SpamRATS

Using SpamRats IP Reputation with SpamAssassin

While we normally recommend that our reputation lists be checked earlier, at the network or MTA layer, SpamAssassin is still one of the world's most popular filtering engines, and allows the use of RBLs as part of its 'scoring' methods. This also allows for creative custom filters, such as being on an RBL plus some other indicator. It can also be used by other tools that are SpamAssassin aware. Of course, doing these checks earlier greatly reduces server load.

SpamAssassin comes in many versions and has full and flexible support for RBLs; however, it does have some complications when using an API key that you might need to be aware of.

Many deployments of SpamAssassin also have different setups and file layouts. As such, we highly recommend you use the SpamAssassin User Mailing List for any questions particular to your distribution. Flagging and scoring based on being on RATS-SPAM, RATS-DYNA, and RATS-NOPTR is relatively easy; however, you should make sure that you only filter those cases on port 25, where there is NO authentication. You can even use RATS-AUTH to make custom filters based on the IP that was originally used to authenticate, to help you identify hacked email accounts from other servers.

Using SpamRats RATS-AUTH to prevent Email Compromise

Protecting all authentication surfaces, including POP/IMAP/SMTP (25, 465, 587) and webmail, is critical. SpamRats has multiple other RBL lists available, including RATS-AUTH, that can further help secure your attack surfaces IF you use SpamAssassin for outbound filtering; however, it is more effective if you can check it earlier in transit.


Warning: Please remember that you MAY not be able to query from some DNS servers, especially without an API key. You should use a DNS server that clearly identifies who is making the query (PTR record). Consider using your own local resolver if you have trouble. With a subscription, there are alternative ways to get data.

Caveats and Testing that it Works

RBLs work using DNS, and you should ALWAYS look for the correct IP address being returned. Simply getting a "result" doesn't always mean the IP is listed. The query should return the specific IP address; anything else might mean an error, and should be ignored and NOT rejected. Also, your DNS needs to be able to correctly query our mirrors. Bad firewall rules that prevent you from reaching our mirrors mean that you are not protected. You can always test at the command line first. A simple..

  host 36.0.0.127.[YOUR_API_KEY].dyna.spamrats.com
  host 1.0.0.127.[YOUR_API_KEY].dyna.spamrats.com
  

.. the first example should work and return 127.0.0.36, while the second example should return NXDOMAIN (IP not found). If that doesn't work, check your firewalls first, then check which DNS servers you are using, and finally check that your API key is correct and active before reaching out to us for support.
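
The rule above (listed only when the expected address comes back, NXDOMAIN means not listed, anything else is an error to ignore) can be scripted around the same `host` command. This is an added example, not SpamRats' own tooling: the function names are hypothetical, EXAMPLEKEY is a placeholder for your API key, and the sample `host` outputs are constructed.

```sh
#!/bin/sh
# Added example: classify `host` output for a DNSBL lookup, failing open on anything unexpected.

# Build the query name: reversed IPv4 octets, optional API key label, then the zone.
rbl_query_name() {  # usage: rbl_query_name IP ZONE [API_KEY]
    rev=$(printf '%s\n' "$1" | awk -F. \
        '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $4 "." $3 "." $2 "." $1}')
    [ -n "$rev" ] || return 1          # not a dotted-quad IPv4 address
    printf '%s.%s%s\n' "$rev" "${3:+$3.}" "$2"
}

# Print LISTED, NOT_LISTED or ERROR for one lookup.
rbl_verdict() {  # usage: rbl_verdict EXPECTED_CODE HOST_OUTPUT
    expected=$1 output=$2
    addrs=$(printf '%s\n' "$output" | awk '/ has address /{print $NF}')
    if [ -n "$addrs" ]; then
        # An answer only counts when it is the code the list is expected to return.
        if printf '%s\n' "$addrs" | grep -Fxq "$expected"; then echo LISTED
        else echo ERROR; fi
    elif printf '%s\n' "$output" | grep -q 'NXDOMAIN'; then
        echo NOT_LISTED
    else
        echo ERROR                     # timeout, SERVFAIL, REFUSED: ignore, do NOT reject
    fi
}

# Live lookup (needs network and the `host` utility); not run by the demo below.
rbl_check() {  # usage: rbl_check IP ZONE EXPECTED_CODE [API_KEY]
    name=$(rbl_query_name "$1" "$2" "${4:-}") || { echo ERROR; return 0; }
    rbl_verdict "$3" "$(host -t A "$name" 2>&1)"
}

# Offline demo on constructed sample outputs (not captured from a real resolver).
q=$(rbl_query_name 127.0.0.36 dyna.spamrats.com EXAMPLEKEY)
for sample in \
    "$q has address 127.0.0.36" \
    "Host $q not found: 3(NXDOMAIN)" \
    "$q has address 198.51.100.7" \
    ";; connection timed out; no servers could be reached"
do
    printf '%-11s <- %s\n' "$(rbl_verdict 127.0.0.36 "$sample")" "$sample"
done
```

Only a LISTED verdict should ever contribute to a score or a rejection; an ERROR verdict is a prompt to check firewalls, resolvers and the API key as described above.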

Blocked Users

You may find that your ability to query the SpamRATS DNSBL Public Mirrors has been restricted. This could be due to the usage not falling within our Terms of Service. Before restricting any queries we try to reach out via email. Please check to see if you received an email from sales@mthreat.com at your public email address. If you have received the message, please reply to it.

If you would like to continue using the SpamRATS RBLs, please contact us and include the IP(s) that you used to query in your email.
