url.rbl.jp (for use with SpamAssassin)

url.rbl.jp (for use SpamAssassin)

Most recent spam work by disguising the e-mail address in the From: field by using a false one and thus effectively ignoring any replies sent to that address. Instead they rely on either the reader clicking on a URL or replying to an e-mail address included inside the body of the spam. As a result of this the domain name in the URL or mail address can be detected as belonging to a spammer.

For example, in the spam there might be a line saying something like:

"Please click http://www.pornadultdvds.com/unsubscribe.html"
or
"Please reply to XXXX@pornadultdvds.com. We await your reply."

The culprit domain in this case is pornadultdvds.com. If this domain is registered in url.rbl.jp and your SpamAssassin is configured to use this RBL then any spam with a URL or mail address using this domain will have the corresponding number of SpamAssassin points allocated to it, effectively marking the e-mail as spam.

Not only the body, but also the Subject: field is checked to see if it contains any domains. The From:, Return-Path:, Received: and To: fields are not checked.

In the case of URLs, the actual domain is checked, not the IP address corresponding with that domain. This means that in the case of servers with virtual hosts (which have the same IP), only the domains registered in the RBL will be tagged as spam, thus not affecting legitimit sites.

However, in the case where the URL doesn't use a hostname, just an IP address, then the IP address may be registered.

Because only the domain name is checked, URLs with different sub-domains or e-mail addresses with different user names will still be detected the same each time. For example all the following will be detected as having the domain pornadultdvds.com:

http://www2.pornadultdvds.com/
http://asdf.pornadultdvds.com/
yoko99@pornadultdvds.com
yoko-love@subdom.pornadultdvds.com

This RBL.JP service can only be configured with SpamAssassin, not Sendmail.

Data in this RBL will be automatically deleted 60 days after the day of registration.

How to use

Add the following to your SpamAssassin's local.cf configuration file, or user_prefs for user-specific configuration:

# the following config will only detect URLs which use hostnames urirhssub URLBL_RBLJP url.rbl.jp. A 2
body URLBL_RBLJP eval:check_uridnsbl('URLBL_RBLJP')
describe URLBL_RBLJP Has URI in url.rbl.jp
tflags URLBL_RBLJP net
score URLBL_RBLJP 4.0

# the following config will only detect URLs which use IP addresses uridnsbl URLBL_IP_RBLJP url.rbl.jp. TXT
body URLBL_IP_RBLJP eval:check_uridnsbl('URLBL_IP_RBLJP')
describe URLBL_IP_RBLJP Has IP URL in url.rbl.jp
tflags URLBL_IP_RBLJP net
score URLBL_IP_RBLJP 4.0

uridnsbl_skip_domain livedoor.com reset.jp asahi-net.or.jp hi-ho.ne.jp 2ch.net hatena.ne.jp
uridnsbl_skip_domain mixi.jp yahoo.co.jp

The "score URLBL_RBLJP 4.0" and "score URLBL_IP_RBLJP 4.0" are the number of SpamAssassin points that will be given to the spam if there is any domains found in the e-mail that are registered in url.rbl.jp. The default in SpamAssassin is that if the total number of points is greater than 5.0 then the e-mail is tagged as spam. You may modify this value (4.0) to a higher or lower number if you please.

If you're only using SpamAssassin then even e-mail tagged as spam will be delivered (and left to your mail client's filters to handle). However, if you're also using the likes of procmail then there's a chance that some e-mail might get mistakingly tagged as spam and thrown away before it even is delivered your mail box. You may want to consider changing the SpamAssassin values allocate when a spammer's domain is detected if you use procmail etc.

The "uridnsbl_skip_domain" configuration is a whitelist of domains that will be ignored even if they are found in an e-mail. It is advisable to include your server's domain name in here just in case it is accidentally registered by someone. Like above, you can use this configuration on more than one line.

The majority of the default whitelisted domains registered in SpamAssassin are related to American organizations so it might be a good idea to whitelist some of your own ones like commonly used Japan ISP domains etc.

With SpamAssassin configured to use url.rbl.jp, then a mail from a friend with a line in the body saying something like "Hey, I just got an advertisement from http://www.pornadultdvds.com/. What's up with this?" then it will get allocated the number of predefined SpamAssassin points and thus most probably tagged as spam. In such cases changing the domain to something like "http://www.pornadultdvds.com-PADDING/" will avoid this problem.

The pornadultdvds.com domain used here in this document as an example does not mean we register all adult site domains in our RBL. In the case of adult sites, only domains which have been used in spam advertising them will be registered.

Confirming things are working

If you get messages like the the following in a e-mail tagged as spam things are working:

4.0 URLBL_RBLJP            Has URI in url.rbl.jp
                            [URIs: perome.com]

4.0 URLBL_IP_RBLJP         Has IP URL in url.rbl.jp
                            [URIs: 66.63.160.48]

To see if your domain has accidentally been registered in url.rbl.jp you can check here or use nslookup on your domain by prepending it to url.rbl.jp. For example;

$ nslookup mydomain.com.url.rbl.jp

and if 127.0.0.2 is returned then that means your domain has accidentally been registered in url.rbl.jp. If this is the case please refer here for information about getting it removed.

Testing

There is one URL registered in url.rbl.jp for testing purposes. It is:

we-wish-nobody-register-this-domain.co.jp

Try sending a mail from your mailer to the mail server running SpamAssassin that you've setup to use url.rbl.jp.

Put the following URLs and e-mail address in the body of the test e-mail:

http://we-wish-nobody-register-this-domain.co.jp/
http://www.we-wish-nobody-register-this-domain.co.jp/
http://asdfafdafasd.we-wish-nobody-register-this-domain.co.jp/
hello@subdom.we-wish-nobody-register-this-domain.co.jp

You could also trying sending one URL/e-mail address per e-mail to test individually.

Once the mail has been delivered, if there is a part in the header close to the X-Spam-Status: field that says "URLBL_RBLJP" then things are working.

You can do further testing by adding the we-wish-nobody-register-this-domain.co.jp domain to the uridnsbl_skip_domain configuration. After having restarted spamd and sending the same test e-mail as above then the same "URLBL_RBLJP" message should not be displayed in the header.

RBL.JP Services Top