One of the keys to the rapid adoption of Sender Score Certified has been
its ease of use. Sender Score Certified works just like a standard DNS-based
blacklist, except in reverse.
Integrating Sender Score Certified with email software is easy. Receivers
of email can use the DNS query commonly used by blacklist services to take
advantage of Sender Score Certified.
Support is currently provided for the packages below. Click on the links
below for the code submitted by the respective authors for inclusion in their
distribution. If your software isn't supported, contact us
with your request.
SpamAssassin 2.4x/2.5x
SpamAssassin 2.2x/2.3x
SpamBouncer
Procmail
Vipul's Razor
Sendmail
Postfix
qmail
Exim 4.0x/4.1x
Declude JunkMail for IMail
James
Sender Score Certified uses the same DNS query/response syntax as RBL (realtime black list) style DNS systems. Given an email sender's IP address in its dotted-quad form, the octets are reversed and queried under the query.bondedsender.org domain. For example, if a mail sender's IP address is 192.168.1.2, the mail server or spam filter using Sender Score Certified would attempt to resolve the address resource record (A RR) for 2.1.168.192.query.bondedsender.org. The nameserver for query.bondedsender.org will return the address 127.0.0.10 if the address is registered with Sender Score Certified. This address is arbitrary, but will not change. If the address is not registered, the nameserver will indicate that the name is invalid.
For senders, after registering your address with the Sender Score Certified program, simply do a DNS lookup to verify that your address has been successfully registered. If 192.168.1.2 was your outbound SMTP IP address, you could run the following command at either a DOS or Unix prompt:
nslookup 2.1.168.192.query.bondedsender.org
If your address has been successfully registered, the command will display the address 127.0.0.10.
Although we recommend using the official Sender Score Certified DNS servers, some large ISPs and corporations likely to make over 250,000 queries per day may want to do zone transfers to their local DNS servers. If interested, please contact us.
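The lookup described above, written out as an added example (not code from the original page or from any of the listed packages). The function names, the status strings and the stand-in resolver data are assumptions made for illustration; the zone and the 127.0.0.10 answer are the ones the page gives. Only an exact 127.0.0.10 answer counts as a hit, and a resolver error never whitelists.

```python
import ipaddress
import socket

ZONE = "query.bondedsender.org"  # lookup zone named on the page
CERTIFIED = "127.0.0.10"         # the fixed answer the page documents

def query_name(ip, zone=ZONE):
    """Reverse the dotted-quad octets and append the zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError for anything but a valid IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """A records for name; empty list when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # timeouts and server failures propagate as OSError

def check_certified(ip, resolve=system_resolver):
    """Classify a connecting IP; only 'certified' should ever whitelist."""
    try:
        answers = resolve(query_name(ip))
    except OSError:
        return "lookup_failed"      # fail closed: an error never whitelists
    if CERTIFIED in answers:
        return "certified"
    if answers:
        return "unexpected_answer"  # e.g. a wildcard record; worth logging
    return "not_listed"

# Constructed stand-in for the nameserver so the example runs offline.
FAKE_ZONE = {
    "2.1.168.192.query.bondedsender.org": ["127.0.0.10"],
    "9.2.0.192.query.bondedsender.org": ["203.0.113.7"],
}

def fake_resolver(name):
    if name.startswith("1.100.51.198."):
        raise TimeoutError("constructed resolver timeout")
    return FAKE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("192.168.1.2", "192.0.2.9", "192.0.2.10", "198.51.100.1"):
        print(ip, query_name(ip), check_certified(ip, fake_resolver))
```

Treating any answer other than 127.0.0.10 as a separate state keeps a wildcarded or repointed zone from silently whitelisting every sender.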
SpamAssassin 2.4x/2.5x
Versions 2.40 and later of SpamAssassin have Sender Score Certified support
built-in. SpamAssassin automatically performs DNS lookups and gives Sender
Score Certified members an appropriate negative (non-spam) score. For versions
2.40 and later there is a recommended configuration change for use with Sender
Score Certified. The default behavior for SpamAssassin 2.40 and later is
to only check addresses reported by the first (chronological) two relays
(the bottom two Received headers in a message). While this works in many
situations, specifying which header to match against starting with the last
(chronological) header (the top Received header in a message) instead will
give you more consistent and trustworthy results. It is suggested that you
replace the following line in /usr/share/spamassassin/20_head_tests.cf (may
be /usr/local/share/spamassassin/20_head_tests.cf):
header RCVD_IN_BONDEDSENDER rbleval:check_rbl('relay', 'query.bondedsender.org.')
with, for example:
header RCVD_IN_BONDEDSENDER rbleval:check_rbl('relay-last1', 'sa.bondedsender.org.')
In this example, only the address reported by the second-to-last (chronological) MTA will be used during the whitelist lookup. If you wanted to test the very last reported IP address, you would specify "relay-last0". Exactly which address you wish to match against depends on the number of email gateways each message traverses between the Internet and the destination host.
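Why the choice of Received header matters, as an added example (this is not SpamAssassin's code, and the function names are hypothetical). The message, hostnames and addresses are constructed; the selection rule follows the page's description of relay-last0 and relay-last1 as counted from the top header, and the zone is the one used in the rule above.

```python
import re
from email import message_from_string

# Constructed message. The top two Received headers were written by the
# receiving site's own hosts; the bottom one was supplied by the sending side.
RAW = """\
Received: from gw.example.net (gw.example.net [10.0.0.5])
\tby mailstore.example.net; Mon, 1 Dec 2003 10:00:03 -0000
Received: from out.sender.example (out.sender.example [192.168.1.2])
\tby gw.example.net; Mon, 1 Dec 2003 10:00:02 -0000
Received: from certified.example ([203.0.113.50])
\tby out.sender.example; Mon, 1 Dec 2003 10:00:01 -0000
From: a@sender.example
Subject: constructed sample

body
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw_message):
    """Bracketed IP of each Received header, top (newest) first."""
    headers = message_from_string(raw_message).get_all("Received") or []
    found = (BRACKETED_IP.search(h) for h in headers)
    return [m.group(1) if m else None for m in found]

def relay_last(raw_message, n):
    """Address in the n-th Received header counted from the top (0 = newest)."""
    ips = received_ips(raw_message)
    return ips[n] if 0 <= n < len(ips) else None

def whitelist_query(raw_message, n, zone="sa.bondedsender.org"):
    """Query name for the relay-last<n> address, or None if there is none."""
    ip = relay_last(raw_message, n)
    if ip is None:
        return None
    return ".".join(reversed(ip.split("."))) + "." + zone

if __name__ == "__main__":
    print("top-down:", received_ips(RAW))
    print("relay-last1 query:", whitelist_query(RAW, 1))
    print("oldest header (sender-controlled):", received_ips(RAW)[-1])
```

With one internal gateway in front of the mail store, relay-last1 is the address that gateway saw connect, while the oldest header is written by the sending side and can name any address it likes.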
SpamAssassin 2.2x/2.3x
For versions 2.2x and 2.3x, configuring SpamAssassin to use Sender Score
Certified requires you to add the following lines to your local SpamAssassin
configuration file (such as /etc/mail/spamassassin/local.cf):
header RCVD_IN_BONDEDSENDER eval:check_rbl('relay', 'sa.bondedsender.org.')
describe RCVD_IN_BONDEDSENDER Received via a whitelisted Sender Score Certified address
score RCVD_IN_BONDEDSENDER -100.000
The large negative value informs SpamAssassin that the message is less likely to be spam.
It's suggested that you apply two patches to the SpamAssassin distribution to make it work optimally with Sender Score Certified. The first patch, spamassassin-Dns.pm-bsp, applies to the Dns.pm file in the SpamAssassin distribution. It fixes a problem with SpamAssassin's idea of "reserved" IP address ranges that makes it impossible for some addresses to be whitelisted.
The second patch, spamassassin-EvalTests.pm.bsp, applies to the EvalTests.pm file in the SpamAssassin distribution and will allow you to match starting from the last (chronological) header. It allows you to specify exactly which Received header is to be checked in your incoming messages. It is suggested that, instead of the eval:check_rbl line specified above, you use this patch to specify which Received header to use, such as:
header RCVD_IN_BONDEDSENDER eval:check_rbl('relay-last1', 'sa.bondedsender.org.')
In this example, only the address reported by the second-to-last (chronological) MTA would be used during the whitelist lookup. If you wanted to test the very last reported IP address, you would specify "relay-last0". Exactly which address you wish to match against depends on the number of email gateways each message traverses between the Internet and the destination host.
SpamBouncer
Versions 1.8 (11/26/03) and later of the SpamBouncer have Sender Score Certified
support built-in. If Sender Score Certified support is enabled, the SpamBouncer
automatically performs DNS lookups and whitelists email sent by Sender Score
Certified members. Whitelisted email is not subject to further filtering
by the SpamBouncer.
To enable Sender Score Certified support, you must set the following variable in your .procmailrc file prior to the line that invokes the SpamBouncer:
IBSCHECK=yes
Once you have enabled Sender Score Certified support, email from Sender Score Certified members will have the following headers added to it:
X-SBRule: IP ###.###.###.### is in the IBS
X-SBPass: Whitelisted (Ironport Sender Score Certified)
Depending on your local settings, this email is returned to the mail stream or delivered directly to the user's inbox.
Procmail
You can check for Sender Score Certified members in your procmail filters
by downloading procmail-bsp.sh and
calling it from your procmailrc config file. An example procmailrc might
look like:
# send to default location if the sender is bonded
:0 w
* ! ? /usr/local/bin/procmail-bsp.sh
${DEFAULT}
# insert spam filters here
# resort to default
:0:
${DEFAULT}
Vipul's Razor
The current versions of the Razor client require a patch to use DNS-based
whitelists such as Sender Score Certified.
For Razor 1.20, download razor-1.20-bondedsender and run:
patch -p0 <path-to-site_perl>/Razor/Agent.pm razor-1.20-bondedsender
For example:
patch -p0 /usr/lib/perl5/site_perl/5.005/Razor/Agent.pm razor-1.20-bondedsender
For Razor 2.20, download razor-2.20-bondedsender and run:
patch -p0 <path-to-site_perl>/Razor2/Client/Agent.pm razor-2.20-bondedsender
For example:
patch -p0 /usr/lib/perl5/site_perl/5.005/Razor2/Client/Agent.pm razor-2.20-bondedsender
After the patch is applied, add a line to your razor configuration file (such as /etc/razor.conf or /etc/razor-agent.conf) containing "dns_whitelist=razor.bondedsender.org". Razor will then skip over any whitelisted messages.
Sendmail
Configuring Sender Score Certified for sendmail requires a custom m4 configuration
macro to be installed under your sendmail cf directory. Download bondedsender.m4 and
save it as /usr/share/sendmail/cf/feature/bondedsender.m4 (the exact path
may vary depending on your system).
To use the above macro, add the following lines to your sendmail mc file (before any blacklist or spam filter lines):
FEATURE(bondedsender, `sendmail.bondedsender.org')
Then rebuild your sendmail cf by running "make" in /etc/mail, then restart sendmail.
A second sendmail option is to use the Sender Score Certified milter. It
will perform lookups on the connecting IP address and either skip other milter
calls or add an X-Bonded-Sender header to the email with a value of either "yes" or "no".
Downstream filters can use this header to whitelist, rather than trying to
find the correct IP address in the Received
headers. The milter can be downloaded here.
The comments at the top of the file contain instructions on compiling and
running the milter.
Postfix
Postfix requires a patch to support DNS whitelists. To apply the patch to
Postfix 1.1.11, download postfix-1.1.11-bondedsender and
apply it in the top-level of the postfix source distribution, for example:
tar zxvf postfix-1.1.11.tar.gz
cd postfix-1.1.11
patch -p0 < ../postfix-1.1.11-bondedsender
After building and installing the patched version of Postfix, add the following
lines to your config file (such as /etc/postfix/main.cf):
smtpd_client_restrictions = reject_maps_rbl
maps_rbl_domains = blackholes.mail-abuse.org
maps_rbl_wl_domains = postfix.bondedsender.org
Then restart Postfix for the changes to take effect.
To configure Sender Score Certified on Postfix 1.1.12 (the current development
branch), download postfix-1.1.12-20021124-bondedsender
and apply it in the top-level of the postfix source distribution as described
above. The configuration changes needed for this patch differ from the previous
version. Example configuration:
smtpd_client_restrictions = permit_dnswl_client query.bondedsender.org, reject_rbl_client blackholes.mail-abuse.org, <additional restrictions>
This patch has been tested on the Postfix 1.2.12-20021124 experimental release, but will most likely work on future releases as well.
qmail
qmail comes with a wrapper program called "rblsmtpd" that handles
RBL blacklists. It also has built-in support for RBL-style whitelists such
as Sender Score Certified. To configure qmail to use the Sender Score Certified
system, you need to call the rblsmtpd command with an extra argument. For
example, you could change your /var/qmail/run script from:
exec /usr/local/bin/tcpserver smtp rblsmtpd \
-r blackholes.mail-abuse.org \
qmail-smtpd 2>&1
To:
exec /usr/local/bin/tcpserver smtp rblsmtpd \
-a qmail.bondedsender.org \
-r blackholes.mail-abuse.org \
qmail-smtpd 2>&1
It is necessary for the -a argument to be called before any -r arguments, since the first list with a match will be the one applied. In this case, Sender Score Certified would only be negating any mistakenly blacklisted entries in the mail-abuse.org database.
Exim 4.0x/4.1x
Exim provides flexible support for DNS blacklists and whitelists in its new
ACL format, which was introduced in version 4.00. To configure Exim to use
Sender Score Certified, add the following line to one or more of its ACLs
(such as "acl_check_rcpt" in Exim's default configuration):
accept dnslists = query.bondedsender.org=127.0.0.10
Since Exim's ACL rules are applied in the same order in which they're specified, the Sender Score Certified rule should be placed above any spam filtering rules.
Declude JunkMail for IMail
The Declude JunkMail spam filtering package for IMail makes it easy to
assign a negative (less spammy) weight to bonded messages. Just add the
following line to JunkMail's global.cfg file:
BONDEDSENDER ip4r query.bondedsender.org 127.0.0.10 -20 0
Apache James
To validate Sender Score Certified members from Apache James, insert:
<mailet match="InSpammerBlacklist=query.bondedsender.org" class="ToProcessor">
<processor> transport </processor>
</mailet>
into the root processor.