Realtime Block List (RBL) - qmail-rblchk

May 17, 2011 by Roberto Puzzanghera

A Realtime Block List (RBL) is a list of addresses that the list's supplier believes are a source of spam.

As an alternative to Bernstein's rblsmtpd, you can use Luca Morettoni's qmail-rblchk to block IPs from such lists.

For an exhaustive guide to the program, visit the author's site.

Install qmail-rblchk

We have to patch the program for errno, since it is derived from DJB's djbdns. The patch is included in the netqmail package.

cd /usr/local/src
wget http://www.morettoni.net/qmail/qmail-rblchk-2.4.1.tar.gz
tar xzf qmail-rblchk-2.4.1.tar.gz
cd qmail-rblchk
chown -R root:root .
patch < /usr/local/src/netqmail-1.06/other-patches/djbdns-1.05.errno.patch
make setup check

This will install qmail-rblchk in the /var/qmail/bin dir.

Prepare the log folder

If you want the program to log its work and record the blocked IPs (which is useful for creating your own RBL later), you have to create a log dir and give write privileges to the user who runs qmail-smtpd:

mkdir /usr/local/etc/rbl
chown -R vpopmail /usr/local/etc/rbl

Usage

qmail-rblchk is a filter that is executed before delivery. You have to install it as the first line of the .qmail-default file.

> /var/qmail/bin/qmail-rblchk -h

qmail-rblchk: usage: qmail-rblchk [opz] [dir]

 options may be:
  -h       this screen
  -s       add X-Spam header into the incoming mail (work only with delivery ``dir'')
  -c       turn on condredirect compatibility mode
  -i NUM   ignore first ``NUM'' IPs found in the header
  -x IP    do not check ``IP'', try to find other address in header
  -v       verbose (debug) mode
  -V       show program version
  -q       quiet mode (suppress any output)
  -p       don''t check private IP class:
             127.0.0.0   - 127.255.255.255
             10.0.0.0    - 10.255.255.255
             172.16.0.0  - 172.31.255.255
             192.168.0.0 - 192.168.255.255
  -m       check all IPs in email (default: check only first IP)
  -l log   write program action to ``log'' file
  -L data  write blocked IP to ``data'' file
  -r addr  use ``addr'' for RBL checking (if TXT record exist block mail)
  -R addr  use ``addr'' for RBL reverted checking (if TXT record NOT exist block mail)
  -C addr  use ``addr'' for one time RBL checking (if TXT or A record exist don''t block mail)
  -a addr  use ``addr'' for anti-RBL checking (if A record NOT exist block mail)
  -A addr  use ``addr'' for anti-RBL reverted checking (if A record exist block mail)
  -X cdb   check IP from tcpserver-style ``cdb'' file (IP:deny block mail from that IP)

You must specify one or more (max 32) RBL address, example:
 qmail-rblchk -r dnsbl.sorbs.net -r sbl-xbl.spamhaus.org -r relays.ordb.org

You can ignore (-x option) no more than 16 IP address

If ``dir'' is given in command line and it exist all blocked mails are delivered
into Maildir ``dir'' (dir must start with a / or a . and end with a /);
the program run in ``delivery mode''.

The program exit status may be (normal mode):
 0    when the message is not blocked
 100  when the message is blocked
 111  when fails or no checking options was given
In ``delivery mode'':
 0    the message is not blocked (continue .qmail checking)
 99   the blocked message has been wrote to ``dir'' Maildir
 111  same as above
In ``condredirect compatibility mode'':
 0    when the message is blocked
 1    when the message is not blocked
 111  same as above

This powerful program can log its activity, store blocked IPs, move spam into the Junk folder, and skip the checks for incoming messages from the internal network.

This is how I use it inside my .qmail-default files. You have to insert a line like this at the top of the .qmail-default file of the domain where you want to enable the filter:

|/var/qmail/bin/qmail-rblchk -r zen.spamhaus.org -r dnsbl.sorbs.net -p -L /usr/local/etc/rbl/rbl.txt -l /usr/local/etc/rbl/qmail-rblchk.log

NB: If you decide to use zen.spamhaus.org as suggested here, check the free use terms and be aware that exceeding these terms will get your server cut off.
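
The blocked-IP file written with -L can be turned into the tcpserver-style rules that the -X option expects. The following is an added example, not code from this article or from qmail-rblchk; it assumes the first valid IPv4 address on each line of the data file is the blocked address, and rbl_to_rules, its MIN_HITS threshold and the rbl.cdb/rbl.tmp file names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of qmail-rblchk. Assumption: the first valid
# IPv4 address on each line of the -L data file is the blocked address.

# rbl_to_rules FILE [MIN_HITS]   (hypothetical helper)
# Prints "IP:deny" for each public IPv4 address found on at least MIN_HITS
# lines, so a single listing does not become a permanent local block.
rbl_to_rules() {
    awk -v min="${2:-3}" '
    {
        # Split on anything that is not a digit or a dot.
        n = split($0, tok, /[^0-9.]+/)
        for (i = 1; i <= n; i++) {
            if (tok[i] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
            split(tok[i], o, ".")
            if (o[1] > 255 || o[2] > 255 || o[3] > 255 || o[4] > 255) continue
            # Ignore the private ranges that the -p option also skips.
            if (o[1] == 127 || o[1] == 10) break
            if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) break
            if (o[1] == 192 && o[2] == 168) break
            hits[tok[i]]++
            break
        }
    }
    END { for (ip in hits) if (hits[ip] >= min) print ip ":deny" }
    ' "$1" | LC_ALL=C sort
}

# Run the helper on constructed sample lines (not real program output).
rbl_demo() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
203.0.113.7
203.0.113.7
2011-05-17 02:03:04 203.0.113.7 zen.spamhaus.org
198.51.100.9
10.0.0.5
10.0.0.5
10.0.0.5
EOF
    rbl_to_rules "$sample" 3
    rm -f "$sample"
}

# Compile the rules for -X with tcprules from ucspi-tcp, for example:
#   rbl_to_rules /usr/local/etc/rbl/rbl.txt | tcprules rbl.cdb rbl.tmp
```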

Another thing you can do is use the shell script from the contrib folder in the source dir to rotate the log file and periodically notify you via email about the program's activity.

> cp /usr/local/src/qmail-rblchk/contrib/spam-report.sh /usr/local/etc/rbl/qmail-rblchk-report.sh
> crontab -e

3 02 * * * /usr/local/etc/rbl/qmail-rblchk-report.sh postmaster@yourdomain.net 5

where 5 is the maximum number of log files to leave on the disk.
