You've successfully subscribed to Nuvotex Blog
Great! Next, complete checkout for full access to Nuvotex Blog
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info is updated.
Billing info update failed.

Spamhaus is adjusting it's rbl return codes

Spamhaus is adjusting the RBL return codes that are served using their public mirrors. If you're using spamhaus, you should review your configuration.

Daniel Nachtrub
Daniel Nachtrub

As of march 2021 spamhaus will introduce new return codes that are served with their public mirrors. Users of these mirrors are advised to review their configuration.

As already announced in 2019 spamhaus will announce the return codes served from their public mirrors. If you are using those mirrors in your spamfilter appliance, you should review your configuration! Spamhaus has published this on their blog: https://www.spamhaus.org/news/article/807/using-our-public-mirrors-check-your-return-codes-now

Until the adjusment, spamhaus is returning NXDOMAIN if you're querying incorrect zones or you're exceeding rate limits. The newly introduced return codes will return values that provide distinction between the reasons that you don't get the actual query result.

This means: If you're querying the RBL using a spamfilter appliance, you should make sure to handle these return values correctly.

New return codes

The following codes are introduced.

Return code Meaning
127.255.255.252 Typing error in DNSBL Name
127.255.255.254 Query via public/open resolver/generic unattributable rDNS
127.255.255.255 Excessive Number of Queries

These code don't reflect information regarding the queried address - these codes are error codes related to the query itself.

Adjusting postfix

Querying spamhaus from postfix may require an adjustment.

postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]
postscreen configuration

This will filter the return codes to results in range [127.0.0.2,127.0.0.11].

If you're using spamhaus within postfix rbl configuration, you may need to adjust there also.

reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
postfix configuration

Adjusting spamassassin

Querying spamhaus using spamassassin may require some additional configuration. Some guides recommend using a configuration as shown here:

header      RCVD_IN_ZEN       eval:check_rbl('zen-lastexternal','zen.spamhaus.org.')
describe    RCVD_IN_ZEN       Received via a relay in Spamhaus Zen
tflags      RCVD_IN_ZEN       net

header      RCVD_IN_XBL     eval:check_rbl_sub('zen-lastexternal','127.0.0.[45678]')
describe    RCVD_IN_XBL     Received via a relay in Spamhaus XBL
tflags      RCVD_IN_XBL     net

header      RCVD_IN_PBL     eval:check_rbl_sub('zen-lastexternal','127.0.0.1[01]')
describe    RCVD_IN_PBL     Received via a relay in Spamhaus PBL
tflags      RCVD_IN_PBL     net
spamassassin configuration

In this case make sure that the symbol RCVD_IN_ZEN has no weight assigned and everything is adjusted using the appropriate subqueries.

There is still a huge set of antispam appliance available - check your vendors documentation on how to filter return codes (if you're using spamhaus today). If you can't filter on return codes it's strongly recommendet to not use spamhaus at all!

If everything is fine, you won't even notice the adjustment.

Daniel Nachtrub

Kind of likes computers. Linux foundation certified: LFCS / CKA / CKAD / CKS. Microsoft certified: Cybersecurity Architect Expert & Azure Solutions Architect Expert.