rblsmtpd 451 Sender has sent to LashBack

Bounce message received:

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

[email protected]

Malformed SMTP reply from mail.server.com [192168.1.1]
in response to initial connection:
rblsmtpd: 192.168.6.62 pid 14483: 451 Sender has sent to LashBack
Unsubscribe Probe accounts:
retry timeout exceeded

Looking further into this it appears that the sending IP address was listed in a RBL black list.  The RBL server being queried was: ubl.unsubscore.com

This in turn (www.unsubscore.com) took me to: http://www.lashback.com/support/UnsubscribeBlacklistSupport.aspx

Most RBL systems return a useful message with a URL, but, not lashback.

Adding RBL checks on RAQ550/sendmail

Needed to add RBL checking into sendmail as the machine was under attack by some smtp botnet.  RAQ550s had no inbuilt RBL support so had to update the sendmail.cf manually.

URL: http://www.cobaltuserslist.com/CobaltUsersList/Sun-Cobalt-Users-List-76800.html

The example is a bit old… the RBLs I used are: cbl.abuseat.org , bl.spamcop.net, sbl.spamhaus.org

Cobalt list post:

RBL (Realtime Blackhole List) filtering allows your sendmail installation
to block spammers from sending email to your users. If you desire to learn
more on RBL, visit http://www.mail-abuse.org/rbl/.

Below are two RBLs which I've included in the RBL installation; there are
many other database blacklists, but for the purpose of this document, only
ORDB and Spamcop are specifically discussed.

I encourage that you use Spamcop and ORDB, because Spamcop maintains a
catalog of the servers which are consistently sending out spam, while ORDB
keeps a database of mail servers with open relays.

Ensure that you backup your existing sendmail.cf to avoid damage to your
server. By reading this document, you agree to indemnify and hold me
harmless; I am not liable for your actions.

If you want to make these changes with the sendmail configuration
compiler, view this post:
http://list.cobalt.com/pipermail/cobalt-users/2002-February/063883.html
(After the compilation of your configuration file, you should look for
important changes you should amend to the new file. Use Scooter Software
Beyond Compare to look for changes.)

All changes to your configuration must be done with root privileges:

1. Backup your existing sendmail.cf:

su -
cd /etc/mail # or where your sendmail.cf is located
cp /etc/mail/sendmail.cf /etc/mail/sendmail.backup.cf

2. Search your sendmail.cf for the text below:

###################################################################### ###
 check_relay -- check hostname/address on SMTP startup
######################################################################

SLocal_check_relay
Scheck_relay
R$*			$: $1 $| $>"Local_check_relay" $1
R$* $| $* $| $#$*	$#$3
R$* $| $* $| $*		[email protected] $>"Basic_check_relay" $1 $| $2

SBasic_check_relay
# check for deferred delivery mode
R$*			$: < ${deliveryMode} > $1
R< d > $*		[email protected] deferred
R< $* > $*		$: $2

R$+ $| $+		$: $>LookUpDomain < $1 > <?> < $2 > <+Connect>
R<?> <$+>		$: $>LookUpAddress < $1 > <?> < $1 > <+Connect>	no: another
lookup R<?> < $+ >		$: $1					found nothing
R<$={Accept}> < $* >	[email protected] $1				return value of lookup
R<REJECT> $*		$#error [email protected] 5.7.1 $: "550 Access denied"
R<DISCARD> $*		$#discard $: discard
R<ERROR:$-.$-.$-:$+> <$*>	$#error [email protected] $1.$2.$3 $: $4
R<ERROR:$+> <$*>		$#error $: $1
R<$+> <$*>		$#error $: $1

2. Directly below it, insert the following text:

# DNS based IP address spam list bl.spamcop.net
R$*			$: $&{client_addr}
R::ffff:$-.$-.$-.$-	$: <?> $(host $4.$3.$2.$1.bl.spamcop.net. $: OK $)
R$-.$-.$-.$-		$: <?> $(host $4.$3.$2.$1.bl.spamcop.net. $: OK $)
R<?>OK			$: OKSOFAR
R<?>$+			$#error [email protected] 5.7.1 $: "Spam blocked see:
http://spamcop.net/bl.shtml?"$&{client_addr}

# DNS based IP address spam list relays.ordb.org
R$*			$: $&{client_addr}
R::ffff:$-.$-.$-.$-	$: <?> $(host $4.$3.$2.$1.relays.ordb.org. $: OK $)
R$-.$-.$-.$-		$: <?> $(host $4.$3.$2.$1.relays.ordb.org. $: OK $)
R<?>OK			$: OKSOFAR
R<?>$+			$#error [email protected] 5.7.1 $: "Email blocked using ORDB.org - see
<http://ORDB.org/lookup/?host="$&{client_addr}";>"

3. Keep in mind that:

R<?>$+			$#error [email protected] 5.7.1 $: "Spam blocked see:
http://spamcop.net/bl.shtml?"$&{client_addr}

and...

R<?>$+			$#error [email protected] 5.7.1 $: "Email blocked using ORDB.org - see
<http://ORDB.org/lookup/?host="$&{client_addr}";>"

need to be on one line (your mail client may have brought it to the next
line). Each line that you add should begin with a R or a R$.

4. Save your sendmail.cf file.
5. Restart your sendmail server:

su
/etc/rc.d/init.d/sendmail restart

6. If you wish to include other RBLs to your configuration, append this to
what has already been added:

# DNS based IP address spam list another.rbl.com
R$*			$: $&{client_addr}
R::ffff:$-.$-.$-.$-	$: <?> $(host $4.$3.$2.$1.another.rbl.com. $: OK $)
R$-.$-.$-.$-		$: <?> $(host $4.$3.$2.$1.another.rbl.com. $: OK $)
R<?>OK			$: OKSOFAR
R<?>$+			$#error [email protected] 5.7.1 $: "Email blocked using another.rbl.com - see
<http://another.rbl.com/lookup/?host="$&{client_addr}";>"

Replace "another.rbl.com" with the RBL of your choice and add this to the
bottom of your SpamCop and/or ORDB configuration. Each line should begin
with a R or R$.

You may also wish to use Mailscanner
(http://www.sng.ecs.soton.ac.uk/mailscanner) which scans and filters your
email for viruses and spam. It uses an optional SpamAssassin module
(http://www.spamassassin.org/), which is very effective. Mailscanner acts
as the final barrier before your mail reaches your box; if alse else fails
(ORDB and Spamcop don't stop it), Mailscanner with Spamassassin will probe
the email in question. You can also use Procmail to move e-mail marked as
spam to another folder.

Jason