
Setting up different systems

Find out which systems can be combined with AMI.


Exim

To add Abusix Mail Intelligence to Exim, open exim.conf and find the "acl_check_rcpt:" section and add:

deny message = $dnslist_text
dnslists = APIKEY.combined.mail.abusix.zone

Then restart Exim.

 

Microsoft Exchange

To use Abusix Mail Intelligence with Microsoft Exchange, run the following command, as described in the Microsoft Support documentation:

Add-IPBlockListProvider -Name "Abusix" -LookupDomain APIKEY.combined.mail.abusix.zone -RejectionResponse "Source IP address is listed by Abusix Mail Intelligence" -AnyMatch $true
 

Qmail

Edit your /var/qmail/supervise/qmail-smtpd/run file, adding "-r" or "-a" to the configuration file, so that rblsmtpd runs prior to Qmail.

Create a run file using the following sample code and replacing APIKEY with your key retrieved from the Dashboard:

#!/bin/sh
# Run rblsmtpd ahead of qmail-smtpd so that listed clients are rejected first
exec /usr/local/bin/softlimit -m 30000000 \
    /usr/local/bin/tcpserver -v -H -R -l 0 -x /etc/tcp.smtp.cdb -c MAX-SMTP-CONNS -u QMAIL-USER -g QMAIL-GROUP 0 smtp \
        /usr/local/bin/rblsmtpd -t 5 \
            -b -r APIKEY.combined.mail.abusix.zone \
        /var/qmail/bin/qmail-smtpd 2>&1
 

Postfix

There are various ways to configure Postfix and this is our preferred method.

Edit /etc/postfix/main.cf

Add the following in the "smtpd_recipient_restrictions" parameter. It should be placed after "reject_unauth_destination".

For example:

smtpd_recipient_restrictions =
    ...
    reject_unauth_destination
    # Check rDNS in domain blacklist (optional)
    reject_rhsbl_client APIKEY.dblack.mail.abusix.zone
    # Check HELO/EHLO in domain blacklist (optional)
    reject_rhsbl_helo APIKEY.dblack.mail.abusix.zone
    # Check FROM domain in blacklist (optional)
    reject_rhsbl_sender APIKEY.dblack.mail.abusix.zone
    # Check connecting IP in whitelist (optional)
    # permit_dnswl_client entries should be placed before any reject directives
    # that you want whitelisted clients to skip, and always before any
    # reject_rbl_client entries, so that an IP listed on the whitelist is not rejected.
    permit_dnswl_client APIKEY.white.mail.abusix.zone
    # Reject any IP listed in the blacklist
    reject_rbl_client APIKEY.combined.mail.abusix.zone

rbl_reply_maps = texthash:/etc/postfix/rbl_reply_map

Where APIKEY is replaced with the key from your Dashboard.

Next, to prevent your APIKEY from being leaked, create /etc/postfix/rbl_reply_map with the following:

APIKEY.combined.mail.abusix.zone        $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using Abusix Mail Intelligence${rbl_reason?; $rbl_reason}
APIKEY.dblack.mail.abusix.zone        $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using Abusix Mail Intelligence${rbl_reason?; $rbl_reason}

If you are using Postscreen, you can omit the "reject_rbl_client" entry and instead add:

postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply_map
postscreen_dnsbl_sites = APIKEY.combined.mail.abusix.zone

Then to prevent your APIKEY from leaking, create /etc/postfix/postscreen_dnsbl_reply_map which should contain the following:

APIKEY.combined.mail.abusix.zone                mail.abusix.zone

Then reload Postfix to activate this configuration.
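To confirm that the reply maps above are in effect, the reject lines in the mail log can be scanned for a keyed zone name. The following Python check is an added example, not part of the Abusix documentation; the function name, the sample key "examplekey" and the log lines are constructed for illustration.

```python
import re

# Zones used on this page; a label directly in front of one is the account key.
KEYED_ZONE = re.compile(
    r"([A-Za-z0-9-]+)\.((?:combined|dblack|white)\.mail\.abusix\.zone)",
    re.IGNORECASE,
)

def find_key_leaks(lines):
    """Return (line_number, masked_name) for each reply text exposing a key."""
    leaks = []
    for number, line in enumerate(lines, start=1):
        for match in KEYED_ZONE.finditer(line):
            key, zone = match.group(1), match.group(2).lower()
            # Mask the key so the report does not leak it a second time.
            masked = key[:2] + "*" * max(len(key) - 2, 0)
            leaks.append((number, f"{masked}.{zone}"))
    return leaks

# Constructed log lines; "examplekey" stands in for a real key.
PREFIX = "postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: "
SAMPLE_LOG = [
    # Postfix default reply template: $rbl_domain puts the keyed zone in the reply.
    PREFIX + "554 5.7.1 Service unavailable; Client host [192.0.2.10] "
             "blocked using examplekey.combined.mail.abusix.zone",
    # With the rbl_reply_map entry from this page.
    PREFIX + "554 5.7.1 Service unavailable; Client host [192.0.2.10] "
             "blocked using Abusix Mail Intelligence",
    # Postscreen with the postscreen_dnsbl_reply_map entry from this page.
    "postfix/postscreen[2301]: NOQUEUE: reject: RCPT from [192.0.2.12]:40112: "
    "550 5.7.1 Service unavailable; client [192.0.2.12] "
    "blocked using mail.abusix.zone",
    # A reject_rhsbl_sender hit with no reply-map entry for the zone.
    PREFIX + "554 5.7.1 Service unavailable; Sender address [c@example.com] "
             "blocked using examplekey.dblack.mail.abusix.zone",
]

if __name__ == "__main__":
    for number, name in find_key_leaks(SAMPLE_LOG):
        print(f"line {number}: reply exposes {name}")
```

Any line it reports means a rejection sent to a remote host still contains the key, so the corresponding zone is missing from the reply map or the map is not being loaded.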

 
 

Sendmail

To add Abusix Mail Intelligence to your Sendmail configuration edit your sendmail.mc file (usually found in /etc/mail) and add the following:

FEATURE(`dnsbl',`APIKEY.combined.mail.abusix.zone',`"554 Rejected " $&{client_addr} " is listed by Abusix Mail Intelligence see http://abusix.ai/search?q="$&{client_addr}')dnl

Replace APIKEY with your key retrieved from the Dashboard.

Compile sendmail.mc by running “make” in the same directory and then restart the sendmail daemon.

 
 

SpamAssassin

Edit local.cf (usually found in /etc/mail/spamassassin) as follows, replacing <APIKEY> with your key retrieved from the Dashboard.

ifplugin Mail::SpamAssassin::Plugin::DNSEval
    header    __RCVD_IN_AMI       eval:check_rbl('ami', '<APIKEY>.combined.mail.abusix.zone.')
    describe  __RCVD_IN_AMI       Received via a relay in Abusix Mail Intelligence
    tflags    __RCVD_IN_AMI       net

    header    RCVD_IN_AMI_BLACK   eval:check_rbl_sub('ami', '^127\.0\.0\.[23]$')
    describe  RCVD_IN_AMI_BLACK   Received via a relay in Abusix Mail Intelligence Black
    score     RCVD_IN_AMI_BLACK   3.0
    tflags    RCVD_IN_AMI_BLACK   net

    header    RCVD_IN_AMI_EXPLOIT eval:check_rbl_sub('ami', '127.0.0.4')
    describe  RCVD_IN_AMI_EXPLOIT Received via a relay in Abusix Mail Intelligence Exploit
    score     RCVD_IN_AMI_EXPLOIT 3.0
    tflags    RCVD_IN_AMI_EXPLOIT net

    header    RCVD_IN_AMI_DYN     eval:check_rbl('ami-lastexternal', '<APIKEY>.combined.mail.abusix.zone.', '^127\.0\.0\.1[12]$')
    describe  RCVD_IN_AMI_DYN     Received via a relay in Abusix Mail Intelligence Dynamic
    score     RCVD_IN_AMI_DYN     3.0
    tflags    RCVD_IN_AMI_DYN     net

    header    RCVD_IN_AMI_WHITE   eval:check_rbl('ami-firsttrusted', '<APIKEY>.combined.mail.abusix.zone.', '127.0.2.1')
    describe  RCVD_IN_AMI_WHITE   Received via a relay in Abusix Mail Intelligence White
    score     RCVD_IN_AMI_WHITE   -0.1
    tflags    RCVD_IN_AMI_WHITE   nice net
endif

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
    urirhsbl  URIBL_AMI_DBLACK    <APIKEY>.dblack.mail.abusix.zone. A
    body      URIBL_AMI_DBLACK    eval:check_uridnsbl('URIBL_AMI_DBLACK')
    describe  URIBL_AMI_DBLACK    Contains a spam URL listed in the Abusix Mail Intelligence domain blocklist
    score     URIBL_AMI_DBLACK    3.0
    tflags    URIBL_AMI_DBLACK    net

    urirhssub URIBL_AMI_WHITE     <APIKEY>.white.mail.abusix.zone. A 127.0.2.1
    body      URIBL_AMI_WHITE     eval:check_uridnsbl('URIBL_AMI_WHITE')
    describe  URIBL_AMI_WHITE     Contains a domain listed in the Abusix Mail Intelligence domain whitelist
    score     URIBL_AMI_WHITE     -0.1
    tflags    URIBL_AMI_WHITE     nice net
endif

Then restart SpamAssassin.
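The lookups these rules perform can be reproduced by hand when testing a key or an address. The following Python sketch is an added example, not part of the Abusix documentation: it builds the DNSBL query name for an IPv4 or IPv6 address (the reversed-address convention of RFC 5782, assumed to apply to this zone) and maps the answers to the rule names from local.cf above. The function names are hypothetical, and the sketch ignores which relay in the Received chain an address came from.

```python
import ipaddress
import re
import socket

# Answer-to-rule mapping copied from the local.cf rules above.
RULES = [
    (re.compile(r"^127\.0\.0\.[23]$"), "RCVD_IN_AMI_BLACK"),
    (re.compile(r"^127\.0\.0\.4$"), "RCVD_IN_AMI_EXPLOIT"),
    (re.compile(r"^127\.0\.0\.1[12]$"), "RCVD_IN_AMI_DYN"),
    (re.compile(r"^127\.0\.2\.1$"), "RCVD_IN_AMI_WHITE"),
]

def query_name(ip, apikey, zone="combined.mail.abusix.zone"):
    """Build the query name: reversed address labels, then key, then zone."""
    addr = ipaddress.ip_address(ip)
    # reverse_pointer is "1.2.0.192.in-addr.arpa" or "<nibbles>.ip6.arpa";
    # drop the two-label arpa suffix and keep the reversed labels.
    labels = addr.reverse_pointer.rsplit(".", 2)[0]
    return f"{labels}.{apikey}.{zone}."

def classify(answers):
    """Return the rule names whose return-code pattern matches any answer."""
    return [name for pattern, name in RULES
            if any(pattern.match(answer) for answer in answers)]

def lookup(ip, apikey):
    """Resolve the query name over DNS and classify the A records."""
    try:
        _, _, answers = socket.gethostbyname_ex(query_name(ip, apikey))
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []   # NXDOMAIN: the address is not listed
        raise           # timeout or SERVFAIL: do not report it as "clean"
    return classify(answers)

if __name__ == "__main__":
    # 192.0.2.1 is a documentation address; APIKEY is the page's placeholder.
    print(query_name("192.0.2.1", "APIKEY"))
    print(classify(["127.0.0.2", "127.0.0.11"]))
```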

 
 

Rspamd

You need to edit the following files (or create them if they don't already exist) replacing <APIKEY> with your key retrieved from the Dashboard.

/etc/rspamd/local.d/rbl.conf

rbls {
    abusix_dnsbls_lasthop {
        symbol = "RBL_AMI_LASTHOP";
        rbl = "<APIKEY>.combined.mail.abusix.zone";
        ipv6 = true;
        from = true;
        received = false;
        unknown = false;
        returncodes {
            RBL_AMI_POLICY = [ "127.0.0.11", "127.0.0.12" ];
        }
    }
    abusix_dnsbls_anyhop {
        symbol = "RBL_AMI_RCVD";
        rbl = "<APIKEY>.combined.mail.abusix.zone";
        ipv6 = true;
        from = true;
        received = true;
        unknown = false;
        returncodes {
            RBL_AMI_BLACK_RCVD = [ "127.0.0.2", "127.0.0.3" ];
            RBL_AMI_EXPLOIT_RCVD = "127.0.0.4";
        }
    }
    abusix_dnswls_lasthop {
        symbol = "RWL_AMI_LASTHOP";
        rbl = "<APIKEY>.white.mail.abusix.zone";
        is_whitelist = true;
        received = false;
        ipv6 = true;
        from = true;
    }
}

/etc/rspamd/local.d/surbl.conf

rules {
    "URIBL_AMI_BLACK" {
        suffix = "<APIKEY>.dblack.mail.abusix.zone";
        check_dkim = true;
    }
}

/etc/rspamd/local.d/groups.conf

group "abusix" {
    symbols = {
        "RBL_AMI_BLACK_RCVD" {
            score = 3.0;
            description = "Received from a host in the Abusix Mail Intelligence Black list";
        }
        "RBL_AMI_EXPLOIT_RCVD" {
            score = 3.0;
            description = "Received from a host in the Abusix Mail Intelligence Exploit list";
        }
        "RBL_AMI_POLICY" {
            score = 2.0;
            description = "Delivered by a host in the Abusix Mail Intelligence Policy list";
        }
        "RWL_AMI_LASTHOP" {
            score = -1.0;
            description = "Delivered by a host in the Abusix Mail Intelligence White list";
        }
        "URIBL_AMI_BLACK" {
            score = 6.5;
            description = "Domain listed in the Abusix Mail Intelligence Black list";
        }
    }
}

The following code can be added to /etc/rspamd/rspamd.local.lua to enable rspamd to query our unique and extremely effective Short URL and Disk URL hash zones.

IMPORTANT: At the top of the code you MUST change <APIKEY> to reflect your actual API key or if you use rsync, change the value to reflect the namespace in your local rbldnsd that should be queried.

 

/etc/rspamd/rspamd.local.lua

local rregexp = require "rspamd_regexp"
local rlogger = require "rspamd_logger"
local rhash = require "rspamd_cryptobox_hash"
local rutil = require "lua_util"

-- IMPORTANT: change <APIKEY> to your actual API key before use!
local check_shorturls_dns = '.<APIKEY>.shorthash.mail.abusix.zone.'
local check_diskurls_dns = '.<APIKEY>.diskhash.mail.abusix.zone.'

local re_short_path = rregexp.create_cached('/^(?!(?:[a-z]+|[A-Z]+|[0-9]+)$)[a-zA-Z0-9]{3,11}$/')

local check_shorturls_cb = function (task)
    local function find_short_urls (url)
        local path = url:get_path();
        if (re_short_path:match(path)) then
            return true
        end
    end
    local shorturls = rutil.extract_specific_urls({
        task = task,
        limit = 5,
        prefix = 'shorturls',
        filter = find_short_urls
    });

    if (not shorturls) then return false end

    local r = task:get_resolver()

    for _, url in pairs(shorturls) do
        -- Normalize
        local surl = url:get_host():lower() .. '/' .. url:get_path()
        local surl_hash = rhash.create_specific('sha1', surl):hex()
        local lookup = surl_hash .. check_shorturls_dns
        local function dns_cb(_,_,results,err)
            if (not results) then return false end
            if (tostring(results[1]) == '127.0.3.1') then
                rlogger.errx('found URL %s (%s) in Short URL blacklist', surl, surl_hash)
                return task:insert_result('RBL_AMI_SHORTURL', 1.0, surl);
            end
        end
        r:resolve_a({ task = task, name = lookup , callback = dns_cb })
    end
end

local check_shorturls = rspamd_config:register_symbol({
    name = "RBL_AMI_SHORTURL",
    score = 3.0,
    description = "Short URL found in Abusix Short URL blacklist",
    group = "abusix",
    type = "callback",
    callback = check_shorturls_cb
});

local re_disk_urls = rregexp.create_cached('/^(?:drive\\.google\\.com$|yadi\\.sk$|disk\\.yandex\\.)/')

local check_diskurls_cb = function (task)
    local function find_disk_urls (url)
        local host = url:get_host():lower();
        if (re_disk_urls:match(host)) then
            return true
        end
    end
    local diskurls = rutil.extract_specific_urls({
        task = task,
        limit = 5,
        prefix = 'diskurls',
        filter = find_disk_urls
    });

    if (not diskurls) then return false end

    local r = task:get_resolver()

    for _, url in pairs(diskurls) do
        -- Normalize
        local durl = url:get_host():lower() .. '/' .. url:get_path()
        local durl_hash = rhash.create_specific('sha1', durl):hex()
        local lookup = durl_hash .. check_diskurls_dns
        local function dns_cb(_,_,results,err)
            if (not results) then return false end
            if (tostring(results[1]) == '127.0.3.2') then
                rlogger.errx('found URL %s (%s) in Disk URL blacklist', durl, durl_hash)
                return task:insert_result('RBL_AMI_DISKURL', 1.0, durl);
            end
        end
        r:resolve_a({ task = task, name = lookup , callback = dns_cb })
    end
end

local check_diskurls = rspamd_config:register_symbol({
    name = "RBL_AMI_DISKURL",
    score = 3.0,
    description = "Disk URL found in Abusix Disk URL blacklist",
    group = "abusix",
    type = "callback",
    callback = check_diskurls_cb
});

For rspamd versions earlier than 3.0, we also recommend that you add the following to /etc/rspamd/local.d/options.inc (create it if it doesn't already exist):

monitoring_watch_interval = 3600

This is because rspamd versions earlier than 3.0 had an issue with the RBL monitoring that caused excessive queries to be sent.

 

Once you have created these files, restart rspamd.
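To see which names the rspamd.local.lua rules above will query for a given URL, the same normalisation can be reproduced offline. The following Python sketch is an added example, not Abusix or rspamd code: it applies the two regular expressions from the Lua file, hashes "host/path" with SHA-1 and appends the zone suffix. The function name is hypothetical, and it assumes rspamd's get_path() returns the path without its leading slash, as the concatenation in the Lua implies.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Patterns copied from rspamd.local.lua above.
RE_SHORT_PATH = re.compile(r"^(?!(?:[a-z]+|[A-Z]+|[0-9]+)$)[a-zA-Z0-9]{3,11}$")
RE_DISK_HOST = re.compile(r"^(?:drive\.google\.com$|yadi\.sk$|disk\.yandex\.)")

def hash_lookup_names(url, apikey):
    """Return the hash-zone DNS names the Lua callbacks would query for url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Assumption: the path is compared and hashed without its leading "/".
    path = parts.path[1:] if parts.path.startswith("/") else parts.path
    digest = hashlib.sha1(f"{host}/{path}".encode("utf-8")).hexdigest()
    names = []
    # Short URL rule: 3 to 11 alphanumerics, not all one case or all digits.
    if RE_SHORT_PATH.match(path):
        names.append(f"{digest}.{apikey}.shorthash.mail.abusix.zone.")
    # Disk URL rule: selected by host name only.
    if RE_DISK_HOST.match(host):
        names.append(f"{digest}.{apikey}.diskhash.mail.abusix.zone.")
    return names

if __name__ == "__main__":
    # Constructed sample URLs; APIKEY is the page's placeholder.
    for sample in ("http://example.com/aB3xYz",
                   "http://example.com/about",
                   "https://drive.google.com/file/d/XYZ/view"):
        print(sample, hash_lookup_names(sample, "APIKEY"))
```

A listed short URL answers 127.0.3.1 and a listed disk URL answers 127.0.3.2, which are the values the Lua callbacks compare against.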

 
 

Barracuda Email Firewall

To add Abusix Mail Intelligence to your Barracuda Spam Firewall go to:

BLOCK/ACCEPT -> IP Reputation, and under Custom External RBLs, add:

APIKEY.combined.mail.abusix.zone

Replace APIKEY with the key shown in the Dashboard, and select "BLOCK".

 


Once set up, you will start to see "Blocked" items in the Message Log, and within those you will see that they were blocked by Abusix Mail Intelligence.

 


 
 
 

Symantec Email Gateway

To set up Abusix Mail Intelligence on your Symantec Email Gateway appliance, in the Control Center, go to Reputation -> Bad Senders, ensure that 'Enable Third Party Bad Sender detection' is enabled, click 'Add' and enter:

APIKEY.combined.mail.abusix.zone.

(Replace APIKEY with your key from the Dashboard)

Make sure the Action is set to 'Reject SMTP Connection' and then click 'Save'.

 
 
 

Plesk

In the Plesk console, go to "Tools & Settings" and "Mail Server Settings" under the "Mail" heading. Scroll to the bottom of the page and enable the option "Turn on spam protection based on DNS blackhole lists", then set "DNS zones for DNSBL service" to:

APIKEY.combined.mail.abusix.zone

(replace APIKEY with your API/Query key which you can find in your Dashboard)

Then click 'OK'.

SpamAssassin can also be installed on Plesk, which allows Abusix Mail Intelligence to provide additional filtering.

This can be installed by going to "Tools & Settings", "Plesk", "Updates", "Add/Remove Components", expanding "Mail Hosting" by clicking the + next to it, selecting "Install" under "SpamAssassin" and clicking "Continue".

Once SpamAssassin is installed, you can use the following instructions to configure it to use Abusix Mail Intelligence. Note that you will need to use SSH and edit the necessary files by hand as Plesk does not provide a way to do this via the console.

 

Instructions

Edit local.cf (usually found in /etc/mail/spamassassin) as follows, replacing <APIKEY> with your key retrieved from the Dashboard.

ifplugin Mail::SpamAssassin::Plugin::DNSEval
    header    __RCVD_IN_AMI       eval:check_rbl('ami', '<APIKEY>.combined.mail.abusix.zone.')
    describe  __RCVD_IN_AMI       Received via a relay in Abusix Mail Intelligence
    tflags    __RCVD_IN_AMI       net

    header    RCVD_IN_AMI_BLACK   eval:check_rbl_sub('ami', '^127\.0\.0\.[23]$')
    describe  RCVD_IN_AMI_BLACK   Received via a relay in Abusix Mail Intelligence Black
    score     RCVD_IN_AMI_BLACK   3.0
    tflags    RCVD_IN_AMI_BLACK   net

    header    RCVD_IN_AMI_EXPLOIT eval:check_rbl_sub('ami', '127.0.0.4')
    describe  RCVD_IN_AMI_EXPLOIT Received via a relay in Abusix Mail Intelligence Exploit
    score     RCVD_IN_AMI_EXPLOIT 3.0
    tflags    RCVD_IN_AMI_EXPLOIT net

    header    RCVD_IN_AMI_DYN     eval:check_rbl('ami-lastexternal', '<APIKEY>.combined.mail.abusix.zone.', '^127\.0\.0\.1[12]$')
    describe  RCVD_IN_AMI_DYN     Received via a relay in Abusix Mail Intelligence Dynamic
    score     RCVD_IN_AMI_DYN     3.0
    tflags    RCVD_IN_AMI_DYN     net

    header    RCVD_IN_AMI_WHITE   eval:check_rbl('ami-firsttrusted', '<APIKEY>.combined.mail.abusix.zone.', '127.0.2.1')
    describe  RCVD_IN_AMI_WHITE   Received via a relay in Abusix Mail Intelligence White
    score     RCVD_IN_AMI_WHITE   -0.1
    tflags    RCVD_IN_AMI_WHITE   nice net
endif

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
    urirhsbl  URIBL_AMI_DBLACK    <APIKEY>.dblack.mail.abusix.zone. A
    body      URIBL_AMI_DBLACK    eval:check_uridnsbl('URIBL_AMI_DBLACK')
    describe  URIBL_AMI_DBLACK    Contains a spam URL listed in the Abusix Mail Intelligence domain blocklist
    score     URIBL_AMI_DBLACK    3.0
    tflags    URIBL_AMI_DBLACK    net

    urirhssub URIBL_AMI_WHITE     <APIKEY>.white.mail.abusix.zone. A 127.0.2.1
    body      URIBL_AMI_WHITE     eval:check_uridnsbl('URIBL_AMI_WHITE')
    describe  URIBL_AMI_WHITE     Contains a domain listed in the Abusix Mail Intelligence domain whitelist
    score     URIBL_AMI_WHITE     -0.1
    tflags    URIBL_AMI_WHITE     nice net
endif

Once you have made these changes, run "systemctl restart spamassassin" to restart SpamAssassin.

 
 
 

CPanel

  1. Log into WHM.
  2. On the left, select "Exim Configuration Manager", then select the "RBLs" tab.
  3. Select "Manage Custom RBLs".
  4. Under "Add a new RBL" enter the following:
       Rbl Name: abusix
       Rbl Info URL: https://lookup.abusix.com
       Dns List: <APIKEY>.combined.mail.abusix.zone
       (replace <APIKEY> with your API key from the User Portal)
  5. Click "Add" - you'll be shown a notification page directing you to enable it in your Configuration Editor, then rebuild your Exim config.
  6. Click "Exim Configuration Editor" and select the "RBLs" tab.
  7. To the right of "Custom RBL: abusix", select "On".
  8. Click "Save" to rebuild the Exim Configuration.
 
 
 

Cisco Email Security Appliance

To add Abusix Mail Intelligence to your Cisco Email Security Appliance:

  • Go to "Mail Policies" -> "HAT Overview"
  • Click on the BLACKLIST or BLOCKED_LIST sender group (this depends on which version of the software you are running)
  • Click Edit settings and under the DNS lists section add <APIKEY>.combined.mail.abusix.zone (replace APIKEY with the API/Query key that you can find in the customer portal).
 