Use a real RBL

That looks correct. I suppose if it fails you’ll know quickly. Either rspamd won’t start or it just won’t do anything.

1 Like

Let us know when that’s up and going. I’d like to add this RBL to NodePing but without a good way to request removal, it’s less useful.

2 Likes

That should work.

received = true is optional - It means that IP addresses in the Received headers will be checked on the RBL in addition to just the IP the email comes from (so eg. it’ll catch if the email is relayed via an IP that’s on the blocklist).

Instead of editing groups.conf you can just look for JARLAND_RBL_BAN in the “symbols” tab of rspamd’s web UI and edit the score there.

2 Likes

Yes, I see I can also put a score when it fails. That’s nice.

Thanks for the info anyway!

1 Like

MXRBL has really grown up. On just one of our servers we rejected 4,578 emails in 24 hours from it. Expecting to beat that record in just 24 hours.

Projects in motion:

  1. Helping providers understand why they’re listed
  2. Creating a whitelist for IPs that should never be added (Google, Outlook, providers showing that they can keep their space clean)

2 Likes

I love you for your efforts, my friend <3

This is from my small private spamfilters, only since Sunday:

root@sf1:~# grep mxrbl /var/log/mail.log|wc -l
129
root@sf2:~# grep mxrbl /var/log/mail.log|wc -l
113

Edit: (sorry, forgot we switched to asshole format)
Stop fighting spam, dickhead! Jar is stupid.

2 Likes

Rebuilt the RBL today. It now uses rbldnsd, and the website now tells you why your IP is listed. Soon it’ll include deep insights for providers to use, including redacted logs they can record for handling abuse notices.

3 Likes

Massive updates today after an equally massive log audit. I’ve come to a conclusion that will inform how I block a great deal of spam for MXRBL users. I’m not the first to come to this conclusion, but it makes a difference.

If the residential ISP doesn’t allow server hosting, doesn’t set PTR records for customers, and best of all has dynamic IPs, the whole ASN should be on the RBL. Chasing compromised IoT devices across dynamic IPs is pointless. So is hosting a mail server without a PTR record. If I happen to cross paths with someone determined to send mail from their home system without use of a relay, I can work with them. But until then, I’ll block a fuck load of spam.

In just a few hours I’ve neared an additional 20k emails blocked due to blocking direct emails from a wealth of residential ISPs. Parsing the logs I haven’t found any evidence of a false positive yet.

This spam attack I’ve tracked that I’m heavily targeting is interesting:

F=[email protected]
F=[email protected]
F=[email protected]
F=[email protected]
F=[email protected]
F=[email protected]

T=“What are we going to do at the weekend?”
T=“what are your plans for the weekend?”
T=“excellent day”
T=“Help me make my ex-boyfriend jealous”

You can visually see the patterns, but trying to tackle them in a dynamic way with all of the changes they’re making, by tackling the patterns we can eyeball right there, I can’t come up with an algorithm that doesn’t risk false positives. Blocking residential ISPs that shouldn’t be sending mail anyway, though, is making a huge dent in them.

5 Likes
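As an added illustration (not code from the thread or from MXRBL), the following Python sketch shows the two checks discussed above: the standard DNSBL lookup that rspamd performs, including the `received = true` behaviour of also checking IPs found in Received headers, and the PTR policy from the post above, where a connecting IP with no reverse DNS is flagged. The zone name `rbl.example`, the resolver callback, the header sample and the DNS answers are all constructed for this example, so it runs offline; a real deployment would replace `fake_resolver` with actual DNS queries and the placeholder zone with the DNSBL's published zone.

```python
import ipaddress
import re
from typing import Callable, Dict, List

# Resolver callback: (query name, record type) -> list of answer strings.
# An empty list stands for NXDOMAIN / no data. Injected so the example runs offline.
Resolver = Callable[[str, str], List[str]]

ZONE = "rbl.example"  # placeholder DNSBL zone (assumption, not a real zone)

# Ranges that never reach an RBL: private and loopback space found in Received
# headers from internal hops. Defined explicitly rather than via is_private so
# that the RFC 5737 documentation addresses used in the sample still count as public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Standard DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 is handled in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip: str, resolver: Resolver, zone: str = ZONE) -> bool:
    """A DNSBL answers with an A record in 127.0.0.0/8 when the IP is listed."""
    answers = resolver(dnsbl_query_name(ip, zone), "A")
    return any(a.startswith("127.") for a in answers)


def has_ptr(ip: str, resolver: Resolver) -> bool:
    """PTR check: reverse_pointer yields e.g. '7.113.0.203.in-addr.arpa'."""
    return bool(resolver(ipaddress.ip_address(ip).reverse_pointer, "PTR"))


RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(headers: str) -> List[str]:
    """Public IPs named in Received headers, in order, without duplicates."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded header lines
    found: List[str] = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        for m in RECEIVED_IP.finditer(line):
            try:
                addr = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue
            if any(addr in net for net in INTERNAL_NETS) or m.group(1) in found:
                continue
            found.append(m.group(1))
    return found


def assess(connecting_ip: str, headers: str, resolver: Resolver,
           zone: str = ZONE) -> Dict[str, str]:
    """Verdict per IP: 'listed' (on the RBL), 'no-ptr' (fails the PTR policy), or 'ok'."""
    results: Dict[str, str] = {}
    for ip in [connecting_ip] + received_ips(headers):
        if ip in results:
            continue
        if is_listed(ip, resolver, zone):
            results[ip] = "listed"
        elif not has_ptr(ip, resolver):
            results[ip] = "no-ptr"
        else:
            results[ip] = "ok"
    return results


# Constructed sample headers: a listed relay hop behind a clean front relay.
SAMPLE_HEADERS = """\
Received: from relay.example.net (relay.example.net [203.0.113.7])
    by mx.example.org with ESMTP; Wed, 01 Jan 2020 10:00:00 +0000
Received: from [192.168.1.20] (unknown [198.51.100.9])
    by relay.example.net with ESMTPA; Wed, 01 Jan 2020 09:59:00 +0000
Subject: excellent day
"""

# Constructed DNS answers standing in for real lookups.
FAKE_DNS = {
    ("9.100.51.198.rbl.example", "A"): ["127.0.0.2"],          # listed
    ("7.113.0.203.in-addr.arpa", "PTR"): ["relay.example.net."],  # has PTR
    # 192.0.2.44 has neither an RBL entry nor a PTR record.
}


def fake_resolver(qname: str, rrtype: str) -> List[str]:
    return FAKE_DNS.get((qname.rstrip("."), rrtype), [])


if __name__ == "__main__":
    print(assess("203.0.113.7", SAMPLE_HEADERS, fake_resolver))
    print(assess("192.0.2.44", "", fake_resolver))
```

The private 192.168.1.20 hop is skipped, the front relay passes, and the relayed-through 198.51.100.9 is caught only because Received headers were inspected, which is exactly what `received = true` buys you.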

I see the following:

  • You have a ton of body text strings
  • You have a ton of subject text strings
  • You have a ton of IP addresses where they’re from with their PTR Record and other misc data related to the IP
  • You also know certain spam emails have a modified send-to record (usually different from the “sent from” field)

Seems you need a dynamic method to fighting these things that are beyond the tools you have available to you. Sounds like you might need to take this to the next step and build a custom algorithm. I’d recommend a machine learning algorithm that takes these values as an input. Literature suggests Single Value Decomposition (SVD) models are the best for this application. You don’t want to risk false positives so what you can do is continue tuning your algorithm until it works, or maybe you can just dump those with slightly lower scores (from the outright spam) into a separate folder. Honestly even if SVD doesn’t work, then you can switch to different algorithm frameworks like ANN or decision trees.

Or you can maybe outsource this to a different organization that already handles all this. I mean in today’s day and age you can get 80% there with static filters and rules, but the way I see it, the future will require us to move towards more fluid and dynamic rules as our tools continue to evolve.

This published paper seems to have a decent number of citations and gives you a fairly open playbook as to how to build your own solution: Machine learning for email spam filtering: review, approaches and open research problems - ScienceDirect

4 Likes
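The reply above suggests a learned scorer with a tunable threshold and a quarantine folder for borderline mail. As an added example that is not from the thread, the Python below implements that idea with a multinomial Naive Bayes model over subject lines (a simpler stand-in for the SVD approach the reply mentions, chosen because it needs no numerical library). The training subjects are constructed, the thresholds are assumptions to be tuned on real data, and the three-way verdict (reject, quarantine, accept) is the "slightly lower scores go to a separate folder" policy from the post.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

TOKEN = re.compile(r"[a-z0-9']+")


def tokenize(text: str) -> List[str]:
    return TOKEN.findall(text.lower())


class SubjectClassifier:
    """Multinomial Naive Bayes with Laplace smoothing; score is log-odds spam:ham."""

    def __init__(self, alpha: float = 1.0) -> None:
        self.alpha = alpha
        self.counts: Dict[str, Counter] = {"spam": Counter(), "ham": Counter()}
        self.docs: Dict[str, int] = {"spam": 0, "ham": 0}
        self.vocab: set = set()

    def train(self, text: str, label: str) -> None:
        toks = tokenize(text)
        self.counts[label].update(toks)
        self.docs[label] += 1
        self.vocab.update(toks)

    def log_odds(self, text: str) -> float:
        """Positive favours spam, negative favours ham; magnitude is confidence."""
        score = math.log(self.docs["spam"] / self.docs["ham"])  # class prior
        v = len(self.vocab)
        total = {c: sum(self.counts[c].values()) for c in self.counts}
        for w in tokenize(text):
            p_spam = (self.counts["spam"][w] + self.alpha) / (total["spam"] + self.alpha * v)
            p_ham = (self.counts["ham"][w] + self.alpha) / (total["ham"] + self.alpha * v)
            score += math.log(p_spam) - math.log(p_ham)
        return score

    def verdict(self, text: str, reject_at: float = 2.0, quarantine_at: float = 0.0) -> str:
        """Thresholds are assumptions: tune them on a labelled corpus before use."""
        s = self.log_odds(text)
        if s >= reject_at:
            return "reject"
        if s >= quarantine_at:
            return "quarantine"
        return "accept"


# Constructed training data echoing the subject patterns quoted in the thread.
TRAINING: List[Tuple[str, str]] = [
    ("what are your plans for the weekend", "spam"),
    ("what are we going to do at the weekend", "spam"),
    ("help me make my ex boyfriend jealous", "spam"),
    ("excellent day", "spam"),
    ("are you free this weekend", "spam"),
    ("invoice for your ssl certificate", "ham"),
    ("your ssl certificate is ready", "ham"),
    ("server maintenance window tonight", "ham"),
    ("abuse report for ip address", "ham"),
    ("quarterly invoice attached", "ham"),
]


def build_demo_classifier() -> SubjectClassifier:
    clf = SubjectClassifier()
    for text, label in TRAINING:
        clf.train(text, label)
    return clf


if __name__ == "__main__":
    clf = build_demo_classifier()
    for subject in ("What are your plans for the weekend?",
                    "Invoice for your SSL certificate",
                    "weekend report"):
        print(f"{clf.log_odds(subject):+.2f}  {clf.verdict(subject):10s}  {subject}")
```

A subject made only of words seen in spam lands well above the reject line, one made of invoice vocabulary lands well below zero, and a mixed subject such as "weekend report" falls in between and is quarantined rather than rejected, which is how the false-positive risk the post worries about gets pushed into a folder a human can review.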

Actually, you said you won’t play GOD but it’s actually what you’re doing with us…
We reached out to you to know why you blacklisted our whole ASN (we have more than 3000 IPs). And this is our mail exchange. I’ll leave it here for everyone to know how you manage your RBL list and how wrong your “best practices” are:
Me:

Hello.
I was notified that you have blacklisted my whole ASN. That is not a good practice.
Also, we are not a spam network. We are a legit datacenter company operating in Viseu, Portugal.
We also have counter-measures to prevent any of our clients from sending spam from our network.
If someone complains about spam going out from one of our IPs, you have to forward the complaint to our abuse email ([email protected]). We handle the abuse reports at 15 mins from 7am till 11pm.
So, can you please unblock all the IPs and inform me what IP has originated spam so we can handle the issue?

Reply from mxrbl:

To be clear, I don’t have to do anything and what is a “good practice” is what best serves my company and my customers. If I only find spam from your network and long listings of PTR records look like obvious spam trends, I list the whole ASN. It’s not personal, I have a job to do the same as you.
A quick run through your ASN looks like spam to me. Let me tell you what I see, you can run with it after hopefully understanding my perspective.
All of this matches spam trends:
[list of 8 IPs and their PTR records]
Randomly generated hostnames for a domain that either has no website or looks suspiciously like something that wouldn’t at all need multiple IPs for the type of business implied:
[list of 256 IPs and their PTR records]
Should I go on or is that enough for you to work with?

Me:

So… You block the IPs and ASN based only on PTR records?
There are several reasons why PTR records need to be configured for IP addresses (mail is only one of them).
Did you actually have records of spam being sent from my ASN/IPs?
If yes, please send the signature.
Since September 2020 we have filtered all mail going out on our IPs to ensure the good reputation of our network.
Also, just because there are 10-20 IPs that were detected sending spam, you can’t block an ASN that has more than 3000 IPs. That’s not fair! If you act like that, why not block Hurricane Electric or Cogent? The answer is obvious, isn’t it?
Let’s work correctly. :wink:
I have a public abuse mail where complaints can be sent. And that abuse address is publicly listed on the RIR (RIPE). I pay a team to handle the complaints and act quickly.
Best Regards,

mxrbl:

Yes I go by reverse DNS as well. If you don’t have a ton of spammers on your network, then you once did and you never cleaned their PTR records. Let me know when things look cleaner. You don’t have to like the way I do things, your approval is not required. You are free to ignore MXRBL entirely and consider us irrelevant if you like. Please don’t write back while your ranges are littered with obvious spammer PTR records.

me:

Hello.
My ranges are clean. I won’t change the PTR records because those PTR are needed for other services.
I contacted you in the first place because I have a client that subscribed to an SSL certificate and he isn’t receiving the email with the invoice and the certificate itself because his provider is using your RBL.
So, doing like everyone does, if you don’t have any reports of actual spam being sent from my network, will you please remove all records?

still me:

For info, the PTR records you listed aren’t used for mail but for server automation on an energy counting record system of one of our clients.
We have a lot of clients that use PTR records for other means than mailing systems (SAN traffic, diagnosis, etc…). And asking them to change all PTR records is overkill.
You start by blocking a full ASN just because you’re based on a single aspect. Maybe 2-3 years ago we had a client that sent spam from one of our IPs, but I can assure you that today that is not possible. And also, you should base your filtering on spam signatures and not on PTR records. Are you also blocking the full HE ASN? I guess not or otherwise you’ll be out of business…
Best Regards,

mxrbl:

If you need the PTR records that I pointed out, then you are in fact running a spam network. Delisting denied.

So, my question is: Will you, as a web hosting provider, use this RBL list to fight SPAM? I certainly will not!

I point out the lack of knowledge of how SPAM filtering works and how mxrbl is “implicated” in reducing the false positives…

1 Like

Welcome Webix to this community, and thank you for taking the time to share this insightful conversation. I’d like to limit myself to pointing out that while “That is not a good practice” and “you have to forward” do indeed seem too strong, I would let them pass. I’d take into consideration the fact that English is probably not the author’s native language, and they seem entirely focused on facts and practical issues: this doesn’t sound like carefully chosen language trying to imply anything other than the general meaning of the message.

1 Like

I am leaving the reply to this post from @webix in place because removing it would be a conflict of interest as it seeks to disparage me personally. However, a user who signed up for the sole purpose of being combative and confrontational is in direct opposition to my intentions for this community and I think it’s quite fair that the user is banned as a result. It’s not so that they can’t defend their position, in fact, I won’t even offer a counter statement here because this simply isn’t a place where I want these interactions taking place. Whether they involve me or not.

The user is welcome to do more mudslinging in a place that is more appropriate for such activity: https://lowendtalk.com/discussion/179346/how-is-mxroute

5 Likes

And… another Wednesday it is. Spammer complaining. Coffee’s still warm.

Hmm, seems like @webix is slinging mud everywhere they can and seeing if it sticks.

Obviously that person is clueless … as Mail-in-a-Box has nothing to do with MXRBL, yet he posted his tirade in their help forum.

Because … reasons.

https://discourse.mailinabox.email/t/entire-asn-blocked-by-mxrbl-because-reasons/9384

They’re going on an entire PR campaign against MXRBL.

But they’re doing it in a stupid way where it comes off as disingenuous and just aggressive (definitely a person with an axe to grind)… which they are… and everyone reads it and ends up letting their message fall on deaf ears.

Basically, they really suck at this don’t they lol

1 Like

I think it makes some sense to post in a self hosting community. Those users are likely to be against the sort of arbitrary block list that he paints mxrbl to be.

Any and every user should be against arbitrary blocks. In this case though there is nothing arbitrary about it.

I’m not saying that the block is arbitrary. This person is clearly a spammer. (There’s conclusive proof in other threads). He even approached his defamation campaign in a spammy way.

I just don’t think it’s so weird to post a complaint about blocklists on the MiaB forums. MiaB users are more likely to be impacted by blocklists than people who use a mail provider.

I guess I can respect the scorched earth campaign against an RBL. I just feel like when I do it, my reasoning is a bit better :joy:

3 Likes

He posted the same message to https://forum.directadmin.com/threads/easy_dns_blacklist-where-is-rbl-list.63008/#post-350689 and https://forum.directadmin.com/threads/rbl_dns_list-suggestion.64780/#post-350688 as well. Seems to be awfully good at spamming posts everywhere for a non-spammer… :wink: