NAME
    rbl-check.pl - a script to check email for evidence that it passed
    through a mail gateway listed on the RBL or ORBS black-lists. This can
    help block spam sent via an unprotected forwarding account.

SYNOPSIS
    rbl-check.pl [-d] [-] [-] ... [exception_file]

DESCRIPTION
    This script searches the headers of an email message for IP addresses
    and then looks those IPs up in the various anti-spam blackhole
    listings.

    Its advantage over protection at the mailer level is that it also
    blocks spam sent to an unprotected account and then forwarded to your
    real one. It returns a non-zero exit code if the message appears to be
    spam.

    The script has the disadvantage of being pretty slow.

USAGE
  Command-Line Parameters
    Usually, rbl-check.pl takes as arguments a list of words or filenames.
    The reserved words are the names of the lists you want to compare the
    gateway IP addresses against. The filenames point to one or more lists
    of exceptions: IP addresses you want to receive mail from even if they
    are black-listed.

    The blackhole lists are checked in the order they are specified on the
    command line. Specifying them in order of size (largest list first)
    will save you a few CPU cycles.

    -d
        Toggle debugging output to standard error. Depending on where (and
        how often) this appears on the command line, slightly different
        things will be debugged. Most useful is a single -d at the
        beginning or at the end of the command line.

    -ordb
        Check the ordb output list. See http://www.ordb.org/ for info.
        This check appears at the moment to be the most effective
        spam-stopper (largest list according to dorkslayers.com, 15.
        September 2001, and my own tests), but it may also discard a
        significant amount of legitimate mail.

    -orbz
        Check the orbz input list. See http://www.orbz.org/ for info.

    -orbz-outputs
        Check the orbz output list. See http://www.orbz.org/ for info.
        Using this list will block much more spam, but the false-positive
        rate (legit.
        mail blocked) is probably too high for most people.

    -blackholes
        Check the MAPS RBL (Realtime Blackhole List). This list contains
        unrepentant spam-friendly networks. See
        http://www.mail-abuse.org/rbl/ for info. Always checking this list
        is probably a good idea, unless you disagree with MAPS methodology
        and politics...

    -rss
        Check the MAPS RSS (Relay Spam Stopper) list. This is a database
        of spam-relaying mail servers. Only hosts known to have been
        abused are supposed to be on the list. See
        http://www.mail-abuse.org/rss/ for info.

    -dul
        Check the MAPS DUL (Dial-up User List). Using this list is
        probably a Very Bad Idea for such an indiscriminate test as this.
        This feature is currently disabled in the script source - enable
        it at your own risk. See http://www.mail-abuse.org/dul/ for info.

    -dorks
        Check the Dorkslayers.com RBL list. The guys running
        dorkslayers.com have an attitude, and are opposed to automated
        testing. Their list appears to be based on manual verification and
        manual selection - or collation from the other lists. It's hard to
        tell from their web site.

    /path/to/file
        The file is read and the lines it contains are placed on a
        white-list. IP addresses found in this list will not be looked up
        in any of the black-lists (they are assumed to be OK).

        Example:

            # This is a comment
            ^10.1.2.3$          # We like this guy!
            ^10.1.2.(1|2|45)$   # And these guys!
            ^10.1.              # Heck, we like the whole 10.1. network!

        Each line is actually a perl regular expression, with the
        exception that "." characters are not interpreted as wildcards.
        Note that the ^ character binds to the beginning of the IP
        address, and the $ character to the end - omitting either may
        produce unexpected results. Not terminating a network definition
        (like ^10.1. in the example) with a period may also cause
        problems.

        Domain names don't work - only IP addresses.
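The header scan and the exception-file matching described above, as an added Python example (rbl-check.pl itself is a Perl script; this is not its code or the author's). It assumes IPv4 addresses are taken from anywhere in the header block, that "." is made literal by simple substitution, and that lists are queried in the usual DNSBL way (reversed octets under the list's zone); dnsbl.example is a placeholder zone, and the message and exception lines are constructed.

```python
import re

IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

def load_exceptions(text):
    """Compile exception lines: '#' starts a comment, '.' is taken literally."""
    patterns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # Assumption: plain substitution, so every '.' becomes a literal dot.
            patterns.append(re.compile(line.replace(".", r"\.")))
    return patterns

def whitelisted(ip, exceptions):
    """True if any pattern matches; anchoring is entirely up to the pattern."""
    return any(p.search(ip) for p in exceptions)

def header_ips(message):
    """Unique, valid IPv4 addresses from the header block, in order seen."""
    headers = re.split(r"\r?\n\r?\n", message, maxsplit=1)[0]
    found = []
    for ip in IPV4.findall(headers):
        if all(int(o) <= 255 for o in ip.split(".")) and ip not in found:
            found.append(ip)
    return found

def dnsbl_queries(message, exceptions, zone):
    """DNS names to resolve: reversed octets + zone, white-listed IPs skipped."""
    return [".".join(reversed(ip.split("."))) + "." + zone
            for ip in header_ips(message) if not whitelisted(ip, exceptions)]

# Constructed sample data; "dnsbl.example" is a placeholder, not a real list.
EXCEPTIONS = """\
# This is a comment
^10.1.2.3$   # one host
^10.1.       # the whole 10.1. network
"""
MESSAGE = """\
Received: from relay.example (relay.example [192.0.2.25]) by mx.example
Received: from inside (unknown [10.1.7.9]) by relay.example
Received: from other (unknown [10.10.0.5]) by relay.example

The body mentions 198.51.100.7, which is not a header and is ignored.
"""

if __name__ == "__main__":
    print(dnsbl_queries(MESSAGE, load_exceptions(EXCEPTIONS), "dnsbl.example"))
    # Pitfalls from the text: no trailing period, or no ^ anchor.
    print(whitelisted("10.10.0.5", load_exceptions("^10.1")))
    print(whitelisted("210.1.2.3", load_exceptions("10.1.2.3$")))
```

A listed address resolves to an A record (conventionally in 127.0.0.0/8) and an unlisted one returns NXDOMAIN. The last two checks show how an unterminated or unanchored pattern exempts hosts that were never meant to be white-listed.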
        Note: Putting networks you communicate with frequently in an
        exception list can save quite a few CPU cycles/DNS lookups, which
        is the preferred reason for using this feature. Please resist the
        temptation to add black-listed hosts to your exception list - try
        and get them fixed instead!

  Using rbl-check.pl with Procmail
    This script is very easy to use with procmail. Just add something
    like the following lines to your .procmailrc file:

        # Use ORBS to block spam, even from forwarded accounts.
        :0 i
        * ! ? /path/to/rbl-check.pl -ordb /path/to/exceptions
        spamfolder

    If you want to check all mail received by your host, you can add
    similar rules to the bottom of /etc/procmailrc:

        # Creating mailboxes owned by root (or mail) is a bad idea.
        DROPPRIVS=yes

        # Use ORBS to block spam, even from forwarded accounts.
        :0 i
        * ! ? /path/to/rbl-check.pl -ordb /path/to/exceptions
        $HOME/spamfolder

SCRIPT CATEGORIES
    UNIX/System_administration
    Mail

AUTHOR AND COPYRIGHT
    rbl-check.pl was written by Bjarni R. Einarsson.

    This script is released to the Public Domain.

    New versions will be put here:
    http://bre.klaki.net/programs/spam/rbl-check.pl.txt

    If you like this script, you might also like the Anomy sanitizer at
    http://mailtools.anomy.net/. :-)

README
    rbl-check.pl - a script to check email for evidence that it passed
    through a mail gateway listed on the RBL or ORBS black-lists. This can
    help block spam sent via an unprotected forwarding account.