Super RBL fun pack!

Re: Super RBL fun pack!

Postby opg1987 » Fri Feb 26, 2016 2:21 pm

Hi all,

I've added some RBLs to my MailCleaner using this helpful post.

I added Barracuda, Protected Sky and 3 UCEPROTECT. This brings my total RBLs to check up to 9.

When I check my 'filtering engine' log, I see the following:

Feb 25 00:01:10 localhost MailScanner[13015]: PreRBLs module initializing...
Feb 25 00:01:10 localhost MailScanner[13015]: PreRBLs using 9 RBLs (SORBS, SPAMHAUS, UCEPROTECTA, BBARRACUDACENTRALORG, BACKSCATTERER, PSKY, UCEPROTECTB, UCEPROTECTC, SPAMCOP)
Feb 25 00:01:10 localhost MailScanner[13015]: PreRBLs loaded 0 whitelisted domains
Feb 25 00:01:10 localhost MailScanner[13015]: PreRBLs loaded 2211 TLDs
Feb 25 00:01:10 localhost MailScanner[13015]: PreRBLs loaded 6 local domains


It can see and recognise my newly added RBLs. However, when I search the log for 'PSKY' or 'UCEPROTECTA', all I find are these PreRBLs loaded entries. I can't find anything marked as spam for them.

When I search for 'SPAMCOP' and 'SORBS' I see thousands of results like this:

PreRBLs result is spam (SORBS,SPAMCOP) for 1aYyOi-0004


We have received some spam this afternoon and upon inspection, the sending IP is blacklisted on ProtectedSky, UCEPROTECT and Barracuda. I understand that it takes time for blacklists to catch up and that some email can get through before the IP has been listed but it appears my MailCleaner isn't catching ANYTHING from these new RBLs.

Any help would be greatly appreciated.

Oliver.
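
An added example (not part of the original post, and not MailCleaner's own code): one way to tally PreRBLs hits per list and show which configured lists never produce a hit. It assumes only the two log line formats quoted in the post above; the function names are hypothetical, and the hit lines and message ids in the sample are constructed.

```python
import re
import sys
from collections import Counter

# Line formats as quoted in the post above.
USING_RE = re.compile(r"PreRBLs using \d+ RBLs \(([^)]*)\)")
HIT_RE = re.compile(r"PreRBLs result is spam \(([^)]*)\)")

# Constructed sample: the "using" line is the one from the post; the hit
# lines and their message ids are made up for this example.
SAMPLE_LOG = """\
Feb 25 00:01:10 localhost MailScanner[13015]: PreRBLs using 9 RBLs (SORBS, SPAMHAUS, UCEPROTECTA, BBARRACUDACENTRALORG, BACKSCATTERER, PSKY, UCEPROTECTB, UCEPROTECTC, SPAMCOP)
Feb 25 00:02:11 localhost MailScanner[13015]: PreRBLs result is spam (SORBS,SPAMCOP) for msg-0001
Feb 25 00:03:40 localhost MailScanner[13015]: PreRBLs result is spam (SPAMHAUS) for msg-0002
Feb 25 00:05:02 localhost MailScanner[13015]: PreRBLs result is spam (SORBS) for msg-0003
""".splitlines()


def _names(group):
    """Split a comma-separated RBL list, tolerating optional spaces."""
    return [n.strip() for n in group.split(",") if n.strip()]


def tally_prerbl_hits(lines):
    """Return (configured, hits): the RBL names from the most recent
    'PreRBLs using' line, and a Counter of spam results per RBL name."""
    configured, hits = [], Counter()
    for line in lines:
        m = USING_RE.search(line)
        if m:
            configured = _names(m.group(1))
            continue
        m = HIT_RE.search(line)
        if m:
            hits.update(_names(m.group(1)))
    return configured, hits


def silent_rbls(configured, hits):
    """Configured RBLs that never appear in a 'result is spam' line."""
    return [n for n in configured if hits[n] == 0]


if __name__ == "__main__":
    # Pass the filtering engine log path, or no argument to use the sample.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    configured, hits = tally_prerbl_hits(lines)
    for name in configured:
        print(f"{name:22} {hits[name]}")
    print("no hits:", ", ".join(silent_rbls(configured, hits)) or "none")
```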

Re: Super RBL fun pack!

Postby cglmicro » Sat Feb 27, 2016 4:14 pm

I see this behaviour every day: hundreds of spams to different users I host, all of them on IPs detected by the major RBLs but still not flagged by MailCleaner for days.

Something makes me believe that:
- a first email is received from an IP (or segment) not yet on any RBL; MailCleaner adds this IP (or segment) to its cache so it won't bother the RBL for the next X hours;
- this IP (or segment) gets listed on a major RBL;
- MailCleaner receives more spam from this IP (or segment) but won't query the RBL.

Can an admin confirm this behaviour?
Can we modify this behaviour to shorten the delay before the next query only for IPs (or segments) found clean the last time? We don't have to query blacklisted IPs.

Until then, if you want live feedback about what hits positive with the RBLs at STAGE 1 (not PreRBL), type this in SSH:

tail /var/mailcleaner/log/exim_stage1/mainlog -n 5000 -f | egrep "listed in"


I did ask in the past for a similar command to track PreRBL queries and answers but never got an answer from the MailCleaner team. I asked twice on this thread: viewtopic.php?f=3&t=2116&start=15

Re: Super RBL fun pack!

Postby opg1987 » Mon Feb 29, 2016 10:17 am

cglmicro wrote: I see this behaviour every day: hundreds of spams to different users I host, all of them on IPs detected by the major RBLs but still not flagged by MailCleaner for days.

Something makes me believe that:
- a first email is received from an IP (or segment) not yet on any RBL; MailCleaner adds this IP (or segment) to its cache so it won't bother the RBL for the next X hours;
- this IP (or segment) gets listed on a major RBL;
- MailCleaner receives more spam from this IP (or segment) but won't query the RBL.

Can an admin confirm this behaviour?
Can we modify this behaviour to shorten the delay before the next query only for IPs (or segments) found clean the last time? We don't have to query blacklisted IPs.


Thanks for the info.

Any update on this from the MailCleaner team would be greatly appreciated.
