Adding a new custom RBL
I found an RBL yesterday which will supposedly block newly created domains.
SEM (Spam Eating Monkey)
Has anyone used this as an exim custom RBL?
I believe I applied this last night, but I'm not entirely sure at this stage that I applied it correctly.
Just want to know if anyone else has used it, or know of any others which are proven to work.
Hi @keat63, I know for myself I haven't even heard of it before, so I don't have a lot to add. I'd monitor it closely for a while to ensure it's not being too restrictive. This will, of course, stay open so others who may have used it can chime in. Thanks!
I'm guessing that it's working on the basis that every day I would see spam emails originating from what I'd call disposable TLDs: .space, .date, .website, .loan, .club etc. I've not seen any of these for 3 days now. However, I can't see anything in exim reject log to indicate they were rejected.
I believe that's standard behavior for RBLs: they're rejecting at SMTP time, which means exim doesn't actually process them. Is there a mail transaction for the messages at all? Thanks!
If I search exim reject log, I see rejections for Spamhaus and Barracuda, but nothing for SEM. Looking at the instructions for SEM, it would indicate that you add the config to SpamAssassin. I thought I'd take a chance and add the URL to exim config custom RBL and see what happens, hence my original post. Something I need to keep my eye on for a few days more, I guess.
Hi @keat63 Nice find. I have added the SEM-FRESH30 and the SEM-URI to the Custom RBLs and will see if they have any impact. Don't forget to enable them in your Exim Configuration Manager, and then Save the config so that Exim can rebuild the file and restart.
It will be interesting to see if someone else notices any impact. Please keep me posted.
I also added SEM-BLACK and SEM-BACKSCATTER and am already seeing good results from SEM-BLACK.
I'm convinced something is working as it's now been about 4 days. The results you see from SemBlack, are these based on reductions, or are you observing something in log files?
Log files: 2018-10-26 11:06:00 H=server.someserver.tld (domain.tld) [95.110.207.71]:53287 F= rejected RCPT : "JunkMail rejected - server.someserver.tld (domain.tld) [12.34.56.78]:53287 is in an RBL: listed, see https : //spameatingmonkey.com/lookup/12.34.56.78" In the mail delivery reports, I am seeing incoming messages blocked by the SEM RBL with a message like: JunkMail rejected - server.someserver.tld (domain.tld) [12.34.56.78]:53287 is in an RBL: listed, see https : // spameatingmonkey.com/lookup/12.34.56.78
Domains and IP have been changed to protect the .... innocent ? o_O
I'm not seeing any of this in any exim logs, so I'm confused.
Does this help? 55129
Mine is slightly different. Thanks
Where did you pick up the info URL from?
The info URL is optional, I just used the URL of the SEM services page. The important one is the Query zone that goes in the DNS List, and all the ones you put in seem OK. Just check that you have enabled the new Custom RBLs in the WHM >> Service Configuration >> Exim Configuration Manager RBL tab: 55137 And don't forget to SAVE, and that should rebuild and restart the Exim/spam/clamav services. Something like: 55141
I have enabled them. Just not seeing any rejections, but yet those spam emails have stopped since Monday. Odd.
Well if it's working ...... probably time for a beer :-D
It's Friday, beer is a must. ;)
When you added these to your custom RBL list, did you do anything else other than enable and restart exim? I've come in this morning and found a number of spam emails from domains that were created at the weekend. And still see no reference to SEM in exim reject logs.
Nope - I did nothing other than to add the custom RBLs, enable them in the Exim Configuration Manager and then SAVE at the bottom of the page, which rebuilds and restarts Exim and clamd and spamd. I have had 224 spam emails blocked by SEM since installation.
Very odd. My main objective was to block these throwaway domains, the ones which appear, send out tons of spam, then move on once they are blacklisted. To a point, I'm seeing a huge reduction in these spam type emails, but the odd one is still getting through, and I'm seeing no mention of spameatingmonkey in any of my logs. I'm a tad confused.
Finally have a log entry this morning. xxx.xxx.xxx.xxx is in an RBL: listed, see https://spameatingmonkey.com/lookup/xxx.xxx.xxx.xxx
Happy to see it's working for you (especially since it was your recommendation :-D )
I've been using an RBL from 'spameatingmonkey' for a few months without issue. However, today I've had a number of customers telling me that their email is being rejected. After a little digging, it seems that the RBL is the culprit. However, I did update our server to 8.0.14 last night and wonder if it could be related. Please see 2 x reject messages, one from a few days ago, and one from today. Note how the one from today has a truncated IP in the lookup section, and that it also has octets the wrong way around ??? Could this simply be that the RBL is malfunctioning, or could it be related to 8.0.14? Could this info be getting screwed up as it arrives in my logs/server etc.? I've switched the RBL off for now. 2019-05-29 11:14:26 H=(example.com) [211.250.xxx.xxx]:44151 X=TLSv1:AES128-SHA:128 CV=no F= rejected RCPT : "JunkMail rejected - (example.com) [211.250.131.xxxx]:44151 is in an RBL: listed, see https://spameatingmonkey.com/lookup/211.250.xxx.xxx" 2019-06-12 14:40:31 H=by.d.example.com [185.41.28.xxxx]:36626 X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F= rejected RCPT : "JunkMail rejected - by.d.example.com [185.41.28.xxxx]:36626 is in an RBL: listed, see https://spameatingmonkey.com/lookup/41.185"
I know it's an old post but I had spam eating monkey blocking good emails today. It seems that it was reversing the IP order so it was blocking them. I had to disable all rules by spam eating monkey for now. JunkMail rejected - mail-ot1-f52.google.com [209.85.210.52]:46128 is in an RBL: listed, see spameatingmonkey(dot)com/lookup/85.209 As you can see, it is reading the IP addresses wrong. Anyone had the same issue?
Me too, in fact I just posted a new thread about the same. I wasn't sure if the RBL was malfunctioning or if it might have been related to me updating our server last night. I've emailed SEM, but whether or not they respond is anyone's guess.
Yep, same thing here with truncated IP and wrong way around. Also on 80.0.14 but did not reboot yet even if WHM tells me that I need to reboot to apply software updates.
Is this only affecting spameatingmonkey? Is spamhaus or any other RBL affected by this? For what it's worth, I'm not seeing this in cPanel 78. I would think that if exim is messing up the backwards IP address, it would affect all RBLs.
It is only affecting Spam Eating Monkey. WORKING RBL: bl.spamcop.net, zen.spamhaus.org, AbuseAT, Barracuda. NOT WORKING RBL: Semblack, SemFrench30, SemURIBL.
Hmm. Have you checked to verify if the actual IP is actually listed in Spam Eating Monkey? Spam Eating Monkey Realtime Reputation Service i.e. 2019-06-12 14:40:31 H=by.d.example.com [185.41.28.xxxx]:36626 X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F= rejected RCPT : "JunkMail rejected - by.d.example.com [185.41.28.xxxx]:36626 is in an RBL: listed, see https://spameatingmonkey.com/lookup/41.185" Whatever that IP address is that I've highlighted in bold. Secondly, what exactly do you have in your exim.conf as it pertains to using this blacklist? Unfortunately, I don't have any cPanel 80 servers to test this out on. I really can't wrap my head around this being an exim issue, if all other blacklists are working properly. And given all the issues I'm seeing mentioned with cPanel 80... I don't really have any incentive to jump in with cPanel 80. My thoughts are... The connecting IP is actually listed in spameatingmonkey, but for whatever reason the TXT record for that listing on the spameatingmonkey DNS is reporting the wrong IP - but I'm not seeing that with cPanel 78, which would seem to disprove that theory. I suppose a DNS resolver could be getting in the way, what DNS resolvers are you using? The two of you that are having this problem, are you using the same resolvers? Same datacenter? Or, the way this is being implemented in exim.conf, the IP address is being captured incorrectly. This would make sense if spameatingmonkey is being checked separately from spamhaus, spamcop, and other RBLs and just depending on how it is being implemented. If the connecting IP actually is listed, but exim log_message or message is fumbling with how to reconstruct that IP address... that might explain the issue. Both of these are a bit far-fetched, but it's all I've got at the moment.
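Added example (not from any poster in this thread, and not cPanel or Exim code): a Python check that extracts the connecting IP and the value shown after /lookup/ from reject lines in the shape quoted above, and reports when the shown value is only the tail of the reversed-octet name a DNSBL lookup queries. The zone `dnsbl.example` and the sample lines are constructed, and the log shape is assumed from the quoted lines.

```python
import ipaddress
import re

# Assumed shape: "[<ip>]:<port> is in an RBL: ... /lookup/<value>"
REJECT_RE = re.compile(
    r"\[(?P<conn>\d{1,3}(?:\.\d{1,3}){3})\]:\d+ is in an RBL: .*?"
    r"/lookup/(?P<shown>[0-9.]+)"
)

def dnsbl_query_name(ip, zone):
    """Name a DNSBL client resolves: IPv4 octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(conn_ip, shown):
    """Compare the connecting IP with the value echoed in the reject text."""
    if shown == conn_ip:
        return "match"
    reversed_ip = ".".join(reversed(conn_ip.split(".")))
    if reversed_ip == shown or reversed_ip.endswith("." + shown):
        return "tail-of-reversed-query"
    return "mismatch"

def audit(lines):
    """Return (connecting_ip, shown, verdict) for every RBL reject line."""
    results = []
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            shown = m["shown"].rstrip(".")  # drop sentence-ending dot
            results.append((m["conn"], shown, classify(m["conn"], shown)))
    return results

# Constructed sample lines (documentation IPs, hypothetical rbl.example URL).
SAMPLE = [
    '2019-05-29 11:14:26 H=(example.com) [198.51.100.7]:44151 rejected RCPT : '
    '"JunkMail rejected - (example.com) [198.51.100.7]:44151 is in an RBL: '
    'listed, see https://rbl.example/lookup/198.51.100.7"',
    '2019-06-12 14:40:31 H=mx.example.net [192.0.2.10]:36626 rejected RCPT : '
    '"JunkMail rejected - mx.example.net [192.0.2.10]:36626 is in an RBL: '
    'listed, see https://rbl.example/lookup/0.192"',
    '2019-06-12 14:41:02 H=mx.example.net [203.0.113.5]:2525 rejected RCPT : '
    'relay not permitted',
]

if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "dnsbl.example"))
    for row in audit(SAMPLE):
        print(row)
```

A "tail-of-reversed-query" verdict only describes what the reject text displays; whether the connecting IP is really listed still has to be confirmed against the list itself.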