The Community Forums


Slightly OT - Offloading RBL checks to Firewall

Discussion in 'E-mail Discussions' started by santrix, Aug 28, 2009.

  1. santrix

    santrix Well-Known Member

    Like many cPanel users I have installed the APF firewall and have found it to be a straightforward, no-fuss addition to my fight against online pains in the proverbial...

    My exim process is under some considerable load in peak times, and I currently only check against the spamcop RBL to limit the number of callouts being made each time a message comes in.

    It would seem obvious to me that an RBL list that formed part of the deny rules for APF would be a million times more efficient as a way of preventing connections from bad hosts. I don't know how SpamCop sell/provide data to my cPanel installation, as I just tick a box in WHM, but looking at their website it looks like it's a subscription service, so I assume I get their data as part of my WHM/cPanel license?

    Anyway - does anyone know of a way to get the current RBL list on a monthly basis? Or even better, if someone has already written a script to parse it and turn it into an APF firewall rule list? And if that's not asking too much, could we have world peace (I guess the last one is stretching things).

    Steve
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  3. Eric

    Eric Administrator
    Staff Member

    Howdy,

    I could go into how they work, but it all boils down to this: RBLs are DNS-based. If you got a list of them every month they wouldn't be very real-time. If you're sure it's RBL checks that are driving up the exim load, then I'd check your DNS server in /etc/resolv.conf. It may not be quick enough to keep up with your needs.
     
  4. santrix

    santrix Well-Known Member

    Thanks for that... I know that APF also uses the SpamCop drop lists, like CSF, and it is enabled, but it seems to miss most of the spam hosts that connect. I didn't realise it was DNS-based - thanks for that (RTFM!)... maybe the drop lists are just not broad enough...

    I can't find much about how APF actually obtains the drop lists, or how often they are updated... more research required :)
     
  5. chrish.

    chrish. Member

    With regards to the drop lists, I've not used the one from SpamCop, but I have used the one from Spamhaus with reasonable success.

    The Spamhaus Project - DROP

    Mind you, it hasn't cut down on spam so much as it has on brute-force attempts against my FTP/SSH.

    In terms of spam tweaking, you may find nowadays the SpamCop RBL is a bit touchy/aggressive in its blacklisting approach, so rejecting at the connection level is a risky proposition. Personal preference; none of this is any measure of official cPanel stance.

    In my own setup (for my own personal, non-cPanel-affiliated sites) I've used CBL and the Barracuda lists with great success at the connection level. Because I am very confident in the methods they use for determining who gets blacklisted, I am happy to reject messages from people on either list. CBL, for example: I know that for someone to get listed, a) they have a malware infiltration, b) real, genuine spam has been sent, and c) they have a painless, no-questions-asked delisting policy.

    Some more info here - Blacklists Compared, 22-Aug-09

    You'll note that Barracuda's list and Spamhaus ZEN are the two with the highest hit rate. You will also note the bulk of the hits within ZEN are for the CBL - again, I personally find CBL's listing policy quite conservative, so very suitable for rejecting messages at SMTP time (instead of, for example, parsing the Received header and querying IPs against a blacklist). Because the ZEN aggregate zone includes the PBL, it is not doable for me (though the PBL is completely and totally justified, and frankly a brilliant list).

    Your mileage may vary, but in terms of DNS blacklists at the SMTP level (e.g. not post-acceptance, not at the firewall), I'd go with:

    - b.barracudacentral.org: please check with them first and make sure it's ok to use their list. This is how they feed their families, and I cannot condone using their list if it violates their usage requirements. I've read their policies, but as I'm no legalese-speaker I can't say whether you'd be authorized to use it or not (or if I'm even getting myself into trouble being a cPanel employee and recommending it?)

    - cbl.abuseat.org: again, please read their usage policies and ensure you meet the criteria.

    If you decide to go with ZEN at the SMTP level, you do not need the CBL in its own lookup; doing so is redundant, and wastes queries.

    For the DROP lists from any provider, they do *not* use DNS queries. They are not dynamic enough to necessitate a realtime lookup against the provider's list, so you'd need/want to manually download the lists, and use some manner of scripting wizardry to incorporate them into your firewall rules.

    Adding a disclaimer again, this next link is provided merely as an example, and you should review its contents before deployment, as this is NOT an officially supported cPanel function. You could incorporate the Spamhaus DROP list with the following iptables rules (plucked this from a bash script - you'd want to remove the comments):

    pastebin - collaborative debugging tool

    In terms of the actual RBLs, like bl.spamcop.net, zen.spamhaus.org, cbl.abuseat.org, dnsbl.sorbs.net, b.barracudacentral.org, these ARE polled through DNS - for performance reasons, this is NOT something you would want to do within something like iptables. I recall somewhere there was an iptables patch for the kernel that enabled querying RBLs (I may be making this up?). Simply put, do not do this. Do the polite thing and let your SMTP server do the RBL lookups, and reject with a 554 so that whoever is attempting and failing to send you mail KNOWS they are on a blacklist. If it's a spam bot, it doesn't matter since you aren't accepting the message, and you have no requirement to generate an NDR. If it's a legitimate sender who through some series of unfortunate events became blacklisted, we *want* their mail system to send them an NDR so the problem can be rectified; simply blocking a connection outright at the network level prevents this from happening, and again, is not sensible to put on a firewall or similar device.

    ...and this is where I cut myself off before I make the world's longest post. If you need any clarification on the above points, post back!
     
    #5 chrish., Sep 4, 2009
    Last edited: Sep 4, 2009
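    The post above says DROP lists are downloaded rather than queried over DNS and need "some manner of scripting wizardry" to get into firewall rules, and the pastebin link it refers to is gone. Here is an added example (written for this page, not chrish's script and not anything shipped by cPanel, APF or Spamhaus) that parses the DROP text format from constructed sample data, validates each netblock, and prints either iptables rules or a plain list for APF's deny file; the path /etc/apf/deny_hosts.rules is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: turn a Spamhaus DROP-style text list into
# firewall deny rules. Each data line is "netblock/prefix ; SBLnnn"; lines
# beginning with ";" are comments. The sample below is constructed, not real.

SAMPLE_DROP='; Spamhaus DROP List (constructed sample, not real data)
; Last-Modified: Fri, 04 Sep 2009 00:00:00 GMT
192.0.2.0/24 ; SBL100001
198.51.100.0/22 ; SBL100002
not-an-address ; SBL100003
203.0.113.0/33 ; SBL100004
'

# Read DROP-format text on stdin and print only well-formed IPv4 netblocks.
# Anything that is not four octets (0-255) plus a prefix length (0-32) is
# dropped, so a corrupted download cannot push garbage into the firewall.
drop_netblocks() {
    awk -F';' '{
        net = $1
        gsub(/[ \t]/, "", net)              # strip whitespace around the CIDR
        if (net == "") next                 # blank or comment-only line
        if (split(net, p, "/") != 2) next   # must be address/prefix
        if (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32) next
        if (split(p[1], o, ".") != 4) next
        ok = 1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
        if (ok) print net
    }'
}

# One iptables rule per netblock; this only prints, nothing is applied.
drop_to_iptables() {
    drop_netblocks | while IFS= read -r net; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$net"
    done
}

# APF reads static deny entries one per line from /etc/apf/deny_hosts.rules
# (assumed path), so the validated netblock list can be appended as-is.
drop_to_apf_deny() {
    drop_netblocks
}

# Number of rules the constructed sample yields (two survive validation).
sample_rule_count() {
    printf '%s' "$SAMPLE_DROP" | drop_to_iptables | wc -l | tr -d ' '
}
```

    To use it on a real download, pipe the saved drop.txt into drop_to_iptables (or drop_to_apf_deny) and review the output before applying it; the validation step is what keeps a truncated or tampered file from turning into bad firewall rules.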
  6. santrix

    santrix Well-Known Member

    ceerikey! How much coffee did you drink today?! ;-)

    Thanks for all that - very helpful... I'll have a looksie at those other RBLs and CBL, barracuda etc...

    It's been a steep learning curve these past 12 months, but all this info is invaluable... if I get stuck, I'll no doubt post back here... cheers :)
     
