See the changelog for details on changes.
This document describes using SURBL (Spam URI Realtime Blocklists) and URIBL in conjunction with the Exim MTA to block spam containing "spamvertizing" URLs. To achieve this, one can use the Perl script that is found below. This utilizes Exim's MIME and/or DATA ACLs and Exim's embedded Perl engine.
The Perl routine from this page should be relatively easy to modify to use in any other MTA that can call an external script to scan a message.
The SURBL and URIBL systems function just like a normal DNSBL system, but instead of containing a list of IPs of servers that send spam, they maintain a list of the domains that are found in the bodies of messages. These are the domains that are part of the URL the spammers want you to click on to buy their wares. It's quite an effective way of filtering for spam and can be used in conjunction with traditional DNSBLs for maximum effectiveness.
Exim MUST be compiled with the option to enable the embedded Perl engine. See Chapter 12 of the Exim Specification for details. By default, it is commented out in the official source distribution and thus will not be enabled when compiled. Exim's perl_startup runtime option is used to call the embedded Perl engine and define what file contains any Perl routines you want Exim to use. For example:
perl_startup=do '/usr/local/etc/exim.pl'
In addition to scanning the body of a plain text mail message, the Perl subroutine can scan any MIME attachment if Exim is using the exiscan additions (included in Exim 4.60 and higher).
The following two ACLs are working examples of Exim MIME and DATA ACLs that call the Perl subroutine to scan the message for blacklisted domain names in URLs. See Chapter 39 of the Exim Specification for details on Exim ACLs.
MIME ACL - This ACL should go in the MIME ACL section of the Exim configuration.
deny condition = ${if <{$message_size}{100000}{yes}{no}}
     set acl_m0 = ${perl{surblspamcheck}}
     condition = ${if eq{$acl_m0}{false}{no}{yes}}
     message = $acl_m0
DATA ACL - This ACL should go in the DATA ACL section of the Exim configuration.
deny condition = ${if <{$message_size}{100000}{yes}{no}}
     condition = ${if eq{$acl_m0}{}{yes}{no}}
     set acl_m1 = ${perl{surblspamcheck}}
     condition = ${if eq{$acl_m1}{false}{no}{yes}}
     message = $acl_m1
The second condition statement in the DATA ACL above ensures that the DATA ACL is only called if no MIME ACL was called (i.e. there were no MIME parts). This keeps the message from being scanned inefficiently twice by both the MIME and DATA ACLs.
Exim's message_body_visible option determines how much of the body is scanned during the DATA ACL, and the default value won't catch much. I use a value of 5000.
Download and extract the contents of the gzipped TAR file (see below). The archive contains four files:
If this is the only Perl subroutine in the Exim installation then copy the Perl subroutine file to the location specified in the perl_startup Exim configuration setting (mentioned above). If other subroutines are in use then append the contents of the Perl subroutine file to the existing file defined in perl_startup.
Copy the ccTLD.txt file to the same location as the Perl subroutine script.
Copy the surbl_whitelist.txt file to the same location as the Perl subroutine script.
The Perl subroutine script follows the SURBL Implementation Guidelines found at the SURBL website. The script makes use of a file containing Country Code Top Level Domains. Near the top of the script is the following variable definition example:
my $cctld_file = "/usr/local/etc/exim/ccTLD.txt";
This $cctld_file variable MUST be set to the full path of the file containing the list of ccTLDs or the script will not work.
Also as part of the SURBL Implementation Guidelines, the Perl subroutine script makes use of a whitelist file which contains certain known good domains such as yahoo.com which will never be blacklisted. The use of this whitelist file will prevent unnecessary queries.
Near the top of the script is the following variable definition example:
my $whitelist_file = "/usr/local/etc/exim/surbl_whitelist.txt";
This $whitelist_file variable MUST be set to the full path of the file containing the whitelisted domains or the script will not work.
The file of whitelisted domains can contain additional domains that need to be whitelisted locally. The domains should be entered exactly one domain per line. Blank lines and those beginning with # (comments) are ignored. Each entry should be entered exactly as it is found in the SURBL database. Entries are case insensitive. Entries that are IP addresses should be in IN-ADDR format (reversed). Here is an example of some simple whitelist entries:
### BEGIN SAMPLE WHITELIST ENTRIES
# This is a sample SURBL whitelist file
#
test.surbl.org
# The following is an example of an IP address entry for 127.0.0.2
2.0.0.127
### END SAMPLE WHITELIST ENTRIES
Since the Perl subroutine script now has the ability to check both the SURBL and URIBL, the ability has been added to disable these checks. Both are enabled by default. Near the top of the script are two variables:
my $surbl_enable = 1;
my $uribl_enable = 1;
Set either of these variables to 0 to disable the desired list check. While it will not produce an error, it should go without saying that disabling both of these checks would be a waste of resources.
Scanning large MIME attachments can cause excessive load on the mail system. This situation can be exacerbated by the way Exim decodes the MIME attachments prior to scanning.
Near the top of the script is the following variable definition:
my $max_file_size = 50000;
Set this variable to be the maximum size of an attachment that will be scanned. If the attachment is larger than this size, scanning of that attachment will be skipped. By default, this size is 50KB. The variable is specified in bytes.
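Since the script itself is not reproduced on this page, here is an added example (not the author's script) of a minimal surblspamcheck written to the guidelines described above: it loads the two files, reduces each URL host to its listed form (two labels, or three under a ccTLD; IP addresses reversed), skips whitelisted keys, honours the two enable flags and the attachment size limit, and returns "false" or a rejection message as the MIME and DATA ACLs expect. The zone names multi.surbl.org and multi.uribl.com, the 127.0.0.x answer convention, the one-ccTLD-per-line layout of ccTLD.txt and the use of Exim::expand_string are assumptions.

```perl
# Added example (not the author's script): a minimal surblspamcheck built to the
# guidelines above. Assumed: zones multi.surbl.org/multi.uribl.com, "listed" = an
# A record in 127.0.0.0/8, ccTLD.txt holds one ccTLD per line, Exim::expand_string.
use strict; use warnings;
use Socket qw(inet_ntoa);

my $cctld_file     = "/usr/local/etc/exim/ccTLD.txt";            # e.g. a line "co.uk"
my $whitelist_file = "/usr/local/etc/exim/surbl_whitelist.txt";  # domains / reversed IPs
my $max_file_size  = 50000;   # bytes; larger decoded MIME parts are skipped
my ($surbl_enable, $uribl_enable) = (1, 1);

sub load_list {               # hash of the non-blank, non-comment lines, lowercased
    my ($path) = @_; my %set;
    open(my $fh, '<', $path) or return %set;
    while (<$fh>) { chomp; next if /^\s*(#|$)/; $set{lc $_} = 1 }
    close $fh; return %set;
}
my %cctld = load_list($cctld_file); my %white = load_list($whitelist_file);

# Reduce a host to the form the lists carry: two labels, or three when the last two
# form a ccTLD (example.co.uk); a dotted quad is reversed (127.0.0.2 -> 2.0.0.127).
sub lookup_key {
    my $host = lc shift;
    return join('.', reverse split /\./, $host) if $host =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    my @l = split /\./, $host;
    my $keep = @l > 1 && $cctld{ join('.', @l[-2, -1]) } ? 3 : 2;
    return @l < $keep ? undef : join('.', @l[-$keep .. -1]);
}

sub listed_in {               # 127.0.0.x answer if $key ($_[0]) is listed in $zone ($_[1])
    my $packed = gethostbyname("$_[0].$_[1]") or return undef;
    my $ip = inet_ntoa($packed);
    return $ip =~ /^127\.0\.0\.\d+$/ ? $ip : undef;
}

# Called from the MIME and DATA ACLs as ${perl{surblspamcheck}}: returns "false" when
# nothing is listed, otherwise the text the ACL uses as its rejection message.
sub surblspamcheck {
    my $file = Exim::expand_string('$mime_decoded_filename');  # set after a MIME "decode"
    my $text = Exim::expand_string('$message_body') || '';     # DATA ACL: message_body_visible bytes
    if ($file && -f $file) {
        return "false" if -s $file > $max_file_size;           # skip oversized attachments
        open(my $fh, '<', $file) or return "false"; local $/; $text = <$fh>; close $fh;
    }
    my %seen;
    while ($text =~ m{(?:https?://|www\.)([a-z0-9.-]+\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})}gi) {
        my $key = lookup_key($1) or next;
        next if $seen{$key}++ || $white{$key};     # query each key once, never whitelisted ones
        for my $zone (($surbl_enable ? 'multi.surbl.org' : ()), ($uribl_enable ? 'multi.uribl.com' : ())) {
            my $hit = listed_in($key, $zone) or next;
            return "Blacklisted URL in message: $key is listed in $zone ($hit)";
        }
    }
    return "false";
}
```

The DATA ACL path only sees the bytes message_body_visible exposes, so a low setting silently hides URLs further down the body.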
If you find this software useful and you feel it is worth something, please consider donating whatever you feel is appropriate via PayPal.
Last modified: Saturday, 06-Jan-2007 21:37:29 MST