Adding RBL checks on RAQ550/sendmail

Needed to add RBL checking into sendmail as the machine was under attack by some SMTP botnet. RAQ550s had no inbuilt RBL support so had to update the sendmail.cf manually.

URL: http://www.cobaltuserslist.com/CobaltUsersList/Sun-Cobalt-Users-List-76800.html

The example is a bit old… the RBLs I used are: cbl.abuseat.org , bl.spamcop.net, sbl.spamhaus.org

Cobalt list post:

RBL (Realtime Blackhole List) filtering allows your sendmail installation
to block spammers from sending email to your users. If you desire to learn
more on RBL, visit http://www.mail-abuse.org/rbl/.

Below are two RBLs which I've included in the RBL installation; there are
many other database blacklists, but for the purpose of this document, only
ORDB and Spamcop are specifically discussed.

I encourage that you use Spamcop and ORDB, because Spamcop maintains a
catalog of the servers which are consistently sending out spam, while ORDB
keeps a database of mail servers with open relays.

Ensure that you backup your existing sendmail.cf to avoid damage to your
server. By reading this document, you agree to indemnify and hold me
harmless; I am not liable for your actions.

If you want to make these changes with the sendmail configuration
compiler, view this post:
http://list.cobalt.com/pipermail/cobalt-users/2002-February/063883.html
(After the compilation of your configuration file, you should look for
important changes you should amend to the new file. Use Scooter Software
Beyond Compare to look for changes.)

All changes to your configuration must be done with root privileges:

1. Backup your existing sendmail.cf:

su -
cd /etc/mail # or where your sendmail.cf is located
cp /etc/mail/sendmail.cf /etc/mail/sendmail.backup.cf

2. Search your sendmail.cf for the text below:

######################################################################
###  check_relay -- check hostname/address on SMTP startup
######################################################################

SLocal_check_relay
Scheck_relay
R$*			$: $1 $| $>"Local_check_relay" $1
R$* $| $* $| $#$*	$#$3
R$* $| $* $| $*		$@ $>"Basic_check_relay" $1 $| $2

SBasic_check_relay
# check for deferred delivery mode
R$*			$: < ${deliveryMode} > $1
R< d > $*		$@ deferred
R< $* > $*		$: $2

R$+ $| $+		$: $>LookUpDomain < $1 > <?> < $2 > <+Connect>
R<?> <$+>		$: $>LookUpAddress < $1 > <?> < $1 > <+Connect>	no: another lookup
R<?> < $+ >		$: $1					found nothing
R<$={Accept}> < $* >	$@ $1				return value of lookup
R<REJECT> $*		$#error $@ 5.7.1 $: "550 Access denied"
R<DISCARD> $*		$#discard $: discard
R<ERROR:$-.$-.$-:$+> <$*>	$#error $@ $1.$2.$3 $: $4
R<ERROR:$+> <$*>		$#error $: $1
R<$+> <$*>		$#error $: $1

2. Directly below it, insert the following text:

# DNS based IP address spam list bl.spamcop.net
R$*			$: $&{client_addr}
R::ffff:$-.$-.$-.$-	$: <?> $(host $4.$3.$2.$1.bl.spamcop.net. $: OK $)
R$-.$-.$-.$-		$: <?> $(host $4.$3.$2.$1.bl.spamcop.net. $: OK $)
R<?>OK			$: OKSOFAR
R<?>$+			$#error $@ 5.7.1 $: "Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}

# DNS based IP address spam list relays.ordb.org
R$*			$: $&{client_addr}
R::ffff:$-.$-.$-.$-	$: <?> $(host $4.$3.$2.$1.relays.ordb.org. $: OK $)
R$-.$-.$-.$-		$: <?> $(host $4.$3.$2.$1.relays.ordb.org. $: OK $)
R<?>OK			$: OKSOFAR
R<?>$+			$#error $@ 5.7.1 $: "Email blocked using ORDB.org - see <http://ORDB.org/lookup/?host="$&{client_addr}";>"

3. Keep in mind that:

R<?>$+			$#error $@ 5.7.1 $: "Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}

and...

R<?>$+			$#error $@ 5.7.1 $: "Email blocked using ORDB.org - see <http://ORDB.org/lookup/?host="$&{client_addr}";>"

need to be on one line (your mail client may have brought it to the next
line). Each line that you add should begin with an R or an R$.

4. Save your sendmail.cf file.
5. Restart your sendmail server:

su
/etc/rc.d/init.d/sendmail restart

6. If you wish to include other RBLs to your configuration, append this to
what has already been added:

# DNS based IP address spam list another.rbl.com
R$*			$: $&{client_addr}
R::ffff:$-.$-.$-.$-	$: <?> $(host $4.$3.$2.$1.another.rbl.com. $: OK $)
R$-.$-.$-.$-		$: <?> $(host $4.$3.$2.$1.another.rbl.com. $: OK $)
R<?>OK			$: OKSOFAR
R<?>$+			$#error $@ 5.7.1 $: "Email blocked using another.rbl.com - see <http://another.rbl.com/lookup/?host="$&{client_addr}";>"

Replace "another.rbl.com" with the RBL of your choice and add this to the
bottom of your SpamCop and/or ORDB configuration. Each line should begin
with an R or an R$.

You may also wish to use Mailscanner
(http://www.sng.ecs.soton.ac.uk/mailscanner) which scans and filters your
email for viruses and spam. It uses an optional SpamAssassin module
(http://www.spamassassin.org/), which is very effective. Mailscanner acts
as the final barrier before your mail reaches your box; if all else fails
(ORDB and Spamcop don't stop it), Mailscanner with Spamassassin will probe
the email in question. You can also use Procmail to move e-mail marked as
spam to another folder.

Jason
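As an added illustration (example code, not from the list post or the RAQ550 configuration), here is a Python model of what the inserted rules do: it builds the reversed-octet query name for both the plain and the ::ffff: IPv4-mapped forms of ${client_addr}, tests each zone in order, and answers OKSOFAR or a 550 rejection exactly as the rule chain does. The function names, RBL_ZONES and the FAKE_DNS dictionary standing in for a real resolver are my own, so it runs offline.

```python
import ipaddress
from typing import Callable, Dict, Iterable, Optional, Tuple

# Zones as named in the post, tested in this order; the first hit rejects.
# Caveat: relays.ordb.org shut down in December 2006 and its zone later
# answered every query as listed, so a stale zone here rejects all mail.
RBL_ZONES = ("bl.spamcop.net", "relays.ordb.org")

def query_name(client_addr: str, zone: str) -> Optional[str]:
    """Build the reversed-octet name the two R$-.$-.$-.$- rules look up.

    '::ffff:a.b.c.d' (IPv4-mapped form on IPv6-enabled sendmail) and plain
    'a.b.c.d' both become 'd.c.b.a.<zone>.'; anything else matches neither
    rule, so it is never looked up (None).
    """
    addr = client_addr[7:] if client_addr.startswith("::ffff:") else client_addr
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return None
    return ".".join(reversed(str(ip).split("."))) + "." + zone + "."

def check_relay(client_addr: str,
                resolve: Callable[[str], Optional[str]],
                zones: Iterable[str] = RBL_ZONES) -> Tuple[str, str]:
    """Return ('OKSOFAR', '') or ('error', '<550 text>') like the cf rules.

    resolve(name) plays the part of sendmail's $(host ... $: OK $) map: it
    returns the A record when the name exists, or None (the $: OK default).
    """
    for zone in zones:
        name = query_name(client_addr, zone)
        if name is None:
            continue  # no rewrite rule matched: the address passes untested
        if resolve(name) is not None:
            return ("error", f"550 5.7.1 Spam blocked: {client_addr} listed in {zone}")
    return ("OKSOFAR", "")

# Constructed stand-in for DNS so the example runs offline; a real server
# would resolve the name.  Only one reversed name is "listed" here.
FAKE_DNS: Dict[str, str] = {"4.3.2.1.bl.spamcop.net.": "127.0.0.2"}

def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)

if __name__ == "__main__":
    for addr in ("1.2.3.4", "::ffff:1.2.3.4", "10.0.0.1", "fe80::1"):
        print(addr, check_relay(addr, fake_resolve))
```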

netstat handy commands

These were found in a Google cached page:

URL:  http://www.cyberls.com/forum/index.php?t=tree&th=52&

List of connected IPs to port 80:

netstat -apn | grep :80 | awk '{print $5}' | awk -F: '{print $1}' > /tmp/iplist

List of connected IPs, sorted so that you can count the connections from each:

netstat -apn | grep :80 | awk '{print $5}' | sort

List of established connections to port 80:

netstat -apn | grep :80 | grep EST | awk '{print $5}' | sort > s.txt
List of TIME_WAIT connections to port 80 and their count:

netstat -pan | sort -k 5 | grep TIME_WAIT | awk '{print $5}' | sed -e 's/:.*//g' | sort | uniq -c | sort -k 1 -nr | head -n 20

netstat -apn | grep TIME_WAIT | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -k 1 -nr | head -n 20

List of TIME_WAIT connections to port 80 with more than 15 connections:

netstat -pan | sort -k 5 | grep TIME_WAIT | awk '{print $5}' | sed -e 's/:.*//g' | sort | uniq -c | sort -k 1 -nr | head -n 20 | awk '{ if ($1 > 15) print $2 }'

and with a facility to block them:

netstat -pan | sort -k 5 | grep TIME_WAIT | awk '{print $5}' | sed -e 's/:.*//g' | sort | uniq -c | sort -k 1 -nr | head -n 20 | awk '{ if ($1 > 15) print $2 }' > s.txt; for i in $(cat s.txt); do /sbin/iptables -I INPUT -s $i -p tcp --dport 80:80 -j DROP; done