Spam RBL

[durandel]

I recently implemented an RBL (real-time blocker) on one of my servers to try to stem the tide of spam. Thought I would share how it is done. A few caveats, first:

- I have not had this running for very long, so if there are long-term problems this causes, I don't know yet.

- You can screw up sendmail if you do this wrong! Please don't try this if you don't know what you are doing.

- Any alabanza upgrade of sendmail will wipe out this change, so you'll have to do it again.

- Some people have philosophical problems with RBLs because they think they can block legitimate email. With over 60% of all email being spam, I decided to scrap my philosophy.

- I'm sure if you have problems that Alabanza will not support this change.

Anyway, here are the directions.

(1) Backup /etc/mail/sendmail.cf
cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.backup
(if you skip this step, you are an idiot )

(2) Open the file /etc/mail/sendmail.cf and find the line that says:
### check_mail -- check SMTP `MAIL FROM:' command argument

(3) Right ABOVE that line add the following:

R$* $: $&{client_addr}
R::ffff:$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1.sbl.spamhaus.org. $:OK $)
R$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1.sbl.spamhaus.org. $:OK $)
R<?>OK $: OKSOFAR
R<?>$+ $#error $@ 5.7.1 $: "Mail from " $&{client_addr} " Email blocked using spamhaus - see <http://spamhaus.org/>"

A few notes on the above:
- It is 5 lines, each starting with "R". Some may line-wrap on this post, but each of the 5 lines needs to be only on one line.
- There are tabs in the middle of each line (before the $: on the first four lines, and before the $#error on the last line); they MUST be tabs, not spaces. So when you copy and paste, you'll probably have to replace the spaces with tabs. If you don't use tabs, you'll get an error message when restarting sendmail. See the lines above the ones you are inserting in sendmail.cf to see the proper format.

(4) Restart sendmail:
/etc/rc.d/init.d/sendmail stop
killall -9 sendmail
/etc/rc.d/init.d/sendmail start

(5) Check that it is running:
ps aux | grep sendmail

You can add other RBL's as well as spamhaus - just replace the sbl.spamhaus.org with another RBL and change the error message. Some others to consider (which I have NOT implemented yet):

bl.spamcop.net
relays.ordb.org
ipwhois.rfc-ignorant.org
list.dsbl.org
opm.blitzed.org
dnsbl.njabl.org
relays.visi.com

What will happen after this is implemented is that any email coming from an IP address on the RBL will be automatically rejected. If it is a "legit" message, the sender will be told that they were rejected and why. In my experience, this happens VERY infrequently, but you may have a different experience.

[Lethol]

durandel,

how has this worked for you on the week you had it running? or anyone else?

Are there many false positives being considered as SPAM?

[durandel]

We've had no problems. We had it on two servers and are now installing it on our other servers. We have also added dsbl.org as another RBL.

One fear I had was that it would affect the load average of the server, but we've seen no change on that end.

We can't know if a false positive occurs unless a client complains, and so far, we have not received any complaints. People I've talked to who have used it for a while have reported a small number of false positives (<1%).

A sample day: a server with 500 domains on it had 4,690 emails blocked by spamhaus and 5,124 emails blocked by dsbl.

[JohnBoyTheGreat]

Well, I got it working but a few minutes later I had a client contact me because his hit counter which e-mails him quit. It placed the following error message on the bottom of his websites which used his CGI hit counter: "Mail from XXXXXXX Email blocked using spamhaus - see <http://spamhaus.org/>".

So, I promptly turned it off, and I'm trying to figure out why it quit. Here's the header set for Perl which he uses (minus his private details):

open (MAIL,"|/usr/sbin/sendmail -t");
print MAIL "To: \"PRESS NOTEBOOK\" <private\@domain.com>\n";
print MAIL "From: \"PRESS NOTEBOOK\" <private\@domain.com> \n";
print MAIL "MIME-version: 1.0\n";
print MAIL "Content-type: text/html; charset=us-ascii\n";
print MAIL "Content-transfer-encoding: 7bit\n";
print MAIL "X-Mailer: IGGIT_Direct_1.0\n";
print MAIL "X-Priority: 1\n";
print MAIL "X-MSMail-priority: Urgent\n";
print MAIL "Return-path: \"PRESS NOTEBOOK\" <private\@domain.com> \n";
print MAIL "Return-to: \"PRESS NOTEBOOK\" <private\@domain.com> \n";
print MAIL "Subject: PRESS NOTEBOOK $visitoraddress
$field{'content'}$field{'pop'}\n\n";


I checked the domain name he was sending from via Spamhaus (which is the RBL I used) and there was no problem. I checked the same for his webpages that were experiencing the problem. Still no dice. I can't figure it out.

Can anybody tell me why the RBL blocking is causing that error message to appear on the bottom of his webpages???

I can't really implement this until I figure out why it won't work for him...

[datazen]

durandel,

after thr RBL is installed and running, how can I check the number of emails blocked, etc?

Thanks in advance.

[JohnBoyTheGreat]

Okay, it appears to me that this RBL uses up a bunch of server resources checking spam. Couldn't the blacklist be downloaded to the server and checked there once a week or something like that?

To be honest, I haven't the slightest idea how this works, save that Spamhaus calls it DNSBL or something like that and it apparently works with DNS.

Also can we use the other RBLs at Spamhaus like xbl.spamhaus.org and sbl-xbl.spamhaus.org, or do these work differently from sbl.spamhaus.org?

I hate to display so much ignorance all in one message...

[durandel]

datazen - To check the number of messages blocked, I just grep the maillog for spamhaus (or whatever RBL) entries:

grep -c spamhaus /var/log/maillog

(the -c makes it just display the count; if you remove that, you can see all the blocks)

JB - I'm not sure why you would have resource issues - we have been tracking that pretty close here, and have not seen anything of that nature. Could you let me know how you are seeing the resources being used up by this?

I guess in theory you could download the blacklist to your server, but I think the advantage of the current setup is that mail programs (such as sendmail) already are set up to read these lists, and you don't have to worry about updating your local one. Just being behind by a few hours could cause 1,000's of spam to get through (or block many legitimate emails).

Regarding the hit counter, I'm not sure why it is not working. A few questions:

(1) Are you sure that your server IP is not on the RBL? Maybe it is blocking it because it is coming from you.

(2) Is the domain ("private@domain.com") he is using on that server? Or is is a remote domain? It could be that one of the RBLs is blocking it because it sees that it is a "spoofed" domain.

Other than that, I'm not sure what would be causing that.

I have not tried the rbl's like xbl.spamhaus.org, but from my reading of their website, it can be used in the same way.

[datazen]

durandel,

thanks for the info. I installed the 1st RBL and have had no problems. It has seemed to catch only legitimate spam so far.

I will be adding the other RBL today and will keep everyone posted.

[Anonymous]

JB - I'm not sure why you would have resource issues - we have been tracking that pretty close here, and have not seen anything of that nature. Could you let me know how you are seeing the resources being used up by this?

Sorry, I guess I worded that badly. I should have said that it appears to me that it should or must use a bunch of resources on the server. Pure speculation. I haven't had it working for more than 15 minutes due to the problem I mentioned with my client's account, but I didn't notice any problems.

It just seems that it would use something....like bunches of transfer to check each message, or CPU resources, or...something...

[datazen]

It's better than your customers getting email messages saying your mail server is going to be down for 2 days and it didn't come from you.

I hate these spam viri

I have both RBL's installed on 2 servers and so far so good.

[Anonymous]

(1) Are you sure that your server IP is not on the RBL? Maybe it is blocking it because it is coming from you.

I'm pretty certain that it isn't our server because, (1) Our server IP address wasn't located on Spamhaus, and (2) Other mail came and went without any problems.

Of course, I'm once again going to display my ignorance...Don't we have different IP addresses for our server and our mailserver? I'm confused about all the IP addresses that are on the server, and I'm a bit unclear how to find that information... I've done it time and again, but that doesn't mean I get it...

(2) Is the domain ("private@domain.com") he is using on that server? Or is is a remote domain? It could be that one of the RBLs is blocking it because it sees that it is a "spoofed" domain.

No, the "private@domain.com" is NOT on our server. Actually there are three domains involved (we can call them one.com, two.com, and three.com).

One.com is on our server. Two.com and three.com are NOT on our server. One.com and two.com have the code which is e-mailed to private@three.com. Since private@three.com is not on our server, and the to: and from: addresses are the same, could that be what is causing the problem???

I'm not certain how our server has anything to do with the connection between two.com and three.com. I'm clearly going to have to dig into this some more...

[durandel]

One thing to note that I did not make clear in my original post. The RBL will also check messages going OUT, not just those coming IN. For example, if a customer is using an ISP that is black-listed, and they have set their SMTP mail server to their domain name with you, then it will be blocked. Since most ISPs are fine, this is a rare occurance - we have over 3,000 domains using the RBL, and only had about 4 or 5 complaints of this happening. We told them that they have to contact their ISP to get them to get off the black list. The thanks we have received from the majority of our customers have more than made up for it.

[arcwebscape]

Has anyone tried the sbl-xbl.spamhaus.org instead of just the sbl.spamhaus.org in the code above? If so, any increase in success of blocking spam w/o false positives more so than just using the Spamhaus SBL database. So far it is working great though, thanks Durandel for the instruction.

Also, prob obvious to others, but, to include another RBL like dsbl.org, do I just re-enter another block of code like above in the sendmail but just with the dsbl.org info? Just want to make sure since don't know too much about sendmail.

Thanks.

[JohnBoyTheGreat]

Has anyone tried the sbl-xbl.spamhaus.org instead of just the sbl.spamhaus.org in the code above? If so, any increase in success of blocking spam w/o false positives more so than just using the Spamhaus SBL database.

Yep. I've been running sbl-xbl for a couple months with a better success blocking spam than with either sbl or xbl alone. However, I've noticed that spam has recently increased. Apparently, it's coming from some other source or the dang spammers found a new method...

Also, prob obvious to others, but, to include another RBL like dsbl.org, do I just re-enter another block of code like above in the sendmail but just with the dsbl.org info?

I'd like to know how to add more than one RBL too. Also, would doing so use up system resources? (I know, I'm paranoid about that, and it seems like that question was answered already...However, maybe TWO or THREE RBLs would be different...)

[durandel]

Also, prob obvious to others, but, to include another RBL like dsbl.org, do I just re-enter another block of code like above in the sendmail but just with the dsbl.org info?

Yes, just add another 5-line code block below the dsbl.org one. You should be able to add as many as you want. I would think the more you have, the more resources are used, but in practice, I haven't seen a problem, even with 6-8 different blocks.

[theunknownhost]

awesome thread! thank you!

I've implemented spamhaus SBL and XBL as well as the list.dsbl.org and within the first half of the day it's stopped over 10,000 emails on just one server!

Hopefully none of them were important - so far so good, there have been no complaints.

One suggestion - I would add www. in front of spamhaus.org in the warning message
Email blocked using spamhaussbl - see <http://www.spamhaus.org

spamhaus.org does not resolve on my end and I must access it with the www. Some users may get the error and then attempt to visit http://spamhaus.org and then get frustrated since it appears to be a site that is inaccessible

Here are the sendmail.cf entries I used:

Code: Select all

#check spamhaus blacklist
R$*          $: $&{client_addr} 
R::ffff:$-.$-.$-.$-    $: <?> $(host $4.$3.$2.$1.sbl.spamhaus.org. $:OK $) 
R$-.$-.$-.$-       $: <?> $(host $4.$3.$2.$1.sbl.spamhaus.org. $:OK $) 
R<?>OK          $: OKSOFAR 
R<?>$+          $#error $@ 5.7.1 $: "Mail from " $&{client_addr} " Email blocked using spamhaussbl - see <http://www.spamhaus.org/>"

#check dsbl blacklist
R$*          $: $&{client_addr} 
R::ffff:$-.$-.$-.$-    $: <?> $(host $4.$3.$2.$1.list.dsbl.org. $:OK $) 
R$-.$-.$-.$-       $: <?> $(host $4.$3.$2.$1.list.dsbl.org. $:OK $) 
R<?>OK          $: OKSOFAR 
R<?>$+          $#error $@ 5.7.1 $: "Mail from " $&{client_addr} " Email blocked using dsbl - see <http://www.dsbl.org/>"

#check xbl.spamhaus.org
R$*          $: $&{client_addr} 
R::ffff:$-.$-.$-.$-    $: <?> $(host $4.$3.$2.$1.xbl.spamhaus.org. $:OK $) 
R$-.$-.$-.$-       $: <?> $(host $4.$3.$2.$1.xbl.spamhaus.org. $:OK $) 
R<?>OK          $: OKSOFAR 
R<?>$+          $#error $@ 5.7.1 $: "Mail from " $&{client_addr} " Email blocked using spamhausxbl - see <http://www.spamhaus.org/>"

[arcwebscape]

theunknownhost,

You can have the server check the sbl and xbl Spamhaus in one trip by replacing sbl.spamhaus.org with sbl-xbl.spamhaus.org and getting rid of the extra xbl block.

[theunknownhost]

awesome thank you!

[theunknownhost]

Effectiveness of DSBL and Spamhaus:

I'm a bit confused and I'm hoping someone here can enlighten me. First of all _thank you_ for the previous instructions, it really simplified the setup process.

I setup both lists on a server (host2) using the sendmail.cf file.

I then tried to send a message from a computer that has a black listed IP Address by accessing an emal account on a different server (host1)

i.e.

black listed PC (using outlook) ----> connected to email account on host1 ----> sent to email account on host2

The message was still successfully delivered to the recipient on host2 even though the originating IP is listed. This was a bit frustrating so I tried another approach.

I then sent a message:

black listed PC (using outlook) ----> connected to email account on host2 ----> and I received the proper connection refused error message.

However, wouldn't this suggest that the lists are in fact only effective against outgoing and not incoming messages from blacklisted IP's?

[durandel]

Here is how I understand it.

The RBL checks the IP that the email just came from. That is it - it does not do a complete trace back of all IP addresses involved in the sending of the email.

In your first example, the RBL will see the email as coming from host1, which is legit, so it gets through. It is irrelevant that it originated at a bad IP.

In the second example, the RBL sees the email as coming from the bad IP, so it rejects it.

Since the vast majority of spam is sent from a compromised server at the last step, the RBL will block it. But if a spammer is able to find a server that is not on an RBL, he will be able to make this his last hop, and the mail will get through.

How come you have access to a black-listed PC - you a spammer on the side?

[theunknownhost]

How come you have access to a black-listed PC - you a spammer on the side?

A company I worked for up until yesterday, has very bad security practices. They have a requirement for IT Solutions, but they were unable to foot the bill. This left them with somewhat of an insecure system at times and it was compromised. Someone was able to get in and use one of the servers to launch some pretty bad spam attacks. I fixed it before I left, however they're still having a heck of a time getting off the blacklists.

Thank you for your explanation! That makes perfect sense!

[Anonymous]

Ummm... I am new to all this, and I understand that if I do something wrong I hose my system and I am willing to take that chance.

I backed up the sendmail.cf file as in step one. I went to "open" the original to modify it, using VI i'm assuming???? Anyway I type in:

VI /etc/mail/sendmail.cf

It opens a file that it say is that file but it only has:


# Copyright (c) 1998-2002 Sendmail, Inc. and its suppliers.
# All rights reserved.
# Copyright (c) 1983, 1995 Eric P. Allman. All rights reserved.
# Copyright (c) 1988, 1993
# The Regents of the University of California. All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#

######################################################################
######################################################################
#####
##### SENDMAIL CONFIGURATION FILE
#####
##### built by root@rh7x.php.alabanza.com on Mon Jul 21 14:16:20 EDT 2003
##### in /home/netop/sendmail-8.12.9
##### using cf/ as configuration include directory
#####
######################################################################

There are no other lines in this file, so I dont know what to do from here.

Thanks for any tips.

[mbodamer]

Somebody HELP me! I dont know how to edit the sendmail.cf file to implement this stuff.

Anxiously awaiting a response.

Thanks

[datazen]

try

pico /etc/mail/sendmail.cf

[Anonymous]

You guys are AWESOME! Thanks DATAZEN that worked.... I was able to painlessly set this up and it is working perfectly so far. I installed it 10 minutes ago and went to check and see if I caught any spam and already had a few hundred in there... man this is great!

To me this is the exact purpose of this forum, I am greatful that you guys are sharing your knowledge with underlings like me

THANKS!

[sixpackmx]

BTW, I've found that the correct place to put the RBL is under the "MAIL FILTER SECTION" of the sendmai.cf. Done that way allows authenticaded users (POP before SMTP) to sendmail even when their IP is listed (for example, in case of bynamic IP".

Code: Select all

######################################################################
######################################################################
#####
#####                   MAIL FILTER DEFINITIONS
#####
######################################################################
######################################################################

R$*     $: $&{client_addr}
R::ffff:$-.$-.$-.$-     $: <?> $(host $4.$3.$2.$1.list.dsbl.org. $:OK $)
R$-.$-.$-.$-    $: <?> $(host $4.$3.$2.$1.list.dsbl.org. $:OK $)
R<?>OK  $: OKSOFAR
R<?>$+  $#error $@ 5.7.1 $: "IP " $&{client_addr} " is listed on DSBL - see <htt
p://www.dsbl.org/>"

[sunckell]

hey guys,

Here are some tips and pointers..

1. rbl such as spamhaus and dsbl tend to just block full isp's. If you get complaints here is what you can do. (false positives)

add a line like this in /etc/mail/access

Connect:$ispname.net OK

where $ispname.net is the name of the ISP. restart sendmail and you are good to go.

2. I have spamhaus and dsbl operating on our own mail server. There appears to be no load issues what so ever. We been using this for about 2 month.

3.Some issues that might arise. Before implementing the rbl's. It may be a good idea for those of you with multiple server to check the actaul list at the site (wether it be spamhaus or dsbl) to make sure none of your servers are blacklisted to begin with. We made a script about a month ago, that went through all our hosts to make sure none of you are on it. Any of you that were we removed. So idealistically you should not have any trouble. But it wouldn't hurt to check.

We are actaully "beta" testing a new sendmail.cf on a few servers. Besides the isp menta.net being blocked by every rbl out there we are having pretty goo success with it. Before we implemeted it on our own mail server, I used to get about 500 spam messages a night ( just because of all the mailing lists I subscribe to.) Now I get about 35 on average.


Happy spam hunting, and good luck.

Chad


PS.. You know what. If anyone wants to beta it, contact you account manager. I can put it on there with no issues. Like I said before we use dsbl.org and spamhaus

[Okidoki]

I have seen in spamhaus that have a new service for both lists.

How is it configured to use it?

sbl-xbl.spamhaus.org

Okidoki

P.S. FYI, A milter exists to use several services DSBL.
http://www.five-ten-sg.com/dnsbl.html

[Greg]

hey guys,

Here are some tips and pointers..

1. rbl such as spamhaus and dsbl tend to just block full isp's. If you get complaints here is what you can do. (false positives)

add a line like this in /etc/mail/access

Connect:$ispname.net OK

where $ispname.net is the name of the ISP. restart sendmail and you are good to go.

2. I have spamhaus and dsbl operating on our own mail server. There appears to be no load issues what so ever. We been using this for about 2 month.

3.Some issues that might arise. Before implementing the rbl's. It may be a good idea for those of you with multiple server to check the actaul list at the site (wether it be spamhaus or dsbl) to make sure none of your servers are blacklisted to begin with. We made a script about a month ago, that went through all our hosts to make sure none of you are on it. Any of you that were we removed. So idealistically you should not have any trouble. But it wouldn't hurt to check.

We are actaully "beta" testing a new sendmail.cf on a few servers. Besides the isp menta.net being blocked by every rbl out there we are having pretty goo success with it. Before we implemeted it on our own mail server, I used to get about 500 spam messages a night ( just because of all the mailing lists I subscribe to.) Now I get about 35 on average.


Happy spam hunting, and good luck.

Chad


PS.. You know what. If anyone wants to beta it, contact you account manager. I can put it on there with no issues. Like I said before we use dsbl.org and spamhaus

I can't believe it! We actually got an Alabanza staff member to post here with tips, this is so cool!

I've been a member of a few forums which were completely Alabanza reseller based since 1999, and i've never seen one of the staff posting to help us....please keep coming here.

Let us know if we can be of any help to you guys also

Sorry, just had to mention it.....back to the topic....

[Okidoki]

Chad,

Thank you!!!.

A question I have.

If I add that it lines (Connect:$ispname.net OK ) in the /etc/mail/access.
Is necessary restart sendmail or is isufficient make : makemap hash /etc/mail/access.db < /etc/mail/access ?

Okidoki

[sunckell]

I have been just restarting sendmail and it has been working. I guess if it doesn't you may want to run that command. I am not sure (off the top of my head) whether the access.db is needed/used in 8.12.10 or if you can just get by with access.

[crashdump]

I can't believe that I have been ignoring this thread this long. I finally read it and implemented the RBLs. 1700 SPAMS blocked in the first 30 minutes on a server with 400 domains.

This is exactly the solution I and my customers are looking for. Something that requires no user intervention, is maintained and updated automatically, and works well using proven/tested filters.

[Arf]

This is really good. I have two comments.

In durandels first post he says, "- There are tabs in the middle of each line (before the $: on the first four lines, .... ". In my experience I couldn't restart sendmail without making sure the tabs were only before the FIRST $: in the lines specified.

Also, when implimented, this error appears in the /var/log/maillog pretty regularly and the email is not delivered:

Code: Select all

Jun  3 12:37:45 host sendmail[32015]: i53GbchJ032015: SYSERR(root): buildaddr: no user

I'm interpreting this to mean, that email to non-existant email boxes will vaporize. I use my default address quite a bit because I give out email addresses to people and never want to give them my 'real addresses' until I know they're not going to spam me. Appearently, many of my clients do this same thing.

Anyone wish to weigh in on this second point?

[crashdump]

...I'm interpreting this to mean, that email to non-existant email boxes will vaporize. I use my default address quite a bit because I give out email addresses to people and never want to give them my 'real addresses' until I know they're not going to spam me. Appearently, many of my clients do this same thing.

Anyone wish to weigh in on this second point?

I am not finding this to be the case. If I have default email set to foward to you@whatever.com and then I send an email from a off-network email account to asdlfjalkjdflajdlfjalkdjfds@hostspring.com .... it still makes it to you@whatever.com which RBLs in place.

[Arf]

I am not finding this to be the case. If I have default email set to foward to you@whatever.com and then I send an email from a off-network email account to asdlfjalkjdflajdlfjalkdjfds@hostspring.com .... it still makes it to you@whatever.com which RBLs in place.

That sounds good but doesn't appear to be the case on my server. Are there any of these errors in your /var/log/maillog?