WhiteSites Blog

Stop Spam in SmarterMail with RBL SBL and BL

Posted on Feb 8, 2008 by Paul White

The first thing you want to do is log in to SmarterMail as the server admin.
Then roll over Security and click on Anti-Spam Administration.
This will bring up a page like this:

What is that? You don't have all these great RBL and SBL lists?

No problem. Here are the servers I use for these:
  • cbl.abuseat.org
  • bl.csma.biz
  • sbl.csma.biz
  • t1.dnsbl.net.au
  • no-more-funn.moensted.dk
  • smtp.dnsbl.sorbs.net
  • zombie.dnsbl.sorbs.net
  • bl.spamcannibal.org
  • zen.spamhaus.org
  • dnsbl-1.uceprotect.net
After you add these RBL lists to SmarterMail, you will still need to specify how you want them filtered.
You have two options:
  • Enable for Filtering
  • Enable for Incoming Blocking
Enable for Filtering will simply take your spam and move it to your spam folder.

Enable for Incoming Blocking will reject the connections entirely.

Start out with the first option, then check after a couple days to make sure you aren't getting any false positives.
Then, if everything looks good, start enabling for blocking.
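To see which list is responsible for a hit while you are still in the filtering phase, you can query the lists yourself. The sketch below is an added example, not part of SmarterMail or of the original post: it builds the standard DNSBL query name (reversed IPv4 octets plus the zone) and reports which lists flag a sender. The split into `FILTER_ZONES` and `BLOCK_ZONES`, the function names and the sample answers are assumptions made for the example.

```python
import ipaddress
import socket

# Zones come from the list in the post. Which ones block and which only
# filter is an assumption made for this example.
FILTER_ZONES = ["cbl.abuseat.org", "zen.spamhaus.org", "dnsbl-1.uceprotect.net"]
BLOCK_ZONES = ["no-more-funn.moensted.dk"]
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_name(ip, zone):
    """Build the query name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolve(name):
    """Return the A record for name, or None when it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def check_ip(ip, resolve=system_resolve):
    """Report which lists flag ip and the resulting action."""
    hits = {}
    for zone in FILTER_ZONES + BLOCK_ZONES:
        answer = resolve(dnsbl_name(ip, zone))
        # Only an answer inside 127.0.0.0/8 means "listed"; any other
        # address (for example a wildcarded zone) is ignored.
        if answer and ipaddress.IPv4Address(answer) in LISTED_NET:
            hits[zone] = answer
    blocked = any(zone in BLOCK_ZONES for zone in hits)
    action = "block" if blocked else "filter" if hits else "deliver"
    return {"hits": hits, "action": action}


if __name__ == "__main__":
    # Constructed answers standing in for live DNS so the demo runs offline.
    fake_dns = {
        "10.2.0.192.cbl.abuseat.org": "127.0.0.2",
        "20.2.0.192.no-more-funn.moensted.dk": "127.0.0.3",
    }
    for sender in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(sender, check_ip(sender, fake_dns.get))
```

Calling `check_ip(ip)` without a second argument uses the system resolver, so the per-list hits for a sender that was wrongly junked show which list to keep on filter-only.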

One other thing you will want to make sure you do is block dictionary attacks. This is when spammers set up servers to ping your mail server with every name they can find in a dictionary @ yourdomain.com. Naturally, SmarterMail will just respond with "User Not Here". But eventually the dictionary attack will determine exactly which email addresses exist on your mail server. To stop this, you will want to enable Abuse Detection in SmarterMail.

Roll over Security and click on Abuse Detection.

What I have found works well is to set Bad SMTP Sessions (Harvesting) to look back for IPs that have tried a dictionary attack within the last 60 minutes. If it finds 2 or more instances of a bad request (i.e. 2+ attempts to send email to a user that doesn't exist on your mail server), it will put the IP on the block list and refuse any future connections from this IP for your block time, which is 43200 minutes for me (I am not friendly to spammers); this is about 1 month.

To see how many spammers get caught in your little trap, roll over Reports and click on Current Blocks.
You should see a list of IPs that are being blocked because they tried to dictionary attack one of your domains.
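The rule described above (2 or more unknown-recipient attempts from one IP within 60 minutes, then a 43200-minute block) can be written out as a sliding-window check. This is an added example, not SmarterMail's code: the log format, the sample lines and the function name `find_blocks` are constructed for illustration, while the three thresholds are the ones from this post.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)          # look-back period from the post
THRESHOLD = 2                           # bad recipients before blocking
BLOCK_TIME = timedelta(minutes=43200)   # block duration from the post

# Constructed sample log: "timestamp ip smtp-reply-code recipient".
# This is NOT SmarterMail's log format, only a stand-in for the example.
SAMPLE_LOG = """\
2008-02-08T10:00:00 198.51.100.7 550 aaron@example.com
2008-02-08T10:00:05 203.0.113.9 250 paul@example.com
2008-02-08T10:20:00 198.51.100.7 550 abby@example.com
2008-02-08T10:30:00 203.0.113.9 550 pual@example.com
2008-02-08T11:45:00 203.0.113.9 550 paull@example.com
2008-02-08T11:50:00 198.51.100.7 550 adam@example.com
"""


def find_blocks(log_text):
    """Return ({ip: blocked_until}, refused) for the given log text."""
    recent = defaultdict(deque)   # ip -> times of recent unknown-user replies
    blocked_until = {}
    refused = 0                   # connections turned away while blocked
    for line in log_text.splitlines():
        stamp, ip, code, _rcpt = line.split()
        now = datetime.fromisoformat(stamp)
        if ip in blocked_until and now < blocked_until[ip]:
            refused += 1
            continue
        if code != "550":         # only unknown-recipient replies count
            continue
        window = recent[ip]
        window.append(now)
        # Drop attempts that have aged out of the 60-minute window, so a
        # sender with two typos hours apart is not treated as a harvester.
        while now - window[0] > WINDOW:
            window.popleft()
        if len(window) >= THRESHOLD:
            blocked_until[ip] = now + BLOCK_TIME
            window.clear()
    return blocked_until, refused


if __name__ == "__main__":
    blocks, refused = find_blocks(SAMPLE_LOG)
    for ip, until in blocks.items():
        print(ip, "blocked until", until.isoformat())
    print("refused while blocked:", refused)
```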

UPDATE 3/15/2008
My client reported that some of his clients were having trouble sending him email.  I am not sure which RBL list was causing this, so I had to take them all back to filter only, and not block.  I am slowly adding them back on block status. 





Discussion

shuffles | Mar 1, 2008 3:31 AM
Paul, your tutorial here kicks ass! Within 5 minutes of adding your lists, my year of struggling with finding just the right settings has come to an end! What kind of false positives have you experienced? THANK YOU!
Paul White | Mar 1, 2008 4:03 PM
Shuffles, I am glad my tutorial helped you out. I only have 6 domains running on SmarterMail right now. One of them gets a huge amount of spam. My client used to get 350 spam emails / day before I set up these RBL lists. I initially set him up with just the filtering. After 2 weeks he didn't have a single false positive, even though he still had maybe 1 or 2 spam get through per day. I have now set up the entire server to block on these RBL lists. I told my client to let me know if anyone has trouble sending emails to him, and thus far no complaints yet. So to answer your question, I have not received any false positives yet with this setup. The biggest thing that used to cause false positives was filtering with the Reverse DNS and/or SBL record. Too many server admins still have not set these up. Thus far, just using RBL and SBL seems to be a foolproof way to block spam on SmarterMail.
Peter Boyd | Mar 27, 2008 11:41 AM
Question, what are your filter settings at though? For example are they:

Low - 30 - Nothing
Medium - 60 - Move to Junk Mail
High - 90  - Delete

Thanks.
Paul White | Mar 27, 2008 12:55 PM
Peter,
I am running with the following setup.
10 - Move to Junk Email Folder
20 - Move to Junk Email Folder
30 - Move to Junk Email Folder

This could probably be improved, as right now it only takes 1 RBL list to trigger the filter.  Recently I had a client complain that they weren't getting some of their emails, so I had to cut down the number of Blocks.  Currently I am only running No More Fun and SpamCop for blocking.  While still filtering the rest. 

For the last 24 hours here are the results
Blocked 5404
Spam-High 297
Spam-Medium 8
Total delivered messages 465


shuffles | Mar 28, 2008 4:39 PM
We have about 40 domains and block about 15-20K per day with these settings, but too many false positives as well, so I adjusted to just the lists you just mentioned. Will let you know how it works! Might upgrade to SM 5 next month when $ permits.
Paul White | Mar 28, 2008 5:01 PM
Shuffles,
I too was running into problems with false positives.  It seems that some of the RBL lists are a little more conservative than others.  I cut back my RBLs for blocking to only SpamCop and No More Fun.  Everything else is on filter.  I wish smartermail would not only filter spam but also tell me what specific filters blocked the spam, this way I could tell what RBL lists are worth using, and what are going to give me problems.  I suspect most of my false positives were from one or two of the RBLs, but no way to know which one. 

As a side note I am also very excited about SmarterMail 5.x. Depending on the tools available to fight spam I might make the upgrade. I don't mind using RBLs and so forth, but I am against running SpamAssassin due to the memory usage. I am on a VPS, and as it is I am constantly pushing the memory ceiling. I wish SmarterTools would create their own RBL, and developers like us could contribute. With the thousands of people using SmarterMail, and many of them motivated developers like ourselves, we could put the hurt to spammers.
Peter Boyd | Mar 28, 2008 5:19 PM
Yeah 5x should be good, but I will wait for awhile until all the bugs are worked out.  I usually wait for at least 1 or 2 patches before moving as we have too many domains to take a chance. 

I would like an official RBL list to use. I am running into problems with SORBS as it's overly aggressive and blocks ranges of IP addresses, even though there is only one offender in the IP block. They do this to punish the ISP and force them to pay a "fine" to rectify the situation, but it's more like throwing a grenade into a room of people to knock out one person.