Spam blocking HOWTO using qpsmtpd & RBL for sme server

Release supported: sme 7.0

Author: Ray Mitchell - mitchellcpa_AT_yahoo.com.au

Updated: 1 April 2006 v1.1

Problem:

Your sme server receives a lot of spam email and you want to reject it.

 

Solution:

sme server v7.0 has a feature in qpsmtpd which allows incoming email messages to be rejected if the sender's IP address is on a nominated Real Time Blacklist or Blocklist (RBL). The rejection happens during the SMTP conversation, before the message is accepted, so there is no further processing or manual checking required and the rejected mail never reaches a mailbox. In practice a large number of spam messages will be rejected, perhaps 75-95% depending on which lists you use and the type of spam your system is exposed to.

This method works for servers configured as Server & Gateway or Server Only as long as the mail server components are enabled and the server can reach the Internet (directly, or via another sme server or firewall acting as gateway), since each list is queried over DNS for every incoming connection.

 

Additional Information:

The RBL blocking feature and ASSP are not compatible with each other. You need to uninstall ASSP before using the RBL blocking feature. Effectively ASSP is obsoleted by RBL blocking.

 

Thanks:

This HOWTO is based on devinfo posts by Gordon Rowell and my own investigations; thanks particularly to Gordon Rowell and Charlie Brady for implementing this feature in sme v7.0.

 

Install Procedure: (v7.0 sme server only)

In order to enable the RBL list functionality, the DNSBL plug-in for qpsmtpd must be enabled.

By default four lists are configured in the configuration database, these are:

sbl-xbl.spamhaus.org

whois.rfc-ignorant.org

dnsbl.njabl.org

relays.ordb.org

If you wish to specify different RBLs see the separate section below.

All the lists shown below as "conservative" appear safe to use.

The lists shown below as "aggressive" block many common sending IPs/sites (this also applies to some other lists not shown).

Please assess the suitability of the lists for your own purposes.

 

To enable RBL blocking for the default lists do the following

config setprop qpsmtpd DNSBL enabled

signal-event email-update

svc -t /service/qpsmtpd

 

To enable RBL blocking for a single list do the following

config setprop qpsmtpd RBLList sbl-xbl.spamhaus.org

config setprop qpsmtpd DNSBL enabled

signal-event email-update

svc -t /service/qpsmtpd

 

To enable RBL blocking for multiple lists do the following

To add multiple RBLs to the RBLList property, separate them with a comma and no spaces. The whole command goes on one line (bl.spamcop.net is included here only as an example of the syntax; it is classed as aggressive in the list section below):

config setprop qpsmtpd RBLList sbl-xbl.spamhaus.org,whois.rfc-ignorant.org,dnsbl.njabl.org,dnsbl.sorbs.net,relays.ordb.org,bl.spamcop.net

config setprop qpsmtpd DNSBL enabled

signal-event email-update

svc -t /service/qpsmtpd

 

To disable RBL blocking do the following

config setprop qpsmtpd DNSBL disabled

signal-event email-update

svc -t /service/qpsmtpd
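Two things go wrong in practice with the enable procedure above: a stray space or duplicate in the comma-separated RBLList value, and a configured list that has quietly stopped answering (every query then either fails or, worse, returns nothing and blocks no spam). The shell below is an added example, not part of sme server or qpsmtpd; the function names and the use of dig are this example's own. It validates a proposed RBLList value, builds the reversed-octet DNSBL query name the plug-in will look up, checks each zone against the conventional 127.0.0.2 test address, and only then prints the config commands to run.

```shell
#!/bin/sh
# Added example (not sme server code): sanity-check an RBLList value
# before handing it to "config setprop qpsmtpd RBLList ...".

# Reject anything that is not a clean comma-separated list of hostnames:
# no spaces (a space after a comma silently breaks the list), no empty
# elements, no duplicates, and every element must look like a DNS name.
validate_rbllist() {
    list="$1"
    case "$list" in
        *" "*|*,,*|,*|*,|"") return 1 ;;
    esac
    n=$(printf '%s\n' "$list" | tr ',' '\n' | wc -l)
    u=$(printf '%s\n' "$list" | tr ',' '\n' | sort -u | wc -l)
    [ "$n" -eq "$u" ] || return 1
    for z in $(printf '%s' "$list" | tr ',' ' '); do
        printf '%s' "$z" | grep -Eq \
          '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$' \
          || return 1
    done
    return 0
}

# DNSBL query name for an IPv4 address: octets reversed, then the zone.
# 192.0.2.10 against zone Z becomes 10.2.0.192.Z
dnsbl_query_name() {
    rev=$(printf '%s' "$1" | awk -F. '{print $4"."$3"."$2"."$1}')
    printf '%s.%s\n' "$rev" "$2"
}

# Look one IP up in one zone; prints the A record(s) if the IP is listed.
# Needs dig (bind-utils) and Internet access, so it is not exercised offline.
dnsbl_lookup() {
    dig +short A "$(dnsbl_query_name "$1" "$2")"
}

# 127.0.0.2 is the conventional test entry that a working DNSBL lists,
# so a zone that returns nothing for it is dead or unreachable.
check_zone_alive() {
    [ -n "$(dnsbl_lookup 127.0.0.2 "$1")" ]
}

# Validate the list, warn about zones that do not answer, then print the
# exact commands from the HOWTO for the operator to run.
rbl_enable_commands() {
    list="$1"
    validate_rbllist "$list" || { echo "invalid RBLList: $list" >&2; return 1; }
    for z in $(printf '%s' "$list" | tr ',' ' '); do
        check_zone_alive "$z" || echo "warning: $z did not answer for 127.0.0.2" >&2
    done
    printf 'config setprop qpsmtpd RBLList %s\n' "$list"
    echo 'config setprop qpsmtpd DNSBL enabled'
    echo 'signal-event email-update'
    echo 'svc -t /service/qpsmtpd'
}

# Usage on the server:
#   rbl_enable_commands sbl-xbl.spamhaus.org,dnsbl.njabl.org,relays.ordb.org
```

Run the printed commands only after reading the warnings; a zone that fails the 127.0.0.2 check should be dropped from the list rather than left in to slow down every incoming connection.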

 

 

Using SBL lists

The lists this HOWTO calls SBL lists are right-hand side blocklists (RHSBL, hence the RHSBL property): they list spammers by the domain of the sender address rather than by the connecting IP.

By default one list is configured in the configuration database, this is:

dsn.rfc-ignorant.org

If you wish to specify different SBLs see the appropriate web sites for details.

Currently there is only the one list in popular use.

The practical effectiveness of using SBL is questionable, as many ISPs are on the list mentioned because they do not conform to its requirements.

Please assess the suitability of lists for your own purposes.

config setprop qpsmtpd RHSBL enabled

signal-event email-update

svc -t /service/qpsmtpd

 

To change SBL entries do

config setprop qpsmtpd SBLList dsn.rfc-ignorant.org

signal-event email-update

svc -t /service/qpsmtpd

 

Using both RBL & SBL lists

If you wish to enable both RBL & SBL lists you can combine entries in the one config command

config setprop qpsmtpd DNSBL enabled RHSBL enabled

signal-event email-update

svc -t /service/qpsmtpd

 

 

Real Time Blacklist or Blocklist (RBL) Information

Using more lists will result in more queries being sent & received over your Internet connection but should result in more spam being rejected.

Some lists are included on other lists so be careful not to include "double listings" as these only result in extra unnecessary queries, potentially slowing down the list servers response times.

Choose RBL lists carefully to ensure they meet your needs.

Some lists are very aggressive in the implementation of their "inclusion" policy, and while using those lists may block more spam they will also block legitimate messages.

You can read the "criteria for inclusion" policy of each list at the list owner's web site. The web site addresses are readily discernible from the list names. See the Web sites section below.

For example using the bl.spamcop.net list will result in email messages from yahoo, hotmail & earthlink accounts being rejected. If you have legitimate users sending messages from those types of accounts, then do not use the bl.spamcop.net list. This also applies to some other lists.

Inclusion on a list can happen for many reasons, including being a known spammer, having a dynamic dial-up IP number, sending via open relay servers, having incorrect address information, or being listed by a system admin after receiving a spate of unsolicited email. Inclusion on "conservative" lists usually requires a positive identification of spamming or similar activity. It is possible for legitimate users to be listed as part of a "block listing" of an IP number range, as has happened with Telstra Bigpond, AOL & other "large" ISPs. These listings are generally temporary until the specific spam culprit is identified and has their account cancelled by the ISP.

Here is a list of what appear to be "conservative & safe" lists ie there is justifiable or provable reason for being included on these lists. This is by no means an exhaustive list but is the result of my own investigations and conclusions.

Note that all the lists except spamhaus.org include open relays, so using these lists will block email sent via open relays.

 

Conservative lists

sbl-xbl.spamhaus.org - (a combination of the two spamhaus lists)

dsn.rfc-ignorant.org

postmaster.rfc-ignorant.org

abuse.rfc-ignorant.org

whois.rfc-ignorant.org

bogusmx.rfc-ignorant.org

dnsbl.njabl.org

relays.ordb.org

dnsbl.sorbs.net

list.dsbl.org

Registration required/commercial lists

blackholes.mail-abuse.org

relays.mail-abuse.org

dialups.mail-abuse.org

Included on other lists mentioned above

cbl.abuseat.org - (included in xbl.spamhaus.org)

opm.blitzed.org - (included in xbl.spamhaus.org)

 

Aggressive lists

dynablock.njabl.org - (was dynablock.easynet.nl)

bl.spamcop.net

 

ISP non conforming list

(Note that too many legitimate ISPs do not conform to this list's requirements. The use of this list will cause too many legitimate messages to be blocked, so its use is not recommended.)

ipwhois.rfc-ignorant.org

 

Defunct lists

contacts.abuse.net

 

 

Web sites for further information

http://www.spamhaus.org/

http://www.abuse.net/

http://dsbl.org/main

http://mail-abuse.org/

http://www.sorbs.net/

http://www.spews.org/

http://www.rfc-ignorant.org/policy-dsn.php

 

Checking the database entries

After you have set the RBLList or SBLList property you can check your settings as follows

db configuration getprop qpsmtpd RBLList
or

config getprop qpsmtpd RBLList

which will give an output something like the following

(Note that your server's output may be different depending on your configuration)


sbl-xbl.spamhaus.org,whois.rfc-ignorant.org,dnsbl.njabl.org,relays.ordb.org

and

db configuration getprop qpsmtpd SBLList
or

config getprop qpsmtpd SBLList

which will give an output something like the following

(Note that your server's output may be different depending on your configuration)


dsn.rfc-ignorant.org

 

If you want to check the complete entry for qpsmtpd do this

db configuration show qpsmtpd

or

config show qpsmtpd

which will give an output something like the following

(Note that your server's output may be different depending on your configuration)

qpsmtpd=service

Bcc=disabled

BccUser=maillog

DNSBL=enabled

LogLevel=6

MaxScannerSize=25000000

RBLList=sbl-xbl.spamhaus.org,whois.rfc-ignorant.org,dnsbl.njabl.org,relays.ordb.org

RHSBL=disabled

RequireResolvableFromHost=no

SBLList=dsn.rfc-ignorant.org

access=public

status=enabled
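Reading the record above by eye is fine once, but the advice in the RBL Information section (avoid the aggressive lists, avoid double listings such as cbl.abuseat.org next to sbl-xbl.spamhaus.org) is easy to lose track of after a few edits. The shell below is an added example, not sme server code; the function names, the AGGRESSIVE and COVERED_BY_SBLXBL tables (taken from the classifications in this HOWTO) and the sample record are this example's own. It parses a "config show qpsmtpd" record, extracts the RBL/RHSBL properties, and reports each way the configuration contradicts the HOWTO's recommendations.

```shell
#!/bin/sh
# Added example (not sme server code): audit the qpsmtpd record printed
# by "config show qpsmtpd" against the list advice in this HOWTO.

# Lists the HOWTO classes as aggressive or not recommended.
AGGRESSIVE='bl.spamcop.net dynablock.njabl.org ipwhois.rfc-ignorant.org'
# Zones the HOWTO says are already contained in sbl-xbl.spamhaus.org.
COVERED_BY_SBLXBL='cbl.abuseat.org opm.blitzed.org'

# record_prop RECORD KEY: value of KEY from a key=value record held in RECORD.
# Prints nothing if the key is absent.
record_prop() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# audit_qpsmtpd RECORD: one warning per problem on stderr, the number of
# warnings on stdout (0 means the record follows the HOWTO's advice).
audit_qpsmtpd() {
    rec="$1"; warnings=0
    dnsbl=$(record_prop "$rec" DNSBL)
    rbls=$(record_prop "$rec" RBLList | tr ',' ' ')
    sbls=$(record_prop "$rec" SBLList | tr ',' ' ')

    # DNSBL enabled with nothing to query blocks nothing.
    if [ "$dnsbl" = enabled ] && [ -z "$rbls" ]; then
        echo "warning: DNSBL enabled but RBLList is empty" >&2
        warnings=$((warnings + 1))
    fi

    # Lists the HOWTO classes as aggressive or not recommended.
    for z in $rbls $sbls; do
        for a in $AGGRESSIVE; do
            if [ "$z" = "$a" ]; then
                echo "warning: $z is an aggressive/not recommended list" >&2
                warnings=$((warnings + 1))
            fi
        done
    done

    # Double listings: extra DNS queries for no extra rejections.
    case " $rbls " in
        *" sbl-xbl.spamhaus.org "*)
            for c in $COVERED_BY_SBLXBL; do
                case " $rbls " in
                    *" $c "*)
                        echo "warning: $c is already covered by sbl-xbl.spamhaus.org" >&2
                        warnings=$((warnings + 1)) ;;
                esac
            done ;;
    esac
    echo "$warnings"
}

# Constructed sample record, shaped like the output shown in this HOWTO
# but with two deliberate problems (bl.spamcop.net and cbl.abuseat.org).
SAMPLE='qpsmtpd=service
Bcc=disabled
BccUser=maillog
DNSBL=enabled
LogLevel=6
MaxScannerSize=25000000
RBLList=sbl-xbl.spamhaus.org,cbl.abuseat.org,bl.spamcop.net,relays.ordb.org
RHSBL=disabled
RequireResolvableFromHost=no
SBLList=dsn.rfc-ignorant.org
access=public
status=enabled'

audit_qpsmtpd "$SAMPLE"
# On the server itself, audit the live record instead:
#   audit_qpsmtpd "$(config show qpsmtpd)"
```

The sample record produces two warnings. The double-listing check only knows the two inclusions named in this HOWTO; extend COVERED_BY_SBLXBL if you adopt other zones whose contents overlap.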