Pieter Droogendijk
pieter@binky.org.uk
http://binky.org.uk

Qmail SURBL interface

SURBL is a blacklist that contains domain names related to URIs that have appeared in spam messages. The URIs in question are pulled from the mail body.

For this interface to work, I had to patch qmail to store a bit of the mail body, filter it through the interface directly after the client is done feeding us the mail body, and, if the message was blocked, tell the client and not accept the mail.

The only place where the client can be told the message will not be relayed is qmail-smtpd. The only way I could get the mail body in qmail-smtpd is by copying what it sends to qmail-queue (or its replacement). This is why we have to stop after the body is sent, because qmail-smtpd sends some additional things we want nothing to do with.

To make it work, the environment variable SURBL must be non-zero.

There may be certain addresses an admin doesn't want filtered, such as the abuse mailbox, postmaster, things like that. So an RCPT whitelist is also available. The control file for this is:

    control/surblrcptwhite

There might also be a need to whitelist certain domains that have been wrongly (in the eyes of the admin, or the admin of said domain) blacklisted. So URI domain whitelist support is also added. The control file for this is:

    control/surbldomainwhite

It holds the list of all whitelisted domains.

The absolute maximum body size that the patch will buffer is 500.000 bytes. A lower maximum may be set by the admin in the control file:

    control/surblmax

The blacklist used is, by default, multi.surbl.org. This may be overridden using the control file:

    control/surbldomain

The admin may also choose to cache the results locally, instead of relying on a caching nameserver. This is simply done by creating the directory surbl/cache, owned by qmaild:qmail, in the qmail root. If this directory is present, results will be cached. The cache lifetime is five minutes by default, but can be set in control/surblcachetime (in seconds).

If the directory surbl/store/busy exists, incoming mail will be stored in either surbl/store/spam/ or surbl/store/nospam/, depending on what SURBL classifies the message to be. If either directory does not exist, messages of that type will not be stored. You can safely annihilate these directories.

The number of messages filtered is contained in surbl/store/.msgnum and is used to name a new message, and then incremented. It's a good idea to stop qmail while modifying it, or lock it using surbl/store/.lock. When resetting the msgnum, you usually also want to delete all messages. Do so first.

Check the ownerships of the directories under surbl/.
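The filtering flow described above (body cap, RCPT whitelist, URI domain whitelist, blacklist zone, timed cache), as an added Python sketch that is not code from the patch. The function names, the injected `resolve` callback, the in-memory dict standing in for surbl/cache, the two-label domain reduction and the treatment of a whitelisted recipient are assumptions made for illustration.

```python
import re
import time

SURBL_ZONE = "multi.surbl.org"  # page default; overridden by control/surbldomain
MAX_BODY = 500_000              # absolute buffer cap; control/surblmax may lower it
CACHE_TTL = 300                 # five-minute default; control/surblcachetime
URI_HOST = re.compile(rb"https?://([A-Za-z0-9.-]+)", re.I)

def uri_domains(body, limit=MAX_BODY):
    """Distinct URI domains found in the first `limit` bytes of the body."""
    found = []
    for m in URI_HOST.finditer(body[:limit]):
        labels = m.group(1).decode("ascii").lower().strip(".").split(".")
        # Assumption: last two labels = registered domain. A real filter needs
        # a two-level-TLD table and separate handling of IP-literal hosts.
        if len(labels) < 2 or labels[-1].isdigit():
            continue
        domain = ".".join(labels[-2:])
        if domain not in found:
            found.append(domain)
    return found

def check_message(body, rcpts, resolve, rcpt_white=(), domain_white=(),
                  cache=None, now=time.time):
    """Return the first blacklisted URI domain, or None to accept the mail."""
    # Assumption: one whitelisted recipient exempts the whole message.
    if any(r.lower() in rcpt_white for r in rcpts):
        return None
    cache = {} if cache is None else cache
    for domain in uri_domains(body):
        if domain in domain_white:
            continue  # admin override of a listing considered wrong
        hit = cache.get(domain)
        if hit is None or now() - hit[1] > CACHE_TTL:
            # A listed name answers with an A record; None means not listed.
            listed = resolve(f"{domain}.{SURBL_ZONE}") is not None
            hit = cache[domain] = (listed, now())
        if hit[0]:
            return domain
    return None

# Constructed sample data; fake_dns stands in for a real DNS A lookup.
LISTED = {"spam-example.test.multi.surbl.org": "127.0.0.2"}
QUERIES = []
def fake_dns(name):
    QUERIES.append(name)
    return LISTED.get(name)

BODY = b"Buy now: http://www.spam-example.test/x and https://ok-example.test/"
```

Passing the same `cache` dict across calls shows the effect of the cache lifetime: a repeated domain triggers a new lookup only after `CACHE_TTL` seconds have passed.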