virus.rbl.jp (for use with Sendmail)

Along with spam, another problem that has been plaguing businesses and individuals around the world is computers infected with viruses (mass-mailing worms) that e-mail copies of themselves to any addresses they find stored on the infected machine (e.g. the contents of the address book). Such viruses travel as e-mail attachments, and all it takes is for a recipient to open the attachment for another computer to become infected.

virus.rbl.jp keeps a list of IP addresses of hosts found to be sending virus-infected e-mail; each listing is kept for 2 days. MTAs (Mail Transfer Agents) such as Sendmail do a DNS lookup to see whether the IP address of a machine attempting to connect to them is registered in virus.rbl.jp. If the address is listed, the lookup returns 127.0.0.2 and the MTA refuses the machine's connection. Otherwise the lookup fails with a non-existent hostname (NXDOMAIN) error and the connection is accepted. Once 2 days have passed since an IP address was registered, its corresponding DNS record is removed. Read on for more details on how everything works.

How to use

To use virus.rbl.jp you must set up an MTA, such as Sendmail, to perform a DNS query against virus.rbl.jp for every connecting client.

In your Sendmail .mc file add
FEATURE(`dnsbl', `virus.rbl.jp')dnl
then regenerate sendmail.cf from the .mc file with m4 (or the build target your Sendmail distribution provides), copy the new sendmail.cf to the location your version of Sendmail reads it from, and finally restart Sendmail.

When a machine attempts to connect to your MTA, the MTA does a DNS lookup against virus.rbl.jp; if the IP address is registered in virus.rbl.jp the lookup returns 127.0.0.2 and the MTA rejects the connection.

The process can be illustrated more clearly with an example:

Let's say we have an SMTP server/PC X whose IP address is 1.2.3.4. A volunteer (see Data Updating below for more information on registering IP addresses in virus.rbl.jp) finds X trying to send a virus-infected e-mail to one of their mail servers and registers X's IP address in virus.rbl.jp. The Anti-virus RBL system then creates a DNS entry for 4.3.2.1.virus.rbl.jp (the octets of X's address in reverse order, followed by the zone name); this record exists for no more than 2 days (48 hours).

Now say we have an MTA server Y configured to use virus.rbl.jp. X tries to connect to Y to deliver an e-mail (whether or not it is virus-infected). Before Y lets X talk to its MTA, it does a DNS lookup for X's IP address in the form 4.3.2.1.virus.rbl.jp. If the returned address is 127.0.0.2, Y knows that X's IP address is registered in virus.rbl.jp and rejects the connection. For any other mail server or computer whose IP address is not registered in virus.rbl.jp, there is no matching DNS record for x.x.x.x.virus.rbl.jp (where x.x.x.x is its IP address with the octets reversed), so the DNS query results in a non-existent hostname (NXDOMAIN) error and the MTA knows it can accept the connection.
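The lookup described above, written out as an added example (this is not code from the virus.rbl.jp project or from Sendmail): it reverses the connecting IPv4 address, appends the virus.rbl.jp zone, resolves the name, and rejects only when the documented listing code 127.0.0.2 comes back. The resolver is pluggable so the demonstration runs offline against a constructed answer table; the names `rbl_query_name`, `check_client` and `table_resolver` and the sample addresses are assumptions made for this example. Resolver failures are handled the way the page's flow implies (only 127.0.0.2 rejects, so anything else accepts), which means the check fails open if the zone is unreachable; an answer outside the documented code is also ignored rather than treated as a listing, so a zone that stops publishing data and starts returning wildcard answers cannot block all mail.

```python
"""Client-side model of a virus.rbl.jp lookup as an MTA performs it.
Example code, not the project's own: reverse the IPv4 octets, append the
zone, resolve the A record, reject only on the documented code 127.0.0.2."""
import ipaddress
import socket
from typing import Callable, Dict, Optional, Tuple, Union

ZONE = "virus.rbl.jp"
LISTED = "127.0.0.2"  # the answer the page documents for a listed address

Resolver = Callable[[str], Optional[str]]


def rbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Build the DNSBL name: 1.2.3.4 -> 4.3.2.1.virus.rbl.jp (IPv4 only)."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    if addr.version != 4:
        raise ValueError("virus.rbl.jp is documented for IPv4 addresses only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dns_a_lookup(name: str) -> Optional[str]:
    """Real resolver: first A record, or None when the name does not exist.
    Other failures (timeout, SERVFAIL) propagate so the caller can decide."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as e:
        nxdomain = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)}
        if e.errno in nxdomain:
            return None
        raise


def table_resolver(table: Dict[str, Union[str, Exception]]) -> Resolver:
    """Offline stand-in for DNS: names missing from the table are NXDOMAIN,
    an Exception value simulates a resolver failure."""
    def resolve(name: str) -> Optional[str]:
        value = table.get(name)
        if isinstance(value, Exception):
            raise value
        return value
    return resolve


def check_client(ip: str, resolve: Resolver = dns_a_lookup,
                 zone: str = ZONE) -> Tuple[str, str, str]:
    """Return (decision, query_name, detail) for a connecting client IP.
    decision is 'reject' or 'accept'."""
    name = rbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except OSError as e:
        # Zone unreachable: the page's flow rejects only on 127.0.0.2, so
        # (like Sendmail's default dnsbl behaviour) we fail open and accept.
        return ("accept", name, f"lookup failed ({e}); failing open")
    if answer is None:
        return ("accept", name, "NXDOMAIN: not listed")
    if answer == LISTED:
        return ("reject", name, f"listed at {zone}")
    # Not the documented listing code (e.g. a wildcard answer from a zone
    # that no longer serves DNSBL data): do not treat it as a listing.
    return ("accept", name, f"unexpected answer {answer}; ignored")


if __name__ == "__main__":
    # Constructed answer table standing in for the live zone.
    fake_dns = table_resolver({
        "4.3.2.1.virus.rbl.jp": LISTED,              # X from the text, listed
        "8.8.8.8.virus.rbl.jp": "93.184.216.34",     # bogus wildcard answer
        "1.0.0.127.virus.rbl.jp": OSError("timed out"),
    })
    for client in ("1.2.3.4", "5.6.7.8", "8.8.8.8", "127.0.0.1"):
        decision, qname, detail = check_client(client, resolve=fake_dns)
        print(f"{client:>10} -> {decision:6} ({qname}: {detail})")
```

To query the live zone, call `check_client("1.2.3.4")` with the default resolver; the result then depends on what virus.rbl.jp currently publishes, so the offline table is what the example asserts on.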

You can check whether your own address is registered in virus.rbl.jp here.

Confirming things are working

After some time has elapsed there will be entries in your mail log (/var/log/maillog) for connections that were checked against virus.rbl.jp. Run the following command to see them:
$ grep virus.rbl.jp /var/log/maillog
Warning: If you want to use both short.rbl.jp and virus.rbl.jp, please refer to the all.rbl.jp information here for the appropriate configuration.
