We now publish our blacklists via DNS, which allows integration into sendmail for blocking or into SpamAssassin for scoring messages (see integration help below).
Available lists
The lists we publish are as follows:
- Dictionary spammers - These are creatures who harvest accounts from targeted mail servers by running through lists of possible account names. The entries left behind in the logs are similar to these:
Jul 26 14:45:12 beowulf sendmail[7538]: h6QLjCP07545: <vishalb@arix.com>... User unknown
Jul 26 14:47:46 beowulf sendmail[7543]: h6QLliP07545: <csimmons@arix.com>... User unknown
Jul 26 14:48:00 beowulf sendmail[7545]: h6QLlvP07545: <dangel@arix.com>... User unknown
Jul 26 14:48:01 beowulf sendmail[7545]: h6QLlvP07545: lost input channel from lofeihqueph@adsl-68-73-147-134.dsl.ipltin.ameritech.net [68.73.147.134] to MTA after rcpt
We collect these IP addresses and make them available in two forms:
fresh.dict.rbl.arix.com
a fresh version which includes all addresses used within the last 30 days
stale.dict.rbl.arix.com
a stale version which includes the last 3 months of attempts (please note: this list does not include the addresses listed in the fresh listing)
Those with strong stomachs can use the fresh list to block whilst the stale list can be used for scoring. The less adventurous can use both lists for scoring at different strengths.
Note: Some spam sources may get through our filter by masquerading correctly. For more information please see our answer to the question "Are you not blacklisting joe-job bounces?" on our FAQ.
- Slippers - This list consists of the IP addresses of spammers whose messages have managed to slip through my SpamAssassin filters (my threshold is set to 5.0). As with the dictionary list above, this list comes in fresh and stale versions available as
fresh.sa_slip.rbl.arix.com and stale.sa_slip.arix.com.
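As an added example (not code from the original page), the following Python parses log lines in the format shown for dictionary spammers above and reports client IPs whose sessions drew repeated "User unknown" rejections. It assumes the trailing five digits of the queue ID identify the SMTP session, as in the sample lines; the threshold of 3 is a hypothetical cut-off.

```python
import re
from collections import defaultdict

# First four lines are the page's sample; the last two are constructed for contrast.
SAMPLE_LOG = """\
Jul 26 14:45:12 beowulf sendmail[7538]: h6QLjCP07545: <vishalb@arix.com>... User unknown
Jul 26 14:47:46 beowulf sendmail[7543]: h6QLliP07545: <csimmons@arix.com>... User unknown
Jul 26 14:48:00 beowulf sendmail[7545]: h6QLlvP07545: <dangel@arix.com>... User unknown
Jul 26 14:48:01 beowulf sendmail[7545]: h6QLlvP07545: lost input channel from lofeihqueph@adsl-68-73-147-134.dsl.ipltin.ameritech.net [68.73.147.134] to MTA after rcpt
Jul 26 15:02:10 beowulf sendmail[8001]: h6QM2AP08001: <typo@arix.com>... User unknown
Jul 26 15:02:11 beowulf sendmail[8001]: h6QM2AP08001: lost input channel from mail.example.net [192.0.2.25] to MTA after rcpt
"""

# "User unknown" lines carry no client address, so they must be correlated
# with the line that names the relay. Assumption: the last five digits of
# the queue ID are shared by every message of one SMTP session.
UNKNOWN = re.compile(r"\]: \w+?(\d{5}): <([^>]+)>\.\.\. User unknown")
SOURCE = re.compile(
    r"\]: \w+?(\d{5}): lost input channel from \S+ \[(\d{1,3}(?:\.\d{1,3}){3})\]"
)


def harvesters(log_text, threshold=3):
    """Return {client_ip: [rejected recipients]} for IPs at or above threshold."""
    rejected = defaultdict(set)  # session key -> rejected recipient addresses
    source = {}                  # session key -> client IP
    for line in log_text.splitlines():
        m = UNKNOWN.search(line)
        if m:
            rejected[m.group(1)].add(m.group(2).lower())
            continue
        m = SOURCE.search(line)
        if m:
            source[m.group(1)] = m.group(2)

    per_ip = defaultdict(set)
    for session, recipients in rejected.items():
        if session in source:  # ignore sessions whose client was never logged
            per_ip[source[session]] |= recipients
    return {ip: sorted(r) for ip, r in per_ip.items() if len(r) >= threshold}


if __name__ == "__main__":
    for ip, recipients in harvesters(SAMPLE_LOG).items():
        print(ip, len(recipients), "unknown recipients:", ", ".join(recipients))
```

A single mistyped recipient, like the constructed 192.0.2.25 session, stays below the threshold and is not reported.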
Application Integration
DNS-based RBLs (Real-time Blackhole Lists) are easy to integrate into your favourite MTA or spam-filtering software. We use the packages listed below and so provide some guidance on integrating our lists with them. If you use another package and feel like sending us some documentation about it, we're happy to include it here.
- SpamAssassin
Add the following lines to your /etc/mail/spamassassin/local.cf:
header ARIX_DF rbleval:check_rbl('arix-df', 'fresh.dict.rbl.arix.com.')
describe ARIX_DF Recent dictionary spammer
tflags ARIX_DF net
header ARIX_DS rbleval:check_rbl('arix-ds', 'stale.dict.rbl.arix.com.')
describe ARIX_DS Sender has a history of dictionary spamming
tflags ARIX_DS net
score ARIX_DF 3.0
score ARIX_DS 0.5
You may modify the recommended score for a match as you like, keeping in mind that the various lists should carry different weights.
- Sendmail
Add the following lines to your /etc/mail/sendmail.mc:
FEATURE(`dnsbl', \
`fresh.dict.rbl.arix.com', \
`550 Mail rejected: http://nospam.arix.com/blocked.php' \
)dnl
(Note that the above should be entered on a single line.) Don't forget to regenerate sendmail.cf with:
m4 sendmail.mc > /etc/sendmail.cf
- Postfix
I don't run Postfix but John Mendenhall managed to get the lists working with it. He sent us the following notes which might be meaningful/helpful to anyone looking to do the same. If there are steps missing and you figure them out, please mail us so we can add them here.
-----Original Message-----
From: John Mendenhall [mailto:]
Sent: Tuesday, September 09, 2003 3:20 PM
To: Erick Calder
Subject: Re: new DNS-based RBLs
Erick,
> > If I can get it working using postfix, I will let you know how I
> > did it, if you want to put it up on your site.
>
> I most definitely do. thx.
I have had your DNS-based RBLs working under postfix now for over
a month (minus the time there was some trouble getting to your
domain last week or so).
Here is what I did to get your RBLs working under postfix:
(1) If you don't have the 'reject_maps_rbl' restriction in place,
you can add it to any or all of the restriction lists, of which
here are some of them:
smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_sender_restrictions
smtpd_recipient_restrictions
Each of these restriction lists restricts who can connect, and how
they connect to your postfix server. Better descriptions of these
are available at the postfix site http://postfix.org/
(2) Once the 'reject_maps_rbl' restriction is in place, you need
to list the new RBLs you want to add to the 'maps_rbl_domains'
parameter. This is how you can do this:
maps_rbl_domains = fresh.dict.rbl.arix.com stale.dict.rbl.arix.com
If there are more than these, just add them with spaces separating
them. You can put them on the following line, if the line starts
with at least one space, like this:
maps_rbl_domains = fresh.dict.rbl.arix.com
    stale.dict.rbl.arix.com
I hope this helps.
JohnM
--
John Mendenhall
surf utopia
internet services
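What each of the integrations above does for every connecting client, written out as an added example (not part of the original page or of the message above): the client IP is reversed, looked up under the list's zone, and the answer is turned into a block-or-score decision using the fresh/stale split and the scores recommended above. It assumes the lists follow the usual DNSBL convention of answering listed addresses with an A record in 127.0.0.0/8; `verdict` and its `lookup` parameter are hypothetical names.

```python
import ipaddress
import socket

FRESH = "fresh.dict.rbl.arix.com"
STALE = "stale.dict.rbl.arix.com"


def query_name(ip, zone):
    """Build the DNSBL query name: 68.73.147.134 -> 134.147.73.68.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError unless a dotted quad
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".") + "."


def dns_listed(name):
    """True only if the name resolves inside 127.0.0.0/8 (assumed convention)."""
    try:
        answer = socket.gethostbyname(name)
    except OSError:
        # NXDOMAIN means "not listed"; a resolver failure is treated the same
        # way so that an unreachable list never blocks mail (fail open).
        return False
    # Ignore answers outside 127/8: a parked or wildcarded zone would
    # otherwise appear to list every address on the Internet.
    return answer.startswith("127.")


def verdict(ip, lookup=dns_listed, fresh_action="block"):
    """Return (action, score) using the page's policy and recommended scores."""
    if lookup(query_name(ip, FRESH)):
        # "Strong stomachs" block on the fresh list; others score it at 3.0.
        return ("reject", 0.0) if fresh_action == "block" else ("score", 3.0)
    # The stale list excludes fresh entries, so at most one list matches.
    if lookup(query_name(ip, STALE)):
        return ("score", 0.5)
    return ("accept", 0.0)


if __name__ == "__main__":
    print(query_name("68.73.147.134", FRESH))
    print(verdict("68.73.147.134"))  # performs live DNS queries
```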
Acknowledgements
This service is made possible by TinyDNS, a free server provided by D.J. Bernstein at: http://cr.yp.to. A big thanks to all those on the mailing list who patiently explained and helped install and configure the software.