How to configure Spamhaus DBL

Has anyone configured EXIM to use a DBL?  I really need to get this working today.

I've found one example that uses a perl script callout, but it's like 15 years old and doesn't really cover what I am trying to do.

What is the easiest way to get Spamhaus Domain Block List (DBL) working using Sophos UTM?

Namecheap.com stepped up their attacks today, and now they are spamming using .com domains.

[edited by: Remuflon at 11:54 PM (GMT -8) on 27 Feb 2021]
  • I figured it out on my own.  This was the solution.  Added to the ACL section in exim.conf.

      # Reject at RCPT time when the envelope sender's domain is listed in the
      # Spamhaus Domain Block List.  The DBL is queried in domain form
      # (<domain>.dbl.spamhaus.org), never with the connecting IP address.
      drop message = $sender_address_domain blacklisted at $dnslist_domain
           # skip senders already accepted by the whitelist (macro defined elsewhere in exim.conf)
           !condition = WL_IS_WHITELISTED
           # domain-form dnslist lookup; $dnslist_domain is set when the lookup hits
           dnslists = dbl.spamhaus.org/$sender_address_domain
           # record the reject reason and the list that fired for later reporting
           set acl_c0 = rbl
           set acl_c1 = $dnslist_domain
           # macros defined elsewhere in exim.conf: register the reject and write the log line
           condition = INSERT_REJECT
           logwrite = LOG_RCPT_REJECT
    

  • I usually just add zen.spamhaus.org to 'Extra RBL Zones'.  I was able to add dbl.spamhaus.org there - are you saying that that doesn't work?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I too have used zen for years.  That's an RBL.  I'm talking about a DBL, (domain black list) which is not directly supported by UTM.

    I don't see how adding dbl.spamhaus.org to UTM could work, because UTM is going to use IP addresses, which are not supported by dbl.  If I am wrong I would like to know that and I will update my notebook.  There would need to be a switch on the UTM config to tell it to use ip / domain, and there is no switch, so how could it work?

  • Interesting!

    DON'T PUT dbl.spamhaus.org into 'Extra RBL Zones'!  I rejected several emails I wanted to receive.

    I found the following from my US senator among others that were also rejected by the dbl so I immediately removed that!

    02-26 13:57:05 H=a-ess-cssb224072.senate.gov [156.33.224.72]:46374 F=<enewsletters@lankford.senate.gov> rejected RCPT <myname@ourdomain.com>: 156.33.224.72 blacklisted at dbl.spamhaus.org

    Another rejected by dbl was from Sophos Support.

    Remuflon, do you know enough about Exim to make your code quarantine the emails instead of rejecting them?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Of course it did, as I explained, you have it misconfigured.  You are passing an IP address to a Domain Blacklist.  It says right in the FAQ that if you do this it will block it.  You have to pass a domain name to dbl.spamhaus.org.

    It is working correctly.

    If you configure it in Exim as I explained, it works fantastic.  I'm into my 2 days of it now and it has correctly blocked lots of .CYOU and .TOP junk domains.  It has not had one false positive yet, on my server.

    I checked your record here at Spamhaus: lankford.senate.gov is not listed in the DBL
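
The point made in the post above, as an added example that is not code from this thread, from Exim or from Sophos UTM: a DBL lookup sends the sender's domain name, while a generic RBL client sends the connecting IP in reversed-octet form, and the DBL answers an IP-form query with the documented 127.0.1.255 "IP queries prohibited" code rather than NXDOMAIN, so a client that treats any answer as a listing rejects the mail. DNS is replaced by a constructed answer table so the script runs offline; the function names, the offline resolver and the answer for the senate.gov IP are assumptions made for the example (dbltest.com is the test domain Spamhaus publishes for the DBL).

```python
"""Added example: why a domain list (DBL) must not be fed IP addresses.

dbl.spamhaus.org expects <sender-domain>.dbl.spamhaus.org.  An RBL client
instead queries <reversed-ip>.<zone>; aimed at the DBL, that query is
answered with 127.0.1.255 ("IP queries prohibited") instead of NXDOMAIN,
so a client that treats any answer as a hit rejects legitimate mail.
DNS is stubbed with a constructed answer table so this runs offline.
"""
import ipaddress
import socket
from typing import Callable, Optional

DBL_ZONE = "dbl.spamhaus.org"

# Return codes documented by Spamhaus for the DBL.
DBL_CODES = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legit spam",
    "127.0.1.103": "abused spammed redirector domain",
    "127.0.1.104": "abused legit phish",
    "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
    "127.0.1.255": "IP queries prohibited",
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "anonymous query through public resolver",
    "127.255.255.255": "excessive number of queries",
}

# Answers that describe a bad query, not a bad domain.
DBL_QUERY_ERRORS = {"127.0.1.255", "127.255.255.252",
                    "127.255.255.254", "127.255.255.255"}

Resolver = Callable[[str], Optional[str]]


def dbl_query_name(sender_domain: str) -> str:
    """Build <domain>.dbl.spamhaus.org; refuse IP literals, which belong to an IP list."""
    domain = sender_domain.strip().rstrip(".").lower()
    if not domain:
        raise ValueError("empty sender domain")
    try:
        ipaddress.ip_address(domain.strip("[]"))
    except ValueError:
        return f"{domain}.{DBL_ZONE}"
    raise ValueError(f"{domain} is an IP address; the DBL accepts only domain names")


def rbl_query_name(ip: str, zone: str) -> str:
    """Reversed-octet form used for IP lists such as zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Live lookup (not used by the offline demo): A record, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dbl_verdict(sender_domain: str, resolve: Resolver = system_resolver) -> tuple:
    """Return (listed, reason); listed is True only for a genuine listing code."""
    try:
        qname = dbl_query_name(sender_domain)
    except ValueError as exc:
        return (False, f"not queried: {exc}")
    answer = resolve(qname)
    if answer is None:
        return (False, "not listed")
    meaning = DBL_CODES.get(answer, f"unknown code {answer}")
    if answer in DBL_QUERY_ERRORS:
        return (False, f"query error: {meaning}")
    return (True, meaning)


def naive_rbl_hit(ip: str, zone: str, resolve: Resolver = system_resolver) -> bool:
    """What a generic 'extra RBL zone' client does: any answer at all counts as a hit."""
    return resolve(rbl_query_name(ip, zone)) is not None


# Constructed stand-in for DNS.  dbltest.com is Spamhaus's published DBL test
# domain; the second entry assumes the documented response to an IP-form query
# for the senate.gov IP quoted in the thread.
CONSTRUCTED_ANSWERS = {
    "dbltest.com.dbl.spamhaus.org": "127.0.1.2",
    "72.224.33.156.dbl.spamhaus.org": "127.0.1.255",
}


def offline_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_ANSWERS.get(name)


if __name__ == "__main__":
    for sender in ("dbltest.com", "lankford.senate.gov", "156.33.224.72"):
        print(f"{sender:22} -> {dbl_verdict(sender, offline_resolver)}")
    ip = "156.33.224.72"
    print("naive RBL client vs DBL:", naive_rbl_hit(ip, DBL_ZONE, offline_resolver))
    print("naive RBL client vs ZEN:", naive_rbl_hit(ip, "zen.spamhaus.org", offline_resolver))
```

Run against the offline table, the domain-form lookup reports lankford.senate.gov as not listed and refuses to query the bare IP, while the naive RBL-style lookup of the same IP against dbl.spamhaus.org returns an answer and would reject the mail, which is the false positive seen in the log line above. Swapping `offline_resolver` for `system_resolver` performs live lookups; on a busy gateway those should go through a local caching resolver, since the 127.255.255.254 and 127.255.255.255 codes mark queries Spamhaus refuses from public or over-quota resolvers.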

  • OK, I'm ready to admit a misunderstanding, but I'd like to try your idea with quarantining instead of rejecting first.  Do you know how to do that?

    When you run the following command, do you see any blocks that should not have occurred?

    grep lacklist /var/log/smtp.log|grep 'dbl\.spamhaus'|grep -oP 'F\=\<.*?\>'|sort -n|uniq -c

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I checked my logs.  There have been no false positives since I started using it.  However, a couple of spams got through because they got in before the list was updated.  I'm looking at getting faster response from spamhaus.  I think there is a pay option for that?