Anti-spam DNSBL by BOates [CHANGES REQUIRED TO WORK WITH SPAMASSASSIN 3.4.2 or later in v76+]

[BOates]

It seems that for me something is not working, I cannot seem to see anything from it in logs, and I am unable to get any results from dig +short test.fresh.dieinafire.com . I would like a tutorial to add this via CMM.

Looks like I had messed up the test host logic. "test.fresh.dieinafire.com" should return as respected now (propagation may be involved).

Regarding CMM, it looks like CMM has no concept of ability to understand or maintain a DNSBL, so there would not be any instructions that I could generate to allow management via CMM. You would need to implement as per my original post instructions. You also won't see any changes in the logs *unless* a fresh domain attempts to deliver to a user on your machine.

 

[MACscr]

Anyone created a spamassasin rule for this? Would be nice to use this to give it a score vs simply rejecting it directly. Just a thought at least.

 

[BOates]

Anyone created a spamassasin rule for this? Would be nice to use this to give it a score vs simply rejecting it directly. Just a thought at least.

Not sure if anyone else has, but here's one I whipped up:

(1) Open /etc/mail/spamassassin/local.cf

(2) Add the snippet at the bottom of the file

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header          URIBL_FRESHDOM  eval:check_rbl_from_domain('fresh', 'fresh.dieinafire.com.', '127.0.0.2')
describe        URIBL_FRESHDOM  Header contains a URL listed in the fresh.dieinafire.com blacklist
tflags          URIBL_FRESHDOM  net
score           URIBL_FRESHDOM  5.0
endif

(3) If desired, modify the "score" from 5.0 to whatever you would like the default score value to be

(4) If on a per-cPanel-user basis you would like to adjust the score, then adjust the score of "URIBL_FRESHDOM" accordingly as you would any other rule. This usually means using the cPanel UI for SpamAssassin or manually adding the custom score line into /home/$user/.spamassassin/user_prefs

 

[UHLHosting]

Not sure if anyone else has, but here's one I whipped up:

(1) Open /etc/mail/spamassassin/local.cf

(2) Add the snippet at the bottom of the file

ifplugin Mail::SpamAssassin::Plugin::DNSEval
header          URIBL_FRESHDOM  eval:check_rbl_from_domain('fresh', 'fresh.dieinafire.com.', '127.0.0.2')
describe        URIBL_FRESHDOM  Header contains a URL listed in the fresh.dieinafire.com blacklist
tflags          URIBL_FRESHDOM  net
score           URIBL_FRESHDOM  5.0
endif

(3) If desired, modify the "score" from 5.0 to whatever you would like the default score value to be

(4) If on a per-cPanel-user basis you would like to adjust the score, then adjust the score of "URIBL_FRESHDOM" accordingly as you would any other rule. This usually means using the cPanel UI for SpamAssassin or manually adding the custom score line into /home/$user/.spamassassin/user_prefs

I am using

• ConfigServer MailScanner Front-End (MSFE)

This has a bit modified settings for the usage of spamassasing, I have these location

[email protected] [/var/lib/spamassassin/3.004001/updates_spamassassin_org]# ls
./ 20_freemail.cf 20_ratware.cf 25_replace.cf 60_awl.cf MIRRORED.BY
../ 20_freemail_domains.cf 20_uri_tests.cf 25_spf.cf 60_shortcircuit.cf regression_tests.cf
10_default_prefs.cf 20_freemail_mailcom_domains.cf 20_vbounce.cf 25_textcat.cf 60_txrep.cf sa-update-pubkey.txt
10_hasbase.cf 20_head_tests.cf 23_bayes.cf 25_uribl.cf 60_whitelist.cf STATISTICS-set0-72_scores.cf.txt
20_advance_fee.cf 20_html_tests.cf 25_accessdb.cf 30_text_de.cf 60_whitelist_dkim.cf STATISTICS-set1-72_scores.cf.txt
20_aux_tlds.cf 20_imageinfo.cf 25_antivirus.cf 30_text_fr.cf 60_whitelist_spf.cf STATISTICS-set2-72_scores.cf.txt
20_body_tests.cf 20_mailspike.cf 25_asn.cf 30_text_it.cf 60_whitelist_subject.cf STATISTICS-set3-72_scores.cf.txt
20_compensate.cf 20_meta_tests.cf 25_dcc.cf 30_text_nl.cf 72_active.cf user_prefs.template
20_dnsbl_tests.cf 20_net_tests.cf 25_dkim.cf 30_text_pl.cf 72_scores.cf
20_drugs.cf 20_pdfinfo.cf 25_hashcash.cf 30_text_pt_br.cf 73_sandbox_manual_scores.cf
20_dynrdns.cf 20_phrases.cf 25_pyzor.cf 50_scores.cf languages
20_fake_helo_tests.cf 20_porn.cf 25_razor2.cf 60_adsp_override_dkim.cf local.cf
[email protected] [/var/lib/spamassassin/3.004001/updates_spamassassin_org]#

You think I should add the rules in another place? Thank you!

 

[BOates]

I have very little working experience with MSFE, but if that is indeed the location that its implementation of SpamAssassin works out of, then I would assume this file:

/var/lib/spamassassin/3.004001/updates_spamassassin_org/local.cf

But that seems odd for the functional working directory to be in something called "updates_spamassassin_org" tied to a very specific spamassassin version. Your best bet is to reach out to ConfigServer support or refer to their documentation for instructions on adding custom rules to their implementation of SpamAssassin. It likely still is a "local.cf" file, but no idea on the location.

 

[UHLHosting]

You can add new rules to any new .cf file in /etc/mail/spamassassin and they will be used by spamassassin within MailScanner. We would recommend NOT using local.cf as that may be modified by cPanel during updates. When we do an install we create a new .cf file for our own added rules, called configserver.cf. You can create a .cf file and call it whatever you wish.

This si the reply from them.

 

[BOates]

That reply essentially clarifies that use of MSFE has no bearing on my original instructions, and you can just follow those instructions.

ConfigServer's claim that local.cf will get overridden is incorrect. In practice, and per official cPanel & WHM documentation, /etc/mail/spamassassin/local.cf is the correct global config file to utilize for SpamAssassin when it comes to manual edits.

How to Configure the Apache SpamAssassin Report_Safe Option - cPanel Knowledge Base - cPanel Documentation

The concern might stem from that cPanel & WHM *does* automate certain actions in this file, however they are all limited in scope to lines that end with the specific comment

# Autoconfigured by cPanel - Remove this end of line comment to avoid future updates

This specific handling is actually what allows cPanel & WHM's changes and manual changes to coexist. Of course, if MSFE's updates wipe out local.cf then that's a different story.

 

[UHLHosting]

@BOates, are you using also MailScanner by chance?

 

[BOates]

@BOates, are you using also MailScanner by chance?

I do not make use of any of the 3rd party email packages like MailScanner. Just out-of-the-box cPanel & WHM's Exim with manual customizations similar to what is shown in the original post of this thread. I have not had good experiences with Mailscanner and similar, so I tend to avoid them.

 

[UHLHosting]

@BOates Can you explain the part with not good experiences? What was the issues, and so.

 

[Infopro]

Agreed, I'd like to know as well. I'm a huge fan of MailScanner and MSFE.

 

[BOates]

The reasons are essentially negativity bias. Having supported countless cPanel & WHM systems in the past (since 2005), the sheer volume of mail delivery problems and other critical Exim failures that I personally traced back to MailScanner were numerous. This was to the point that virtually any customer exclaiming system-wide mail delivery issues, where MailScanner was found to be installed, were almost always related to MailScanner. Perhaps this has changed in recent years with improved 3rd party implementation of MailScanner or perhaps it simply just is my own negativity bias from seeing so many failures. It's probably the latter and that those failures were actually a statistical minority to the overall systems using it. I really wouldn't hang much weight to my opinions of MailScanner. I simply have no need for any of its features.

With MSFE, I don't think I've ever utilized it to any capacity. This is primarily because I do not use MailScanner. Because of this, I have no opinion of MSFE either way.

 

[brt]

Is this project abandoned? Doesn't look like it's up and the URL for it redirects to some crapsite.

 

[BOates]

Nope, it's very much alive and has been for some time.

Although, it looks like I have entirely neglected the A record for fresh.dieinafire.com itself (the host that provides the simple explanation page). I moved servers back in June, and the site that has been showing in its stead appears to be whoever took over my old netblock after I moved from it (the explanation page is hosted on a separate server from the actual DNSBL).

Give it a few hours and fresh.dieinafire.com's site should load the basic explanation page. But the DNSBL portion of fresh.dieinafire.com has been working this entire time without interruption.

 

[brt]

I just re-enabled on a couple servers. If I recall correctly, these blocks don't show up in the cPanel "Mail Delivery Reports" like other RBLs, right? If not, is there any way to make them?

 

[BOates]

Mail Delivery Reports depend upon Exim getting far enough in the transaction to create a Message ID for the transaction. Since these RBL based blocks occur well before this occurs, they won't list in Mail Delivery Reports.

In theory, you can basically "tease" the spammers and let them get further in the transaction before you have the logic that checks and blocks them based on sender. But, you're expending extra CPU/Memory/Bandwidth to allow MAIL FROM and DATA commands to come across Exim that otherwise wouldn't even be bothered with. You also run the risk of generating back scatter spam with your delivery failure notices since you're not rejecting the transaction outright and otherwise initially accepting it.

In essence, causing the convenience of showing up on Mail Delivery Reports would force you to make several negative concessions for your server that will only hurt it. I would not advise it.

 

[StingRay2k01]

Recently I had to setup a server from scratch and needed to keep costs down so I didn't go the mailscanner+frontend route.
I skipped mailscanner and just used RBLs's... like this one

It is working great, spamhaus, barracuda, and dieinafire are catching everything. I'm more than happy with the spam level. (almost zero, no false positives so far).

Just wanted to contribute a big thanks to BOates for dieinafire, much appreciated!

 

[tmurdock]

Is dieinafire still active? I've been getting a lot of DNS lookup defers and a huge increase in spam that is passing through.

 

[BOates]

Memory usage on the box has been up quite a bit lately. It's been a bit temperamental. Looks like the daemon that drives it ceased up at about 12:30am EST. Just restarted the service now. I'll keep an eye on it and work on fixing the issues. Hopefully I can avoid having to bump it to a beefier box. Good news is it looks like some folks are making use of it.

 

[Rodrigo Gomes]

Hello @BOates,

This works for Brazilian domains (example: domain.com.br)?

I think 5 days very conservative, I think that up to 20 days is fine.