Realtime Blackhole List (RBL) - qmail-rblchk
Update: you may be interested to join in the poll "Which is the most accurate and reliable RBL list?"
This module is still under testing
A Realtime Blackhole List (RBL) is a list of addresses that an RBL list supplier believes are a source of Spam.
As an alternative to Bernstein's rblsmtpd, you can use Luca Morettoni's qmail-rblchk to block IPs from such lists.
- Info: http://www.morettoni.net/qmail-rblchk.en.html
- Download: http://www.morettoni.net/qmail/qmail-rblchk-2.4.1.tar.gz
- See also: http://www.spamhaus.org/
For an exaustive guide about the program you are invited to visit the author's site.
We have to patch the program for errno, since it is derived from DJB's djbdns. The patch is included in the netqmail package.
cd /usr/local/src wget http://www.morettoni.net/qmail/qmail-rblchk-2.4.1.tar.gz tar xzf qmail-rblchk-2.4.1.tar.gz cd qmail-rblchk chown -R root.root . patch < /usr/local/src/netqmail-1.06/other-patches/djbdns-1.05.errno.patch make setup check
This will install qmail-rblchk in the /var/qmail/bin dir.
Prepare the log folder
If you want to let the program log its work and record the blocked IPs (which is useful to create your own rbl later) you have to create a log dir and assign write priviledges to the user who run qmail-smtpd:
mkdir /usr/local/etc/rbl chown -R vpopmail /usr/local/etc/rbl
qmail-rblchk is a filter to be executed before the delivery. You have to install it in the first line on the .qmail-default file.
> /var/qmail/bin/qmail-rblchk -h qmail-rblchk: usage: qmail-rblchk [opz] [dir] options may be: -h this screen -s add X-Spam header into the incoming mail (work only with delivery ``dir'') -c turn on condredirect compatibility mode -i NUM ignore first ``NUM'' IPs found in the header -x IP do not check ``IP'', try to find other address in header -v verbose (debug) mode -V show program version -q quiet mode (suppress any output) -p don''t check private IP class: 127.0.0.0 - 127.255.255.255 10.0.0.0 - 10.255.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 -m check all IPs in email (default: check only first IP) -l log write program action to ``log'' file -L data write blocked IP to ``data'' file -r addr use ``addr'' for RBL checking (if TXT record exist block mail) -R addr use ``addr'' for RBL reverted checking (if TXT record NOT exist block mail) -C addr use ``addr'' for one time RBL checking (if TXT or A record exist don''t block mail) -a addr use ``addr'' for anti-RBL checking (if A record NOT exist block mail) -A addr use ``addr'' for anti-RBL reverted checking (if A record exist block mail) -X cdb check IP from tcpserver-style ``cdb'' file (IP:deny block mail from that IP) You must specify one or more (max 32) RBL address, example: qmail-rblchk -r dnsbl.sorbs.net -r sbl-xbl.spamhaus.org -r relays.ordb.org You can ignore (-x option) no more than 16 IP address If ``dir'' is given in command line and it exist all blocked mails are delivered into Maildir ``dir'' (dir must start with a / or a . and end with a /); the program run in ``delivery mode''. The program exit status may be (normal mode): 0 when the message is not blocked 100 when the message is blocked 111 when fails or no checking options was given In ``delivery mode'': 0 the message is not blocked (continue .qmail checking) 99 the blocked message has been wrote to ``dir'' Maildir 111 same as above In ``condredirect compatibility mode'': 0 when the message is blocked 1 when the message is not blocked 111 same as above
This powerful program can log its activity, store blocked IPs, move spam in the Junk folder, bypass incoming messages from the internal net.
This is how I use it inside my .qmail-default files. You have to insert a line like this at the top of the .qmail-default file of the domain where you want to enable the filter:
|/var/qmail/bin/qmail-rblchk -r zen.spamhaus.org -r dnsbl.sorbs.net -p -L /usr/local/etc/rbl/rbl.txt -l /usr/local/etc/rbl/qmail-rblchk.log
NB: If you decide to use zen.spamhaus.org as suggested here, check the free use terms and be aware the exceeding these terms causes the cut off of your server.
Another thing you can do is to use the shell script from the contrib folder in the source dir to rotate the log file and periodically advice you via email about the program's activity.
> cp /usr/local/src/qmail-rblchk/contrib/spam-report.sh /usr/local/etc/rbl/qmail-rblchk-report.sh > crontab -e 3 02 * * * /usr/local/etc/rbl/qmail-rblchk-report.sh email@example.com 5
where 5 is the maximum number of log file to leave on the disk.