
Rspamd Configuration

Configure rspamd to query Abusix Mail Intelligence

Configuring rspamd with Abusix Mail Intelligence is simple!

Summary

rspamd is a spam filter that can query domain- or IP-address-based blacklists and whitelists.

Instructions

To add or configure Abusix Mail Intelligence, follow the steps below.

Edit

You need to edit the following files (or create them if they don't already exist) replacing <APIKEY> with your key retrieved from The Abusix Intelligence Dashboard.

/etc/rspamd/local.d/rbl.conf

# Abusix Mail Intelligence IP lists for the rspamd RBL module.
# NOTE(review): <APIKEY> becomes the leftmost label of every DNS query name below,
# so the key is visible to whichever resolver handles these lookups and to anyone
# who can read this file. Restrict read access to this file and use a resolver you
# trust -- confirm against your deployment.
rbls {
    # Combined zone; this rule does not check Received headers (received = false).
    abusix_dnsbls_lasthop {
        symbol = "RBL_AMI_LASTHOP";
        rbl = "<APIKEY>.combined.mail.abusix.zone";
        ipv6 = true;
        received = false;
        # Per the rspamd RBL module docs, unknown = false means only return codes
        # mapped in returncodes yield a symbol; here only 127.0.0.11 / 127.0.0.12.
        unknown = false;
        returncodes {
            RBL_AMI_POLICY = [ "127.0.0.11", "127.0.0.12" ];
        }
    }
    # Same combined zone, checked against the IPs found in Received headers.
    abusix_dnsbls_anyhop {
        symbol = "RBL_AMI_RCVD";
        rbl = "<APIKEY>.combined.mail.abusix.zone";
        ipv6 = true;
        received = true;
        unknown = false;
        returncodes {
            RBL_AMI_BLACK_RCVD = [ "127.0.0.2", "127.0.0.3" ];
            RBL_AMI_EXPLOIT_RCVD = "127.0.0.4";
        }
    }
    # White-list zone. groups.conf gives RWL_AMI_LASTHOP a negative score, so a
    # hit here lowers the spam score.
    abusix_dnswls_lasthop {
        symbol = "RWL_AMI_LASTHOP";
        rbl = "<APIKEY>.white.mail.abusix.zone";
        is_whitelist = true;
        received = false;
        ipv6 = true;
    }
}


/etc/rspamd/local.d/surbl.conf

# Domain blacklist lookup against the Abusix "dblack" zone.
# <APIKEY> is part of the query name here too, so it needs the same handling as in
# rbl.conf.
rules {
    "URIBL_AMI_BLACK" {
        suffix = "<APIKEY>.dblack.mail.abusix.zone";
        # NOTE(review): presumably also looks up DKIM signing domains -- confirm
        # that your rspamd version still honours this option name.
        check_dkim = true;
    }
}


/etc/rspamd/local.d/groups.conf

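# Scores and descriptions for the symbols produced by rbl.conf and surbl.conf.
# Only the return-code symbols and the white-list symbol are scored here; the base
# symbols RBL_AMI_LASTHOP and RBL_AMI_RCVD have no entry in this group.
group "abusix" {
    symbols = {
        "RBL_AMI_BLACK_RCVD" {
            score = 3.0;
            description = "Received from a host in the Abusix Mail Intelligence Black list";
        }
        "RBL_AMI_EXPLOIT_RCVD" {
            score = 3.0;
            # Spelling fixed ("Expliot" -> "Exploit"); the description is shown to
            # operators wherever the symbol is reported.
            description = "Received from a host in the Abusix Mail Intelligence Exploit list";
        }
        "RBL_AMI_POLICY" {
            score = 2.0;
            description = "Delivered by a host in the Abusix Mail Intelligence Policy list";
        }
        # Negative score: a white-list hit reduces the total.
        "RWL_AMI_LASTHOP" {
            score = -1.0;
            description = "Delivered by a host in the Abusix Mail Intelligence White list";
        }
        # Highest weight in the group; review it against your reject threshold.
        "URIBL_AMI_BLACK" {
            score = 6.5;
            description = "Domain listed in the Abusix Mail Intelligence Black list";
        }
    }
}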


The following code can be added to /etc/rspamd/rspamd.local.lua to enable rspamd to query our unique and extremely effective Short URL and Disk URL hash zones.

IMPORTANT: At the top of the code you MUST change <APIKEY> to your actual API key or, if you use rsync, to the namespace in your local rbldnsd that should be queried.

/etc/rspamd/rspamd.local.lua

local rregexp = require "rspamd_regexp"
local rlogger = require "rspamd_logger"
local rhash = require "rspamd_cryptobox_hash"
local rutil = require "lua_util"

-- IMPORTANT: change <APIKEY> to your actual API key before use!
-- These suffixes are appended to a hex SHA-1 digest to form the DNS name that is
-- queried. The key is therefore part of every query name: the URL itself is
-- only exposed as a hash, but the key label is visible to the resolver that
-- handles the lookup. Keep this file readable only by the accounts that need it.
local check_shorturls_dns = '.<APIKEY>.shorthash.mail.abusix.zone.'
local check_diskurls_dns = '.<APIKEY>.diskhash.mail.abusix.zone.'

-- Matches a whole string of 3-11 ASCII alphanumerics that is NOT made up solely of
-- lowercase letters, solely of uppercase letters, or solely of digits.
-- It is applied to url:get_path() in check_shorturls_cb.
local re_short_path = rregexp.create_cached('/^(?!(?:[a-z]+|[A-Z]+|[0-9]+)$)[a-zA-Z0-9]{3,11}$/')

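-- Symbol callback: look up short-looking URLs in the Abusix short-URL hash zone.
-- Up to five URLs whose path matches re_short_path are selected. For each one,
-- "<lowercased host>/<path>" is hashed with SHA-1 and "<hex digest><zone suffix>"
-- is resolved as an A record; a first answer of 127.0.3.1 inserts
-- RBL_AMI_SHORTURL with the normalised URL as its option.
-- @param task the rspamd task being scanned
-- @return false when no candidate URLs were found; otherwise nothing (results
--         are inserted from the asynchronous DNS callbacks)
local check_shorturls_cb = function (task)
    -- Filter for extract_specific_urls: keep URLs whose path looks like a
    -- shortener token.
    local function find_short_urls(url)
        local path = url:get_path()
        -- A URL without a path cannot be a short link; never hand nil to the regexp.
        if path and re_short_path:match(path) then
            return true
        end
        return false
    end

    local shorturls = rutil.extract_specific_urls({
        task = task,
        -- Hard cap on candidates: bounds the DNS queries one message can trigger.
        limit = 5,
        prefix = 'shorturls',
        filter = find_short_urls,
    })

    if not shorturls then return false end

    local resolver = task:get_resolver()

    for _, url in pairs(shorturls) do
        local path = url:get_path()
        if path then
            -- Normalize. SHA-1 is only the zone's lookup key here, not a security
            -- control; the normalisation and the digest must stay as they are so
            -- that lookups keep matching the zone's entries.
            local surl = url:get_host():lower() .. '/' .. path
            local surl_hash = rhash.create_specific('sha1', surl):hex()
            local lookup = surl_hash .. check_shorturls_dns

            local function dns_cb(_, _, results)
                -- No answer means "not listed" or "lookup failed"; both leave the
                -- message unflagged, so a resolver outage disables this check
                -- without any error being raised.
                if not results then return false end
                if tostring(results[1]) == '127.0.3.1' then
                    -- A listing hit is a detection, not a fault: log it at info
                    -- level and pass the task so the line carries the task tag.
                    rlogger.infox(task, 'found URL %s (%s) in Short URL blacklist', surl, surl_hash)
                    return task:insert_result('RBL_AMI_SHORTURL', 1.0, surl)
                end
            end

            -- NOTE(review): forced = true is documented as overriding the normal
            -- per-task DNS request limit -- confirm for your rspamd version.
            resolver:resolve_a({ task = task, name = lookup, callback = dns_cb, forced = true })
        end
    end
end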

-- Register the short-URL lookup as a callback symbol in the "abusix" group.
-- The 3.0 score is set here; groups.conf has no entry for this symbol.
local check_shorturls = rspamd_config:register_symbol{
    type = "callback",
    group = "abusix",
    name = "RBL_AMI_SHORTURL",
    description = "Short URL found in Abusix Short URL blacklist",
    score = 3.0,
    callback = check_shorturls_cb,
}

-- Hosts treated as file-sharing ("disk") services: exactly drive.google.com,
-- exactly yadi.sk, or any host that begins with "disk.yandex.".
-- The callback lowercases the host before matching. The last alternative is a
-- prefix match, so an unrelated domain that merely starts with "disk.yandex."
-- is also selected; the only effect is one extra hash lookup.
local re_disk_urls = rregexp.create_cached('/^(?:drive\\.google\\.com$|yadi\\.sk$|disk\\.yandex\\.)/')

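-- Symbol callback: look up file-sharing URLs in the Abusix disk-URL hash zone.
-- Up to five URLs whose host matches re_disk_urls are selected. For each one,
-- "<lowercased host>/<path>" is hashed with SHA-1 and "<hex digest><zone suffix>"
-- is resolved as an A record; a first answer of 127.0.3.2 inserts
-- RBL_AMI_DISKURL with the normalised URL as its option.
-- @param task the rspamd task being scanned
-- @return false when no candidate URLs were found; otherwise nothing (results
--         are inserted from the asynchronous DNS callbacks)
local check_diskurls_cb = function (task)
    -- Filter for extract_specific_urls: keep URLs on a disk-service host that
    -- also carry a path.
    local function find_disk_urls(url)
        local host = url:get_host():lower()
        -- Pathless URLs are rejected here so they do not use up the limit of
        -- five and never reach the string concatenation below.
        if re_disk_urls:match(host) and url:get_path() then
            return true
        end
        return false
    end

    local diskurls = rutil.extract_specific_urls({
        task = task,
        -- Hard cap on candidates: bounds the DNS queries one message can trigger.
        limit = 5,
        prefix = 'diskurls',
        filter = find_disk_urls,
    })

    if not diskurls then return false end

    local resolver = task:get_resolver()

    for _, url in pairs(diskurls) do
        local path = url:get_path()
        -- get_path() yields nil for a bare host such as "https://drive.google.com".
        -- Concatenating nil raises a Lua error that would abort the checks for
        -- every remaining URL, so such entries are skipped.
        if path then
            -- Normalize. SHA-1 is only the zone's lookup key here, not a security
            -- control; the normalisation and the digest must stay as they are so
            -- that lookups keep matching the zone's entries.
            local durl = url:get_host():lower() .. '/' .. path
            local durl_hash = rhash.create_specific('sha1', durl):hex()
            local lookup = durl_hash .. check_diskurls_dns

            local function dns_cb(_, _, results)
                -- No answer means "not listed" or "lookup failed"; both leave the
                -- message unflagged, so a resolver outage disables this check
                -- without any error being raised.
                if not results then return false end
                if tostring(results[1]) == '127.0.3.2' then
                    -- A listing hit is a detection, not a fault: log it at info
                    -- level and pass the task so the line carries the task tag.
                    rlogger.infox(task, 'found URL %s (%s) in Disk URL blacklist', durl, durl_hash)
                    return task:insert_result('RBL_AMI_DISKURL', 1.0, durl)
                end
            end

            -- NOTE(review): forced = true is documented as overriding the normal
            -- per-task DNS request limit -- confirm for your rspamd version.
            resolver:resolve_a({ task = task, name = lookup, callback = dns_cb, forced = true })
        end
    end
end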

-- Register the disk-URL lookup as a callback symbol in the "abusix" group.
-- The 3.0 score is set here; groups.conf has no entry for this symbol.
local check_diskurls = rspamd_config:register_symbol{
    type = "callback",
    group = "abusix",
    name = "RBL_AMI_DISKURL",
    description = "Disk URL found in Abusix Disk URL blacklist",
    score = 3.0,
    callback = check_diskurls_cb,
}


Once you have created these files, restart rspamd via:

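# Validate the edited configuration first; restart only if it parses, so a typo
# in one of the files above does not leave mail unfiltered.
rspamadm configtest && systemctl restart rspamd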

