instantlinux/blacklist

By instantlinux

Updated 6 months ago

DNSBL for spam control based on rbldnsd.


DNS blacklist for spamassassin

This is based on Running Your Own RBL DNS Blacklist (or see alt link) using the Debian rbldnsd package adapted from scripts published by Herb Rubin some years ago. This attempts to counter large-scale botnets (with hundreds of thousands of scattered IP addresses) that spammers use to bypass the well-known DNSBL sites. We do this by examining known-spam messages' Received headers, and inserting their source IP addresses into a local MySQL table, almost immediately blacklisting against multiple uses of any given source IP. This tool maintains that table and provides a local DNSBL which you can add to Spamassassin's rules. To make the most use of it, set up honeypot email addresses separate from your primary users' addresses; greylisting unknown senders for several minutes will add to this protection.

Usage

Before running it, grant access to a mysql user thus:

    USER=blacklister
    PSWD=xxx
    mysql> GRANT SELECT,UPDATE,INSERT,CREATE ON `blacklist`.* TO
     '$USER'@'10.%' IDENTIFIED BY '$PSWD';

Add a docker secret named mysql-blacklist that contains the user and the $PSWD you've set:

    # docker secret create mysql-blacklist -
    user=blacklister
    password=$PSWD

Decide on a subdomain name, such as blacklist.yourdomain.com. Set that name as an environment variable RBL_DOMAIN. To delegate to this subdomain, list hosts where you'll be running this in environment variable NS_SERVERS (if you're running a swarm cluster, this will be the DNS names of the cluster nodes).

In the local.cf file for spamassassin (separate Docker image), define these rules for your local blacklist:

    score    HONEY_RCVD_IN_RBL  4.5
    header   HONEY_RCVD_IN_RBL  eval:check_rbl('bl', 'blacklist.yourdomain.com.', '127.0.0.2')
    describe HONEY_RCVD_IN_RBL  Seen in rbldnsd by honeypot address
    tflags   HONEY_RCVD_IN_RBL  net
    reuse    HONEY_RCVD_IN_RBL

(The steps below are performed by scripts in the postfix-python image.)

Then, to add new IPs into the blacklist, set up procmail to run the honeypot-ip.py parser script (included here under the src directory), which inserts into the MySQL ips table upon receipt of any known spam message. Example:

~~~
# pipe every message delivered to the honeypot mailbox through the parser
:0fw
| /usr/local/bin/honeypot-ip.py --db-config ~/.my.cnf -q \
  --honeypot honeyforbees@instantlinux.net \
  --relay 'by mx-caprica.?\.easydns\.com' --cidr-min-size 32
~~~

Add a .my.cnf file with db credentials:

    [client]
    host=xdb00
    database=blacklist
    user=blacklist
    password=xxx

This script can also be invoked as a spamfilter under postfix; use the --pipe-stdout command option for that use case.
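As an added example (not the project's honeypot-ip.py), this is the Received-header walk the parser performs: trust only the hop stamped by your own relay (the --relay pattern), take the connecting client IP from that hop, refuse private address space, and widen to the requested prefix. The sample message, the block list and the reading of --cidr-min-size as the prefix length to list are assumptions.

```python
"""Walk a honeypot message's Received headers to find the bot's source IP.

Added example, not the project's honeypot-ip.py; the sample message,
the block list and the cidr_min_size reading are constructed assumptions."""
import email
import ipaddress
import re

# Constructed sample: our MX got the message from a documentation-range
# address, and the bot forged an earlier hop underneath it.
SAMPLE_SPAM = b"""Received: from mail.example.net (mail.example.net [192.0.2.77])
\tby mx-caprica1.easydns.com (Postfix) with ESMTP id 4ABCD
\tfor <honeyforbees@instantlinux.net>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from [10.0.0.5] by mail.example.net with SMTP; Mon, 01 Jan 2024 09:59:00 +0000
From: "Deals" <deals@example.net>
To: honeyforbees@instantlinux.net
Subject: cheap things
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Never list private, loopback or link-local space, whatever a header claims.
NEVER_LIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def source_ip(raw, honeypot, relay_re, cidr_min_size=32):
    """Return the IP (or /cidr network) that handed the message to our relay.

    Only the first Received header matching relay_re (the hop written by our
    own MX) is trusted; hops below it were written by the spammer's machines
    and may be forged. None means nothing should be listed.
    """
    msg = email.message_from_bytes(raw)          # compat32: headers stay folded
    if honeypot.lower() not in msg.get("To", "").lower():
        return None
    relay = re.compile(relay_re)
    for hdr in msg.get_all("Received", []):      # most recent hop comes first
        if not relay.search(hdr):
            continue                             # not our MX: skip this hop
        m = IP_IN_BRACKETS.search(hdr)           # client IP stamped by our MX
        if not m:
            return None
        addr = ipaddress.ip_address(m.group(1))
        if any(addr in net for net in NEVER_LIST):
            return None
        if cidr_min_size >= 32:
            return str(addr)
        return str(ipaddress.ip_network(f"{addr}/{cidr_min_size}", strict=False))
    return None
```

The forged lower hop claiming `[10.0.0.5]` is never consulted because its `by` clause is not our relay, and even when a relay pattern does match it the private address is refused.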

Launch this docker image in kubernetes or docker-compose using one of the files provided here. The docker-tools repo has complete instructions for building a kubernetes cluster; after cloning it you can launch with helm or with kubernetes.yaml using make, customizing Makefile.vars first:

    git clone https://github.com/instantlinux/docker-tools.git
    cd docker-tools/k8s
    make blacklist

Variables

These variables can be passed to the image from kubernetes.yaml or docker-compose.yml as needed:

| Variable   | Default                | Description                              |
|------------|------------------------|------------------------------------------|
| CFG_NAME   | dsbl                   | config name (default: dsbl)              |
| DB_NAME    | blacklist              | database name (blacklist)                |
| DB_HOST    | dbhost                 | database host or IP (dbhost)             |
| DB_USER    | blacklister            | db user (blacklister)                    |
| HOMEDIR    | /var/lib/rbldns        | home directory                           |
| NS_SERVERS | 127.0.0.1              | upstream nameservers having NS records   |
| RBL_DOMAIN | blacklist.mydomain.com | domain name to serve                     |
| TZ         | UTC                    | time zone                                |
| USERNAME   | rbldns                 | username to run as                       |

Contributing

If you want to make improvements to this image, see CONTRIBUTING.

Docker Pull Command

docker pull instantlinux/blacklist