DNSBL for sending 5 emails to/per address per week (2024)

Good evening,

I am French.

I put this here DNSBL :

DNSBL Information - Spam Database and Blacklist Check

Email Blacklist Check - IP Blacklist Check - See if your server is blacklisted

And finally – that finished me; I just noticed today that since the start of the year or around December 30, 2023 I can no longer access certain ISP/ISP emails.

https://dnslytics.com/ (this lets me know) - What is this thing?

----
DNSBL
----
* access.redhawk.org
* b.barracudacentral.org
* bl.blocklist.de
* bl.nordspam.com
* bl.scientificspam.net
* bl.spamcop.net
* blacklist.sci.kun.nl
* bogons.cymru.com
* cbl.abuseat.org
* db.wpbl.info
* dnsbl-1.uceprotect.net
* dnsbl-2.uceprotect.net
* dnsbl-3.uceprotect.net
* dnsbl.dronebl.org
* dnsbl.sorbs.net
* dyna.spamrats.com
* http.dnsbl.sorbs.net
* ips.backscatterer.org
* korea.services.net
* pbl.spamhaus.org
* psbl.surriel.com
* sbl.spamhaus.org
* smtp.dnsbl.sorbs.net
* spam.dnsbl.sorbs.net
* spam.spamrats.com
* recent.spam.dnsbl.sorbs.net
* xbl.spamhaus.org
* zen.spamhaus.org
----

But what is this? They must believe that I am an individual at home who sends emails (35 thousand / per week), or they take me for an imbecile; It’s a mail server!

I would like to have their statistics "how many emails" they received for this IPv4?, to know!!!

```
root@vps:~ # host 158.69.126.137
137.126.69.158.in-addr.arpa domain name pointer mail.zw3b.eu.
root@vps:~ # host 2607:5300:60:9389:17:4c1:0:1a
a.1.0.0.0.0.0.0.1.c.4.0.7.1.0.0.9.8.3.9.0.6.0.0.0.0.3.5.7.0.6.2.ip6.arpa domain name pointer mail.zw3b.eu.
```

Me who only sends one email per “user” account per week!

And what's more, all my emails are validated DMARC (SPF + DKIM) with reject policy on a test of 100% of my emails (in case they are not signed) + ARC + rDNS and even DANE (so, on DNSSEC) and with verification of good “compliance of message content”.

I add “Internet.nl”:

I don't understand anymore.

-----

I've been working on the subject since last night, so.

To follow up, below are the logs from my mail server when sending to XXXXXXX:

```
==> /var/log/zimbra.log <==
Feb 7 03:40:41 mail postfix/qmgr[1244816]: 9BA08583441: from=<root@ww2.zw3b.eu>, size=593, nrcpt=1 (queue active)
Feb 7 03:40:41 mail postfix/smtpd[1249751]: disconnect from unknown[10.105.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Feb 7 03:40:41 mail amavis[1244460]: (1244460-02) ESMTP [::1]:10026 /opt/zimbra/data/amavisd/tmp/amavis-20240207T033517-1244460-OrIxJIHE: <root@ww2.zw3b.eu> -> <lab3w.orj@XXXXXXX> SIZE=593 BODY=8BITMIME Received: from mail.zw3b.eu ([IPv6:::1]) by localhost (mail.zw3b.eu [IPv6:::1]) (amavis, port 10026) with ESMTP for <lab3w.orj@XXXXXXX>; Wed, 7 Feb 2024 03:40:41 +0000 (UTC)
Feb 7 03:40:41 mail amavis[1244460]: (1244460-02) Checking: dLCD5VqE7Cm4 ORIGINATING/MYNETS [10.105.0.1] <root@ww2.zw3b.eu> -> <lab3w.orj@XXXXXXX>
Feb 7 03:40:41 mail postfix/amavisd/smtpd[1246892]: connect from ip6-localhost[::1]
Feb 7 03:40:41 mail postfix/amavisd/smtpd[1246892]: CE752583445: client=ip6-localhost[::1]
Feb 7 03:40:41 mail postfix/cleanup[1249752]: CE752583445: message-id=<20240207034041.5C009600AA1@ww2.zw3b.eu>
Feb 7 03:40:42 mail postfix/qmgr[1244816]: CE752583445: from=<root@ww2.zw3b.eu>, size=2376, nrcpt=1 (queue active)
Feb 7 03:40:42 mail postfix/amavisd/smtpd[1246892]: disconnect from ip6-localhost[::1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Feb 7 03:40:42 mail amavis[1244460]: (1244460-02) dLCD5VqE7Cm4 FWD from <root@ww2.zw3b.eu> -> <lab3w.orj@XXXXXXX>, BODY=7BIT 250 2.0.0 from MTA(smtp:[::1]:10025): 250 2.0.0 Ok: queued as CE752583445
Feb 7 03:40:42 mail amavis[1244460]: (1244460-02) Passed CLEAN {RelayedOutbound}, ORIGINATING/MYNETS LOCAL [10.105.0.1]:38326 <root@ww2.zw3b.eu> -> <lab3w.orj@XXXXXXX>, Queue-ID: 9BA08583441, Message-ID: <20240207034041.5C009600AA1@ww2.zw3b.eu>, mail_id: dLCD5VqE7Cm4, Hits: -, size: 1966, queued_as: CE752583445, dkim_sd=2023102602:ww2.zw3b.eu, 253 ms
Feb 7 03:40:42 mail postfix/smtp[1249753]: 9BA08583441: to=<lab3w.orj@XXXXXXX>, relay=1[::1]:10026], delay=0.42, delays=0.15/0.02/0/0.25, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[::1]:10025): 250 2.0.0 Ok: queued as CE752583445)
Feb 7 03:40:42 mail postfix/qmgr[1244816]: 9BA08583441: removed
Feb 7 03:40:42 mail amavis[1244460]: (1244460-02) extra modules loaded: /opt/zimbra/common/lib/perl5/x86_64-linux-gnu-thread-multi/auto/Crypt/OpenSSL/RSA/new_public_key.al, Net/DNS/RR/A.pm, Net/DNS/RR/AAAA.pm, Net/DNS/RR/NS.pm, Net/DNS/RR/OPT.pm, Net/DNS/RR/TXT.pm, Net/DNS/Text.pm
Feb 7 03:40:43 mail postfix/smtp[1248899]: CE752583445: to=<lab3w.orj@XXXXXXX>, relay=XXXXXXX-smtp-in.l.XXXXXXX[172.253.115.26]:25], delay=1.4, delays=0.2/0/0.29/0.94, dsn=5.7.1, status=bounced (host XXXXXXX-smtp-in.l.XXXXXXX[172.253.115.26] said: 550-5.7.1[158.69.126.137 19] XXXXXXX has detected that this message is 550-5.7.1 likely suspicious due to the very low reputation of the sending 550-5.7.1 domain. To best protect our users from spam, the message has been 550-5.7.1 blocked. For more information,
Feb 7 03:40:43 mail postfix/cleanup[1249752]: 6E479583446: message-id=<20240207034043.6E479583446@mail.zw3b.eu>
Feb 7 03:40:43 mail postfix/bounce[1249755]: CE752583445: sender non-delivery notification: 6E479583446
Feb 7 03:40:43 mail postfix/qmgr[1244816]: 6E479583446: from=<>, size=5120, nrcpt=1 (queue active)
Feb 7 03:40:43 mail postfix/qmgr[1244816]: CE752583445: removed
```

We notice that the email – is in “bounce”? in “bounce” → "Feb 7 03:40:43 mail postfix/smtp[1248899]: CE752583445: to=<lab3w.orj@XXXXXXX>, relay=XXXXXXX-smtp-in.l.XXXXXXX[172.253.115.26]:25], delay=1.4, delays=0.2/0/0.29/0.94, dsn=5.7.1, status=bounced (host XXXXXXX-smtp-in.l.XXXXXXX[172.253.115.26] said: 550-5.7.1"??? Why is this?

Otherwise RSPAMD which also signs and verifies :

```
2024-02-07 03:40:41 #1241031(rspamd_proxy) <9ac8c9>; lua; spf.lua:186: skip SPF checks for local networks and authorized users
2024-02-07 03:40:41 #1241031(rspamd_proxy) <9ac8c9>; lua; dmarc.lua:353: skip DMARC checks as either SPF or DKIM were not checked
2024-02-07 03:40:41 #1241031(rspamd_proxy) <9ac8c9>; lua; once_received.lua:102: Skipping once_received for authenticated user or local network
2024-02-07 03:40:41 #1241031(rspamd_proxy) rdns; rdns_parse_rr: unexpected RR type: 46; domain 2023102602._domainkey.ww2.zw3b.eu
2024-02-07 03:40:41 #1241031(rspamd_proxy) <9ac8c9>; lua; greylist.lua:335: Score too low - skip greylisting
2024-02-07 03:40:41 #1241031(rspamd_proxy) <9ac8c9>; proxy; rspamd_task_write_log: id: <20240207034041.5C009600AA1@ww2.zw3b.eu>, qid: <9BA08583441>, ip: 10.105.0.1, from: <root@ww2.zw3b.eu>, (default: F (no action): [0.27/15.00] [SUBJ_ALL_CAPS(0.37){5;},MIME_GOOD(-0.10){text/plain;},ARC_NA(0.00){},DKIM_SIGNED(0.00){ww2.zw3b.eu:s=2023102602;},FREEMAIL_ENVRCPT(0.00){XXXXXXX;},FREEMAIL_TO(0.00){XXXXXXX;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;},MISSING_XM_UA(0.00){},NEURAL_SPAM(0.00){0.775;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ONE(0.00){1;},RCVD_TLS_LAST(0.00){},SINGLE_SHORT_PART(0.00){},TAGGED_RCPT(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 1077, time: 3.891ms, dns req: 3, digest: <0a2cc0e5247335d3918354057e7be5a6>, rcpts: <lab3w.orj@XXXXXXX,lab3worj@XXXXXXX>, mime_rcpts: <lab3w.orj@XXXXXXX,>
2024-02-07 03:40:41 #1241031(rspamd_proxy) <9ac8c9>; proxy; rspamd_protocol_http_reply: regexp statistics: 69 pcre regexps scanned, 1 regexps matched, 176 regexps total, 11 regexps cached, 2.70KiB scanned using pcre, 2.70KiB scanned total
2024-02-07 03:40:41 #1241031(rspamd_proxy) <d9d3f4>; proxy; proxy_milter_finish_handler: finished milter connection
2024-02-07 03:40:41 #1241031(rspamd_proxy) <3db6d0>; proxy; proxy_milter_finish_handler: finished milter connection
2024-02-07 03:40:54 #1241031(rspamd_proxy) <5bbd57>; milter; rspamd_milter_process_command: got connection from 194.169.175.10:35748
2024-02-07 03:40:54 #1241031(rspamd_proxy) <5bbd57>; proxy; proxy_milter_finish_handler: finished milter connection
2024-02-07 03:40:54 #1241031(rspamd_proxy) <28f9df>; milter; rspamd_milter_process_command: got connection from 194.169.175.10:35748
2024-02-07 03:40:54 #1241031(rspamd_proxy) <28f9df>; proxy; proxy_milter_finish_handler: finished milter connection
2024-02-07 03:41:06 #1241031(rspamd_proxy) <fdd85f>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 55552
2024-02-07 03:41:06 #1241031(rspamd_proxy) <0ca870>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 55560
2024-02-07 03:41:24 #1241031(rspamd_proxy) <0d92ef>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 45802
2024-02-07 03:41:24 #1241031(rspamd_proxy) <2e1bb3>; proxy; proxy_accept_socket: accepted milter connection from ::1 port 45808
2024-02-07 03:41:24 #1241031(rspamd_proxy) <0d92ef>; milter; rspamd_milter_process_command: got connection from 2.56.58.178:45658
2024-02-07 03:41:24 #1241031(rspamd_proxy) <0d92ef>; proxy; proxy_milter_finish_handler: finished milter connection
2024-02-07 03:41:24 #1241031(rspamd_proxy) <2e1bb3>; milter; rspamd_milter_process_command: got connection from 2.56.58.178:45658
2024-02-07 03:41:24 #1241031(rspamd_proxy) <2e1bb3>; proxy; proxy_milter_finish_handler: finished milter connection
2024-02-07 03:41:27 #1241032(controller) <prfoy8>; monitored; rspamd_monitored_dns_cb: DNS reply returned 'no error' for list.dnswl.org while 'no records with this name' was expected when querying for '1.0.0.127.list.dnswl.org'(likely DNS spoofing or BL internal issues)
```

We see that:

1. 2024-02-07 03:40:41 #1241031(rspamd_proxy) <9ac8c9>; lua; greylist.lua:335: Score too low - skip greylisting

→ the score of the email (sent) has a score too low to check the “grey list” of MY server.

2. 2024-02-07 03:40:41 -> (default: F (no action): SPAM score --> 0.27 out of 15.00

→ The DNS response returned "no error" for list.dnswl.org while "no records with this name" was expected when querying for "1.0.0.127.list.dnswl.org" (probable DNS spoofing or internal BL issues)

So, it's all right…

I really don't understand, why?

For my part, I have checked the configuration of Rspamd (yet it has been active, with the same configuration, for several months, since November 28, 2023) and I have sent 5 emails to/per address (5 mailings; one per week, from December 1 to December 29) which entered the servers, therefore without any configuration change, and since December 31, 2023 it no longer fits on certain servers.

See: the list of my modified files in the directory (for the date of “my last” modifications) :

```
root@mail:/etc/rspamd/local.d # ls -l
total 48
lrwxrwxrwx 1 root root 17 nov. 28 16:28 arc.conf -> dkim_signing.conf
-rw-r--r-- 1 root root 229 nov. 28 16:25 asn.conf
-rw-r--r-- 1 root root 1146 nov. 28 16:25 dkim.conf
-rw-r--r-- 1 root root 1729 nov. 28 18:59 dkim_signing.conf
-rw-r--r-- 1 root root 24 févr. 7 04:18 dmarc.conf
-rw-r--r-- 1 root root 659 nov. 28 16:28 logging.inc
-rw-r--r-- 1 root root 2109 nov. 28 16:25 milter_headers.conf
-rw-r--r-- 1 root root 1138 nov. 28 18:12 options.inc
-rw-r--r-- 1 root root 138 févr. 7 04:20 redis.conf
-rw-r--r-- 1 root root 467 nov. 28 16:25 spf.conf
-rw-r--r-- 1 root root 1162 nov. 28 17:03 statistic.conf
-rw-r--r-- 1 root root 932 nov. 28 16:25 worker-controller.inc
-rw-r--r-- 1 root root 59 nov. 28 16:25 worker-proxy.inc
```

By the way, I just saw this line:

```
==> /var/log/rspamd/rspamd.log <==
2024-02-07 04:28:07 #1273188(controller) <imhkkk>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
```

Okay I’m sending to “34,000” people internationally but hey we are “8,000,000,000” people on earth! And if you look at my DMARC reports it’s pretty representative. I send a lot more emails in France and a lot fewer abroad (between 10 and 50 for foreign countries and 30,000 for France including “hotmail com”).

Could it be because of that? Anyway !
Otherwise you put me on your WhiteList / GreyList – ha ha – for 30,000 / week… or not I specify.

I don't find it very FUN.

These are not emails to sell you Viagra pills that you receive quintuple in the same minute, 10 times a day, every day.

It’s a different newsletter every week.

Can you talk about it between admins? Thank you. High up there in my mountain, I'm not likely to stir up crowds.

Otherwise, I wish you a good day and good luck.

Romain

LAB3W : O.R.J
Freelance | LAMP Consultant (W3C.Master: Analyst.SSI/Dev.OpS/WebDev)
Web and Networks Lab - Internet Engineering - Creator ZW3B [EU|FR|TV|NET|COM|SITE|BLOG]
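
Added example, not part of the original post: how a DNSBL query name is built from the IPv4 and IPv6 addresses shown in the `host` output above, and how to tell a real listing from a refused query such as the `multi.uribl.com` "127.0.0.1 returned" line in the rspamd log. The function names and the sample replies are constructed for illustration; the refusal codes are the ones Spamhaus and URIBL document.

```python
import ipaddress
import socket

# Replies that mean "query refused", not "listed". Spamhaus reserves
# 127.255.255.0/24 for errors; URIBL answers 127.0.0.1 to blocked resolvers
# (the rspamd "possibly due to high volume" line in the post).
ERROR_REPLIES = {
    "127.255.255.252": "typo in the DNSBL zone name",
    "127.255.255.254": "query sent through a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}
ZONE_BLOCK_REPLIES = {"multi.uribl.com": {"127.0.0.1"}}


def dnsbl_query_name(ip, zone):
    """Reverse the address like a PTR name, then append the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    suffix = ".in-addr.arpa" if addr.version == 4 else ".ip6.arpa"
    return addr.reverse_pointer[: -len(suffix)] + "." + zone


def classify_reply(zone, answers):
    """answers: A records returned for the query name ([] = NXDOMAIN)."""
    if not answers:
        return "not listed"
    for a in answers:
        if a in ERROR_REPLIES:
            return "query refused: " + ERROR_REPLIES[a]
        if a in ZONE_BLOCK_REPLIES.get(zone, ()):
            return "query refused: resolver blocked by the zone"
    if all(a.startswith("127.") for a in answers):
        return "listed (" + ", ".join(answers) + ")"
    return "unexpected reply, check the resolver"


def lookup(name):
    """Live query; needs network. Resolver failures also come back as []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


if __name__ == "__main__":
    # Constructed replies, not real lookup results for this server.
    samples = [("zen.spamhaus.org", []), ("zen.spamhaus.org", ["127.255.255.254"]),
               ("multi.uribl.com", ["127.0.0.1"]), ("bl.spamcop.net", ["127.0.0.2"])]
    for zone, answers in samples:
        print(dnsbl_query_name("158.69.126.137", zone), "->", classify_reply(zone, answers))
```

A checker that treats every 127.x answer as a listing will report a server as blacklisted when the resolver it queried through was simply refused, so the reply code has to be read before the result is trusted.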

Article information

Author: Ms. Lucile Johns
