fansipans' recent posts
10/08/2008 - [ qmail spam rblsmtpd smtp email mail networking server configuration blacklist spamcop ] - posted by fansipans
Three cheers for Dan Bernstein's rblsmtpd!
After initially setting up qmail and procmail years ago, one of the long-lingering items on my todo list was to make napkindrawing's spam handling much better. I've basically been operating in whitelist mode, with aggressive procmail rules, which required somewhat regular scans through my Junk and Unfiltered folders to check for valid mail marked as spam. I'd always assumed that a more reliable option would take a few hours of configuration and tweaking.
Well, I finally took a few minutes to see if I could tweak my existing anti-spam setup (procmail), and see what my other options are, what would be the easiest path given my current setup. I quickly realized that rblsmtpd is already installed, and simply needs to be uncommented in my qmail init script!
rblsmtpd is a simple program that serves a tiny purpose, in the spirit of all of Dan Bernstein's other software. It sits between tcpserver, which actually listens for connections, and qmail, which handles mail delivery. rblsmtpd is passed domain names on the command line like "bl.foo.com", which are run by organizations maintaining IP address blacklists. When a remote server, say with IP address a.b.c.d, connects to deliver mail, rblsmtpd does a DNS lookup on the domain "d.c.b.a.bl.foo.com". If the DNS server for bl.foo.com returns a TXT record, the connection is denied, and the contents of the TXT record are displayed to the client and logged locally. So you get the speed, configurability, and hierarchical nature of DNS giving a practically instant, fresh, YES/NO answer as to whether the sending party is in the blacklist or not. Sweet!
After enabling rblsmtpd, and adding bl.spamcop.net, and removing relays.ordb.org, I'm seeing it block an average of 5 emails per hour, which is almost all of my spam. The remaining couple that slip through I've been forwarding to spamcop, and adding to my procmail rules.
Forwarding the remaining spam to spamcop helps all users of spamcop. They also provide relatively long-term subscriptions for reasonable prices, which I'll certainly consider after I've run this setup enough to trust it.
Edit: The most effective DNS BlackList seems to be zen.spamhaus.org. It's a combination of a number of other blacklists, and no spam has managed to get through in the last few hours since I added it. We'll see ...
Edit Edit: After a week or so of using Spamhaus' Zen DNSBL, only a few junk emails get through every day, out of 300+ attempts. My use of spamcop catches about 10 spams a day (that Zen misses), and the few that get through I've noticed on spamcop's reporting site are usually registered in cbl.abuseat.org's DNSBL, so I've added cbl.abuseat.org as the third DNSBL to check. That should drop it to no more than one junk message every other day :)
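The lookup described above can be replayed by hand to see what a list would answer for a given sender before adding it to rblsmtpd. This is an added example, not part of the original post or of rblsmtpd itself; the function names, the `DNSBL_LOOKUP` override, and the sample listing for 192.0.2.25 are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: replay rblsmtpd's DNSBL lookup by hand (IPv4 only).

# a.b.c.d + zone -> d.c.b.a.zone; fails on anything that is not a dotted quad.
dnsbl_qname() {
    ip=$1 zone=$2
    case $ip in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Real lookup: a non-empty TXT answer means "listed".
dnsbl_txt() { dig +short TXT "$1"; }

# Constructed stand-in resolver so the example runs offline: pretends that
# only cbl.abuseat.org lists 192.0.2.25 (a documentation address).
fake_txt() {
    case $1 in
        25.2.0.192.cbl.abuseat.org) echo '"Blocked - constructed sample text"' ;;
    esac
}

# Try each zone in order and stop at the first listing, as rblsmtpd does.
# Exit status: 0 listed, 1 not listed, 2 bad address.
dnsbl_check() {
    ip=$1; shift
    for zone in "$@"; do
        qname=$(dnsbl_qname "$ip" "$zone") || return 2
        txt=$("${DNSBL_LOOKUP:-dnsbl_txt}" "$qname")
        if [ -n "$txt" ]; then
            echo "listed by $zone: $txt"
            return 0
        fi
    done
    return 1
}

# Offline demo with the three zones named in this post.
DNSBL_LOOKUP=fake_txt
dnsbl_check 192.0.2.25 zen.spamhaus.org bl.spamcop.net cbl.abuseat.org ||
    echo "not listed"
```

With `DNSBL_LOOKUP` unset the functions query DNS through `dig`; 127.0.0.2 is the conventional test entry that IPv4 DNSBLs list (RFC 5782).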