Ruud's Blog  Ruud's Blog

Using SpamRats in SpamAssassin and hMailServer

Posted by RvdH under hMailserver SpamAssassin on Aug 17 2017

SpamRATS is dedicated to helping ensure that all forms of mail servers can choose to only accept messages from other properly configured mail servers. "Best Practices" dictates that mail servers should have correct Reverse DNS that reflects the operator of the mail servers.

SpamRATS is a completely automated system available to the general public. We hope this service helps protect you against one of the most problematic types of resources draining your email systems.
 

The SpamRats DNSBL consist out of 4 independed list:

RATS-Dyna - RATS-Dyna is a collection of IP Addresses that have been found sending an abusive amount of connections or trying too many invalid users at ISP and Telco's mail servers. They are also known to conform to a naming convention that is indicative of a home connection or dynamic address space.

RATS-NoPtr - RATS-NoPtr is a collection of IP Addresses that have been found sending an abusive amount of connections or trying too many invalid users at ISP and Telco's mail servers. They are also known to have no reverse DNS, a technique often used by bots and spammers. Email servers should always have reverse DNS entries.

RATS-Spam - This is a list of IP Addresses that do not conform to more commonly known threats. This is usually because of compromised servers, hosts, or open relays. However, since there is little accompanying data this list could have false-positives, so we suggest that it only is used if you support a more aggressive stance.

RATS-Auth - RATS-AUTH is a collection of IP Addresses that have been detected as being the source of a trojan/bot attack specifically used to try and guess passwords, or similar technique by attempting to just 'authenticate' without really sending email. We suggest that it be used to protect your servers from these types of attacks, which can also contribute to large loads.

 

RATS is very simple and easy to use. You can access our public lists, just like any other RBL. Most mail servers support this functionality. We have also included references for several of the common mail servers. All you have to do is remember the correct hostnames to use for each list. Simple, and easy to use (copy from any instructions on using RBL)! 

  • RATS-Dyna - Use "dyna.spamrats.com"
  • RATS-NoPtr - Use "noptr.spamrats.com"
  • RATS-Spam - Use "spam.spamrats.com"
  • RATS-Auth - Use "auth.spamrats.com"
They also utilize a combined list, eg: "all.spamrats.com", that includes all of the above.

You got it? OK...So how to get all this working in SpamAssassin?

21_spamrats_dnsbl.cf (copied to .\etc\spamassassin) 
ifplugin Mail::SpamAssassin::Plugin::DNSEval

	header __RCVD_IN_SPAMRATS       eval:check_rbl('spamrats-lastexternal', 'all.spamrats.com.')
	describe __RCVD_IN_SPAMRATS     SPAMRATS: sender is listed in SpamRats
	tflags __RCVD_IN_SPAMRATS       net
	reuse  __RCVD_IN_SPAMRATS

	header RCVD_IN_SPAMRATS_DYNA    eval:check_rbl_sub('spamrats-lastexternal', '127.0.0.36')
	describe RCVD_IN_SPAMRATS_DYNA  RATS-Dyna: sent directly from dynamic IP address
	tflags RCVD_IN_SPAMRATS_DYNA    net
	reuse  RCVD_IN_SPAMRATS_DYNA
	score  RCVD_IN_SPAMRATS_DYNA    3.0 # please adjust the score value

	header RCVD_IN_SPAMRATS_NOPTR   eval:check_rbl_sub('spamrats-lastexternal', '127.0.0.37')
	describe RCVD_IN_SPAMRATS_NOPTR RATS-NoPtr: sender has no reverse DNS
	tflags RCVD_IN_SPAMRATS_NOPTR   net
	reuse  RCVD_IN_SPAMRATS_NOPTR
	score  RCVD_IN_SPAMRATS_NOPTR   2.0 # please adjust the score value

	header RCVD_IN_SPAMRATS_SPAM    eval:check_rbl_sub('spamrats-lastexternal', '127.0.0.38')
	describe RCVD_IN_SPAMRATS_SPAM  RATS-Spam: sender is a spam source
	tflags RCVD_IN_SPAMRATS_SPAM    net
	reuse  RCVD_IN_SPAMRATS_SPAM
	score  RCVD_IN_SPAMRATS_SPAM    1.0 # please adjust the score value

	# ---------------------------------------------------------------------------
	# I think you do not need to enable the one below as once a IP is listed in   
	# RCVD_IN_SPAMRATS_AUTH it is automatically in RCVD_IN_SPAMRATS_SPAM as well 
	# ---------------------------------------------------------------------------

	# header RCVD_IN_SPAMRATS_AUTH    eval:check_rbl_sub('spamrats-lastexternal', '127.0.0.43')
	# describe RCVD_IN_SPAMRATS_AUTH  RATS-Auth: sender is a authentication hacker
	# tflags RCVD_IN_SPAMRATS_AUTH    net
	# reuse  RCVD_IN_SPAMRATS_AUTH
	# score  RCVD_IN_SPAMRATS_AUTH    0 # please adjust the score value

endif

If you like to use RATS-AUTH once the connection is made and is executed before the e-mail is accepted, in hMailserver you could easily do this in OnClientConnect as described earlier in Block authentication hackers in HmailServer using the DNSLibrary.DNSResolver Component.
  
Sub OnClientConnect(oClient)
    If SpamRatsAuthHacker(oClient.IPAddress) Then
		Result.Value = 1
		Exit Sub
	End If
End Sub

Function SpamRatsAuthHacker(strIP)
	SpamRatsAuthHacker = false
	Dim a : a = Split(strIP, ".")
	On Error Resume Next
	With CreateObject("DNSLibrary.DNSResolver")
		strIP = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".auth.spamrats.com")
	End With
	On Error Goto 0
	Dim strRegEx : strRegEx = "^(127\.0\.0\.43)$"
	SpamRatsAuthHacker = Lookup(strRegEx, strIP)
End Function

Function Lookup(strRegEx, strMatch)
	With CreateObject("VBScript.RegExp")
		.Global = False
		.Pattern = strRegEx
		.IgnoreCase = True
		Lookup = .Test(strMatch)
	End With
End Function

Last edited Mar 20 2018


Tags:  Hmailserver VbScript AUTH Spam DNSBL SpamAssassin

Comments 0

recent posts

recent comments

archives

posts by year

categories

options

min