[Mimedefang] late rbl checks, stats, sample code

Jeremy Mates jmates at sial.org
Sat Aug 9 17:15:00 EDT 2003

* Jason Gurtz <jason at jasongurtz.com>
> If you can at all enable rbl checking in the MTA and disable that
> option it would be *much* better than having SA do it. It's a lot
> cheaper for the MTA to just bounce the crap because of being linked
> directly to name lookup libs and all than if it has to accept the mail
> and then feed it off to several somewhat Memory, CPU, and I/O hungry
> processes.

On the other hand, I recently moved rejects to after the SMTP DATA phase
due to a large portion of mail for my site being "User unknown" DSN due
to forged mail being sent out as sial.org. Late rejects allow the user
unknowns to fail quickly without generating extra DNS traffic, but the
blocks to still work should the request not be for an unknown user. This
method does increase bandwidth costs on late rejected mail.

Some data for sial.org over the last 50 days, stats on a per-day basis:

rejects:  919   total   18.4  mean, 14.9  s.deviation, 2   min, 86  max
unknowns: 12380 total   247.6 mean, 112   s.deviation, 69  min, 528 max
total:    19152 total   383   mean, 129.4 s.deviation, 134 min, 714 max

Unfortunately, 16 spam did get through in the above timeframe, the last
one on Jul 24. Adding the following to
/etc/mail/spamassassin/sa-mimedefang.cf has helped tag those who forge things:

header SIALFORGEREPLYTO In-Reply-To =~ /\@sial\.org>/
header SIALFORGEREF References =~ /\@sial\.org>/

Sample mimedefang-filter code for delayed rejects and spamhaus blocks.
Note trailing dot on spamhaus.org to prevent extra DNS lookups; enabling
DNS query logging on small test systems is a good way to see how many
requests are being made.

# Not for use in production!
our $reject_later;

sub filter_recipient {
  # mimedefang passes these as arguments; they are not globals
  my ($recipient, $sender, $ip, $hostname, $first, $helo) = @_;
  undef $reject_later;

  # TODO add "sometimes y" support with rand()
  if ($helo =~ /[aeiou]/) {
    $reject_later = 'reject: illegal use of vowel in HELO from '
     . $ip . ': ' . $helo;
  }
  # accept at RCPT TO; the recorded reason is acted on in filter_end
  return 'CONTINUE', 'ok';
}

sub filter_end ($) {

  return action_bounce($reject_later) if $reject_later;

  # prevent lookups on RFC 1918 stuff (172.16/12 runs 172.16 to 172.31)
  unless ($RelayAddr =~ m/^(192\.168\.|172\.(1[6-9]|2\d|3[01])\.|10\.)/) {
    # TODO screen out IPv6 stuff
    if (relay_is_blacklisted($RelayAddr, "sbl.spamhaus.org.")) {
      return action_bounce('reject: mail from '
         . ($RelayHostname || $RelayAddr)
         . ' rejected due to http://www.spamhaus.org/SBL');
    }
  }
}
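The same late-reject decision written out in Python as an added example (not the post's Perl filter; function names and the injected resolver are ours): it builds the DNSBL query name with the trailing dot, skips private (all of 172.16/12), non-public and IPv6 relays instead of looking them up, and takes the resolver as a parameter so the logic can be checked offline against constructed answers.

```python
import ipaddress

# Added example, not the list post's Perl filter. Function names are ours.

def dnsbl_query_name(addr, zone="sbl.spamhaus.org."):
    """Return the DNSBL name to query for addr, or None if no lookup is wanted.

    Skips anything that is not a public IPv4 address: RFC 1918 space (all of
    172.16/12, not just 172.16/16), loopback, link-local and IPv6.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.version != 4 or not ip.is_global:
        return None
    if not zone.endswith("."):
        # Absolute name: the resolver will not retry with each search domain
        # appended, which is the "extra DNS lookups" the post warns about.
        zone += "."
    # reverse_pointer gives "4.3.2.1.in-addr.arpa" for 1.2.3.4
    octets = ip.reverse_pointer[: -len(".in-addr.arpa")]
    return octets + "." + zone


def dnsbl_listed(answers):
    """True when the A records say "listed": DNSBLs answer inside 127.0.0.0/8.

    No answers (NXDOMAIN) means not listed. An answer outside 127/8 is also
    treated as not listed; it usually signals a broken or wildcarded zone,
    and rejecting on it would bounce all mail.
    """
    listed = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in listed for a in answers)


def late_reject_decision(reject_later, relay_addr, relay_hostname, resolve,
                         zone="sbl.spamhaus.org."):
    """Mirror of filter_end: a reason recorded at RCPT TO wins, otherwise the
    relay is checked against the DNSBL. resolve(name) returns the A records
    for name ([] if none); injecting it keeps the check testable offline.
    Returns the rejection text, or None to accept."""
    if reject_later:
        return reject_later
    qname = dnsbl_query_name(relay_addr, zone)
    if qname is not None and dnsbl_listed(resolve(qname)):
        return ("reject: mail from %s rejected due to http://www.spamhaus.org/SBL"
                % (relay_hostname or relay_addr))
    return None
```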
