
RBL Blacklist behaviour?

This is one of the SMG monitoring gadgets I created a month ago.

This is my filter

For quite some time now I was getting very few hits on my RBL filters then today I noticed an exceptionally large number of messages being blocked. Of course, I have made no changes to my system. :-)

Has anyone else noticed similar behaviour?

__________
Kevin Boyle, 
Knowledge Partner

Calgary, Alberta, Canada


  • 0

    Not sure if it's related, but we also started seeing a bunch of anti-virus alerts start appearing recently (March 31).

    We did replace the proxy on our router (which did upstream AV scanning) a couple of weeks before that (with a simple packet filter which does not), but the SMG AV alerts did NOT coincide with that change.  Only recently did we actually start getting alerts...

    (Normally AV scanning in BOTH locations would be desirable, but we continually had issues with SMG shutting down SMTP connections while it waited for the router to buffer up the message so the router could scan it.  I got tired of increasing the SMG protocol timeout to chase this...)

  • 0  

    Kevin - this is what I have gotten back from development - "

    That seems more like an observation than a question. I can’t answer his actual question at the end, because I don’t have a system to compare behaviour.

     RBL services are external to SMG, so the reason for them firing could be a very wide range of reasons, some legitimate, some problematic. If normal mail is flowing, then generally it’s just one of the ‘reasons’.

     Here’s some of the reasons/faults off the top of my head that could cause this type of spike:

     Reasons:

    - A spammer has become very active

    - There’s a new form of spam that’s appeared

    - A DDoS spammer has appeared from a network range that spamhaus knows about

    - A targeted attack is happening that spamhaus has detected

     Faults:

    - DNS problems looking up spamhaus

    - spamhaus has a fault

    - SMG appliance has a DNS cache problem and needs a restart

     Something that could be done to verify if there’s a general mail pattern change would be to layer in the number of connections processed onto that graph for reference."

    Pam

  • 0  

    Hi Pam,

    Thanks for that feedback. 

    This is not an issue I was trying to get resolved via the forums. It was a change in behaviour that I observed and I was wondering if anyone else noticed a similar change.

    I do not quarantine messages blocked by my RBL filters and I know that SMG has no control over what these RBL sites report.

    Suddenly a lot of email from known senders was blocked and lost. I noticed that spamhaus reported issues with the senders' IP addresses but spamcop didn't, so I assumed this was an issue with spamhaus rather than an actual change in the reputation of the senders' IP addresses, so I simply disabled my spamhaus filter.

    I will enable it once again but not attach any services just to see if things have returned to normal. I expect they have...

    __________
    Kevin Boyle, 
    Knowledge Partner

    Calgary, Alberta, Canada

  • 0  

    Since 2019 the Spamhaus project has made some profound changes in return codes that have led to problems with some spam solutions and filters. I currently use the RBL from Spamhaus very reluctantly, because in the field I have again and again the issue of massive blocking of mail, and in part domains are also entered on Spamhaus blacklists.
    Another issue is the question of which DNS forwarders are used in the local spam protection mechanisms. I also often see problems that can be traced back to DNS resolution.

    Regards George

    “You can't teach a person anything, you can only help them to discover it within themselves.” Galileo Galilei
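The DNS faults and return-code changes raised in this thread can be separated from real listings by inspecting the answer value rather than blocking on any answer. The following is an added example, not code from any poster or from SMG; it assumes Spamhaus's published convention that answers in 127.255.255.0/24 signal a query problem (such as lookups arriving through a public resolver), and the sample lookups are constructed.

```python
import ipaddress
from collections import Counter

# Assumption (Spamhaus-published convention, not stated in the thread):
# 127.255.255.252 = typo in zone name, .254 = query via public/open resolver,
# .255 = query volume limit exceeded. None of these means "sender is listed".
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")
LISTING_NET = ipaddress.ip_network("127.0.0.0/24")

def dnsbl_query_name(client_ip, zone):
    """Reverse the IPv4 octets and append the DNSBL zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify_answer(answers):
    """Map the A records of one lookup to listed / not_listed / error."""
    if not answers:                      # NXDOMAIN: sender is not listed
        return "not_listed"
    addrs = [ipaddress.IPv4Address(a) for a in answers]
    if any(a in ERROR_NET for a in addrs):
        return "error"                   # never block mail on these
    if all(a in LISTING_NET for a in addrs):
        return "listed"
    return "error"                       # unexpected data, e.g. a rewritten NXDOMAIN

def summarize(lookups):
    """Count verdicts for a batch of (client_ip, answers) lookups."""
    return Counter(classify_answer(ans) for _, ans in lookups)

def feed_looks_broken(lookups, threshold=0.5):
    """True when error answers dominate, i.e. the spike is a lookup fault."""
    counts = summarize(lookups)
    return counts["error"] / max(len(lookups), 1) >= threshold

# Constructed sample: documentation-range IPs with the A records a resolver
# might hand back for each lookup.
SAMPLE = [
    ("192.0.2.10", ["127.255.255.254"]),
    ("198.51.100.7", ["127.255.255.254"]),
    ("203.0.113.5", ["127.0.0.2"]),
    ("192.0.2.99", []),
]

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "zen.spamhaus.org"))
    print(dict(summarize(SAMPLE)), feed_looks_broken(SAMPLE))
```

A sudden block spike where most answers classify as `error` points at the resolver or forwarder path rather than at a change in sender reputation.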