May 24, 2019 Roberto Puzzanghera 16 comments
SURBLs are lists of web sites that have appeared in unsolicited messages. Unlike most lists, SURBLs are not lists of message senders.
Web sites seen in unsolicited messages tend to be more stable than the rapidly changing botnet IP addresses used to send the vast majority of them. Sender lists like zen.spamhaus.org can be used in a first stage filter to help identify 80% to 90% of unsolicited messages. SURBLs can help find about 75% of the otherwise difficult, remaining unsolicited messages in a second stage filter. Used together with sender lists, SURBLs have proven to be a highly-effective way to detect 95% of unsolicited messages.
The SURBL filter is part of the DKIM patch by Manvendra Bhangui and it's embedded in my combined patch.
To enable this filter you must export the variable SURBL with any value in your run file and pass the filter program to the QMAILQUEUE variable so that it can be executed before the delivery:
export SURBL=1
export QMAILQUEUE=/var/qmail/bin/surblqueue
export SURBLQUEUE=/var/qmail/bin/simscan
The filter is actually wrapped by surblqueue, as you can see. SURBLQUEUE makes the program execute simscan when it has finished. If you don't define SURBLQUEUE, the program executes qmail-queue to do the delivery.
NB: Remember to remove QMAILQUEUE from your tcp.smtp, otherwise it will overwrite your run file.
Be aware that the directory /var/qmail/control/cache must be writable by the user who runs qmail-smtpd, vpopmail in our case. I have adjusted my combined patch accordingly.
surblfilter requires two control files, level2-tlds and level3-tlds, in /var/qmail/control. They can be obtained from the surbl.org website: http://www.surbl.org/tld/three-level-tlds and http://www.surbl.org/tld/two-level-tlds. These files should not be confused with the SURBL lists themselves, but it is worth updating them monthly or so with a cronjob like this:
cat > /usr/local/bin/update_tlds.sh << __EOF__
#!/bin/bash
#
# Refresh the TLD control files used by surblfilter
cd /var/qmail/control || exit 1
/usr/bin/wget http://www.surbl.org/tld/three-level-tlds http://www.surbl.org/tld/two-level-tlds
# Install the downloads under the names surblfilter expects
mv two-level-tlds level2-tlds
mv three-level-tlds level3-tlds
__EOF__
chmod +x /usr/local/bin/update_tlds.sh
Now set up the cronjobs (the second one cleans the cache folder once a day):
# surbl tlds update
2 2 23 * * /usr/local/bin/update_tlds.sh 1> /dev/null
# surbl cache purge
2 9 * * * find /var/qmail/control/cache/* -cmin +5 -exec /bin/rm -f {} \;
surblfilter, qmail-dkim and simscan in cascade
Using a combination of QMAILQUEUE, SURBLQUEUE and DKIMQUEUE runs both filters and finally passes the message to simscan, which in turn calls clamd and spamd and finally executes qmail-queue:
export SURBL=1 # Comment to disable SURBL filtering
export QMAILQUEUE=/var/qmail/bin/surblqueue # executes surblfilter
export SURBLQUEUE=/var/qmail/bin/qmail-dkim # executes qmail-dkim after surblfilter
export DKIMQUEUE=/var/qmail/bin/simscan # simscan is executed after qmail-dkim
export DKIMKEY=/usr/local/etc/domainkeys/%/default
# DKIM verification. Use carefully
export DKIMVERIFY="FGHKLMNOQRTVWp"
# This is to allow msg without "subject" in the h= list
export UNSIGNED_SUBJECT=1
# This is to avoid verification of outgoing messages
export RELAYCLIENT_NODKIMVERIFY=1
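The hand-off between the wrappers can be traced from the variables alone, before any mail is sent. The script below is an added example, not part of the original article or of the patch: its function names are hypothetical, it assumes qmail-dkim falls back to qmail-queue when DKIMQUEUE is unset, and it treats the first tcprules line that sets QMAILQUEUE as the one in effect.

```shell
#!/bin/sh
# Added example: model the hand-off between the queue wrappers described above.
# Assumption: qmail-dkim falls back to qmail-queue when DKIMQUEUE is unset.
BIN=/var/qmail/bin

# Print the QMAILQUEUE value from the first non-comment tcprules line that
# sets one (prints nothing if no rule sets it).
tcprules_qmailqueue() {
    sed -n '/^[[:space:]]*#/d; s/.*QMAILQUEUE="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the programs a message passes through. $1 is an optional tcprules
# file: a QMAILQUEUE set there replaces the one exported in the run file.
queue_chain() {
    next=${QMAILQUEUE:-$BIN/qmail-queue}
    if [ -n "${1:-}" ] && [ -r "$1" ]; then
        override=$(tcprules_qmailqueue "$1")
        next=${override:-$next}
    fi
    chain=
    hops=0
    while [ "$hops" -lt 8 ]; do       # hop limit: a wrapper may point at itself
        prog=${next##*/}
        chain="${chain:+$chain -> }$prog"
        hops=$((hops + 1))
        case $prog in
            surblqueue) next=${SURBLQUEUE:-$BIN/qmail-queue} ;;
            qmail-dkim) next=${DKIMQUEUE:-$BIN/qmail-queue} ;;
            simscan)    next=$BIN/qmail-queue ;;
            *)          break ;;      # qmail-queue or an unknown program ends the chain
        esac
    done
    printf '%s\n' "$chain"
}

# Succeed only if the message passes through surblqueue and later simscan.
chain_is_complete() {
    case " $(queue_chain "${1:-}") " in
        *" surblqueue "*" simscan "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed settings: the cascade run file with DKIMQUEUE left unset.
( QMAILQUEUE=$BIN/surblqueue; SURBLQUEUE=$BIN/qmail-dkim; unset DKIMQUEUE
  queue_chain
  chain_is_complete || echo "simscan is never executed" )
```

Source it from a shell that has the run file's exports loaded and pass the path of your tcp.smtp to queue_chain to see whether a rule there bypasses surblqueue.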
Send yourself an email with a URL such as http://surbl-org-permanent-test-point.com/ in the body. You should see the filter in action in your qmail-smtpd log:
qmail-smtpd: message rejected (message contains an URL listed in SURBL blocklist): user@domain.xy from 123.45.67.89 to yourself@yourdomain.xy helo yourmailserver.xy
Comments
Error compiling surblfilter
Pablo Murillo February 14, 2019 03:07
Hi
I'm trying to apply the patch on FreeBSD, but after solving many errors I was stuck with this
After reading & reading I finally understood that FreeBSD doesn't have "resolv", so the solution was to remove "-lresolv" from the patch
I'm not using "all" the patch that you made, because I'm using ports on FreeBSD, but I use your guide to configure a lot of things
Thanks for your work
Error compiling surblfilter
Roberto Puzzanghera Pablo Murillo February 14, 2019 09:32
Thanks for the contribution. As many others here reported compilation breaks with FreeBSD, it would be nice if you shared more information about the fixes you made...
SURBL not working..
Tiago Oliveira de Jesus November 30, 2016 04:15
Hi Roberto!
I'm using your howto to build a new mailserver and SURBL seemed very cool.
I did everything, but nothing happened.. I sent messages with URLs from the list but all have passed.
I did not implement DKIM, is this a problem?
my qmail-smtpd/run is:
Please, send one light! :-)
[] s
Tiago Oliveira de Jesus
roberto puzzanghera Tiago Oliveira de Jesus November 30, 2016 14:52
Did you try to include this http://surbl-org-permanent-test-point.com/ in your test msg? Did you check if the logs have that line mentioned above?
Tiago Oliveira de Jesus roberto puzzanghera November 30, 2016 17:19
Hi... again..
Forget my last message, after I removed QMAILQUEUE from tcp.smtp, simscan is gone...
SURBL is OK, but simscan does not work :(
TFA
roberto puzzanghera Tiago Oliveira de Jesus November 30, 2016 19:25
Now simscan is not enabled anymore because it is executed after qmail-dkim (take a moment to read the comments in the code as well :-) but you are not running qmail-dkim.
Comment out that line and you'll have it working
Tiago Oliveira de Jesus roberto puzzanghera November 30, 2016 20:21
Roberto, hi!
Yes, I read... but my file is exactly as you say... see:
In my first message I wrote a comment saying I tried enabling and disabling DKIM, for tests only..
roberto puzzanghera Tiago Oliveira de Jesus November 30, 2016 20:42
You have the third line commented. Remove that comment and it will work :-)
Tiago Oliveira de Jesus roberto puzzanghera November 30, 2016 21:04
Sorry for the insistence, had already tested with this active line, but I commented, because I'm not using dkim.
Even so, it did not work.
I only had success when I removed QMAILQUEUE from /home/vpopmail/tcp.smtp, but then it did not pass the other tests, (virus and spam)
[] s
roberto puzzanghera Tiago Oliveira de Jesus November 30, 2016 21:24
Forget what you did before, because you were overwriting QMAILQUEUE in your tcp.smtp. This is the reason why the directives in your run file were ignored. In particular you got the same behaviour both when that line was commented or not.
But now you have the run file dictating its rules. Unfortunately, according to what you have now in your run file, simscan can't be executed.
Your run file has no way to run simscan unless you don't let SURBLQUEUE or DKIMQUEUE point to it (simscan). If you don't want DKIM then use the first example on the top of this page
Please take the time to read carefully the docs, so that I don't have to repeat those explanations again inside the comments, something that is not useful for this blog
Tiago Oliveira de Jesus roberto puzzanghera November 30, 2016 22:33
Sorry for the abuse... and I caught my mistake... after removing QMAILQUEUE from /home/vpopmail/etc/tcp.smtp, I forgot to run qmailctl cdb to compile those......
Thank you so much.
Tiago Oliveira de Jesus Tiago Oliveira de Jesus November 30, 2016 22:50
This is the last.. I promised..
I re-read all the steps of your tutorial, and I downloaded your supervise scripts, and all.
In the config phase of simscan, at "Turning on scanning", there is this:
As you can see, my English is bad.. I did not find whether this config needs to be disabled.
As I followed it step by step, this stayed in the file. Sorry for my fault.
[] s
roberto puzzanghera Tiago Oliveira de Jesus December 1, 2016 14:49
You are right, I should have pointed out that QMAILQUEUE should be removed from tcp.smtp. I'll do that as soon as possible.
Summarizing, now that you have removed QMAILQUEUE from tcp.smtp, SURBL is working and to execute simscan after SURBL you should define SURBLQUEUE as follows:
Tiago Oliveira de Jesus roberto puzzanghera November 30, 2016 16:34
Yes, I tried.
I removed QMAILQUEUE from tcp.smtp and it works:
What do you think, is it done?
roberto puzzanghera Tiago Oliveira de Jesus November 30, 2016 14:38
I think that in this way you can't execute simscan. You must comment out that line.
I would look at the details with strace
Tiago Oliveira de Jesus roberto puzzanghera November 30, 2016 16:22
Hi Roberto!
simscan is executing.. I enabled simscan debug, see:
[...]
One question, in my /home/vpopmail/etc/tcp.smtp I have:
Is this environment read after or before QMAILQUEUE from smtpd/run?