Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat. The purpose of this eBook is to educate the reader about ransomware attacks.
Course Of The Month
2 days, 7 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
How to implement "Realtime Blackhole List database"
Posted on 2002-07-02
I would like to activate the Realtime Blackhole List database on my install of sendmail...
I would like to know :
1) how to activate this
2) if there might be any implications of activating this
3) if I can switch it on and off for particular domains on my server
4) If I need to pay anything for it
5) how i can test it
I have found the following information in the sendmail manual... But it doesn't realy answer all of my questions.
I have the latest version of sendmail.
--------------------------
FEATURE(`dnsbl')
This will cause sendmail to reject mail from any site in the Realtime Blackhole List database. You can specify an alternative RBL name server to contact by specifying an argument to the FEATURE. The default error message is "Mail from $&{client_addr} refused by blackhole site DOMAIN" where DOMAIN is replaced by the first argument. A second argument can be used to specify a different text. This FEATURE can be included several times to query different DNS based rejection lists, e.g., the dial-up user list (see http://maps.vix.com/dul/).
The features described above make use of the check_relay, check_mail, and check_rcpt rulesets. If you wish to include your own checks, you can put your checks in the rulesets Local_check_relay, Local_check_mail, and Local_check_rcpt. For example if you wanted to block senders with all numeric usernames (i.e. 2312343@bigisp.com), you would use Local_check_mail and the new regex map:
LOCAL_CONFIG
Kallnumbers regex -a@MATCH ^[0-9]+$
LOCAL_RULESETS
SLocal_check_mail
# check address against various regex checks
R$* $: $>Parse0 $>3 $1
R$+ < @ bigisp.com. > $* $: $(allnumbers $1 $)
R@MATCH $#error $: 553 Header Error
These rules are called with the original arguments of the corresponding check_* ruleset. If the local ruleset returns $#OK, no further checking is done by the features described above and the mail is accepted. If the local ruleset resolves to a mailer (such as $#error or $#discard), the appropriate action is taken. Otherwise, the results of the local rewriting are ignored.
--------------------------
Many thanks in advance
I would like to know :
1) how to activate this
2) if there might be any implications of activating this
3) if I can switch it on and off for particular domains on my server
4) If I need to pay anything for it
5) how i can test it
I have found the following information in the sendmail manual... But it doesn't realy answer all of my questions.
I have the latest version of sendmail.
--------------------------
FEATURE(`dnsbl')
This will cause sendmail to reject mail from any site in the Realtime Blackhole List database. You can specify an alternative RBL name server to contact by specifying an argument to the FEATURE. The default error message is "Mail from $&{client_addr} refused by blackhole site DOMAIN" where DOMAIN is replaced by the first argument. A second argument can be used to specify a different text. This FEATURE can be included several times to query different DNS based rejection lists, e.g., the dial-up user list (see http://maps.vix.com/dul/).
The features described above make use of the check_relay, check_mail, and check_rcpt rulesets. If you wish to include your own checks, you can put your checks in the rulesets Local_check_relay, Local_check_mail, and Local_check_rcpt. For example if you wanted to block senders with all numeric usernames (i.e. 2312343@bigisp.com), you would use Local_check_mail and the new regex map:
LOCAL_CONFIG
Kallnumbers regex -a@MATCH ^[0-9]+$
LOCAL_RULESETS
SLocal_check_mail
# check address against various regex checks
R$* $: $>Parse0 $>3 $1
R$+ < @ bigisp.com. > $* $: $(allnumbers $1 $)
R@MATCH $#error $: 553 Header Error
These rules are called with the original arguments of the corresponding check_* ruleset. If the local ruleset returns $#OK, no further checking is done by the features described above and the mail is accepted. If the local ruleset resolves to a mailer (such as $#error or $#discard), the appropriate action is taken. Otherwise, the results of the local rewriting are ignored.
--------------------------
Many thanks in advance
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
2
-
2
- +4
10 Comments
The "Realtime Blackhole List" mentioned above is a subscription service, so unless you've bought that service you can't simply enable it. Take a look at http://mail-abuse.org for more information about it. There are some free lists available that you can use, like: http://www.ordb.org/
I think this question is more focused on how to activate m4 features - I did this a while back, but I usually just grab a good sendmail.cf that does what I want and adjust it if needed.
>so unless you've bought that service you can't simply enable it
Sigh - I long for the days of free MAPS. I could ruminate at length about the politics of free vs pay services (and the evolution of one from the other), but I would bore everyone to tears, and this question would remain unsolved.
I will attempt to address the above 5 issues:
1. Read up on regenerating your sendmail.cf via m4 - if you need specific examples, I may be able to provide them.
2. False positives are your biggest concern, as well as the balkenization of blackhole lists after the demise or ORBS and the transitiion of MAPS to a pay service - if you use a blackhole list, be sure you are getting it from the originating collector of such data.
3. Jim might be able to provide more info, but AFAIK, there is not currently a way (without hacking sendmail.cf, which as anyone can tell you is mind-numbing, and makes your eyes bleed)
4. Depends which RBL you wish to use
5. Easy - just configure another server to have a blacklisted IP, set up an appropriate networking config to be able to reach your mailserver, and hammer away.
Cheers,
-Jon
>so unless you've bought that service you can't simply enable it
Sigh - I long for the days of free MAPS. I could ruminate at length about the politics of free vs pay services (and the evolution of one from the other), but I would bore everyone to tears, and this question would remain unsolved.
I will attempt to address the above 5 issues:
1. Read up on regenerating your sendmail.cf via m4 - if you need specific examples, I may be able to provide them.
2. False positives are your biggest concern, as well as the balkenization of blackhole lists after the demise or ORBS and the transitiion of MAPS to a pay service - if you use a blackhole list, be sure you are getting it from the originating collector of such data.
3. Jim might be able to provide more info, but AFAIK, there is not currently a way (without hacking sendmail.cf, which as anyone can tell you is mind-numbing, and makes your eyes bleed)
4. Depends which RBL you wish to use
5. Easy - just configure another server to have a blacklisted IP, set up an appropriate networking config to be able to reach your mailserver, and hammer away.
Cheers,
-Jon
Thanks Jon and jlevie.
I am away on holiday for 2 weeks but I'll post more on this when I get back.
I have noticed some sendmail.mc code that you can enable on http://www.ordb.org/ (which looks free... is it?)
anyway when I put that in the .mc and ran that through m4 It came up with the following sendmail.cf lines...
As you said jon, these imediately caused eye-bleed.
I placed them in the sendmail.cf file and restarted sendmail... shock-horror it wouldn't restart... something about missing <TAB> characters.
Here are the sendmail.if lines.... Any ideas ?
# DNS based IP address spam list relays.ordb.org
R$* $: $&{client_addr}
R::ffff:$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1.relays.ordb.or
R$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1.relays.ordb.or
R<?>OK $: OKSOFAR
R<?>$+ $#error $@ 5.7.1 $: "Email blocked using ORDB.org - see <http://ORDB.org/lookup/?host="$&{client_addr}>
I am away on holiday for 2 weeks but I'll post more on this when I get back.
I have noticed some sendmail.mc code that you can enable on http://www.ordb.org/ (which looks free... is it?)
anyway when I put that in the .mc and ran that through m4 It came up with the following sendmail.cf lines...
As you said jon, these imediately caused eye-bleed.
I placed them in the sendmail.cf file and restarted sendmail... shock-horror it wouldn't restart... something about missing <TAB> characters.
Here are the sendmail.if lines.... Any ideas ?
# DNS based IP address spam list relays.ordb.org
R$* $: $&{client_addr}
R::ffff:$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1.relays.ordb.or
R$-.$-.$-.$- $: <?> $(host $4.$3.$2.$1.relays.ordb.or
R<?>OK $: OKSOFAR
R<?>$+ $#error $@ 5.7.1 $: "Email blocked using ORDB.org - see <http://ORDB.org/lookup/?host="$&{client_addr}>
Worked it out....
between all of those lines of code I needed a <tab> character
R$* $: $&{client_addr}
^these should be tabs not spaces.
I'll retry this when I get back in two weeks.
between all of those lines of code I needed a <tab> character
R$* $: $&{client_addr}
^these should be tabs not spaces.
I'll retry this when I get back in two weeks.
Yes, ordb.org is free, and yes you have to use tabs not spaces in a sendmail config file. Also one needs to be aware that single quotes in a config file are left and right single quotes, i.e., `nnn', not 'nnn'.
uninstall sendmail and install Postfix. You can probably find a FAQ on how to do this with your distribution. edit the /etc/postfix/main.cf to include:
maps_rbl_domains = relays.osirusoft.com bl.spamcop.net
and
smtpd_client_restrictions = hash:/etc/postfix/access, permit_mynetworks, reject_maps_rbl, permit
issue a postfix reload and you're off.
My experiance with these two RBLs is very positive and can't remember legitimate mail being rejected...your mileage may vary...its free, and you can argue that sites should not be listed if you have a valid reason to....
maps_rbl_domains = relays.osirusoft.com bl.spamcop.net
and
smtpd_client_restrictions = hash:/etc/postfix/access, permit_mynetworks, reject_maps_rbl, permit
issue a postfix reload and you're off.
My experiance with these two RBLs is very positive and can't remember legitimate mail being rejected...your mileage may vary...its free, and you can argue that sites should not be listed if you have a valid reason to....
The easiest way to add RBL support is add lines like this to sendmail.mc
FEATURE(`dnsbl',`sbl.spamh
FEATURE(`dnsbl',`relays.os
and then regenerate sendmail.cf with the command:
m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
It seems to be happy and puts all the right entries into sendmail.cf but it isn't working for me. I have another question posted on this exact topic.
FEATURE(`dnsbl',`sbl.spamh
FEATURE(`dnsbl',`relays.os
and then regenerate sendmail.cf with the command:
m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
It seems to be happy and puts all the right entries into sendmail.cf but it isn't working for me. I have another question posted on this exact topic.
Featured Post
Your communication platform is only as good as the relevance of the information you send. Ensure your alerts get to the right people every time with actionable responses. Create escalation rules that ensure everyone follows the process and nothing is left to chance.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Utilizing an array to gracefully append to a list of EmailAddresses
New-MailboxSearch Powershell Command and step by step approach to Search and Extract Emails form Exchange 2013 Journaling server.
Familiarize people with the process of utilizing SQL Server functions from within Microsoft Access. Microsoft Access is a very powerful client/server development tool. One of the SQL Server objects that you can interact with from within Microsoft Ac…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center.
Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center.
Navigate to the Mail Flow >> Rules tab.: To cr…
Suggested Courses
Course of the Month2 days, 7 hours left to enroll
719 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.