There are currently two ways in which sites contribute to our open relay and open proxy detection effort.
In the first method, contributing sites generate lists of the relay IPs that have sent mail into their servers, usually once a day by parsing the system's mail log. Our system picks up these relay lists each morning via HTTP and tests the IPs. The data format is ASCII text, one IP address per line; we can also handle files in which each line reads 'Relay: a.b.c.d', where a.b.c.d is an IP address.
For systems running sendmail, this perl code reads syslog/maillog data on STDIN and writes relay IP addresses on STDOUT. If you rotate your maillog daily, just have a cron job run

    cat maillog.1 | rtgrab.pl | sort | uniq > relays

after log rotation. If you rotate logs less frequently, the script can be run shortly after midnight to prepare a list of the previous day's relays. An NJABL contributor wrote and submitted this perl script, which creates a file listing all relay IPs from the previous day from one or more log files in a single command, without piping data from one program to another.
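The log-parsing step described above, as an added example in Python (not NJABL's own rtgrab.pl or the contributed Perl script, which are not reproduced on this page). It assumes the standard sendmail log fields (from=, to=, relay=), treats only from= lines as inbound connections, skips addresses a remote relay tester could not reach, and also parses a fetched list in either of the two accepted formats. The maillog lines are constructed sample data, not real traffic.

```python
"""Relay-list builder for the log-parsing contribution method.

Reads sendmail syslog/maillog lines, extracts the IP of each host that
sent mail *into* the server, and emits one IP per line, i.e. the job of
`cat maillog.1 | rtgrab.pl | sort | uniq > relays` in one program.
"""
import ipaddress
import re
import sys

# Sendmail logs the connecting host as "relay=host [ip]" or "relay=[ip]";
# "(may be forged)" follows when forward and reverse DNS disagree, and an
# IPv6 address is written as "[IPv6:...]".
RELAY_RE = re.compile(
    r"\brelay=(?:[^\s\[,]+\s*)?\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")
# A submitted list line is either "a.b.c.d" or "Relay: a.b.c.d".
LIST_LINE_RE = re.compile(r"^\s*(?:Relay:\s*)?(\S+)\s*$")

# Addresses a remote relay tester could never connect to.  Kept explicit
# rather than using ipaddress.is_private, which would also drop the RFC 5737
# documentation ranges used in the constructed sample below.
UNTESTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fe80::/10", "fc00::/7", "ff00::/8")]


def relay_ip(line):
    """Connecting IP for an inbound (from=) sendmail log line, else None.

    'to=' lines carry relay= as well, but there it names the host *we*
    delivered to, which never connected to us, so they are skipped.  Local
    submissions (relay=user@localhost), malformed addresses and untestable
    ranges also yield None.
    """
    if "from=<" not in line:
        return None
    m = RELAY_RE.search(line)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    if any(ip in net for net in UNTESTABLE):
        return None
    return str(ip)


def extract_relays(lines, day=None):
    """Sorted, de-duplicated relay IPs from an iterable of maillog lines.

    `day` is an optional syslog date prefix such as "Mar  4" (two spaces
    before a single-digit day) to pick the previous day's entries out of a
    log that is rotated less often than daily.
    """
    found = set()
    for line in lines:
        if day is not None and not line.startswith(day):
            continue
        ip = relay_ip(line)
        if ip is not None:
            found.add(ip)
    # IPv4 and IPv6 objects do not compare with each other: sort by
    # (version, address).
    return sorted(found, key=lambda s: (ipaddress.ip_address(s).version,
                                        ipaddress.ip_address(s)))


def parse_relay_list(text):
    """Parse a fetched relay list in either accepted format, skipping junk."""
    ips = []
    for line in text.splitlines():
        m = LIST_LINE_RE.match(line)
        if m is None:
            continue
        try:
            ips.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue  # never hand a malformed token to the relay tester
    return ips


# Constructed sample maillog (RFC 5737 / RFC 3849 addresses, not real traffic).
SAMPLE_LOG = """\
Mar  4 00:12:01 mx1 sendmail[4711]: h240C1aB004711: from=<alice@example.org>, size=2048, class=0, nrcpts=1, msgid=<a1@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
Mar  4 00:12:02 mx1 sendmail[4712]: h240C1aB004711: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=32048, dsn=2.0.0, stat=Sent
Mar  4 01:30:15 mx1 sendmail[4800]: h241UFxx004800: from=<spam@invalid.test>, size=9000, class=0, nrcpts=5, msgid=<z@invalid.test>, proto=SMTP, daemon=MTA, relay=[198.51.100.77] (may be forged)
Mar  4 02:00:00 mx1 sendmail[4900]: h2420000004900: from=<alice@example.org>, size=100, class=0, nrcpts=1, msgid=<a2@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
Mar  4 02:05:00 mx1 sendmail[4901]: h2425000004901: to=<carol@example.net>, ctladdr=<alice@example.org>, delay=00:00:01, mailer=esmtp, pri=30100, relay=mx.example.net. [203.0.113.9], dsn=2.0.0, stat=Sent
Mar  4 03:00:00 mx1 sendmail[4950]: h2430000004950: from=<root@localhost>, size=50, class=0, nrcpts=1, msgid=<r@mx1>, relay=root@localhost
Mar  4 03:10:00 mx1 sendmail[4960]: h2431000004960: from=<v6@example.com>, size=70, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[IPv6:2001:db8::5]
Mar  5 00:00:30 mx1 sendmail[5000]: h2500000005000: from=<late@example.com>, size=1, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[10.0.0.5]
"""

if __name__ == "__main__":
    # Usage: rtgrab.py [day-prefix] < maillog.1 > relays
    day = sys.argv[1] if len(sys.argv) > 1 else None
    for ip in extract_relays(sys.stdin, day):
        print(ip)
```

The one check worth carrying over to any script you write yourself is the from=/to= distinction: sendmail's delivery (to=) records also contain a relay= field, and taking those would put the hosts you deliver mail to into the list of hosts to be relay tested.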
In the newer (and preferred) method, we generate relay lists by watching DNS queries for qwdnsbl.njabl.org and qwdynablock.njabl.org. These zones are identical in content to dnsbl.njabl.org and dynablock.njabl.org. They were set up because software such as SpamAssassin looks up IPs from more than just the last Received: line, i.e. IPs that never connected to the contributing server; SpamAssassin, which may be configured to check dnsbl.njabl.org (a default in recent SpamAssassin versions), generates dnsbl.njabl.org queries, and those are no longer "watched" and queued for testing. A contributing server instead sends its MTA's queries as qwdnsbl.njabl.org or qwdynablock.njabl.org, and only those queries are watched. In order to limit these relay lists to only those IPs that have actually connected to participating mail servers, we can only watch the queries from servers that meet the following criteria:
More complicated DNS configurations that meet the spirit of the above are also acceptable, for example a DNS server configured to allow recursive qwdnsbl.njabl.org or qwdynablock.njabl.org queries only from certain hosts (i.e. your mail server(s)).
With this method, IPs are normally queued for testing within minutes of being queried, so open relays and proxies are detected almost immediately; that is why it is preferred.
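What the query-watching side has to do, as an added example (not NJABL's own watcher, whose code is not on this page): decode the reversed-octet names under the two qw* zones back into IP addresses, ignore dnsbl.njabl.org queries such as SpamAssassin's, and accept queries only from the permitted mail server(s). The resolver log lines are constructed in an assumed BIND 9 query-log shape; the field layout and the allowed-client check are assumptions for the example, not a description of NJABL's setup.

```python
"""Decode the IPs a contributing MTA looked up, from a resolver query log.

Only names under the watched qw* zones are decoded; dnsbl.njabl.org
queries (what SpamAssassin generates for every Received: header) are
ignored, and so are queries from hosts other than the mail server(s).
"""
import ipaddress
import re

WATCHED_ZONES = ("qwdnsbl.njabl.org", "qwdynablock.njabl.org")
# Assumed BIND 9 query-log shape (older style, used for the constructed sample):
#   <date> <time> client <ip>#<port>: query: <name> IN <type> <flags> (<server>)
QUERY_RE = re.compile(r"\bclient (\S+)#\d+: query: (\S+) IN (\S+)")


def decode_dnsbl_name(qname, zones=WATCHED_ZONES):
    """'d.c.b.a.<zone>' -> 'a.b.c.d'; None if the name is not under a watched
    zone or its prefix is not a valid reversed IPv4 address."""
    name = qname.rstrip(".").lower()
    for zone in zones:
        if name.endswith("." + zone):
            labels = name[:-len(zone) - 1].split(".")
            if len(labels) != 4:
                return None
            try:
                return str(ipaddress.IPv4Address(".".join(reversed(labels))))
            except ValueError:
                return None
    return None


def watched_ips(log_lines, allowed_clients, zones=WATCHED_ZONES):
    """IPs to queue for relay/proxy testing: A-record queries under the
    watched zones, from permitted clients only, de-duplicated and sorted."""
    allowed = {str(ipaddress.ip_address(c)) for c in allowed_clients}
    found = set()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m is None or m.group(3) != "A":
            continue
        client, qname = m.group(1), m.group(2)
        if client not in allowed:
            continue  # e.g. a workstation running SpamAssassin by hand
        ip = decode_dnsbl_name(qname, zones)
        if ip is not None:
            found.add(ip)
    return sorted(found, key=ipaddress.IPv4Address)


# Constructed resolver log: 192.0.2.20 is the contributing MTA, 198.51.100.200
# is some other host on the same resolver (RFC 5737 addresses, not real traffic).
SAMPLE_QUERY_LOG = """\
04-Mar-2003 00:12:01.123 client 192.0.2.20#53451: query: 10.2.0.192.qwdnsbl.njabl.org IN A + (192.0.2.1)
04-Mar-2003 00:12:01.456 client 192.0.2.20#53452: query: 10.2.0.192.qwdynablock.njabl.org IN A + (192.0.2.1)
04-Mar-2003 00:12:05.000 client 192.0.2.20#53460: query: 77.100.51.198.dnsbl.njabl.org IN A + (192.0.2.1)
04-Mar-2003 00:13:00.000 client 198.51.100.200#1234: query: 9.113.0.203.qwdnsbl.njabl.org IN A + (192.0.2.1)
04-Mar-2003 00:15:00.000 client 192.0.2.20#53480: query: www.example.com IN A + (192.0.2.1)
04-Mar-2003 00:16:00.000 client 192.0.2.20#53481: query: 1.2.3.qwdnsbl.njabl.org IN A + (192.0.2.1)
"""

if __name__ == "__main__":
    for ip in watched_ips(SAMPLE_QUERY_LOG.splitlines(), ["192.0.2.20"]):
        print(ip)
```

Run against the sample, only 192.0.2.10 comes out: the dnsbl.njabl.org lookup of 198.51.100.77 is deliberately not watched, and the lookup of 203.0.113.9 is dropped because it came from a host that is not a permitted mail server, which is the property the DNS criteria above are there to guarantee.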
Ideally, every contributing mail server's SMTP banner should also include a notice along the lines of "By connecting to this server, you agree to be open relay tested."
In sendmail, this can be done by adding the following line to your sendmail .mc file:
define(`confSMTP_LOGIN_MSG', `$j Sendmail $v/$Z; $b. By connecting to this server, you agree to be open relay tested.')
In qmail, add the same text to the greeting in your qmail/control/smtpgreeting file.
We've gotten some complaints from remote admins that our relay test messages are unsolicited, and therefore spam. It's ironic that in our fight against spam we've been branded spammers. Adding a message similar to the above to SMTP banners may make our tests seem a little less "unsolicited", though to some people it will surely make no difference at all. It does at least notify or warn anyone connecting to the mail server that they may be relay tested.
If you would like to contribute relay lists, or you maintain servers that meet the above requirements and would like to be a contributor, please contact help at mail.njabl.org.
We've also begun to archive spam from direct spam sources as evidence that they are spam sources. We are currently able to accept such submissions only from a few trusted sources, and plan to set up a system to handle submissions from a wider selection of sources in the future.