Spam RBL


Okidoki
Official Test Penquin
Posts: 2179
Joined: Mon Jan 13, 2003 12:48 pm

Post by Okidoki » Tue Jun 08, 2004 10:38 pm

One tip for more info.

Code:

R<?>$+<tab><tab><tab>$#error $@ 5.7.1 $: "Mail from " $&{client_addr} " Email blocked using spamhaus - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}


http://www.spamhaus.org/query/bl?ip=

Okidoki

rldev
Hosting Superstar
Posts: 1067
Joined: Tue Aug 05, 2003 10:17 pm

Post by rldev » Wed Jun 09, 2004 12:22 am

Oki, what does this line of code do?

Okidoki
Official Test Penquin
Posts: 2179
Joined: Mon Jan 13, 2003 12:48 pm

Post by Okidoki » Wed Jun 09, 2004 12:27 am

When it sends the error message to the user of the blocked IP, it provides the path of the URL, and he has more info on the reason for the block.

for example:

http://www.spamhaus.org/query/bl?ip=221.150.20.6


Okidoki

rldev
Hosting Superstar
Posts: 1067
Joined: Tue Aug 05, 2003 10:17 pm

Post by rldev » Wed Jun 09, 2004 12:40 am

Where is this placed for the Spamhaus conf?

Okidoki
Official Test Penquin
Posts: 2179
Joined: Mon Jan 13, 2003 12:48 pm

Post by Okidoki » Wed Jun 09, 2004 12:46 am

here

"Mail from " $&{client_addr} " Email blocked using spamhaus - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}

in the rule of their sendmail.cf



Code:

R<?>$+<tab><tab><tab>$#error $@ 5.7.1 $: "Mail from " $&{client_addr} " Email blocked using spamhaus - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}


Okidoki

rldev
Hosting Superstar
Posts: 1067
Joined: Tue Aug 05, 2003 10:17 pm

Post by rldev » Wed Jun 09, 2004 12:58 am

Sorry, no closing bracket at the end of this statement?

"Mail from " $&{client_addr} " Email blocked using spamhaus - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}

or

"Mail from " $&{client_addr} " Email blocked using spamhaus - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}/>"

sixpackmx
Hard Drive Crasher
Posts: 640
Joined: Fri Nov 01, 2002 9:44 am
Location: Mexico City, Mexico

Post by sixpackmx » Wed Jun 09, 2004 1:15 am

I've been using Spamhaus SBL+XBL, DSBL, and a locally configured SBL with great success. The client-being-blocked issue is resolved by moving the rules to another part of the sendmail.cf file, which allows IPs in the POP-before-SMTP database to relay mail:

Place below this line and its rules:

# Allow relaying if the connected host has recently POP3 authenticated.

BTW, to resolve the tab issue, create a rule using a nice text editor (for example, for Windows you can use EditPlus, which supports UNIX text files). Simply SCP or FTP the file to/from the server to your local computer and edit it there.

rldev
Hosting Superstar
Posts: 1067
Joined: Tue Aug 05, 2003 10:17 pm

Post by rldev » Wed Jun 09, 2004 1:31 am

So you moved them just above the "Mail Filter Definitions section" ?

thebuzzard
Nothing better to do.
Posts: 384
Joined: Thu Jun 05, 2003 2:02 am
Location: Atlanta, GA

Any way to use the SpamCop sc.surbl.org list?

Post by thebuzzard » Wed Jun 09, 2004 1:56 am

Thanks to all the good info in this forum, we got the RBLs working perfectly on all our servers.

Is there a way to use the sc.surbl.org SURBL - Spam URI Realtime Blocklist?

We entered the info into sendmail.cf and sendmail runs but this list does not seem to get hits while the others do.

Any thots?? Anybody??

TheBuzzard

sixpackmx
Hard Drive Crasher
Posts: 640
Joined: Fri Nov 01, 2002 9:44 am
Location: Mexico City, Mexico

Post by sixpackmx » Wed Jun 09, 2004 2:27 am

rldev wrote:So you moved them just above the "Mail Filter Definitions section" ?


Actually just below there, to know where they are.

Code:

######################################################################
######################################################################
#####
#####                   MAIL FILTER DEFINITIONS
#####
######################################################################
######################################################################

####################################################################
# Custom test modification by Jordi Domenech              #
# Adding DSBL Blacklist                                             #
#####################################################################
R$*     $: $&{client_addr}
R::ffff:$-.$-.$-.$-     $: <?> $(host $4.$3.$2.$1.list.dsbl.org. $:OK $)
R$-.$-.$-.$-    $: <?> $(host $4.$3.$2.$1.list.dsbl.org. $:OK $)
R<?>OK  $: OKSOFAR
R<?>$+  $#error $@ 5.7.1 $: "IP " $&{client_addr} " is listed on DSBL - see <http://www.dsbl.org/>"

rldev
Hosting Superstar
Posts: 1067
Joined: Tue Aug 05, 2003 10:17 pm

Post by rldev » Wed Jun 09, 2004 2:34 am

Sorry you have me confused. This is the same area as you posted earlier in this thread.
Last edited by rldev on Wed Jun 09, 2004 2:35 am, edited 1 time in total.

sixpackmx
Hard Drive Crasher
Posts: 640
Joined: Fri Nov 01, 2002 9:44 am
Location: Mexico City, Mexico

Re: Any way to use the SpamCop sc.surbl.org list?

Post by sixpackmx » Wed Jun 09, 2004 2:34 am

thebuzzard wrote:Is there a way to use the sc.surbl.org SURBL - Spam URI Realtime Blocklist?


IP RBLs work by querying a DNS server. The query consists of the IP in reversed format and the RBL you are querying:

For example:

IP: 66.111.196.10
RBL: sbl-xbl.spamhaus.org

Code:

[root@tequila root]# nslookup
> 10.196.111.66.sbl-xbl.spamhaus.org
Server:         192.168.0.2
Address:        192.168.0.2#53

Non-authoritative answer:
Name:   10.196.111.66.sbl-xbl.spamhaus.org
Address: 127.0.0.2


However, a URI blocklist needs to compare the Uniform Resource Identifiers (often web addresses). Because sendmail can only process the IP from the connection, a URI blocklist can't be implemented this way. You will need to pass the info to a special "milter" that can check the body of the message for offending URIs.
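
The lookup described in the post above, as an added example that is not part of the original thread: it builds the reversed-octet query name, unwraps the `::ffff:` form that the DSBL rule earlier in the thread also matches, and treats only 127.0.0.0/8 answers as a listing. The function names are made up for this example, and the demo data is a constructed stand-in for DNS so it runs offline.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL return-code range


def dnsbl_query_name(client_addr, zone):
    """Build the DNS name to look up: reversed IPv4 octets + blocklist zone."""
    addr = ipaddress.ip_address(client_addr.strip())
    if addr.version == 6:
        # An IPv4 peer can show up as ::ffff:a.b.c.d (the DSBL rule in this
        # thread has a separate pattern for it); unwrap it to plain IPv4.
        if addr.ipv4_mapped is None:
            raise ValueError(f"{addr} is not IPv4; this zone format is IPv4-only")
        addr = addr.ipv4_mapped
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    # Trailing dot = absolute name, so no resolver search domain is appended.
    return f"{reversed_octets}.{zone.strip('.')}."


def system_resolve(name):
    """A-record lookup via the system resolver; [] if the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        not_found = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
        if exc.errno in not_found:
            return []
        raise  # timeout or server failure: never report that as "not listed"
    return sorted({info[4][0] for info in infos})


def check_dnsbl(client_addr, zone, resolve=system_resolve):
    """Return (listed, return_codes) for client_addr in the given zone."""
    answers = resolve(dnsbl_query_name(client_addr, zone))
    # Only 127.0.0.0/8 answers count as a listing. Any other address means the
    # resolver is rewriting NXDOMAIN or the zone is gone; do not block on it.
    codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_NET]
    return bool(codes), codes


if __name__ == "__main__":
    # Constructed stand-in for DNS so the demo runs offline.
    fake_zone = {"10.196.111.66.sbl-xbl.spamhaus.org.": ["127.0.0.2"]}
    fake = lambda name: fake_zone.get(name, [])
    for ip in ("66.111.196.10", "::ffff:66.111.196.10", "192.0.2.1"):
        print(ip, check_dnsbl(ip, "sbl-xbl.spamhaus.org", resolve=fake))
```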

Anonymous

Post by Anonymous » Wed Jun 09, 2004 9:39 am

rldev wrote:Sorry, no closing bracket at the end of this statement?

"Mail from " $&{client_addr} " Email blocked using spamhaus - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}

or

"Mail from " $&{client_addr} " Email blocked using spamhaus - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}/>"



Exactly, but the variable $&{client_addr} is taken as message text and not as a variable.

"Mail from " $&{client_addr} " Email blocked using spamhaus - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}


Okidoki

rldev
Hosting Superstar
Posts: 1067
Joined: Tue Aug 05, 2003 10:17 pm

Post by rldev » Wed Jun 09, 2004 1:09 pm

Thanks.

Okidoki
Official Test Penquin
Posts: 2179
Joined: Mon Jan 13, 2003 12:48 pm

Post by Okidoki » Wed Jun 09, 2004 1:37 pm

Interesting Link, to comment here. 8)

http://sendmail.cuzuco.com/home.html


Okidoki

Arf
Official Test Penquin
Posts: 9103
Joined: Tue Apr 09, 2002 12:00 am
Location: IDAHO, USA

Post by Arf » Thu Jun 10, 2004 12:40 pm

I just sent this into comment@ and I thought you'd be interested in it as well.
-------------------
Hello,
Many of the hosts are experimenting with RBL (email black lists) to cut down on spam. I've found these services to be very helpful as well. However, I'd also like to clarify that they are not the final answer as you will see in a study we'd performed.

I tested two common RBLs, spamhaus.org and dsbl.org. I installed and let them run for 6 hours along with SpamVault (which will filter emails approved as good email by the two RBLs). I think you'll find the results to be interesting but that RBLs are not the ultimate solution as some (including me) would like them to be.

I've been worried that these results people have been getting would make SpamVault obsolete. However, that is clearly not the case. For better or for worse, email filters like SpamVault still have a place in life. <phew!>

Here are the stats.

Spamhaus.org : 780 blocked
dsbl.org: 8946 blocked
SpamVault: 2096 blocked

Emails that were successfully delivered: 2191

This is a lot of spam blocked assuming the RBLs have zero false positives.

The bad news: One downside of the RBLs is that the emails are rejected and being sent back and this in turn uses more bandwidth that is not covered by clients. And, while the amount of spam blocked is good news, based on what I can tell, over 50% of the email that did get through was still... spam.

I was surprised at how much got past the RBLs. Out of the 3387 emails that did, 2096 spam were then caught by my server wide SpamVault filters (with zero false positives by SpamVault). Together, with SpamVault, this combination appears to have caught 11822 spams out of 14013 emails sent in the 6 hours of testing.

Sincerely,
Thomas Leo
----------------------------

One other item that I didn't include in the letter is that on my account: 309 of the 374 emails that made it that far were then blocked as spam as well. I cannot believe that there's so much freaking spam!

Okidoki
Official Test Penquin
Posts: 2179
Joined: Mon Jan 13, 2003 12:48 pm

Post by Okidoki » Thu Jun 10, 2004 1:00 pm

In that you are right; the RBL is not a solution (it only helps more). For example:

I have put a filter in the procmailrc

Code:

:0 H
* ^(X-Message-Info|X-IP|X-CS-IP|x-esmtp):.*
{
:0
AAA
}



And the RBL has let through more than 1500 spams that were blocked by this procmailrc rule

Also, on my personal site we even receive 120 spams per day (before, 500)
Okidoki

sixpackmx
Hard Drive Crasher
Posts: 640
Joined: Fri Nov 01, 2002 9:44 am
Location: Mexico City, Mexico

Post by sixpackmx » Thu Jun 10, 2004 3:13 pm

I've been worried that these results people have been getting would make SpamVault obsolete.


Arf,

No worries, SpamVault would not become obsolete nor outdated (as long as new releases keep coming). No spam tool is perfect, and a combination of various tools is always a must these days.

In my opinion, RBLs are good for blocking well-known spam sources and/or dynamic users, and therefore depend on blocking software.

Best wishes,

Jordi

Arf
Official Test Penquin
Posts: 9103
Joined: Tue Apr 09, 2002 12:00 am
Location: IDAHO, USA

Post by Arf » Thu Jun 10, 2004 3:50 pm

Jordi,
Thanks for the vote of confidence. As for the updates, yes, I've been working on 4.1 and have some good improvements coming soon.

I'm not sure if it would be so bad if spam filters like SpamVault became obsolete. I'm sure everyone would benefit if that were the case. However, it does help pay some of the bills and pays for further development.

BBear
Hosting Superstar
Posts: 1915
Joined: Sat Jun 29, 2002 5:18 pm
Location: Connecticut

Post by BBear » Thu Jun 10, 2004 3:59 pm

I agree with Jordi, no single solution is perfect. The RBL's may do a great job but they don't catch everything, so in my opinion SpamVault will always be a must have. Heck, have you ever seen a carpenter with just one hammer or a mechanic with just one wrench?

:)
Bbear

rldev
Hosting Superstar
Posts: 1067
Joined: Tue Aug 05, 2003 10:17 pm

Post by rldev » Thu Jun 10, 2004 4:19 pm

Same here, but I can say that several clients called me today to tell me how happy they are with the RBLs. I have been stopping over 40,000 spams a day since deploying it. I have clients whose spam per day has gone from 2000 to 20. My personal spam (which is a lot) has been cut by more than half.

What is needed is to make this a user choice and not an ISP choice. In other words, RBL can be set for every client by default. The user can, if they want to, shut it off for their domain. All of this through the cp. Most of the cps out there now have some very good spam control features these days. I know for a fact that Hsphere gives each email account (not just domain) the ability to turn spam blocking on and off, and customized white and black lists.

RBLs, Spam Assassin, Clam AV and Spam Vault is a very good solution if a server can handle it. But only good if the user can use what they want and easily do so via their control panel.

rldev
Hosting Superstar
Posts: 1067
Joined: Tue Aug 05, 2003 10:17 pm

Post by rldev » Thu Jun 10, 2004 4:20 pm

Okidoki wrote: In that you are right; the RBL is not a solution (it only helps more). For example:

I have put a filter in the procmailrc

Code:

:0 H
* ^(X-Message-Info|X-IP|X-CS-IP|x-esmtp):.*
{
:0
AAA
}



And the RBL has let through more than 1500 spams that were blocked by this procmailrc rule

Also, on my personal site we even receive 120 spams per day (before, 500)


Okis what does that procmail rule filter out?

Okidoki
Official Test Penquin
Posts: 2179
Joined: Mon Jan 13, 2003 12:48 pm

Post by Okidoki » Thu Jun 10, 2004 4:34 pm

Rocco,

It searches the headers for mails that contain that string

for example:
From info@conexionaerea.com.ar Thu Jun 10 12:25:02 2004
Received: from servidor. (168-226-145-126.speedy.com.ar [168.226.145.126])
by host.xxxxxx.com (8.12.10/8.12.9) with SMTP id i5AGP29v003585
for <info@xxxxxx>; Thu, 10 Jun 2004 12:25:02 -0400
x-esmtp: 0 0 1
Message-ID: <1021280-22004641012731515@servidor>
X-Priority: 1
Errors-to: erroneas@conexionaerea.com.ar
Subject: Aprende a VOLAR
Date: Thu, 10 Jun 2004 09:07:31 -0300
MIME-Version: 1.0



The "x-esmtp: 0 0 1" comes from a spamware that puts in that string to avoid the origin IP being seen
Okidoki

BBear
Hosting Superstar
Posts: 1915
Joined: Sat Jun 29, 2002 5:18 pm
Location: Connecticut

Post by BBear » Thu Jun 10, 2004 11:58 pm

Well I'm thrilled!
:)

In 90 minutes, after adding the RBL's here's what I caught:

DSBL: 15,805
Spamhaus: 1,519

Leaving 4815 messages that passed through, and of those SpamVault caught 2,534

Gee, now if I could just regain all of that bandwidth the spammers used!

Bbear

pfellner
Alahosts.com-Newbie
Posts: 6
Joined: Sat Apr 26, 2003 10:23 pm
Location: Orlando, FL

"Inappropriate use..." Errors

Post by pfellner » Mon Jun 14, 2004 5:54 pm

I keep trying different variations on what your instructions say with tabs and such but it still fails to startup after the mod. Here's what I get:

Starting sendmail: 554 5.0.0 /etc/mail/sendmail.cf: line 1123: Inappropriate use
of $- on RHS
554 5.0.0 /etc/mail/sendmail.cf: line 1123: Inappropriate use of $- on RHS
554 5.0.0 /etc/mail/sendmail.cf: line 1123: Inappropriate use of $- on RHS
554 5.0.0 /etc/mail/sendmail.cf: line 1123: Inappropriate use of $- on RHS
554 5.0.0 /etc/mail/sendmail.cf: line 1124: unknown configuration line ":OK )"
554 5.0.0 /etc/mail/sendmail.cf: line 1125: missing map closing token
554 5.0.0 /etc/mail/sendmail.cf: line 1128: unknown configuration line "blocked
using spamhaus - see <http://spamhaus.org/>""

Could you possibly send me a text file with tabs in the appropriate places? If so, send to webmaster @ abacus-host.com.
Thanks!
Life without challenge,
is mere existence.

thebuzzard
Nothing better to do.
Posts: 384
Joined: Thu Jun 05, 2003 2:02 am
Location: Atlanta, GA

BLs and SpamAssassin work but not the SpamCop URI

Post by thebuzzard » Thu Jun 17, 2004 6:55 pm

Hi guys:

I got SpamAssassin installed on all our servers and it runs great. We added several additional rules via .cf files and they all work EXCEPT the one we really want which is the SpamCop URI (sc.surbl.org).

We installed the .cf and SA runs fine but it does not seem to see that one rule. We know because we have a local SA running on a laptop and that .cf catches nearly all the spam that gets through the server SA.

Any thots on why this one .cf will not work?????

By the way, we have the dsbl and spamhaus RBLs running on all servers too. They catch about 40,000 spams a day on each server.

Buzzard

naplesdave
Nothing better to do.
Posts: 243
Joined: Mon Apr 14, 2003 6:18 pm
Location: Naples, FL

Post by naplesdave » Fri Jun 18, 2004 2:20 am

I don't think you'll ever get sc.surbl.org working in sendmail.cf. Since you're already running SpamAssassin, just use the surbl.org SpamCop plugin.

http://sourceforge.net/projects/spamcopuri/
Kind regards,
Dave Jackson
World Wide Mart, Inc.

thebuzzard
Nothing better to do.
Posts: 384
Joined: Thu Jun 05, 2003 2:02 am
Location: Atlanta, GA

Post by thebuzzard » Fri Jun 18, 2004 3:22 am

naplesdave wrote:I don't think you'll ever get sc.surbl.org working in sendmail.cf. Since you're already running SpamAssassin, just use the surbl.org SpamCop plugin.

http://sourceforge.net/projects/spamcopuri/


That's where I got the .cf file and we followed the instructions to install. SA restarts fine and all the other .cf rules work. It is just that one that will not trap anything.

Buzzard

Arf
Official Test Penquin
Posts: 9103
Joined: Tue Apr 09, 2002 12:00 am
Location: IDAHO, USA

Post by Arf » Fri Jun 18, 2004 11:48 am

I think you'll find this interesting. It appears that Alabanza has prevented us from using sendmail as it is documented. That would be why many of us are stymied as to why certain things (like compiling a sendmail.mc file) don't work on our servers. :evil:

http://www.alahosts.com/phpBB2/viewtopic.php?t=1570

naplesdave
Nothing better to do.
Posts: 243
Joined: Mon Apr 14, 2003 6:18 pm
Location: Naples, FL

Post by naplesdave » Fri Jun 18, 2004 11:59 am

It must give you an error message. Check your /var/log/maillog file.
Kind regards,
Dave Jackson
World Wide Mart, Inc.

Arf
Official Test Penquin
Posts: 9103
Joined: Tue Apr 09, 2002 12:00 am
Location: IDAHO, USA

Post by Arf » Fri Jun 18, 2004 12:23 pm

I'm happy to say that after compiling a new sendmail.cf file on my non-alabanza server and copying the snippet for spamcop over to my crippled-Alabanza server, it's working fine. I just started this and am getting no error but have blocked 46 pieces of mail in the last 20 minutes with it.

This appears to be working for me. NOTE: I'm providing all the compiled black lists I could find however I've ONLY TESTED SPAMCOP in this list:

http://ourwebpage.net/sendmail.snippet.txt

Arf
Official Test Penquin
Posts: 9103
Joined: Tue Apr 09, 2002 12:00 am
Location: IDAHO, USA

Re: "Inappropriate use..." Errors

Post by Arf » Fri Jun 18, 2004 12:24 pm

pfellner wrote:I keep trying different variations on what your instructions say with tabs and such but it still fails to startup after the mod. Here's what I get:

Starting sendmail: 554 5.0.0 /etc/mail/sendmail.cf: line 1123: Inappropriate use
of $- on RHS
554 5.0.0 /etc/mail/sendmail.cf: line 1123: Inappropriate use of $- on RHS
554 5.0.0 /etc/mail/sendmail.cf: line 1123: Inappropriate use of $- on RHS
554 5.0.0 /etc/mail/sendmail.cf: line 1123: Inappropriate use of $- on RHS
554 5.0.0 /etc/mail/sendmail.cf: line 1124: unknown configuration line ":OK )"
554 5.0.0 /etc/mail/sendmail.cf: line 1125: missing map closing token
554 5.0.0 /etc/mail/sendmail.cf: line 1128: unknown configuration line "blocked
using spamhaus - see <http://spamhaus.org/>""

Could you possibly send me a text file with tabs in the appropriate places? If so, send to webmaster @ abacus-host.com.
Thanks!

I'm guessing :o that your line breaks are in the wrong places. Just a guess.

Arf
Official Test Penquin
Posts: 9103
Joined: Tue Apr 09, 2002 12:00 am
Location: IDAHO, USA

Post by Arf » Fri Jun 18, 2004 1:30 pm

Okay, now that I feel a little more in control of this, I have another question or two.

Burning Question: Is there a way to check against the RBL without giving the sender the benefit of a return letter? So far, certain RBLs are working very well and I'm not getting any complaints. So why use the bandwidth? Why not vaporize these emails? But how?

Opinion Question: Do you think it would be better not to send back the error message that states that they are being rejected because they are on an RBL? If I were a spammer/hacker this would make me more angry and make me try other nasties against the rejecting domain. So why not provide an error message that says something like, "Mail Server Error. Please contact the recipient by another means and report this to their Sys-Admin." This will foil the spammer without giving them a reason that would make them seek revenge while also alerting any legitimate users that there's a problem that they might wish to rectify. What-d-ya-think?

shpilkus
Hosting Superstar
Posts: 1020
Joined: Mon Aug 05, 2002 8:23 pm
Location: Space Coast, FL

Post by shpilkus » Fri Jun 18, 2004 1:49 pm

Thomas:

I know you're leery about SpamAssassin, but that's one of the ways we use it. It checks a number of RBLs including some put together by the SA community itself. Nothing bounces to the sender, and you do with it what you wish. For example, to vaporize any mail that comes back as being present in SpamCop, I could just do this:

The name of the test in SA for SpamCop is: "RCVD_IN_BL_SPAMCOP_NET". I just set up a header filter in SpamVault based on this phrase and POOF! No more SpamCopped mail, and no notification to the spammer. This works even if the message does not exceed the spam score threshold - SA will let you know all tests that were a hit by putting them in the header. Want to delete any mail on the Spamhaus Block List? That test is called "RCVD_IN_SBL".

Note: this can be done server-wide by using the server-wide SV and SA, or as we do it, per user.

Hope this is useful to someone! :)
Craig M.
5DollarHosting.com
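
The header filter described in the post above, as an added example that is not part of the original thread and is not SpamVault's or SpamAssassin's own code: it reads the test names SpamAssassin records in the message header and flags the message for silent discard when one of the two tests named in the post fired, even below the spam threshold. It assumes SpamAssassin's usual `X-Spam-Status` layout (a comma-separated `tests=` list, possibly folded across lines); the function names and sample messages are constructed for the example.

```python
import re
from email import message_from_string

# Test names quoted in the post above.
DISCARD_TESTS = frozenset({"RCVD_IN_BL_SPAMCOP_NET", "RCVD_IN_SBL"})


def spam_tests(raw_message):
    """Return the set of SpamAssassin test names recorded in X-Spam-Status."""
    status = message_from_string(raw_message).get("X-Spam-Status", "")
    # The tests= list is often folded over several header lines; unfold first.
    status = re.sub(r"\s*\r?\n[ \t]+", " ", status)
    # Capture everything after tests= up to the next key=value field.
    match = re.search(r"\btests=(.*?)(?=\s+\w+=|$)", status)
    if not match:
        return set()
    names = {t.strip() for t in match.group(1).split(",")}
    return {t for t in names if t and t.lower() != "none"}


def should_discard(raw_message, discard_tests=DISCARD_TESTS):
    """Return the sorted blocklist tests that hit; an empty list means keep."""
    return sorted(spam_tests(raw_message) & set(discard_tests))


# Constructed sample: scored below the threshold ("No"), but a SpamCop hit.
SAMPLE_BELOW_THRESHOLD = "\n".join([
    "From: sender@example.com",
    "To: user@example.org",
    "Subject: constructed sample",
    "X-Spam-Status: No, hits=2.1 required=5.0 tests=HTML_MESSAGE,",
    "\tRCVD_IN_BL_SPAMCOP_NET autolearn=no version=2.63",
    "",
    "body text",
])

# Constructed sample: no tests fired at all.
SAMPLE_CLEAN = "\n".join([
    "From: friend@example.com",
    "To: user@example.org",
    "Subject: constructed sample",
    "X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no",
    "",
    "body text",
])

if __name__ == "__main__":
    for label, raw in (("below threshold", SAMPLE_BELOW_THRESHOLD),
                       ("clean", SAMPLE_CLEAN)):
        hits = should_discard(raw)
        print(label, "->", "discard " + ",".join(hits) if hits else "deliver")
```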

Anonymous

Post by Anonymous » Fri Jun 18, 2004 1:51 pm

I agree. Seems a waste since the returned e-mail most likely will never reach its recipient.
