Bug 7242 - URIBL_SBL and URIBL_SBL_A doing each other's lookups
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Plugins
Version: unspecified
Hardware: PC FreeBSD
Importance: P2 minor
Target Milestone: Undefined
Assignee: SpamAssassin Developer Mailing List
Reported: 2015-09-05 12:34 UTC by RW
Modified: 2018-11-04 11:20 UTC

Description RW 2015-09-05 12:34:10 UTC
URIBL_SBL is supposed to check the host's nameserver IPs in SBL and URIBL_SBL_A is supposed to check the host's IP address, but both rules are doing both.

See: "What does URIBL_SBL  check (was Re: Amazon Route53 nameservers listed in SBL?)" on the user list.

I've set this as a minor bug since the lookups are being done, it's just the granularity that's being lost.
Comment 1 Kevin A. McGrail 2015-09-07 16:48:30 UTC
Adding more information about the issue:

$ printf "\n\nhttp://www.alfordmedia.com/" | spamassassin -D uridnsbl  2>&1       
Sep  5 00:57:40.749 [88636] dbg: uridnsbl: considering host=www.alfordmedia.com, domain=alfordmedia.com
Sep  5 00:57:40.759 [88636] dbg: uridnsbl: complete_dnsbl_lookup URIBL_RHS_DOB DNSBL:alfordmedia.com:dob.sibl.support-intelligence.net
Sep  5 00:57:40.759 [88636] dbg: uridnsbl: complete_ns_lookup NS:alfordmedia.com
Sep  5 00:57:40.760 [88636] dbg: uridnsbl: got(1) NS for alfordmedia.com: alfordmedia.com. 172603 IN NS ns-1298.awsdns-34.org.
Sep  5 00:57:40.760 [88636] dbg: uridnsbl: got(2) NS for alfordmedia.com: alfordmedia.com. 172603 IN NS ns-1925.awsdns-48.co.uk.
Sep  5 00:57:40.761 [88636] dbg: uridnsbl: got(3) NS for alfordmedia.com: alfordmedia.com. 172603 IN NS ns-62.awsdns-07.com.
Sep  5 00:57:40.761 [88636] dbg: uridnsbl: got(4) NS for alfordmedia.com: alfordmedia.com. 172603 IN NS ns-696.awsdns-23.net.
Sep  5 00:57:40.762 [88636] dbg: uridnsbl: complete_a_lookup A:www.alfordmedia.com
Sep  5 00:57:40.762 [88636] dbg: uridnsbl: complete_a_lookup got(1) A for www.alfordmedia.com: www.alfordmedia.com. 103 IN A 209.124.71.2
Sep  5 00:57:40.764 [88636] dbg: uridnsbl: complete_a_lookup A:ns-1298.awsdns-34.org
Sep  5 00:57:40.764 [88636] dbg: uridnsbl: complete_a_lookup got(1) A for ns-1298.awsdns-34.org: ns-1298.awsdns-34.org. 170801 IN A 205.251.197.18
Sep  5 00:57:40.765 [88636] dbg: uridnsbl: complete_a_lookup A:ns-1925.awsdns-48.co.uk
Sep  5 00:57:40.765 [88636] dbg: uridnsbl: complete_a_lookup got(1) A for ns-1925.awsdns-48.co.uk: ns-1925.awsdns-48.co.uk. 170801 IN A 205.251.199.133
Sep  5 00:57:40.766 [88636] dbg: uridnsbl: complete_a_lookup A:ns-62.awsdns-07.com
Sep  5 00:57:40.766 [88636] dbg: uridnsbl: complete_a_lookup got(1) A for ns-62.awsdns-07.com: ns-62.awsdns-07.com. 170801 IN A 205.251.192.62
Sep  5 00:57:40.767 [88636] dbg: uridnsbl: complete_a_lookup A:ns-696.awsdns-23.net
Sep  5 00:57:40.767 [88636] dbg: uridnsbl: complete_a_lookup got(1) A for ns-696.awsdns-23.net: ns-696.awsdns-23.net. 170801 IN A 205.251.194.184
...
Sep  5 00:57:40.863 [88636] dbg: uridnsbl: complete_dnsbl_lookup URIBL_SBL_A DNSBL:2.71.124.209:sbl.spamhaus.org
Sep  5 00:57:40.864 [88636] dbg: uridnsbl: complete_dnsbl_lookup URIBL_SBL DNSBL:2.71.124.209:zen.spamhaus.org      <--- A
Sep  5 00:57:40.864 [88636] dbg: uridnsbl: complete_dnsbl_lookup URIBL_SBL_A DNSBL:18.197.251.205:sbl.spamhaus.org  <--- B
Sep  5 00:57:40.864 [88636] dbg: uridnsbl: complete_dnsbl_lookup URIBL_SBL_A DNSBL:62.192.251.205:sbl.spamhaus.org  <--- B
Sep  5 00:57:40.864 [88636] dbg: uridnsbl: complete_dnsbl_lookup URIBL_SBL_A DNSBL:133.199.251.205:sbl.spamhaus.org <--- B 
Sep  5 00:57:40.865 [88636] dbg: uridnsbl: complete_dnsbl_lookup URIBL_SBL DNSBL:184.194.251.205:zen.spamhaus.org
Sep  5 00:57:40.979 [88636] dbg: uridnsbl: complete_dnsbl_lookup URIBL_SBL DNSBL:18.197.251.205:zen.spamhaus.org
...
Sep  5 00:57:43.032 [88636] dbg: uridnsbl: complete_dnsbl_lookup URIBL_SBL DNSBL:62.192.251.205:zen.spamhaus.org
Sep  5 00:57:43.033 [88636] dbg: uridnsbl: complete_dnsbl_lookup URIBL_SBL DNSBL:133.199.251.205:zen.spamhaus.org
Sep  5 00:57:43.033 [88636] dbg: uridnsbl: complete_dnsbl_lookup URIBL_SBL_A DNSBL:184.194.251.205:sbl.spamhaus.org <--- B

In the line marked A it looks like URIBL_SBL did look up SBL (via zen)
for the host's IP. Also in the lines marked B it looks like URIBL_SBL_A is
doing an SBL look-up on the nameserver IPs as well as the host's. In
other words it looks like both rules are doing the full set of look-ups.
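
A way to check "-D uridnsbl" debug output for the symptom described in comment 1, as an added example that is not part of the original report or of SpamAssassin's code: it classifies each DNSBL query by whether the reversed IP came from the URI host's A record or from a nameserver's A record. The INTENDED mapping follows the bug description; the function name and the trimmed log excerpt (timestamps dropped, one nameserver kept) are assumptions for illustration.

```python
import re

# Excerpt of the debug output quoted in comment 1, trimmed for illustration.
SAMPLE_LOG = """\
dbg: uridnsbl: got(1) NS for alfordmedia.com: alfordmedia.com. 172603 IN NS ns-1298.awsdns-34.org.
dbg: uridnsbl: complete_a_lookup got(1) A for www.alfordmedia.com: www.alfordmedia.com. 103 IN A 209.124.71.2
dbg: uridnsbl: complete_a_lookup got(1) A for ns-1298.awsdns-34.org: ns-1298.awsdns-34.org. 170801 IN A 205.251.197.18
dbg: uridnsbl: complete_dnsbl_lookup URIBL_SBL_A DNSBL:2.71.124.209:sbl.spamhaus.org
dbg: uridnsbl: complete_dnsbl_lookup URIBL_SBL DNSBL:2.71.124.209:zen.spamhaus.org
dbg: uridnsbl: complete_dnsbl_lookup URIBL_SBL_A DNSBL:18.197.251.205:sbl.spamhaus.org
dbg: uridnsbl: complete_dnsbl_lookup URIBL_SBL DNSBL:18.197.251.205:zen.spamhaus.org
"""

# Which kind of IP each rule is meant to query, per the bug description.
INTENDED = {"URIBL_SBL": "ns", "URIBL_SBL_A": "host"}

NS_RE = re.compile(r"got\(\d+\) NS for \S+: \S+ \d+ IN NS (\S+)")
A_RE = re.compile(
    r"complete_a_lookup got\(\d+\) A for (\S+): \S+ \d+ IN A (\d+(?:\.\d+){3})"
)
BL_RE = re.compile(r"complete_dnsbl_lookup (\S+) DNSBL:(\d+(?:\.\d+){3}):")


def misdirected_lookups(log_text, intended=INTENDED):
    """Return sorted (rule, ip, origin) tuples where a rule queried the wrong kind of IP.

    Assumes NS answers are logged before the A answers for those nameservers,
    as in the output quoted above.
    """
    nameservers, origin, bad = set(), {}, set()
    for line in log_text.splitlines():
        if m := NS_RE.search(line):
            # Remember nameserver hostnames (strip the trailing root dot).
            nameservers.add(m.group(1).rstrip(".").lower())
        elif m := A_RE.search(line):
            # An A answer belongs to a nameserver or to the URI host itself.
            kind = "ns" if m.group(1).lower() in nameservers else "host"
            origin[m.group(2)] = kind
        elif m := BL_RE.search(line):
            rule = m.group(1)
            # DNSBL queries carry the IP with its octets reversed.
            ip = ".".join(reversed(m.group(2).split(".")))
            kind = origin.get(ip)
            if kind and rule in intended and kind != intended[rule]:
                bad.add((rule, ip, kind))
    return sorted(bad)


if __name__ == "__main__":
    for rule, ip, kind in misdirected_lookups(SAMPLE_LOG):
        print(f"{rule} queried {kind} IP {ip}, expected {INTENDED[rule]} IPs only")
```

An empty result means each rule only queried the kind of IP it is meant to check.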
Comment 2 AXB 2015-09-07 17:26:09 UTC
hmmm

could someone pls test replacing
uridnsbl        URIBL_SBL_A    sbl.spamhaus.org.   A

with

uridnsbl        URIBL_SBL_A    zen.spamhaus.org.   A 127.0.0.2
Comment 3 Kevin A. McGrail 2015-09-14 13:50:24 UTC
(In reply to AXB from comment #2)
> hmmm
> 
> could someone pls test replacing
> uridnsbl        URIBL_SBL_A    sbl.spamhaus.org.   A
> 
> with
> 
> uridnsbl        URIBL_SBL_A    zen.spamhaus.org.   A 127.0.0.2

Anyone with the issue and using spamhaus?
Comment 4 Kevin A. McGrail 2016-01-01 18:05:22 UTC
Nick Edwards posted something similar:

Take postfix.org for example, it has no A record, so this check should
return NXDOMAIN and therefore not score the mail with a positive
value.

However, it does, so, I either screwed up something in the rule:

uridnsbl        ATQ_URI2 snowshoers.int. A
body            ATQ_URI2 eval:check_uridnsbl('ATQ_URI2')
describe        ATQ_URI2 URL's domain A record listed in snowshoe netblocks
score           ATQ_URI2 3.0
tflags          ATQ_URI2 net a

or SpamAssassin's lookup is overbearing?

The list in snowshoers.int contains about 400 /24's so removing one
at a time is not feasible, but, as indicated, postfix.org has no A
record so this shouldn't be an issue, I did check the IPs of
www.postfix.org both of them are not in any netblock.

So how can it be it gets tagged as being in it?
It can not be a nxdomain false in code, since undernet.org has no A
records and it passes fine without tagging/scoring.



And Noel Butler on the mailing list wrote:

         If so, I think I see the problem, SA is using  -ANY in its lookup,
         not the A that you want (I'm guessing without looking into code,
         I'm just back from holidays so bit busy at home), postfix ns4 has
         an IP in a /24 list from HOSTI-20 173.244.206.0/24 which was added
         4 weeks ago by looks of it, it's marked "spam multiple junk domains"

         So it seems SA's eval code does have an error.   

The rule might be requesting an A but the code is firing or returning ANY causing a false hit perhaps?


RW then pointed out this sounded similar to this bug.
Comment 5 Henrik Krohns 2018-11-04 11:20:35 UTC
This should fix it in 3.4:

Sending        lib/Mail/SpamAssassin/Plugin/URIDNSBL.pm
Transmitting file data .done
Committing transaction...
Committed revision 1845723.

Will commit trunk at later date, I was in the process of cleaning up the whole URIDNSBL.pm spaghetti, discovered this bug myself too..

Also fixed sbl -> zen usage and added CSS rules:

Sending        rules/25_uribl.cf
Sending        rules/50_scores.cf
Transmitting file data ..done
Committing transaction...
Committed revision 1845724.