Diagnosis incorrectly report IP blacklist on Hostkarma #1873

Closed
grubshka opened this issue Sep 11, 2021 · 5 comments
Labels
good first issue Good for newcomers 📫 Email 👾 bug Something isn't working 🩺 Diagnosis


@grubshka

grubshka commented Sep 11, 2021

EDIT from ljf: This is a good first issue for a new contributor. You can find some instructions to fix this issue if you have some basic skills in Python.

Describe the bug

According to the YunoHost diagnosis, our IPv4 is blacklisted on Hostkarma.
However, either manually running the DNS check or asking Hostkarma for removal says the IP is not blacklisted.

Context

  • Hardware: VPS bought online
  • YunoHost version: 4.2.8.1
  • I have access to my server: Through SSH and through the webadmin
  • Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no

Steps to reproduce

root@cloud1:~# yunohost diagnosis show mail --issues --human-readable
=================================
Email (mail)
=================================

[ERROR] Your IP or domain 217.XXX.XXX.XXX is blacklisted on Hostkarma
  - The blacklist reason is: "No Blacklist listed 217 See http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists"
  - After identifying why you are listed and fixed it, feel free to ask for your IP or domaine to be removed on https://ipadmin.junkemailfilter.com/remove.php

Expected behavior

The diagnosis should not report our IP.
Running the DNS lookup manually says everything is OK:

$ dig XXX.XXX.XXX.217.hostkarma.junkemailfilter.com
...
;; ANSWER SECTION:
XXX.XXX.XXX.217.hostkarma.junkemailfilter.com. 1714 IN A 127.0.0.5
...

@andretheolauret

I’m concerned by this issue too; what is strange is that sometimes it disappears and comes back 2-3 days later.

@grubshka
Author

grubshka commented Sep 11, 2021

On our side, we always have this warning.

The YunoHost reason is the one sent by Hostkarma, but it should not reach this step.
Here are the full dig results:

$ dig A XXX.XXX.XXX.217.hostkarma.junkemailfilter.com

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> A XXX.XXX.XXX.217.hostkarma.junkemailfilter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54018
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;XXX.XXX.XXX.217.hostkarma.junkemailfilter.com. IN A

;; ANSWER SECTION:
XXX.XXX.XXX.217.hostkarma.junkemailfilter.com. 2052 IN A 127.0.0.5

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Sep 11 06:42:04 CEST 2021
;; MSG SIZE  rcvd: 89
$ dig TXT XXX.XXX.XXX.217.hostkarma.junkemailfilter.com

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> TXT XXX.XXX.XXX.217.hostkarma.junkemailfilter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9563
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;XXX.XXX.XXX.217.hostkarma.junkemailfilter.com. IN TXT

;; ANSWER SECTION:
XXX.XXX.XXX.217.hostkarma.junkemailfilter.com. 2023 IN TXT "No Blacklist listed 217 See http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists"

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Sep 11 06:42:33 CEST 2021
;; MSG SIZE  rcvd: 170

@zamentur
Member

zamentur commented Sep 11, 2021

Context

The part of the code with the bug is here: https://github.com/YunoHost/yunohost/blob/d14c4820868d11fe3b9894de7a7e6e16f0b62d21/data/hooks/diagnosis/24-mail.py#L208

Currently, we make a dig request on the DNSBL and if we have no return we consider we are not blacklisted.

Hostkarma seems, in certain cases, to return a code like 127.0.0.5 or 127.0.0.1 to indicate it's not blacklisted: http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists#How_to_use_the_Lists

So here 127.0.0.5 means "maybe whitelisted", so we shouldn't indicate the tested IP is blacklisted.

EDIT: SpamRats is concerned too; sometimes it returns 127.0.0.50, but that doesn't mean listed. Only 127.0.0.36, 127.0.0.37 and 127.0.0.38 mean you are listed on SpamRats.

How to fix

Environment

This issue is small enough to be fixed on a simple YunoHost test instance. However, you can use ynh-dev if you want.

Adapt the DNSBL list to put info about non blacklisted return code

To fix this, you have to add the non-blacklist return codes to this file. Those return codes can be different for each DNSBL:
https://github.com/YunoHost/yunohost/blob/dev/data/other/dnsbl_list.yml

You can add, for example, a key non_blacklisted_return_code with the list of local IPs that shouldn't trigger the blacklisted alert. In the case of Hostkarma: ['127.0.0.1', '127.0.0.5']

Change the if condition to go to the next DNSBL and not trigger the alert

Next, the code needs to be adapted to get the return code (currently we ignore it with the specific _ var).
https://github.com/YunoHost/yunohost/blob/d14c4820868d11fe3b9894de7a7e6e16f0b62d21/data/hooks/diagnosis/24-mail.py#L208

And the condition to continue on to the next DNSBL needs to be adapted:
https://github.com/YunoHost/yunohost/blob/d14c4820868d11fe3b9894de7a7e6e16f0b62d21/data/hooks/diagnosis/24-mail.py#L209

Test your change

After that you can test your change to be sure it breaks anything by adding your reverse public IP concatenated with the Hostkarma server in the /etc/hosts file.

$ curl ip.yunohost.org
1.2.3.4

In this case put in /etc/hosts

127.0.0.5 4.3.2.1.hostkarma.junkemailfilter.com

Don't forget to restart yunohost-api if you test by web admin (however, it seems easier to test by command line).

Next, feel free to git commit and make your PR.
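
The check described in the comment above, as an added example; it is not YunoHost's code and not the fix that was later merged. The key name non_blacklisted_return_code follows the suggestion above, while the SpamRats zone name, the resolve_a callback and the sample DNS answers are assumptions constructed for illustration. It also handles IPv6 addresses and multiple A records per answer, which goes beyond the single-IPv4 case discussed in the issue.

```python
import ipaddress

# Constructed sample config in the shape suggested above; the key name
# "non_blacklisted_return_code" is the proposal from the comment.
DNSBL_LIST = [
    {"name": "Hostkarma", "dns_server": "hostkarma.junkemailfilter.com",
     "non_blacklisted_return_code": ["127.0.0.1", "127.0.0.5"]},
    {"name": "SpamRats", "dns_server": "all.spamrats.com",  # zone name assumed
     "non_blacklisted_return_code": ["127.0.0.50"]},
]

def dnsbl_query_name(ip, zone):
    """Build the reversed-IP query name, e.g. 1.2.3.4 -> 4.3.2.1.<zone>."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    for suffix in (".in-addr.arpa", ".ip6.arpa"):
        if rev.endswith(suffix):
            rev = rev[: -len(suffix)]
    return f"{rev}.{zone}"

def check_blacklists(ip, resolve_a, dnsbl_list=DNSBL_LIST):
    """Return [(list name, listing codes)] for the lists that really list `ip`.

    resolve_a(name) is a hypothetical resolver callback returning the A records
    as strings ([] when there is no answer), so the logic runs offline.
    """
    listed = []
    for bl in dnsbl_list:
        answers = resolve_a(dnsbl_query_name(ip, bl["dns_server"]))
        benign = set(bl.get("non_blacklisted_return_code", []))
        # No answer, or only codes the list documents as "not listed": next DNSBL.
        hits = sorted(a for a in answers if a not in benign)
        if hits:
            listed.append((bl["name"], hits))
    return listed

# Constructed DNS answers standing in for the real zones.
FAKE_ZONE = {
    "4.3.2.1.hostkarma.junkemailfilter.com": ["127.0.0.5"],
    "4.3.2.1.all.spamrats.com": ["127.0.0.50"],
    "9.3.2.1.hostkarma.junkemailfilter.com": ["127.0.0.2"],  # outside benign set
    "9.3.2.1.all.spamrats.com": ["127.0.0.50", "127.0.0.36"],
}

def fake_resolver(name):
    return FAKE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("1.2.3.4", "1.2.3.9", "1.2.3.10"):
        print(ip, check_blacklists(ip, fake_resolver))
```

With the pre-fix behaviour described in the issue (any answer counts as listed), 1.2.3.4 would be reported on both lists; here only 1.2.3.9 is.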

@rthouvenin

I sent a fix proposal!

@alexAubin
Member

Closing, should be fixed by YunoHost/yunohost#1375
