rbl.orbitrbl.com – Dead

If you’re currently using rbl.orbitrbl.com for spam blocking or filtering, you should probably remove it from your configuration immediately.

Luckily this DNSBL was not widely used, and is not part of a default MDaemon configuration, so most MDaemon administrators will not need to take any action. If you do have MDaemon configured to use it, you’re currently seeing either timeouts or errors, and shortly you will find a majority of inbound mail will be flagged as spam.

Mark Jeftovic of EasyDNS recently posted the following to the mailop mailing list.

As some of you may know, we recently took over ZoneEdit.com and it’s customer base.

We’ve found a domain on the system: rbl.orbitrbl.com which is delegated to zoneedit nameservers, broken (it is not allowed to zone transfer from it’s designated master), unresponsive (account owner is not answering email, has an address in Sri Lanka and no telephone number), is using excessive queries (~ >500M queries per day on a “free dns” domain) and attracting repeated, multiple DDoS attacks.

As such, we will be wildcarding this zone and setting a long TTL fairly soon.

If you’re actually using this RBL in your MTAs, now’s a good time to stop. (this RBL is broken on 5 out of it’s 6 delegated nameservers across 3 separate providers).

I’d like to thank Mark for giving everyone advanced warning.

Another DNSBL lost, NJABL shutdown

Accordnig to NJABL’s website, they’re shutting down effective immediately:

March 1, 2013: NJABL is in the process of being shut down. The DNSBL zones have been emptied. After “the Internet” has had some time to remove NJABL from server configs, the NS’s will be pointed off into unallocated space to hopefully make the shutdown obvious to those who were slower to notice.

If you have NJABL listed in your MDaemon or SecurityGateway configuration, you should probably remove it immediately. MDaemon’s SpamAssassin automatically uses NJABL as well, but as long as you have automatic updates enabled no action is required, SpamAssassin will be disabling NJABL per bug 6913.

To NJABL’s operators: Thanks for all your time and efforts, it was appreciated!

Image-only adult themed spam

Lately there is a new batch of spam going out that tends to use adult themed subjects, but has no content in the body aside from a single image.

It has been reported that this SpamAssassin rule helps:

header __CTYPE_MULTIPART_MXD Content-Type =~ /multipart\/mixed/i
mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
meta MIME_IMAGE_ONLY (__CTYPE_MULTIPART_MXD && __ANY_IMAGE_ATTACH && !__ANY_TEXT_ATTACH)
score MIME_IMAGE_ONLY 2.00
describe MIME_IMAGE_ONLY Image body part but no text body parts

To use it, copy these five lines into the bottom of your \MDaemon\SpamAssassin\rules\local.cf file, then either restart MDaemon or create a mdspamd.sem file in the \MDaemon\App\ directory.

You may want to tweak the “Score”, but start with 2.0 as this rule hasn’t been aggressively tested so there is a higher risk of false positives then with the default SpamAssassin rules.

Lastly, it’s also worth mentioning that Outbreak Protection (part of SecurityPlus 4 and higher) is flagging these messages as spam.

UPDATE 2009/05/19: The above rule only works in MDaemon 10 and higher, for earlier versions, you’ll need one more line:

mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /image\/(?:gif|jpeg|png)/
(Thanks goes to “Greg Vancardo” for tracking this one down)