This is not a new idea, actually; someone among the SpamAssassin plugin developers has done it before. Basically, the idea is to put email addresses into an RBLDNSD zone in dnset format, i.e.:

Email:    user@example.com
RBLDNSD:  user.example.com

So we replace the @ sign with a dot (.). That way we can store the email addresses in the RBLDNSD dnset zone.
RBLDNSD part:
Create the emailbl zone file and the meta file:

emailbl zone file:
:127.0.0.4:DNSBL. $ - Not receiving email right now.
example.user.gmail.com
example.user.rediffmail.com

meta file:
$NS 1w ns.example.com ns.example.com
$SOA 1w ns.example.com admin.example.com 0 2h 2h 1w 1h
$DATASET generic @
@ A 1.2.3.4
@ MX 10 mx.example.com
@ TXT "example email blocklist"
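As an added example (not code from this post, nor from rbldnsd or SpamAssassin), here is a small Python script that applies the @-to-dot mapping described above to a list of addresses, emits the dnset entries in the format of the emailbl zone file, builds the query name a client would look up, and flags keys that more than one distinct address maps to, which is the ambiguity raised in the comments below (example.test@domain.tld and example@test.domain.tld become the same key). The zone name emailbl.example.com and the 127.0.0.4 return code come from the post; the address list is constructed for the example.

```python
"""Build an rbldnsd dnset zone for an email blocklist and spot ambiguous keys.

Added example, not code from the original post.  Implements the mapping the
post describes (user@domain -> user.domain) and reports keys that several
different addresses collapse onto.  Zone name and return code are the post's;
the sample address list is constructed.
"""
from collections import defaultdict

ZONE = "emailbl.example.com"                                   # from the post
DNSET_HEADER = ":127.0.0.4:DNSBL. $ - Not receiving email right now."


def address_to_key(address: str) -> str:
    """Map user@domain to the dnset key user.domain (lower-cased, one '@' only)."""
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a plain address: {address!r}")
    local, domain = address.split("@")
    return f"{local}.{domain}"


def query_name(address: str, zone: str = ZONE) -> str:
    """Name a client such as the SpamAssassin plugin would query for an address."""
    return f"{address_to_key(address)}.{zone}"


def listed(answers) -> bool:
    """Interpret the A records returned for query_name(): only loopback-range
    answers (127.0.0.x) count as a hit, mirroring the plugin's '^127' check."""
    return any(a.startswith("127.0.0.") for a in answers)


def build_dnset(addresses):
    """Return (dnset_lines, collisions).

    dnset_lines is the header line plus one sorted key per line, ready to be
    written as the emailbl zone file.  collisions maps every key produced by
    more than one distinct address to those addresses: a hit on such a key
    blocks all of them, which is the false-positive risk discussed below.
    """
    by_key = defaultdict(set)
    for addr in addresses:
        by_key[address_to_key(addr)].add(addr.strip().lower())
    lines = [DNSET_HEADER] + sorted(by_key)
    collisions = {k: sorted(v) for k, v in by_key.items() if len(v) > 1}
    return lines, collisions


# Constructed sample list: the two freemail entries from the post plus the
# colliding pair mentioned in the comment thread.
SAMPLE_ADDRESSES = [
    "example.user@gmail.com",
    "example.user@rediffmail.com",
    "example.test@domain.tld",
    "example@test.domain.tld",
]

if __name__ == "__main__":
    zone_lines, ambiguous = build_dnset(SAMPLE_ADDRESSES)
    print("\n".join(zone_lines))
    for key, addrs in ambiguous.items():
        print(f"# ambiguous key {key}: {', '.join(addrs)}")
    print(query_name("example.user@gmail.com"))
```

Running it prints the zone file as shown in the post plus a comment line for the ambiguous key; restricting the list to freemail domains, as the author suggests in the reply below, is the simplest way to keep that collision list empty.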
In /etc/sysconfig/rbldnsd:

RBLDNSD="dsbl -r/var/lib/rbldns/dsbl -t 300 -b 1.2.3.4 \
 emailbl.example.com:combined:meta,emailbl"
Of course we should delegate the subdomain emailbl.example.com in the example.com authoritative nameserver:

; subdomain delegation
emailbl.example.com.    IN NS   ns.example.com.
ns.example.com.         IN A    1.2.3.4
Start the rbldnsd service:
service rbldnsd start
Now, test a query to our rbldnsd for an email address in the blacklist:

# dig a example.user.gmail.com.emailbl.example.com +short
127.0.0.4

Great, we got the answer 127.0.0.4; that means half of our work is done.
And now the SpamAssassin plugin part. I should warn you that I'm not a SpamAssassin expert; the code is based on another plugin, which I modified. Most of the spam that reaches my server comes from hacked/compromised legitimate freemail accounts, where the spammer sets the Reply-To header to their own address (or both From and Reply-To are bogus).

Plugin code:
ReplyTo.pm
package ReplyTo;
use strict;
use warnings;
use Net::DNS;
use Mail::SpamAssassin;
use Mail::SpamAssassin::Plugin;
our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
  my ($class, $mailsa) = @_;
  $class = ref($class) || $class;
  my $self = $class->SUPER::new($mailsa);
  bless ($self, $class);
  $self->register_eval_rule('check_for_spam_replyto');
  return $self;
}

# resolver shared by all lookups; short timeout so a slow zone cannot stall scanning
our $dns = Net::DNS::Resolver->new(
  udp_timeout => 2,
  retry       => 2,
);

sub check_for_spam_replyto {
  my ($self, $msg) = @_;
  my $replyto = $msg->get('Reply-To:addr');
  # no Reply-To header: nothing to look up (and no query for a bare ".emailbl.example.com")
  return 0 unless defined $replyto && $replyto ne '';
  $replyto =~ s/\s+$//;
  my $replyto_hit = $replyto;          # keep the original address for the report
  $replyto =~ s/@/\./;                 # user@domain -> user.domain, the dnset key
  my $found_replyto = '';
  my $query = $dns->query($replyto . ".emailbl.example.com", "A");
  if ($query) {
    foreach my $rr ($query->answer) {
      next unless $rr->type eq 'A';    # only A records carry ->address
      if ($rr->address =~ /^127\./) { $found_replyto = "FOUND"; }
    }
  }
  Mail::SpamAssassin::Plugin::dbg("ReplyTo: matching Reply-To: $replyto");
  if ($found_replyto eq 'FOUND') {
    $self->_got_hit($msg, $replyto_hit, "is blacklisted");
    return 1;
  }
  return 0;
}

sub _got_hit {
  my ($self, $msg, $email, $desc) = @_;
  my $rulename = $msg->get_current_eval_rule_name();
  $email =~ s/\@/[at]/;                # obfuscate the address in the report
  $msg->clear_test_state();
  $msg->test_log("$email");
  $msg->got_hit($rulename, "");
  $msg->register_async_rule_finish($rulename);
}

1;
Put the plugin in, say, the /etc/smail/spamassassin/plugins directory.

Load the plugin and set the rules; we can create a new .pre file, e.g. v350.pre:

loadplugin ReplyTo plugins/ReplyTo.pm
header RCVD_REPLYTO_EMAILBL eval:check_for_spam_replyto()
describe RCVD_REPLYTO_EMAILBL Email address listed in Reply-To:
score RCVD_REPLYTO_EMAILBL 5.5
Restart SpamAssassin and test using this modified GTUBE template, with the Reply-To header changed to one of the email addresses in our emailbl zone:

Subject: Test spam mail (GTUBE)
Message-ID: <GTUBE1.1010101@example.net>
Date: Wed, 23 Jul 2003 23:30:00 +0200
From: Sender <sender@example.com>
To: Recipient <recipient@example.net>
Reply-To: "spam" <example.user@gmail.com>
Precedence: junk
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

This is the GTUBE, the Generic Test for Unsolicited Bulk Email

If your spam filter supports it, the GTUBE provides a test by which you
can verify that the filter is installed correctly and is detecting incoming
spam. You can send yourself a test mail containing the following string of
characters (in upper case and with no white spaces and line breaks):

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

You should send this test mail from an account outside of your network.
# spamc -R < gtube.txt
1013.1/5.0
Spam detection software, running on the system "mx.example.com",
has identified this incoming email as possible spam.  The original
message has been attached to this so you can view it (if it isn't spam)
or label similar future email.  If you have any questions, see
admin@example.com for details.

Content preview:  This is the GTUBE, the Generic Test for Unsolicited Bulk
   Email If your spam filter supports it, the GTUBE provides a test by
   which you can verify that the filter is installed correctly and is
   detecting incoming spam. You can send yourself a test mail containing
   the following string of characters (in upper case and with no white
   spaces and line breaks): [...]

Content analysis details:   (1007.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            (acctan57mam[at]live.com)
 5.5 RCVD_REPLYTO_EMAILBL   Email adress Listed in Reply-To:
                            [example.user[at]gmail.com]
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
1000 GTUBE                  BODY: Generic Test for Unsolicited Bulk Email
 1.1 DCC_CHECK              Detected as bulk mail by DCC (dcc-servers.net)
-0.0 NO_RECEIVED            Informational: message has no Received headers
 1.0 FREEMAIL_REPLYTO       Reply-To/From or Reply-To/body contain different freemails
Great, that email triggered our plugin. The plugin can also be modified to match the address in the From: header or anything else.

I put 5.5 for the score just as an example; tune it, YMMV. This email blacklist can also be used to reject email during the SMTP conversation.

Use it carefully, the code is experimental.
There was a discussion about this a while ago on the SpamAssassin list and no conclusion was made (http://spamassassin.1065346.n5.nabble.com/DNSBL-for-email-addresses-td12165.html), however I believe it might cause some FP. At least at $WORK we have emails example.test@domain.tld and example@test.domain.tld, which is the first one I can think of…
However, I like your effort 😉
Yeah, I've read about that discussion too :), that's why I only encourage someone who might be interested to do a freemail list in the rbldns zone (as in the example). I think it's safe enough. But thanks for reminding me.
cheers