Using SpamRats DNSBL in SpamAssassin


Post by RvdH » 2017-08-18 11:21

21_spamrats_dnsbl.cf

Code:

ifplugin Mail::SpamAssassin::Plugin::DNSEval

	header __RCVD_IN_SPAMRATS       eval:check_rbl('spamrats', 'all.spamrats.com.')
	describe __RCVD_IN_SPAMRATS     SPAMRATS: sender is listed in SpamRats
	tflags __RCVD_IN_SPAMRATS       net
	reuse  __RCVD_IN_SPAMRATS

	header RCVD_IN_SPAMRATS_DYNA    eval:check_rbl_sub('spamrats', '127.0.0.36')
	describe RCVD_IN_SPAMRATS_DYNA  RATS-Dyna: sent directly from dynamic IP address
	tflags RCVD_IN_SPAMRATS_DYNA    net
	reuse  RCVD_IN_SPAMRATS_DYNA
	score  RCVD_IN_SPAMRATS_DYNA    3.0 # please adjust the score value

	header RCVD_IN_SPAMRATS_NOPTR   eval:check_rbl_sub('spamrats', '127.0.0.37')
	describe RCVD_IN_SPAMRATS_NOPTR RATS-NoPtr: sender has no reverse DNS
	tflags RCVD_IN_SPAMRATS_NOPTR   net
	reuse  RCVD_IN_SPAMRATS_NOPTR
	score  RCVD_IN_SPAMRATS_NOPTR   2.0 # please adjust the score value

	header RCVD_IN_SPAMRATS_SPAM    eval:check_rbl_sub('spamrats', '127.0.0.38')
	describe RCVD_IN_SPAMRATS_SPAM  RATS-Spam: sender is a spam source
	tflags RCVD_IN_SPAMRATS_SPAM    net
	reuse  RCVD_IN_SPAMRATS_SPAM
	score  RCVD_IN_SPAMRATS_SPAM    1.0 # please adjust the score value

	# ---------------------------------------------------------------------------
	# I think you do not need to enable the one below as once a IP is listed in   
	# RCVD_IN_SPAMRATS_AUTH it is automatically in RCVD_IN_SPAMRATS_SPAM as well 
	# ---------------------------------------------------------------------------

	# header RCVD_IN_SPAMRATS_AUTH    eval:check_rbl_sub('spamrats', '127.0.0.43')
	# describe RCVD_IN_SPAMRATS_AUTH  RATS-Auth: sender is a authentication hacker
	# tflags RCVD_IN_SPAMRATS_AUTH    net
	# reuse  RCVD_IN_SPAMRATS_AUTH
	# score  RCVD_IN_SPAMRATS_AUTH    0 # please adjust the score value

endif
If you would like to use RATS-AUTH at the moment the connection is made, so that it is executed before the e-mail is accepted, you could easily do this in hMailServer in OnClientConnect, as described earlier in "Block authentication hackers in HmailServer using the DNSLibrary.DNSResolver Component".

https://vdhout.nl/2017/08/using-spamrat ... mailserver
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup


Re: Using SpamRats DNSBL in SpamAssassin

Post by RvdH » 2018-03-20 10:00

Addendum

You might want to add -lastexternal and/or -notfirsthop to each of these lookups, as I experienced lots of false hits without them.

Selecting just the last external IP
By using '-lastexternal' at the end of the set name, you can select only the external host that connected to your internal network, or at least the last external host with a public IP.

Selecting all IPs except for the originating one
This is accomplished by placing '-notfirsthop' at the end of the set name. This is useful for querying against DNS lists which list dialup IP addresses; the first hop may be a dialup, but as long as there is at least one more hop, via their outgoing SMTP server, that's legitimate, and so should not gain points. If there is only one hop, that will be queried anyway, as it should be relaying via its outgoing SMTP server instead of sending directly to your MX (mail exchange).

Re: Using SpamRats DNSBL in SpamAssassin

Post by RvdH » 2018-03-20 11:14

RvdH wrote:
2018-03-20 10:00
Addendum

You might want to add -lastexternal and/or -notfirsthop to each of these lookups, as I experienced lots of false hits without them.

Selecting just the last external IP
By using '-lastexternal' at the end of the set name, you can select only the external host that connected to your internal network, or at least the last external host with a public IP.

Selecting all IPs except for the originating one
This is accomplished by placing '-notfirsthop' at the end of the set name. This is useful for querying against DNS lists which list dialup IP addresses; the first hop may be a dialup, but as long as there is at least one more hop, via their outgoing SMTP server, that's legitimate, and so should not gain points. If there is only one hop, that will be queried anyway, as it should be relaying via its outgoing SMTP server instead of sending directly to your MX (mail exchange).

Code:

ifplugin Mail::SpamAssassin::Plugin::DNSEval

	header __RCVD_IN_SPAMRATS       eval:check_rbl('spamrats-lastexternal', 'all.spamrats.com.')
	describe __RCVD_IN_SPAMRATS     SPAMRATS: sender is listed in SpamRats
	tflags __RCVD_IN_SPAMRATS       net
	reuse  __RCVD_IN_SPAMRATS

	header RCVD_IN_SPAMRATS_DYNA    eval:check_rbl_sub('spamrats-lastexternal', '127.0.0.36')
	describe RCVD_IN_SPAMRATS_DYNA  RATS-Dyna: sent directly from dynamic IP address
	tflags RCVD_IN_SPAMRATS_DYNA    net
	reuse  RCVD_IN_SPAMRATS_DYNA
	score  RCVD_IN_SPAMRATS_DYNA    3.0 # please adjust the score value

	header RCVD_IN_SPAMRATS_NOPTR   eval:check_rbl_sub('spamrats-lastexternal', '127.0.0.37')
	describe RCVD_IN_SPAMRATS_NOPTR RATS-NoPtr: sender has no reverse DNS
	tflags RCVD_IN_SPAMRATS_NOPTR   net
	reuse  RCVD_IN_SPAMRATS_NOPTR
	score  RCVD_IN_SPAMRATS_NOPTR   2.0 # please adjust the score value

	header RCVD_IN_SPAMRATS_SPAM    eval:check_rbl_sub('spamrats-lastexternal', '127.0.0.38')
	describe RCVD_IN_SPAMRATS_SPAM  RATS-Spam: sender is a spam source
	tflags RCVD_IN_SPAMRATS_SPAM    net
	reuse  RCVD_IN_SPAMRATS_SPAM
	score  RCVD_IN_SPAMRATS_SPAM    1.0 # please adjust the score value

	# ---------------------------------------------------------------------------
	# I think you do not need to enable the one below as once a IP is listed in   
	# RCVD_IN_SPAMRATS_AUTH it is automatically in RCVD_IN_SPAMRATS_SPAM as well 
	# ---------------------------------------------------------------------------

	# header RCVD_IN_SPAMRATS_AUTH    eval:check_rbl_sub('spamrats-lastexternal', '127.0.0.43')
	# describe RCVD_IN_SPAMRATS_AUTH  RATS-Auth: sender is a authentication hacker
	# tflags RCVD_IN_SPAMRATS_AUTH    net
	# reuse  RCVD_IN_SPAMRATS_AUTH
	# score  RCVD_IN_SPAMRATS_AUTH    0 # please adjust the score value

endif
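
Added example (not part of any post in this thread, and not SpamAssassin's own code): a simplified Python model of how the '-lastexternal' and '-notfirsthop' set-name suffixes change which relay IPs are queried against all.spamrats.com, and how the return codes from the configuration above map to rules. The relay lists, the fake zone and the function names are constructed for illustration, and trusted/internal relays are assumed to be already removed.

```python
import ipaddress

ZONE = "all.spamrats.com"
# Return codes and rule names exactly as used in the .cf files in this thread.
CODES = {
    "127.0.0.36": "RCVD_IN_SPAMRATS_DYNA",
    "127.0.0.37": "RCVD_IN_SPAMRATS_NOPTR",
    "127.0.0.38": "RCVD_IN_SPAMRATS_SPAM",
    "127.0.0.43": "RCVD_IN_SPAMRATS_AUTH",
}

def select_ips(external_hops, set_name):
    """Pick the relay IPs to query. external_hops is newest first:
    index 0 connected to our MX, the last entry is the originating hop.
    Assumption: trusted/internal relays have already been stripped."""
    hops = list(external_hops)
    if set_name.endswith("-lastexternal"):
        return hops[:1]
    if set_name.endswith("-notfirsthop") and len(hops) > 1:
        return hops[:-1]  # skip the originating hop; a lone hop is still queried
    return hops

def query_name(ip, zone=ZONE):
    """DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on bad input
    return ".".join(reversed(octets)) + "." + zone

def rules_hit(external_hops, set_name, resolve):
    """Names of the rules that would fire, given a resolver callable
    that returns the list of A records for a name ([] for NXDOMAIN)."""
    hits = set()
    for ip in select_ips(external_hops, set_name):
        hits.update(CODES[a] for a in resolve(query_name(ip)) if a in CODES)
    return sorted(hits)

# Constructed sample data (documentation address ranges, not real listings):
# a home user on a dynamic IP that is listed as RATS-Dyna, relaying through
# the ISP smarthost, which is not listed.
FAKE_ZONE = {"7.100.51.198.all.spamrats.com": ["127.0.0.36"]}
RELAYED = ["203.0.113.25", "198.51.100.7"]  # smarthost, then originating PC
DIRECT = ["198.51.100.7"]                   # dynamic IP sends straight to the MX

def fake_resolve(name):
    return FAKE_ZONE.get(name, [])

if __name__ == "__main__":
    for s in ("spamrats", "spamrats-lastexternal", "spamrats-notfirsthop"):
        print(s, rules_hit(RELAYED, s, fake_resolve), rules_hit(DIRECT, s, fake_resolve))
```

With the plain 'spamrats' set the relayed message picks up RCVD_IN_SPAMRATS_DYNA from its originating hop, while both suffixed sets leave it clean; the direct-to-MX message is flagged by all three.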


Re: Using SpamRats DNSBL in SpamAssassin

Post by mattg » 2018-03-20 13:04

I have spamRats set as a DNSBL in hMailserver

DNS host = all.spamrats.com
Expected Result = 127.0.0.38|127.0.0.43

I think that this gives me the RatsSPAM and the RatsAUTH lists. I'll research how effective that test is for me... I try to keep DNS BL out of SpamAssassin normally
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
