Salam to all,

Today, while implementing MON, and failing again and again to get the smtp.monitor working for two of my mail servers, I found out something interesting. Actually I was monitoring three mail servers for different clients, but only one of them responded to MON’s smtp.monitor, one was my own!. Manually running the monitor was giving timeouts:

[root@www mon.d]# ./smtp.monitor www.wbitt.com  
www.wbitt.com                                  
www.wbitt.com failed with error timeout        
detail for www.wbitt.com                       
==============================================================================  
no detail                                                                      
  
[root@www mon.d]#

I sensed something related to DNS, but decided to do more checks. While trying to find out what is different between that one server and the other two servers was RBLSMTPD and GreyListing. I disabled GreyListing on one of them and the problem remained. I disabled RBLSMTPD and there you go! The problem was gone. I sensed that may be my RBLSMTPD list was a little aggressive and had sort of redundant entries. My qmail server had the following entries:-

rblsmtpd
-r sbl.spamhaus.org \
-r zen.spamhaus.org \
-r bl.spamcop.net \
-r list.dsbl.org

I checked spamhaus.org and found out that ZEN itself is a comprehensive list and contains SBL within itself. So removed sbl.spamhaus.org. Then bl.spamcop.net is a valid list , as per the spamcop.net website. Retained that. Then I checked dsbl.org and found out that it has died ! Here is a little text from the DSBL website for your reference:

DSBL is GONE and highly unlikely to return. Please remove it from your mail server configuration.

DSBL was a blocklist specialized in listing open relays and open proxies. To put it simply, DSBL listed IP addresses of computers that could be tricked into sending spam by anybody. This was a very successful strategy. Nowadays open relays and open proxies are rare, spammers hardly ever use them any more and no software seems to come with an open-by-default policy any more.

Click “read more” to find out more about how DSBL worked and why it is obsolete.

How DSBL worked

DSBL relied on volunteers who, upon receiving spam, would test the IP addresses that sent them spam for open relay and open proxy vulnerabilities.

The tests consisted of doing a straightforward open relay test on the sending IP address, as well as open proxy tests on a few well-known proxy ports (1080, 3128, etc), with the aim of relaying a test message to DSBL. Upon receipt of the test message, DSBL would add the IP address to its database.

What spammers did

Because easy to detect spam relays were quickly listed, spammers have switched to new methods:

  • Trick PC users into installing special spam delivery software onto their PCs, aka “spam zombies”.
  • Probe mail servers for easily guessable user/password combinations.

In the case of spam zombies, the normal mode of operation is that the exploited computer asks the spammer’s computer what to spam and who to send it to. The typical zombie does not listen for incoming network traffic. This means that there is no way for other people, eg. DSBL testers, to prove the vulnerability of those computers.

The second case, probing mail servers for easily guessable user/password combinations, is just not something that the good guys can do while still claiming to be the good guys.

So that means I had to remove “list.dsbl.org” as well.   And my code in my qmai-smtpd “run” file now looks like:-

rblsmtpd
-r zen.spamhaus.org \
-r bl.spamcop.net

Now when I ran the test manually against this, I got correct results:-

[root@www mon.d]# ./smtp.monitor www.wbitt.com  
  
www.wbitt.com succeeded  
detail for www.wbitt.com  
==============================================================================  
220 www.wbitt.com ESMTP  
250 www.wbitt.com  
221 www.wbitt.com  
  
[root@www mon.d]#

MON, was all happy now! So time to clean up your RBLSMTPD lists, all of you. Hope this is helpful.

Kamran