Realtime Block List (RBL) - qmail-dnsbl

October 28, 2022 by Roberto Puzzanghera 32 comments

A Realtime Block List (RBL) is a list of IP addresses that the list's maintainer believes are a source of spam.

Update as of Oct 28, 2022: added a note on how to avoid being cut off by spamhaus (thanks to Marco Varanda)

  • Download qmail-dnsbl patch
  • Code and logic from rblsmtpd and qmail-dnsbl patch by Fabio Busatto
  • Added support for welcomelists, TXT and A queries, configurable return codes 451 or 553 with custom messages (by Luca Franceschini)

This patch replaces djb's rblsmtpd program. It moves the RBL check into qmail-smtpd itself, with the advantage that the envelope shows up in the logs. Logging the envelope together with the sender IP means you can always tell what happened to a message that was not received.

A further improvement over running the RBL filter *before* qmail-smtpd, as rblsmtpd did, is that authenticated users sending from a remote dynamic IP will not be banned; this means the filter can be switched on for the 587 submission port as well :)

To activate the RBL check just add your favourite block lists to the dnsbllist control file (one per line).

cat > /var/qmail/control/dnsbllist << __EOF__
-b.barracudacentral.org
-zen.spamhaus.org
-psbl.surriel.com 
-bl.spamcop.net
__EOF__

Now restart qmail and check that the RBL lists have been parsed:

> qmailctl restart
> qmail-showctl |grep dnsbl
dnsbllist:
List at -zen.spamhaus.org configured for dnsbl check. 
List at -b.barracudacentral.org configured for dnsbl check. 
List at -psbl.surriel.com configured for dnsbl check. 
List at -bl.spamcop.net configured for dnsbl check.

Improvements with respect to the original qmail-dnsbl patch

  • default file control/dnsbllist can be overridden with env variable DNSBLLIST
  • if DNSBLSKIP env variable is set, qmail-smtpd skips the rbl check
  • if control/dnsblfailclosed or DNSBLFAILCLOSED are defined, qmail-smtpd considers the source ip as blocked even in case of lookup failures (check rblsmtpd man page for more details)
  • support for environment variable RBLSMTPD (check rblsmtpd man page for more details)
  • dnsbllist can contain empty lines and comments with '#' at start or end of lines; leading and trailing spaces are automatically removed

Examples and formats

Query rbl for TXT records, return code 451: "451 http://www.spamhaus.org/query/bl?ip=30.50.20.3"

zen.spamhaus.org

Query rbl for TXT records, return code 553: "553 http://www.spamhaus.org/query/bl?ip=30.50.20.3"

-zen.spamhaus.org

Query rbl for A records, custom return message with return code 451: "451 Message rejected"

zen.spamhaus.org:Message rejected

Query rbl for A records, custom return message with return code 553: "553 Message rejected"; the following syntaxes are allowed:

-zen.spamhaus.org:Message rejected
zen.spamhaus.org:-Message rejected
-zen.spamhaus.org:-Message rejected

Query rbl for A records, custom return message containing the %IP% variable, which is replaced by the remote IP:

zen.spamhaus.org:Message blocked from %IP%

DNS welcomelist (A query); a listed IP is accepted:

+welcome.dnsbl.local:welcomelist test
+welcome.dnsbl.local

The following syntaxes are NOT ALLOWED:

zen.spamhaus.org:
zen.spamhaus.org:-
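Putting the rules above together (the comment and whitespace handling from the improvements list and the entry formats just shown), here is an added example in Python that I wrote for this page; it is not code from the qmail-dnsbl patch or from this site. It parses a dnsbllist with the documented syntax, builds the reversed query name for a client address and applies the lists in order. DNS is replaced by a lookup callback plus a constructed fake answer table so it runs offline. The list order, first-hit-wins, "a welcomelist hit accepts the client" and the 451 used when dnsblfailclosed turns a lookup error into a hit are my assumptions, not statements from the page.

```python
"""Parser and checker for the control/dnsbllist format documented above.

Added example, not code from the qmail-dnsbl patch or from notes.sagredo.eu.
Documented syntax: leading '-' selects 553 (default 451); leading '+' marks
a welcomelist; ':message' switches the lookup from TXT to A records and
supplies the reply text (%IP% is replaced by the client address, a '-' in
front of the text also selects 553); '#' starts a comment; blank lines and
surrounding whitespace are ignored; "zone:" and "zone:-" are invalid.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class DnsblEntry:
    zone: str
    welcomelist: bool          # '+' prefix
    code: int                  # 451 or 553
    message: Optional[str]     # custom text => A query; None => TXT query


class DnsblSyntaxError(ValueError):
    """Raised for the syntaxes the page lists as NOT ALLOWED."""


class LookupFailure(Exception):
    """Constructed stand-in for a resolver error ("dnserr")."""


# lookup(name, "A" | "TXT") -> list of address / text strings, [] when unlisted
Lookup = Callable[[str, str], list[str]]


def parse_dnsbllist(text: str) -> list[DnsblEntry]:
    entries: list[DnsblEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, trim spaces
        if not line:
            continue
        welcomelist = line.startswith("+")
        code = 553 if line.startswith("-") else 451
        if line[0] in "+-":
            line = line[1:]
        zone, sep, message = line.partition(":")
        if sep:                                   # custom message => A query
            if message.startswith("-"):
                code, message = 553, message[1:]
            if not message:                       # "zone:" and "zone:-" are invalid
                raise DnsblSyntaxError(f"empty message in {raw.strip()!r}")
        else:
            message = None
        if not zone:
            raise DnsblSyntaxError(f"missing zone in {raw.strip()!r}")
        entries.append(DnsblEntry(zone, welcomelist, code, message))
    return entries


def query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone, as every DNSBL expects."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def check_client(ip: str, entries: list[DnsblEntry], lookup: Lookup,
                 fail_closed: bool = False) -> Optional[tuple[int, str]]:
    """Return (code, message) to reject with, or None to accept.

    fail_closed mirrors control/dnsblfailclosed: a lookup error counts as a
    hit. Answering 451 in that case is an assumption (a transient failure
    should not turn into a permanent 553).
    """
    for entry in entries:
        rtype = "TXT" if entry.message is None else "A"
        try:
            answers = lookup(query_name(ip, entry.zone), rtype)
        except LookupFailure:
            if fail_closed and not entry.welcomelist:
                return 451, f"DNSBL lookup of {entry.zone} failed"
            continue
        if not answers:
            continue                              # result=ignore: not listed
        if entry.welcomelist:
            return None                           # welcomelisted: stop checking
        if entry.message is None:
            return entry.code, answers[0]         # TXT text becomes the reply
        return entry.code, entry.message.replace("%IP%", ip)
    return None


# Constructed sample list and a fake resolver standing in for real DNS.
SAMPLE_DNSBLLIST = """
# constructed sample mirroring the formats above
+welcome.dnsbl.local:welcomelist test
-zen.spamhaus.org                          # TXT query, reply 553
bl.spamcop.net:Message blocked from %IP%   # A query, reply 451
  -psbl.surriel.com:-Listed on PSBL  
"""

FAKE_DNS = {
    ("3.20.50.30.zen.spamhaus.org", "TXT"): ["http://www.spamhaus.org/query/bl?ip=30.50.20.3"],
    ("4.3.2.1.bl.spamcop.net", "A"): ["127.0.0.2"],
    ("8.7.6.5.welcome.dnsbl.local", "A"): ["127.0.0.1"],
    ("8.7.6.5.zen.spamhaus.org", "TXT"): ["would be rejected without the welcomelist"],
}


def fake_lookup(name: str, rtype: str) -> list[str]:
    if name.endswith(".psbl.surriel.com"):
        raise LookupFailure(name)                 # simulate "dnserr" on one list
    return FAKE_DNS.get((name, rtype), [])


ENTRIES = parse_dnsbllist(SAMPLE_DNSBLLIST)

if __name__ == "__main__":
    for client in ("30.50.20.3", "1.2.3.4", "5.6.7.8", "9.9.9.9"):
        print(client, "->", check_client(client, ENTRIES, fake_lookup))
```

Running it prints one line per constructed client: the first is rejected with 553 and the spamhaus TXT text, the second with 451 and the %IP%-expanded message, the third is accepted because the welcomelist matches before the block lists, and the last is accepted because nothing lists it and the failing psbl lookup is skipped unless fail_closed is set.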

How to avoid being "cut off" by spamhaus.org

At the end of this guide I will show how to set up fail2ban to ban malicious IPs, which reduces the number of queries sent to the RBL lists and so avoids getting banned by them.

As an alternative, you may want to take a look at Costel Balta's idea, which addresses the same problem.

One thing to pay close attention to when configuring the server is to avoid using a public DNS resolver such as Google's 8.8.8.8 to query their services (more info here). Behind a public resolver they cannot measure how much traffic you send them, and that will get you cut off.

Check your IP's reputation

When you buy an IP address, you know that it's not new and you inherit its reputation. So the first thing you may want to do is check whether it's listed in some RBL here: http://multirbl.valli.org or https://mxtoolbox.com/SuperTool.aspx

Comments

Different zone name

Hello,

I am trying to use the DNSBL service truncate.gbudb.net. However, I've noticed that the zone name (truncate.gbudb.net) and the DNS server (blns0.gbudb.net) are different. This is causing some confusion for me on how to properly use this DNSBL. If I add "truncate.gbudb.net" into the list, I get an error "dnserr".

Any guidance or insights would be greatly appreciated.

Reply |

Different zone name

Hi,

it seems that truncate.gbudb.net doesn't exist. The DNS server is different but this is normal. It doesn't have any truncate.gbudb.net record. So there's nothing you can do except wait for them to fix it

Reply |

Different zone name

Hi

Please see below:

# dig +short 16.164.19.162.truncate.gbudb.net. @blns0.gbudb.net.
127.0.0.2

# dig truncate.gbudb.net ns
; <<>> DiG 9.16.44-Debian <<>> truncate.gbudb.net ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33267
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;truncate.gbudb.net. IN NS
;; ANSWER SECTION:
truncate.gbudb.net. 7200 IN NS blns1.gbudb.net.
truncate.gbudb.net. 7200 IN NS blns0.gbudb.net.
truncate.gbudb.net. 7200 IN NS blns5.gbudb.net.
truncate.gbudb.net. 7200 IN NS blns2.gbudb.net.
truncate.gbudb.net. 7200 IN NS blns3.gbudb.net.
;; Query time: 412 msec
;; SERVER: 202.169.192.61#53(202.169.192.61)
;; WHEN: Sat Dec 09 21:03:11 NZDT 2023
;; MSG SIZE  rcvd: 147

Reply |

Different zone name

yes, there's no public IP related to that zone

Reply |

RBL and Bordermailer

Hi Roberto,

here at our site we have a bordermailer that "prechecks" the EMails and puts a "Received" line with its name and IP into the EMails.

So the RBL checks the IP of our bordermailer, which is of course normally not blacklisted.

Do you know a solution where I can skip "Received" lines in the header for RBL checks?

Otherwise I have to disable RBL because it's useless.....

Regards,

Herbert

Reply |

RBL and Bordermailer

Try to use DNSBLSKIP with that ip in the tcprules. Let me know...

Reply |

RBL and Bordermailer

....nope...not working...

I tried in smtpd run:

export DNSBLSKIP="ip.of.border.mailer"

and/or in tcp.smtp:

DNSBLSKIP="ip.of.border.mailer"

same behavior with both - it completely skips RBL check then....

Regards,

Herbert

Reply |

RBL and Bordermailer

I did some tests and it's working as expected by declaring DNSBLSKIP in my tcp.smtp

1.2.3.4:DNSBLSKIP=""

Reply |

RBL and Bordermailer

Hi Roberto,

I suppose the IP 1.2.3.4 in your example is the IP of the bordermailer?

When I put this line into tcp.smtp I get the error message:

tcprules: syntax: unable to parse this line: 1.2.3.4:DNSBLSKIP=""

Maybe my problem was not described in enough detail....

I don't want to skip RBL checking for EMail from the bordermailer!

Because all EMails have a "Received" Line with the IP from the bordermailer, I only want to SKIP this "Received" line so that the next Received line will be checked or all "Received" lines are checked.

But maybe this is impossible?

Reply |

RBL and Bordermailer

Yes. The syntax is correct. Double check.

If your server gets the IP of the bordermailer then you can't have an rbl filter

Reply |

RBL and Bordermailer

I've never used it. I'll look at the code when I have some time

Reply |

RBL and Bordermailer

Great! Thank you!

Reply |

dnslist issue

Hi, I have psbl.surriel.com and spamhaus in my dnslist.

[root@brilliance bin]# qmail-showctl |grep dnsbl
dnsbllist:
List at zen.spamhaus.org configured for dnsbl check.
List at sbl.spamhaus.org configured for dnsbl check.
List at pbl.spamhaus.org configured for dnsbl check.
List at xbl.spamhaus.org configured for dnsbl check.
List at bl.spamcop.net configured for dnsbl check.
List at psbl.surriel.com configured for dnsbl check.
List at b.barracudacentral.org configured for dnsbl check.

I noticed that at times listed IPs are not blocked.

Take for example IP 213.142.156.102. This IP was listed multiple times on psbl.surriel.com since 2019 July. But in my log, netqmail still allows it to pass thru

surriel.com
@400000005ece1c472916a37c qmail-smtpd[3241]: rbl: ip=213.142.156.102 query=102.156.142.213.psbl.surriel.com result=ignore message=''

spamhaus
@400000005ece1c4718fd7024 qmail-smtpd[3241]: rbl: ip=213.142.156.102 query=102.156.142.213.zen.spamhaus.org result=ignore message=''
@400000005ece1c47196c915c qmail-smtpd[3241]: rbl: ip=213.142.156.102 query=102.156.142.213.sbl.spamhaus.org result=ignore message=''
@400000005ece1c4719cb7a3c qmail-smtpd[3241]: rbl: ip=213.142.156.102 query=102.156.142.213.pbl.spamhaus.org result=ignore message=''
@400000005ece1c471a3309f4 qmail-smtpd[3241]: rbl: ip=213.142.156.102 query=102.156.142.213.xbl.spamhaus.org result=ignore message=''

My nslookup captured it correctly.

[root@brilliance bin]# nslookup 102.156.142.213.psbl.surriel.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: 102.156.142.213.psbl.surriel.com
Address: 127.0.0.2

[root@brilliance bin]# nslookup 102.156.142.213.zen.spamhaus.org
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: 102.156.142.213.zen.spamhaus.org
Address: 127.0.0.3

[root@brilliance bin]# nslookup 102.156.142.213.sbl.spamhaus.org
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: 102.156.142.213.sbl.spamhaus.org
Address: 127.0.0.3

As my volume is not large, I don't think I am blocked.

Any idea what went wrong?

Thanks
nic

Reply |

dnslist issue

Hi Roberto.

Thanks for your job.

I want to tell you and your visitors to pay attention to the gateway and mail servers.

If you are using a public DNS like 8.8.8.8 or 1.1.1.1, and others, the /var/qmail/control/dnsbllist will be IGNORED.
https://www.spamhaus.com/resource-center/successfully-accessing-spamhauss-free-block-lists-using-a-public-dns/

If you are only getting LOGs like these, bypassing dnsbllist, in /var/log/qmail/smtpd/current

rbl: ip=xxx.yyy.zzz.ttt query=ttt.zzz.yyy.xxx.b.barracudacentral.org result=ignore message=''
rbl: ip=xxx.yyy.zzz.ttt query=ttt.zzz.yyy.xxx.zen.spamhaus.org result=ignore message=''
rbl: ip=xxx.yyy.zzz.ttt query=ttt.zzz.yyy.xxx.sbl.spamhaus.org result=ignore message=''

then you MUST change your GATEWAY, not using public DNS (now I'm using my own public IP with my own DNS Server)
and after that, dnsbllist will finally work and REJECT some IPs with bad reputation:

rbl: ip=188.121.120.30 query=30.120.121.188.b.barracudacentral.org result=reject message='http://www.barracudanetworks.com/reputation/?pr=1&ip=188.121.120.30'
rbl: ip=37.32.8.31 query=31.8.32.37.sbl.spamhaus.org result=reject message='https://www.spamhaus.org/sbl/query/SBLCSS'

Thanks again !

Reply |

dnslist issue

spamhaus started to work again here. Thanks Marco, I will add a note about this

Reply |

dnslist issue

Good to know. Do you get any error code from spamhaus?

I disabled spamhaus a couple of years ago because they were bypassing my queries, and I hope this is the reason why. Now I changed my dns' forwarders and restored spamhaus. Let's see if it works again.

These three blocklists work well even with public dns

b.barracudacentral.org 
psbl.surriel.com
bl.spamcop.net

At any rate, just to clarify, a log message like this is not an error return code

@400000006358736e0a44c2e4 qmail-smtpd[17480]: rbl: ip=121.5.19.34 query=34.19.5.121.b.barracudacentral.org result=ignore message=''

it just means that the IP is not listed.

Reply |
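To see at a glance which lists ever answer with a reject, here is an added example in Python that I wrote for this page; it is not code from the post or from the qmail-dnsbl patch. It summarises the rbl: log lines per zone over a constructed sample log written in the format shown in this thread (documentation-range addresses, so no real host is named). A zone that only ever returns result=ignore while other zones reject is a hint, not proof, of the public-resolver problem Marco describes; as Roberto says, an ignore on its own just means the IP is not listed.

```python
"""Per-list summary of qmail-dnsbl log lines from /var/log/qmail/smtpd/current.

Added example, not part of the original post or of the qmail-dnsbl patch.
It parses the "rbl: ip=... query=... result=... message='...'" lines shown
in this thread, recovers the zone from the reversed query name, counts
results per zone, and flags zones that never reject while other zones in
the same log do. The log lines below are constructed.
"""
import re
from collections import defaultdict
from typing import Optional

LOG_RE = re.compile(
    r"rbl: ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) query=(?P<query>\S+) "
    r"result=(?P<result>\w+) message='(?P<message>[^']*)'"
)


def zone_of(ip: str, query: str) -> str:
    """Strip the reversed client address from the query name to get the zone."""
    prefix = ".".join(reversed(ip.split("."))) + "."
    return query[len(prefix):] if query.startswith(prefix) else query


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one rbl log line, or None for any other line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["zone"] = zone_of(rec["ip"], rec["query"])
    return rec


def summarise(log_text: str) -> dict[str, dict[str, int]]:
    """Count ignore / reject / other results per zone."""
    stats = defaultdict(lambda: {"ignore": 0, "reject": 0, "other": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = rec["result"] if rec["result"] in ("ignore", "reject") else "other"
        stats[rec["zone"]][bucket] += 1
    return {zone: dict(counts) for zone, counts in stats.items()}


def silent_zones(stats: dict[str, dict[str, int]], min_queries: int = 3) -> list[str]:
    """Zones queried at least min_queries times that never rejected a client,
    reported only if some other zone did reject (the filter as a whole is
    alive). A heuristic pointer to the public-resolver / cut-off problem."""
    if not any(c["reject"] for c in stats.values()):
        return []
    return sorted(z for z, c in stats.items()
                  if c["reject"] == 0 and c["ignore"] + c["other"] >= min_queries)


# Constructed sample: three clients, the last line is not an rbl line at all.
SAMPLE_LOG = """\
@400000006358736e0a44c2e4 qmail-smtpd[17480]: rbl: ip=192.0.2.10 query=10.2.0.192.zen.spamhaus.org result=ignore message=''
@400000006358736e0a44c2e5 qmail-smtpd[17480]: rbl: ip=192.0.2.10 query=10.2.0.192.b.barracudacentral.org result=reject message='http://www.barracudanetworks.com/reputation/?pr=1&ip=192.0.2.10'
@400000006358736f0a44c2e6 qmail-smtpd[17481]: rbl: ip=192.0.2.11 query=11.2.0.192.zen.spamhaus.org result=ignore message=''
@400000006358736f0a44c2e7 qmail-smtpd[17481]: rbl: ip=192.0.2.11 query=11.2.0.192.b.barracudacentral.org result=ignore message=''
@400000006358736f0a44c2e8 qmail-smtpd[17481]: rbl: ip=192.0.2.11 query=11.2.0.192.psbl.surriel.com result=reject message='Message blocked from 192.0.2.11'
@400000006358737002a1b3c4 qmail-smtpd[17482]: rbl: ip=198.51.100.7 query=7.100.51.198.zen.spamhaus.org result=ignore message=''
@400000006358737002a1b3c5 qmail-smtpd[17482]: rbl: ip=198.51.100.7 query=7.100.51.198.b.barracudacentral.org result=ignore message=''
@400000006358737002a1b3c6 qmail-smtpd[17482]: rbl: ip=198.51.100.7 query=7.100.51.198.psbl.surriel.com result=ignore message=''
@400000006358737002a1b3c7 qmail-smtpd[17482]: some other smtpd line that the parser skips
"""

if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for zone, counts in sorted(stats.items()):
        print(f"{zone:28} {counts}")
    print("never rejecting:", silent_zones(stats))
```

On a real server feed it the current log (for example `summarise(open("/var/log/qmail/smtpd/current").read())`) and raise min_queries to something meaningful for your traffic; a zone that stays silent over thousands of queries while the others reject is the pattern to check against the resolver advice in the post.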

dnslist issue

Hi,

I don't think I am blocked at all. I received those spams and immediately looked up the IPs against the list.

Very strange indeed.

Looks like I will have to create a blacklist myself.

Thanks
nic

Reply |

dnslist issue

Nic, this only proves that you did the query to those block lists, not that they considered your query and provided a response

Reply |

dnslist issue

Hi, I think you have been blocked by those rbl. I also don't have a very busy server, but I think that spamhaus is blocking me.

Unfortunately there is no way to check if the server has been blocked or not. Any hint on this would be appreciated.

I suggest turning on fail2ban in order to decrease the number of calls to the rbl

Reply |

dnsbllist: I have no idea what this file does.

Hi Roberto

First, thank you for your guide, which saved me countless hours getting our mailserver up and running!

I've got a problem though when trying to enable dnsbl like described here. I'm using your combined patch (current version as of now), but qmail seems not to recognize the dnsbllist file.

# qmail-showctl |grep dnsbl
dnsbllist: I have no idea what this file does.

Do you have any idea what I might have missed?

Sincerely
Steffen

Reply |

Hi Steffen, it's strange..

Hi Steffen,

it's strange.. it's like you haven't patched qmail with the qmail-dnsbl patch... are you absolutely sure that you have actually patched qmail?

Reply |

OK, please discard my

OK, please discard my comment.

Issue was that I had an old qmail-showctl in /usr/sbin (the timestamp indicates it's from the qmail compile before the vpopmail install and patching of qmail) which was being called...

All is fine, dnsbl working as expected. Thank you!

Reply |

Yes, I have checked the

Yes, I have checked the patched source files and they contain the patched lines.
I've also checked the compiled and installed binaries (qmail-smtpd and qmail-showctl) and they contain the dnsbllist string.

Indeed, very strange.

Reply |

Local User with Dynamic IP get banned

Hello Roberto,

I have the problem that local users with dynamic IPs get banned by the list even if I use submission port 587 with this user. Is it possible to whitelist local users? Thanks for helping.

Greetings

Marc

Reply |

outgoingip

Marc, I think you can change your outgoing IP by adding it to control/outgoingip. Take a look here http://notes.sagredo.eu/node/82#outgoingip

Let us know if it does the trick, please

Reply |

Hi, the server has only one

Hi, the server has only one IP address. I know this outgoingip from another server which has more network interfaces and I don't think that this is the reason. The user has a dynamic IP from his DSL provider, which is on the spamhaus blacklist. And I thought that when he uses port 587 the RBL filter is bypassed. The log shows this:
qmail-smtpd: message rejected (qmail-dnsbl) (1.1.1.1.zen.spamhaus.org): info@localdomain.xy from 1.1.1.1 to info@localdomain.xy helo PCLokal    1.1.1.1=DynamicDSL.IP.Adress from User

You wrote in the description: RBL filter *before* qmail-smtpd as rblsmtpd did is that the authenticated users who want to send messages from a remote dynamic IP will not be banned - but in this case it gets banned and I don't know why. For the moment I have deleted spamhaus from the dnsbllist file and then it works for the client. But spamhaus catches a large amount of spam and I'd like to use it again. Do you have another suggestion? Thanks!

Reply |

can you post your

can you post your qmail-submission run file and a smtp telnet session on 587 port?

Reply |

Telnet Output:telnet

Telnet Output:

telnet 127.0.0.1 587
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 xyz.net ESMTP
EHLO test
250-xyz.net
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN
250 SIZE 30000000
mail from:mail@test.xy
250 ok
quit
221 xyz.net
Connection closed by foreign host.

submission run file:

#!/bin/sh

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`

# You MUST export this, otherwise you'd get a 30 sec timeout
export SMTPAUTH=""

# This enables greetdelay for qmail-smtpd.
export SMTPD_GREETDELAY=1
export DROP_PRE_GREET=1

# This disables FORCETLS
#export FORCETLS=1

# This enables chkuser
export CHKUSER_START=ALWAYS

# This enables simscan debug
#export SIMSCAN_DEBUG=2

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    /var/qmail/bin/qmail-smtpd \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1

Reply |

RELAYCLIENT

if you want to allow your LAN to relay without authentication, use port 25 and put your localnet in the RELAYCLIENT variable inside tcp.smtp...

Reply |

auth first

you are not authenticating, so it's normal that qmail-dnsbl checks the block list and you are banned. You have to do the auth before the mail from: command, as this is not an open relay.

As an alternative you can always decide to turn off dnsbl:

Exception: If the environment variable DNSBLSKIP is set, qmail-smtpd ignores dnsbllist, and the dnsbl check is not performed. The check is skipped even if some other authentication method succeeded and authorized the client to relay (smtp-auth or tls client certificate), or if the RELAYCLIENT environment variable is set.

Reply |

Need some more explanation

Hello Roberto, thanks for helping. Just to clear it up for me, there is one thing that I didn't understand:

In the telnet session I missed the authentication, but when the user connects with his mail client to send the mail, he gets forwarded to the submission run file, and in this the authentication comes first, or do I have to change something in the run file?
And if I want to use the DNSBLSKIP parameter, do I have to write the following in the submission run file?:
export RBLSMTPD=""

Thanks!

Reply |

the run file is correct

the run file is correct. But you must do the auth if you want to relay with the 587 port, unless you are a RELAYCLIENT. And if you do the auth, dnsbl is turned off, so no need to use DNSBLSKIP

Anyway,

export RBLSMTPD=""

disables rblsmtpd, but we are not using it anymore, so forget it.

Instead, if for some reason you want to disable qmail-dnsbl check just do this in your run file (qmail-smtpd or qmail-submission or both)

export DNSBLSKIP=""

but I can assure you that it works if you do the auth

EDIT:

as already said, the simplest thing to do is assign the RELAYCLIENT on port 25 to the IPs that have to do the relay without auth (localnets for instance) and force the auth on port 587, but I guess that port 587 cannot be used without authentication.

Reply |