Rbl-add-ip

From Lundman Wiki
Revision as of 09:27, 2 November 2006 by Lundman (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

rbl_add_ip.pl

For our RBL implementation at work, we went with a DLZ named, initially using the "file system" driver (proof of concept) then change to a BDBHPT driver.

To create the BDB files, add/remove/list IP's we wrote this perl script.

 [rbl_add_ip.pl] 2006-11-02

Download the script and change the path location of your DBD's and DB environment home. To initially create your BDB files use:

 ./rbl_add_ip.pl -Z

But you do not want to run that on a live system, it will erase your BDB files.

Other uses are:

# ./rbl_add_ip 123.2.12.3
# ./rbl_add_ip -d 123.2.12.3
# ./rbl_add_ip 12.22.22.34 "550 You sent too much spam, you suck."
# ./rbl_add_ip -D 86400

The default message is:

450 You have been blocked for sending SPAM or similar."

which is a little tame, but the 450 message has saved me already. (Real servers queue the emails when some servers were added by mistake).

The whitelist file is a file of perl regular expressions on each line. For example:

^127.0.0.1$
^192.168.
.your.domain.com$

The current list of RBL codes (is this current? It was easy to find)

       "127.0.0.2"=>"UCE",
       "127.0.0.3"=>"Fraud",
       "127.0.0.4"=>"Spam Promo",
       "127.0.0.5"=>"Illegal Content",
       "127.0.0.6"=>"Pre-emptive",
       "127.0.0.7"=>"Improper List Practices"
       "127.0.0.8"=>"Botnet Activity / Malware" 

Where rbl_add_ip.pl will use "2" unless otherwise specified.

There is currently an idea of temporary vs permanent additions. If you use the -p switch when adding an IP to RBL, it will be added permanent. The only difference is in the records TTL. However, using the -D <age> option, rbl_add_ip.pl will clean out entries that are temporary and older than <age> (in seconds). That way you can put an IP in the penalty box for, say, 24 hours. (-D 86400). If you do not use the -D option, all entries stay in the BDB until you use the -d option to delete them.

For sendmail, we add this code:

# cat rbl.m4
FEATURE(`delay_checks')
define(`DNSBL_MAP', `dns -R A -a. -r2 -d3')dnl
dnl FEATURE(dnsbl,`rbl.domain.com')dnl
FEATURE(`dnsbl', `rbl.domain.com', `$&{client_addr}": "$>GetTXT $&{client_addr} $| rbl.domain.com $| $(dequote "Address " $&{client_addr} " blocked by rbl.domain.com" $)')
LOCAL_CONFIG 
KDNSTXT dns -R TXT
LOCAL_RULESETS
# Pass in $&{client_addr} $| txt-lookup.dom.ain $| default-text 
SGetTXT
R$-.$-.$-.$- $| $+ $| $+        $: $(DNSTXT $4.$3.$2.$1.$5 $: $6 $)

Watch out for the TAB in the last line!


Currently, our RBL are as follows:

-rw-rw-rw-   1 root     other    8785887232 Nov  2 09:16 DLZ.dnsdata.db
530327  Number of hash buckets.
18,178,801 IPs in the Database.