Spam blocking HOWTO using qpsmtpd & RBL for sme server
Release supported: sme 7.0
Author: Ray Mitchell - mitchellcpa_AT_yahoo.com.au
Updated: 1 April 2006 v1.1
Problem:
Your sme server receives a lot of spam email and you want to reject it.
Solution:
sme server v7.0 has a feature in qpsmtpd which allows incoming email messages to be rejected if the sender's IP address is on a nominated Real Time Blacklist or Blocklist (RBL). As a result there is no further processing or manual checking required. In practice a large number of spam messages will be rejected, perhaps 75-95% depending on which lists you use and the type of spam your system is exposed to.
This method works for servers configured as Server & Gateway or Server Only as long as the mail server components are enabled and the server has access to the Internet via another sme server or firewall.
Additional Information:
The RBL blocking feature and ASSP are not compatible with each other. You need to uninstall ASSP before using the RBL blocking feature. Effectively ASSP is obsoleted by RBL blocking.
Thanks:
This HOWTO is based on devinfo posts by Gordon Rowell and my own investigations. Thanks particularly to Gordon Rowell and Charlie Brady for implementing this feature in sme v7.0.
Install Procedure: (v7.0 sme server only)
In order to enable the RBL list functionality, the DNSBL plug-in for qpsmtpd must be enabled.
By default four lists are configured in the configuration database. These are:
sbl-xbl.spamhaus.org
whois.rfc-ignorant.org
dnsbl.njabl.org
relays.ordb.org
If you wish to specify different RBLs, see the separate section below.
All the lists shown below as "conservative" appear safe to use.
The lists shown below as "aggressive" block many common sending IPs/sites (this also applies to some other lists not shown).
Please assess the suitability of the lists for your own purposes.
To enable RBL blocking for the default lists do the following
config setprop qpsmtpd DNSBL enabled
signal-event email-update
svc -t /service/qpsmtpd
To enable RBL blocking for a single list do the following
config setprop qpsmtpd RBLList sbl-xbl.spamhaus.org
config setprop qpsmtpd DNSBL enabled
signal-event email-update
svc -t /service/qpsmtpd
To enable RBL blocking for multiple lists do the following
To add multiple RBLs to the RBLList property, separate them with a comma.
config setprop qpsmtpd RBLList sbl-xbl.spamhaus.org,whois.rfc-ignorant.org,dnsbl.njabl.org,dnsbl.sorbs.net,relays.ordb.org,bl.spamcop.net
config setprop qpsmtpd DNSBL enabled
signal-event email-update
svc -t /service/qpsmtpd
To disable RBL blocking do the following
config setprop qpsmtpd DNSBL disabled
signal-event email-update
svc -t /service/qpsmtpd
Using SBL lists
SBL lists list spammers by domain name rather than IP.
By default one list is configured in the configuration database. This is:
dsn.rfc-ignorant.org
If you wish to specify different SBLs, see the appropriate web sites for details.
Currently there is only the one list in popular use.
The practical effectiveness of using SBL is questionable, as many ISPs are listed on the SBL list mentioned because they are non-conforming.
Please assess the suitability of lists for your own purposes.
To enable SBL blocking do the following
config setprop qpsmtpd RHSBL enabled
signal-event email-update
svc -t /service/qpsmtpd
To change SBL entries do the following
config setprop qpsmtpd SBLList dsn.rfc-ignorant.org
signal-event email-update
svc -t /service/qpsmtpd
Using both RBL & SBL lists
If you wish to enable both RBL & SBL lists you can combine entries in the one config command
config setprop qpsmtpd DNSBL enabled RHSBL enabled
signal-event email-update
svc -t /service/qpsmtpd
Real Time Blacklist or Blocklist (RBL) Information
Using more lists will result in more queries being sent & received over your Internet connection but should result in more spam being rejected.
Some lists are included on other lists, so be careful not to include "double listings", as these only result in extra unnecessary queries, potentially slowing down the list servers' response times.
Choose RBL lists carefully to ensure they meet your needs.
Some lists are very aggressive in the implementation of their "inclusion" policy, and while using those lists may block more spam they will also block legitimate messages.
You can read the "criteria for inclusion policies" for each list at the list owner's web site. The web site addresses are readily discernible from the list names. See the Web sites section below.
For example using the bl.spamcop.net list will result in email messages from yahoo, hotmail & earthlink accounts being rejected. If you have legitimate users sending messages from those types of accounts, then do not use the bl.spamcop.net list. This also applies to some other lists.
Inclusion on a list can happen for many reasons, including being a known spammer, having a dynamic dial-up IP number, sending via open relay servers, having incorrect address information, or being listed by a system admin after receiving a spate of unsolicited email. Inclusion on "conservative" lists usually requires a positive identification of spamming or similar activity. It is possible for legitimate users to be listed as part of a "block listing" of an IP number range, as has happened with Telstra Bigpond, AOL and other "large" ISPs. These listings are generally temporary until the specific spam culprit is identified and has their account cancelled by the ISP.
Here is a list of what appear to be "conservative & safe" lists, i.e. there is a justifiable or provable reason for being included on these lists. This is by no means an exhaustive list but is the result of my own investigations and conclusions.
Note that all the lists except spamhaus.org include open relays, so using these lists will block email sent via open relays.
Conservative lists
sbl-xbl.spamhaus.org - (a combination of the two spamhaus lists)
dsn.rfc-ignorant.org
postmaster.rfc-ignorant.org
abuse.rfc-ignorant.org
whois.rfc-ignorant.org
bogusmx.rfc-ignorant.org
dnsbl.njabl.org
relays.ordb.org
dnsbl.sorbs.net
list.dsbl.org
Registration required/Commercial list
blackholes.mail-abuse.org
relays.mail-abuse.org
dialups.mail-abuse.org
Included on other lists mentioned above
cbl.abuseat.org - (included in xbl.spamhaus.org)
opm.blitzed.org - (included in xbl.spamhaus.org)
Aggressive lists
dynablock.njabl.org - (was dynablock.easynet.nl)
bl.spamcop.net
ISP non-conforming list
(Note that too many legitimate ISPs do not conform to this list's requirements. The use of this list will cause too many legitimate messages to be blocked, so its use is not recommended.)
ipwhois.rfc-ignorant.org
Defunct lists
contacts.abuse.net
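The checks described in this section can be run against an RBLList value before it is applied. The script below is an added example, not part of the original HOWTO or of sme server; the function names are made up for illustration, the list classifications are copied from the sections above, and 127.0.0.2 is the conventional DNSBL test address.

```shell
#!/bin/sh
# Added example: check an RBLList value before "config setprop qpsmtpd RBLList".
# Classifications are copied from this HOWTO's list sections.
AGGRESSIVE="dynablock.njabl.org bl.spamcop.net"
NOT_ADVISED="ipwhois.rfc-ignorant.org contacts.abuse.net"  # non-conforming ISP list, defunct list
XBL_MEMBERS="cbl.abuseat.org opm.blitzed.org"              # already included in xbl.spamhaus.org

# dnsbl_qname IP ZONE: name looked up in DNS for IP on ZONE (octets reversed).
dnsbl_qname() {
    echo "$1" | awk -F. -v zone="$2" '{ print $4 "." $3 "." $2 "." $1 "." zone }'
}

# check_rbllist LIST: print one WARN line per problem; return 1 if any were found.
check_rbllist() {
    list=$1; rc=0; seen=""
    case $list in
        *" "*) echo "WARN whitespace in list: the shell would split the setprop value"; rc=1 ;;
    esac
    for zone in $(echo "$list" | tr ', ' '\n\n'); do
        case " $seen " in
            *" $zone "*) echo "WARN duplicate entry: $zone"; rc=1 ;;
        esac
        case " $AGGRESSIVE " in
            *" $zone "*) echo "WARN aggressive list, may reject legitimate mail: $zone"; rc=1 ;;
        esac
        case " $NOT_ADVISED " in
            *" $zone "*) echo "WARN defunct or not recommended: $zone"; rc=1 ;;
        esac
        seen="$seen $zone"
    done
    case $list in
        *xbl.spamhaus.org*)
            for sub in $XBL_MEMBERS; do
                case " $seen " in
                    *" $sub "*) echo "WARN double listing: $sub is included in xbl.spamhaus.org"; rc=1 ;;
                esac
            done ;;
    esac
    return $rc
}

# Constructed sample value (not from a real server): stray space, double listing, aggressive list.
SAMPLE="sbl-xbl.spamhaus.org,cbl.abuseat.org, bl.spamcop.net"
check_rbllist "$SAMPLE" || echo "fix the list before applying it"
# Query name for the conventional DNSBL test address 127.0.0.2:
dnsbl_qname 127.0.0.2 sbl-xbl.spamhaus.org
```

Resolving the printed query name with a DNS lookup tool shows whether a list is still answering: a working IPv4 list returns an address in 127.0.0.0/8 for the test entry.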
Web sites for further information
http://www.spamhaus.org/
http://www.abuse.net/
http://dsbl.org/main
http://mail-abuse.org/
http://www.sorbs.net/
http://www.spews.org/
http://www.rfc-ignorant.org/policy-dsn.php
Checking the database entries
After you have enabled the RBLList or SBLList property you can check your settings as follows
db configuration getprop qpsmtpd RBLList
or
config getprop qpsmtpd RBLList
which will give an output something like the following
(Note that your server's output may be different depending on your configuration)
sbl-xbl.spamhaus.org,whois.rfc-ignorant.org,dnsbl.njabl.org,relays.ordb.org
and
db configuration getprop qpsmtpd SBLList
or
config getprop qpsmtpd SBLList
which will give an output something like the following
(Note that your server's output may be different depending on your configuration)
dsn.rfc-ignorant.org
If you want to check the complete entry for qpsmtpd do this
db configuration show qpsmtpd
or
config show qpsmtpd
which will give an output something like the following
(Note that your server's output may be different depending on your configuration)
qpsmtpd=service
Bcc=disabled
BccUser=maillog
DNSBL=enabled
LogLevel=6
MaxScannerSize=25000000
RBLList=sbl-xbl.spamhaus.org,whois.rfc-ignorant.org,dnsbl.njabl.org,relays.ordb.org
RHSBL=disabled
RequireResolvableFromHost=no
SBLList=dsn.rfc-ignorant.org
access=public
status=enabled