
#76 DNSBL sample

Status: closed
Group: v1.0 (example)
Owner: nobody
Labels: dnsbl (1)
Priority: 5
Updated: 2023-09-01
Created: 2022-10-02
Private: No

Could you please provide a good sample of the --dnsbl option? Probably the one that you are using yourself.
I tried this one:
--dnsbl 127.0.0.1:53,500,1,dbl.spamhaus.org

And guess what, it blocked me :)
I just can't even telnet to port 25.

Turns out that my ISP is in the blocklist, and the SMTP server on a router from another ISP is blocked too. From logread I see
dnsbl: client address [46.98.212.67] blocked by [dbl.spamhaus.org]
That's probably because I have a residential IP and some other PCs in the network were infected.

Here it's not clear to me why it checked my IP on connection. I expected that the DNSBL would verify the domain of MAIL FROM: instead.

From the FAQ https://www.spamhaus.org/faq/section/Spamhaus%20DBL
it says "The DBL is a domain-only blocklist and does not include or support IP addresses."

So now I'm confused and don't know how it actually checked my IP.

Also the returned IP from DNSBL means different things:

127.0.1.2 spam domain
127.0.1.4 phish domain
127.0.1.5 malware domain
127.0.1.6 botnet C&C domain
127.0.1.102 abused legit spam
127.0.1.103 abused spammed redirector domain
127.0.1.104 abused legit phish
127.0.1.105 abused legit malware
127.0.1.106 abused legit botnet C&C
127.0.1.255 IP queries prohibited!

Does ER rely on these codes? Do they affect behaviour?
I'm asking because residential IPs may probably be represented by some of these codes and in practice could be allowed.


Discussion

  • Graeme Walker

    Graeme Walker - 2022-10-02

    It's not something that I use in earnest; there was a feature request for it and I had all the DNS code lying around so it went in quite easily.

    For testing purposes I use a zero threshold value so that the DNSBL queries are made and reported in the logs but not acted upon:

    1.1.1.1:53,1000,0,spam.dnsbl.sorbs.net,bl.blocklist.de,b.barracudacentral.org

    I reviewed the logs during a recent spam attack but did not see much value in the results. Perhaps spamhaus would have done a better job.

    The different 'result codes' are not interpreted by emailrelay, they are just logged. IIRC some DNSBL providers have subdomains to provide a similar degree of flexibility (eg. nomail.rhsbl.sorbs.net as a sub-set of spam.dnsbl.sorbs.net).

     
  • Graeme Walker

    Graeme Walker - 2022-11-03
    • status: open --> closed
     
  • Sergey Ponomarev

    For those who are following: I found a good list of DNSBLs
    https://docs.cloudron.io/email/#dnsbl

     
  • Sergey Ponomarev

    Sorry for the late question, but maybe we can simplify the --dnsbl option.
    I'm confused: why do we need to specify the transport DNS server? Maybe the ER can use the default system DNS.

    The timeout of DNS on Linux is 5 sec; on Windows it's 15. That's not that much.

    Also for me it's not clear why I might use a threshold different from 0 or 1. If I have two DNSBL servers and I want to avoid false positives then I can require both with 2. But anyway the DNSBL lists usually share information with each other.
    So maybe it can also be omitted.

    Based on the thread https://forum.cloudron.io/topic/4677/is-there-a-way-to-add-in-more-dnsbl-rbl-sources/30 I crafted the following --dnsbl option:

    127.0.0.1:53,5000,1,zen.spamhaus.org,bl.mailspike.net
    

    So it uses a local DNS resolver, waits for 5 seconds, and if either of the two DNSBLs denies then the connection is dropped.
    Maybe it makes sense to add this option as an example to the documentation so lazy users can just copy it.
    Also it makes sense to add a link to the list of DNSBL services:
    https://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists

     

    Last edit: Sergey Ponomarev 2023-08-07
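    The mechanics behind the log line in the original post and the threshold values discussed above, as an added example that is not emailrelay's code: it builds the reversed-octet query name for a connecting client's IPv4 address, decodes the 127.0.1.x answer using the table from the original post, and applies the threshold the way the thread describes it (0 means query and log only, otherwise block when at least that many lists answer). The resolver is replaced by a constructed answer table so it runs offline; the "hits >= threshold" rule, the answer values and the function names are this example's assumptions.

```cpp
// Added example, not emailrelay's code: DNSBL query construction, answer
// decoding and threshold logic, run against a constructed answer table.
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Reverse the dotted quad and append the zone, e.g. 46.98.212.67 against
// dbl.spamhaus.org becomes "67.212.98.46.dbl.spamhaus.org".
std::string dnsblQueryName(const std::string& ipv4, const std::string& zone)
{
    std::vector<std::string> octets;
    std::stringstream ss(ipv4);
    std::string part;
    while (std::getline(ss, part, '.')) octets.push_back(part);
    if (octets.size() != 4) return std::string();
    return octets[3] + "." + octets[2] + "." + octets[1] + "." + octets[0] + "." + zone;
}

// Decode a DBL-style return code using the table from the original post.
std::string describeDblCode(const std::string& answer)
{
    static const std::map<std::string, std::string> codes = {
        {"127.0.1.2", "spam domain"},
        {"127.0.1.4", "phish domain"},
        {"127.0.1.5", "malware domain"},
        {"127.0.1.6", "botnet C&C domain"},
        {"127.0.1.102", "abused legit spam"},
        {"127.0.1.103", "abused spammed redirector domain"},
        {"127.0.1.104", "abused legit phish"},
        {"127.0.1.105", "abused legit malware"},
        {"127.0.1.106", "abused legit botnet C&C"},
        {"127.0.1.255", "IP queries prohibited"},
    };
    auto it = codes.find(answer);
    return it == codes.end() ? "listed (unknown code)" : it->second;
}

// Per-zone result. "listed" is true whenever the query got an A record; like
// the emailrelay behaviour described in the thread, the code itself is only
// logged, so a 127.0.1.255 answer still counts as a listing.
struct ListResult { std::string zone; bool listed; std::string answer; };

// Constructed stand-in for a resolver: query name -> A record.
using FakeResolver = std::map<std::string, std::string>;

FakeResolver constructedResolver()
{
    // Constructed: the DBL refuses IP queries with 127.0.1.255; the other
    // zone has no record for this address.
    return { {"67.212.98.46.dbl.spamhaus.org", "127.0.1.255"} };
}

std::vector<ListResult> lookup(const std::string& clientIp,
                               const std::vector<std::string>& zones,
                               const FakeResolver& dns)
{
    std::vector<ListResult> out;
    for (const auto& zone : zones) {
        auto it = dns.find(dnsblQueryName(clientIp, zone));
        bool listed = (it != dns.end());
        out.push_back({zone, listed, listed ? it->second : std::string()});
    }
    return out;
}

// Threshold semantics as the thread describes them (assumed here as
// "hits >= threshold"): 0 means query and log but never block.
bool shouldBlock(const std::vector<ListResult>& results, int threshold)
{
    if (threshold <= 0) return false;
    int hits = 0;
    for (const auto& r : results) if (r.listed) ++hits;
    return hits >= threshold;
}

int main()
{
    const std::string client = "46.98.212.67";  // address from the thread's log line
    auto results = lookup(client, {"dbl.spamhaus.org", "bl.mailspike.net"}, constructedResolver());
    for (const auto& r : results) {
        std::cout << "dnsbl: [" << r.zone << "] "
                  << (r.listed ? "listed: " + describeDblCode(r.answer) : "not listed") << "\n";
    }
    std::cout << "threshold 1 -> " << (shouldBlock(results, 1) ? "block" : "allow") << "\n";
    std::cout << "threshold 0 -> " << (shouldBlock(results, 0) ? "block" : "allow") << "\n";
    return 0;
}
```

    The constructed case reproduces the situation in the original post: a client that treats any A-record answer as a listing counts the DBL's 127.0.1.255 "IP queries prohibited" reply as a hit, so a domain-only list ends up blocking a connecting address. For client-address checks, an IP-oriented zone such as zen.spamhaus.org is the appropriate choice, and a threshold of 0 is the safe way to observe what a list would do before letting it drop connections.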
  • Graeme Walker

    Graeme Walker - 2023-08-07

    You're right that the DNS server address should be optional. I have recently added code (for the new "mx:" filter) that obtains the system's DNS server address list, so I could use that for the default.

    If I understand you correctly, you are suggesting that the timeout could reasonably default to 5s (or 15s) and the threshold could default to 1. Is that right?

    The current syntax for the --dnsbl option string does not work well with defaults though: you would have something like ",10000,,spamhaus.org,mailspike.net" to default the DNS server and threshold but override the timeout, which is ugly. Using keywords is easier to default, but still clumsy when you end up with this sort of thing: "--dnsbl=ns=10.0.0.1:53,timeout=10000,threshold=0,spamhaus.org,mailspike.net"

    Perhaps the fields could be reversed, with trailing fields that are omitted taking a default value, like "--dnsbl=spamhaus.org,bl.mailspike.net,2,10000,10.0.0.1:53" or, with defaults, just "--dnsbl=spamhaus.org,bl.mailspike.net". The parser would just see if the first field looks like a domain name to decide which way to work; if the first field looks like a domain name (ie. not an integer and not a valid TCP address) then all following fields that also look like a domain name are the DNSBL list and any remaining fields are the threshold, timeout and nameserver.

     
  • Sergey Ponomarev

    Thank you for the explanation. I think that we can just check if the first comma-separated part contains ':' (e.g. 10.0.0.1:53) and that will mean the full form.
    The short form with domains only will make it easier to configure and simplify understanding (which is important for self-hosters).
    But this is a minor thing. Thank you for the clarification.

     
  • Graeme Walker

    Graeme Walker - 2023-08-09

    I've added this to the 2.5 release and committed it as 2.5rc7 to the sf svn trunk. If you want to test it you will have to be quick because I think this release will have to go out soon so that I can work on other stuff!

     
    • Sergey Ponomarev

      That's great news, thank you.
      Meanwhile, I developed a plugin for OpenWrt admin dashboard Luci that will
      provide a GUI to configure the EmailRelay. So it would be much easier for
      non-experienced users to set up their own email server just on a router.
      Today it was merged so I believe soon it will be available to install with
      the luci-app-email package.

      https://github.com/openwrt/luci/tree/master/applications/luci-app-email

      When a new version of the ER is released and the corresponding package
      in OpenWrt is updated, I'll send another PR for the GUI with more options.
      I will simplify the DNSBL option to use the new short form.
      Additionally I am going to add a dedicated page to view and send mail.

      Also I tried to play with and learn the code of the ER but CPP is too
      complicated for me.
      It's especially hard to debug because I am using JetBrains Clion IDE which
      supports debugging only for CMake projects.
      I made some minor changes with docs changes and reduced some code.

      I already asked you but can you please import the ER to Git and make a
      GitHub mirror?
      That will simplify contribution and I can send pull requests to you.
      Also many developers already know about GitHub and how to work with it.

      You can try the importer that will fetch the history from SVN and convert it to Git:
      https://docs.github.com/en/migrations/importing-source-code/using-github-importer/importing-a-repository-with-github-importer

      There are already quite a lot of ER-related repositories
      https://github.com/search?q=+emailrelay&type=repositories

      --
      Sergey Ponomarev https://linkedin.com/in/stokito,
      stokito.com

       


  • Graeme Walker

    Graeme Walker - 2023-08-09

    I love what you are doing with OpenWRT; it's one of my favourite projects and I use it for all my wifi routers. And I think emailrelay is a good fit for OpenWRT because it is (now) a single executable that runs as a single process, configurable from the command-line.

    You can use cmake to build emailrelay: just run "./configure.sh -q ; make cmake" or just "sh libexec/make2cmake". The make2cmake script parses the automake files and generates all the CMakeLists.txt files.

    It's a shame you did not make progress with the code. I used to think that most developers would be put off by the fact that it is event-driven, which makes some simple things annoyingly difficult. Perhaps nowadays asynchronicity is coming back into fashion so that might be less of a barrier. In case it's not obvious, the code is documented in header files rather than cpp files, and there is a developer.txt file for a higher-level perspective.

    Moving to git is a good idea. I did give it a go when you mentioned it before, but as I have never used git for development the learning curve at the time was too steep. SourceForge can do git, so perhaps that would be a gentler first step. I can give you admin rights if you want to make that happen.

     
  • Sergey Ponomarev

    The ER git repo is not synced automatically with SVN and is outdated: https://sourceforge.net/p/emailrelay/git/ci/master/tree/

    And as far as I understood, when a PR is merged this will require cherry-picking back to svn.
    In practice it may be easier to switch to git completely and leave the SVN as an archive.

     
  • Graeme Walker

    Graeme Walker - 2023-08-09

    Ah yes, it looks like I made a mess when I tried sourceforge git previously. Let me get this 2.5 release out before anything else, but I would be very happy with a complete switch to git on sourceforge straight after that. I am less keen on rehosting to github.

     
  • Sergey Ponomarev

    great, ty

     
  • Sergey Ponomarev

    I tested the new dnsbl form and it looks like there is a bug:
    This works
    -dnsbl=spamhaus.com
    But this doesn't:
    -dnsbl=zen.spamhaus.com

    I believe this may be because the DnsBlock::isDomain() doesn't detect properly.
    src/gnet/gdnsblock.cpp:170

    Maybe the isDomain check can be removed?

     
    • Sergey Ponomarev

      The dnsbl option can be used many times, so maybe if anyone wants to use
      the short form just add an option to each domain.
      Then we can simplify parsing to just check for a comma.


  • Graeme Walker

    Graeme Walker - 2023-09-01

    Ah yes, there is a bug in isDomain() because the tailView is intended to give the top-level-domain (eg, "com") but it matches on the first dot, not the last. The fix is to use rfind() to get the position of the last dot:

        G::string_view tld = G::Str::tailView( s , s.rfind('.') ) ;
    
     
  • Graeme Walker

    Graeme Walker - 2023-09-01

    I should have added a comment that in order to distinguish the old and new dnsbl formats the isDomain() function has to accept "127.0.0.com" as a domain but reject an IP address like "127.0.0.1". It can test the top-level domain part because there are no top-level domains that are numeric.
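    To make the two points above concrete (the rfind() fix to the top-level-domain check, and the "first field looks like a domain name" rule proposed earlier for telling the short --dnsbl form from the full one), here is an added example that is not emailrelay's code: an isDomain() that matches on the first dot, beside the corrected one, and a parser for both option forms built on it. What isDomain() tests about the TLD (letters only), the default timeout and threshold values, and all function names are this example's assumptions, not the project's.

```cpp
// Added example, not emailrelay's code: the isDomain() heuristic with the
// first-dot bug beside the rfind() fix, and a --dnsbl parser that uses it to
// tell the full form "ns:port,timeout,threshold,zone,..." from the short form
// "zone,...[,threshold[,timeout[,ns:port]]]".
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

static bool isInteger(const std::string& s)
{
    if (s.empty()) return false;
    for (unsigned char ch : s) if (!std::isdigit(ch)) return false;
    return true;
}

// "10.0.0.1:53": something before a colon, an integer port after it.
static bool looksLikeTcpAddress(const std::string& s)
{
    auto pos = s.rfind(':');
    return pos != std::string::npos && pos > 0 && isInteger(s.substr(pos + 1));
}

// Assumed TLD test: non-empty and letters only (no top-level domain is numeric).
static bool tldOk(const std::string& tld)
{
    if (tld.empty()) return false;
    for (unsigned char ch : tld) if (!std::isalpha(ch)) return false;
    return true;
}

// The bug from the thread: the tail is taken after the FIRST dot, so for
// "zen.spamhaus.com" the supposed TLD is "spamhaus.com" and the check fails.
bool isDomainBuggy(const std::string& s)
{
    if (isInteger(s) || looksLikeTcpAddress(s)) return false;
    auto dot = s.find('.');
    return tldOk(dot == std::string::npos ? s : s.substr(dot + 1));
}

// Fixed: rfind() gives the LAST dot, so the TLD really is the final label.
// Accepts "127.0.0.com"; rejects "127.0.0.1", "5000" and "10.0.0.1:53".
bool isDomain(const std::string& s)
{
    if (isInteger(s) || looksLikeTcpAddress(s)) return false;
    auto dot = s.rfind('.');
    return tldOk(dot == std::string::npos ? s : s.substr(dot + 1));
}

struct DnsblConfig {
    std::string nameserver;          // empty means "use the system resolver"
    int timeoutMs;
    int threshold;
    std::vector<std::string> zones;
    bool ok;
};

static std::vector<std::string> split(const std::string& s, char sep)
{
    std::vector<std::string> out;
    std::stringstream ss(s);
    std::string f;
    while (std::getline(ss, f, sep)) out.push_back(f);
    return out;
}

// Defaults of 5000 ms and threshold 1 are this example's assumption.
DnsblConfig parseDnsblOption(const std::string& opt)
{
    DnsblConfig c{"", 5000, 1, {}, false};
    auto f = split(opt, ',');
    if (f.empty()) return c;
    size_t i = 0;
    if (isDomain(f[0])) {
        // Short form: zones first, then optional threshold, timeout, nameserver.
        while (i < f.size() && isDomain(f[i])) c.zones.push_back(f[i++]);
        if (i < f.size()) { if (!isInteger(f[i])) return c; c.threshold = std::stoi(f[i++]); }
        if (i < f.size()) { if (!isInteger(f[i])) return c; c.timeoutMs = std::stoi(f[i++]); }
        if (i < f.size()) { if (!looksLikeTcpAddress(f[i])) return c; c.nameserver = f[i++]; }
        c.ok = (i == f.size());
    } else {
        // Full form: nameserver, timeout, threshold, then one or more zones.
        if (f.size() < 4 || !looksLikeTcpAddress(f[0]) || !isInteger(f[1]) || !isInteger(f[2])) return c;
        c.nameserver = f[0];
        c.timeoutMs = std::stoi(f[1]);
        c.threshold = std::stoi(f[2]);
        for (i = 3; i < f.size(); ++i) { if (!isDomain(f[i])) return c; c.zones.push_back(f[i]); }
        c.ok = true;
    }
    return c;
}

int main()
{
    for (const char* opt : {"zen.spamhaus.org,bl.mailspike.net",
                            "spamhaus.org,bl.mailspike.net,2,10000,10.0.0.1:53",
                            "127.0.0.1:53,5000,1,zen.spamhaus.org,bl.mailspike.net"}) {
        auto c = parseDnsblOption(opt);
        std::cout << opt << " -> " << (c.ok ? "ok" : "invalid") << " ns=[" << c.nameserver
                  << "] timeout=" << c.timeoutMs << " threshold=" << c.threshold
                  << " zones=" << c.zones.size() << "\n";
    }
    return 0;
}
```

    The parser refuses any field it cannot classify rather than guessing, so a typo in the option becomes a visible configuration error instead of a silently shorter DNSBL list or an unintended zero threshold.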

     
