How to use DNSBL and check DNS/trust/etc issues

Post by henk » 23 May 2018 10:47

As I cannot use Postfix to reject mail (using fetchmail and Dovecot on EFA), but still want to catch spam from blocklists, there is a quite simple way to configure this outside Postfix (besides the options you can use in /etc/mail/spamassassin).
You can also use this in the 'normal' EFA setup. Do NOT configure this in Postfix AND MailScanner at the same time!

In MailScanner.conf:

Code:

Spam List = SPAMHAUS SPAMCOP SORBS
# 1 is the default
Spam Lists To Be Spam = 1

Available free lists are in /etc/MailScanner/spam.lists.conf:

Code:

# You should register your IP before using the Barracuda list. It will work
# without registering your IP, but they might throttle your requests. The
# free registration ensures that you won't get throttled.
# http://barracudacentral.org/rbl
BARRACUDA                       b.barracudacentral.org
# aggregate list - http://www.sorbs.net/using.shtml
SORBS                           dnsbl.sorbs.net
# aggregate list - http://www.spamhaus.org/zen/
SPAMHAUS                        zen.spamhaus.org
# aggregate list - https://www.spamcop.net/bl.shtml
SPAMCOP                         bl.spamcop.net

Restart MailScanner and wait for mail.

How to check if these changes have any effect?

Define some filters in search and reports.
[attachment: Filters.png]
Now you will see you also catch spam with scores below the defined spam threshold.
[attachment: result.png]
[attachment: AB76B403AC.A94ED.png]
Just select one, copy the filename, and run this, replacing the date and message ID:

Code:

sa-learn -D --spam /var/spool/MailScanner/quarantine/20180522/spam/AB76B403AC.A94ED &> /tmp/henk1.log

In this log there is a lot of info that you can use to check if EFA is working as you think it is working.

DNS, trusted networks, untrusted networks, etc. Just take some time to examine the logfile.

Code:

vi /tmp/henk1.log

I just post the last part, since it's a big file.

Code:

dns: URIBL_DBL_ABUSE_MALW lookup start
 async: launching NS/EXAMPLE.nl for NS:EXAMPLE.nl
 dns: bgsend, DNS servers: [127.0.0.1]:53
 dns: attempt 1/1, trying connect/sendto to [127.0.0.1]:53
 dns: providing a callback for id: 23081/IN/NS/EXAMPLE.nl
 async: starting: URI-NS, NS:EXAMPLE.nl (timeout 15.0s, min 3.0s)
 async: launching A/EXAMPLE.nl for A:EXAMPLE.nl
 dns: bgsend, DNS servers: [127.0.0.1]:53
 dns: attempt 1/1, trying connect/sendto to [127.0.0.1]:53
 dns: providing a callback for id: 6689/IN/A/EXAMPLE.nl
 async: starting: URI-A, A:EXAMPLE.nl (timeout 15.0s, min 3.0s)
 dns: URIBL_SBL_A lookup start
 uridnsbl: considering host=wl.spotify.com, domain=spotify.com
 async: query 35005/IN/A/spotify.com.multi.surbl.org already underway, adding no.7 URIBL_PH_SURBL
 dns: URIBL_PH_SURBL lookup start
 async: query 110/IN/A/spotify.com.multi.uribl.com already underway, adding no.5 URIBL_BLACK
 dns: URIBL_BLACK lookup start
 async: query 110/IN/A/spotify.com.multi.uribl.com already underway, adding no.6 URIBL_RED
 dns: URIBL_RED lookup start
 async: query 46183/IN/A/spotify.com.dob.sibl.support-intelligence.net already underway, adding no.2 URIBL_RHS_DOB
 dns: URIBL_RHS_DOB lookup start
 async: query 110/IN/A/spotify.com.multi.uribl.com already underway, adding no.7 URIBL_GREY
 dns: URIBL_GREY lookup start
 async: query 35005/IN/A/spotify.com.multi.surbl.org already underway, adding no.8 URIBL_MW_SURBL
 dns: URIBL_MW_SURBL lookup start
 async: query 35005/IN/A/spotify.com.multi.surbl.org already underway, adding no.9 URIBL_ABUSE_SURBL
 dns: URIBL_ABUSE_SURBL lookup start
 async: query 35005/IN/A/spotify.com.multi.surbl.org already underway, adding no.10 URIBL_WS_SURBL
 dns: URIBL_WS_SURBL lookup start
 async: query 13595/IN/A/spotify.com.wild.pccc.com already underway, adding no.2 KAM_BODY_COMPROMISED_URIBL_PCCC
 dns: KAM_BODY_COMPROMISED_URIBL_PCCC lookup start
 async: query 35005/IN/A/spotify.com.multi.surbl.org already underway, adding no.11 URIBL_CR_SURBL
 dns: URIBL_CR_SURBL lookup start
 async: query 110/IN/A/spotify.com.multi.uribl.com already underway, adding no.8 URIBL_BLOCKED
 dns: URIBL_BLOCKED lookup start
 async: query 35005/IN/A/spotify.com.multi.surbl.org already underway, adding no.12 SURBL_BLOCKED
 dns: SURBL_BLOCKED lookup start
 async: query 51361/IN/A/spotify.com.dbl.spamhaus.org already underway, adding no.11 URIBL_DBL_ABUSE_REDIR
 dns: URIBL_DBL_ABUSE_REDIR lookup start
 async: query 51361/IN/A/spotify.com.dbl.spamhaus.org already underway, adding no.12 URIBL_DBL_ABUSE_BOTCC
 dns: URIBL_DBL_ABUSE_BOTCC lookup start
 async: query 51361/IN/A/spotify.com.dbl.spamhaus.org already underway, adding no.13 URIBL_DBL_ERROR
 dns: URIBL_DBL_ERROR lookup start
 async: query 51361/IN/A/spotify.com.dbl.spamhaus.org already underway, adding no.14 URIBL_DBL_ABUSE_SPAM
 dns: URIBL_DBL_ABUSE_SPAM lookup start
 async: query 51361/IN/A/spotify.com.dbl.spamhaus.org already underway, adding no.15 URIBL_DBL_PHISH
 dns: URIBL_DBL_PHISH lookup start
 async: query 51361/IN/A/spotify.com.dbl.spamhaus.org already underway, adding no.16 URIBL_DBL_BOTNETCC
 dns: URIBL_DBL_BOTNETCC lookup start
 async: query 51361/IN/A/spotify.com.dbl.spamhaus.org already underway, adding no.17 URIBL_DBL_SPAM
 dns: URIBL_DBL_SPAM lookup start
 async: query 51361/IN/A/spotify.com.dbl.spamhaus.org already underway, adding no.18 URIBL_DBL_ABUSE_PHISH
 dns: URIBL_DBL_ABUSE_PHISH lookup start
 async: query 51361/IN/A/spotify.com.dbl.spamhaus.org already underway, adding no.19 URIBL_DBL_MALWARE
 dns: URIBL_DBL_MALWARE lookup start
 async: query 51361/IN/A/spotify.com.dbl.spamhaus.org already underway, adding no.20 URIBL_DBL_ABUSE_MALW
 dns: URIBL_DBL_ABUSE_MALW lookup start
 async: launching A/wl.spotify.com for A:wl.spotify.com
 dns: bgsend, DNS servers: [127.0.0.1]:53
 dns: attempt 1/1, trying connect/sendto to [127.0.0.1]:53
 dns: providing a callback for id: 18168/IN/A/wl.spotify.com
 async: starting: URI-A, A:wl.spotify.com (timeout 15.0s, min 3.0s)
 dns: URIBL_SBL_A lookup start
 plugin: Mail::SpamAssassin::Plugin::Bayes=HASH(0x2c08f38) implements 'learner_close', priority 0
 plugin: Mail::SpamAssassin::Plugin::TxRep=HASH(0x3006180) implements 'learner_close', priority 0
Learned tokens from 1 message(s) (1 message(s) examined)

An occasional false positive is possible, but when the sender is on a block list, he should take action.
(No need to mention that sa-learn can always be used to check.)

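The post checks the effect of the Spam List setting by reading sa-learn -D output by hand. As an added example (not EFA, MailScanner or SpamAssassin code), the Python below performs the same kind of DNSBL lookup and shows what to look for: the query name is the sender IP with its octets (or, for IPv6, its nibbles) reversed under the zone; a domain list such as dbl.spamhaus.org is queried as <domain>.<zone>, exactly as the log above shows for spotify.com.dbl.spamhaus.org; a 127.0.0.x answer means listed and NXDOMAIN means clean. It also includes the RFC 5782 self-test (127.0.0.2 must be listed, 127.0.0.1 must not) and decodes the 127.255.255.x answers Spamhaus returns when it refuses a query, for instance because lookups arrive from a large public resolver instead of a local one like the [127.0.0.1]:53 the log shows. The zone names are the ones from spam.lists.conf and the return-code meanings are those published by Spamhaus; the 192.0.2.0/24 addresses and the FAKE_DNS and BLOCKED_DNS resolvers are constructed test data so the script runs offline.

```python
"""DNSBL lookups as MailScanner/SpamAssassin perform them, with a pluggable
resolver so the logic can be exercised offline.

Added example, not code from EFA, MailScanner or SpamAssassin. Zone names
come from /etc/MailScanner/spam.lists.conf; zen.spamhaus.org answer codes
follow Spamhaus' published list; the self-test addresses follow RFC 5782
section 5. 192.0.2.0/24 addresses and the fake resolvers are constructed.
"""
import ipaddress
import socket

ZONES = {  # from spam.lists.conf
    "SPAMHAUS": "zen.spamhaus.org",
    "SPAMCOP": "bl.spamcop.net",
    "SORBS": "dnsbl.sorbs.net",
    "BARRACUDA": "b.barracudacentral.org",
}

# A-record values returned by zen.spamhaus.org for a listed address.
ZEN_CODES = {
    "127.0.0.2": "SBL: verified spam source",
    "127.0.0.3": "SBL CSS: snowshoe / compromised sender",
    "127.0.0.4": "XBL: exploited host (CBL data)",
    "127.0.0.9": "SBL DROP/EDROP: hijacked or criminal netblock",
    "127.0.0.10": "PBL: ISP-maintained dynamic/end-user range",
    "127.0.0.11": "PBL: Spamhaus-maintained end-user range",
}
# Not listings: the zone is refusing to answer this resolver.
ZEN_ERRORS = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public or open resolver (use a local caching resolver)",
    "127.255.255.255": "excessive query volume",
}


def dnsbl_name(ip, zone):
    """Build the query name: IPv4 octets reversed, IPv6 nibbles reversed."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = addr.exploded.split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone


def rhsbl_name(domain, zone):
    """Domain lists (DBL, SURBL, URIBL) are queried as <domain>.<zone>."""
    return domain.strip().rstrip(".").lower() + "." + zone


def system_resolve(name):
    """Resolve via the system resolver; NXDOMAIN (not listed) becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def make_table_resolver(table):
    """Constructed offline stand-in for DNS: dict of name -> A record."""
    return lambda name: table.get(name)


def lookup(ip, zone, resolve=system_resolve):
    """Return the A record the zone answers for ip, or None if not listed."""
    return resolve(dnsbl_name(ip, zone))


def explain_zen(code):
    """Translate a zen.spamhaus.org answer into words."""
    if code is None:
        return "not listed"
    if code in ZEN_ERRORS:
        return "error: " + ZEN_ERRORS[code]
    if code in ("127.0.0.5", "127.0.0.6", "127.0.0.7"):  # older XBL codes
        return ZEN_CODES["127.0.0.4"]
    return ZEN_CODES.get(code, "unknown answer " + code)


def self_test(zone, resolve=system_resolve):
    """RFC 5782 section 5: 127.0.0.2 must be listed with a 127.0.0.x answer
    and 127.0.0.1 must not be listed. Returns (ok, reason)."""
    listed = resolve(dnsbl_name("127.0.0.2", zone))
    clean = resolve(dnsbl_name("127.0.0.1", zone))
    if listed is None:
        return False, "127.0.0.2 not listed: zone unreachable or name wrong"
    if not listed.startswith("127.0.0."):
        return False, "zone refused the query: " + explain_zen(listed)
    if clean is not None:
        return False, "127.0.0.1 listed: resolver returns bogus answers"
    return True, "zone answers correctly"


# Constructed: a fictitious XBL-listed relay at 192.0.2.10 plus the RFC 5782
# test entry, as a healthy zen.spamhaus.org would answer them.
FAKE_DNS = make_table_resolver({
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",
})


def BLOCKED_DNS(name):
    """Constructed failure mode: every query gets the public-resolver code."""
    return "127.255.255.254"


if __name__ == "__main__":
    print(self_test(ZONES["SPAMHAUS"], FAKE_DNS))
    print(explain_zen(lookup("192.0.2.10", ZONES["SPAMHAUS"], FAKE_DNS)))
    print(self_test(ZONES["SPAMHAUS"], BLOCKED_DNS))
```

Passing no resolve argument runs the self-test against the real zone through the system resolver; if it reports the public-resolver code, point /etc/resolv.conf at the local caching resolver before trusting any DNSBL result, since SpamAssassin's URIBL_BLOCKED rule in the log above exists for exactly that case.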