Domain Block List (DBL) support? (Anyone know a way?)
  •  
Lyle M

Messages: 410

Karma: 7
I'd like to use dbl.spamhaus.org to supplement my anti-spam arsenal. Does anyone know a way to tell Kerio to query the host name vs. the IP address for a specific blacklist entry?

Thanks!
  •  
garetjax

Messages: 35
Karma: 0
Lyle,

You can easily add additional anti-spam sources. In the Admin console, select Configuration->Content Filter->Spam Filter. Select the Blacklists tab. Scroll down to the Internet blacklists section and below the list select the Add... button. Add your spamhaus blacklist and its default action (block, add to score). Make sure the new blacklist is enabled in the Internet Blacklists list.
  •  
Lyle M

Messages: 410

Karma: 7
Hi Dave,

Thanks for your reply. My concern is that dbl.spamhaus.org uses the sending server's domain instead of the IP address.

So, instead of querying with 1.82.70.90.dbl.spamhaus.org,

it would be... newspost.com.spamhaus.org

How will Connect know to use the domain vs. the IP?

Thanks,
Lyle
  •  
TorW

Messages: 769
Karma: 9
Spamhaus' DBL zone cannot be used as a straight DNSBL: http://www.spamhaus.org/faq/section/Spamhaus%20DBL#279

Kerio Connect only feeds the connecting IP to the DNSBL checker, and if you look up an IP in DBL it will always come back as listed.

DBL checks belong in SpamAssassin or other content scanners, just like URIBL.
  •  
Lyle M

Messages: 410

Karma: 7
TorW wrote on Thu, 10 May 2012 18:35
Spamhaus' DBL zone cannot be used as a straight DNSBL:


The host query for the DBL is essentially the same (with host vs. IP) and responds identically to an IP-based DNSBL. It could be used if the query could include the host name.

Quote:
Kerio Connect only feeds the connecting IP to the DNSBL checker, and if you look up an IP in DBL it will always come back as listed.


Thanks, I'm aware of that. Sorry my original question didn't convey that clearly - I could have saved you some typing.

Quote:
DBL checks belong in SpamAssassin or other content scanners, just like URIBL.


I try to avoid messing with Kerio's SpamAssassin setup. In the past, I had to restore my customizations with each upgrade. I also try to keep our configs as high-level as possible to ease things for 'the next guy.' However, if it's the only option...

I appreciate the feedback.
  •  
freakinvibe

Messages: 1487
Karma: 57
Spamhaus DBL is included in the KC 7.4 version. You can see that by inspecting the email headers:

URIBL_DBL_SPAM: 1.7

If you see this, the rule has been triggered. So no need to add it to the custom Blacklists tab. As already mentioned, it wouldn't work anyway.

Dexion AG - The Blackberry Specialists in Switzerland
http://www.dexionag.ch
  •  
Lyle M

Messages: 410

Karma: 7
Thanks Pascal.

After Tor's response (instead of going to sleep) I poked into the SA rules to refresh myself on formatting urirhssub. In 25_uribl.cf I saw (and felt silly):

# DBL, http://www.spamhaus.org/dbl/
if can(Mail::SpamAssassin::Plugin::URIDNSBL::has_tflags_domains_only)
urirhssub URIBL_DBL_SPAM dbl.spamhaus.org. A 127.0.1.2
body URIBL_DBL_SPAM eval:check_uridnsbl('URIBL_DBL_SPAM')
describe URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist
tflags URIBL_DBL_SPAM net domains_only

# this indicates that IP-address queries were sent to DBL, and should
# never appear; if it does, something is wrong with SpamAssassin
urirhssub URIBL_DBL_ERROR dbl.spamhaus.org. A 127.0.1.255
body URIBL_DBL_ERROR eval:check_uridnsbl('URIBL_DBL_ERROR')
describe URIBL_DBL_ERROR Error: queried the DBL blocklist for an IP
tflags URIBL_DBL_ERROR net domains_only
endif

Yesterday, I was spot checking incoming spam and found an instance where the domain generated a positive with dbl.spamhaus.org (which is why I was interested in adding it). I looked back at the email last night, but the headers didn't contain a URIBL_DBL_SPAM hit. My original review was only a few minutes after receipt.

I ran the SA debug logs last night and found that dbl.spamhaus.org is working as it should. I must have been dealing with a domain that was only recently blacklisted after my host received it.

(from debug)
dbg: async: completed in 0.102 s: URI-DNSBL, DNSBL:dbl.spamhaus.org.:ocatt.ru
dbg: uridnsbl: domain "ocatt.ru" listed (URIBL_DBL_SPAM): 127.0.1.2

So, today I'll tweak the scoring in 50_scores.cf a little.

I appreciate everyone's feedback and guidance. Many thanks.

Regards,
Lyle
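
The difference between an IP-based DNSBL query and a DBL query, and the two return codes from the rules quoted above, as an added example that is not part of the original posts or of Kerio's or SpamAssassin's code. The function names and the offline `SAMPLE_ANSWERS` table are assumptions made for illustration; only `127.0.1.2` and `127.0.1.255` come from the thread.

```python
import ipaddress
import socket

DBL_ZONE = "dbl.spamhaus.org"
# Return codes as they appear in the 25_uribl.cf rules quoted in the thread.
DBL_SPAM = "127.0.1.2"
DBL_IP_QUERY_ERROR = "127.0.1.255"
# Constructed offline answers, modelled on the debug line in the thread.
SAMPLE_ANSWERS = {"ocatt.ru.dbl.spamhaus.org.": [DBL_SPAM]}

def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dnsbl_query_name(ip, zone):
    """IP-based DNSBL: reverse the IPv4 octets, then append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone + "."

def dbl_query_name(domain, zone=DBL_ZONE):
    """Domain-based list: the domain itself is the query label."""
    domain = domain.strip().rstrip(".").lower()
    if not domain or is_ip_literal(domain):
        # An IP sent to the DBL always answers "listed" (127.0.1.255).
        raise ValueError("DBL takes domain names only, got %r" % domain)
    return domain + "." + zone + "."

def system_resolver(name):
    """A records for name; [] when the lookup fails (treated as not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def sample_resolver(name):
    """Offline stand-in for DNS, backed by the constructed table above."""
    return SAMPLE_ANSWERS.get(name, [])

def check_dbl(domain, resolve=system_resolver):
    answers = resolve(dbl_query_name(domain))
    if DBL_IP_QUERY_ERROR in answers:
        return "error-ip-queried"  # same condition URIBL_DBL_ERROR flags
    if DBL_SPAM in answers:
        return "spam"
    return "listed-other" if answers else "not-listed"
```

Pass `sample_resolver` to `check_dbl` to run it without network access; the default resolver performs a live DNS lookup.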
  •  
Lyle M

Messages: 410

Karma: 7
It's funny. Had I not started poking around in the SA rules, I likely wouldn't have noticed that some of my entries in the Blacklists GUI are redundant with those in SpamAssassin.
That's another reason why I like having all the queries in one place! It's a shame the GUI can't be a link to the SA rules/scores.

Cheers.
  •  
TorW

Messages: 769
Karma: 9
Blocking mails with DNSBL entries is much "cheaper" in terms of processing power than scoring and subsequently blocking them in SpamAssassin. That being said, I agree that we could benefit from more control of the very powerful SpamAssassin.

Tip: gather all your custom SA config in one file named x-customrules.cf or similar. SpamAssassin reads all the config files in alphabetical order when it starts up, using the config from the last read. It's easier to back up and restore across version upgrades ...

[Updated on: Mon, 14 May 2012 10:37]

  •  
Lyle M

Messages: 410

Karma: 7
Hi Tor,

I appreciate the tip. Easier is better!

Cheers.
Lyle
  •  
hugogomes

Messages: 1
Karma: 0
TorW wrote on Mon, 14 May 2012 10:36
Blocking mails with DNSBL entries is much "cheaper" in terms of processing power than scoring and subsequently blocking them in SpamAssassin. That being said, I agree that we could benefit from more control of the very powerful SpamAssassin.

Tip: gather all your custom SA config in one file named x-customrules.cf or similar. SpamAssassin reads all the config files in alphabetical order when it starts up, using the config from the last read. It's easier to back up and restore across version upgrades ...


Thanks TorW, that's a good tip. I'll be doing that from now on.