topic Re: RLB problem? in Operating System - OpenVMS

RLB problem?

Willem Grooters — Tue, 23 Sep 2003 13:41:51 GMT

I wonder who has experience with SMTP as in TCPIP 5.3-18, ECO2, and is able to help me out with this.
I have to define my SMTP server as relay host since local PC's will send mail through it to any place on the internet; however, non-local SMTP servers are only allowed to send mail to my domain - unless they are know spammers. I use RLB lists for that, at least, I want to do that.
To test it, I logged in on a login server at my ISP and start a telnet session to my (external) address, port 25 (Firewall will forward to VMS machine). But it fails from the beginning:

$ telnet aaa.bbb.ccc.ddd 25
Trying aaa.bbb.ccc.ddd...
Connected to aaa.bbb.ccc.ddd.
Escape character is '^]'.
550 I Spotted you in an RBL. SPAMBREATH!
Connection closed by foreign host.
$

but I'm quite sure that this is NOT true.

When I take out the RLB list, it seems Ok. Unknown/bogus addresses, not translatable addresses and known bad domains will be rejected, and known good domains won't be able to send outside my own domain - i checked that the same way.

However, I would like to use RBL's, since it takes quite a lot of maintenance off my back. How to get that working?

I must admit I have no MX record yet pointing to my 'own' mail address. Could that be the case? (point is, that before I have my ISP setting an MX record for my domain, I want to be sure it all works as I want, and open relay is NOT permitted (obviously))

I added the relevant part of smtp.config (but obscured my location for obvious reasons ;-) (Not that I don't trust you, just to be sure)

Re: RLB problem?

John Gillings — Tue, 23 Sep 2003 16:16:12 GMT

Willem,

When you connect with RBLs disabled, what address do you come in on?

Have you tried setting your RBL list to ONE source at a time? Perhaps only one of them is failing? Perhaps your ISP really is a source of SPAM?

There are web pages that let you check your IP address against RBLs. For example: http://mail-abuse.org/cgi-bin/lookup (though this one probably isn't relevant for the default set of RBLs in SMTP.CONFIG)

Re: RLB problem?

Willem Grooters — Wed, 24 Sep 2003 00:46:26 GMT

John,
With or without RBL, I use the same machine (at ISP), same login (my own on that machine), same destination (my SMTP server at aaa.bbb.ccc.ddd). I checked the ISP machine against RBL's (via mail-abuse.org, indeed) but none found that (ISP) address to be a bad one, so I wonder why this happened.
I'll add RBL's one at a time, then, in case one is failing....

Re: RLB problem?

Martin P.J. Zinser — Wed, 24 Sep 2003 09:08:45 GMT

Me too! ;-)

Same problem over here. My server at home came under siege by Spammers yesterday, so I had plenty of opportunity to experiment :-(

Disallowing non-translatable addresses cuts a good part of the spammers, but unfortunatly not enough. As soon as I uncomment the RBLs in smtp.config all incoming/relay traffic is bounced as being from a SPAM site. I did check this by explicitly sending mail from some systems I have access to to my home system.

So, right now I am back to norelay, which is good for the internet at large, but bad for me.

This looks like a problem in TCP/IP (Config: OpenVMS Alpha 7.3-1, TCP/IP 5.3 ECO 2)

P.S. Not Willems problem, but one I ran into yesterday - smtp.config needs to be W:RE to be used at all

Re: RLB problem?

Willem Grooters — Fri, 26 Sep 2003 16:38:48 GMT

Ha, so I'm not the only one.
Martin, I guess you have a support contract so would you issue an SPR for this. I could make one but since I have no support contract I can't leave it somewhere (as a small user, support is far too expensive and _so_ I'll never have a problem?)

Re: RLB problem?

Martin P.J. Zinser — Sat, 27 Sep 2003 12:27:59 GMT

Found the culprit: MR-OUT.IMRSS.ORG returns
every addres I tried as a SPAM originator.
Either just drop it from the list or replace it
e.g. with bl.spamcop.net.

I have not yet activated this on my server since I do want to monitor this closely and right now do not have the time to do so.

Re: RLB problem?

Martin P.J. Zinser — Sun, 28 Sep 2003 13:06:33 GMT

Seems to work ok now. My RBL list looks like
this

RBLs: rbl.maps.vix.com, dul.maps.vix.com, relays.orbs.org, bl.spamcop.net

and the operator log shows the RBL in action:

--> This is a spammer
%%%%%%%%%%% OPCOM 28-SEP-2003 12:19:32.85 %%%%%%%%%%%
Message from user INTERnet on KORONA
INTERnet ACP SMTP Accept Request from Host: 219.80.7.126 Port: 3603

$
%%%%%%%%%%% OPCOM 28-SEP-2003 12:19:35.48 %%%%%%%%%%%
Message from user TCPIP$SMTP on KORONA
TCPIP-W-SMTP_CLNTINRBL, client IP address 219.80.7.126 matched RBL list

---> Legitimate external host
%%%%%%%%%%% OPCOM 28-SEP-2003 12:20:09.34 %%%%%%%%%%%
Message from user INTERnet on KORONA
INTERnet ACP SMTP Accept Request from Host: 149.68.45.24 Port: 3717

---> Legitimate internal Relay host
%%%%%%%%%%% OPCOM 28-SEP-2003 12:29:27.92 %%%%%%%%%%%
Message from user INTERnet on KORONA
INTERnet ACP SMTP Accept Request from Host: 10.0.0.7 Port: 39134

Re: RLB problem?

John Gillings — Sun, 28 Sep 2003 22:43:25 GMT

It looks like imrss.org has gone out of business (see http://www,imrss.org) and left a "block everything" rule to let you know.

Re: RLB problem?

Willem Grooters — Mon, 29 Sep 2003 03:29:17 GMT

John,
Am I right then, that if a RBL goes offline, accessing it will result in blocking *@* - (anyone from anywhere) virtually everything?
I couldn't find anything on the vix.com site, I wonder if the RBL still exists over there. Is there a way to check the validity of an RBL-list? It would be better if you explicitly had a way to do so. A wiser approach then just stating "Block all" if a RBL goes offline...
Anyway, I did what Martin did - but domains that can not be translated into an IP-address, still seem to be Ok. But that could be because the source is the same network as my external address.

Re: RLB problem?

Martin P.J. Zinser — Mon, 29 Sep 2003 10:26:09 GMT

Hello Willem,

the way an RBL works is that essentially they do run a DNS server with entries for each address on the blacklist, i.e. to find out if ip address 1.2.3.4 is a spammer you do a

e.g. tcpip show host 1.2.3.4.bl.spamcop.net

if you get an error here the address is clean and not on the list. If the name is resolved it is a spammer

So easy test: Write a DCL to do this with each of your RBL servers. Use your own ip address as
the one to check. If this gets resolved either the RBL has a problem or you have a problem ;-) In any case it is time to investigate then.

Greetings, Martin