Ever notice how the public RBL databases aren’t enough? spamcop and spamhaus are great, but there are spammers still getting through. Did you ever want to do it yourself?<\/p>\n
This procedure explains how to run your own RBL DNS Blacklist. It uses a mysql table to store the IP address you want to blacklist and whitelist. Based on this data, it rebuilds a flatfile that the dns server uses on a regular basis. I prefer every 5 minutes. I run it on a Blue Quartz server which is CentOS Linux (Red Hat EL4) based. You will need a local mysql server.
\nStep 1:Download the RBL DNS Daemon<\/p>\n
We use rbldnsd from here
\nDownload the rbldns server:
\nRHEL 4 \/ CentOS 4 rbldnsd RPM ver. 0.995
\nRHEL 5 \/ CentOS 5 rbldnsd RPM ver 0.995
\nSource rbldnsd RPM ver 0.996b
\nStep 2: Turn off any existing DNS server<\/p>\n
Make sure you are not already running a DNS server on this machine. Turn off “named” if its on.<\/p>\n
service named stop<\/p>\n
Step 3:Install the RPM<\/p>\n
useradd rbldns
\nrpm -Uvh rbldnsd*.rpm<\/p>\n
Step 4: Create a mysql table
\nMake sure the MySQL server is running.<\/p>\n
CREATE TABLE `ips` (
\n `ipaddress` varchar(15) NOT NULL default ”,
\n `dateadded` datetime NOT NULL default ‘0000-00-00 00:00:00’,
\n `reportedby` varchar(40) default NULL,
\n `updated` datetime default NULL,
\n `attacknotes` text,
\n `b_or_w` char(1) NOT NULL default ‘b’,
\n PRIMARY KEY (`ipaddress`),
\n KEY `dateadded` (`dateadded`),
\n KEY `b_or_w` (`b_or_w`)
\n) ENGINE=MyISAM DEFAULT CHARSET=latin1 COMMENT=’spammer list’;<\/p>\n
You may want to create a mysql user just for this purpose with limited permissions.
\nStep 5: Download the perl script that rebuilds the flat file from a mysql database
\nrebuild_rbldns.pl script
\nPut this script in \/usr\/local\/bin<\/p>\n
wget -O \/usr\/local\/bin\/rebuild_rbldns.pl http:\/\/www.blue-quartz.com\/rbl\/rebuild_rbldns.txt
\nchmod 750 \/usr\/local\/bin\/rebuild_rbldns.pl<\/p>\n
You will want to put this in the root cron and run it every 5 minutes<\/p>\n
crontab -e
\n*\/5 * * * * \/usr\/local\/bin\/rebuild_rbldns.pl<\/p>\n
Please edit lines 25-27 of this perl script to change your mysql user and password.
\nStep 6: Edit the \/etc\/sysconfig\/rbldnsd config file<\/p>\n
# My boot rbldnsd options
\n# —————————————–
\n# TTL 35m, check files every 60s for changes, -f = smooth reloads
\n# -l logfilepath
\n# Please change 101.102.103.104 to your real public IP that you want the dns daemon to listen on
\n# Please change mydomain.com to your real domain name.
\n#
\nRBLDNSD=”dsbl -l \/var\/lib\/rbldns\/log\/rbl.log -f -r\/var\/lib\/rbldns\/dsbl -b 101.102.103.104 \\
\n rbl.mydomain.com:ip4set:spammerlist,whitelist \\
\n rbl.mydomain.com:generic:forward
\n”<\/p>\n
Step 7: Create directory structure for flat file<\/p>\n
mkdir \/var\/lib\/rbldns\/dsbl
\ntouch \/var\/lib\/rbldns\/dsbl\/forward
\ntouch \/var\/lib\/rbldns\/dsbl\/spammerlist
\ntouch \/var\/lib\/rbldns\/dsbl\/whitelist
\ntouch \/var\/lib\/rbldns\/dsbl\/rbl.log
\nchown -R rbldns:rbldns dsbl<\/p>\n
Step 8: Add some records to the MySQL database you have of known spammers<\/p>\n
INSERT INTO ips SET
\nipaddress=’123.456.789.1′,
\nreportedby=’101.102.103.104′,
\nattacknotes=’dictionary attack from badboy.com’,
\nb_or_w=’b’,
\ndateadded=now(),
\nupdated=now();<\/p>\n
To help in diagnosing problems, add these entries in the “\/var\/lib\/rbldns\/dsbl\/forward” file:<\/p>\n
@ A 1.2.3.4
\ntest A 1.2.3.4<\/p>\n
And please replace 1.2.3.4 with the ip address of your rbl server.<\/p>\n
Step 9: Run the script to build the flat file
\n\/usr\/local\/bin\/rebuild_rbldns.pl and if you want to see if it actually created the file type this:<\/p>\n
cat \/var\/lib\/rbldns\/dsbl\/spammerlist<\/p>\n
Step 10: Start the rbldns service<\/p>\n
service rbldnsd start<\/p>\n
Step 11: Create a DNS subdomain zone for rbl.mydomain.com
\nYou must create a DNS zone (subdomain) in your main DNS server for rbl.mydomain.com and point it to your rbldnsd server.<\/p>\n
; subdomain delegation
\nrbl.mydomain.com. in ns rbl.mydomain.com.
\nrbl.mydomain.com. in a 101.102.103.104<\/p>\n
Step 12: test rbl.mydomain.com lookups
\nIf a blacklisted IP address is in your rbl database it will “exist” in the DNS system.<\/p>\n
For example:<\/p>\n
if you blacklisted IP 89.40.1.32
\nthen doing a regular DNS lookup like this:<\/p>\n
nslookup test.rbl.mydomain.com
\nnslookup 32.1.40.89.rbl.mydomain.com<\/p>\n
should result in a match of 127.0.0.2<\/p>\n
nslookup test.rbl.mydomain.com<\/p>\n
should result in a match for 1.2.3.4 (your public ip address of your rbl server). If this works then the file \/var\/lib\/rbldns\/dsbl\/forward is working.<\/p>\n
Every entry in your RBL database will return a match of 127.0.0.2<\/p>\n
If an IP address is not in your RBL database it will fail to find an entry. This is how mail servers know how to block relays of email from known spammers.
\nStep 13: Having Your Mail Servers Use This RBL database
\nIf you are using sendmail, and want it to use this database, do this:<\/p>\n
cd \/etc\/mail
\nvi sendmail.mc
\nmake<\/p>\n
add this line right below the “blacklist_recipients” line:<\/p>\n
FEATURE(dnsbl, `rbl.mydomain.com’, `Rejected – known spammer’)dnl<\/p>\n
Now sendmail will reject messages from bad IP addresses in your database. You can monitor your \/var\/log\/maillog file to see if sendmail really did block a specific IP.
\nStep 14: Filling your database with known spammers
\nNow you need to decide how you are going to add records to your MySQL table. I suggest you write a script that monitors mailboxes or mail server logs. This is a great way to discover those spammers that are getting through the system.<\/p>\n
I also wrote some PHP web pages with forms to allow me to quickly add IP’s to my blacklist. You might want to try that.<\/p>\n
In my dictionary attack monitoring scripts, I use this command to update the rbl database:<\/p>\n
wget -q -O \/dev\/null ‘http:\/\/rbl.domain.com\/drop.php?ipaddress=133.25.2.1&blackorwhite=b¬es=dictionary attack’<\/p>\n
This way all my servers can add to the database. Of course, only approved IPs in my network are allowed to submit rbl data. I ignore all others.<\/p>\n","protected":false},"excerpt":{"rendered":"
Ever notice how the public RBL databases aren’t enough? spamcop and spamhaus are great, but there are spammers still getting through. Did you ever want to do it yourself? This procedure explains how to run your own RBL DNS Blacklist. It uses a mysql table to store the IP address you want to blacklist and… <\/p>\n