Realtime Blackhole Lists (RBL's)

One of the best ways to fight spam is to use RBLs. An RBL is a list of servers you usually do not want to talk to: some list open relays, some list open proxies, and some list dynamic IP ranges. There are many different types of RBL out there, so you might want to do some investigation before you decide which ones to use. The idea is that when a server connects to your server, SurgeMail checks the RBL to see whether the connecting server's IP is listed; if it is, SurgeMail can simply drop the connection, or it can stamp the message to say the sender is listed on an RBL and increase the ASPAM score. Using RBLs can dramatically decrease the amount of spam coming into your system and we highly recommend using them.

Here are some RBLs you can use. Please double check with their websites to make sure they are still operating.

For each RBL: the name to enter in SurgeMail (name section), the response code it returns for a listed IP, and general information on the list.

Spamhaus SBL
  Name to enter: sbl.spamhaus.org
  Response code: 127.0.0.2
  Very well known RBL, well recommended. Lists direct UBE sources, verified spam services and ROKSO spammers.
  More info on the SBL list: http://www.spamhaus.org/sbl/index.lasso

Spamhaus XBL
  Name to enter: xbl.spamhaus.org
  Response code: 127.0.0.4-6
  Lists illegal 3rd party exploits, including proxies, worms and trojan exploits.
  More info on the XBL list: http://www.spamhaus.org/xbl/index.lasso

Spamhaus ZEN
  Name to enter: zen.spamhaus.org
  Response codes: 127.0.0.2 (SBL), 127.0.0.4, 127.0.0.5 or 127.0.0.6 (XBL), 127.0.0.8 (PBL)
  If you want to use the SBL, the XBL and the new PBL together, you can just enter this one list into SurgeMail.
  More info on the ZEN list: http://www.spamhaus.org/zen/

Domain Name System Real-time Black List (DNSRBL)
  Name to enter: dun.dnsrbl.net
  Response code: 127.0.0.2-9
  List of IP addresses of machines that are either direct spam sources or dial-up (dynamic address) pools which would never be a source of non-spam messages.

RFC Ignorant (Whois)
  Name to enter: whois.rfc-ignorant.org
  Response code: 127.0.0.7 or 127.0.0.5
  List of IPs that do not comply with the RFCs. Be careful about using this one: being listed here means the domain's whois data is non-compliant, not that the server sends spam.

Spamcop
  Name to enter: bl.spamcop.net


There are plenty more out there, but the above ones are well known and will probably do the trick.

To add them to SurgeMail, click Spam control, then scroll down in the right frame until you find the RBL settings. You will need to click on the advanced mode link to view all RBL settings, then click on Edit RBL's.

In the name section you add the domain of the RBL (eg bl.spamcop.net), then the action you would like to take (deny, accept, or stamp), and then in the stamp section you can add the stamp text.

deny = the connection is refused and the sending server is sent the stamp text as the rejection message.
stamp = the message is allowed through but is stamped with the stamp text you set. The stamp text is added to the message as the value of the X-ORBS-Stamp header, eg X-ORBS-Stamp: Listed in SPAMCOP (||remoteip||); ||remoteip|| is replaced with the IP of the connecting server.

The RBLs are processed in the order they are listed, and once the sending server is found on one of them the rest are not checked, to save processing (see g_orbs_check_all below to change this).

There are servers you might never want to risk being denied: servers sometimes get themselves onto an RBL by accident, and RBLs sometimes list servers by mistake. The exception list of IPs (the third option on the RBL settings screen) lets you add IPs that SurgeMail will never check against any RBL.

In the advanced mode of the web admin look for "do late disconnect" (g_orbs_late). With this enabled your users are allowed to authenticate first and the RBL checks are done afterwards, so users whose IP happens to be on an RBL can still send messages through your server. It can also be used with the setting g_spf_skip_to, which lets you list recipients for whom the RBL checks are bypassed; you might add postmaster here, as everyone should be able to send to postmaster.


Editing surgemail.ini directly

For those who prefer to edit surgemail.ini directly, here are the settings and some examples:

g_orbs_list name="zen.spamhaus.org" action="deny" stamp="Your ip ||remoteip|| is listed in the spamhaus RBL http://www.spamhaus.org"
g_orbs_list name="bl.spamcop.net" action="stamp" stamp="Listed in SPAMCOP"

RBL Exceptions:

  • g_orbs_exception "ip,ip,ip" - IPs that are never checked against any RBL.
  • g_orbs_late "true" - This makes the RBL checks happen after the authentication phase and allows you to also use g_spf_skip_to and g_spf_skip_from.
  • g_spf_skip_to "fred@mydomain.com" - This will make SurgeMail skip the RBL checks if the message is going to fred@mydomain.com; requires g_orbs_late "true".
  • g_spf_skip_from "fred@anotherdomain.com" - This will make SurgeMail skip the RBL checks if the from address matches this; requires g_orbs_late "true".
  • g_spam_allow_rbl "true/false" - Give the unblock message to RBL bounces too. Make sure you read the documentation on this setting before setting it to true.

Misc. RBL settings

  • g_orbs_force "true/false" - Force RBL check even if g_allow_ip matches this ip number.
  • g_orbs_timeout "seconds" - Seconds to wait for RBL lookups, default is 10 seconds.
  • g_orbs_report "true/false" - Use this setting to test your own ip addresses: as soon as one of them is found on an RBL you will be sent an email to alert you.
  • g_orbs_check_all "true/false" - Keep doing lookups even if found in a RBL.


HostKarma.junkemailfilter.com

This is like an RBL, but some responses are good and some are bad, so instead of a single stamp you use a rule like the one below. The stamp is a list of entries separated by ~; each entry is a response code, an = sign, the stamp text for that code, and optionally :accept or :deny to override the action for that code.


g_orbs_list name="hostkarma.junkemailfilter.com" action="stamp" stamp="127.0.0.1=hostkarma_white:accept~127.0.0.2=http://ipadmin.junkemailfilter.com/remove.php:deny~127.0.0.3=hostkarma_yellow~127.0.0.4=hostkarma_brown~127.0.0.5=hostkarma_nobl~127.0.1.1=hostkarma_quitok~127.0.1.2=hostkarma_noquit"
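
As an added example (not SurgeMail code, and not from the original page), the following Python shows what a lookup against the lists above involves: the connecting IP's octets are reversed and prefixed to the RBL zone, the A record that comes back is matched against the response codes from the table earlier, and a HostKarma-style stamp string like the rule above is parsed into a per-code stamp and action. Rules are processed in order and, as described earlier, the first listing ends the scan unless check_all is set, which mirrors g_orbs_check_all. The DNS answers and IP addresses are constructed in-memory test data, and the choice that an accept result ends processing is this example's own assumption; SurgeMail's actual handling of accept is not documented on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A resolver maps a DNS name to the A records returned ("127.0.0.x" strings),
# or [] for NXDOMAIN. A real deployment would query DNS; the table further
# down is constructed test data so this runs offline.
Resolver = Callable[[str], List[str]]

# Actions that may follow a HostKarma-style stamp entry (":accept", ":deny").
KNOWN_ACTIONS = ("accept", "deny", "stamp")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the RBL query name: octets reversed, then the zone.
    192.0.2.10 against zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on non-IPv4 input
    return ".".join(reversed(octets)) + "." + zone


def parse_stamp_map(stamp: str) -> Dict[str, Tuple[str, str]]:
    """Parse '127.0.0.1=label:accept~127.0.0.2=http://host/remove.php:deny~...'
    into {code: (stamp_text, action)}. Entries without a known ':action'
    suffix default to 'stamp'; a ':' inside a URL is left alone."""
    table: Dict[str, Tuple[str, str]] = {}
    for entry in stamp.split("~"):
        code, _, rest = entry.partition("=")
        text, sep, action = rest.rpartition(":")
        if sep and action in KNOWN_ACTIONS:
            table[code.strip()] = (text, action)
        else:
            table[code.strip()] = (rest, "stamp")
    return table


@dataclass
class RblRule:
    name: str    # zone, as in g_orbs_list name="..."
    action: str  # deny or stamp, as in action="..."
    stamp: str   # stamp text, or a per-response map for HostKarma-style lists


def check_rbls(ip: str, rules: List[RblRule], resolve: Resolver,
               check_all: bool = False) -> List[dict]:
    """Query each rule in order. Without check_all the first listing ends the
    scan (SurgeMail's default); with it every list is consulted so later
    scoring can count several hits. Assumption (not from the page): an
    'accept' mapping whitelists the sender and also ends the scan."""
    hits: List[dict] = []
    for rule in rules:
        answers = resolve(dnsbl_query_name(ip, rule.name))
        if not answers:
            continue
        code, action = answers[0], rule.action
        text = rule.stamp.replace("||remoteip||", ip)
        if rule.stamp.startswith("127.") and "=" in rule.stamp:  # per-response map
            table = parse_stamp_map(rule.stamp)
            matched = [a for a in answers if a in table]
            if not matched:
                continue  # listed with a code the rule does not map: ignore it
            code = matched[0]
            text, action = table[code]
        hits.append({"rbl": rule.name, "code": code, "action": action, "stamp": text})
        if action == "accept" or not check_all:
            break
    return hits


def verdict(hits: List[dict]) -> str:
    """First accept/deny hit decides; only stamps means 'stamp'; none means 'clean'."""
    for h in hits:
        if h["action"] in ("accept", "deny"):
            return h["action"]
    return "stamp" if hits else "clean"


HOSTKARMA_STAMP = ("127.0.0.1=hostkarma_white:accept"
                   "~127.0.0.2=http://ipadmin.junkemailfilter.com/remove.php:deny"
                   "~127.0.0.3=hostkarma_yellow~127.0.0.4=hostkarma_brown"
                   "~127.0.0.5=hostkarma_nobl~127.0.1.1=hostkarma_quitok"
                   "~127.0.1.2=hostkarma_noquit")

RULES = [  # the lists the page configures, in processing order
    RblRule("hostkarma.junkemailfilter.com", "stamp", HOSTKARMA_STAMP),
    RblRule("zen.spamhaus.org", "deny",
            "Your ip ||remoteip|| is listed in the spamhaus RBL http://www.spamhaus.org"),
    RblRule("bl.spamcop.net", "stamp", "Listed in SPAMCOP"),
]

# Constructed DNS answers (documentation-range addresses; none of these listings are real).
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],               # an XBL code within ZEN
    "10.2.0.192.bl.spamcop.net": ["127.0.0.2"],
    "20.2.0.192.hostkarma.junkemailfilter.com": ["127.0.0.1"],  # white
    "30.2.0.192.hostkarma.junkemailfilter.com": ["127.0.0.2"],  # black
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.99"):
        hits = check_rbls(ip, RULES, fake_resolve, check_all=True)
        print(ip, verdict(hits), [h["stamp"] for h in hits])
```

Running it with check_all=True shows 192.0.2.10 collecting both the ZEN deny and the SpamCop stamp, which is the situation the scoring section below relies on; with the default check_all=False the scan stops at ZEN.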


Note:
g_relay_allow_ip "ip" also lets those IPs bypass the RBL checks; this behaviour can be stopped with the setting g_orbs_force "true".

Adding scoring to ASPAM when found in a RBL

Instead of outright denying, you can set stamp mode and then use those stamps to add scoring in ASPAM. This gives the end user more control and is more reliable, because you can configure SurgeMail to reject a message only if the sender is found in a certain number of RBLs instead of just one.

So if we have:

g_orbs_list name="bl.spamcop.net" action="stamp" stamp="Listed in SPAMCOP"
g_orbs_list name="zen.spamhaus.org" action="stamp" stamp="Listed in zen.spamhaus.org" 

Then edit sf_mfilter_local.txt in the surgemail directory and add this to it:

if(isin("X-ORBS-Stamp", "Listed in SPAMCOP")) then
  call feature_manual(.98, "Senders ip was found in SPAMcop RBL")
end if
if(isin("X-ORBS-Stamp", "Listed in zen.spamhaus.org")) then
  call feature_manual(.98, "Senders ip was found in zen.spamhaus.org RBL")
end if

The header SurgeMail adds is always "X-ORBS-Stamp", with your stamp text as its value, so you always check against that header.

Each rule above adds 6 points when the sender's IP is found in the corresponding RBL. By default, when SurgeMail finds a sender's IP in one RBL it does not check the rest of the RBLs you have listed. With scoring it is useful to make SurgeMail keep checking the other RBLs: a sender found on more than one RBL then accumulates a higher score, which lessens the chance of a false positive from a single listing and increases the chance that genuine spam is caught by the high score. The following setting does this:

g_orbs_check_all "true"

With this setting, if the sender above is found in both spamcop and spamhaus, a total of 12 points is added to the message.
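
As an added example, not part of SurgeMail or this page, here is the scoring logic of the filter rules above written in Python so it can be run over a constructed message: it looks at every X-ORBS-Stamp header (more than one when g_orbs_check_all "true" produces several listings), adds 6 points per matching stamp as the page states, and rejects only above a threshold. The threshold value, the case-insensitive matching in isin, and the assumption that each listing produces its own X-ORBS-Stamp header are this example's own.

```python
from email import message_from_string
from email.message import Message
from typing import List, Tuple

# One (stamp text to look for, points, reason) row per RBL, mirroring the
# sf_mfilter_local.txt rules above; the page says each rule adds 6 points.
SCORE_RULES = [
    ("Listed in SPAMCOP", 6, "Senders ip was found in SPAMcop RBL"),
    ("Listed in zen.spamhaus.org", 6, "Senders ip was found in zen.spamhaus.org RBL"),
]
# Assumption for this example: one listing (6 points) is not enough to reject,
# two listings (12 points) are.
REJECT_THRESHOLD = 10


def isin(msg: Message, header: str, text: str) -> bool:
    """Counterpart of the filter language's isin(header, text). get_all()
    sees every instance of the header, which matters when g_orbs_check_all
    "true" leaves several X-ORBS-Stamp headers on a message (assumed here to
    be one header per listing). Case-insensitive matching is this example's
    choice, not something the page specifies."""
    return any(text.lower() in value.lower() for value in msg.get_all(header, []))


def rbl_score(raw_message: str) -> Tuple[int, List[str]]:
    """Return (points added, reasons) for the RBL stamps on a message."""
    msg = message_from_string(raw_message)
    score, reasons = 0, []
    for text, points, reason in SCORE_RULES:
        if isin(msg, "X-ORBS-Stamp", text):
            score += points
            reasons.append(reason)
    return score, reasons


def decide(raw_message: str) -> str:
    """Reject only when enough independent listings stack up."""
    return "reject" if rbl_score(raw_message)[0] >= REJECT_THRESHOLD else "accept"


# Constructed messages (not captured from a live server).
ONE_LISTING = (
    "X-ORBS-Stamp: Listed in SPAMCOP\n"
    "From: sender@example.net\nTo: user@example.com\nSubject: hello\n\nbody\n"
)
TWO_LISTINGS = (
    "X-ORBS-Stamp: Listed in SPAMCOP\n"
    "X-ORBS-Stamp: Listed in zen.spamhaus.org\n"
    "From: sender@example.net\nTo: user@example.com\nSubject: hello\n\nbody\n"
)
CLEAN = "From: sender@example.net\nTo: user@example.com\nSubject: hello\n\nbody\n"

if __name__ == "__main__":
    for label, raw in (("one", ONE_LISTING), ("two", TWO_LISTINGS), ("clean", CLEAN)):
        print(label, rbl_score(raw), decide(raw))
```

The single-listing message stays under the threshold and is accepted; the message stamped by both lists reaches 12 points and is rejected, which is the "found in a certain number of RBLs" behaviour the section describes.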