Super RBL fun pack!


opg1987

Re: Super RBL fun pack!

Postby opg1987 » Fri Feb 26, 2016 2:21 pm

Hi all,

I've added some RBLs to my MailCleaner using this helpful post.

I added Barracuda, Protected Sky and 3 UCEPROTECT. This brings my total RBLs to check up to 9.

When I check my 'filtering engine' log, I see the following:

Code:

Feb 25 00:01:10 localhost MailScanner[13015]: PreRBLs module initializing...
Feb 25 00:01:10 localhost MailScanner[13015]: PreRBLs using 9 RBLs (SORBS, SPAMHAUS, UCEPROTECTA, BBARRACUDACENTRALORG, BACKSCATTERER, PSKY, UCEPROTECTB, UCEPROTECTC, SPAMCOP)
Feb 25 00:01:10 localhost MailScanner[13015]: PreRBLs loaded 0 whitelisted domains
Feb 25 00:01:10 localhost MailScanner[13015]: PreRBLs loaded 2211 TLDs
Feb 25 00:01:10 localhost MailScanner[13015]: PreRBLs loaded 6 local domains


It can see and recognise my newly added RBLs. However, when I search the log for 'PSKY' or 'UCEPROTECTA', all I find are these PreRBLs loaded entries. I can't find anything marked as spam for them.

When I search for 'SPAMCOP' and 'SORBS' I see thousands of results like this:

Code:

PreRBLs result is spam (SORBS,SPAMCOP) for 1aYyOi-0004


We have received some spam this afternoon and upon inspection, the sending IP is blacklisted on ProtectedSky, UCEPROTECT and Barracuda. I understand that it takes time for blacklists to catch up and that some email can get through before the IP has been listed, but it appears my MailCleaner isn't catching ANYTHING from these new RBLs.

Any help would be greatly appreciated.

Oliver.
cglmicro

Re: Super RBL fun pack!

Postby cglmicro » Sat Feb 27, 2016 4:14 pm

I see this behaviour every day: hundreds of spam messages to different users I host, all of them from IPs detected by the major RBLs but still not flagged by MailCleaner for days.

Something makes me believe that:
- a first email is received from an IP (or segment) not yet on any RBL; MailCleaner adds this IP (or segment) to its cache so it won't bother the RBL for the next X hours;
- this IP (or segment) gets listed on a major RBL;
- MailCleaner receives more spam from this IP (or segment) but won't query the RBL.

Can an admin confirm this behaviour?
Can we modify this behaviour to shorten the delay before the next query, only for IPs (or segments) found clean the last time? There is no need to re-query blacklisted IPs.

Until then, if you want live feedback about what hits positive with the RBLs at STAGE 1 (not PreRBL), type this in SSH:

Code:

tail /var/mailcleaner/log/exim_stage1/mainlog -n 5000 -f | egrep "listed in"


I asked in the past for a similar command to track PreRBL queries and answers but never got an answer from the MailCleaner team. I asked twice in this thread: viewtopic.php?f=3&t=2116&start=15
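
A per-list tally of PreRBLs verdicts, built only from the two MailScanner line shapes quoted earlier in this thread. This is an added example, not part of any post and not MailCleaner's own tooling; the function names, the sample message IDs and the prefixes on the sample result lines are constructed.

```sh
#!/bin/sh
# Added example: count PreRBLs hits per list from MailScanner log lines on stdin.
# Prints "NAME count" for every RBL announced in a "PreRBLs using" line,
# including lists that never produced a hit (count 0).
prerbl_tally() {
  awk '
    # "PreRBLs using 9 RBLs (A, B, C)" -> remember the configured list names
    /PreRBLs using [0-9]+ RBLs \(/ {
      s = $0
      sub(/.*RBLs \(/, "", s); sub(/\).*/, "", s)
      n = split(s, names, /, */)
      for (i = 1; i <= n; i++) configured[names[i]] = 1
      next
    }
    # "PreRBLs result is spam (A,B) for <id>" -> one hit for each named list
    /PreRBLs result is spam \(/ {
      s = $0
      sub(/.*result is spam \(/, "", s); sub(/\).*/, "", s)
      n = split(s, hit, /, */)
      for (i = 1; i <= n; i++) hits[hit[i]]++
    }
    END {
      for (name in configured) printf "%s %d\n", name, hits[name]
      for (name in hits)
        if (!(name in configured)) printf "%s %d (not in config line)\n", name, hits[name]
    }
  ' | sort -k2,2nr -k1,1
}

# Constructed sample: the "using" line is the one quoted in the thread,
# the three result lines are made up in the same format.
sample_log() {
  cat <<'EOF'
Feb 25 00:01:10 localhost MailScanner[13015]: PreRBLs using 9 RBLs (SORBS, SPAMHAUS, UCEPROTECTA, BBARRACUDACENTRALORG, BACKSCATTERER, PSKY, UCEPROTECTB, UCEPROTECTC, SPAMCOP)
Feb 25 00:02:11 localhost MailScanner[13015]: PreRBLs result is spam (SORBS,SPAMCOP) for SAMPLE-0001
Feb 25 00:02:15 localhost MailScanner[13015]: PreRBLs result is spam (SORBS) for SAMPLE-0002
Feb 25 00:03:40 localhost MailScanner[13015]: PreRBLs result is spam (SPAMHAUS,SORBS) for SAMPLE-0003
EOF
}

sample_log | prerbl_tally
```

Feed it the filtering-engine log on stdin in place of the sample; a list that stays at 0 while others count up is configured but has not produced a single PreRBLs hit in that log.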
opg1987

Re: Super RBL fun pack!

Postby opg1987 » Mon Feb 29, 2016 10:17 am

cglmicro wrote:
I see this behaviour every day: hundreds of spam messages to different users I host, all of them from IPs detected by the major RBLs but still not flagged by MailCleaner for days.

Something makes me believe that:
- a first email is received from an IP (or segment) not yet on any RBL; MailCleaner adds this IP (or segment) to its cache so it won't bother the RBL for the next X hours;
- this IP (or segment) gets listed on a major RBL;
- MailCleaner receives more spam from this IP (or segment) but won't query the RBL.

Can an admin confirm this behaviour?
Can we modify this behaviour to shorten the delay before the next query, only for IPs (or segments) found clean the last time? There is no need to re-query blacklisted IPs.


Thanks for the info.

Any update on this from the MailCleaner team would be greatly appreciated.
cglmicro

Re: Super RBL fun pack!

Postby cglmicro » Thu Feb 01, 2018 7:28 pm

Hi all.

I've just added 0SPAM to my RBLs since it's popular on MXTOOLBOX these days.

Here is the code to add it to each node in your cluster:

Code:

cat <<END  | /usr/mailcleaner/bin/mc_mysql -m
use mc_config;
insert into dnslist values ("ZEROSPAM", '0spam.fusionzero.com.', 'blacklist', 1, '<a target="_blank" href="http://0spam.fusionzero.com/query/">http://0spam.fusionzero.com/query/</a>' );
END

cat <<END > /usr/mailcleaner/etc/rbls/ZEROSPAM.cf
name=ZEROSPAM
type=IPRBL
dnsname=0spam.fusionzero.com
sublist=127.0.0.\d+,0SPAM,0spam.fusionzero.com list
END

/etc/init.d/mailcleaner restart


Take care not to rename ZEROSPAM to 0SPAM since MailCleaner doesn't like RBLs with numbers in their name, I think.
FlorianB

Re: Super RBL fun pack!

Postby FlorianB » Mon Feb 12, 2018 11:47 am

Hello,
As I read the forum and the update on this post, I decided to answer this long-standing question ;-)

Firstly, requests to RBLs are not cached, or not really, in MailCleaner. But they could probably be by the Bind DNS server embedded in MailCleaner, which is used if you use 127.0.0.1 as DNS resolver. So you should use another one you own (one not limiting DNS calls, so not Google please...) or check in the Bind logs for traces of RBL resolution or caching.
I should point out that nobody here has done anything with Bind for a while except update the root, so this was probably the cause of the no-answer (we can answer only for things we know!).

Secondly, about PreRBLs logs, there are none except the lines you already found in the MailScanner logs. You can probably get a bit more by setting the "debug => 0," to 1 in the file: /usr/mailcleaner/lib/MailScanner/PreFilters/PreRBLs.pm

Lastly, has anyone using this thread's technique had success with the added RBLs? We (MailCleaner Team) simply add files to the RBLs directory and they are added to the DB correctly everywhere, so we don't have to edit the table as done here. It could be the problem here as, if I remember well, SpamAssassin and other modules get info from these files too, so on disk. And yes, I'm sure they'll appear in the web GUI, but I don't care ;-). Is it working well for anyone? Do you have a line saying "PreRBLs ......... (YourNewRBL)" in the MailScanner logs?

Regards,
Florian Billebault
MailCleaner Team
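
The resolver comparison suggested in the post above, as an added example that is not part of the post and not MailCleaner code: it builds the DNSBL query name the way the Bind log line later in this thread shows it (octets reversed, then the zone) and asks both the embedded Bind and a second resolver. The function names are hypothetical, and the second resolver's address is a value you supply; only `dig` is assumed to be installed.

```sh
#!/bin/sh
# Added example: compare one DNSBL lookup across two resolvers.

# IPv4 + zone -> DNSBL query name (octets reversed), e.g.
# 198.2.182.32 + dnsblchile.org -> 32.182.2.198.dnsblchile.org
# Runs in a subshell so the IFS change and variables stay local.
rbl_qname() (
  zone=${2%.}
  case $1 in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
  IFS=.
  set -- $1                                   # split into octets
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|????*|0?*) return 1 ;; esac # empty, too long, leading zero
    [ "$o" -le 255 ] || return 1
  done
  printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
)

# Ask 127.0.0.1 (the embedded Bind) and a second resolver you operate.
# +answer prints A records (listed) with their remaining TTL; +authority
# prints the SOA on a negative answer, whose TTL bounds how long
# "not listed" can stay cached.
rbl_compare() {
  qname=$(rbl_qname "$1" "$2") || { echo "not an IPv4 address: $1" >&2; return 2; }
  for r in 127.0.0.1 "$3"; do
    echo "== $qname via $r"
    dig +noall +answer +authority +time=3 +tries=1 "@$r" "$qname" A
  done
}

# Runs only when called as: script IP ZONE SECOND_RESOLVER
# 127.0.0.2 is the conventional DNSBL test entry (RFC 5782).
if [ "$#" -eq 3 ]; then rbl_compare "$@"; fi
```

If 127.0.0.1 returns only an SOA line while the second resolver returns a 127.0.0.x A record for the same name, the local answer is a cached negative and the SOA line's TTL shows how long it has left.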
victorhugops

Re: Super RBL fun pack!

Postby victorhugops » Mon Feb 12, 2018 8:22 pm

Hi FlorianB

Well, I just added a new DNSBL (dnsblchile.org, for Chilean spam) and if I configure it in "prerbl", it makes queries to DNS:

12-Feb-2018 16:06:00.622 queries: info: client X.X.X.X#54381 (32.182.2.198.dnsblchile.org): view interno: query: 32.182.2.198.dnsblchile.org IN A +

But if I configure it only in the SpamC module, it doesn't work.

I set debug to on and checked all the logs, but it looks like this module doesn't use the files / database.

Any idea??
derdanilo

Re: Super RBL fun pack!

Postby derdanilo » Tue Feb 13, 2018 11:44 pm

I think that it would be really nice if we could just add custom RBL URLs via the web UI. Other anti-spam solutions support this kind of modification and this is more error-free than having to manually edit the DBs.

MailCleaner lets through way more spam than the basic SpamAssassin + some RBLs on the server itself filtered out before. Though we really like to have the anti-spam solution separate, it comes with mixed feelings. There is spam now that was not present before. Not so nice. :-/
