Topdog.za.net

Block Spam from domains on the South Africa ISPA Spam Hall of Shame using DNSBL Part2

Fri, 11 May 2012 07:30:00 SAST

I previously wrote about how to block domains named in the ISPA Spam Hall of Shame using DNSBL at SMTP time, these domains have now resorted to using 3rd party senders to try and get their Junk through. Because they are using 3rd party senders the envelope from address is no longer the one that is listed on the hall of shame.

In this post i will describe how you can catch the mail that has slipped through your SMTP DNSBL checks.

To identify these messages i use Spamassassin's URIDNSBL plugin which extracts the uri's in an email and checks each of them against the DNSBL.

Create a file called ispa.cf in your Spamassassin configuration directory usually /etc/mail/spamassassin with the following contents

# /etc/mail/spamassassin/ispa.cf
urirhsbl        URIBL_BARUWA    ispa.rbl.baruwa.net.   A
body            URIBL_BARUWA    eval:check_uridnsbl('URIBL_BARUWA')
describe        URIBL_BARUWA    Contains a URL listed in the Baruwa blocklist
score           URIBL_BARUWA    7.0

Restart Spamassassin and email from those domains that by pass the DNSBL checks by using 3rd party senders should now be tagged as Spam by Spamassassin with a score of 7.0

Feedback is welcome, as Spam fighting is always an on going battle.

Setup DKIM on Postfix with OpenDKIM

Sun, 29 Apr 2012 06:50:00 SAST

Introduction

DKIM is an authentication framework which stores public-keys in DNS and digitally signs emails on a domain basis. It was created as a result of merging Yahoo's domainkeys and Cisco's Identified Internet mail specification. It is defined in RFC 4871.

I previously wrote about setting up DKIM using dkim-milter, dkim-milter has since been depreciated.

We will be using the OpenDKIM implementation Centos, OpenDKIM is a fork of dkim-milter.

Installation

yum install opendkim

Generate the Keys

opendkim-genkey -d  -s

Replace with the domain name you will be signing the mail for, and with a selector name it can be anything (but just one word). The command will create two files.

.txt - contains the public key you publish via DNS
.private - the private key you use for signing your email

Create a sub directory in /etc/opendkim/keys to store your key, i prefer to use the domain name as the sub directory name.

# mv .private /etc/opendkim/keys//.pem
# chmod 600 /etc/opendkim/keys//.pem
# chown opendkim.opendkim /etc/opendkim/keys//.pem

DNS Setup

You need to publish your public key via DNS, client servers use this key to verify your signed email. The contents of .txt is the record you need to add to your zone file a sample, is below (it uses default as the selector and example.com as the domain_name)

default._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA
DCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDv
wn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+z
JVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for example.com

Configuration

Edit /etc/opendkim.conf comment out "KeyFile /etc/opendkim/keys/default.private" and uncomment "#KeyTable /etc/opendkim/KeyTable"

Edit the file /etc/opendkim/KeyTable and add your domain using the following format

._domainkey. ::/etc/opendkim/keys//.pem

Add your servers IP addresses to /etc/opendkim/TrustedHosts

More advanced configuration options can be set in the file /etc/opendkim.conf

Configure Postfix

You need to add the following options to the postfix main.cf file to enable it to use the milter.

smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Append the OpenDKIM options to the existing milters if you have other milters already configured.

Start OpenDKIM and restart postfix

# service opendkim start
# service postfix restart

Testing

Send an email to sa-test@sendmail.net or autorespond+dkim@dk.elandsys.com, you will receive a response stating if your setup is working correctly. If you have a Gmail account you can send an email to that account and look at the message details similar to the picture below, you should see signed-by “your domain” if your setup was done correctly.

TIP: Block Spam from domains on the South Africa ISPA Spam Hall of Shame using DNSBL

Sun, 22 Apr 2012 09:30:00 SAST

The South Africa Internet service providers association (ISPA) maintains a list of known spammers dubbed the Spam Hall of Shame. The list is contains both domains as well as email addresses, this list is published on a webpage without downloadable formats.

I extract the data from this web page and publish it in a DNSBL ispa.rbl.baruwa.net, i use this DNSBL in my SAAS mail security product. So anyone should be able to use it in a similar way to the other DNSBL's like spamhaus and spamcop etc.

Command line checking

You can check if a domain is on the list using the normal command line utilities

Using host:

host amazingresults.co.za.ispa.rbl.baruwa.net

Output:

amazingresults.co.za.ispa.rbl.baruwa.net has address 127.0.0.2

Using dig:

dig amazingresults.co.za.ispa.rbl.baruwa.net

Output:

;; QUESTION SECTION:
;amazingresults.co.za.ispa.rbl.baruwa.net. IN A

;; ANSWER SECTION:
amazingresults.co.za.ispa.rbl.baruwa.net. 1993 IN A 127.0.0.2

Checking the TXT output:

host -t txt amazingresults.co.za.ispa.rbl.baruwa.net

Output:

amazingresults.co.za.ispa.rbl.baruwa.net descriptive text 
"Domain amazingresults.co.za is listed in the ISPA Hall of Shame,
http://ispa.org.za/spam/hall-of-shame/"

Usage

Usage of the DNSBL in various MTA's is described below.

Exim

Add the following to your rcpt acl (acl_check_rcpt:).

drop    message       = REJECTED - $dnslist_text
        dnslists      = ispa.rbl.baruwa.net/$sender_address_domain

Postfix

Add to smtpd_recipient_restrictions after permit_mynetworks in your main.cf file

reject_rhsbl_client ispa.rbl.baruwa.net,
reject_rhsbl_sender ispa.rbl.baruwa.net,

Sendmail

Add to your mc file and rebuild the cf

FEATURE(rhsbl,`ispa.rbl.baruwa.net',`"550 Mail from domain " $`'&{RHS} " refused.
Domain is listed in the ISPA Hall of Shame -  http://ispa.org.za/spam/hall-of-shame/"')

How the data is extracted

The data is extracted using an automated custom web crawler written using Scrapy in Python. The crawler extracts both the domains and the email addresses, the domains are processed and added to the DNSBL, the emails addresses get processed and added to the email blacklists on our SAAS platform.

Update

Some of these domains have resorted to using third party senders, which means the smtp envelope is no longer the one listed on the hall of shame, i have written a followup post which describes how you can identify and flag as spam these messages that bypass the SMTP time DNSBL checks.

Setup DKIM on Postfix with dkim-milter

Tue, 10 Mar 2009 23:54:00 SAST

Introduction

We will be using the milter implementation of dkim http://dkim-milter.sf.net on centos 5.3.

This howto has been updated to allow for the following.

Multiple domains using different keys
Same domain using different selectors
Selective signing of email

Older versions are provided below for reference.

Installation

I provide Centos rpms for Dkim-milter at http://www.topdog- software.com/oss/ so we will install the latest version.

Install the rpm, ( 32bit and 64bit intel supported )

# wget http://www.topdog-software.com/oss/roundcube/andrew_topdog-software.com_key.txt
# rpm --import andrew_topdog-software.com_key.txt
# http://www.topdog-software.com/oss/dkim-milter/dkim-milter-2.8.2-2.$(uname -i).rpm

Generate the Keys

# dkim-genkey -d  -s  -t

Replace with the domain name you will be signing the mail for, and with a selector name it can be anything (but just one word). The command will create two files.

.txt - contains the public key you publish via DNS
.private - the private key you use for signing your email

Create a sub directory in /etc/mail/dkim/keys to store your key, i prefer to use the domain name as the sub directory name.

# mv .private /etc/mail/dkim/keys//.pem
# chmod 600 /etc/mail/dkim/keys//.pem
# chown dkim-milt.dkim-milt /etc/mail/dkim/keys//.pem

DNS Setup

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA
DCBiQKBgQDG81CNNVOlWwfhENOZEnJKNlikTB3Dnb5kUC8/zvht/S8SQnx+YgZ/KG7KOus0By8cIDDv
wn3ElVRVQ6Jhz/HcvPU5DXCAC5owLBf/gX5tvAnjF1vSL8ZBetxquVHyJQpMFH3VW37m/mxPTGmDL+z
JVW+CKpUcI8BJD03iW2l1CwIDAQAB" ; ----- DKIM default for topdog-software.com

Also add this to your zone file. (This sets your policy see http://www.sendmail.org/dkim/wizard for an explanation or refer to the RFC)

_adsp._domainkey    IN  TXT "dkim=unknown"

Configuration

Edit the file /etc/mail/dkim/keylist and add your domain using the following format

*@::/etc/mail/dkim/keys//
#sign only for andrew
andrew@::/etc/mail/dkim/keys//

Add your servers IP addresses to /etc/mail/dkim/trusted-hosts

More advanced configuration options can be set in the file /etc/dkim-filter.conf (Refer to the file and the man pages for details)

Configure Postfix

You need to add the following options to the postfix main.cf file to enable it to use the milter.

smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209

Append the dkim-milter options to the existing milters if you have other milters already configured.

Start dkim-milter and restart postfix

# service dkim-milter start
# service postfix restart

Testing

Updates

Updated rpms are always provided at http://www.topdog-software.com/oss/dkim-milter/

Setup Postfix to sign and verify Domainkeys email

Mon, 10 Mar 2008 23:54:00 SAST

Introduction

Domainkeys is DomainKeys is a method of e-mail authentication. Unlike some other methods, it offers almost end-to-end integrity from a signing to a verifying Mail Transfer Agent (MTA). In most cases the signing MTA acts on behalf of the sender, and the verifying MTA on behalf of the receiver. DomainKeys is specified in Historic RFC 4870, which is obsoleted by Standards Track RFC 4871, DomainKeys Identified Mail (DKIM) Signatures. according to the wikipedia. So why a how to on it when there is DKIM ? Well domainkeys is still actively being used and is more widely deployed than DKIM, the developer yahoo still uses it to sign and verify mail although they are contributers to the DKIM standard.

We will be using the milter implementation of domainkeys http://sourceforge.net/projects/dk-milter on CENTOS 5.1.

Installation

Install the rpm

# rpm -Uvh http://www.topdog-software.com/oss/dk-milter/dk-milter-0.6.0-1.i386.rpm

Generate the keys

A script to do this is provided with the rpm.

# /usr/share/doc/dk-milter-0.6.0/gentxt.sh

Where is anything you want to call it i use default and is your domain name for which you will be signing mail. This script will produce 3 files

.txt - this contains the text to add to your zone file

default._domainkey IN TXT "g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADS
wAwSAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoRillFNbOpNOr5Gst5H8wG9Oh2SpUytaru
P/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQ==" ; ----- DomainKey default for example.com

.public - It is the public key

-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJQfGTmsFzILU6ep6aSFg+WrTkaOLmoR
illFNbOpNOr5Gst5H8wG9Oh2SpUytaruP/7j/eWQ8Wyz6zX2gAtzwF0CAwEAAQ==
-----END PUBLIC KEY-----

.private - This is the private key

Install the private key

mv default.private /etc/mail/domainkeys/dk_.pem

 # chown dk-milt.dk-milt /etc/mail/domainkeys/dk_.pem
 # chmod 600 /etc/mail/domainkey/dk_.pem

DNS

Add the contents of .txt to your DNS zone file

Add the following to your DNS zone file

_domainkey IN TXT "t=y; o=~"

Verify your DNS configuration http://domainkeys.sourceforge.net/policycheck.html

Configuration

Edit the file /etc/sysconfig/dk-milter and set the following options

# Default values
#
USER="dk-milt"
PORT="local:/var/run/dk-milter/dk.sock"
SIGNING_DOMAIN=""
SELECTOR_NAME=""
KEYFILE="/etc/mail/domainkeys/dk_${SIGNING_DOMAIN}.pem"
SIGNER=yes
VERIFIER=yes
CANON=simple
REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
EXTRA_ARGS="-h -l -D"
MILTER_GROUP="mail"

Configure Postfix

Add this to the postfix configuration file /etc/postfix/main.cf

smtpd_milters = unix:/var/run/dk-milter/dk.sock
non_smtpd_milters = unix:/var/run/dk-milter/dk.sock

Append to the existing milters if you have other milters already configured.

Start dk-milter and Restart Postfix

chkconfig –level 345 dk-milter on

# service dk-milter start
# service postfix restart

Testing

To test send a mail to autorespond+dk@dk.elandsys.com. you will recieve a response email with the test results. If you have a yahoo account you can send a mail to that as well a sample of signed message in yahoo is below

References

Creating a Cacert postfix certificate

Sun, 03 Feb 2008 18:58:00 SAST

Introduction

Cacert is a certification authority that provides free certificates, i guess using them is much better that having your own local CA.

Install root certificate

We need to download the cacert root certificate and install it on the server

Download and install

mkdir /etc/pki/postfix
wget -nv https://www.cacert.org/certs/root.crt --no-check-certificate -O /etc/pki/postfix/root.crt

Verify the certificate

openssl x509 -in /etc/pki/postfix/root.crt -text -noout

The output should look like this

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Validity
            Not Before: Mar 30 12:29:49 2003 GMT
            Not After : Mar 29 12:29:49 2033 GMT
        Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    00:ce:22:c0:e2:46:7d:ec:36:28:07:50:96:f2:a0:
                    33:40:8c:4b:f1:3b:66:3f:31:e5:6b:02:36:db:d6:
                    7c:f6:f1:88:8f:4e:77:36:05:41:95:f9:09:f0:12:
                    cf:46:86:73:60:b7:6e:7e:e8:c0:58:64:ae:cd:b0:
                    ad:45:17:0c:63:fa:67:0a:e8:d6:d2:bf:3e:e7:98:
                    c4:f0:4c:fa:e0:03:bb:35:5d:6c:21:de:9e:20:d9:
                    ba:cd:66:32:37:72:fa:f7:08:f5:c7:cd:58:c9:8e:
                    e7:0e:5e:ea:3e:fe:1c:a1:14:0a:15:6c:86:84:5b:
                    64:66:2a:7a:a9:4b:53:79:f5:88:a2:7b:ee:2f:0a:
                    61:2b:8d:b2:7e:4d:56:a5:13:ec:ea:da:92:9e:ac:
                    44:41:1e:58:60:65:05:66:f8:c0:44:bd:cb:94:f7:
                    42:7e:0b:f7:65:68:98:51:05:f0:f3:05:91:04:1d:
                    1b:17:82:ec:c8:57:bb:c3:6b:7a:88:f1:b0:72:cc:
                    25:5b:20:91:ec:16:02:12:8f:32:e9:17:18:48:d0:
                    c7:05:2e:02:30:42:b8:25:9c:05:6b:3f:aa:3a:a7:
                    eb:53:48:f7:e8:d2:b6:07:98:dc:1b:c6:34:7f:7f:
                    c9:1c:82:7a:05:58:2b:08:5b:f3:38:a2:ab:17:5d:
                    66:c9:98:d7:9e:10:8b:a2:d2:dd:74:9a:f7:71:0c:
                    72:60:df:cd:6f:98:33:9d:96:34:76:3e:24:7a:92:
                    b0:0e:95:1e:6f:e6:a0:45:38:47:aa:d7:41:ed:4a:
                    b7:12:f6:d7:1b:83:8a:0f:2e:d8:09:b6:59:d7:aa:
                    04:ff:d2:93:7d:68:2e:dd:8b:4b:ab:58:ba:2f:8d:
                    ea:95:a7:a0:c3:54:89:a5:fb:db:8b:51:22:9d:b2:
                    c3:be:11:be:2c:91:86:8b:96:78:ad:20:d3:8a:2f:
                    1a:3f:c6:d0:51:65:87:21:b1:19:01:65:7f:45:1c:
                    87:f5:7c:d0:41:4c:4f:29:98:21:fd:33:1f:75:0c:
                    04:51:fa:19:77:db:d4:14:1c:ee:81:c3:1d:f5:98:
                    b7:69:06:91:22:dd:00:50:cc:81:31:ac:12:07:7b:
                    38:da:68:5b:e6:2b:d4:7e:c9:5f:ad:e8:eb:72:4c:
                    f3:01:e5:4b:20:bf:9a:a6:57:ca:91:00:01:8b:a1:
                    75:21:37:b5:63:0d:67:3e:46:4f:70:20:67:ce:c5:
                    d6:59:db:02:e0:f0:d2:cb:cd:ba:62:b7:90:41:e8:
                    dd:20:e4:29:bc:64:29:42:c8:22:dc:78:9a:ff:43:
                    ec:98:1b:09:51:4b:5a:5a:c2:71:f1:c4:cb:73:a9:
                    e5:a1:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
            X509v3 Authority Key Identifier:
                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
                DirName:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
                serial:00

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 CRL Distribution Points:
                URI:https://www.cacert.org/revoke.crl

            Netscape CA Revocation Url:
                https://www.cacert.org/revoke.crl
            Netscape CA Policy Url:
                http://www.cacert.org/index.php?id=10
            Netscape Comment:
                To get your own certificate for FREE head over to http://www.cacert.org
    Signature Algorithm: md5WithRSAEncryption
        28:c7:ee:9c:82:02:ba:5c:80:12:ca:35:0a:1d:81:6f:89:6a:
        99:cc:f2:68:0f:7f:a7:e1:8d:58:95:3e:bd:f2:06:c3:90:5a:
        ac:b5:60:f6:99:43:01:a3:88:70:9c:9d:62:9d:a4:87:af:67:
        58:0d:30:36:3b:e6:ad:48:d3:cb:74:02:86:71:3e:e2:2b:03:
        68:f1:34:62:40:46:3b:53:ea:28:f4:ac:fb:66:95:53:8a:4d:
        5d:fd:3b:d9:60:d7:ca:79:69:3b:b1:65:92:a6:c6:81:82:5c:
        9c:cd:eb:4d:01:8a:a5:df:11:55:aa:15:ca:1f:37:c0:82:98:
        70:61:db:6a:7c:96:a3:8e:2e:54:3e:4f:21:a9:90:ef:dc:82:
        bf:dc:e8:45:ad:4d:90:73:08:3c:94:65:b0:04:99:76:7f:e2:
        bc:c2:6a:15:aa:97:04:37:24:d8:1e:94:4e:6d:0e:51:be:d6:
        c4:8f:ca:96:6d:f7:43:df:e8:30:65:27:3b:7b:bb:43:43:63:
        c4:43:f7:b2:ec:68:cc:e1:19:8e:22:fb:98:e1:7b:5a:3e:01:
        37:3b:8b:08:b0:a2:f3:95:4e:1a:cb:9b:cd:9a:b1:db:b2:70:
        f0:2d:4a:db:d8:b0:e3:6f:45:48:33:12:ff:fe:3c:32:2a:54:
        f7:c4:f7:8a:f0:88:23:c2:47:fe:64:7a:71:c0:d1:1e:a6:63:
        b0:07:7e:a4:2f:d3:01:8f:dc:9f:2b:b6:c6:08:a9:0f:93:48:
        25:fc:12:fd:9f:42:dc:f3:c4:3e:f6:57:b0:d7:dd:69:d1:06:
        77:34:0a:4b:d2:ca:a0:ff:1c:c6:8c:c9:16:be:c4:cc:32:37:
        68:73:5f:08:fb:51:f7:49:53:36:05:0a:95:02:4c:f2:79:1a:
        10:f6:d8:3a:75:9c:f3:1d:f1:a2:0d:70:67:86:1b:b3:16:f5:
        2f:e5:a4:eb:79:86:f9:3d:0b:c2:73:0b:a5:99:ac:6f:fc:67:
        b8:e5:2f:0b:a6:18:24:8d:7b:d1:48:35:29:18:40:ac:93:60:
        e1:96:86:50:b4:7a:59:d8:8f:21:0b:9f:cf:82:91:c6:3b:bf:
        6b:dc:07:91:b9:97:56:23:aa:b6:6c:94:c6:48:06:3c:e4:ce:
        4e:aa:e4:f6:2f:09:dc:53:6f:2e:fc:74:eb:3a:63:99:c2:a6:
        ac:89:bc:a7:b2:44:a0:0d:8a:10:e3:6c:f2:24:cb:fa:9b:9f:
        70:47:2e:de:14:8b:d4:b2:20:09:96:a2:64:f1:24:1c:dc:a1:
        35:9c:15:b2:d4:bc:55:2e:7d:06:f5:9c:0e:55:f4:5a:d6:93:
        da:76:ad:25:73:4c:c5:43

Generate signing request

cd /etc/pki/postfix
openssl req -nodes -days 700 -newkey rsa:1024 -keyout key.pem -out req.pem

The signing request is in the file req.pem

Get the signed certificate

Next you need to login in to the cacert.org website and go to "server certificates" then "New" and paste the contents of req.pem in the text box provided then click submit. A certificate will be generated

Install certificate

Copy the certificate and paste into the file /etc/pki/postfix/server.pem