047.outbound.protection.outlook.com[40.107.4.47]  554 5.7.1 Service unavailable; Sender address [outside.sender@domain1.com] blocked using multi.surbl.org; from=<outside.sender@domain1.com> to=<inside.recipient@domain2.com> proto=ESMTP helo=<EUR03-DB5-obe.outbound.protection.outlook.com>
But when I manually look up each of those blacklists, NONE of the blocked IPs is listed there???!!!
Where is the fail?
Obviously something is wrong on my ZCS server or DNS or...

***EDIT***
I also tested ZCS's local and firewall's DNS resolver to query some of the listed blacklists, but they all resolve THE SAME either locally or using Google or CloudFlare DNS.

But MAYBE, just maybe, there is a problem (long-lasting?!) in ZCS's list of blocklists?
Just MAYBE I've had them all wrong for a long time?
Here's what I have now:

List of client RBLs:
- psbl.surriel.com
- bl.spameatingmonkey.net
- b.barracudacentral.org
- dbl.spamhaus.org --> THIS ONE might be wrong, as this is a DOMAIN lookup, not an IP lookup! Today I changed it to ZEN

List of Client RHSBLs:
- sbl.spamhaus.org
- multi.surbl.org
- rhsbl.sorbs.net

List of Reverse Client RHSBLs:
- dbl.spamhaus.org --> Is this one OK? Does ZCS query for DOMAIN or IP against this bl? It should query DOMAIN, not IP.

List of Sender RHSBLs: --> Which SENDER is checked? My ZCS users or outside users or both?
- multi.surbl.org
- rhsbl.sorbs.net
- zen.spamhaus.org
- multi.uribl.com


Ideas?
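An added checker, not from the post or from Zimbra, that assumes the lookup type of each zone from the lists' public documentation (Spamhaus DBL, SURBL, URIBL and SORBS RHSBL take domain names, the other zones take IPs) and the Postfix meaning of Zimbra's four list categories. It builds the exact DNS name a manual verification of a reject line should query (reversed octets for IP lists, bare hostname or sender domain for RHSBLs) and flags configured zones whose type does not match their category, which is the DBL-as-IP-list mistake the post suspects.

```python
import re
import ipaddress
# Lookup type each zone expects (assumption taken from the lists' public docs:
# Spamhaus DBL, SURBL, URIBL and SORBS RHSBL take domain names, the rest take IPs).
ZONE_KIND = {
    "psbl.surriel.com": "ip", "bl.spameatingmonkey.net": "ip", "b.barracudacentral.org": "ip",
    "sbl.spamhaus.org": "ip", "zen.spamhaus.org": "ip", "dbl.spamhaus.org": "domain",
    "multi.surbl.org": "domain", "rhsbl.sorbs.net": "domain", "multi.uribl.com": "domain"}
# What Postfix sends per Zimbra category: Client RBLs get the client IP, the three
# RHSBL categories get the client hostname or the sender's domain part.
CATEGORY_KIND = {"Client RBLs": "ip", "Client RHSBLs": "domain",
                 "Reverse Client RHSBLs": "domain", "Sender RHSBLs": "domain"}
REJECT_RE = re.compile(r"(Client host|Sender address) \[([^\]]+)\] blocked using ([\w.-]+)")

def query_name(value, zone):
    """DNS name to look up by hand for `value` in `zone`, or None on a type mismatch."""
    if "@" in value:                       # sender address: only its domain is queried
        value = value.split("@", 1)[1]
    try:
        ip = ipaddress.ip_address(value)
        if ZONE_KIND.get(zone) != "ip":
            return None                    # an IP sent to a domain-only list
        label = ip.reverse_pointer.rsplit(".", 2)[0]   # reversed octets (or nibbles)
    except ValueError:
        if ZONE_KIND.get(zone) != "domain":
            return None                    # a hostname sent to an IP-only list
        label = value.rstrip(".")
    return f"{label}.{zone}"

def audit_log(lines):
    """Per reject line: (blocked value, zone, manual lookup name or 'MISMATCH')."""
    out = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            _, value, zone = m.groups()
            out.append((value, zone, query_name(value, zone) or "MISMATCH"))
    return out

def audit_config(config):
    """(category, zone) pairs whose zone type differs from what the category sends."""
    return [(cat, z) for cat, zones in config.items()
            for z in zones if ZONE_KIND.get(z) != CATEGORY_KIND[cat]]

# Constructed sample: two reject lines shortened from the post, plus the posted lists.
SAMPLE_LOG = ["554 5.7.1 Service unavailable; Client host [40.107.6.76] blocked using psbl.surriel.com;",
              "554 5.7.1 Service unavailable; Sender address [outside.sender@domain1.com] blocked using multi.surbl.org;"]
POSTED_CONFIG = {"Client RBLs": ["psbl.surriel.com", "bl.spameatingmonkey.net", "b.barracudacentral.org", "dbl.spamhaus.org"],
                 "Client RHSBLs": ["sbl.spamhaus.org", "multi.surbl.org", "rhsbl.sorbs.net"], "Reverse Client RHSBLs": ["dbl.spamhaus.org"],
                 "Sender RHSBLs": ["multi.surbl.org", "rhsbl.sorbs.net", "zen.spamhaus.org", "multi.uribl.com"]}
```

Running `audit_config(POSTED_CONFIG)` on the lists above reports dbl.spamhaus.org under Client RBLs plus sbl.spamhaus.org and zen.spamhaus.org placed in RHSBL categories; the names returned by `audit_log` are what to feed to `dig` when checking a reject by hand.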