SpamRATS

Using SpamRats IP Reputation with Cisco Devices

We welcome the use of SpamRats IP Reputation and RBLs with your 3rd party filtering appliances; however, for this use you WILL need an API key for access.


SpamRats for Cisco Appliances

While Cisco is not yet a technology partner, we have many Cisco users that wish to use SpamRats RBLs with their appliances. However, there ARE problems reported, depending on the DNS resolvers configured in the device. While Cisco supports the use of 3rd party RBLs, it is important that you ONLY configure SpamRats using an API key. You should also confirm that it works, and that no firewall rules or policies prevent you from reaching the SpamRats RBL mirrors.

For more information, please consult your Cisco XDR documentation, or contact your Cisco Support representative.


SpamRats for TrendMicro

While Trend Micro is not yet a technology partner, we have many Trend Micro users that wish to use SpamRats RBLs with their appliances. However, it is currently reported that Trend Micro does not support the use of 3rd party RBLs other than the ones it currently uses. The choice of default RBLs can be controversial. Other products such as SonicWall Email Security or WebSense DO allow this. However, it is important that you ONLY configure SpamRats using an API key when using a commercial filtering appliance of any type. You should also confirm that it works, and that no firewall rules or policies prevent you from reaching the SpamRats RBL mirrors.


SpamRats for IronPort

While IronPort is not yet a technology partner, we have many IronPort users already trying to use SpamRats RBLs with their appliances. Setting up SpamRats on IronPort is simple and easy, but there are a few things to watch out for. It is important that you ONLY configure SpamRats using an API key. You should also confirm that it works, and that no firewall rules or policies prevent you from reaching the SpamRats RBL mirrors.

SpamRats on IronPort can be configured from the GUI as well as from the command line (CLI).

Configuring SpamRats on IronPort via GUI

To add SpamRats RBLs in the IronPort GUI, we recommend that you follow IronPort's own documentation, but in brief:

   Log into the ESA (Web GUI), e.g. https://:8443
   Go to Mail Policies → HAT Overview
   Choose the 'listener' where you want the RBLs to be applied, e.g. InboundMail
   Edit the Mail Flow Policy for the “UNKNOWNLIST” sender group
   In the policy editor, look for: DNS Listeners (DNS-based Blackhole Lists / RBLs)
   Click "Add" and enter your RBL information, e.g. DNS Server name:
       [YOUR_API_KEY].dyna.spamrats.com
   Set the action for hits: (Drop/Quarantine)
   Commit Changes
   

Configuring SpamRats on IronPort via CLI

   ssh admin@esa-hostname
   > listenerconfig
   > edit 
   > hostaccess
   > policyconfig
   > rblconfig
   > new
     Name: SpamRats RATS-DYNA
     Query string: [YOUR_API_KEY].dyna.spamrats.com
     Timeout: 5
     Enabled: Y
   > commit
   

Using SpamRats RATS-AUTH to prevent Email Compromise

Very important! Using RATS-AUTH on your authentication listeners is powerful for all authentication surfaces, including POP/IMAP/SMTP (25, 465, 587) and WebMail. You can even use it to protect other logins on your server. SpamRats has multiple other RBL lists available that can further help secure your attack surfaces.


Warning: Please remember that you MAY not be able to query from some DNS servers, especially without an API key. You should use a DNS server that clearly identifies who is making the query (PTR record). Consider using your own local resolver if you have trouble. With a subscription, there are alternative ways to get data.

Caveats and Testing that it Works

RBLs work using DNS, and you should ALWAYS check that the correct IP address is returned. Simply getting a "result" doesn't always mean the IP is listed. The lookup should return the specific IP address; anything else might mean an error, and should be ignored and NOT used to reject. Also, your DNS needs to be able to correctly query our mirrors. Bad firewall rules that prevent you from reaching our mirrors mean that you are not protected. You can always test at the command line first. A simple test:

  host 36.0.0.127.[YOUR_API_KEY].dyna.spamrats.com
  host 1.0.0.127.[YOUR_API_KEY].dyna.spamrats.com
  

The first example should work and return 127.0.0.36, while the second example should return NXDOMAIN (IP not found). If that doesn't work, check your firewalls first, then check which DNS servers you are using, and finally check that your API key is correct and active before reaching out to us for support.
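
The same check as a script, as an added example that is not SpamRats' or Cisco's own code: it builds the query name, accepts only the expected return address as a listing, and treats every other outcome as an error that must not cause a reject. The function names, the YOUR_API_KEY placeholder and the sample resolver's answers are assumptions constructed for illustration.

```python
import ipaddress
import socket

ZONE = "dyna.spamrats.com"     # zone used in the page's examples
EXPECTED = {"127.0.0.36"}      # return address the page gives for this zone

def query_name(ip, api_key, zone=ZONE):
    """Build <reversed octets>.<api_key>.<zone> for an IPv4 address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + f".{api_key}.{zone}"


def system_resolver(name):
    """A records via the OS resolver; [] for NXDOMAIN, other failures raise."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:   # assumption: platform reports NXDOMAIN this way
            return []
        raise
    return sorted({info[4][0] for info in infos})


def sample_resolver(name):
    """Constructed answers (not real mirror data) so the logic runs offline."""
    if name.startswith("36.0.0.127."):
        return ["127.0.0.36"]                      # the page's positive test point
    if name.startswith("9.2.0.192."):
        return ["203.0.113.7"]                     # constructed: unexpected address
    if name.startswith("7.2.0.192."):
        raise TimeoutError("mirror unreachable")   # constructed: blocked by a firewall
    return []                                      # everything else: NXDOMAIN


def check(ip, api_key, resolve=system_resolver):
    """Return 'listed', 'not_listed' or 'error'; reject only on 'listed'."""
    try:
        answers = set(resolve(query_name(ip, api_key)))
    except OSError:                                # timeout, SERVFAIL, unreachable mirror
        return "error"
    if not answers:
        return "not_listed"
    return "listed" if answers <= EXPECTED else "error"


def self_test(api_key, resolve=system_resolver):
    """The page's two test points: 127.0.0.36 is listed, 127.0.0.1 is not."""
    results = [check(ip, api_key, resolve) for ip in ("127.0.0.36", "127.0.0.1")]
    return results == ["listed", "not_listed"]
```

Call self_test with your real key and the default resolver from a host that uses the same DNS servers as the appliance, so the lookup follows the same resolver and firewall path.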

Blocked Users

You may find that your ability to query the SpamRATS DNSBL Public Mirrors has been restricted. This could be due to the usage not falling within our Terms of Service. Before restricting any queries we try to reach out via email. Please check to see if you received an email from sales@mthreat.com at your public email address. If you have received the message, please reply to it.

If you would like to continue using the SpamRATS RBLs, please contact us and include the IP(s) that you used to query in your email.
