Spam Filtering: November 2004 Archives

Spam reporting for Outlook

A handy little utility that integrates with Outlook 2003 (and older versions) is Spam Source. Install the plugin, set up your SpamCop (or other) reporting addresses and off you go.
Introduction

I am currently mirroring a number of DNS blacklists, often referred to as RBLs, on our network in order to speed up mail processing. By keeping the queries local we not only get a definite speed increase, faster processing and fewer timeouts, but we also reduce our bandwidth usage. In order to set up a local mirror (or caching server) you will need the following:
  • Rsync
  • Rsync access to a number of data sources
  • A DNS server - preferably BIND
  • RBLDNSD - a DNS daemon designed to serve DNSBLs (DNS blacklists). Although it is fast it uses quite a lot of memory depending on the size of the data set you are using, so make sure you run it on a machine with plenty of RAM
Rsync is available on all Linux distros but it might not be installed by default. In order for this to work you will need to have been granted rsync access to one or more DNSBLs. Some of the DNSBLs have an "open" policy on rsync, so you can simply access it directly; however it is more common to have to ask explicitly for permission and supply the DNSBL maintainer(s) with your IP(s). In the case of SpamHaus you will need to pay a fee. For the purposes of this document I will be looking at only one DNSBL, dsbl.org, as they allow rsync access freely.

Setting up RBLDNSD

Grab a copy of the daemon from the site. Packages for a number of distros are available or you can install from source. The server I am using is running WhiteBox Linux, so I was able to use one of the rpm packages:

    wget http://www.corpit.ru/mjt/rbldnsd/rbldnsd-0.993.1-1.i386.rpm
    rpm -ivh rbldnsd-0.993.1-1.i386.rpm

NB: The latest versions of the packages are available from the rbldnsd site.

We do not want to run the daemon as root, so we add a user for it:

    adduser dnsbl

We'll need to get some data before we can start using it, so let's do that.

Setting up Rsync

DSBL provides quite clear instructions on setting up rsync with their data. After choosing which data you want to use, write a small script to "grab" the data as the user dnsbl:

    su - dnsbl
    vim dsblscript

    #!/bin/sh
    # fetch the list.dsbl.org data set into the directory rbldnsd will read
    cd /home/dnsbl
    rsync -tvPz rsync.dsbl.org::dsbl/rbldns-list.dsbl.org /home/dnsbl/data/

Don't forget to make the script executable:

    chmod 500 dsblscript

You can test it by running it directly from the command prompt:

    ./dsblscript

If it is working correctly you should have some data in your "data" directory. A DNSBL is only as good as its last update, so we'll set up a cronjob (in the dnsbl user's crontab) to automatically update our data:

    10,40 * * * * /home/dnsbl/dsblscript

Every 30 minutes we will check to see if there are any changes. Doing it more frequently is neither required nor advisable.
Now that we have our data we need to do something with it, so let's finish setting up RBLDNSD. For some odd reason the rpm version does not ship with a fully functional init script, so I had to put together my own based on a few documents I found online:

    #!/bin/bash
    #
    # chkconfig: 2345 85 15
    # description: rbldnsd is a DNS server designed for dnsbls.
    # processname: rbldnsd
    # pidfile: /var/run/rbldnsd.pid

    # source function library
    . /etc/init.d/functions

    [ -e /etc/sysconfig/rbldnsd ] && . /etc/sysconfig/rbldnsd

    RETVAL=0

    start() {
        echo -n $"Starting rbldnsd service: "
        daemon /usr/sbin/rbldnsd $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/rbldnsd
    }

    stop() {
        echo -n $"Shutting down rbldnsd service: "
        killproc rbldnsd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/rbldnsd
    }

    case "$1" in
      start)
        start
        ;;
      stop)
        stop
        ;;
      restart|reload)
        stop
        start
        RETVAL=$?
        ;;
      condrestart)
        if [ -f /var/lock/subsys/rbldnsd ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
      status)
        status rbldnsd
        RETVAL=$?
        ;;
      *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        exit 1
    esac
    exit $RETVAL

This will give you:
  • start
  • stop
  • restart
  • status
  • condrestart
which you can call as:

    /etc/rc.d/init.d/rbldnsd $option

Before we can use it we need to tell it what data to use and where to publish it:

    vim /etc/sysconfig/rbldnsd

    OPTIONS="-u dnsbl -r /home/dnsbl/data -t 21600 -c 60 -p /var/run/rbldnsd.pid \
      -b xxx.xxx.xxx.xx/53 \
      list.dsbl.org:ip4set:rbldns-list.dsbl.org \
      multihop.dsbl.org:ip4set:rbldns-multihop.dsbl.org \
      unconfirmed.dsbl.org:ip4set:rbldns-unconfirmed.dsbl.org"

The option -u defines the user to run as, -r the data directory, -t the default TTL (in seconds) for the answers, -c how often (in seconds) the daemon checks the data files for changes, -p the PID file and -b which IP and port to bind to. Each remaining argument is a zone:type:file triple naming the zone to serve, the data set type and the file (relative to the data directory) that holds it. As I've set this to run on port 53 it could not be run on the same machine as our main nameserver. Make sure you use the backslashes (\) at the end of the lines, as the syntax is vital. You can now try to start your daemon:

    /etc/rc.d/init.d/rbldnsd start

If you get any errors read them carefully and modify your config to fix them. NB: It will not work if there is no data present.

Adding the Zone(s) to BIND

The last step is putting the new mirror live on your network. To do this you will create forwarding zone(s) in your BIND DNS server (it will work with other DNS servers, but I am not familiar with their configuration). Open your named.conf in vim, go to the end of the file and add the following:

    zone "list.dsbl.org" IN {
        type forward;
        forward first;
        forwarders { xxx.xxx.xxx.xx; };
    };

The example above is for the zone list.dsbl.org, so replace that with the zones you are using, i.e. create a separate entry for each one. Replace the "xxx.xxx.xxx.xx" with the IP of the server running RBLDNSD. Reload BIND:

    rndc reload

If you want to see the queries against your DNS you can turn on logging in BIND or you could turn on logging in RBLDNSD's config. NB: Do not leave logging on for more than a short period while verifying, as the log files grow very quickly. You should now have a working DNSBL mirror.

DISCLAIMER: This configuration and setup works for me. Your mileage may vary.

DNS and BIND Cookbook
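Once the zones are live, a quick way to confirm that the mirror is answering and that the cron job is still feeding it is a small check script like the one below. This is an added example, not from the original post: the mirror IP 192.0.2.53 is a placeholder, and the 127.0.0.2 (always listed) and 127.0.0.1 (never listed) test addresses are assumed to follow the usual DNSBL convention for the zones you mirror.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the local
# DNSBL mirror built above. Assumed values: MIRROR is the IP rbldnsd binds
# to, DATA_DIR is the rsync target and MAX_AGE_MIN is how old the data may
# get before the 30-minute cron job is considered broken.
MIRROR="${MIRROR:-192.0.2.53}"             # placeholder, not a real mirror
DATA_DIR="${DATA_DIR:-/home/dnsbl/data}"
MAX_AGE_MIN="${MAX_AGE_MIN:-90}"

# Build the reversed-octet name a mail server asks the DNSBL for, e.g.
#   dnsbl_name 192.0.2.10 list.dsbl.org  ->  10.2.0.192.list.dsbl.org
dnsbl_name() {
    ip="$1"; zone="$2"
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Succeeds only if FILE exists and was modified in the last MAX_AGE_MIN
# minutes, i.e. the rsync cron job is still delivering updates.
data_is_fresh() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -mmin "-$MAX_AGE_MIN" 2>/dev/null)" ]
}

# Ask rbldnsd directly (bypassing BIND) about one address in one zone.
# Output is the A record(s) returned; empty output means "not listed".
lookup() {
    dig +short +time=2 +tries=1 @"$MIRROR" "$(dnsbl_name "$1" "$2")" A
}

# Assumes the zone follows the usual DNSBL convention: 127.0.0.2 is always
# listed and 127.0.0.1 never is, so a healthy mirror answers one, not both.
check_mirror() {
    zone="$1"
    [ -n "$(lookup 127.0.0.2 "$zone")" ] ||
        { echo "FAIL: $zone does not list the 127.0.0.2 test entry"; return 1; }
    [ -z "$(lookup 127.0.0.1 "$zone")" ] ||
        { echo "FAIL: $zone lists 127.0.0.1 (wrong or stale data?)"; return 1; }
    echo "OK: $zone on $MIRROR answers as expected"
}

# Run the checks only when invoked as "./check_dnsbl.sh run".
if [ "${1:-}" = "run" ]; then
    data_is_fresh "$DATA_DIR/rbldns-list.dsbl.org" ||
        echo "WARN: rbldns-list.dsbl.org is older than $MAX_AGE_MIN minutes"
    check_mirror list.dsbl.org
fi
```

Run it from a mail server after `rndc reload`; a FAIL on the 127.0.0.2 entry usually means rbldnsd has no data yet, while a WARN on age points at the rsync job or its permissions.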

Google spam - sort of

Well... Not really... One of the spam trends I've noticed recently is "link swap" spam. If you only run one website you might be duped into believing it was a genuine request for a link swap... except when you get hundreds of them with almost identical text and very obvious indications that they have never "visited" your site except with their spam bot! Typically the text reads something like this:

    Hello,

    I came across your web site recently http://www.xxxxx.com/, and I am intrigued by its contents. I was particularly fascinated by your site. I thought our web site might interest you and be of help to your web site visitors. Here we listed the brief description of our site,

    Title - description of spammer's site - http://www.somespammersdomain.tld

    I feel that exchange of links would elicit mutual beneficial effects to both the sites and their visitors. If you feel that exchange of links would prove to be apt and beneficial, please do include our links in your site and forward your link details. Even if you should feel that you are not happy including our link in your site, do let us know whether you would have any objections if we were to include your link in our site. If you should feel that it requires further discussion, please do get in touch with us at

    Best Regards,
    Some Spammer
    (or some spammer's "promotion company")

What amuses me is that they tend to either pick sites like search.ie or translationresearch.com which actively accept links! Or else they choose sites that have zero relevance to them. I blame Google! (sort of)

About this Archive

This page is an archive of entries in the Spam Filtering category from November 2004.