Topic: which DNSBL and RHSBL list I need to enable for fighting against spam

[stephdl]

Hi All

Probably a newby question but the documentation is not clear enough for me

I have enabled following this documentation https://wiki.contribs.org/Email#Real-time_Blackhole_List_.28RBL.29

DNSBL Zones (qpsmtpd RBLList)
bl.spamcop.net
dnsbl-1.uceprotect.net
dnsbl-2.uceprotect.net
psbl.surriel.com
zen.spamhaus.org

RHSBL (qpsmtpd SBLList)
multi.surbl.org
rhsbl.sorbs.net

I have removed the RHSBL 'black.uribl.com' because I have had some issues in the past, and it is listed as problematic

Does it is enough to fight against spam, not enough violent or simply useless

What other possibilities I could have also, which list I could add or remove.

[Stefano]

uceprotect, in my personal experience, is too aggressive..

I found somewhere here some useful suggestions about spam fighting:
- increasing (via a custom fragment) the check_earlytalker value (raising to 3 or 4 secs)
- enabling barracudacentral
- adding custom signatures to clam

[bunkobugsy]

How about http://www.barracudacentral.org/rbl ?

[janet]

stephdl

What other possibilities I could have also, which list I could add or remove.

Enabling executable content blocking can have a side effect of stopping a lot of spam.

Also if you seriously want to stop spam then enable greylisting plugin & spam will go down to almost zero.

[Knuddi]

I agree that greylisting is very very effective. I am using SQLGrey (https://sourceforge.net/projects/sqlgrey/) as its more sophisticated than the one that comes with qpsmtpd. All the blacklists are nice additions but none of them solves your spam problems. I would suggest to add many different variants to SpamAssassin rather than the qpsmtpd. This way you can afford to have aggressive variants as part of the mix - just with a low score.

The Bayes system in SpamAssassin does an awesome job but requires much more than just the LearnSpam scripts to work well. I have build a learning plugin to qpsmtpd that trains based on other clear events such as listed in Spamhaus, user whitelist, etc. This brings in periods the Bayes systems to block ~30% of all mails that reaches SpamAssassin.

But the fact is that there is absolutely no silver bullet here and especially not if you received mail in smaller languages (such as I do in Danish).

[mmccarn]

Here are my current spam filter settings:

qpsmtpd=service
    A_Record_RBL=b.barracudacentral.org:Blocked - see <http://bbl.barracudacentral.com/q.cgi?ip=%IP%>
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=enabled
    KeepLogFiles=50
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=zen.spamhaus.org:bl.spamcop.net:bl.nosolicitado.org
    RHSBL=enabled
    RelayRequiresAuth=enabled
    SBLList=dbl.spamhaus.org:badconf.rhsbl.sorbs.net:nomail.rhsbl.sorbs.net
    TlsBeforeAuth=1
    access=public
    qplogsumm=enabled
    status=enabled

Here are some past notes on spam filter setup and monitoring, including notes & links on getting bl.barracudacentral.org to work:
https://forums.contribs.org/index.php/topic,52155.msg267080.html#msg267080

[Jean-Philippe Pialasse]

be extremely careful with greylisting as it goes against the design of email. The side effect is that your users can wait hours or days to get their email to reach them. SMTP will try again the delivery, but there is no obligation in term of time, and if your users wait for a confirmation email to authenticate them, they might even recieve it after it is not valid anymore.


the blacklisting could help, but they need to be adjusted to your particular needs, there is no magical blacklist, the best one for me could be the worst in the world for you with too many false postive with an efficiency near zero in detecting your spams.

learning bayes and users intervention is a key to adapt the filtering to your needs.

I second the tunning like longuer wait time, also could cut some spam, and finally the clamav unofficial  plugin is a great enhancement, if you could reserve 1.5 Go of RAM for clamav.


In order to choose the best blacklists for you there is one or 2 script that allow to test your spam against the lists

see https://wiki.contribs.org/Email_Statistics#Count_messages_denied_by_DNSBL_Block_Lists

http://bugs.contribs.org/show_bug.cgi?id=9387

http://bugs.contribs.org/show_bug.cgi?id=9110

[Knuddi]

Agree with the greylisting and that is why SQLGrey is quite good - it learns well and whitelists entire subnets after a while. You should be able to whitelist certain users/domains that do not comply to the standard retry times. But as I am receiving millions of mails daily - with greylistning enabled - it can be done so that it works.

I have also build scripts that whitelists all the major mail providers IP address (taken from their SPF) so that they always get through.

[CharlieBrady]

I am using SQLGrey (https://sourceforge.net/projects/sqlgrey/) as its more sophisticated than the one that comes with qpsmtpd.

How are you using that postfix tool with qpsmtpd? Are you using this plugin?

http://grokbase.com/t/perl/qpsmtpd/061gcravsd/sqlgrey-and-qpstmpd

[Hmmm, that plugin is 404... do you have a copy of the code?]

[Knuddi]

I have written a plugin myself for SQLGrey. Its quite simple as SQLGrey has a socket interface. Let me clean the plugin up a little (it has a lot of ScanMailX code as well) and share it. The raw variant is here:

  my $host = "sqlgrey.scanmailx.com";
  my $port = 2501;

  my %connect_args = (
    PeerAddr => $host,
    PeerPort => $port,
    Proto => 'tcp',
    Timeout => 5);


#  $self->log( LOGWARN,"SQLGrey: Connecting to $host:$port");

  my $sock = IO::Socket::INET->new(%connect_args);

  if (not $sock) {
    $self->log( LOGWARN,"SQLGrey: Connect to SQLGrey failed ($@)" );
    return DECLINED;
  }

  $sock->print("request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
client_address=$client_address
client_name=$client_name
sender=$from_addr
recipient=$to_addr

");

  my $answer = $sock->getline();

  # make sure we got an answer
  if (not defined($answer)) {
    return DECLINED;
  }

  $answer =~ s/[\n\r]//;

  if ($answer =~ m/action=defer_if_permit/) {
    my ($msg) = $answer =~ m/action=defer_if_permit (.*)/;
    my $from = $transaction->notes('ScanMailXFrom');
    if (not $from) {
      $from = '';
    }
    $self->log(LOGWARN,"SQLGrey: $from $msg");
    return (DENYSOFT, "Temporarily rejected: $from $msg");
  } else {
    $answer =~ s/action=//;
    $self->log( LOGWARN,"SQLGrey: OK ($answer)" );
  }


The /etc/sqlgrey/clients_ip_whitelist.local file is the one that gets updated with SPF IP addresses.

[Knuddi]

Here is a clean plugin which I have tested on a standalone server with a newly installed SQlGrey.

Code: [Select]

#!/usr/bin/perl -Tw
#############################################################################
#
#          Scandinavian Mail eXchange
#
# Copyright Scandinavian Mail eXchange - all rights reserved 
##############################################################################


sub register {
  my ($self, $qp, @args) = @_;

}

sub hook_rcpt {
  my ($self, $transaction, $recipient) = @_;

  $self->{_to} = $recipient;

  my ($retcode,$retmsg) = $self->check_sqlgrey($transaction);
  if ($retcode != DECLINED) {
    return ($retcode,$retmsg);
  }

  return DECLINED;
}


sub hook_mail {
  my ($self,$transaction, $sender) = @_;
 
  $self->{_from} = lc($sender->user) . '@' . lc($sender->host);
  $self->{_client_name} = lc($sender->host);
 
  return DECLINED;
}

#############################################################################
#
#
#############################################################################

sub check_sqlgrey {
  my ( $self, $transaction ) = (@_);

  my $host = "localhost";
  my $port = 2501;

  my $client_name = $self->{_client_name};

  my $client_address = $self->connection->remote_ip;
  if (not $client_address) {
    $self->log( LOGWARN,"SQLGrey: No Client IP address" );
    return DECLINED;
  }

  my $from_addr = $self->{_from};
  if (not $from_addr) {
    $self->log( LOGWARN,"SQLGrey: No From address" );
    return DECLINED;
  }

  my $to_addr = $self->{_to};
  if (not $to_addr) {
    $self->log( LOGWARN,"SQLGrey: No TO address" );
    return DECLINED;
  }

  my %connect_args = (
      PeerAddr => $host,
      PeerPort => $port,
      Proto => 'tcp',
      Timeout => 5
      );
 
 
  $self->log( LOGWARN,"SQLGrey: Connecting to $host:$port");

  my $sock = IO::Socket::INET->new(%connect_args);
 
  if (not $sock) {
    $self->log( LOGWARN,"SQLGrey: Connect to SQLGrey failed ($@)" );
    return DECLINED;
  }
 
  $sock->print("request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
client_address=$client_address
client_name=$client_name
sender=$from_addr
recipient=$to_addr

");

  my $answer = $sock->getline();

  # make sure we got an answer
  if (not defined($answer)) {
    return DECLINED;
  }

  $answer =~ s/[\n\r]//;

  if ($answer =~ m/action=defer_if_permit/) {
    my ($msg) = $answer =~ m/action=defer_if_permit (.*)/;
    $self->log(LOGWARN,"SQLGrey: $from_addr $msg");
    return (DENYSOFT, "Temporarily rejected: $from_addr $msg");
  } else {
    $answer =~ s/action=//;
    $self->log( LOGWARN,"SQLGrey: OK ($answer)" );
  }

  return DECLINED;
}



[Stefano]

Very interesting.. Would you mind to create a NFR in bugzilla? Thank you

[Knuddi]

Hereby done at https://bugs.contribs.org/show_bug.cgi?id=9707