TIP: Block Spam from domains on the South Africa ISPA Spam Hall of Shame using DNSBL
April 22, 2012 at 09:30 AM | categories: Postfix, Howto, Exim, Email, Linux, Tips, Security
The South Africa Internet Service Providers' Association (ISPA) maintains a list of known spammers dubbed the Spam Hall of Shame. The list contains both domains and email addresses, and it is published on a web page without downloadable formats.
I extract the data from this web page and publish it in a DNSBL, ispa.rbl.baruwa.net. I use this DNSBL in my SaaS mail security product, so anyone should be able to use it in the same way as other DNSBLs such as Spamhaus and SpamCop.
Command line checking
You can check whether a domain is on the list using the normal command line utilities.
Using host:
host amazingresults.co.za.ispa.rbl.baruwa.net
Output:
amazingresults.co.za.ispa.rbl.baruwa.net has address 127.0.0.2
Using dig:
dig amazingresults.co.za.ispa.rbl.baruwa.net
Output:
;; QUESTION SECTION:
;amazingresults.co.za.ispa.rbl.baruwa.net. IN A
;; ANSWER SECTION:
amazingresults.co.za.ispa.rbl.baruwa.net. 1993 IN A 127.0.0.2
Checking the TXT output:
host -t txt amazingresults.co.za.ispa.rbl.baruwa.net
Output:
amazingresults.co.za.ispa.rbl.baruwa.net descriptive text
"Domain amazingresults.co.za is listed in the ISPA Hall of Shame,
http://ispa.org.za/spam/hall-of-shame/"
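The same lookup done from a script, as an added example that is not part of the original post. It builds the query name the way the host and dig commands above do and accepts only 127.0.0.0/8 answers as a listing. The function names, the status labels and the sample resolver data (including hijacked.example) are assumptions made for this illustration.

```python
import ipaddress
import socket

ZONE = "ispa.rbl.baruwa.net"  # DNSBL zone named in the post


def query_name(value, zone=ZONE):
    """Build the RHSBL query name from a domain or an email address."""
    domain = value.rsplit("@", 1)[-1].strip().rstrip(".").lower()
    if not domain or any(not label for label in domain.split(".")):
        raise ValueError("not a domain: %r" % value)
    return "%s.%s" % (domain, zone)


def system_resolver(name):
    """Return the A records for name, or [] when the lookup fails."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def check(value, resolve=system_resolver, zone=ZONE):
    """Classify a sender domain as 'listed', 'clean' or 'invalid-answer'."""
    answers = resolve(query_name(value, zone))
    if not answers:
        return "clean"  # no A record: not on the list (or lookup failed)
    loopback = ipaddress.ip_network("127.0.0.0/8")
    if all(ipaddress.ip_address(a) in loopback for a in answers):
        return "listed"
    # A non-127/8 answer is not a DNSBL return code (for example a resolver
    # that rewrites NXDOMAIN), so mail should not be rejected on it.
    return "invalid-answer"


# Constructed resolver data so the example runs offline. The listed entry
# mirrors the host output shown above; the second entry is made up.
SAMPLE = {
    "amazingresults.co.za.ispa.rbl.baruwa.net": ["127.0.0.2"],
    "hijacked.example.ispa.rbl.baruwa.net": ["203.0.113.10"],
}


def sample_resolver(name):
    return SAMPLE.get(name, [])


if __name__ == "__main__":
    for sender in ("promo@amazingresults.co.za", "example.org", "hijacked.example"):
        print(sender, "->", check(sender, resolve=sample_resolver))
```

Call check() without the resolve argument to query the live zone through the system resolver.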
Usage
Usage of the DNSBL in various MTAs is described below.
Exim
Add the following to your RCPT ACL (acl_check_rcpt:).
    drop message = REJECTED - $dnslist_text
         dnslists = ispa.rbl.baruwa.net/$sender_address_domain
Postfix
Add to smtpd_recipient_restrictions after permit_mynetworks in your main.cf file:
    reject_rhsbl_client ispa.rbl.baruwa.net,
    reject_rhsbl_sender ispa.rbl.baruwa.net,
Sendmail
Add to your .mc file and rebuild the .cf:
FEATURE(rhsbl,`ispa.rbl.baruwa.net',`"550 Mail from domain " $`'&{RHS} " refused. Domain is listed in the ISPA Hall of Shame - http://ispa.org.za/spam/hall-of-shame/"')
How the data is extracted
The data is extracted using an automated custom web crawler written in Python using Scrapy. The crawler extracts both the domains and the email addresses: the domains are processed and added to the DNSBL, and the email addresses are processed and added to the email blacklists on our SaaS platform.
Update
Some of these domains have resorted to using third-party senders, which means the SMTP envelope is no longer the one listed on the Hall of Shame. I have written a follow-up post which describes how you can identify and flag as spam the messages that bypass the SMTP-time DNSBL checks.