Internal DNS Block List - take two

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
exi1ed0ne
Forum Regular
Posts: 190
Joined: Sun Nov 20, 2005 4:16 pm
Location: Right Behind You!

Internal DNS Block List - take two

Post by exi1ed0ne

I really didn't like my first effort at creating a dns block list that worked with plesk, so I went back to the drawing board. This one uses perl to watch the maillog in real-ish time for IPs sending rejected and good email, storing the info in a MySQL database. It will also give a bit of slack for senders that send mail that makes it through without getting tagged by spamassassin. This is really meant to replace all the other dnsbl lists in qmail, and use spamassassin to query them (and score them into oblivion) to build up your own. Doing it this way will have the added benefit of knowing who is being blocked, since qmail doesn't log rejected connections. After a configured time entries in the dns list are removed, and all entries also gradually drift back to a "neutral" stance.

By default you get 5 rejects before blocking, up to 15 rejects for hosts that send good email (5 + 1 for each clear message up to 10), entries live in DNS for 5 days, and any host that hasn't been seen in 180 days is removed from the database. All of which are configurable. You can use the spamassassin cf example from my first attempt to see how something like this works in your environment. After less than 24 hours of testing on my host, it was the number 3 hit rule - beat out only by AWL and RELAY_COUNTRY_US. See the sa-stats.txt file in the attached archive for detail - my list is RCVD_IN_ASBL.

Thoughts and critiques are welcome.
Attachment: dnsbl.tar.gz (3.99 KiB, downloaded 431 times)
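The reputation logic described in the post (reject counting with a per-host tolerance that grows with clean mail, a 5-day listing lifetime, 180-day forgetting, and the drift back to neutral), as an added Python sketch that is not the attached Perl script. Assumptions: a simplified one-line-per-message log format constructed for the example, the zone name asbl.local, the conventional 127.0.0.2 listing address, and a decay of one reject forgiven per full idle day; real qmail-scanner and spamassassin log lines differ and would need their own regex.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Defaults quoted in the post: 5 rejects before listing, +1 tolerance per clean
# message up to 10 (so at most 15), listings live 5 days, unseen hosts dropped after 180.
BASE_REJECTS = 5
CLEAN_BONUS_CAP = 10
LIST_TTL = timedelta(days=5)
FORGET_AFTER = timedelta(days=180)
# Assumption: "drift back to neutral" modelled as one reject forgiven per idle day.
DECAY_PER_DAY = 1

# Assumed, simplified log line shape (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<verdict>reject|clean) from=(?P<ip>(?:\d{1,3}\.){3}\d{1,3})$"
)

# Constructed sample log, not taken from any real maillog.
SAMPLE_LOG = """\
2023-06-01 08:00:00 reject from=192.0.2.44
2023-06-01 08:00:05 reject from=192.0.2.44
2024-01-10 10:00:01 reject from=198.51.100.7
2024-01-10 10:01:01 reject from=198.51.100.7
2024-01-10 10:02:01 reject from=198.51.100.7
2024-01-10 10:03:01 reject from=198.51.100.7
2024-01-10 10:04:01 reject from=198.51.100.7
2024-01-10 10:05:01 clean from=203.0.113.9
2024-01-10 10:06:01 clean from=203.0.113.9
2024-01-10 10:07:01 clean from=203.0.113.9
2024-01-10 10:08:01 reject from=203.0.113.9
2024-01-10 10:09:01 reject from=203.0.113.9
2024-01-10 10:10:01 reject from=203.0.113.9
2024-01-10 10:11:01 reject from=203.0.113.9
2024-01-10 10:12:01 reject from=203.0.113.9
2024-01-10 10:13:01 reject from=203.0.113.9
this line is deliberately unparsable
"""

@dataclass
class Host:
    rejects: int = 0
    cleans: int = 0
    last_seen: Optional[datetime] = None
    listed_at: Optional[datetime] = None

def threshold(h: Host) -> int:
    """Rejects a host may accumulate before it is listed."""
    return BASE_REJECTS + min(h.cleans, CLEAN_BONUS_CAP)

def is_listed(h: Host, now: datetime) -> bool:
    return h.listed_at is not None and now - h.listed_at < LIST_TTL

def ingest(hosts: Dict[str, Host], line: str) -> Optional[str]:
    """Apply one log line to the table; returns the IP, or None if the line is unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    h = hosts.setdefault(m["ip"], Host())
    if h.last_seen is not None:  # forgive rejects for days of silence before counting this one
        h.rejects = max(0, h.rejects - max(0, (ts - h.last_seen).days) * DECAY_PER_DAY)
    if m["verdict"] == "reject":
        h.rejects += 1
    else:
        h.cleans += 1
    h.last_seen = ts
    if h.rejects >= threshold(h) and not is_listed(h, ts):  # an active listing is not renewed
        h.listed_at = ts
    return m["ip"]

def ingest_all(text: str) -> Dict[str, Host]:
    hosts: Dict[str, Host] = {}
    for line in text.splitlines():
        ingest(hosts, line)
    return hosts

def dnsbl_name(ip: str, zone: str) -> str:
    """Octets reversed, which is the name a DNSBL client (spamassassin included) queries."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def build_zone(hosts: Dict[str, Host], now: datetime, zone: str = "asbl.local") -> List[Tuple[str, str, str]]:
    """A and TXT records for every host whose listing is still live."""
    records: List[Tuple[str, str, str]] = []
    for ip, h in sorted(hosts.items()):
        if is_listed(h, now):
            name = dnsbl_name(ip, zone)
            records.append((name, "A", "127.0.0.2"))
            records.append((name, "TXT", f"{ip} listed after {h.rejects} rejects"))
    return records

def prune(hosts: Dict[str, Host], now: datetime) -> List[str]:
    """Drop hosts not seen for FORGET_AFTER; returns the removed IPs."""
    stale = [ip for ip, h in hosts.items() if h.last_seen and now - h.last_seen > FORGET_AFTER]
    for ip in stale:
        del hosts[ip]
    return stale

if __name__ == "__main__":
    table = ingest_all(SAMPLE_LOG)
    for rec in build_zone(table, datetime(2024, 1, 12)):
        print(*rec)
```

Running it lists only 198.51.100.7: 203.0.113.9 earned three extra rejects of tolerance with its clean mail, and 192.0.2.44 is pruned as unseen for more than 180 days. The listing check runs at ingest time, so rebuilding the zone file (or the DNS records) after each batch of log lines is enough; there is no separate expiry job.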

Re: Internal DNS Block List - take two

Post by exi1ed0ne

Looks like it is back to the drawing board . . . again. For whatever reason the correct entry is in DNS, but the DNS blackhole service isn't stopping it. A tcpdump of DNS traffic on loopback shows a response of NXDOMAIN, rather than the expected hit (for some IPs). That makes no sense, as the IP is in there. Reloading DNS and xinetd makes no difference.

Oh well. I modified the script to just blacklist/unblacklist the IP with ASL for now.
-Andy
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Internal DNS Block List - take two

Post by faris

Keep at it. This looks interesting :-)

Don't give up.

Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>

Re: Internal DNS Block List - take two

Post by exi1ed0ne

Well I opened a ticket with Parallels to deal with the inability to remove txt records from the command line. It has been put on the wish list for a future release, so I'm not holding my breath. Still, the non-optimal outright blocking the worst of the worst has worked extremely well. For the first time since I've been fighting spam (years!), my spam caught by spamassassin is BELOW my ham count. I was getting about 3-5 spam to each ham previously. Of course my sample size is fairly small - only a few hundred legit messages per day. It also reduced the CPU time to less than an hour per day. Sure it isn't exactly RFC to just drop connection attempts for port 25 on a mailserver, but like the pirate code - they're just guidelines anyway. ;)

I still have to figure out why the DNSBL approach fails so hard, since the goal is to centralize it for multiple boxes to query. Even with the TXT message thing, a wildcard DNS entry could give some basic info on how to de-list. I can't for the life of me figure out why it wouldn't query a local source. Oh well, I'll get back to it soon hopefully.

If anyone is using the perl script, please be aware there is a typo in it that will prevent de-listing from the ASL blacklist. PM me if you'd like the fix.
-Andy

Re: Internal DNS Block List - take two

Post by faris

Why not try it with rbldnsd instead of using Bind for the DNS side of things? I've been using it with great success, and adding/removing an IP/TXT record is as simple as editing a file. It works perfectly in parallel with Bind (either on a dedicated public IP, or on a 127.0.0.x loopback IP or a private IP, with a forward statement in named.conf).

Faris.

Re: Internal DNS Block List - take two

Post by exi1ed0ne

I was trying for something that would work with a vanilla Plesk install without changing the base system - drop in the script and sit back. I'm probably just making things harder for myself that way, though. :)
-Andy