Too many inbound emails blocked by RBL check

Hello Community,
in the meantime, we are receiving more and more complaints from our customers that too many emails are no longer arriving.
I have noticed that many previously problem-free and unblocked emails are blocked by RBLs.
After I removed the RBLs, all "correct" emails come through again.
This problem first occurred about four weeks ago.
I am wondering why the RBLs are suddenly sporadically rejecting emails that have been coming through flawlessly for years.
Has anyone else here encountered such a problem?

Concerns various SOPHOS XG and XGS models.

Best regards

Michael



  • Hello Vivek,

    I checked the IP addresses of the sending email servers. None of them were blacklisted.
    Again for clarity:
    Customer-Email->via SMTP->Our Firewall (MTA)->Our Exchange Server.
    And we have three tenants, each with a policy in which the RBLs are entered.
    And please don't forget that the problem was reported to several customers of ours, as some important emails went through sometimes and sometimes not.
    The complaints went away immediately when I removed the RBLs, and I didn't see any more blocks in the SMTP log.

    Overall, this is getting a bit annoying as customers are now complaining that so much crap is ending up in quarantine. And there is no preview at this point either (as I learned that this is only available with the UTM). All in all, it's a pity, since customers pay for the SMTP module. And switching customers to SOPHOS Central Email is not really an option at the moment.

    Best regards
    Michael

  • Would request you to raise a Sophos support request and get this further investigated!!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 



  • Case #05589257 opened :)

    Best regards
    Michael

  • Hi Michael,

    I just found your request, since we have had the same issue for 3 days.
    First, we tried to create exceptions with disabling IP Reputation and Greylisting. But that did not help.

    Disabling SPAM-Protection works. But that is not the solution, it's only a fu%&$ workaround.
    We don't use the predefined RBLs "Premium RBL Services" or "Standard RBL Services". We use custom RBLs.

    We also checked if all the senders are blacklisted, which they are not! We checked at our custom RBLs as well as mxtoolbox.com.

    Do you have any new information yet?

    Kind regards
    Christian

  • Hi Christian,

    I have unchecked "Reject based on RBL" in all policies under "Spam protection". Otherwise, these are still checked (active):
    - Check for inbound spam
    - Reject based on BATV
    - Reject based on SPF

    So it seems to work without problems. However, now you get a lot more crap in the quarantine, which the customers don't find so funny either.

    For the "bad" countries I have set up a country blocking anyway, so that the really bad crap doesn't arrive at all. ;)

    Otherwise there is no news yet, SOPHOS support is working on it.

    Best regards
    Michael

  • Hi Christian, Hi Michael

    I have had the same problem for 3 weeks. Many incoming e-mails are being blocked by RBL. My exception list has more than 100 entries. Only one RBL is active: zen.spamhaus.org. The same email senders sometimes went through and sometimes were blocked.

    I have been waiting for a response from Sophos support for over 1 week.

  • Since we had the 3rd party RBLs running (cbl.abuseat.org and spamhaus.org), I changed them to "Premium RBL Services" and "Standard RBL Services". We'll investigate and give feedback tomorrow.

  • This is a hint from SOPHOS Support:

    https://www.reddit.com/r/sysadmin/comments/l9asw7/spamcop_domain_expiredparked/

    I removed Spamcop from Premium RBL and I will now observe what happens. :)

  • Our attempt at changing the RBL lists did not help. We switched from the old entries (cbl.abuseat.org and spamhaus.org) to new ones (Premium RBL Services and Standard RBL Services). Premium RBLs are defined with "bl.spamcop.net" and Standard RBLs are using "dnsbl-1.uceprotect.net".

    In the night, new mails were blocked because of IP blacklisting.

    I checked the IP and domain manually on the new RBLs and they are NOT LISTED.

    So no new insights yet...

  • So far I have only "dnsbl-1.uceprotect.net" active on two of three policies (customers); the third policy (it is critical if their emails do not arrive) I have just activated. So far I have not noticed any anomalies, but will monitor it closely.
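
Senders that are not listed when checked by hand, yet get rejected by the RBL check, are one thing a DNSBL zone produces when it answers queries it should not. The following is an added example, not part of the thread and not Sophos code: an RFC 5782 self-test (127.0.0.2 must be listed, 127.0.0.1 must not be) run before a zone's verdict is trusted. The zone names `healthy.example`, `parked.example` and `dead.example` and the fake resolver are constructed so the check runs offline.

```python
import ipaddress
import socket
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def rbl_name(ip, zone):
    """DNSBL query name: reversed IPv4 octets followed by the zone (RFC 5782)."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def system_resolver(name):
    """A records for name via the OS resolver; [] on NXDOMAIN or lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def zone_health(zone, resolve=system_resolver):
    """RFC 5782 self-test: 127.0.0.2 must be listed, 127.0.0.1 must not be."""
    if resolve(rbl_name("127.0.0.1", zone)):
        return "answers-everything"   # e.g. wildcard DNS: every sender looks listed
    hit = resolve(rbl_name("127.0.0.2", zone))
    if not hit:
        return "not-answering"        # zone gone, or this resolver is refused
    if not all(ipaddress.ip_address(a) in LOOPBACK for a in hit):
        return "invalid-return-code"  # real listings are always in 127.0.0.0/8
    return "ok"

def check_sender(ip, zones, resolve=system_resolver):
    """Per-zone verdict for one sender IP; unhealthy zones are skipped, not trusted."""
    result = {}
    for zone in zones:
        health = zone_health(zone, resolve)
        if health != "ok":
            result[zone] = "skipped:" + health
            continue
        answers = resolve(rbl_name(ip, zone))
        listed = any(ipaddress.ip_address(a) in LOOPBACK for a in answers)
        result[zone] = "listed" if listed else "clean"
    return result

# Constructed sample data standing in for DNS (zone names are hypothetical).
FAKE_DNS = {"2.0.0.127.healthy.example": ["127.0.0.2"],
            "5.2.0.192.healthy.example": ["127.0.0.4"]}

def fake_resolver(name):
    if name.endswith(".parked.example"):
        return ["203.0.113.10"]       # wildcard zone: answers every name
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    print(check_sender("192.0.2.5", ["healthy.example", "parked.example"], fake_resolver))
```

Called without the `resolve` argument, `zone_health` and `check_sender` query through the operating system's resolver, so the result reflects what that resolver sees and may differ from what the firewall's own DNS path returns.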