Ever notice how the public RBL databases aren't enough? spamcop and spamhaus are great, but there are spammers still getting through. Did you ever want to do it yourself?
This procedure explains how to run your own RBL DNS Blacklist. It uses a mysql table to store the IP address you want to blacklist and whitelist. Based on this data, it rebuilds a flatfile that the dns server uses on a regular basis. I prefer every 5 minutes. I run it on a Blue Quartz server which is CentOS Linux (Red Hat EL4) based. You will need a local mysql server.
We use rbldnsd from hereDownload the rbldns server:
Make sure you are not already running a DNS server on this machine. Turn off "named" if its on.
service named stop
useradd rbldns rpm -Uvh rbldnsd*.rpm
CREATE TABLE `ips` ( `ipaddress` varchar(40) NOT NULL default '', `dateadded` datetime NOT NULL default '0000-00-00 00:00:00', `reportedby` varchar(40) default NULL, `updated` datetime default NULL, `attacknotes` text, `b_or_w` char(1) NOT NULL default 'b', PRIMARY KEY (`ipaddress`), KEY `dateadded` (`dateadded`), KEY `b_or_w` (`b_or_w`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 COMMENT='spammer list';You may want to create a mysql user just for this purpose with limited permissions.
wget -O /usr/local/bin/rebuild_rbldns.pl http://www.blue-quartz.com/rbl/rebuild_rbldns.txt chmod 750 /usr/local/bin/rebuild_rbldns.plYou will want to put this in the root cron and run it every 5 minutes
crontab -e */5 * * * * /usr/local/bin/rebuild_rbldns.plPlease edit lines 25-27 of this perl script to change your mysql user and password.
# My boot rbldnsd options # ----------------------------------------- # TTL 35m, check files every 60s for changes, -f = smooth reloads # -l logfilepath # Please change 126.96.36.199 to your real public IP that you want the dns daemon to listen on # Please change mydomain.com to your real domain name. # RBLDNSD="dsbl -l /var/lib/rbldns/log/rbl.log -f -r/var/lib/rbldns/dsbl -b 188.8.131.52 \ rbl.mydomain.com:ip4set:spammerlist,whitelist \ rbl.mydomain.com:generic:forward "
mkdir /var/lib/rbldns/dsbl touch /var/lib/rbldns/dsbl/forward touch /var/lib/rbldns/dsbl/spammerlist touch /var/lib/rbldns/dsbl/whitelist touch /var/lib/rbldns/dsbl/rbl.log chown -R rbldns:rbldns dsbl
INSERT INTO ips SET ipaddress='123.456.789.1', reportedby='184.108.40.206', attacknotes='dictionary attack from badboy.com', b_or_w='b', dateadded=now(), updated=now();
To help in diagnosing problems, add these entries in the "/var/lib/rbldns/dsbl/forward" file:
@ A 220.127.116.11 test A 18.104.22.168And please replace 22.214.171.124 with the ip address of your rbl server.
service rbldnsd start
; subdomain delegation rbl.mydomain.com. in ns rbl.mydomain.com. rbl.mydomain.com. in a 126.96.36.199
if you blacklisted IP 188.8.131.52then doing a regular DNS lookup like this:
nslookup test.rbl.mydomain.com nslookup 184.108.40.206.rbl.mydomain.comshould result in a match of 127.0.0.2
nslookup test.rbl.mydomain.comshould result in a match for 220.127.116.11 (your public ip address of your rbl server). If this works then the file /var/lib/rbldns/dsbl/forward is working.
Every entry in your RBL database will return a match of 127.0.0.2
If an IP address is not in your RBL database it will fail to find an entry. This is how mail servers know how to block relays of email from known spammers.
cd /etc/mail vi sendmail.mc makeadd this line right below the "blacklist_recipients" line:
FEATURE(dnsbl, `rbl.mydomain.com', `Rejected - known spammer')dnlNow sendmail will reject messages from bad IP addresses in your database. You can monitor your /var/log/maillog file to see if sendmail really did block a specific IP.
Here's an example I wrote: watch_dic_attack.pl
I also wrote some PHP web pages with forms to allow me to quickly add IP's to my blacklist. You might want to try that.
Here's an example I wrote: drop.php
In my dictionary attack monitoring scripts, I use this command to update the rbl database:
wget -q -O /dev/null 'http://rbl.domain.com/drop.php?ipaddress=18.104.22.168&blackorwhite=b¬es=dictionary+attack'
This way all my servers can add to the database. Of course, only approved IPs in my network are allowed to submit rbl data. I ignore all others.