SPFBL feedback system

Several anti-spam systems provide ways of sending feedback so that e-mail service administrators can learn about complaints against their own senders. This feedback is very important for the e-mail service administrator because too many abuse complaints can compromise the reputation of the IP used by the service. If an IP’s reputation is compromised, multiple providers may stop accepting messages from that service.

 

The best-known feedback system is the Feedback Loop (FBL). The big problem with this system is that it requires prior registration with each destination provider. If the e-mail service administrator wants access to all of the complaint information against their senders, they must register with each FBL provider.

 

This FBL registration procedure is costly and complicated. For this reason, the SPFBL project has created a special rejection prefix, at the SMTP layer, so that email service administrators can obtain all information without registering with SPFBL providers.

 

About the SPFBL reputation system

 

The SPFBL reputation system consists of counting all legitimate messages (HAM) and illegitimate messages (SPAM) within a certain period of time for each source IP. This period will never be longer than seven days. This information is collected from all SPFBL project contributors through a P2P network.

 

Using these counts, the SPAM ratio is calculated over the total sending volume, which is the sum of HAM and SPAM for that IP:

P = SPAM /(HAM+SPAM)

If this ratio exceeds the 50% threshold, the IP will be listed on the DNSBL SPFBL.net.

 

How to identify the SPFBL rejection prefix

 

The SPFBL rejection prefix is generated at the SMTP layer and consists of the code 5.7.1, which means that delivery is not authorized, plus the word SPFBL, which means that a negative point was recorded by incrementing the SPAM count:

5.7.1 SPFBL <message>

The message, which follows the prefix, describes the reason for the negative point.

 

Cleaning the IP reputation

 

Every email service administrator must determine policies for their clients and monitor the SPFBL rejection prefix in the MTA log files of the last seven days:

egrep "5\.7\.1.+SPFBL" <mta_log_file>

If using cPanel or Exim, the administrator can find these records with the following command:

exigrep "5\.7\.1 SPFBL" /var/log/exim4/mainlog*

If a system that uses SPFBL receives too many spam e-mails that generate rejections with this prefix, the administrator of the remote sending system must warn or ban the user who is sending that spam. The goal is to avoid receiving new rejections with this prefix, since each rejection generates a negative point.

 

Rejection may occur due to manual blocking. In this case, a URL will be sent within the message:

5.7.1 SPFBL BLOCKED <url>

If the block is improper, you must start a release procedure. The release procedure, started through the URL, depends on the recipient’s interaction. For this reason, it is important that the sender contact the recipient by another means of communication, to let them know that the sender has been improperly blocked by the anti-spam system and is about to start the release process. Once it is started, the recipient will receive a system email:

The sender 'leandro@spfbl.com.br' wants to send you messages but was blocked by the SPFBL system as being a source of SPAM.
If you trust this sender and want to receive his messages, please go to this URL and solve the reCAPTCHA:
http://matrix.spfbl.net/<ticket>

If the recipient completes this procedure, the system will remove any block that prevents messages from being accepted and will register the sender on the recipient’s whitelist, so that the recipient’s MTA will accept any message from that sender destined to that same recipient.

 

How to identify future spamtraps

 

Disabled addresses are recorded as non-existent in the SPFBL service, which returns the following prefix:

5.1.1 SPFBL <message>

Every rejection with this prefix is a sign that the email address should be removed immediately from the contact list or from the email marketing list.

 

If the removal is not done, there is a risk that the sending service will be listed on the SPFBL network, because the address can be converted to a spamtrap at any time. Strictly speaking, each email address is converted to a spamtrap one year after its inclusion in the list of non-existent recipients. A high volume of non-existent recipients can also get the IP listed.

 

Spamtrap addresses may still remain in a contact list without the sender’s knowledge. For these, there is a mechanism that simulates the sender being blocked by the intended recipient, which is actually a robot and not a real recipient. This blocking is performed in a pseudo-random fashion so that the sender cannot find out which addresses belong to real recipients and which are spamtraps. If automatic spamtrap blocking occurs, the sender should treat the case exactly as if it were a real recipient and remove the address from the contact list; in doing so, the sender removes a spamtrap without realizing it.
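An added example, not code from the SPFBL project, covering the log monitoring described under "Cleaning the IP reputation" and the address removal described under "How to identify future spamtraps": it tallies `5.7.1 SPFBL` rejections per envelope sender, collects the URL from `5.7.1 SPFBL BLOCKED` rejections, and lists recipients rejected with `5.1.1 SPFBL`. The Exim-style sample lines, the reason text, the URL and the `triage` function name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed Exim-style lines for illustration; reason text and URL are placeholders.
SAMPLE_LOG = """\
2017-06-23 13:17:01 1dOAAA-000001-AA <= news@sender.example H=app [198.51.100.7] P=esmtp
2017-06-23 13:17:03 1dOAAA-000001-AA ** bob@rcpt.example R=dnslookup T=remote_smtp: SMTP error after RCPT TO: 550 5.7.1 SPFBL constructed reason text
2017-06-23 13:17:04 1dOAAA-000001-AA ** carol@rcpt.example R=dnslookup T=remote_smtp: SMTP error after RCPT TO: 550 5.7.1 SPFBL BLOCKED https://spfbl.example/TICKET
2017-06-23 13:17:05 1dOAAA-000001-AA ** old@rcpt.example R=dnslookup T=remote_smtp: SMTP error after RCPT TO: 550 5.1.1 SPFBL constructed reason text
2017-06-23 13:20:00 1dOBBB-000002-BB <= alice@sender.example H=app [198.51.100.7] P=esmtp
2017-06-23 13:20:02 1dOBBB-000002-BB ** dave@rcpt.example R=dnslookup T=remote_smtp: SMTP error after RCPT TO: 550 5.7.1 SPFBL constructed reason text
2017-06-23 13:20:03 1dOBBB-000002-BB ** erin@other.example R=dnslookup T=remote_smtp: SMTP error after RCPT TO: 550 5.7.1 mailbox policy rejection
2017-06-23 13:20:04 1dOBBB-000002-BB => frank@other.example R=dnslookup T=remote_smtp C="250 OK"
"""

# "<=" is the Exim flag for message arrival: it ties a message id to its envelope sender.
ARRIVAL = re.compile(r"^\S+ \S+ (\S+) <= (\S+)")
# "**" is the Exim flag for a failed delivery; keep only the SPFBL prefixes from the page.
REJECT = re.compile(
    r"^\S+ \S+ (\S+) \*\* (\S+) .*?\b(5\.7\.1|5\.1\.1) SPFBL"
    r"(?: BLOCKED (\S+))?")

def triage(log_text):
    """Return (negative points per sender, release URLs, recipients to remove)."""
    sender_of = {}        # message id -> envelope sender
    points = Counter()    # sender -> count of 5.7.1 SPFBL rejections
    release_urls = {}     # blocked recipient -> URL given in the rejection
    remove = set()        # recipients rejected with 5.1.1 SPFBL
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            sender_of[m.group(1)] = m.group(2)
            continue
        m = REJECT.match(line)
        if not m:
            continue      # deliveries and non-SPFBL rejections are ignored
        msg_id, rcpt, code, url = m.groups()
        if code == "5.1.1":
            remove.add(rcpt.lower())
            continue
        points[sender_of.get(msg_id, "<unknown>")] += 1
        if url:
            release_urls[rcpt.lower()] = url
    return points, release_urls, sorted(remove)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
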

 

External links

Enhanced Mail System Status Codes
Simple Mail Transfer Protocol (SMTP) Enhanced Status Codes Registry

Leandro Carlos Rodrigues

Bachelor of Computer Science from FEI

19 Comments
  • Joshua Kaplan
    Posted at 13:17, 23 June, 2017

    I followed the procedure to request an unblock code for onssi.com which you report as being good, and a webpage appeared stating that an unblock code was sent, but I never received the code.

    Please tell me how to get that code, or unblock onssi.com in a different way.

  • Joshua Kaplan
    Posted at 14:30, 23 June, 2017

    72.80.31.43 does match mail.onssi.com on an rDNS query, and our mail server answers “mail.onssi.com” to an SMTP request.

    This can be verified at mxtoolbox.com or any of several other public tools, or by a direct query of our DNS records.

    What makes you think that rDNS is not working for our domain?

    Your webpage did not say that we have a problem. It said that our domain is now good. There was no error message about a problem with rDNS.

    The webpage displayed by your website declared that we are rated as good, and gave me a button to click for an unlock code. The next page displayed says that a code was sent to me, but I never received it.

    I need to either receive the code or have the block cleared for me.

    Please tell me what the next step is.

  • Joshua Kaplan
    Posted at 14:40, 23 June, 2017

    I don’t understand.

    The rDNS check is for my domain, onssi.com.
    I have a mailbox there, which is postmaster@onssi.com.
    That is what I filled out on your web page.
    I never received the email with the unblock code.

  • Joshua Kaplan
    Posted at 15:37, 23 June, 2017

    Thank you.

  • Vitor Ayres
    Posted at 15:13, 18 July, 2017

    What can we do when the mail server logs do not show any record with code 5.7.1 and, even so, we continue to be blocked by the SPFBL system?

      • Vitor Ayres
        Posted at 15:25, 18 July, 2017

        Is there any other, less exposed communication channel? Thank you.

  • Marcius Franciso
    Posted at 14:03, 24 August, 2017

    Good afternoon.

    My IP is on the block list; how do I remove it? The page tried to send me the delist key but is unable to.

  • Posted at 10:57, 28 August, 2017

    Dear all, good morning!

    We are having difficulty sending e-mail from the Tribunal de Justiça da Bahia to several domains.
    We got in touch more than a week ago, with no reply.

    Is there some means of communication and interaction to check this situation?

    Given how critical the lack of communication is, I request that the case be handled quickly.

    https://matrix.spfbl.net/168.228.240.164

  • Vitalino Victor
    Posted at 16:45, 6 September, 2017

    Hello, Leandro.
    My e-mail server has 66% negative points. The FCrDNS is OK.
    The guidance given by the page http://matrix.spfbl.net would be to reduce the number of e-mails (I suppose this is to satisfy P = SPAM /(HAM+SPAM)).

    I believe some false positive is occurring in the evaluation of possible SPAM (I do not use the server/domain for advertising purposes, nor for attachment notices).

    Besides those documented at:

    http://spfbl.net/en/delist/
    http://spfbl.net/feedback/

    Is there any other alternative to satisfy SPFBL?

      • Vitalino Victor
        Posted at 17:47, 6 September, 2017

        Hi, Leandro. I'm doing well. Thank you very much for the reply.

        The problem is that a rejection prefix is returned for any e-mail sent.

        In fact, all e-mails are sent by a no-reply “user”. It is just an automatic e-mail, triggered on specific events. There are no other users sharing the same domain. Therefore, I am not able to isolate a possible abuser.

        Just as a test, I tried sending e-mails with another user (vitalino@). And even so the e-mail was rejected.

        A few days ago, our negative points dropped from 100% to 54% due to the total absence of attempts to send e-mails to the recipient that uses SPFBL.

        Regards,
        Vitalino Victor
