
How to configure Spamhaus DBL

Has anyone configured EXIM to use a DBL?  I really need to get this working today.

I've found one example that uses a perl script callout, but it's like 15 years old and doesn't really cover what I am trying to do.

What is the easiest way to get Spamhaus Domain Block List (DBL) working using Sophos UTM?

Namecheap.com stepped up their attacks today, and now they are spamming using .com domains.

  • I figured it out on my own.  This was the solution.  Added to the ACL section in exim.conf.

      drop message = $sender_address_domain blacklisted at $dnslist_domain
           !condition = WL_IS_WHITELISTED
           dnslists = dbl.spamhaus.org/$sender_address_domain
           set acl_c0 = rbl
           set acl_c1 = $dnslist_domain
           condition = INSERT_REJECT
           logwrite = LOG_RCPT_REJECT
    

  • I usually just add zen.spamhaus.org to 'Extra RBL Zones'.  I was able to add dbl.spamhaus.org there - are you saying that that doesn't work?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I too have used zen for years.  That's an RBL.  I'm talking about a DBL (domain black list), which is not directly supported by UTM.

    I don't see how adding dbl.spamhaus.org to UTM could work, because UTM is going to use IP addresses, which are not supported by dbl.  If I am wrong I would like to know that and I will update my notebook.  There would need to be a switch on the UTM config to tell it to use ip / domain, and there is no switch, so how could it work?

  • Interesting!

    DON'T PUT dbl.spamhaus.org into 'Extra RBL Zones'!  I rejected several emails I wanted to receive.

    I found the following from my US senator, among others that were also rejected by the dbl, so I immediately removed that!

    02-26 13:57:05 H=a-ess-cssb224072.senate.gov [156.33.224.72]:46374 F=<enewsletters@lankford.senate.gov> rejected RCPT <myname@ourdomain.com>: 156.33.224.72 blacklisted at dbl.spamhaus.org

    Another rejected by dbl was from Sophos Support.

    Remuflon, do you know enough about Exim to make your code quarantine the emails instead of rejecting them?

    Cheers - Bob

  • Of course it did; as I explained, you have it misconfigured.  You are passing an IP address to a Domain Blacklist.  It says right in the FAQ that if you do this it will block it.  You have to pass a domain name to dbl.spamhaus.org.

    It is working correctly.

    If you configure it in Exim as I explained, it works fantastic.  I'm into my 2 days of it now and it has correctly blocked lots of .CYOU and .TOP junk domains.  It has not had one false positive yet, on my server.

    I checked your record here at Spamhaus: lankford.senate.gov is not listed in the DBL.
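    As an added illustration (not code from this thread, from Sophos or from Spamhaus), the following Python models the two lookups argued about above: an RBL-style query that reverses the connecting IP's octets, which is what produced the rejection in Bob's log, and a domain-keyed DBL check that refuses IP literals and decodes the answer. The fake resolver and the .example domains are constructed so it runs offline; the return codes are the codes Spamhaus publishes for the DBL.

```python
import ipaddress

ZONE = "dbl.spamhaus.org"

# Spamhaus's published DBL return codes (from Spamhaus documentation, not from the thread).
DBL_CODES = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legit spam",
    "127.0.1.103": "abused spammed redirector",
    "127.0.1.104": "abused legit phish",
    "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
}
IP_QUERY_PROHIBITED = "127.0.1.255"  # returned when an IP-shaped key is sent to the DBL

# Constructed fake zone so the example runs offline; production code would do a real A lookup.
FAKE_ZONE = {"spammy.example": ["127.0.1.2"], "hacked-shop.example": ["127.0.1.104"]}

def fake_resolve(qname):
    """Stand-in for an A-record lookup under dbl.spamhaus.org (constructed)."""
    key = qname[: -(len(ZONE) + 1)]
    labels = key.split(".")
    if len(labels) == 4 and all(label.isdigit() for label in labels):
        return [IP_QUERY_PROHIBITED]  # the DBL answers any IP-shaped key with this code
    return FAKE_ZONE.get(key, [])

def rbl_style_check(ip, resolve, zone=ZONE):
    """What an RBL slot does: reverse the octets and treat any answer as 'listed'."""
    reversed_ip = ".".join(reversed(ip.split(".")))
    return bool(resolve(f"{reversed_ip}.{zone}"))

def dbl_check(sender_domain, resolve, zone=ZONE):
    """Correct DBL use: key by sender domain, refuse IP literals, decode the answer."""
    try:
        ipaddress.ip_address(sender_domain)
        return ("skip", "IP literal; a DBL is keyed by domain")
    except ValueError:
        pass
    answers = resolve(f"{sender_domain.rstrip('.').lower()}.{zone}")
    if IP_QUERY_PROHIBITED in answers:
        return ("error", "IP queries prohibited")
    listed = [DBL_CODES[a] for a in answers if a in DBL_CODES]
    if listed:
        return ("listed", ", ".join(listed))
    return ("clean", None)  # no answer or an unrecognised code: fail open, do not reject
```

    Running rbl_style_check on the 156.33.224.72 from the log above returns True even though no domain is listed, which is exactly the false positive the thread describes.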

  • OK, I'm ready to admit a misunderstanding, but I'd like to try your idea with quarantining instead of rejecting first.  Do you know how to do that?

    When you run the following command, do you see any blocks that should not have occurred?

    grep lacklist /var/log/smtp.log|grep 'dbl\.spamhaus'|grep -oP 'F\=\<.*?\>'|sort -n|uniq -c

    Cheers - Bob

  • I checked my logs.  There have been no false positives since I started using it.  However, a couple of spams got through because they got in before the list was updated.  I'm looking at getting faster response from spamhaus.  I think there is a pay option for that?

  • This question illustrates the inadequacies of UTM as a spam filter.  Making unsupported changes to the undocumented under-the-covers Exim is not a very suitable solution.

    I would be interested in someone discussing how to build a spam filter using native EXIM.  I read the EXIM documentation once, and was put off because the scripting language never mentioned the message From address as a filtering variable, but later I was told that ACLs could have done what I wanted.

    My spam comes from two primary sources: dedicated infrastructure and Email Service Providers (ESPs), particularly sendgrid.net.  You probably have the same two categories.

    For dedicated infrastructure, blocking based on DNS name (HELO and Reverse DNS) is pretty effective.  Blocking source IP, DNS, and email addresses is even better.

    For ESPs, you need to be able to filter on the From address to detect the client.  Necessary messages such as password resets from technology vendors and account statements from your utility company need to be allowed.  Messages from clients that fraudulently impersonate a bank need to be blocked.  Messages from unrecognized clients need to be quarantined.  I will be bold enough to say that if you don't know that you have a sendgrid.net problem, you don't understand your email problem.

    To state the obvious, UTM does not know how to filter on DNS name and does not know how to filter on From address.

    The only serious mail product from Sophos is Sophos Mail in the Cloud.  After offering two embedded solutions, three appliance solutions, and 1 other cloud product, we can hope that they got it right.  I have talked to product management and they think they do have it right this time.  I do not know for sure because I have created my own solution, based on a freeware product for source filtering, with UTM and another commercial product following after to perform content filtering.