Hello,
Today I noticed that an email which was clearly spam ended up in my Inbox. Looking at the SpamAssassin report, I saw these scores corresponding to DNSBL checks managed by validity.com:
1.3 RCVD_IN_VALIDITY_RPBL RBL: Relay in Validity RPBL, https://senderscore.org/blocklistlookup/
[185.67.36.65 listed in bl.score.senderscore.com]
-3.0 RCVD_IN_VALIDITY_CERTIFIED RBL: Sender in Validity Certification - Contact [email protected]
[Excessive Number of Queries | <https://knowledge.validity.com/hc/en-us/articles/20961730681243>]
-2.0 RCVD_IN_VALIDITY_SAFE RBL: Sender in Validity Safe - Contact [email protected]
[Excessive Number of Queries | <https://knowledge.validity.com/hc/en-us/articles/20961730681243>]
VALIDITY_RPBL adds 1.3 points, VALIDITY_CERTIFIED and VALIDITY_SAFE subtract 3 and 2 points respectively. All three scores are incorrect, and the cause is that my server has exceeded the query limit to their DNSBL (10 000 queries per rolling month). Although the VALIDITY_RPBL entry doesn’t specify this in the report, the issue is the same: the query limit has been exceeded, and it always returns the same score for all IPs.
This seems to be a recent change in Validity policies and SpamAssassin does not account for this scenario, applying the predefined scores to these checks even when they don’t return correct results (all three lists always return 127.255.255.255 for any query, which means the limit has been exceeded). For other DNSBLs, SpamAssassin does have rules in place to ignore such checks when this happens, but since this is likely new, it’s not accounted for yet.
The rules in SpamAssassin are located at /usr/share/spamassassin/20_dnsbl_tests.cf:
# ---------------------------------------------------------------------------
# Validity (née Return Path, SenderScore) reputation DNSBLs
# https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6247
# Certified:
# https://www.validity.com/resource-center/fact-sheet-certification/
# (replaces RCVD_IN_BSP_TRUSTED, RCVD_IN_BSP_OTHER, RCVD_IN_SSC_TRUSTED_COI, RCVD_IN_RP_CERTIFIED)
header RCVD_IN_VALIDITY_CERTIFIED eval:check_rbl_txt('ssc-firsttrusted', 'sa-trusted.bondedsender.org.')
describe RCVD_IN_VALIDITY_CERTIFIED Sender in Validity Certification - Contact [email protected]
tflags RCVD_IN_VALIDITY_CERTIFIED net nice publish
reuse RCVD_IN_VALIDITY_CERTIFIED RCVD_IN_RP_CERTIFIED
# Safe:
# https://www.validity.com/resource-center/fact-sheet-certification/
# (replaces HABEAS_ACCREDITED_COI, HABEAS_ACCREDITED_SOI, HABEAS_CHECKED, RCVD_IN_RP_SAFE)
header RCVD_IN_VALIDITY_SAFE eval:check_rbl_txt('ssc-firsttrusted','sa-accredit.habeas.com.')
describe RCVD_IN_VALIDITY_SAFE Sender in Validity Safe - Contact [email protected]
tflags RCVD_IN_VALIDITY_SAFE net nice publish
reuse RCVD_IN_VALIDITY_SAFE RCVD_IN_RP_SAFE
# Validity RPBL (née Return Path Reputation Network Blacklist - RNBL):
# https://www.senderscore.org/blocklistlookup/
# (replaces RCVD_IN_RP_RNBL)
header RCVD_IN_VALIDITY_RPBL eval:check_rbl('rnbl-lastexternal','bl.score.senderscore.com.')
describe RCVD_IN_VALIDITY_RPBL Relay in Validity RPBL, https://senderscore.org/blocklistlookup/
tflags RCVD_IN_VALIDITY_RPBL net publish
reuse RCVD_IN_VALIDITY_RPBL RCVD_IN_RP_RNBL
And the scores assigned are in /usr/share/spamassassin/50_scores.cf:
score RCVD_IN_VALIDITY_RPBL 0 1.284 0 1.310 # n=0 n=2
score RCVD_IN_VALIDITY_CERTIFIED 0.0 -3.0 0.0 -3.0
score RCVD_IN_VALIDITY_SAFE 0.0 -2.0 0.0 -2.0
That said, since I don’t want every email I receive to get 3.7 points subtracted (-3 + -2 + 1.3) for no reason, I’ve disabled the resolution of these three lists.
cat <<EOF > /etc/spamassassin/disable-validity.cf
dns_query_restriction deny sa-trusted.bondedsender.org
dns_query_restriction deny sa-accredit.habeas.com
dns_query_restriction deny bl.score.senderscore.com
EOF
systemctl restart spamd
I hope this helps someone facing the same issue.
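
Added example, not part of the original post: a check, meant to be run on the mail server so it goes through the same resolver SpamAssassin uses, that asks each of the three zones about a test address and flags the 127.255.255.255 over-limit answer described above. The function names, the `--check` flag, and the use of `dig` with the conventional DNSBL test address 127.0.0.2 are assumptions of this example.

```sh
#!/bin/sh
# Added example: does this host's resolver get Validity's over-limit answer?
# Zones are those in the rules quoted in the post; 127.255.255.255 is the
# answer the post reports once the query limit is exceeded.
VALIDITY_ZONES="sa-trusted.bondedsender.org sa-accredit.habeas.com bl.score.senderscore.com"
OVER_LIMIT="127.255.255.255"

# Build a DNSBL query name: IPv4 octets reversed, then the zone.
# The body runs in a subshell so the IFS change stays local.
rbl_qname() (
    ip=$1 zone=$2
    case $ip in ''|*[!0-9.]*) return 1 ;; esac
    IFS=.
    set -- $ip
    [ "$#" -eq 4 ] || return 1
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
)

# Classify the A records of one lookup (one address per line, may be empty).
classify_answer() {
    case "$1" in
        '')              echo no-answer ;;   # NXDOMAIN or lookup failure
        *"$OVER_LIMIT"*) echo over-limit ;;  # quota exceeded, result is meaningless
        127.*)           echo listed ;;
        *)               echo unexpected ;;
    esac
}

# Query every zone for a test address (assumed default: 127.0.0.2).
# Returns 1 if any zone reports over-limit, 2 on a malformed address.
check_validity_quota() {
    test_ip=${1:-127.0.0.2}
    status=0
    for z in $VALIDITY_ZONES; do
        qname=$(rbl_qname "$test_ip" "$z") || return 2
        state=$(classify_answer "$(dig +short A "$qname")")
        printf '%-32s %s\n' "$z" "$state"
        if [ "$state" = over-limit ]; then status=1; fi
    done
    return "$status"
}

# Only touch the network when asked to: sh check-validity.sh --check [ip]
if [ "${1:-}" = --check ]; then
    check_validity_quota "${2:-}"
fi
```

A non-zero exit status from `--check` means at least one zone answered with the over-limit code, so the scores of the corresponding rules say nothing about the sender.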