Anti-spam DNSBL by BOates [CHANGES REQUIRED TO WORK WITH SPAMASSASSIN 3.4.2 or later in v76+]
This functionality must be updated to work with SpamAsasssin 3.4.2 or it will break all mail delivery on cPanel v76+ : Anti-spam DNSBL by BOates [CHANGES REQUIRED TO WORK WITH SPAMASSASSIN 3.4.2 or later in v76+]
I've put together a new anti-spam DNSBL that I feel fills a current gap in the existing anti-spam block lists out there. I'm looking for some individuals whom run cPanel servers to add the DNSBL to their configuration and see how it fares, as a sort of beta test.
THE PROBLEM
I've personally observed a growing trend with spammers involving short lived domains. They register a brand new domain, ensure that a valid SPF record, valid PTR (RDNS) record, and sometimes even valid DKIM are setup. Then they blast out mail for a few hours/days, and abandon the domain before it's effectively evaluated by existing anti-spam block lists.
The spam I've been getting from this spammer technique has even registered a negative score from SpamAssassin (meaning it is inclined to believe it's definitely good email).
THE RESPONSE
How am I attacking this technique? Essentially, the DNSBL I've put together blocks any domain name that were registered less than 5 days ago. Once the domain ages past 5 days, it automatically expires from the block list.
Now, you may be familiar with a DNSBL that attempts to fulfill this very need already. SpamEatingMonkey's "Fresh" DNSBL. The problem is, I've tried it. In fact, attempting to use SEM's Fresh DNSBL is what prompted me to produce my own DNSBL because it was only catching about 1 in 50 fresh domains, sometimes even a much worse effectiveness ratio.
STATISTICS
I've been running this on my own personal machine for just under a month, which has a handful of personal use domains.
2015-03-20 => 2015-04-12
Emails Blocked by my DNSBL: 8,326
Emails Blocked by SpamHaus/Barracuda: 3,525
Emails Blocked by SpamAssassin: 266
Emails Delivered to inboxes: 3,870
RISKS
As I'm sure is painfully obvious to everyone, the risk here is that the DNSBL does not make any attempt to discern from a legitimate new internet user deploying their brand new shiny domain versus a devious spammer abusing freshly registered domains. Both are unilaterally blocked until their domains are 5 days old.
The difference is that the legitimate user will keep using their domain after 5 days, whereas the spammer will have long since abandoned their (now widely recognized and blacklisted) domain. Since this block list requires no de-listing (all domains auto-delist after the domain is over 5 days old), it's at least a short lived temporary problem at best.
I may look into a forced early-delist if legitimate customers are finding this too much of a problem, but the early-delist option could be abused by spammers as well, of course.
INTERESTED?
Well, hopefully I've piqued your interest. That's my goal here so I can test in more real world scenarios and see if it's as effective as I seem to find on my own personal box. This DNSBL is still in early stages of testing, though. It could very well fall flat on its face and be unscalable in its current form. That's why I need your help with testing it.
If you'd like help test it, follow the below steps:
1.) SSH into your server as root and create/edit the following file:
/usr/local/cpanel/etc/exim/perl/trimdomain
2) Copy/Paste the below code inside and save it (This has been updated to SpamAssassin 3.4.1+)
3.) Still on the server as root, create/edit the following file: /usr/local/cpanel/etc/exim/acls/ACL_MAIL_POST_BLOCK/custom_begin_mail_post 4.) Copy/Paste the below code inside and save it
5.) Make Exim rebuild its exim.conf to include the two changes we made by running: /scripts/buildeximconf 6.) Restart Exim by running: /scripts/restartsrv_exim 7.) When the DNSBL rejects a message, you will see log output in /var/log/exim_mainlog that looks similar to below: 2015-04-13 10:14:22 H=(ftj09.freezebloodsugarcure.ninja) [192.200.201.9]:47300 rejected MAIL : Fresh Domain Blocked - [freezebloodsugarcure.ninja] is listed on (fresh.dieinafire.com)
8.) Done! You're now utilizing the DNSBL. Please post some feedback if you do decide to test it out. UNINSTALL 1.) Remove the file: /usr/local/cpanel/etc/exim/perl/trimdomain 2.) Remove the snippet previously added to the file: /usr/local/cpanel/etc/exim/acls/ACL_MAIL_POST_BLOCK/custom_begin_mail_post 3.) Rebuild exim.conf by running: /scripts/buildeximconf 4.) Restart Exim by running: /scripts/restartsrv_exim 5.) The DNSBL is now entirely uninstalled FAQ Q: Will this block my new customers from sending out email? A: Not on your end. The exim.conf entry ignores authenticated users, which permits your own server's users to send email outbound even if their own domain is less than 5 days old. However, if the receiving server is using this same DNSBL, they'll be blocked from delivering to that server. As mentioned, once their domain is over 5 days old they'll auto-delist from the block list. TROUBLESHOOTING Q: In exim_mainlog, I see: 2015-04-13 12:13:05 DNS list lookup defer (probably timeout) for domain.tld.fresh.dieinafire.com: assumed not in list
A: Something is blocking you from running a DNS Lookup against the DNSBL *or* your DNS Queries are taking far too long to resolve. This could be a problem on your end *or* my DNSBL's end (one of the reasons I'm trying to load test it). Verify that you can query the DNSBL directly by running: dig +short test.fresh.dieinafire.com It should return '127.0.0.2' like below: # dig +short test.fresh.dieinafire.com 127.0.0.2
If it just returns to a blank prompt, then something is wrong and either your DNS resolvers in /etc/resolv.conf are causing problems or some firewall settings are at fault.
sub trimdomain {
require Mail::SpamAssassin::RegistryBoundaries;
my $domain = shift;
my $rb = new Mail::SpamAssassin::RegistryBoundaries;
return $rb->trim_domain($domain);
}
3.) Still on the server as root, create/edit the following file: /usr/local/cpanel/etc/exim/acls/ACL_MAIL_POST_BLOCK/custom_begin_mail_post 4.) Copy/Paste the below code inside and save it
drop
!authenticated = *
dnslists = fresh.dieinafire.com/${perl{trimdomain}{$sender_address_domain}}
message = Fresh Domain Blocked - [${perl{trimdomain}{$sender_address_domain}}] is listed on (fresh.dieinafire.com)
5.) Make Exim rebuild its exim.conf to include the two changes we made by running: /scripts/buildeximconf 6.) Restart Exim by running: /scripts/restartsrv_exim 7.) When the DNSBL rejects a message, you will see log output in /var/log/exim_mainlog that looks similar to below: 2015-04-13 10:14:22 H=(ftj09.freezebloodsugarcure.ninja) [192.200.201.9]:47300 rejected MAIL : Fresh Domain Blocked - [freezebloodsugarcure.ninja] is listed on (fresh.dieinafire.com)
8.) Done! You're now utilizing the DNSBL. Please post some feedback if you do decide to test it out. UNINSTALL 1.) Remove the file: /usr/local/cpanel/etc/exim/perl/trimdomain 2.) Remove the snippet previously added to the file: /usr/local/cpanel/etc/exim/acls/ACL_MAIL_POST_BLOCK/custom_begin_mail_post 3.) Rebuild exim.conf by running: /scripts/buildeximconf 4.) Restart Exim by running: /scripts/restartsrv_exim 5.) The DNSBL is now entirely uninstalled FAQ Q: Will this block my new customers from sending out email? A: Not on your end. The exim.conf entry ignores authenticated users, which permits your own server's users to send email outbound even if their own domain is less than 5 days old. However, if the receiving server is using this same DNSBL, they'll be blocked from delivering to that server. As mentioned, once their domain is over 5 days old they'll auto-delist from the block list. TROUBLESHOOTING Q: In exim_mainlog, I see: 2015-04-13 12:13:05 DNS list lookup defer (probably timeout) for domain.tld.fresh.dieinafire.com: assumed not in list
A: Something is blocking you from running a DNS Lookup against the DNSBL *or* your DNS Queries are taking far too long to resolve. This could be a problem on your end *or* my DNSBL's end (one of the reasons I'm trying to load test it). Verify that you can query the DNSBL directly by running: dig +short test.fresh.dieinafire.com It should return '127.0.0.2' like below: # dig +short test.fresh.dieinafire.com 127.0.0.2
If it just returns to a blank prompt, then something is wrong and either your DNS resolvers in /etc/resolv.conf are causing problems or some firewall settings are at fault.
-
I received tens of messages today from the .LOAN TLD, which looks like it's not returning results from [Removed] Few examples that were registered today: [Removed] The public WHOIS service brings back the correct creation date. 0 -
BOates, I've been using this for over a year now, however the last week I have been getting tons of spam. Is the system down? 0 -
I received tens of messages today from the .LOAN TLD, which looks like it's not returning results from [Removed] Few examples that were registered today: [Removed] The public WHOIS service brings back the correct creation date.
Looks like ".loan" is among some newer TLDs that weren't manually configured in the system with its proper WHOIS server. These should now be trapped by the DNSBL; just added it in now. I'm going to have to go perusing for new TLDs again and add any missing ones' whois servers.BOates, I've been using this for over a year now, however the last week I have been getting tons of spam. Is the system down?
Nope, the system has been operating essentially 24/7 since inception. Any trends to the mail being let through? PM me any particular examples or list the TLDs that seem commonly let through and I'll check on it. All the spam getting through is coming from domains registered within the last few days?0 -
Thanks, Today's TLD seems to be .download Yesterday's was a .com, however registered 27th Jan, so I guess it just wasn't new enough. 0 -
.download now added. In the next few days I'll go try and pull a new TLD list. 0 -
@BOates does this list still work? Any idea how to implement it in CMM? 0 -
@BOates does this list still work? Any idea how to implement it in CMM?
Yep this list is still up and running. Still effective and I've still been using it for my personal mail/server. :) Usage of CMM shouldn't affect or change the implementation of the list. You should be able to follow the original instructions all the same.0 -
Is there a way to add this via CMM? And monitor it from there. 0 -
It seems that for me something is not working, I cannot seem to see anything from it in logs, and I am unable to get any results from dig +short test.fresh.dieinafire.com . I would like a tutorial to add this via CMM. 0 -
It seems that for me something is not working, I cannot seem to see anything from it in logs, and I am unable to get any results from dig +short test.fresh.dieinafire.com . I would like a tutorial to add this via CMM.
Looks like I had messed up the test host logic. "test.fresh.dieinafire.com" should return as respected now (propagation may be involved). Regarding CMM, it looks like CMM has no concept of ability to understand or maintain a DNSBL, so there would not be any instructions that I could generate to allow management via CMM. You would need to implement as per my original post instructions. You also won't see any changes in the logs *unless* a fresh domain attempts to deliver to a user on your machine.0 -
Anyone created a spamassasin rule for this? Would be nice to use this to give it a score vs simply rejecting it directly. Just a thought at least. 0 -
Anyone created a spamassasin rule for this? Would be nice to use this to give it a score vs simply rejecting it directly. Just a thought at least.
Not sure if anyone else has, but here's one I whipped up: (1) Open /etc/mail/spamassassin/local.cf (2) Add the snippet at the bottom of the fileifplugin Mail::SpamAssassin::Plugin::DNSEval header URIBL_FRESHDOM eval:check_rbl_from_domain('fresh', 'fresh.dieinafire.com.', '127.0.0.2') describe URIBL_FRESHDOM Header contains a URL listed in the fresh.dieinafire.com blacklist tflags URIBL_FRESHDOM net score URIBL_FRESHDOM 5.0 endif
(3) If desired, modify the "score" from 5.0 to whatever you would like the default score value to be (4) If on a per-cPanel-user basis you would like to adjust the score, then adjust the score of "URIBL_FRESHDOM" accordingly as you would any other rule. This usually means using the cPanel UI for SpamAssassin or manually adding the custom score line into /home/$user/.spamassassin/user_prefs0 -
Not sure if anyone else has, but here's one I whipped up: (1) Open /etc/mail/spamassassin/local.cf (2) Add the snippet at the bottom of the file
ifplugin Mail::SpamAssassin::Plugin::DNSEval header URIBL_FRESHDOM eval:check_rbl_from_domain('fresh', 'fresh.dieinafire.com.', '127.0.0.2') describe URIBL_FRESHDOM Header contains a URL listed in the fresh.dieinafire.com blacklist tflags URIBL_FRESHDOM net score URIBL_FRESHDOM 5.0 endif
(3) If desired, modify the "score" from 5.0 to whatever you would like the default score value to be (4) If on a per-cPanel-user basis you would like to adjust the score, then adjust the score of "URIBL_FRESHDOM" accordingly as you would any other rule. This usually means using the cPanel UI for SpamAssassin or manually adding the custom score line into /home/$user/.spamassassin/user_prefs
I am using [LIST]- ConfigServer MailScanner Front-End (MSFE) This has a bit modified settings for the usage of spamassasing, I have these location root@panel [/var/lib/spamassassin/3.004001/updates_spamassassin_org]# ls ./ 20_freemail.cf 20_ratware.cf 25_replace.cf 60_awl.cf MIRRORED.BY ../ 20_freemail_domains.cf 20_uri_tests.cf 25_spf.cf 60_shortcircuit.cf regression_tests.cf 10_default_prefs.cf 20_freemail_mailcom_domains.cf 20_vbounce.cf 25_textcat.cf 60_txrep.cf sa-update-pubkey.txt 10_hasbase.cf 20_head_tests.cf 23_bayes.cf 25_uribl.cf 60_whitelist.cf STATISTICS-set0-72_scores.cf.txt 20_advance_fee.cf 20_html_tests.cf 25_accessdb.cf 30_text_de.cf 60_whitelist_dkim.cf STATISTICS-set1-72_scores.cf.txt 20_aux_tlds.cf 20_imageinfo.cf 25_antivirus.cf 30_text_fr.cf 60_whitelist_spf.cf STATISTICS-set2-72_scores.cf.txt 20_body_tests.cf 20_mailspike.cf 25_asn.cf 30_text_it.cf 60_whitelist_subject.cf STATISTICS-set3-72_scores.cf.txt 20_compensate.cf 20_meta_tests.cf 25_dcc.cf 30_text_nl.cf 72_active.cf user_prefs.template 20_dnsbl_tests.cf 20_net_tests.cf 25_dkim.cf 30_text_pl.cf 72_scores.cf 20_drugs.cf 20_pdfinfo.cf 25_hashcash.cf 30_text_pt_br.cf 73_sandbox_manual_scores.cf 20_dynrdns.cf 20_phrases.cf 25_pyzor.cf 50_scores.cf languages 20_fake_helo_tests.cf 20_porn.cf 25_razor2.cf 60_adsp_override_dkim.cf local.cf root@panel [/var/lib/spamassassin/3.004001/updates_spamassassin_org]# You think I should add the rules in another place? Thank you!
0 -
I have very little working experience with MSFE, but if that is indeed the location that its implementation of SpamAssassin works out of, then I would assume this file: /var/lib/spamassassin/3.004001/updates_spamassassin_org/local.cf But that seems odd for the functional working directory to be in something called "updates_spamassassin_org" tied to a very specific spamassassin version. Your best bet is to reach out to ConfigServer support or refer to their documentation for instructions on adding custom rules to their implementation of SpamAssassin. It likely still is a "local.cf" file, but no idea on the location. 0 -
You can add new rules to any new .cf file in /etc/mail/spamassassin and they will be used by spamassassin within MailScanner. We would recommend NOT using local.cf as that may be modified by cPanel during updates. When we do an install we create a new .cf file for our own added rules, called configserver.cf. You can create a .cf file and call it whatever you wish. This si the reply from them. 0 -
That reply essentially clarifies that use of MSFE has no bearing on my original instructions, and you can just follow those instructions. ConfigServer's claim that local.cf will get overridden is incorrect. In practice, and per official cPanel & WHM documentation, /etc/mail/spamassassin/local.cf is the correct global config file to utilize for SpamAssassin when it comes to manual edits. 0 -
@BOates, are you using also MailScanner by chance? 0 -
@BOates, are you using also MailScanner by chance?
I do not make use of any of the 3rd party email packages like MailScanner. Just out-of-the-box cPanel & WHM's Exim with manual customizations similar to what is shown in the original post of this thread. I have not had good experiences with Mailscanner and similar, so I tend to avoid them.0 -
@BOates Can you explain the part with not good experiences? What was the issues, and so. 0 -
Agreed, I'd like to know as well. I'm a huge fan of MailScanner and MSFE. 0 -
The reasons are essentially negativity bias. Having supported countless cPanel & WHM systems in the past (since 2005), the sheer volume of mail delivery problems and other critical Exim failures that I personally traced back to MailScanner were numerous. This was to the point that virtually any customer exclaiming system-wide mail delivery issues, where MailScanner was found to be installed, were almost always related to MailScanner. Perhaps this has changed in recent years with improved 3rd party implementation of MailScanner or perhaps it simply just is my own negativity bias from seeing so many failures. It's probably the latter and that those failures were actually a statistical minority to the overall systems using it. I really wouldn't hang much weight to my opinions of MailScanner. I simply have no need for any of its features. With MSFE, I don't think I've ever utilized it to any capacity. This is primarily because I do not use MailScanner. Because of this, I have no opinion of MSFE either way. 0 -
Is this project abandoned? Doesn't look like it's up and the URL for it redirects to some crapsite. 0 -
Nope, it's very much alive and has been for some time. Although, it looks like I have entirely neglected the A record for fresh.dieinafire.com itself (the host that provides the simple explanation page). I moved servers back in June, and the site that has been showing in its stead appears to be whoever took over my old netblock after I moved from it (the explanation page is hosted on a separate server from the actual DNSBL). Give it a few hours and fresh.dieinafire.com's site should load the basic explanation page. But the DNSBL portion of fresh.dieinafire.com has been working this entire time without interruption. 0 -
I just re-enabled on a couple servers. If I recall correctly, these blocks don't show up in the cPanel "Mail Delivery Reports" like other RBLs, right? If not, is there any way to make them? 0 -
Mail Delivery Reports depend upon Exim getting far enough in the transaction to create a Message ID for the transaction. Since these RBL based blocks occur well before this occurs, they won't list in Mail Delivery Reports. In theory, you can basically "tease" the spammers and let them get further in the transaction before you have the logic that checks and blocks them based on sender. But, you're expending extra CPU/Memory/Bandwidth to allow MAIL FROM and DATA commands to come across Exim that otherwise wouldn't even be bothered with. You also run the risk of generating back scatter spam with your delivery failure notices since you're not rejecting the transaction outright and otherwise initially accepting it. In essence, causing the convenience of showing up on Mail Delivery Reports would force you to make several negative concessions for your server that will only hurt it. I would not advise it. 0 -
Recently I had to setup a server from scratch and needed to keep costs down so I didn't go the mailscanner+frontend route. I skipped mailscanner and just used RBLs's... like this one :) It is working great, spamhaus, barracuda, and dieinafire are catching everything. I'm more than happy with the spam level. (almost zero, no false positives so far). Just wanted to contribute a big thanks to BOates for dieinafire, much appreciated! 0 -
Is dieinafire still active? I've been getting a lot of DNS lookup defers and a huge increase in spam that is passing through. 0 -
Memory usage on the box has been up quite a bit lately. It's been a bit temperamental. Looks like the daemon that drives it ceased up at about 12:30am EST. Just restarted the service now. I'll keep an eye on it and work on fixing the issues. Hopefully I can avoid having to bump it to a beefier box. Good news is it looks like some folks are making use of it. :) 0 -
Hello @BOates, This works for Brazilian domains (example: domain.com.br)? I think 5 days very conservative, I think that up to 20 days is fine. 0 -
Hi @BOates, I have difficulties creating this one 2) Copy/Paste the below code inside and save it Code: sub trimdomain { require Mail::SpamAssassin::Util::RegistrarBoundaries; my $domain = shift; my $trimmed_domain = Mail::SpamAssassin::Util::RegistrarBoundaries::trim_domain($domain); return $trimmed_domain; } Although I already created directory mkdir /usr/local/cpanel/etc/exim/perl/trimdomain but I cant copy paste step 2 scripts using nano /usr/local/cpanel/etc/exim/perl/trimdomain. Did I miss something?? but I'm done with this steps /usr/local/cpanel/etc/exim/acls/ACL_MAIL_POST_BLOCK/custom_begin_mail_post and Copy/Paste the below code inside and save it. Thanks for your help. 0
Please sign in to leave a comment.
Comments
86 comments