Oct 19 2012

This is not a new idea, actually; someone among the SpamAssassin plugin developers has done it before. Basically, the idea is to put email addresses into an RBLDNSD zone in dnset format, i.e.:

Email:    user@example.com
RBLDNSD:  user.example.com

So we replace the @ sign with a dot (.). That way we can store the email addresses in the RBLDNSD dnset zone.

RBLDNSD part:

Create the emailbl zone data and the meta information.

zone data (the emailbl file referenced in the dataset spec below):

:127.0.0.4:DNSBL. $ - Not receiving email right now.
example.user.gmail.com
example.user.rediffmail.com

meta file:

$NS 1w ns.example.com ns.example.com
$SOA 1w ns.example.com admin.example.com 0 2h 2h 1w 1h
$DATASET generic @
@ A 1.2.3.4
@ MX 10 mx.example.com
@ TXT "example email blocklist"

In /etc/sysconfig/rbldnsd:

RBLDNSD="dsbl -r/var/lib/rbldns/dsbl -t 300 -b 1.2.3.4 \
emailbl.example.com:combined:meta,emailbl
"

Of course, we must delegate the subdomain emailbl.example.com from the example.com authoritative nameserver:

; subdomain delegation
emailbl.example.com.	IN NS ns.example.com.
ns.example.com.			IN A 1.2.3.4

Start the rbldnsd service:

service rbldnsd start

Now test a query against our rbldnsd for an email address that is in the blacklist:

# dig a example.user.gmail.com.emailbl.example.com +short
127.0.0.4

Great, we got an answer, 127.0.0.4. That means half of our work is done.

And now the SpamAssassin plugin part. I should warn you, I'm not a SpamAssassin expert; the code is based on another plugin which I modified. Most of the spam that reaches my server comes from hacked/compromised legitimate freemail accounts: the spammer sets the Reply-To header to their own email address (or both From and Reply-To are bogus).

Plugin code, ReplyTo.pm:

package ReplyTo;

use strict;
use warnings;
use Net::DNS;
use Mail::SpamAssassin;
use Mail::SpamAssassin::Plugin;
our @ISA = qw(Mail::SpamAssassin::Plugin);

# zone the email addresses are published in (see the rbldnsd part above)
my $emailbl_zone = 'emailbl.example.com';

sub new {
        my ($class, $mailsa) = @_;
        $class = ref($class) || $class;
        my $self = $class->SUPER::new($mailsa);
        bless ($self, $class);
        $self->register_eval_rule('check_for_spam_replyto');
        return $self;
}

# one resolver for the whole plugin; short timeouts so a slow DNS
# server does not stall message scanning
our $dns = Net::DNS::Resolver->new(
        udp_timeout  => 2,
        retry        => 2,
);

sub check_for_spam_replyto {
        my ($self, $msg) = @_;   # $msg is the PerMsgStatus object

        # ':addr' yields the bare address from the Reply-To: header;
        # it is undef or empty when the header is absent, so do not query then
        my $replyto = $msg->get('Reply-To:addr');
        return 0 unless defined $replyto && $replyto ne '';

        my $replyto_hit = $replyto;   # original form, for the report line

        # same transformation as the zone: user@domain -> user.domain
        $replyto =~ s/\@/./;
        my $found_replyto = '';

        my $query = $dns->query($replyto . '.' . $emailbl_zone, "A");
        if ($query) {
                foreach my $rr ($query->answer) {
                        # rbldnsd answers a listed entry with 127.x.x.x (127.0.0.4 here);
                        # skip non-A records, which have no address
                        if ($rr->type eq 'A' && $rr->address =~ /^127\./) {
                                $found_replyto = "FOUND";
                        }
                }
        }

        Mail::SpamAssassin::Plugin::dbg("ReplyTo: matching Reply-To: $replyto");
        if ($found_replyto eq 'FOUND') {
                $self->_got_hit($msg, $replyto_hit, "is blacklisted");
                return 1;
        }
        return 0;
}

sub _got_hit {
        my ($self, $msg, $email, $desc) = @_;
        my $rulename = $msg->get_current_eval_rule_name();

        $email =~ s/\@/[at]/;   # shown as user[at]domain in the report

        $msg->clear_test_state();
        $msg->test_log("$email");
        $msg->got_hit($rulename, "");
        $msg->register_async_rule_finish($rulename);
}
1;

Put the plugin in, say, the /etc/mail/spamassassin/plugins directory.
To load the plugin and set the rules, we can create a new .pre file, e.g. v350.pre:

loadplugin ReplyTo plugins/ReplyTo.pm
header          RCVD_REPLYTO_EMAILBL eval:check_for_spam_replyto()
describe        RCVD_REPLYTO_EMAILBL Email adress Listed in Reply-To:
score           RCVD_REPLYTO_EMAILBL 5.5

Restart SpamAssassin and test using this modified GTUBE template, with the Reply-To header changed to one of the email addresses in our emailbl zone:

Subject: Test spam mail (GTUBE)
Message-ID: <GTUBE1.1010101@example.net>
Date: Wed, 23 Jul 2003 23:30:00 +0200
From: Sender <sender@example.com>
To: Recipient <recipient@example.net>
Reply-To: "spam" <example.user@gmail.com>
Precedence: junk
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

This is the GTUBE, the
        Generic
        Test for
        Unsolicited
        Bulk
        Email

If your spam filter supports it, the GTUBE provides a test by which you
can verify that the filter is installed correctly and is detecting incoming
spam. You can send yourself a test mail containing the following string of
characters (in upper case and with no white spaces and line breaks):

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

You should send this test mail from an account outside of your network.

# spamc -R < gtube.txt
1013.1/5.0
Spam detection software, running on the system "mx.example.com", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
admin@example.com for details.

Content preview:  This is the GTUBE, the Generic Test for Unsolicited Bulk Email
   If your spam filter supports it, the GTUBE provides a test by which you can
   verify that the filter is installed correctly and is detecting incoming spam.
   You can send yourself a test mail containing the following string of characters
   (in upper case and with no white spaces and line breaks): [...]

Content analysis details:   (1007.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            (acctan57mam[at]live.com)
 5.5 RCVD_REPLYTO_EMAILBL   Email adress Listed in Reply-To:
                            [example.user[at]gmail.com]
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
1000 GTUBE                  BODY: Generic Test for Unsolicited Bulk Email
 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
-0.0 NO_RECEIVED            Informational: message has no Received headers
 1.0 FREEMAIL_REPLYTO       Reply-To/From or Reply-To/body contain different
                            freemails

Great, that email triggered our plugin. This plugin can also be modified to match the email address in the From: header or anything else.
I put 5.5 as the score just as an example; tune it, YMMV. This email blacklist can also be used to reject email during the SMTP conversation.

Use it carefully; the code is experimental.
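The address-to-name mapping and the 127.x answer check that the plugin performs, as an added example in Python (not code from the post): it builds the query name under the post's emailbl.example.com zone, interprets the answer, and shows that the mapping is lossy, so two different addresses can query the same name. The resolver is a constructed stand-in loaded with the two entries from the post's zone; check_address and fake_resolve are names chosen here.

```python
import ipaddress
from typing import Callable, List

EMAILBL_ZONE = "emailbl.example.com"   # zone name used in the post


def emailbl_qname(address: str, zone: str = EMAILBL_ZONE) -> str:
    """Map user@domain to the dnset key user.domain and append the zone.

    The post's plugin does s/@/./ on the Reply-To address; anything that is
    not a single plain user@domain is rejected here instead of being queried.
    """
    address = address.strip().lower()       # DNS names are case-insensitive
    if address.count("@") != 1 or address.startswith("@") or address.endswith("@"):
        raise ValueError(f"not a plain user@domain address: {address!r}")
    local, domain = address.split("@")
    return f"{local}.{domain}.{zone}"


def is_listed(answers: List[str]) -> bool:
    """rbldnsd signals a hit with an A record in 127.0.0.0/8 (127.0.0.4 in the post)."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in loopback for a in answers)


def check_address(address: str, resolve: Callable[[str], List[str]]) -> bool:
    """resolve(qname) returns the A records for qname as strings, [] on NXDOMAIN."""
    return is_listed(resolve(emailbl_qname(address)))


# Constructed stand-in for DNS: the post's zone lists example.user.gmail.com and
# example.user.rediffmail.com, both answered with 127.0.0.4.
FAKE_ZONE = {
    "example.user.gmail.com." + EMAILBL_ZONE: ["127.0.0.4"],
    "example.user.rediffmail.com." + EMAILBL_ZONE: ["127.0.0.4"],
}


def fake_resolve(qname: str) -> List[str]:
    return FAKE_ZONE.get(qname.lower(), [])


def collides(a: str, b: str) -> bool:
    """True when two distinct addresses produce the same query name: the '@'
    position is lost, so example.test@domain.tld and example@test.domain.tld
    would both be looked up as example.test.domain.tld (a false-positive risk)."""
    return a.strip().lower() != b.strip().lower() and emailbl_qname(a) == emailbl_qname(b)


if __name__ == "__main__":
    for addr in ("example.user@gmail.com", "sender@example.com"):
        print(addr, "listed" if check_address(addr, fake_resolve) else "not listed")
    print("collision:", collides("example.test@domain.tld", "example@test.domain.tld"))
```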

2 Responses to “Simple Email Blacklist Using Spamassassin Plugin And RBLDNSD”
  1. There was a discussion about this a while ago on the SpamAssassin list and no conclusion was made (http://spamassassin.1065346.n5.nabble.com/DNSBL-for-email-addresses-td12165.html), however I believe it might cause some FP. At least at $WORK we have emails example.test@domain.tld and example@test.domain.tld, which is the first one I can think of…

    However, I like your effort 😉

  2. yeah, I’ve read about that discussion too :), that’s why I only encourage someone that might be interested to do a freemail list in the rbldns zone (in the example). I think it is safe enough. but thanks for reminding me.

    cheers
