On 04/10/2018 05:28 PM, Motty Cruz wrote:
Thank you very much for your suggestions David. MTA is configured to use
RBLs,
reject_rbl_client b.barracudacentral.org
worked really well for me at one point. Also,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client multi.uribl.com,
reject_rbl_client rabl.nuclearelephant.com,
That is too risky to block on a single RBL hit above.
Since you are running Postfix, enable postscreen and postwhite
(https://github.com/stevejenkins/postwhite) to get MUCH better results
from combining the power of many RBLs:
/etc/postfix/main.cf:
postscreen_access_list =
permit_mynetworks,
cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
dnsbl.sorbs.net=127.0.0.[10;14]*9
zen.spamhaus.org=127.0.0.[10;11]*8
dnsbl.sorbs.net=127.0.0.5*7
b.barracudacentral.org=127.0.0.2*7
dnsbl.inps.de=127.0.0.2*7
zen.spamhaus.org=127.0.0.[4..7]*7
bl.mailspike.net=127.0.0.[10;11;12]*7
zen.spamhaus.org=127.0.0.3*6
hostkarma.junkemailfilter.com=127.0.0.2*4
dnsbl.sorbs.net=127.0.0.7*4
bl.spamcop.net=127.0.0.2*4
bl.spameatingmonkey.net=127.0.0.[2;3]*4
dnsrbl.swinog.ch=127.0.0.3*4
ix.dnsbl.manitu.net=127.0.0.2*4
psbl.surriel.com=127.0.0.2*4
bl.mailspike.net=127.0.0.2*4
ubl.unsubscore.com=127.0.0.2*4
bl.fmb.la=127.0.0.2*4
zen.spamhaus.org=127.0.0.2*3
dnsbl-1.uceprotect.net=127.0.0.2*2
dnsbl.sorbs.net=127.0.0.6*3
dnsbl.sorbs.net=127.0.0.9*2
dnsbl.sorbs.net=127.0.0.8*2
recent.dnsbl.sorbs.net=127.0.0.6*3
recent.dnsbl.sorbs.net=127.0.0.9*2
recent.dnsbl.sorbs.net=127.0.0.8*2
score.senderscore.com=127.0.4.[0..29]*2
hostkarma.junkemailfilter.com=127.0.0.4*2
all.spamrats.com=127.0.0.[36;38]*2
bl.nszones.com=127.0.0.[2;3]*1
dnsbl-2.uceprotect.net=127.0.0.2*1
dnsbl.sorbs.net=127.0.0.2*1
dnsbl.sorbs.net=127.0.0.4*1
score.senderscore.com=127.0.4.[30..69]*1
dnsbl.sorbs.net=127.0.0.3*1
hostkarma.junkemailfilter.com=127.0.1.2*1
dnsbl.sorbs.net=127.0.0.15*1
ips.backscatterer.org=127.0.0.2*1
bl.nszones.com=127.0.0.5*-1
score.senderscore.com=127.0.4.[80..89]*-2
wl.mailspike.net=127.0.0.[18;19;20]*-2
hostkarma.junkemailfilter.com=127.0.0.1*-2
ips.whitelisted.org=127.0.0.2*-2
safe.dnsbl.sorbs.net=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].0*-2
dnswl.inps.de=127.0.[0;1].[2..10]*-2
score.senderscore.com=127.0.4.[90..100]*-3
list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].2*-4
list.dnswl.org=127.0.[0..255].3*-5
You may adjust the weights above based on your particular mail flow if
needed but they should be pretty good/safe as is.
Setup postwhite and add any domains that need to be bypassed on RBL
checks to /etc/postwhite.conf in the custom_hosts.
custom_hosts="authsmtp.com"
On 04/10/2018 03:14 PM, David Jones wrote:
On 04/10/2018 05:04 PM, Leandro wrote:
2018-04-10 18:52 GMT-03:00 David Jones <djo...@ena.com
<mailto:djo...@ena.com>>:
On 04/10/2018 04:47 PM, Leandro wrote:
2018-04-10 17:49 GMT-03:00 Motty Cruz <motty.c...@gmail.com
<mailto:motty.c...@gmail.com> <mailto:motty.c...@gmail.com
<mailto:motty.c...@gmail.com>>>:
I apologize here is the email headers and body
https://pastebin.com/bgXrfKaQ
You should not take this domain mrface.com <http://mrface.com>
<http://mrface.com> seriously because it is a TLD used for free
dynamic IP service (changeip.com <http://changeip.com>
<http://changeip.com>).
There is even a fake Windows Update domain in this TLD:
ubuntu@matrix:~$ dig +short A windowsupdate.mrface.com
<http://windowsupdate.mrface.com>
<http://windowsupdate.mrface.com
<http://windowsupdate.mrface.com>>
185.133.40.63
Thanks,
I noticed it was listed on the DBL dnsbl.spfbl.net
<http://dnsbl.spfbl.net> and was just working to add that to my
local rules. Anyone know how to set this DBL up in SA? I am trying
to find an example in the stock SA rules now...
Yes. We list any IP using any free dynamic TLD.
A legit mail server never uses crap, or shouldn't use.
Documentation to set this DNSBL at SA:
https://spfbl.net/en/dnsbl/
-- David Jones
I found an example in KAM.cf:
[root@server spamassassin]# pwd
/etc/mail/spamassassin
[root@server spamassassin]# cat 99_spfbl.cf
ifplugin Mail::SpamAssassin::Plugin::DNSEval
header __RCVD_IN_SPFBL eval:check_rbl('spfbl',
'dnsbl.spfbl.net')
tflags __RCVD_IN_SPFBL net
header __RCVD_IN_SPFBL_3 eval:check_rbl_sub('spfbl',
'127.0.0.3')
meta RCVD_IN_SPFBL __RCVD_IN_SPFBL_3 && !RCVD_IN_SPFBL_LASTEXT
describe RCVD_IN_SPFBL Received is listed in SPFBL.net RBL
score RCVD_IN_SPFBL 1.2
tflags RCVD_IN_SPFBL net
header RCVD_IN_SPFBL_LASTEXT
eval:check_rbl('spfbl-lastexternal', 'dnsbl.spfbl.net')
describe RCVD_IN_SPFBL_LASTEXT Last external is listed in
SPFBL.net RBL
score RCVD_IN_SPFBL_LASTEXT 2.2
tflags RCVD_IN_SPFBL_LASTEXT net
endif
ifplugin Mail::SpamAssassin::Plugin::AskDNS
askdns SENDER_IN_SPFBL _SENDERDOMAIN_.dnsbl.spfbl.net A
/^127\.0\.0\.3$/
tflags SENDER_IN_SPFBL nice net
describe SENDER_IN_SPFBL Sending domain listed in SPFBL.net DBL
score SENDER_IN_SPFBL 2.2
endif
--
David Jones