This was originally posted to the OLM Sphera Forums. I've copied it here for my own documentation.


To help combat spam I decided to activate DNS Black Lists in Sendmail on my server. I was underwhelmed by SpamAssassin, and it did nothing to help the email alias users, which are most of my addresses. Although I was worried about false positives, a DNSBL was the only thing that would work.

I'm sure this is old knowledge for the majority of users here. But I'm a network hardware guy, not a linux geek, so it took some time to puzzle out. So, for any other newbs out there, this is what I got to work.

This config works on an OLM Sphera VDS server. It may work on other Linux based systems. If any of the more experienced users see any issues, or would like to clarify/correct anything, please comment.

- Modifying sendmail.mc

The 'sendmail.mc' file is the base configuration file to edit. It gets converted with the m4 macro processor into the final 'sendmail.cf' file, which is what Sendmail actually reads. You could edit sendmail.cf directly, but that's for uber-geeks, and was discouraged by every reference I found.

'sendmail.mc' uses 'dnl' ("delete to new line") as its comment marker: m4 discards everything from the 'dnl' to the end of that line. So a line that starts with 'dnl' is ignored entirely, and the 'dnl' at the end of each directive keeps a stray blank line out of the generated 'sendmail.cf'.

The 'sendmail.mc' file is located in the '/etc/mail' directory. I used Pico to edit it. Be sure to make backups before messing with it, etc.

This is what I changed:

Commented out this line:

dnl FEATURE(`accept_unresolvable_domains')dnl

This might make sense somewhere, but it didn't for me. Commenting it out makes the server reject mail whose envelope sender domain does not resolve in DNS, instead of accepting it anyway. It only catches a few emails, but every bit helps.


Uncommented these lines:

FEATURE(delay_checks)dnl

I really have no idea what this line does, but it was referenced in many of the guides, and the DNSBLs didn't work until I enabled it. If anyone can shed light on why it's needed, please let me know.


Added 'access.db' support with these lines:

FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl


These two lines let you specify additional blocking rules in the 'access.db' file (more details below). The first turns on the access database; the second ('blacklist_recipients') lets its entries block mail by recipient as well as by sender or connecting host. They aren't necessary for DNSBL use, but add some additional useful blocking. This was particularly useful in blocking mail sent to the sort-of-root account that matches your domain name on the Sphera server.

The 'access.db' and DNSBL 'FEATURE' lines were added in the middle of the 'sendmail.mc' file, where all of the other 'FEATURE' lines were. The order of the FEATURE lines relative to each other mostly doesn't matter, with two exceptions: all FEATURE() lines must come before the MAILER() lines at the bottom of the file, and the dnsbl lines are consulted in the order they appear (see below).


Added the actual DNSBL lines:

FEATURE(`dnsbl',`<use-your-trial-key>.r.mail-abuse.com', ` "550 Mail from " $&{client_addr} " blocked using Trend Micro RBL+. Please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=" $&{client_addr} ')dnl

FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl


The 'FEATURE' commands must be a single line. They wrap here due to margins.

At this time I'm using two DNSBL services. Trend Micro, aka mail-abuse.com, which is the old MAPS service, is a paid service. However, they do offer 30 day free trials, so I'm trying it. They have a website which will give you pretty graphs of your mail volume, but it's not accurate. Because the DNS servers cache results, it doesn't count multiple attempts from the same domain.

The SpamCop DNSBL is free for small non-profit sites like mine. It works quite well. For every two spams that Trend catches, SpamCop catches another one. I haven't changed the order yet to see if Trend has sites SpamCop doesn't.

Order matters with the DNSBL lookups: the connecting client's IP address is checked against each DNSBL on your list, in the order they appear, until it is either rejected by one or has passed all of them. Since checking stops at the first hit, putting the list that catches the most first means fewer lookups (and, for a paid list, fewer metered queries).

Spamhaus is another major free DNSBL provider. However, they have a reputation of being a bit more aggressive than Trend or SpamCop, with the occasional false positive. So, I haven't added them to my list. Yet.
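What the dnsbl FEATURE lines are doing on the wire, as an added example that is not from the original post: the client's IPv4 octets are reversed, the list zone is appended, and an A record answer in 127.0.0.0/8 means "listed". The lists are walked in the order given and checking stops at the first hit, the same way Sendmail walks its dnsbl rules. The addresses in the usage line are placeholders from the documentation ranges, and the stricter "127.x only" rule is this script's choice: Sendmail itself treats any A record as a hit.

```shell
#!/bin/sh
# Added example, not part of the original post.

# 192.0.2.1 against bl.spamcop.net -> 1.2.0.192.bl.spamcop.net
dnsbl_query_name() {
    case $1 in
        *.*.*.*) ;;
        *) printf 'not an IPv4 address: %s\n' "$1" >&2; return 2 ;;
    esac
    zone=$2
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# Look up one query name; print the A record(s), or nothing if unlisted.
# Uses host(1). Redefine this function to test without network access.
dnsbl_resolve() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF }'
}

# dnsbl_check IP ZONE... : prints "LISTED zone answer" and returns 1 on the
# first hit, "CLEAN" and 0 if every list passed. Only 127.x answers count:
# a decommissioned list whose parked domain answers a public IP for every
# name would otherwise block all mail.
dnsbl_check() {
    ip=$1; shift
    for zone in "$@"; do
        name=$(dnsbl_query_name "$ip" "$zone") || return 2
        answer=$(dnsbl_resolve "$name" | head -n 1)
        case $answer in
            127.*) printf 'LISTED %s %s\n' "$zone" "$answer"; return 1 ;;
        esac
    done
    printf 'CLEAN\n'
}

# Usage: sh dnsbl-check.sh 192.0.2.1   (zones in the same order as sendmail.mc)
[ $# -gt 0 ] && dnsbl_check "$1" bl.spamcop.net
```

Running it by hand against an address you know is listed is a quick way to confirm the zone name in sendmail.mc is right before waiting for the next spam to arrive.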


Modified this line:

define(`confLOG_LEVEL',9)dnl

This line is toward the end of the 'sendmail.mc' file. The '9' indicates the level of detail in the Sendmail logs. '9' is a good compromise level.

The log level was originally set to '0' in my config so I wasn't getting any logs. You need some level of logging to determine what is going on. The logs are created in the '/var/log' directory. The Sphera VDS will automatically rotate, zip, and store 5 days worth of logs. (Maybe longer if they're small.) At least, mine was set up that way.
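Once logging is on, the question is which list is actually doing the work. The following is an added example, not from the original post: it tallies rejections per source by keying on the reject= message text configured in the dnsbl FEATURE lines above, so the two lists and access.db can be told apart. SAMPLE_LOG is constructed test data using documentation addresses; only the relay=[ip] and reject= fields are relied on, since the other fields vary between Sendmail versions.

```shell
#!/bin/sh
# Added example, not part of the original post. SAMPLE_LOG is constructed.

SAMPLE_LOG='Jul 12 10:15:23 vds sendmail[4711]: l6CEFN04711: ruleset=check_relay, arg1=[192.0.2.10], arg2=127.0.0.2, relay=[192.0.2.10], reject=550 5.7.1 Spam blocked see: http://spamcop.net/bl.shtml?192.0.2.10
Jul 12 10:16:01 vds sendmail[4712]: l6CEG104712: ruleset=check_relay, arg1=[198.51.100.7], arg2=127.0.0.2, relay=[198.51.100.7], reject=550 5.7.1 Mail from 198.51.100.7 blocked using Trend Micro RBL+. Please see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=198.51.100.7
Jul 12 10:16:40 vds sendmail[4713]: l6CEGe04713: from=<list@example.net>, size=2048, class=0, nrcpts=1, msgid=<a@example.net>, proto=ESMTP, daemon=MTA, relay=mx.example.net [203.0.113.5]
Jul 12 10:17:02 vds sendmail[4714]: l6CEH204714: ruleset=check_relay, arg1=[192.0.2.10], arg2=127.0.0.2, relay=[192.0.2.10], reject=550 5.7.1 Spam blocked see: http://spamcop.net/bl.shtml?192.0.2.10
Jul 12 10:18:15 vds sendmail[4715]: l6CEIF04715: ruleset=check_rcpt, arg1=<sitename@example.org>, relay=[203.0.113.9], reject=550 5.7.1 <sitename@example.org>... Access denied'

# count_rejects: reads log lines on stdin and prints one line per source,
# "<rejects> rejects <unique hosts> unique hosts <source>", busiest first.
count_rejects() {
    awk '
    /reject=550/ {
        src = "other"
        if ($0 ~ /spamcop\.net\/bl\.shtml/)          src = "bl.spamcop.net"
        else if ($0 ~ /blocked using Trend Micro/)  src = "mail-abuse.com"
        else if ($0 ~ /Access denied/)              src = "access.db"
        n[src]++
        # unique sending hosts per source, taken from relay=[a.b.c.d]
        if (match($0, /relay=\[[0-9.]+\]/))
            seen[src SUBSEP substr($0, RSTART + 7, RLENGTH - 8)] = 1
    }
    END {
        for (k in seen) { split(k, p, SUBSEP); hosts[p[1]]++ }
        for (s in n) printf "%d rejects %d unique hosts %s\n", n[s], hosts[s], s
    }' | sort -rn
}

# Usage on the real thing: count_rejects < /var/log/maillog
printf '%s\n' "$SAMPLE_LOG" | count_rejects
```

The unique-host column is the one to watch: a list that rejects the same few hosts over and over is cheap, while the raw reject count is inflated by retries, which is the same effect that makes the Trend graphs look low.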


- Converting the 'sendmail.mc' macro file to 'sendmail.cf'.

To convert the macro file to the actual Sendmail config file, issue this command:

m4 sendmail.mc > sendmail.cf

If you aren't in the '/etc/mail' directory, you'll have to add appropriate pathing. It is also worth redirecting into a scratch file first and only moving it over 'sendmail.cf' once m4 exits cleanly, so a macro error doesn't replace a working config with an empty or half-written one.

The references on this file usually refer to restarting Sendmail for it to take effect. However, on a Sphera VDS, it doesn't appear that Sendmail actually runs in our space. It gets called when an email comes in. So, whatever changes in 'sendmail.cf' will take effect whenever the next email comes in.


- Creating the 'access.db' table.

Sort of like the Sendmail config files, there is a plain text 'access' file, and a compiled 'access.db' file that Sendmail actually uses.

The 'access' is also located in the '/etc/mail' directory. Mine was a zero byte file. I copied this one off the web and modified it:

http://www.faqs.org/docs/securing/chap22sec178.html

The documentation to use this file is all in the sample. I used the default localhost related RELAY commands in the file. I also added the IP of my site, just in case some process doesn't use the loopback.

The key thing I added was a blacklist REJECT line for the named sort-of-root account on my server. This keeps this account from getting spam and filling up. I figured it was easier to block any inbound mail to this account than trying to disable it.

The command to convert the text file to the actual .db file is this:

makemap hash access.db < access

Be careful about the redirect '<' symbol. It is the opposite direction of the redirect used in the m4 sendmail.mc conversion. And again, if you aren't in the /etc/mail directory, add appropriate pathing.

The docs on this file, from various sources, keep referring to a RHS and a LHS. I finally figured out that RHS is 'right hand side' and LHS is 'left hand side'. It makes sense looking at the examples in the file: the LHS is the key Sendmail looks up (an address, domain or IP, optionally tagged Connect:, From: or To:) and the RHS is the action (OK, RELAY, REJECT, DISCARD, or an error code and message).
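A complete access file in that LHS/RHS layout, plus a lint pass to run before makemap, as an added example that is not from the original post. The hostnames, IPs and the sitename@example.org account are placeholders; the RELAY entries are the loopback ones the post keeps plus the server's own address. The lint catches the mistake that matters most in this file: a bare octet prefix such as "10" matches every 10.x.x.x address, so "10 RELAY" quietly turns the server into an open relay for that whole network.

```shell
#!/bin/sh
# Added example, not part of the original post. Both files are constructed.

SAMPLE_ACCESS='# LHS (key)               RHS (action)
localhost.localdomain     RELAY
localhost                 RELAY
127.0.0.1                 RELAY
192.0.2.25                RELAY
To:sitename@example.org   REJECT
spammer.example           550 We do not accept mail from this domain'

# Two entries the lint should refuse: an octet prefix with RELAY, and a
# misspelled action.
BAD_ACCESS='10                        RELAY
bogus.example             FOO'

# access_lint: reads an access file on stdin, reports problems with line
# numbers and returns 1 if it found any, 0 if the file is safe to makemap.
access_lint() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    NF < 2 { printf "line %d: no RHS action: %s\n", NR, $0; bad++; next }
    {
        lhs = $1; rhs = $2
        sub(/^(Connect|From|To):/, "", lhs)      # strip the optional tag
        if (rhs !~ /^(OK|RELAY|REJECT|DISCARD|SKIP|ERROR:.*|[45][0-9][0-9])$/) {
            printf "line %d: unknown RHS %s\n", NR, rhs; bad++
        }
        # one to three octets is a network prefix, not a host
        if (rhs == "RELAY" && lhs ~ /^[0-9]+$|^[0-9]+\.[0-9]+$|^[0-9]+\.[0-9]+\.[0-9]+$/) {
            printf "line %d: RELAY for network prefix %s, not a single host\n", NR, lhs; bad++
        }
    }
    END { exit bad ? 1 : 0 }'
}

# Usage on the real file: access_lint < /etc/mail/access && makemap hash access.db < access
printf '%s\n' "$SAMPLE_ACCESS" | access_lint && echo "sample: ok"
printf '%s\n' "$BAD_ACCESS" | access_lint || echo "bad sample: rejected as intended"
```

Chaining the lint in front of makemap with && means a typo in the text file never reaches the live access.db.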


- Resources

I Googled all over the web researching this. These are some links I found useful:

http://us.trendmicro.com/us/products/enterprise/network-reputation-services/index.html

http://www.technoids.org/dnsbl.html

http://www.webservertalk.com/archive58-2006-7-1583074.html

http://www.faqs.org/docs/securing/chap22sec173.html

http://www.spamcop.net/bl.shtml

http://www.dnsbl.com


I hope some of you find this useful. These changes are successfully blocking 80%+ of the spam headed to my server, and all of my users have noticed the effects.

Greg