
Replace Spamhaus Zen Postfix blacklisting with stronger SpamAssassin scoring #1958

Open. Wants to merge 5 commits into base: main.
Conversation

myfirstnameispaul
Contributor

This PR removes reject_rhsbl_sender dbl.spamhaus.org and reject_rbl_client zen.spamhaus.org from main.cf so the emails will be received by the server and adds custom score values to spamassassin so it always marks Spamhaus Zen blacklisted emails as spam.

I realize this is potentially a contentious PR...

In the process of adding DMARC checks for a recent PR, it was communicated that the project prefers receiving email and marking it as spam to rejecting emails. In the example of DMARC, this means receiving email even when the administrators of a domain configure their policies to instruct other admins to reject the email, which is how the server is now configured.

In the case of blacklists, blocking the receipt of blacklisted email is the equivalent of granting strangers the ability to control what can be received by a server, essentially creating an externally managed gateway. This seems arbitrary as there are legitimate real-world complaints about Spamhaus refusing to remove blacklisted servers that do not send spam.

More reasonable seems to be to configure MiaB to receive blacklisted emails but always send them to the spam folder.

I have been running with the Spamhaus Zen blacklist disabled for a long time (two or three years) and I have not observed an appreciable increase in the quantity of spam received by the server. Initially, I ran without using any custom spamassassin rules, and in that time a total of one Spamhaus Zen blacklisted spam arrived in an inbox because the blacklisted spam has so many other problems that even without special rules, spamassassin will do its job of sending the spam to the spam folder.

Typical Spamhaus Zen listed email (without custom rules):

X-Spam-Report: 
	*  3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
	*      [score: 1.0000]
	*  0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
	*      [score: 1.0000]
	*  3.3 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
	*      [212.116.113.179 listed in zen.spamhaus.org]
	*  0.1 RCVD_IN_SBL RBL: Received via a relay in Spamhaus SBL
	*  0.1 URIBL_CSS_A Contains URL's A record listed in the Spamhaus CSS
	*      blocklist
	*      [URIs: s18.pandaoo.ru]
	*  0.1 URIBL_SBL_A Contains URL's A record listed in the Spamhaus SBL
	*      blocklist
	*      [URIs: s18.pandaoo.ru]
	*  1.6 URIBL_SBL Contains an URL's NS IP listed in the Spamhaus SBL
	*      blocklist
	*      [URIs: s18.pandaoo.ru]
	*  0.1 URIBL_CSS Contains an URL's NS IP listed in the Spamhaus CSS
	*      blocklist
	*      [URIs: s18.pandaoo.ru]
	*  2.5 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL
	*      blocklist
	*      [URIs: pandaoo.ru]
	*  1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
	*      [URIs: pandaoo.ru]
	* -0.1 DMARC_PASS DMARC check passed
	* -0.1 SPF_PASS SPF check passed
	*  0.0 RCVD_IN_MSPIKE_L3 RBL: Low reputation (-3)
	*      [212.116.113.179 listed in bl.mailspike.net]
	* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	*      author's domain
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*       valid
	*  1.4 PYZOR_CHECK Listed in Pyzor
	*      (https://pyzor.readthedocs.io/en/latest/)
	*  2.0 RAND_MKTG_HEADER Has partially-randomized marketing/tracking
	*      header(s)
	*  0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted
X-Spam-Score: 16.4

One time, the spamscore was below 5.0:

X-Spam-Report: 
	* -0.5 BAYES_05 BODY: Bayes spam probability is 1 to 5%
	*      [score: 0.0391]
	* -0.1 DMARC_PASS DMARC check passed
	* -0.1 SPF_PASS SPF check passed
	* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
	*  3.3 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
	*      [109.236.88.21 listed in zen.spamhaus.org]
	*  0.1 URIBL_CSS_A Contains URL's A record listed in the Spamhaus CSS
	*      blocklist
	*      [URIs: df.nevada-land-sales.com]
	*  0.1 URIBL_CSS Contains an URL's NS IP listed in the Spamhaus CSS
	*      blocklist
	*      [URIs: df.nevada-land-sales.com]
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*       valid
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	*      author's domain
X-Spam-Score: 2.7

With the score values in this PR, the above score would have been:

X-Spam-Report: 
	* -0.5 BAYES_05 BODY: Bayes spam probability is 1 to 5%
	*      [score: 0.0391]
	* -0.1 DMARC_PASS DMARC check passed
	* -0.1 SPF_PASS SPF check passed
	* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
	*   10 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
	*      [109.236.88.21 listed in zen.spamhaus.org]
	*   10 URIBL_CSS_A Contains URL's A record listed in the Spamhaus CSS
	*      blocklist
	*      [URIs: df.nevada-land-sales.com]
	*   10 URIBL_CSS Contains an URL's NS IP listed in the Spamhaus CSS
	*      blocklist
	*      [URIs: df.nevada-land-sales.com]
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*       valid
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	*      author's domain
X-Spam-Score: 29.2

Improves the default score assigned to Spamhaus Zen blacklisted emails by creating a miab_spamhaus_zen_scores.cf file with higher score values.
@downtownallday
Contributor

One effect of this would have been to place github's email (your pull request comment that was forwarded to me) into spam because the message contents contained "s18.pandaoo.ru".

Headers on github's email:

X-Spam-Report: 
	*  2.5 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL
	*      blocklist
	*      [URIs: pandaoo.ru]
	* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
	*      https://www.dnswl.org/, no trust
	*      [2a00:1450:4864:20:0:0:0:135 listed in]
	[list.dnswl.org]
	*  1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
	*      [URIs: pandaoo.ru]
	* -0.1 DMARC_PASS DMARC check passed
	* -0.1 SPF_PASS SPF: sender matches SPF record
	*  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
	*  0.0 HTML_MESSAGE BODY: HTML included in message
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*       valid
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	*      author's domain
	*  0.1 URIBL_CSS_A Contains URL's A record listed in the Spamhaus CSS
	*      blocklist
	*      [URIs: s18.pandaoo.ru]
	*  0.1 URIBL_CSS Contains an URL's NS IP listed in the Spamhaus CSS
	*      blocklist
	*      [URIs: s18.pandaoo.ru]
	* -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list
	*       manager
	* -0.0 DKIMWL_WL_HIGH DKIMwl.org - High trust sender
X-Spam-Score: 3.1

@myfirstnameispaul
Contributor Author

myfirstnameispaul commented Apr 10, 2021

Good point. I didn't experience this simply because these domains aren't normally in a body. Your comment came into my spam folder with X-Spam-Score: 20.1. However, based on what I observed in searching through various spam tool list archives and forums, it seems a regular problem for devs and admins while addressing these issues.

Another way to look at this would be that emails containing blacklisted domains in the body will go to spam, which is the normal type of email that contains these domains.

This behavior comes from modifying the score values. If the PR only added the modified score values, more mail that is likely spam would be declared spam since reject_rhsbl_sender is only evaluating the MAIL FROM domain and reject_rhsbl_client is only evaluating the client hostname, assuming I am understanding those configuration descriptions correctly.

@downtownallday
Contributor

What I find odd is that Spamassassin thinks the text "s18.pandaoo.ru" is a URI or URL and would even consider it at all:

	*  2.5 URIBL_DBL_SPAM Contains a spam URL listed in the Spamhaus DBL
	*      blocklist
	*  1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
	*      [URIs: pandaoo.ru]
	*  0.1 URIBL_CSS_A Contains URL's A record listed in the Spamhaus CSS
	*      blocklist
	*      [URIs: s18.pandaoo.ru]
	*  0.1 URIBL_CSS Contains an URL's NS IP listed in the Spamhaus CSS
	*      blocklist
	*      [URIs: s18.pandaoo.ru]

But, it's just text. Embedded in a <pre> tag. Not clickable. Not a URI (https://tools.ietf.org/html/rfc3986) or URL (https://tools.ietf.org/html/rfc1738).

You can't even mention the name! Lord Voldemort

@myfirstnameispaul
Contributor Author

Turns out there is a real problem with this body problem.

Currently, parler.com is on the Spamhaus CSS blacklist.

* 10 URIBL_CSS_A Contains URL's A record listed in the Spamhaus CSS
* blocklist
* [URIs: parler.com]
* 10 URIBL_CSS Contains an URL's NS IP listed in the Spamhaus CSS
* blocklist
* [URIs: parler.com]

Whatever the problems of parler.com, I speculate they aren't engaged in unsolicited or abusive mail campaigns.

I have been concerned that Spamhaus is subject to some political games likely indirectly, but then they make the actual removal process from their list very opaque. And no matter who you are (e.g., dovecot.org), they do not remove you no matter if you never spammed, and they do not tell you why.

So with this PR, users of parler.com would be allowed to receive mail whereas right now they cannot, but people not using parler.com but receive emails that have parler.com anywhere in the body (e.g., Substack newsletter) will have those mails going seemingly inexplicably to spam.

@ddavness
Contributor

ddavness commented May 12, 2021

Personally not fond of this PR, but I'll chip in anyway.


I don't particularly understand why you would want to get rid of the zen blocklisting - I have to give it that the case of DBL is debatable, though.

The Zen blocklist tracks IP addresses. If it's on the list, then you probably seriously don't want to receive mail from them (especially if it's on SBL or XBL). And if there's anyone operating a legit mail server with that IP, then maybe they have bigger issues to solve.

In fact, the Zen blocklist is supposed to "kick in" before the server actually sends the mail. From the Spamhaus website:

Incoming mail from servers listed on Spamhaus's SBL, XBL or PBL (collectively Zen) at this first stage should be rejected at the RCPT TO command, terminating the SMTP transaction before the message body is sent or accepted.

@myfirstnameispaul
Contributor Author

The first time I became aware of issues with legitimate servers being blocked by Spamhaus was with the Dovecot mailing list. They had an IPv6 address listed and I emailed the admin to make sure they were aware. He responded that they had already filled out all of the forms and attempted other methods of communication but inexplicably remained on the list. He said their server, domain or IP address had never sent spam.

The actual procedure for getting off of their list is "fill out a form" and wait. This means it is impossible for admins stuck on their list to actually know if they have taken the proper steps to be removed from the list, as the server can never send spam but be on the list.

These are not people I feel should be in charge of blocking mail to a server.

I've been running without them blocking mail to my server for years and I can't tell the difference between a Spamhaus listed spam or other spam unless I look at the headers.

@stvhay
Contributor

stvhay commented Oct 12, 2022

It seems like their process is to review the removal request within 24 hours.

When Spamhaus accepts your removal form, it will process it immediately. However, note that the removal process may take a few minutes up to 24 hours. If your IP address is still on the blocklist after 24 hours, contact Spamhaus’ technical account manager for removal assistance.

There are some shady blacklists out there, but I don't think Spamhaus is one of them...

@myfirstnameispaul
Contributor Author

The first time I became aware of issues with legitimate servers being blocked by Spamhaus was with the Dovecot mailing list. They had an IPv6 address listed and I emailed the admin to make sure they were aware. He responded that they had already filled out all of the forms and attempted other methods of communication but inexplicably remained on the list. He said their server, domain or IP address had never sent spam.

I think most people have not had this experience, which is why Spamhaus is so broadly trusted. However, observing these problems in real time enlightened me to the fact that Spamhaus should not be the gatekeeper to messages sent to my server.

@hija
Contributor

hija commented Jan 26, 2023

So with this PR, users of parler.com would be allowed to receive mail whereas right now they cannot, but people not using parler.com but receive emails that have parler.com anywhere in the body (e.g., Substack newsletter) will have those mails going seemingly inexplicably to spam.

For me this seems to be a bad tradeoff. I don't see why legitimate emails should get more likely to be classified as spam just so that some domains can receive mails.

/e: I suspect, that the "damage" of this PR is higher than the benefit. But of course that is just a gut feeling and I have no data to back it up.

/e2: One thing we can maybe consider: I think it is rather likely that a domain's name, especially from social networks, appears in the mailbody as well and so in your case chances are that the parler mail would be classified as spam as well.
