qmail-rblchk

qmail-rblchk filter all incoming mail and check if it comes from RBL listed IPs.

Installation

Download the package at qmail-rblchk-2.4.1.tar.gz (Perugia, Italy)

Compile it with:

     tar -xfz qmail-rblchk-[version].tar.gz
     cd qmail-rblchk
     make setup check

Edit conf-* files to set compile and install options.

If you use FreeBSD you can install qmail-rblchk with his port:

    cd /usr/ports/mail/qmail-rblchk
    make install clean

Use

    |qmail-rblchk [options] [/dir/]

qmail-rblchk is for use in .qmail to check the IP address from the Received: from lines. It has the same function as rblsmtpd, but the messages are checked at local delivery time, with this you can check the content of the message simply redirecting it to another mailbox or address.

If a directory is given with dir all spam message are delivered to that directory if it exist and is in Maildir format.
Directory name must start with a / or . (dot) and end with a /.

General options

-h: show a sort program description;
-s: add "X-Spam" header into the incoming mail (work only with delivery in dir/);
-i NUM: ignore first NUM IPs found in the header;
-x IP: do not check IP, try to find other address in header (you can ignore max 16 IPs);
-m: check all IPs that find in mail header (default check only the first);
-v: debug mode, make output more verbose;
-p: don't check private IP classes:
- 127.0.0.0 - 127.255.255.255
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255
-q: quiet mode;
-l LOG: redirect to file LOG program messages;
-L DATA: write blocked IP address tu file DATA (you can use the DATA file to build your RBL list, see example below);
-c: turn on the condredirect compatibility mode for exit code.

Control options

-r addr: request if a TXT record exist into addr;
-R addr: request if a TXT record not exist into addr;
-a addr: request if a A record not exist into addr;
-A addr: request if a A record exist into addr;
-C addr: request if a A or TXT record exist into addr, if true the mail is not SPAM and the program exit;
-X cdb: check if the sender IP is listed in cdb file, see tcprules or EXAMPLES section for the format

It's possible to use up to 32 control options to specify more RBL server; those are checked until the first of them answere true and the mail will be tagged as a "spam" (unless you use -C option).

If a mail come from a.b.c.d IP, the request that the program send to DNS server is: d.c.b.a.addr where addr is the parameter that come after -r, -R, -a or -A options.

Exit code

The exit code of program depends on use of -c option or delivery dir:

Message Standard with -c with dir

Normal 0 1 0

Spam 100 0 99

Problem 111 111 111

Examples

This are some example of qmail-rblchk use, please read carefully dot-qmail(5), qmail-command(8) and condredirect(1) man pages to prevent lost of mail.

We check bl.spamcop.net and dialups.mail-abuse.org RBL list. If the mail is spam the delivery fail and the sender will receive a bounce message.

    # we discard all suspected mail
    | qmail-rblchk -r bl.spamcop.net -r dialups.mail-abuse.org

We delivery all mail that comeis from RBL listed IPs to our spam Maildir.

    # save spam-suspected mail in another Maildir
    | qmail-rblchk -r bl.spamcop.net -r dialups.mail-abuse.org ../spam/

Same as above, but all spam message are delivered to me-spam address with condredirect

    # save spam-suspected mail in another box
    | condredirect me-spam qmail-rblchk -c -r bl.spamcop.net -r dialups.mail-abuse.org

Into contrib directory you can find a script (spam-report.sh) that send to you some stats about qmail-rblchk filtering actions.
You must run qmail-rblchk with -l option (to have the logs), after check the paths into the script and run it into crontab like this:

    0    0    *    *    * spam-report.sh email_addr NUM

at 00:00 you receive at email_addr a mail like this (the script preserve and gzip NUM old log files):

    Date: 23 Jan 2006 00:00:03 -0000
    From: luca@home.morettoni.local
    To: luca@home.morettoni.local
    Subject: qmail-rblchk report

    qmail-rblchk report
    ===================

    Messages:
     total: 137
     good:  76      (55.500%)
     spam:  61      (44.500%)

    Check:
     DNS query: 306
     over cdb:  122

    RBL list usage:
     list #1 hits: 11
     list #2 hits: 32
     list #3 hits: 16

    cdb usage:
     allowed IPs:   5
     blocked IPs:   7

    --
    qmail-rblchk 2.4.1 - Luca Morettoni <luca@morettoni.net>
    See more at http://morettoni.net

If you want to use a cdb file with the -X option, create a rule file like that:

    # allow mails from local network
    192.168.0.:allow
    # some spammer IPs
    10.0.0.1:deny
    1.2.3.4:deny

create the CDB file with:

    tcprules rule.cdb rule.tmp < rule

and use in your .qmail file with:

    | qmail-rblchk -X ./rule.cdb -r sbl-xbl.spamhaus.org ../spam/

if the IP is found in rule.cdb qmail-rblchk follow the rule in the file:

allow the message is good;
deny the message is spam

if the IP is not listed qmail-rblchk continue with normal RBL checking. You can insert into the CDB file a default rule (:allow or :deny), to block or accept all other IPs.

Build your list

If you use the -L option you can build your private RBL list, remember that qmail-rblchk only appends blocked IP to the file, filter it with uniq before use. You can build your data file for rbldns with the script contrib/rbllist.sh.

With the utility getsenderip you can take the sender IP and append it to a text file, the syntax is:

    getsenderip [-s num] out

where out is the file where IPs are stored, with the -s option you can skip first num IPs in the header of the mail. The script contrib/dot-qmail-storeip is an example of use into your .qmail file: you can use into a .qmail-spam to add other IPs to your private spammer list, and a .qmail-friends for the good IPs (use a different output file for the two system!!).
NOTE: The example script skip first IP, usually is your IP and is not usefull to add it to the lists! The EXT2 variable was used to allow a more extensible usage, if you use the example into a .qmail-spam-default, you can send spam mails to spam-3@yourdom.tld and the script skip first 3 IPs.

Thanks

Joerg Backschues <jbks AT tca-os DOT de> for the English page check and testing on 300.000 users and 500.000 mails system! (results);
Brian T Glenn <glenn AT delink DOT net> for some option suggestions and for the disk space at USA mirror;
Emanuel Haupt <haupt AT critical DOT ch> for the FreeBSD port and manpage hints;
Emanuel's wife for the manpage correction;
Everybody download, check, debug and use the package!

Message	Standard	with `-c`	with `dir`
Normal	0	1	0
Spam	100	0	99
Problem	111	111	111