A brief note about Spamhaus Policy Block List

After getting in closer-than-usual acquaintance with my mail server logs I thought I’d share a brief note I found in the Spamhaus PBL FAQ:

The first thing to know is: THE PBL IS NOT A BLACKLIST.

Oh, and since you’re already there you may want to linger a bit in this warning:

WARNING! Some post-delivery filters use “full Received line traversal” or “deep parsing”, where the filter reads all the IPs in the Received lines. Legitimate users, correctly sending good mail out through their ISP’s smarthost, will have PBL-listed IPs show up in the first (lowest) Received header where their ISP picks it up. Such mail should not be blocked! So, you should tell your filters to stop comparing IPs against PBL at the IP which hands off to your mail server! That last hand-off IP is the one which PBL is designed to check. If you cannot configure your filters that way, then do not use PBL to filter your mail. Instead, you may wish to use sbl-xbl.spamhaus.org, but even that may have unacceptable “false positive” filtering, for example when a an exploited end-user machine sends legitimate mail out through the ISP smarthost, or when the dynamic assignment changes the IP to an uninfected machine. Do not use PBL or XBL if you do not understand the issues of “deep parsing”.

(Emphasis mine)
So if your top-of-the-line multi-thousand-dollar antispam appliance starts blocking all my email just because there’s a dynamic IP address somewhere in the header and there’s no freaking way to turn it off please go ask for a refund. And stop bouncing my messages.
Oh and by the way the default SpamAssassin configuration in Debian assigns a 0.905 score if the last hop is in PBL.

score RCVD_IN_PBL 0 0.509 0 0.905
...
header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '127.0.0.1[01]')

And yes, SpamAssassin does the right thing and checks only the *last* external address — I’ve seen the code:

package Mail::SpamAssassin::PerMsgStatus;
...
# If name is foo-lastexternal, check only the Received header just before
# it enters our internal networks; we can trust it and it's the one that
# passed mail between networks

So once again kudos to Open Source — and Common Sense.