How it works …

I was getting SPAM that slipped through my highly customized SpamAssassin (courtesy of the Solarspeed.net AV-SPAM!). It was about 30-40 emails per day and from looking at the headers I noticed a few commonalities.

These emails usually originated in the same subnet, and every day they came back from another subnet in another ASN somewhere entirely different. That made up around 80% of the SPAM that made it through. The remaining 20% was the usual leakage from other SPAM senders.

I tweaked my SpamAssassin rules some and also created some nifty new rules based on content or types of SPAM I was getting. That cut the leakage down to about half.

But the rest was still keeping me pissed off and I was thinking about what would be necessary to run my own RBL.

We do run a set of master/slave PowerDNS servers with a MySQL backend. So I set a zone in that aside and created a PHP script that presents a form, checks and reverses the IP and (if not already RBL’ed) inserts it into the PowerDNS MySQL database and increments the serial in the zone’s SOA record.

That was surprisingly simple.

However: Wading through the SPAM emails manually and feeding the IPs to the form got a bit tiresome. Why not automate that as well?

No sooner said than done:

I created an IMAP-folder called “autorbl” into which I sort all SPAMs whose IPs I want to feed to the RBL. A Perl script then parses that IMAP folder and extracts the sender IPs.

It then checks that the sender IPs are not whitelisted (because there are senders we sure don’t wanna block, and that doesn’t only include our own servers!). If an IP is not whitelisted, we check whether we already have an RBL entry for it. If not, we send a GET request to our PHP script with the proper URL options, which automatically feeds the offending IPs we extracted from the emails in the IMAP folder into our RBL blacklist.

This script then got turned into a cronjob.
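The core of that cronjob, as an added example written in Python rather than the Perl and PHP of the actual setup: walk the Received headers to find the outside sender, skip whitelisted senders, reverse the octets into the DNSBL record name, and bump a date-based SOA serial. The zone name, the internal and whitelisted networks and the sample message are all constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

RBL_ZONE = "rbl.example.invalid"  # assumption: the PowerDNS zone set aside for the RBL

# Our own relays; hops with these addresses are skipped when walking the Received headers.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Senders that must never be listed (constructed: our public MX range and one partner host).
WHITELIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.10/32")]
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPv4 literals only

# Constructed sample: internal MX->IMAP hop first, then the outside sender, then a hop the
# sender wrote itself that claims to come from our own MX.
SAMPLE = ("Received: from mx.example.invalid ([10.0.0.5]) by imap.example.invalid\n"
          "Received: from bulk.spammer.invalid ([203.0.113.7]) by mx.example.invalid\n"
          "Received: from mx.example.invalid ([192.0.2.4]) by bulk.spammer.invalid\n"
          "Subject: buy now\n\nbody\n")

def sender_ip(raw_message):
    """First external hop that handed the mail to us, or None.
    Relays prepend Received headers, so walking from the top, the first non-internal
    address is the real sender; everything below it was written by that sender."""
    msg = message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        for literal in RECEIVED_IP.findall(hdr):
            ip = ipaddress.ip_address(literal)
            if not any(ip in net for net in INTERNAL):
                return ip
    return None

def is_whitelisted(ip):
    return any(ip in net for net in WHITELIST)

def rbl_name(ip):
    """Reverse the octets to get the DNSBL record name: 203.0.113.7 -> 7.113.0.203.<zone>."""
    return ".".join(reversed(str(ip).split("."))) + "." + RBL_ZONE

def next_serial(current, today):
    """Bump a YYYYMMDDnn SOA serial: a new date restarts at 01, the same date increments."""
    base = int(today) * 100
    return base + 1 if current < base else current + 1

def rbl_candidate(raw_message):
    """Whole check for one message: the record to add, or None if unusable or whitelisted."""
    ip = sender_ip(raw_message)
    if ip is None or is_whitelisted(ip):
        return None
    return rbl_name(ip)
```

Stopping at the first external hop is what keeps the forged bottom header, which names our own whitelisted MX, from shielding the spammer; the actual RBL lookup and the GET to the PHP script are left to the cronjob itself.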

All I now need to do is to move offending emails into the separate IMAP folder and the sender IP extracted from this SPAM gets automatically fed into the RBL blacklist.

But even better: I do have some ancient email accounts that get nothing but SPAM. So they are now turned into automated SPAM traps, and emailing them will directly feed the offending sender IP into the RBL.

Ah, automation is a fine thing. \o/