Spam RBL


Anonymous

Post by Anonymous » Fri Jun 18, 2004 2:01 pm

Arf wrote:Opinion Question: Do you think it would be better not to send back the error message that states that they are being rejected because they are on an RBL?



Yes, you can change the following line

R<?>$+ $#error $@ 5.7.1 $: "Mail from " $&{client_addr} " Email blocked using spamhausxbl - see <http://www.spamhaus.org/>"


to

R<?>$+ $#discard $: discard


This works more or less like using /dev/null.

But the problem is, if the blocked IP is your client's, he never gets to know that the IP was blocked, and he thinks that his server doesn't send the emails. :o

Charlie
Hard Drive Crasher
Posts: 671
Joined: Tue Jan 07, 2003 4:55 am

Post by Charlie » Fri Jun 18, 2004 2:32 pm

Arf wrote:Okay, now that I feel a little more in control of this, I have another question or two.

Burning Question: Is there a way to check against the RBL without giving the sender the benefit of a return letter? So far, certain RBLs are working very well and I'm not getting any complaints. So why use the bandwidth? Why not vaporize these emails? But how?

Opinion Question: Do you think it would be better not to send back the error message that states that they are being rejected because they are on an RBL? If I were a spammer/hacker this would make me more angry and make me try other nasties against the rejecting domain. So why not provide an error message that says something line, "Mail Server Error. Please contact the recipient by another means and report to this to their Sys-Admin." This will foil the spammer with giving them a reason that would make them seek revenge while also alerting any legitimate users that there's a problem that they might wish to rectify. What-d-ya-think?


When you use the sendmail.cf RBL feature to block an IP, the MTA (meaning your sendmail) does not send any emails to the sender. It simply does not "accept" the connection from the user, saying the IP is blocked. There is no bandwidth usage.

On another note, most professional spammers use compromised systems/open proxies to connect to your server. They do not get angry when you reject them, but will try to find another victim.

Also, according to the RFC, if an SMTP server "accepts" an email for delivery, it must make a reasonable effort to deliver it to the final recipient. It should not simply discard the email without sending back a notice to the sender!
RFCs may not work great when it comes to SPAM, but imagine that every system admin decides to implement his/her own set of rules and return bogus error codes, etc., ignoring RFCs.

/C/

darklite
Nothing better to do.
Posts: 187
Joined: Tue Jun 24, 2003 3:56 pm

Post by darklite » Fri Jun 18, 2004 2:45 pm

The mail setup is getting better and better.

First Line of defence: RBL in sendmail
Second Line of defence: SpamAssassin
Third Line of Defence: WiKi Custom Lists
Fourth Line of defence: ClamAV

I'm going to add back Arf's offering just behind SpamAssassin to clear even more spam. Then allow the user to filter their mail also.

If only there was a way of punishing computer users who leave spam viruses on their computers ;)

Arf
Official Test Penquin
Posts: 9103
Joined: Tue Apr 09, 2002 12:00 am
Location: IDAHO, USA

Post by Arf » Fri Jun 18, 2004 3:02 pm

I knew I could count on this group for some great input.

Schpilkus, I can only illustrate to you by my resistance how leery I am to compile anything on my server that I don't fully understand. It is not the program that concerns me, it's not understanding how the compile program works and what I would do if the program screwed up my mail system. I am looking forward to the day when Alabanza provides it. For some, like yourself, SA is as close to a perfect solution as possible and I'd encourage its use. I use it on my CPanel server and I like it as it comes as part of CPanel and is supported by the NOC if it should get hosed.

Also, I like the control I can get using other more low level options that I can understand. With SA, I would lose some granularity of logging and other aspects of email control that I 'want'.

I hope this helps you understand why one might not put this on their server **even if they wanted to**.

Charlie
Hard Drive Crasher
Posts: 671
Joined: Tue Jan 07, 2003 4:55 am

Post by Charlie » Fri Jun 18, 2004 3:11 pm

darklite wrote:The mail setup is getting better and better.

First Line of defence: RBL in sendmail
Second Line of defence: SpamAssassin
Third Line of Defence: WiKi Custom Lists
Fourth Line of defence: ClamAV

I'm going to add back Arf's offering just behind SpamAssassin to clear even more spam. Then allow the user to filter their mail also.

If only there was a way of punishing computer users who leave spam viruses on their computers ;)


It's getting better. Still, you need to reject emails at the MTA level if the user does not exist. I have reserved the second line of defence for a Milter or access.db to reject emails addressed to nonexistent users. Why do I need to pipe them through SA and ClamAV?

/C/

sixpackmx
Hard Drive Crasher
Posts: 640
Joined: Fri Nov 01, 2002 9:44 am
Location: Mexico City, Mexico

Post by sixpackmx » Fri Jun 18, 2004 6:01 pm

Charlie wrote:Also according to the RFC, if an SMTP server "accepts" an email for delivery, it must make a reasonable effort to deliver it to the final recipient. It should not simply discard the email without sending back a notice to the sender!
RFCs may not work great when it comes to SPAM, but imagine that every system admin decides to implement his/her own set of rules and return bogus error codes, etc., ignoring RFCs.

/C/

Bravo!! Systems Implementations always should be based on a specific RFC. That's why I never liked the default alabanza autoresponse to bounce e-mail, it was not bouncing, but replying email.

Bouncing: Rejecting the message at MTA level with a specific error code.

RobW
Propeller head licensee
Posts: 45
Joined: Wed Nov 10, 2004 11:35 am

Post by RobW » Thu Mar 17, 2005 11:16 pm

Finally got my head around this and plucked up courage to edit the sendmail.cf... we used the following entries for user friendly replies:

Code: Select all

# Note: in sendmail.cf the LHS and RHS of each R line must be separated by TAB characters, not spaces.

# DNS based IP address spam list list.dsbl.org
R$*                     $: $&{client_addr}
R::ffff:$-.$-.$-.$-     $: <?> $(host $4.$3.$2.$1.list.dsbl.org. $: OK $)
R$-.$-.$-.$-            $: <?> $(host $4.$3.$2.$1.list.dsbl.org. $: OK $)
R<?>OK                  $: OKSOFAR
R<?>$+                  $#error $@ 5.7.1 $: "550 Mail from " $&{client_addr} " refused - see http://dsbl.org/listing?"$&{client_addr}

# DNS based IP address spam list bl.spamcop.net
R$*                     $: $&{client_addr}
R::ffff:$-.$-.$-.$-     $: <?> $(host $4.$3.$2.$1.bl.spamcop.net. $: OK $)
R$-.$-.$-.$-            $: <?> $(host $4.$3.$2.$1.bl.spamcop.net. $: OK $)
R<?>OK                  $: OKSOFAR
R<?>$+                  $#error $@ 5.7.1 $: "550 Mail from " $&{client_addr} " refused - see http://spamcop.net/bl.shtml?"$&{client_addr}

# DNS based IP address spam list sbl-xbl.spamhaus.org
R$*                     $: $&{client_addr}
R::ffff:$-.$-.$-.$-     $: <?> $(host $4.$3.$2.$1.sbl-xbl.spamhaus.org. $: OK $)
R$-.$-.$-.$-            $: <?> $(host $4.$3.$2.$1.sbl-xbl.spamhaus.org. $: OK $)
R<?>OK                  $: OKSOFAR
R<?>$+                  $#error $@ 5.7.1 $: "550 Mail from " $&{client_addr} " refused - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}

# DNS based IP address spam list relays.ordb.org
R$*                     $: $&{client_addr}
R::ffff:$-.$-.$-.$-     $: <?> $(host $4.$3.$2.$1.relays.ordb.org. $: OK $)
R$-.$-.$-.$-            $: <?> $(host $4.$3.$2.$1.relays.ordb.org. $: OK $)
R<?>OK                  $: OKSOFAR
R<?>$+                  $#error $@ 5.7.1 $: "550 Mail from " $&{client_addr} " refused - see http://ordb.org/lookup/?host="$&{client_addr}



Cheers
Rob
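
The lookup those sendmail.cf rules perform, as an added Python example (not part of Rob's post or of sendmail): the connecting peer's address, `client_addr`, has an IPv4-mapped `::ffff:` prefix stripped, its octets reversed and the zone appended, and an answer means "listed". The function names, the injectable `resolve` parameter and the 127.0.0.0/8 answer check are assumptions of this example; the demo addresses are constructed.

```python
import ipaddress
import socket


def rbl_query_name(client_addr, zone):
    """Build the name the rules look up: octets reversed, zone appended."""
    addr = ipaddress.ip_address(client_addr)
    # The R::ffff:... rule: an IPv4-mapped IPv6 peer is checked as plain IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version != 4:
        return None  # the rules above have no pattern for native IPv6
    return ".".join(reversed(str(addr).split("."))) + "." + zone + "."


def _system_resolver(name):
    """Return the A record for name, or None when the lookup fails."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def check_relay(client_addr, zone, info_url, resolve=_system_resolver):
    """Return (listed, smtp_reply) for the connecting peer's address."""
    qname = rbl_query_name(client_addr, zone)
    answer = resolve(qname) if qname else None
    # No answer corresponds to the "$: OK" default in the rules. Stricter than
    # the rules (an assumption of this example): only a 127.0.0.0/8 answer
    # counts, so a zone that answers every query with some other address
    # does not cause all mail to be refused.
    if answer is None or not ipaddress.ip_address(answer).is_loopback:
        return False, None
    reply = "550 5.7.1 Mail from %s refused - see %s%s" % (
        client_addr, info_url, client_addr)
    return True, reply


if __name__ == "__main__":
    # Constructed demo: a fake resolver that lists 192.0.2.10 only.
    fake = {"10.2.0.192.sbl-xbl.spamhaus.org.": "127.0.0.4"}.get
    for peer in ("192.0.2.10", "::ffff:192.0.2.10", "198.51.100.7"):
        print(peer, check_relay(peer, "sbl-xbl.spamhaus.org",
                                "http://www.spamhaus.org/query/bl?ip=", resolve=fake))
```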

Guest

Post by Guest » Thu Feb 09, 2006 12:20 pm

theunknownhost wrote:Effectiveness of DSBL and Spamhaus:
moo
I'm a bit confused and I'm hoping someone here can enlighten me. First of all _thank you_ for the previous instructions, it really simplified the setup process.

I set up both lists on a server (host2) using the sendmail.cf file.

I then tried to send a message from a computer that has a blacklisted IP address by accessing an email account on a different server (host1)

i.e.

blacklisted PC (using outlook) ----> connected to email account on host1 ----> sent to email account on host2

The message was still successfully delivered to the recipient on host2 even though the originating IP is listed. This was a bit frustrating so I tried another approach.

I then sent a message:

blacklisted PC (using outlook) ----> connected to email account on host2 ----> and I received the proper connection refused error message.

However, wouldn't this suggest that the lists are in fact only effective against outgoing and not incoming messages from blacklisted IPs?

spliffman
Propeller head licensee
Posts: 35
Joined: Sun Jan 05, 2003 4:04 am
Location: New Orleans

Post by spliffman » Fri Feb 10, 2006 11:22 pm

I had contacted my AM and had ala install the RBL's for me. I have noticed no difference in the amount of spam and we are still getting periodically blocked by comcast. I can't even find where ala put this.

1) where does ala put this information? (since the sendmail.cf is supposedly off limits)

2) which log contains the refused connections? So that I can tell if it is even working.

3) We need to all get together or have alabanza represent us and stop all this blocking -- does somebody want to set up a universal whitelist -- an RWL???

m2
Hard Drive Crasher
Posts: 767
Joined: Sun Nov 21, 2004 2:19 pm
Location: Lexington, KY

Post by m2 » Fri Feb 10, 2006 11:30 pm

spliffman wrote:I had contacted my AM and had ala install the RBL's for me. I have noticed no difference in the amount of spam and we are still getting periodically blocked by comcast. I can't even find where ala put this.

1) where does ala put this information? (since the sendmail.cf is supposedly off limits)

2) which log contains the refused connections? So that I can tell if it is even working.

3) We need to all get together or have alabanza represent us and stop all this blocking -- does somebody want to set up a universal whitelist -- an RWL???


1. I think the RBLs are in sendmail.cf

2. grep the current maillog:

Code: Select all

grep 'sender listed in' /var/log/maillog | more


m2
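
To see whether the rules are rejecting anything, the rejections can be tallied per list and per client IP. This is an added Python example, not from the thread; it keys on the "Mail from ... refused - see ..." reply text of the rules posted earlier, and the log lines are constructed in the usual sendmail maillog shape, so adjust the pattern to what your own log shows.

```python
import re
from collections import Counter

# Constructed sample lines (documentation IPs); the field layout is assumed.
SAMPLE_MAILLOG = """\
Feb 10 23:30:01 host2 sendmail[4101]: k1B4U1a4004101: ruleset=check_relay, arg1=[192.0.2.10], arg2=192.0.2.10, relay=[192.0.2.10], reject=550 5.7.1 Mail from 192.0.2.10 refused - see http://spamcop.net/bl.shtml?192.0.2.10
Feb 10 23:30:04 host2 sendmail[4102]: k1B4U4a4004102: ruleset=check_relay, arg1=[198.51.100.7], arg2=198.51.100.7, relay=[198.51.100.7], reject=550 5.7.1 Mail from 198.51.100.7 refused - see http://www.spamhaus.org/query/bl?ip=198.51.100.7
Feb 10 23:30:09 host2 sendmail[4103]: k1B4U9a4004103: from=<user@example.org>, size=1824, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.org [203.0.113.5]
Feb 10 23:31:12 host2 sendmail[4107]: k1B4VCa4004107: ruleset=check_relay, arg1=[192.0.2.10], arg2=192.0.2.10, relay=[192.0.2.10], reject=550 5.7.1 Mail from 192.0.2.10 refused - see http://spamcop.net/bl.shtml?192.0.2.10
Feb 10 23:31:40 host2 sendmail[4109]: k1B4Vea4004109: ruleset=check_rcpt, arg1=<nobody@example.com>, relay=[203.0.113.9], reject=550 5.1.1 <nobody@example.com>... User unknown
"""

# Matches only the RBL reply text; other rejections (e.g. User unknown) are skipped.
REJECT_RE = re.compile(
    r"reject=550 5\.7\.1 Mail from (?P<ip>\S+) refused"
    r" - see https?://(?P<list>[^/\s]+)")


def rbl_rejects(lines):
    """Yield (client_ip, list_host) for each RBL rejection in the log lines."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("list")


def summarize(lines):
    """Return (rejections per list, rejections per client IP) as Counters."""
    by_list, by_ip = Counter(), Counter()
    for ip, list_host in rbl_rejects(lines):
        by_list[list_host] += 1
        by_ip[ip] += 1
    return by_list, by_ip


if __name__ == "__main__":
    by_list, by_ip = summarize(SAMPLE_MAILLOG.splitlines())
    for name, n in by_list.most_common():
        print(f"{n:6d}  {name}")
    for ip, n in by_ip.most_common(10):
        print(f"{n:6d}  {ip}")
```

Run it against the real log by passing `open("/var/log/maillog")` to `summarize`.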

spliffman
Propeller head licensee
Posts: 35
Joined: Sun Jan 05, 2003 4:04 am
Location: New Orleans

Post by spliffman » Sun Feb 12, 2006 11:36 am

I had gotten this from my AM in response to my request: "RBLs have been installed by our sys admins on both of your servers."

But, there were absolutely no RBL's of any kind anywhere. I guess they got put on someone else's boxes by mistake :roll: (They would not have lied to me) Same spit -- different day!

I followed the info in this thread (thanks durandel), installed them myself, and they work great! Caught over two hundred in the first minute (dictionary attack and valid email still getting thru)

Hint: If you have Homesite, it is a great editor for stuff like this.

DITYIHMSL?

Greg
Hosting Superstar
Posts: 1807
Joined: Fri Apr 19, 2002 12:00 am
Location: Earth

Post by Greg » Sun Mar 05, 2006 4:25 am

