SpamRATS is dedicated to helping ensure that all forms of mail servers can choose to only accept messages from other properly configured mail servers. "Best Practices" dictates that mail servers should have correct Reverse DNS that reflects the operator of the mail servers.
SpamRATS is a completely automated system available to the general public. We hope this service helps protect you against one of the most problematic types of resources draining your email systems.
RATS-Dyna - RATS-Dyna is a collection of IP Addresses that have been found sending an abusive amount of connections or trying too many invalid users at ISP and Telco's mail servers. They are also known to conform to a naming convention that is indicative of a home connection or dynamic address space.
RATS-NoPtr - RATS-NoPtr is a collection of IP Addresses that have been found sending an abusive amount of connections or trying too many invalid users at ISP and Telco's mail servers. They are also known to have no reverse DNS, a technique often used by bots and spammers. Email servers should always have reverse DNS entries.
RATS-Spam - This is a list of IP Addresses that do not conform to more commonly known threats. This is usually because of compromised servers, hosts, or open relays. However, since there is little accompanying data, this list could have false positives, so we suggest that it only be used if you support a more aggressive stance.
RATS-Auth - RATS-Auth is a collection of IP Addresses that have been detected as being the source of a trojan/bot attack specifically used to try to guess passwords, or a similar technique that attempts to just 'authenticate' without really sending email. We suggest that it be used to protect your servers from these types of attacks, which can also contribute to large loads.
RATS is very simple and easy to use. You can access our public lists, just like any other RBL. Most mail servers support this functionality. We have also included references for several of the common mail servers. All you have to do is remember the correct hostnames to use for each list. Simple, and easy to use (copy from any instructions on using RBL)!
- RATS-Dyna - Use "dyna.spamrats.com"
- RATS-NoPtr - Use "noptr.spamrats.com"
- RATS-Spam - Use "spam.spamrats.com"
- RATS-Auth - Use "auth.spamrats.com"
Got it? OK... So how do you get all this working in SpamAssassin?
21_spamrats_dnsbl.cf (copied to .\etc\spamassassin)
ifplugin Mail::SpamAssassin::Plugin::DNSEval

# One lookup against the combined zone; the sub-rules below test its return codes
header __RCVD_IN_SPAMRATS eval:check_rbl('spamrats-lastexternal', 'all.spamrats.com.')
describe __RCVD_IN_SPAMRATS SPAMRATS: sender is listed in SpamRats
tflags __RCVD_IN_SPAMRATS net
reuse __RCVD_IN_SPAMRATS

header RCVD_IN_SPAMRATS_DYNA eval:check_rbl_sub('spamrats-lastexternal', '127.0.0.36')
describe RCVD_IN_SPAMRATS_DYNA RATS-Dyna: sent directly from dynamic IP address
tflags RCVD_IN_SPAMRATS_DYNA net
reuse RCVD_IN_SPAMRATS_DYNA
score RCVD_IN_SPAMRATS_DYNA 3.0 # please adjust the score value

header RCVD_IN_SPAMRATS_NOPTR eval:check_rbl_sub('spamrats-lastexternal', '127.0.0.37')
describe RCVD_IN_SPAMRATS_NOPTR RATS-NoPtr: sender has no reverse DNS
tflags RCVD_IN_SPAMRATS_NOPTR net
reuse RCVD_IN_SPAMRATS_NOPTR
score RCVD_IN_SPAMRATS_NOPTR 2.0 # please adjust the score value

header RCVD_IN_SPAMRATS_SPAM eval:check_rbl_sub('spamrats-lastexternal', '127.0.0.38')
describe RCVD_IN_SPAMRATS_SPAM RATS-Spam: sender is a spam source
tflags RCVD_IN_SPAMRATS_SPAM net
reuse RCVD_IN_SPAMRATS_SPAM
score RCVD_IN_SPAMRATS_SPAM 1.0 # please adjust the score value

# ---------------------------------------------------------------------------
# I think you do not need to enable the one below as once an IP is listed in
# RCVD_IN_SPAMRATS_AUTH it is automatically in RCVD_IN_SPAMRATS_SPAM as well
# ---------------------------------------------------------------------------
# header RCVD_IN_SPAMRATS_AUTH eval:check_rbl_sub('spamrats-lastexternal', '127.0.0.43')
# describe RCVD_IN_SPAMRATS_AUTH RATS-Auth: sender is a authentication hacker
# tflags RCVD_IN_SPAMRATS_AUTH net
# reuse RCVD_IN_SPAMRATS_AUTH
# score RCVD_IN_SPAMRATS_AUTH 0 # please adjust the score value

endif
If you would like to check RATS-Auth as soon as the connection is made, before any e-mail is accepted, you can easily do this in hMailServer's OnClientConnect event, as described earlier in "Block authentication hackers in HmailServer using the DNSLibrary.DNSResolver Component".
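Sub OnClientConnect(oClient)
   ' Result.Value = 1 tells hMailServer to drop the connection
   If SpamRatsAuthHacker(oClient.IPAddress) Then
      Result.Value = 1
      Exit Sub
   End If
End Sub

Function SpamRatsAuthHacker(strIP)
   SpamRatsAuthHacker = False
   Dim a : a = Split(strIP, ".")
   ' Only an IPv4 address can be turned into a reversed-octet DNSBL query
   If UBound(a) <> 3 Then Exit Function
   ' Keep the DNS answer separate from the client IP: a failed lookup
   ' (not listed, DNS error) then leaves strAnswer empty
   Dim strAnswer : strAnswer = ""
   On Error Resume Next
   With CreateObject("DNSLibrary.DNSResolver")
      strAnswer = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".auth.spamrats.com")
   End With
   On Error Goto 0
   ' Listed only when the answer is exactly the RATS-Auth return code
   Dim strRegEx : strRegEx = "^(127\.0\.0\.43)$"
   SpamRatsAuthHacker = Lookup(strRegEx, strAnswer)
End Function

Function Lookup(strRegEx, strMatch)
   ' True when strMatch matches the regular expression strRegEx
   With CreateObject("VBScript.RegExp")
      .Global = False
      .Pattern = strRegEx
      .IgnoreCase = True
      Lookup = .Test(strMatch)
   End With
End Function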
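The lookup that both the SpamAssassin rules and the hMailServer script rely on, as an added Python example that is not part of the original page: it builds the reversed-octet query name, maps the return codes used in the rules above to list names, and ignores answers that are not a known code. The function names are hypothetical, the zone data is constructed so the example runs offline, and it assumes all.spamrats.com answers with the codes shown in the rules.

```python
import ipaddress
import socket

# Return codes as used by the check_rbl_sub() rules on this page.
SPAMRATS_CODES = {
    "127.0.0.36": "RATS-Dyna",
    "127.0.0.37": "RATS-NoPtr",
    "127.0.0.38": "RATS-Spam",
    "127.0.0.43": "RATS-Auth",
}

def query_name(ip, zone="all.spamrats.com"):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return None  # the rules and script on this page only cover IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Return the A records for name; an empty list means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN, timeout or no network: fail open
        return []

def spamrats_lists(ip, resolver=system_resolver):
    """Return the sorted SpamRATS list names that ip appears on."""
    name = query_name(ip)
    if name is None:
        return []
    # Count only exact known codes, so a resolver that rewrites NXDOMAIN
    # to some other address cannot make every client look listed.
    return sorted({SPAMRATS_CODES[a] for a in resolver(name) if a in SPAMRATS_CODES})

def reject_at_connect(ip, resolver=system_resolver):
    """Same decision as the OnClientConnect handler: drop only RATS-Auth hits."""
    return "RATS-Auth" in spamrats_lists(ip, resolver)

# Constructed sample data: a stub resolver standing in for live DNS.
SAMPLE_ZONE = {
    "10.2.0.192.all.spamrats.com": ["127.0.0.36", "127.0.0.43"],
    "11.2.0.192.all.spamrats.com": ["203.0.113.7"],  # rewritten/wildcard answer
}

def stub_resolver(name):
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "2001:db8::1"):
        print(ip, spamrats_lists(ip, stub_resolver), reject_at_connect(ip, stub_resolver))
```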
Last edited Mar 20 2018