Realtime Blackhole Lists with Postfix


Realtime Blackhole Lists (RBL) and DNS-based Blocklists (DNSBL) are publicly queryable lists of IP addresses and domains that have recently been the source of malicious, unwanted or suspicious activity, such as sending spam or phishing e-mail.

Prevent SPAM and phishing emails

Blacklists were created to stem the flood of unwanted e-mail. IP addresses of suspicious senders, typically caught by spamtraps, are collected on a blacklist. A receiving mail server checks each incoming connection or message against one or more of these lists; on a positive match the message is either delivered to the Junk E-mail folder or not accepted at all and rejected by the server.

Two widely used open-source components lend themselves to this: the SpamAssassin spam filter from the Apache project, and the Postfix MTA (Mail Transfer Agent) for Unix and Unix derivatives. This tutorial covers the integration of Realtime Blackhole Lists (RBL) and DNS-based Realtime Blocklists (DNSBL) in Postfix.

How to use DNS-based Blackhole List on Postfix

As the name suggests, a DNSBL query is technically just a DNS query: the octets of the client's IP address are reversed, the zone name is appended, and the resulting name is looked up. Because DNS answers arrive in near real time, the lists are consulted live for every connection. In Postfix, DNSBLs are configured in /etc/postfix/main.cf, usually under smtpd_recipient_restrictions, as in the following example.

smtpd_recipient_restrictions = permit_mynetworks,
        reject_invalid_helo_hostname,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        reject_unauth_destination,
        reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
        reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
        reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],
        reject_rhsbl_reverse_client dbl.spamhaus.org=127.0.1.[2..99],
        warn_if_reject reject_rbl_client zen.spamhaus.org=127.255.255.[1..255],
        reject_rbl_client dnsbl-1.uceprotect.net,
        reject_rbl_client bl.0spam.org=127.0.0.[7..9],
        reject_unverified_recipient,
        permit

A production configuration usually carries many more restrictions than the ones shown; this tutorial concentrates on the DNSBL entries. Two details in the list matter. First, reject_unauth_destination sits before the DNSBL lookups, so the relay check never depends on the availability of an external list. Second, the return-code filters such as =127.0.0.[2..11] make sure that only the documented listing codes cause a rejection, while the warn_if_reject line merely logs the 127.255.255.x answers with which Spamhaus signals a query problem (for instance an open resolver or an exceeded query limit) instead of bouncing mail on them.

  A right-hand side blacklist (RHSBL) is a listing that contains the domain names of spammers, which mail servers can be programmed to reject. RHSBL functions the same way as a domain name system blacklist (DNSBL) with one important distinction: RHSBLs include domain names rather than IP addresses.

The earlier the better: with the restrictions placed under smtpd_client_restrictions, the check is carried out at the start of the SMTP dialogue, before any message data is accepted. Note that Postfix defaults to smtpd_delay_reject = yes, which postpones the evaluation of client, HELO and sender restrictions until the RCPT TO command; set it to no if the rejection should really happen at connect time.

smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_client_restrictions = permit_mynetworks,
        reject_non_fqdn_helo_hostname,
        reject_invalid_helo_hostname,
        reject_unknown_helo_hostname,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_unauth_pipelining,
        reject_unknown_client_hostname,
        reject_rbl_client dnsbl.sorbs.net,
        reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
        reject_rhsbl_sender hostkarma.junkemailfilter.com=127.0.0.2,
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        permit

With either placement the DNSBL query happens before the message is written to the mail spool; the client receives a 5xx reply and Postfix logs NOQUEUE: reject:. The gain from rejecting early in the dialogue is that no bandwidth, disk or content-filter time is spent on a message that will be refused anyway. The list above uses the current restriction names (reject_unknown_client_hostname, reject_unknown_helo_hostname and friends; the older aliases without "helo" or "client_hostname" still work but are obsolete) and drops the duplicates. Bear in mind that these stricter checks also refuse legitimate senders with broken reverse DNS, so try them with warn_if_reject first, and remove any zone that has stopped answering (see the RFC 5782 test below).

As after any change to main.cf, Postfix must be reloaded:

$ postfix reload

SBL DNSBL Black List testing

The test record 127.0.0.2 is a loopback address that every DNSBL zone, Spamhaus' sbl.spamhaus.org included, lists permanently so that mail servers can verify their configuration. RFC 5782 (and RFC 6471) recommends this convention: 127.0.0.2 must be listed, and 127.0.0.1 must never be listed. Most other DNSBLs follow it as well.

$ dig +short ANY 2.0.0.127.zen.spamhaus.org @your_dns
"https://www.spamhaus.org/sbl/query/SBL2"
"https://www.spamhaus.org/query/ip/127.0.0.2"
127.0.0.2
127.0.0.10
127.0.0.4

Note: if you use a free open resolver such as Google Public DNS (8.8.8.8), Spamhaus' public DNSBL servers will in most cases answer with "not listed" (NXDOMAIN), or for the zen zone with the 127.255.255.254 error code, rather than with the real listing, so the check silently passes everything. Use your own recursive DNS servers for DNSBL queries to Spamhaus. Also, many resolvers no longer give meaningful answers to ANY queries (RFC 8482); if dig +short ANY returns nothing, query the A and TXT records separately.

A query for the test record returns 127.0.0.2 (plus any further listing codes the zone uses) when a zone is working, and the same lookup against a real client IP returns a record only if that IP is listed. The same mechanism works for other providers, for example 0spam.org via the zone bl.0spam.org; the exact return codes depend on the respective DNSBL.

$ host 2.0.0.127.bl.0spam.org

The TXT record for the same reversed test address carries the listing reason:

$ host -tTXT 2.0.0.127.bl.0spam.org

The TXT record of the 0spam.org zone reads as follows (the output is reproduced verbatim, including the provider's own wording).

2.0.0.127.bl.0spam.org descriptive text "This listings is for RFC Compliance. See RFC 5782. For support and listing removal go to https://0spam.org Possible Values: 127.0.0.1(General Listings), 127.0.0.2(depreciated) 127.0.0.3(can-spam violators) 127.0.0.4(non RFC compliant) 127.0.0.5(repeat of" "fender) 127.0.0.6(bouncing email to the wrong server) 127.0.0.7(open relay) 127.0.0.8(bouncing spoofed emails) 127.0.0.9(fraud/scam, malware or illegal/abusive content)"

Some DNSBLs return several listing codes for the test record, or one TXT record per sub-list, which makes it easy to see which return codes a zone uses.

$ dig +short TXT 2.0.0.127.hostkarma.junkemailfilter.com @8.8.8.8
"Black listed at hostkarma http://ipadmin.junkemailfilter.com/remove.php?ip=127.0.0.2"
"Black listed (authentication hacker) at hostkarma http://ipadmin.junkemailfilter.com/remove.php?ip=127.0.0.2"
"White listed 127.0.0.2 See http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists"
"Yellow listed 127.0.0.2 See http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists"

$ dig +short ANY 2.0.0.127.multi.surbl.org
127.0.0.254
"wild.surbl.org permanent test point"

$ dig +short ANY 2.0.0.127.psbl.surriel.com
"Listed in PSBL, see http://psbl.org/listing?ip=127.0.0.2"
127.0.0.2

$ dig +short ANY 2.0.0.127.dnsbl.sorbs.net
127.0.0.10
"Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?127.0.0.2"
127.0.0.5
"Open SMTP Relay See: http://www.sorbs.net/lookup.shtml?127.0.0.2"
127.0.0.7
"Exploitable Server See: http://www.sorbs.net/lookup.shtml?127.0.0.2"
127.0.0.2
"HTTP Proxy See: http://www.sorbs.net/lookup.shtml?127.0.0.2"
127.0.0.3
"SOCKS Proxy See: http://www.sorbs.net/lookup.shtml?127.0.0.2"

$ dig +short ANY 2.0.0.127.bl.nordspam.com
"RFC5782 TEST-record."
127.0.0.2

$ dig +short ANY 2.0.0.127.truncate.gbudb.net
127.0.0.2
"Test Record"

Queries can be narrowed down to a sub-zone, for example to IPs reported from the U.S. only via usa.bl.blocklist.de:

$ host -t any 2.0.0.127.usa.bl.blocklist.de
2.0.0.127.usa.bl.blocklist.de has address 127.0.0.2
2.0.0.127.usa.bl.blocklist.de descriptive text "Infected System, see http://www.blocklist.de/en/view.html?ip=127.0.0.2"

The zone bruteforcelogin.bl.blocklist.de lists IPs that brute-force Joomla, WordPress and other web logins, and ftp.bl.blocklist.de only IPs from which FTP attacks were recorded. The individual RBL zones with their return codes and usage policies are documented on the websites of the DNSBL providers. Whitelists such as DNSWL are used alongside them to avoid false positives.

DNSWL.ORG: E-Mail Reputation, protection against false positives

Useful: Frequently Asked Questions (FAQ) by Spamhaus.org

  DNS-based Blackhole Lists (DNSBL) do not allow more than 1,000 requests per second; if the requests exceed 1,000 per second, the rsync method should be applied.

$ rsync -z psbl-mirror.surriel.com::psbl/psbl.txt .
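Once the list is mirrored, Postfix still needs a way to consult the local copy. The following added example (my code, not part of the tutorial and not a PSBL tool) converts a dump into a Postfix cidr: access map for check_client_access. It assumes the dump holds one IPv4 address or CIDR block per line with "#" starting a comment; the sample input is constructed from RFC 5737 documentation ranges, and the table path /etc/postfix/psbl.cidr is an assumption. Check the format against the real psbl.txt before relying on it.

```python
"""Convert an rsync'd DNSBL dump into a Postfix cidr: access map so a busy MTA
checks the list locally (check_client_access cidr:/etc/postfix/psbl.cidr)
instead of exceeding the public mirrors' query limits. Added example, not part
of the tutorial or of PSBL. Assumption: the dump holds one IPv4 address or
CIDR block per line, '#' starting a comment; check this against the real
psbl.txt before use."""
import ipaddress
from typing import Iterable, List

# Constructed sample in the assumed format; addresses are RFC 5737
# documentation ranges, not real listings.
SAMPLE_DUMP = """\
# psbl.txt sample (constructed)
192.0.2.17
198.51.100.0/24
203.0.113.5   trailing fields are ignored
not-an-address
127.0.0.1
10.0.0.0/8
0.0.0.0/0
"""

# Ranges that must never end up in a REJECT table, whatever the dump says:
# a single bad line such as 0.0.0.0/0 or 127.0.0.1 would refuse all mail.
NEVER_REJECT = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_dump(lines: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse dump lines into IPv4 networks, skipping junk and unsafe ranges."""
    nets = []
    for raw in lines:
        token = raw.split("#", 1)[0].split()
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token[0], strict=False)
        except ValueError:
            continue          # junk line: skip it, do not abort the whole import
        if net.version != 4 or any(net.overlaps(bad) for bad in NEVER_REJECT):
            continue
        nets.append(net)
    return nets


def to_cidr_table(nets: Iterable[ipaddress.IPv4Network],
                  action: str = "REJECT Listed in PSBL, see http://psbl.org") -> str:
    """Render a Postfix cidr: table. collapse_addresses() merges adjacent and
    overlapping entries, so the first-match lookup sees one entry per range."""
    return "".join(f"{net.with_prefixlen} {action}\n"
                   for net in ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    print(to_cidr_table(parse_dump(SAMPLE_DUMP.splitlines())), end="")
```

Write the output to /etc/postfix/psbl.cidr and reference it with check_client_access cidr:/etc/postfix/psbl.cidr in smtpd_client_restrictions; cidr: tables need no postmap, but Postfix reads them when it starts, so reload after every rsync run. The NEVER_REJECT filter is the check that matters: a mirrored file is input you never read by hand, and without it a single stray line would turn the list into a reject-everything rule.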

GitHub Postfix main configuration main.cf

Table of some DNSBLs

List Name         Website               Zone(s)               Blocklist Type
nixspam           nixspam.org                                 IP-based
spamhaus          spamhaus.org          sbl.spamhaus.org      IP-based
                                        xbl.spamhaus.org      IP-based
                                        dbl.spamhaus.org      Domain-based
                                        zen.spamhaus.org      Combined list (SBL, SBLCSS, XBL, PBL)
CBL               cbl.abuseat.org                             IP-based
Spamcop           spamcop.org                                 IP-based
SwiNOG            swinog.ch                                   IP-based
SURBL             surbl.org                                   Domain-based
SORBS             sorbs.net                                   IP-based
URIBL             uribl.com                                   Domain-based
Mailspike         mailspike.org                               Combined list
Blocklist.de      blocklist.de                                IP-based
Barracudacentral  barracudacentral.org                        IP-based
UCEPROTECT        www.uceprotect.net                          IP-based
JunkEmailFilter   junkemailfilter.com                         IP-based and domain-based
0spam             0spam.org                                   IP-based
NordSpam          nordspam.com                                IP-based
GBUdb             gbudb.com                                   IP-based

Conclusion

DNSBLs are generally the first line of defence against spam. Each DNSBL provider follows its own listing criteria and quality standards, so candidate lists have to be evaluated against the site's own requirements before they are chosen. Most postmasters rely on real-time DNS-based blocklists (DNSBL): mail from listed sources is either not accepted at all, or the listing is fed into the spam score. The mechanism is described by the IETF in RFC 5782: https://tools.ietf.org/html/rfc5782

  • 0spam.org free DNSBL for eMail Service providers
  • blocklist.de free and voluntary anti-fraud/abuse service
  • spamhaus IP and domain reputation data
  • Surbl reputation data provided in near real-time feeds
  • dnswl.org E-Mail Reputation Protect against false positives
