
Rspamd

How to setup rspamd to use Abusix Mail Intelligence

Instructions

Edit the following files (or create them if they don't already exist), replacing <APIKEY> with the API key retrieved from your Dashboard.

/etc/rspamd/local.d/rbl.conf

# Abusix Mail Intelligence DNSBL/DNSWL rules for rspamd's rbl module.
# <APIKEY> is a credential: every lookup below embeds it in the queried DNS
# name, so keep this file readable only by the rspamd user and do not paste it
# into bug reports or logs.
rbls {
    # Last-hop check against the combined blocklist: received = false means
    # only the connecting host is queried, not the Received-header chain.
    abusix_dnsbls_lasthop {
        symbol = "RBL_AMI_LASTHOP";
        rbl = "<APIKEY>.combined.mail.abusix.zone";
        ipv6 = true;
        received = false;
        # unknown = false: return codes not listed under returncodes are
        # presumably ignored instead of being reported under the base symbol,
        # so only the policy codes below contribute for the last hop.
        unknown = false;
        returncodes {
            RBL_AMI_POLICY = [ "127.0.0.11", "127.0.0.12" ];
        }
    }
    # Same zone, but received = true also checks hosts from Received headers;
    # the black/exploit return codes map to their own symbols (scored in groups.conf).
    abusix_dnsbls_anyhop {
        symbol = "RBL_AMI_RCVD";
        rbl = "<APIKEY>.combined.mail.abusix.zone";
        ipv6 = true;
        received = true;
        unknown = false;
        returncodes {
            RBL_AMI_BLACK_RCVD = [ "127.0.0.2", "127.0.0.3" ];
            RBL_AMI_EXPLOIT_RCVD = "127.0.0.4";
        }
    }
    # Welcome list for the connecting host only; is_whitelist = true marks the
    # symbol as a positive signal (it carries a negative score in groups.conf).
    abusix_dnswls_lasthop {
        symbol = "RWL_AMI_LASTHOP";
        rbl = "<APIKEY>.white.mail.abusix.zone";
        is_whitelist = true;
        received = false;
        ipv6 = true;
    }
}


/etc/rspamd/local.d/surbl.conf

# Domain blocklist lookup for URLs found in the message body.
# As in rbl.conf, the zone name carries the API key; restrict file permissions.
rules {
    "URIBL_AMI_BLACK" {
        suffix = "<APIKEY>.dblack.mail.abusix.zone";
        # check_dkim = true: presumably also looks up the signing domain of
        # DKIM signatures, not just domains from body URLs - confirm against
        # the rspamd docs for your version.
        check_dkim = true;
    }
}


/etc/rspamd/local.d/groups.conf

# Scores for the symbols defined in rbl.conf and surbl.conf, collected in one
# group so they can be tuned together. The two symbols registered from
# rspamd.local.lua (RBL_AMI_SHORTURL, RBL_AMI_DISKURL) carry their score in
# the Lua registration and are not listed here.
group "abusix" {
    symbols = {
        "RBL_AMI_BLACK_RCVD" {
            score = 3.0;
            description = "Received from a host in the Abusix Mail Intelligence Black list";
        }
        "RBL_AMI_EXPLOIT_RCVD" {
            score = 3.0;
            description = "Received from a host in the Abusix Mail Intelligence Exploit list";
        }
        "RBL_AMI_POLICY" {
            score = 2.0;
            description = "Delivered by a host in the Abusix Mail Intelligence Policy list";
        }
        "RWL_AMI_LASTHOP" {
            # Negative score: a welcome-list hit lowers the total. Kept small so
            # it softens rather than cancels a blocklist or URIBL hit.
            score = -1.0;
            description = "Delivered by a host in the Abusix Mail Intelligence White list";
        }
        "URIBL_AMI_BLACK" {
            score = 6.5;
            description = "Domain listed in the Abusix Mail Intelligence Black list";
        }
    }
}

The following code can be added to /etc/rspamd/rspamd.local.lua to enable rspamd to query our unique and extremely effective Short URL and Disk URL hash zones.

IMPORTANT: At the top of the code you MUST change <APIKEY> to your actual API key, or, if you use rsync, change the value to the namespace in your local rbldnsd that should be queried.

/etc/rspamd/rspamd.local.lua

local rregexp = require "rspamd_regexp"
local rlogger = require "rspamd_logger"
local rhash = require "rspamd_cryptobox_hash"
local rutil = require "lua_util"

-- IMPORTANT: change <APIKEY> to your actual API key before use!
-- DNS suffixes appended to the hex SHA-1 of a normalized URL (see the
-- callbacks below). The leading and trailing dots are part of the name.
-- The key is a credential and appears in every query this file sends, so
-- keep this file readable only by the rspamd user.
local check_shorturls_dns = '.<APIKEY>.shorthash.mail.abusix.zone.'
local check_diskurls_dns = '.<APIKEY>.diskhash.mail.abusix.zone.'

-- Path shape of a short-URL token: 3-11 alphanumerics that are not purely
-- lower-case, purely upper-case or purely digits (the negative lookahead).
local re_short_path = rregexp.create_cached('/^(?!(?:[a-z]+|[A-Z]+|[0-9]+)$)[a-zA-Z0-9]{3,11}$/')

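--- Callback for RBL_AMI_SHORTURL: hash the short URLs found in the message
-- and look each hash up in the Abusix Short URL hash zone.
-- @param task rspamd task being scanned
-- @return false when no candidate URL was found; otherwise nothing (results
--   are inserted asynchronously from the DNS callback)
local check_shorturls_cb = function (task)
    -- Filter passed to extract_specific_urls: keep URLs whose path looks like
    -- a short-URL token (see re_short_path). A URL without a path can never
    -- match, so reject it before touching the regexp.
    local function find_short_urls (url)
        local path = url:get_path()
        if not path then return false end
        if re_short_path:match(path) then
            return true
        end
        return false
    end

    local shorturls = rutil.extract_specific_urls({
        task = task,
        limit = 5,
        prefix = 'shorturls',
        filter = find_short_urls
    })

    if not shorturls then return false end

    local r = task:get_resolver()

    for _, url in pairs(shorturls) do
        -- Normalize to "host/path" with a lower-cased host; the zone is keyed
        -- by the SHA-1 hex digest of this string, so only the digest plus the
        -- zone suffix (which carries the API key) leaves the host as a query.
        local surl = url:get_host():lower() .. '/' .. (url:get_path() or '')
        local surl_hash = rhash.create_specific('sha1', surl):hex()
        local lookup = surl_hash .. check_shorturls_dns

        -- Resolver callback; the resolver, queried name and error arguments
        -- are not needed. No results presumably means "not listed" (NXDOMAIN)
        -- or a resolver failure - either way nothing is scored.
        local function dns_cb(_, _, results, _)
            if not results then return false end
            -- Check every returned A record rather than only results[1]: the
            -- zone may answer with more than one record and their order is
            -- not guaranteed.
            for _, rec in ipairs(results) do
                if tostring(rec) == '127.0.3.1' then
                    -- A listing hit is expected operational output, not an
                    -- error, so log it at info level.
                    rlogger.infox(task, 'found URL %s (%s) in Short URL blacklist', surl, surl_hash)
                    return task:insert_result('RBL_AMI_SHORTURL', 1.0, surl)
                end
            end
        end
        r:resolve_a({ task = task, name = lookup, callback = dns_cb })
    end
end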

-- Register the short-URL check as a callback symbol in the "abusix" group.
-- The score is given here because this symbol is not listed in groups.conf.
local shorturl_symbol_def = {
    name = "RBL_AMI_SHORTURL",
    score = 3.0,
    description = "Short URL found in Abusix Short URL blacklist",
    group = "abusix",
    type = "callback",
    callback = check_shorturls_cb
}
local check_shorturls = rspamd_config:register_symbol(shorturl_symbol_def)

-- Hosts whose URLs are treated as "disk"/file-sharing links: drive.google.com
-- and yadi.sk exactly, plus any host starting with "disk.yandex." (that
-- alternative has no end anchor, so any suffix after it matches).
local re_disk_urls = rregexp.create_cached('/^(?:drive\\.google\\.com$|yadi\\.sk$|disk\\.yandex\\.)/')

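--- Callback for RBL_AMI_DISKURL: hash the file-sharing ("disk") URLs found
-- in the message and look each hash up in the Abusix Disk URL hash zone.
-- @param task rspamd task being scanned
-- @return false when no candidate URL was found; otherwise nothing (results
--   are inserted asynchronously from the DNS callback)
local check_diskurls_cb = function (task)
    -- Filter passed to extract_specific_urls: keep URLs whose lower-cased
    -- host matches re_disk_urls.
    local function find_disk_urls (url)
        local host = url:get_host():lower()
        if re_disk_urls:match(host) then
            return true
        end
        return false
    end

    local diskurls = rutil.extract_specific_urls({
        task = task,
        limit = 5,
        prefix = 'diskurls',
        filter = find_disk_urls
    })

    if not diskurls then return false end

    local r = task:get_resolver()

    for _, url in pairs(diskurls) do
        -- Normalize to "host/path" with a lower-cased host. Unlike the
        -- short-URL filter, this filter matches on host only, so a URL with no
        -- path can reach this point; default it to '' instead of failing the
        -- concatenation. The zone is keyed by the SHA-1 hex digest.
        local durl = url:get_host():lower() .. '/' .. (url:get_path() or '')
        local durl_hash = rhash.create_specific('sha1', durl):hex()
        local lookup = durl_hash .. check_diskurls_dns

        -- Resolver callback; the resolver, queried name and error arguments
        -- are not needed. No results presumably means "not listed" (NXDOMAIN)
        -- or a resolver failure - either way nothing is scored.
        local function dns_cb(_, _, results, _)
            if not results then return false end
            -- Check every returned A record rather than only results[1]: the
            -- zone may answer with more than one record and their order is
            -- not guaranteed.
            for _, rec in ipairs(results) do
                if tostring(rec) == '127.0.3.2' then
                    -- A listing hit is expected operational output, not an
                    -- error, so log it at info level.
                    rlogger.infox(task, 'found URL %s (%s) in Disk URL blacklist', durl, durl_hash)
                    return task:insert_result('RBL_AMI_DISKURL', 1.0, durl)
                end
            end
        end
        r:resolve_a({ task = task, name = lookup, callback = dns_cb })
    end
end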

-- Register the disk-URL check as a callback symbol in the "abusix" group.
-- The score is given here because this symbol is not listed in groups.conf.
local diskurl_symbol_def = {
    name = "RBL_AMI_DISKURL",
    score = 3.0,
    description = "Disk URL found in Abusix Disk URL blacklist",
    group = "abusix",
    type = "callback",
    callback = check_diskurls_cb
}
local check_diskurls = rspamd_config:register_symbol(diskurl_symbol_def)


For rspamd versions 3.0 we also recommend that you add the following to /etc/rspamd/local.d/options.inc (create it if it doesn't already exist):

monitoring_watch_interval = 3600

This is because rspamd versions earlier than 3.0 had an issue with RBL monitoring that caused excessive queries to be sent.


Once you have created these files, restart rspamd.
