Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 2440 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

sbl-xbl.spamhaus.org possible false positives

bvj
Has anyone noticed potential false positives linked to sbl-xbl.spamhaus.org today?

I noticed "Rejected: RBL (sbl-xbl.spamhaus.org)" in the SMTP log for legitimate mail originating from yahoo.com and optonline.net. I sent simple test messages from my yahoo.com mail account to the mail server behind the Astaro SMTP security wall; the first message was nailed by the spamhaus RBL flag, the second message sent 15 minutes later passed.

Legitimate mail received yesterday from optonline.net is getting nailed by the spamhaus RBL flag today.

Date: Oct 28, 2009
Firmware version: 7.500
Pattern version: 10884


This thread was automatically locked due to age.
  • 0
    The new IPS ruleset is a bit more vigorous than prior to 7.5, so that's the first place to look.

    Up2Date to 7.501.  Check your IPS log to see if it is blocking something.  Maybe DNS.  The disable the SID on the 'Advanced' tab of IPS.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    I stumbled upon this thread, and was interested in your repsonse.  So, what is the relationship between RBL flagged email and the IPS?  How would the IPS block DNS, especially if a packet filter rule exists to allow that communication?  Is there a chance the IPS can interpret a DNS reply as an attack? What is the SID?  I don't see that in the advanced section of my ASG.

    Thanks,
    Shannon
  • 0
    Yes, IPS can interpret a reply as an attack.  When that happens with the FQDN of an RBL, it's just like the RBL doesn't exist, so the email is flagged as spam.

    Several SIDs have been reported including 254, 3249, 15935, 15450 and 15486, so you really nee dto look at your IPS log to see which one you need to disable.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    There appeared to be an outage of pbl.spamhaus.org on 06 November for about five hours.  The same thing seems to have happened yesterday and today.  Here's a picture of my Mail Manager today showing a message resent two minutes later and getting through.

    Here's the reason from the SMTP log: 
    reason="rbl" extra="pbl.spamhaus.org"

    There was nothing in the IPS log or the DNS log.

    Thoughts anyone?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Cookie Information Banner