
RBL Blacklist behaviour?

This is one of the SMG monitoring gadgets I created a month ago.

This is my filter

For quite some time now I was getting very few hits on my RBL filters, then today I noticed an exceptionally large number of messages being blocked. Of course, I have made no changes to my system. :-)

Has anyone else noticed similar behaviour?

__________
Kevin Boyle, SuperUser

Calgary, Alberta, Canada

    Kevin - this is what I have gotten back from development - "

    That seems more like an observation than a question. I can’t answer his actual question at the end, because I don’t have a system to compare behaviour.

     RBL services are external to SMG, so the reason for them firing could be a very wide range of reasons, some legitimate, some problematic. If normal mail is flowing, then generally it’s just one of the ‘reasons’.

     Here’s some of the reasons/faults off the top of my head that could cause this type of spike:

     Reasons:

    - A spammer has become very active

    - There’s a new form of spam that’s appeared

    - A DDoS spammer has appeared from a network range that spamhaus knows about

    - A targeted attack is happening that spamhaus has detected

     Faults:

    - DNS problems looking up spamhaus

    - spamhaus has a fault

    - SMG appliance has a DNS cache problem and needs a restart

     Something that could be done to verify if there’s a general mail pattern change would be to layer in the number of connections processed onto that graph for reference."

    Pam

    Hi Pam,

    Thanks for that feedback. 

    This is not an issue I was trying to get resolved via the forums. It was a change in behaviour that I observed and I was wondering if anyone else noticed a similar change.

    I do not quarantine messages blocked by my RBL filters and I know that SMG has no control over what these RBL sites report.

    Suddenly a lot of email from known senders was blocked and lost. I noticed that spamhaus reported issues with the sender's IP addresses but spamcop didn't, so I assumed this was an issue with spamhaus rather than an actual change in the reputation of sender's IP addresses, so I simply disabled my spamhaus filter.

    I will enable it once again but not attach any services just to see if things have returned to normal. I expect they have...

    __________
    Kevin Boyle, SuperUser

    Calgary, Alberta, Canada
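
An added example, not part of the thread and not SMG code: one way to tell real listings apart from the "faults" case when two RBLs disagree, by classifying the A records each zone returns. The helper names and sample data are constructed for illustration; the 127.255.255.x meanings are the error return codes Spamhaus documents, and the 127.0.0.0/8 rule follows RFC 5782.

```python
import ipaddress
from collections import Counter

# Spamhaus documents these answers as error signals, not listings:
#   127.255.255.252  typing error in the DNSBL zone name
#   127.255.255.254  query arrived via a public/open resolver
#   127.255.255.255  excessive number of queries
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Name to look up: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(answers):
    """answers: list of A records, [] for NXDOMAIN, None for timeout/SERVFAIL."""
    if answers is None:
        return "lookup-failed"
    if not answers:
        return "not-listed"
    addrs = [ipaddress.ip_address(a) for a in answers]
    if any(a not in LOOPBACK for a in addrs):
        return "invalid-answer"   # not a DNSBL reply, e.g. a rewritten NXDOMAIN
    if any(a in ERROR_NET for a in addrs):
        return "blocklist-error"  # must not be treated as a listing
    return "listed"

def summarize(observations):
    """Count verdicts per zone from (ip, zone, answers) tuples."""
    counts = {}
    for _ip, zone, answers in observations:
        counts.setdefault(zone, Counter())[classify(answers)] += 1
    return counts

# Constructed sample data (documentation IPs, not real senders).
SAMPLE = [
    ("192.0.2.10", "zen.spamhaus.org", ["127.255.255.254"]),
    ("192.0.2.10", "bl.spamcop.net", []),
    ("192.0.2.11", "zen.spamhaus.org", ["127.255.255.254"]),
    ("192.0.2.11", "bl.spamcop.net", []),
    ("192.0.2.66", "zen.spamhaus.org", ["127.0.0.2"]),
    ("192.0.2.66", "bl.spamcop.net", ["127.0.0.2"]),
    ("192.0.2.12", "zen.spamhaus.org", None),
]

if __name__ == "__main__":
    for zone, verdicts in summarize(SAMPLE).items():
        print(zone, dict(verdicts))
```

A filter that blocks on any answer from the zone will count the "blocklist-error" rows as hits, so a per-zone tally like this is worth graphing next to the connection count suggested above.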