Topic: dynablock.njabl.org, combined.njabl.org

[kruhm]

Anyone using these lists in their RBLList:

dynablock.njabl.org
combined.njabl.org

Or combined.njabl.org instead of dnsbl.njabl.org?

[kruhm]

A recent audit of spam that came through my systems showed that the majority were from dynamic IP's.

I thought the dnsbl.njabl.org list was supposed to take care of that but found out it wasn't being updated anymore.
http://www.njabl.org/use.html#nomoredial

* Though dnsbl.njabl.org still contains lots of dialup/dynamic listings, no more are being added. All dialup/dynamic additions are being put into the dynablock.njabl.org zone, also available as part of combined.njabl.org.

I changed the db and added:
-combined.njabl.org (contains the old dnsbl.njabl.org and the newer updatede dynablock.njabl.org)
-psbl.surriel.com (my tests showed this list was fast and caught some IP's not listed in any other list)

Code: [Select]


config setprop qpsmtpd RBLList sbl-xbl.spamhaus.org,whois.rfc-ignorant.org,dnsbl.njabl.org,relays.ordb.org,combined.njabl.org,psbl.surriel.com


Bug created.

[raem]

kruhm

> dynablock.njabl.org

This is a more aggressive list, as is
bl.spamcop.net

dnsbl.sorbs.net
is conservative

[egerards]

I was already using RBL spam checking, but I still received 5 to 10 image based spam messages per day per email account.

I have extended my RBL list with combined.njabl.org and psbl.surriel.com and so far no spam messages got through.

Up till now I can also recommend these extra RBL list entries.

[kryptos]

hi all,

im also using RBL blocking sbl-xbl.spamhaus.org,psbl.surriel.com and combined.njabl.org but still i recieve this image spams.One thing i notice is that when i check in the message source of the email and try to check the ip address source it is listed on njabl.org. Is there anyone out there know why this mail got through? is this suppose to be rejected as this mail was listed on the site?

Kryptos

[raem]

My suggestion (if it wasn't clear) was to add
dnsbl.sorbs.net
to the RBL's being used in sme7.

It is a conservative list and will not block mail from some some popular email systems.

These lists ie dynablock.njabl.org, bl.spamcop.net and (I assume) combined.njabl.org will block email from some popular & very large email systems.

[kryptos]

Hi Ray,

I will add that list also. But what i was wondering why these IMAGE SPAMS even if is listed on NJABL.org still went into my inbox?

Thanks
Kryptos

[kruhm]

It's too late to check the logs on this one message but sometimes the RBL lookups take too long and the message is received before the lookup completes. See a snip from my log below from a message from Johnnyxvsoviet@computer.org:

@40000000458325d32a81011c 26305 Accepted connection 1/40 from 72.43.255.122 / rrcs-72-43-255-122.nys.biz.rr.com
@40000000458325d32a84e91c 26305 Connection from rrcs-72-43-255-122.nys.biz.rr.com [72.43.255.122]
@40000000458325d32a8e37ec 26305 running plugin (connect): check_earlytalker
@40000000458325d41ae81d6c 24800 cleaning up after 26304
@40000000458325d42a906684 26305 check_earlytalker plugin: remote host said nothing spontaneous, proceeding
@40000000458325d42a958aec 26305 Plugin check_earlytalker, hook connect returned DECLINED,
@40000000458325d42a981744 26305 running plugin (connect): check_relay
@40000000458325d42a9bcc7c 26305 trying to get config for relayclients
@40000000458325d42aa2f09c 26305 trying to get config for morerelayclients
@40000000458325d42aa7d684 26305 Plugin check_relay, hook connect returned DECLINED,
@40000000458325d42aaa7e34 26305 running plugin (connect): check_norelay
@40000000458325d42aad972c 26305 trying to get config for norelayclients
@40000000458325d42ab3b594 26305 Plugin check_norelay, hook connect returned DECLINED,
@40000000458325d42ab62e64 26305 running plugin (connect): ident::geoip
@40000000458325d42abd2b74 26305 ident::geoip plugin: GeoIP Country: US
@40000000458325d42abfb3e4 26305 trying to get config for badcountries
@40000000458325d42acc0824 26305 trying to get config for badcountries
@40000000458325d42ad36eac 26305 Plugin ident::geoip, hook connect returned DECLINED,
@40000000458325d42ad5cc24 26305 running plugin (connect): dnsbl
@40000000458325d42ada15cc 26305 dnsbl plugin: RBLSMTPD not set for 72.43.255.122
@40000000458325d42adc9284 26305 trying to get config for dnsbl_allow
@40000000458325d42ae387c4 26305 trying to get config for dnsbl_zones
@40000000458325d42af1eb5c 26305 dnsbl plugin: Checking 122.255.43.72.relays.ordb.org for TXT record in the background
@40000000458325d42b167ea4 26305 dnsbl plugin: Checking 122.255.43.72.combined.njabl.org for TXT record in the background
@40000000458325d42b2a06a4 26305 dnsbl plugin: Checking 122.255.43.72.whois.rfc-ignorant.org for TXT record in the background
@40000000458325d42b3adf24 26305 dnsbl plugin: Checking 122.255.43.72.sbl-xbl.spamhaus.org for TXT record in the background
@40000000458325d42b51784c 26305 Plugin dnsbl, hook connect returned DECLINED,
@40000000458325d42b545a94 26305 trying to get config for smtpgreeting
@40000000458325d42b5a03cc 26305 220 help.mydomain.com ESMTP
@40000000458325d42b5d6ecc 26305 trying to get config for timeoutsmtpd
@40000000458325d42b60ca2c 26305 trying to get config for timeout
@40000000458325d43ad1bb4c 26305 dispatching EHLO raleigh
@40000000458325d43ad6187c 26305 running plugin (ehlo): check_spamhelo
@40000000458325d43ad9931c 26305 trying to get config for badhelo
@40000000458325d43ae0691c 26305 Plugin check_spamhelo, hook ehlo returned DECLINED,
@40000000458325d43ae42624 26305 trying to get config for me
@40000000458325d43ae94e74 26305 trying to get config for databytes
@40000000458325d43aee4014 26305 trying to get config for databytes
@40000000458325d43af0f37c 26305 250-mydomain.tld Hi rrcs-72-43-255-122.nys.biz.rr.com [72.43.255.122]
@40000000458325d43af3e94c 26305 250-PIPELINING
@40000000458325d43af63b0c 26305 250-8BITMIME
@40000000458325d43af890b4 26305 250 SIZE 15000000
@40000000458325d533c2e484 26305 dispatching MAIL FROM: <Johnnyxvsoviet@computer.org>
@40000000458325d533c837cc 26305 full from_parameter: FROM: <Johnnyxvsoviet@computer.org>
@40000000458325d533ca9544 26305 from email address : [<Johnnyxvsoviet@computer.org>]
@40000000458325d533d51c94 26305 running plugin (mail): require_resolvable_fromhost
@40000000458325d533d900ac 26305 trying to get config for invalid_resolvable_fromhost
@40000000458325d533eb34d4 26305 trying to get config for require_resolvable_fromhost
@40000000458325d533f137e4 26305 Plugin require_resolvable_fromhost, hook mail returned DECLINED,
@40000000458325d533f39944 26305 running plugin (mail): rhsbl
@40000000458325d533f87374 26305 trying to get config for rhsbl_zones
@40000000458325d533feb504 26305 rhsbl plugin: Checking computer.org.dsn.rfc-ignorant.org for TXT record in the background
@40000000458325d5341c3b9c 26305 Plugin rhsbl, hook mail returned DECLINED,
@40000000458325d5341c4f24 26305 running plugin (mail): check_badmailfrom
@40000000458325d5341c5ec4 26305 trying to get config for badmailfrom
@40000000458325d5342261d4 26305 Plugin check_badmailfrom, hook mail returned DECLINED,
@40000000458325d5342576e4 26305 getting mail from <Johnnyxvsoviet@computer.org>
@40000000458325d534281e94 26305 250 <Johnnyxvsoviet@computer.org>, sender OK - how exciting to get mail from you!
@40000000458325d61e4029dc 26305 dispatching RCPT TO: <user@mydomain.tld>
@40000000458325d61e44b5ec 26305 to email address : [<user@mydomain.tld>]
@40000000458325d61e48a5bc 26305 running plugin (rcpt): rhsbl
@40000000458325d61e4d975c 26305 rhsbl plugin: waiting for rhsbl dns
@40000000458325d61e50b824 26305 rhsbl plugin: DONE waiting for rhsbl dns, got  1  answers ...
@40000000458325d61e62483c 26305 Plugin rhsbl, hook rcpt returned DECLINED,
@40000000458325d61e64b554 26305 running plugin (rcpt): dnsbl
@40000000458325d61e687e14 26305 trying to get config for dnsbl_zones
@40000000458325d61e6cfa84 26305 dnsbl plugin: waiting for dnsbl dns
@40000000458325d61e6ff43c 26305 dnsbl plugin: DONE waiting for dnsbl dns, got  4  answers ...
@40000000458325d61eca7c04 26305 dnsbl plugin: name  122.255.43.72.sbl-xbl.spamhaus.org
@40000000458325d61ecd085c 26305 dnsbl plugin: got txt record
@40000000458325d61ed05034 26305 trying to get config for dnsbl_rejectmsg
@40000000458325d61ed764b4 26305 Plugin dnsbl, hook rcpt returned DENY, http://www.spamhaus.org/query/bl?ip=72.43.255.122
@40000000458325d61eda181c 26305 550 http://www.spamhaus.org/query/bl?ip=72.43.255.122
@40000000458325d63738aa54 26305 dispatching QUIT
@40000000458325d6373c9a24 26305 trying to get config for me
@40000000458325d6373f8ff4 26305 221 mydomain.tld closing connection. Have a wonderful day.
@40000000458325d637427df4 26305 click, disconnecting
@40000000458325d637450e34 26305 running plugin (disconnect): rhsbl
@40000000458325d63748bf84 26305 Plugin rhsbl, hook disconnect returned DECLINED,
@40000000458325d6374b1914 26305 running plugin (disconnect): dnsbl
@40000000458325d6374eaf0c 26305 Plugin dnsbl, hook disconnect returned DECLINED,

[piran]

kruhm: Comments, if you want or need them from me, include:
I have masquerading locking off a range that includes your example...
/sbin/iptables -A INPUT -s 72.42.0.0/15 -j DROP
...so I can't comment on the example specifically.
If your lookups take too long then try disabling the not always useful RHSBL.
Ray has a HOWTO or few on these matters, very useful they are too;~)
I usually get back DNSBL responses in the low teens for my site's lookups.