short.rbl.jp (for use with Sendmail)

A recent trend among spammers is to start up their own mail servers connecting to the internet via the likes of ADSL for a short time to send a large amount of spam, disconnecting and then reconnecting. Every time they reconnect they get a different IP address.

This kind of behaviour will not usually be caught by third party relay checks like ORDB (Open-relay Database) because sometimes SMTP connections are filtered from outside and/or because the SMTP server is not running permanently on a fixed IP address.

In place of this you can use bl.spamcop.net to block connections but it takes a few reports of a spammer's activity before the IP address is registered in that RBL. We've found in the past that this hasn't been so useful because by the time an IP address gets registered in the database the spammer has usually reconnected and has a different IP address.

Here at short.rbl.jp, volunteers analyse any spam they get an register it straight away into the RBL. Once registered the IP address will become effective in the RBL no later than 30 mins after registration.

Because the IP addresses registered in short.rbl.jp are automatically deleted after 2 days there should be no problems caused for the next user who is allocated the IP address that the spammer was using.

How to use

You will need an MTA (Mailer Transport Agent) such as Sendmail. For Sendmail, add the following to your sendmail .mc file:
FEATURE(dnsbl,`short.rbl.jp')dnl
and then rebuild sendmail.cf. Once you've rebuilt it copy sendmail.cf into the fixed location and restart Sendmail.

Now once an IP connects to your server, the IP is reversed (eg. 12.34.56.78 becomes 87.65.43.21), prepended to "short.rbl.jp" and a DNS query is perfomed using this hostname. If the IP address is registered in short.rbl.jp then the DNS query will yield a reply of 127.0.0.4 upon which Sendmail will block the connection. Otherwise there will be simply no IP returned from the DNS query and the connection will be allowed to the SMTP server.

Confirming things are working

After a little bit of time has passed (for a registered server to try and connect to your mail server) look at the maillog. Run the following command:
$ grep short.rbl.jp /var/log/maillog
If you get one or more results similar to the following (with different IPs/addresses most probably) then things are working. Of course nothing will be logged uf no connections have been refused.

Nov 16 22:10:54 mail sendmail[55512]: ruleset=check_relay, arg1=pl393.nas934.k-tokyo.nttpc.ne.jp, arg2=127.0.0.4, relay=pl393.nas934.k-tokyo.nttpc.ne.jp [219.102.45.137], reject=550 5.7.1 Rejected: 219.102.45.137 listed at short.rbl.jp

Warning: If you want to use both short.rbl.jp and virus.rbl.jp please refer to all.rbl.jp's information here for the appropriate configuration.


RBL.JP Services Top