August 19, 2013 Roberto Puzzanghera14 comments
SURBLs are lists of web sites that have appeared in unsolicited messages. Unlike most lists, SURBLs are not lists of message senders.
Web sites seen in unsolicited messages tend to be more stable than the rapidly changing botnet IP addresses used to send the vast majority of them. Sender lists like zen.spamhaus.org can be used in a first stage filter to help identify 80% to 90% of unsolicited messages. SURBLs can help find about 75% of the otherwise difficult, remaining unsolicited messages in a second stage filter. Used together with sender lists, SURBLs have proven to be a highly-effective way to detect 95% of unsolicited messages.
To enable this filter you must export the variable SURBL with any value in your run file and pass the filter program to the QMAILQUEUE variable so that it can be executed before the delivery:
export SURBL=1 export QMAILQUEUE=/var/qmail/bin/surblqueue export SURBLQUEUE=/var/qmail/bin/simscan
Actually the program is wrapped by
surblqueue, as you can see. SURBLQUEUE will make the program to execute
simscan when finished. If you don't define SURBLQUEUE the program executes qmail-queue to do the delivery.
NB: Remember to remove QMAILQUEUE from your tcp.smtp, otherwise it will overwrite your run file.
Be aware that the directory
/var/qmail/control/cache must have the write priviledges for the user who runs
qmail-smtpd, vpopmail in our case. I have adjusted my combined patch accordingly.
surblfilter requires two control files
/var/qmail/control. The same can be obtained from surbl.org website http://www.surbl.org/tld/three-level-tlds http://www.surbl.org/tld/two-level-tlds. These files sholud not be confused with the SURBL lists themselves but it is worth to update them monthly or so on building a cronjob like this:
#!/bin/sh # cd /var/qmail/control /usr/bin/wget http://www.surbl.org/tld/three-level-tlds http://www.surbl.org/tld/two-level-tlds mv two-level-tlds level2-tlds mv three-level-tlds level3-tlds
Save this file as /usr/local/bin/update_tlds.sh, make it executable
chmod +x /usr/local/bin/update_tlds.sh
and insert a line like this in your crontab
# surbl tlds update 2 2 23 * * /usr/local/bin/update_tlds.sh 1> /dev/null
Using a combination of QMAILQUEUE, SURBLQUEUE and DKIMQUEUE will make you run both filters and finally pass the message to simscan, which in turn calls clamd, spamd and finally executes qmail-queue:
export SURBL=1 # Comment to disable SURBL filtering export QMAILQUEUE=/var/qmail/bin/surblqueue # executes surblfilter export SURBLQUEUE=/var/qmail/bin/qmail-dkim # executes qmail-dkim afer sublfilter export DKIMQUEUE=/var/qmail/bin/simscan # simscan is executed after qmail-dkim # DKIM verification export DKIMVERIFY="FGHIKLMNOQRTVWjpu" # This is to avoid verification of outgoing messages export RELAYCLIENT_NODKIMVERIFY=1
Send yourself an email with an URL such as http://surbl-org-permanent-test-point.com/ in the body. You should see the filter in action in your qmail-smtpd log:
qmail-smtpd: message rejected (message contains an URL listed in SURBL blocklist): email@example.com from 126.96.36.199 to firstname.lastname@example.org helo yourmailserver.xy
apache clamav dkim dovecot ezmlm fail2ban hacks lamp linux linux-vserver mariadb mediawiki mozilla mysql owncloud patches php proftpd qmail qmailadmin rbl roundcube rsync sieve simscan slackware spamassassin ssh surbl tcprules tex ucspi-tcp vpopmail vqadmin