Be careful: Using Spamhaus with open resolvers is bad news

Do you use any of the Spamhaus blocking lists (DNSBLs) to protect yourself from inbound spam and email threats? If so, you're not alone. The Spamhaus data is quite popular and used by many ISPs as a front door gatekeeper for IP (and domain) reputation.

If you do use any of Spamhaus's DNSBLs, though, make sure you're not doing it via a public DNS resolver or via any DNS server that is attempting a high volume of queries against Spamhaus without being registered with them. If you do, you risk the queries triggering blocks simply due to the sheer volume of DNS traffic Spamhaus is receiving. Meaning you'll end up blocking mail that wasn't spam and that you probably didn't mean to block.

Here's how to catch that. Look in your server's mail log for response codes or response text from Spamhaus queries. For text responses, look for things like "Error: open resolver; https://www.spamhaus.org/returnc/pub/74.63.26.239" and look for return codes like 127.255.255.252, 127.255.255.254 and 127.255.255.255.

If you're seeing anything like that in your mail logs, you're blocking non-spam accidentally-- you're making mail bounce that Spamhaus did not intend to reject. If so, please review Spamhaus's guidance for what to do in this instance.

Let me be clear: I strongly recommend AGAINST using public DNS servers to query Spamhaus DNSBLs. In my testing of various common public DNS servers, I saw problems. In particular, Spamhaus intermittently rejects queries from Quad9's public DNS servers with the "open resolver" error, and in the case of Google Public DNS, Alternate DNS, Yandex and Fourth Estate's public resolvers, all queries resulted in NXDOMAIN (no DNS result found) even for IP addresses that I know were listed on one or more Spamhaus DNSBLs.

In my testing, I see that various other public DNS servers I queried seem to work OK today, responding to Spamhaus queries with correct data, but I doubt that will be the case in the long term. Spamhaus clearly doesn't want to provide this IP reputation data via these channels and right now it's just a question of how effective they are at blocking it. They're not fully effective at it today, but I'm sure they'll get better at it over time.

This also presents a particularly vexing problem for email senders. We get bounces in our logs that reference the "open resolver" error message, but it's not something that a sender can fix. It's up to the inbound email server's administrator to fix it. One hopes that administrator is paying attention -- and if not, perhaps they'll learn from posts like this and watch for this problem in the future.

If you work in deliverability for an email sending platform, you might want to customize how you handle Spamhaus bounces -- perhaps looking for that "open resolver" error message and preventing suppression of addresses that bounce with that error message, because those bounces are indeed false positives.

No comments:

Post a Comment

Comments policy: Al is always right. Kidding, mostly. Be polite, and you're welcome to join in, even if it's a differing viewpoint.