[6bone] RBLcheckd (was Re: Nothing is sacred...)

Pim van Pelt pim@ipng.nl
Tue, 5 Aug 2003 11:17:37 +0200


Hi,

.. and thanks for the interest. Let me expand a little on the program I
was talking about. It's a client server combination that embodies a
blacklist system for MTAs, written by Sabri Berisha and myself.

First some background: I am not entirely happy with using DNS for
looking up blacklists. Especially users with large amounts (10+) of
DNSBL's will end up taking considerable amounts of resources per email.

The idea is to abstract the blacklisting so that the MTA persistently 
logs in to an RBL check daemon (IANA port registration tcp/3768). For 
each mail it receives, it asks the daemon permission to accept the mail, 
based on four attributes:
  (connecting IPv46, mail-from, rcpt-to, md5-hmac-secret)

The md5-hmac-secret is used for authentication, as we do not want
arbitrary MTAs (i.e., ones we don't know of) to make use of our service.

Sending rcpt-to/mail-from allows the rblcheckd to facilitate user-based 
blacklisting, e.g. if the rcpt-to has specific wishes, it can read which 
RBLs to run for this user.

The daemon responds with one of PASS, BLOCK or ENOACCESS within a set
timelimit. ENOACCESS occurs if the client does not have access to the
server (meaning it did not whisper the correct shared secret). PASS
means that all of the user-defined RBLs say it's okay to pass the mail
and BLOCK means that at least one of them told us to block it. On any
type of error (socket, IO, file, timeout), PASS is returned.

The RBLs can be either plain DNS or CDB file, with possible other
extensions to be implemented without having to touch the MTA.

The MTA
----------
The MTA is then patched to query the rblcheckd for each RCPT-TO it
receives. For Sendmail, we have written a simple milter program. For
Qmail, we have patched DJB's source. For other MTAs, I do not expect the
patching to be very difficult. All you need is two (clientside) C files,
called rbl.h and rbl.c, which are re-entrant and threadsafe (exporting
only what they need to export to the calling program).

An Example
------------
Here's our running setup at AS12859. For convenience, I've also included
a standalone binary (./rbl) which compiles rbl.[ch] together into a
binary. We type:
$ ./rbl -h crow -p 3768 -s mypasswd \
	-f eu-registry@internetdrive.com \
	-t alarm@bit.nl \
	-i 62.150.9.42
It replies:
*** main: crow told us to block this mail

And rblcheckd logs:
Aug  5 11:00:40 crow rblcheck[80515]: info: white: (42.9.150.62.as12859.rbl.cluecentral.net) (eu-registry@internetdrive.com/alarm@bit.nl) 
Aug  5 11:00:40 crow rblcheck[80515]: info: black: (42.9.150.62.sbl.spamhaus.org) (eu-registry@internetdrive.com/alarm@bit.nl) 
Aug  5 11:00:40 crow rblcheck[80515]: listed: black: (42.9.150.62.list.dsbl.org) (eu-registry@internetdrive.com/alarm@bit.nl) 

Looking at these lines, we deduce that there are 'whitelists' and
'blacklists'. If an entry hits a whitelist, it is passed. If it hits a
blacklist, it is blocked. If it hits both, it is passed. 

* Line 1 queries if the IP is a member of AS12859. In that case, it is an
  nl.bit IP so we whitelist it. It is logged as informational.
* Line 2 queries spamhaus.org, which does not know the IP. It is logged
  as informational.
* Line 3 queries list.dsbl.org, which knows the IP. It is logged
  'listed' and results in the above BLOCK statement. As we now have a
  definitive answer, we do not pursue any other blacklists.

Notes
-----------
This software is IPv6 compliant, in that it can do lookups between MTA
and rblcheckd using IPv6 transport, as well as looking up IPv6
addresses:

$ ./rbl -h crow -p 3768 -s mypasswd \
	-f eu-registry@internetdrive.com \
	-t alarm@bit.nl \
	-i 3ffe:8110::1
*** main: crow told us to pass this mail

Checking the log, we now see more lines (sorry for the ugly paste):
Aug  5 11:08:55 crow rblcheck[82259]: info: white: (1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.8.E.F.F.3.as12859.rbl.cluecentral.net) (eu-registry@internetdrive.com/alarm@bit.nl) 
Aug  5 11:08:55 crow rblcheck[82259]: info: black: (1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.8.E.F.F.3.sbl.spamhaus.org) (eu-registry@internetdrive.com/alarm@bit.nl) 
Aug  5 11:08:55 crow rblcheck[82259]: info: black: (1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.8.E.F.F.3.list.dsbl.org) (eu-registry@internetdrive.com/alarm@bit.nl) 
Aug  5 11:08:55 crow rblcheck[82259]: info: black: (1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.8.E.F.F.3.proxies.blackholes.easynet.nl) (eu-registry@internetdrive.com/alarm@bit.nl) 
Aug  5 11:08:55 crow rblcheck[82259]: info: black: (1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.8.E.F.F.3.proxies.relays.monkeys.com) (eu-registry@internetdrive.com/alarm@bit.nl) 
Aug  5 11:08:55 crow rblcheck[82259]: info: black: (1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.8.E.F.F.3.blackholes.easynet.nl) (eu-registry@internetdrive.com/alarm@bit.nl) 
Aug  5 11:08:55 crow rblcheck[82259]: info: black: (1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.8.E.F.F.3.dnsbl.njabl.org) (eu-registry@internetdrive.com/alarm@bit.nl) 
Aug  5 11:08:55 crow rblcheck[82259]: info: black: (1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.8.E.F.F.3.spam.dnsrbl.net) (eu-registry@internetdrive.com/alarm@bit.nl) 
Aug  5 11:08:55 crow rblcheck[82259]: info: black: (1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.8.E.F.F.3.opm.blitzed.org) (eu-registry@internetdrive.com/alarm@bit.nl) 
Aug  5 11:08:55 crow rblcheck[82259]: info: black: (1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.8.E.F.F.3.relays.ordb.org) (eu-registry@internetdrive.com/alarm@bit.nl) 

All available blacklists for alarm@bit.nl are checked and none matches.
This is of course due to no DNSBL operator having IPv6 addresses in
their servers (except for rbl.cluecentral.net, operated by Sabri Berisha
at BIT).
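The query-name construction and the decision logic described above (whitelist hit passes, blacklist hit blocks, both passes, any error passes, stop at the first definitive answer), as an added Python example that is not the rblcheckd or rbl.[ch] code itself. The per-recipient list table, the lookup callback and the plain-string secret comparison are assumptions; query names are emitted in lowercase, whereas the log above prints the IPv6 nibbles in uppercase.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed per-recipient list configuration (assumed format, not the
# project's own): ordered (zone, kind) pairs, kind is "white" or "black".
USER_LISTS: Dict[str, List[Tuple[str, str]]] = {
    "alarm@bit.nl": [
        ("as12859.rbl.cluecentral.net", "white"),
        ("sbl.spamhaus.org", "black"),
        ("list.dsbl.org", "black"),
    ],
}


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed dotted octets for IPv4
    (62.150.9.42 -> 42.9.150.62.zone), reversed dotted nibbles of the
    full 32-digit form for IPv6 (3ffe:8110::1 -> 1.0....3.zone)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def rblcheck(ip: str, mail_from: str, rcpt_to: str, secret: str,
             expected_secret: str, lookup: Callable[[str], bool]) -> str:
    """Return ENOACCESS, PASS or BLOCK with the daemon's semantics.
    `lookup(name)` answers True if the name is listed; any exception it
    raises counts as a lookup error, which yields PASS (fail-open, as the
    post states). Whitelists are consulted before blacklists so that an
    address on both is passed, and the first hit is definitive."""
    if secret != expected_secret:  # assumed check; real code would use HMAC
        return "ENOACCESS"
    lists = USER_LISTS.get(rcpt_to, [])
    ordered = [l for l in lists if l[1] == "white"] + \
              [l for l in lists if l[1] == "black"]
    try:
        for zone, kind in ordered:
            if lookup(dnsbl_name(ip, zone)):
                return "PASS" if kind == "white" else "BLOCK"
    except Exception:
        return "PASS"
    return "PASS"  # no list matched


def listed_in(names: set) -> Callable[[str], bool]:
    """Offline stand-in for a DNS or CDB lookup over a constructed set."""
    return lambda name: name in names
```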

Does this spark some interest? The program is a bit rough around the
edges, and we're just about ready to open it up to the public (it's been
running production at AS12859 under qmail and sendmail for a couple of
months now, doing 100K SMTP transactions per day). I could be easily
convinced to persuade the co-author to put it up on sourceforge.

groet,
Pim
-- 
---------- - -    - - -+- - -    - - ----------
Pim van Pelt                 Email: pim@ipng.nl
http://www.ipng.nl/             IPv6 Deployment
-----------------------------------------------