
my whitelist and blacklist setup
mickwire

We all know the biggest problem with trying to aggressively filter spam is false positives. With this in mind, I set out to create a whitelist of all of our customers that works like the online blacklists. This technique will whitelist the IP of the server sending you the mail, not the domain name. I am running Kerio on Linux so I am not sure how you would do this on Windoze.

You'll need:

-a text file with the domains you want to whitelist
-a linux console
-vi text editor
-dns server running Bind

I started by creating a list of all domains I need to whitelist. In my case this was done by simply querying our customer database. The text file has the domains listed one per line in the format "domain.com" (without quotes)

Using dig, create a dns zone file:

For example's sake, my text file is named whitelist.kerio.

this will create a file named "named.whitelist" with the domains

for d in `cat whitelist.kerio`; do for mx in `dig mx $d +short | awk '{print $2}'`; do dig A $mx +short; done | awk -F\. '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $4"."$3"."$2"."$1".rbl\tIN\tA\t127.0.0.2"}'; done >> named.whitelist
# the /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ guard keeps only IPv4 answers: when an MX host is an alias, "dig A +short" prints the CNAME target first, and that line would otherwise become a malformed record that stops the zone loading

note: depending on the size of your list...this can take a while so be patient. If you want to watch the output then do a

tail -f named.whitelist

now you will have a nice tidy file in the format:

30.32.143.95.rbl IN A 127.0.0.2
31.32.143.95.rbl IN A 127.0.0.2
32.32.143.95.rbl IN A 127.0.0.2
33.32.143.95.rbl IN A 127.0.0.2
34.32.143.95.rbl IN A 127.0.0.2
35.32.143.95.rbl IN A 127.0.0.2

edit the file and add the necessary info to the top of your whitelist.local

$TTL 1D
$ORIGIN whitelist.local.
@	IN	SOA	rbl.whitelist.local. admin.whitelist.local. (	; primary name server and contact: both must end with a dot or BIND appends the origin
		2009051815	; serial
		7200		; refresh
		7200		; retry
		2400000		; expire
		86400 )		; minimum
@	IN	NS	rbl.whitelist.local.
localhost	IN	A	127.0.0.1
rbl		IN	A	192.168.100.21

In your named.conf create the zone. Note: I allow transfer to my active directory domain controllers where I run dns and I run Bind in a chroot environment.

zone "whitelist.local" {
    type master;
    file "/var/named/chroot/var/named/named.whitelist";
    allow-transfer {
        192.168.100.2;
        192.168.100.3;
    };
};

now you can try querying your whitelist to make sure it is working...I use nslookup

mickwire@moe:~$ nslookup
> set type=mx
> siemens.com
Server: 192.168.100.68
Address: 192.168.100.68#53

Non-authoritative answer:
siemens.com mail exchanger = 10 zetes.siemens.com.
siemens.com mail exchanger = 10 meleagros.siemens.com.
siemens.com mail exchanger = 10 hephaistos.siemens.com.
siemens.com mail exchanger = 10 hylas.siemens.com.

Authoritative answers can be found from:
> set type=a
> zetes.siemens.com
Server: 192.168.100.68
Address: 192.168.100.68#53

Non-authoritative answer:
Name: zetes.siemens.com
Address: 217.194.34.75
> 75.34.194.217.rbl.whitelist.local
Server: 192.168.100.68
Address: 192.168.100.68#53

Name: 75.34.194.217.rbl.whitelist.local
Address: 127.0.0.2
>

You see the positive reply of 127.0.0.2, meaning the lookup was successful. If you are wondering why the IP is backwards, please read http://en.wikipedia.org/wiki/RHSBL since I don't have the time to go into that here.

So now just add the whitelist to the Internet Blacklist section of your Kerio Mailserver using the Admin console and give it a -20 score or something like that.

DNS Suffix: rbl.whitelist.local
Description: Our Customers

The beauty of this system is the fact that a customer of yours will not be penalized for NOT being on the list...but if your customer is on the list, even the most spammified message from them will get through. Also, your changes won't be lost with every Kerio upgrade as they are if you make changes to the spamassassin .cf files....and forget to back them up ;)

If you want to see the list in action then go to Logs --> Debug, right click, choose Messages and add the DNS resolver to the list.

Now for the fun part....BLACKLISTING


using the same technique create another text file to run through the script I showed you above.

Here is how I did it.


I want a list of all mails that were ever moved to the Junk Mail folder by any user. So on the mail server I did the following:

change directory to /opt/kerio/mailserver/store/logs
cat spam.* | grep 'moved a message to Junk E-mail folder' >> named.blacklist

this will create a txt file that will be full of lines like this:

xxx@mydomain.com moved a message to Junk E-mail folder, Folder: ~xxx@mydomain.com/Junk E-mail, Size: 230883, From: "Rate Reduction" <Insure4less@allwinsport.com>
xxx@mydomain.com moved a message to Junk E-mail folder, Folder: ~xxx@mydomain.com/Junk E-mail, Size: 355139, From: "My Home Promotions " <moe@nightradiant.com>
xxx@mydomain.com moved a message to Junk E-mail folder, Folder: ~xxx@mydomain.com/Junk E-mail, Size: 385458, From: "Heating-Cooling Specialist" <idris@teamorangeburg.com>

To make something useful for our dig script above we'll use vi... you Linux gurus out there may do this differently, but it is all a means to an end. What I want here is to get the domains out of the text file, but of course I don't want my own domain.

the Kerio spam logs have the domain that sent the spam in between < and > which makes this easier...

vi spamdomains
: <----this first
then enter the following string
g/.*<.*@\(.*\)>.*/s//\1/g
save the file with :x

Breakdown of what this means :g/.*<.*@\(.*\)>.*/s//\1/g
: Command mode
g/ Global search for...
.* Any number of any character
< ...followed by a less than sign
.* ...followed by any number of any character
@ ...followed by an at sign
\(.*\) ...followed by any number of any character (and save this stuff in the first search buffer)
> ...followed by a greater than sign
.* ...followed by any number of any character
/s// when we find something that matches the search, Substitute:
\1 the first search buffer
/g globally

Now, sometimes users move messages into the junk folder by mistake and I don't want to accidentally blacklist a customer after going through all this trouble so I'll compare the newly created named.blacklist to my named.whitelist

again using the linux console:

sort named.blacklist whitelist.kerio | uniq -d   # prints the domains present in both lists: drop these from named.blacklist before building the zone (compare against the whitelist domain list, not the generated zone file, which holds IP records)

now we will have a tidy file to run through the dig script above. Just create your zone files as above and edit the named.conf accordingly. Then add the blacklist.local to your Kerio Internet Blacklist section and give it a positive score. I personally give it a score high enough so that I KNOW it will land in the spam mailbox for review...since NO system is perfect.

I have been running this system for a while now and only 1% of messages are being marked as spam. I have found this to be very effective for catching image spam which slips through the spamassassin filters.

It does need to be maintained though so I go through this procedure once a week or whenever I have a few minutes. Once it is setup it is easy to maintain simply using the Bind GUI on your DNS server.

I hope this helps a few people... feel free to message me with questions and I will try to help... but I have a job and kids too so the answer may not be immediate! :)

[Updated on: Tue, 29 September 2009 01:11]
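The procedure from the post above, reworked as an added example that is not part of the original post or of Kerio's own tooling: the octet reversal, the resolver-output-to-zone-record step, the extraction of sender domains from Kerio "moved a message to Junk E-mail folder" log lines, and the removal of whitelisted domains from the blacklist candidates are each a small shell function that can be checked offline. The log lines, sender addresses and resolver answers are constructed for the example; the IPv4 guard on the resolver output and the comm(1) set difference are assumptions added here in place of the post's unguarded awk and its sort | uniq -d, and the dig-based function is the only one that needs the network.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: the post's whitelist/blacklist
# pipeline split into functions that can be checked offline. The sample log
# lines, sender domains and resolver answers below are constructed; the IPv4
# guard and the comm(1) step are additions to the post's steps.

# Reverse one dotted quad into DNSBL label order: 217.194.34.75 -> 75.34.194.217
reverse_ip() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# Read resolver answers (one per line, as "dig +short" prints them) on stdin and
# emit one origin-relative BIND record per IPv4 address. Lines that are not a
# dotted quad (e.g. the CNAME target that "dig A +short" prints before the
# address) are dropped; fed straight into a zone they would be malformed records.
#   $1 = label under the zone origin (default rbl), $2 = answer (default 127.0.0.2)
to_zone_records() {
    awk -v label="${1:-rbl}" -v answer="${2:-127.0.0.2}" -F. '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            printf "%s.%s.%s.%s.%s\tIN\tA\t%s\n", $4, $3, $2, $1, label, answer
        }'
}

# Network step, the same loop as the post: domains on stdin -> MX hosts -> A
# records -> zone records. Not exercised offline.
mx_hosts_to_records() {
    while read -r domain; do
        [ -n "$domain" ] || continue
        for mx in $(dig +short MX "$domain" | awk '{ print $2 }'); do
            dig +short A "$mx"
        done
    done | to_zone_records
}

# Sender domains from Kerio "moved a message to Junk E-mail folder" lines on
# stdin (the post's vi substitution), lowercased and de-duplicated. Lines
# without a <user@domain> address are skipped instead of passed through.
extract_spam_domains() {
    sed -n 's/.*moved a message to Junk E-mail folder.*<[^<>@]*@\([^<>]*\)>.*/\1/p' \
        | tr '[:upper:]' '[:lower:]' | sort -u
}

# Candidate blacklist domains ($1) minus the whitelist domain list ($2).
# "sort a b | uniq -d" only lists the overlap; comm -23 removes it.
exclude_whitelisted() {
    b=$(mktemp) && w=$(mktemp) || return 1
    sort -u "$1" > "$b"
    sort -u "$2" > "$w"
    comm -23 "$b" "$w"
    rm -f "$b" "$w"
}

# --- constructed sample data (fictitious users, senders and addresses) ---
SAMPLE_LOG='alice@mydomain.com moved a message to Junk E-mail folder, Folder: ~alice@mydomain.com/Junk E-mail, Size: 230883, From: "Rate Reduction" <offers@spam-example.test>
bob@mydomain.com moved a message to Junk E-mail folder, Folder: ~bob@mydomain.com/Junk E-mail, Size: 355139, From: "Promo" <moe@Spam-Example.test>
carol@mydomain.com moved a message to Junk E-mail folder, Folder: ~carol@mydomain.com/Junk E-mail, Size: 1024, From: "Real Customer" <pat@customer-example.test>
alice@mydomain.com logged in'

# What "dig +short A" prints for an MX host that is a CNAME with two addresses.
SAMPLE_RESOLVER_OUTPUT='mail.customer-example.test.
192.0.2.10
192.0.2.11'

# End-to-end offline run: spam domains from the log, minus the whitelist.
blacklist_demo() {
    bl=$(mktemp) && wl=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LOG" | extract_spam_domains > "$bl"
    printf 'customer-example.test\n' > "$wl"
    exclude_whitelisted "$bl" "$wl"
    rm -f "$bl" "$wl"
}

printf '%s\n' "$SAMPLE_RESOLVER_OUTPUT" | to_zone_records   # two rbl records, CNAME line dropped
blacklist_demo                                              # spam-example.test
```

The records that to_zone_records prints still need the $ORIGIN/SOA/NS header from the post placed above them before BIND will load the zone; the live pipeline is `mx_hosts_to_records < whitelist.kerio >> named.whitelist`, and for the blacklist `extract_spam_domains` replaces the vi step and `exclude_whitelisted` the sort | uniq -d comparison.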
