SpamAssassin, the most popular open-source spam fighting software, is used by email server administrators to reduce spam and improve user productivity. One of its features is dynamic lookups of domain names to check whether they appear on a DNS-based blocklist (DNSBL) maintained by web authorities.
First – a little background regarding the URIDNSBL component. This tool does not perform lookups on the actual email address domain names. Instead, the tool scans the content of the message for any URLs, and then runs the blocklist lookup against the domain names in those URLs.
The URIDNSBL extension should be initialized by default in most SpamAssassin installations. If you are not sure, open the init.pre configuration file in /etc/mail/spamassassin and check that the URIDNSBL plugin is loaded on startup. The file should contain the line below:
Next, check the location where updates are downloaded, and make sure that sa-update is consistently run, and that recent definitions have been installed. The update location should be /var/lib/spamassassin, followed by a folder with the most recent software version.
Finally, it's time to test and debug the plugin. The easiest way is to download the SpamAssassin test message and run a manual check. Note: the built-in test using "--lint" will not work in this situation, since DNS checks are not performed by that method.
Download the test spam email called "GTUBE" using wget, save it as gtube.txt, and add a line containing a URL to the body of the message. Next, run the command below:
spamassassin -D < gtube.txt
This command will run SpamAssassin in debug mode, and display every filter executed during the spam check. If you want to save the output to a file, use the following command:
echo "spamassassin -D < gtube.txt" > testspam.sh
sh ./testspam.sh &> spamoutput.txt
Note the use of the ampersand redirect (&>), which captures both standard output and standard error. This is necessary because the debug output is written to standard error (stderr) rather than to standard output. Now, read through spamoutput.txt and check whether the DNS blocklists are queried. There should be lines containing RBL checks for the main blocklists. Make a note of the DNS servers used for the checks.
The last step is to capture packets in a second terminal session to confirm that the DNS resolutions are actually performed. Run the following command in that parallel session:
tcpdump -i eth0 -ln host 192.168.1.1
In this example, replace 192.168.1.1 with the IP of your DNS server, and replace eth0 with your network interface. If you have several DNS servers, you may need to try more than one DNS server to see which one is currently used for the DNS resolution.
Now that the packet capture is in progress, run the spam test one more time and review the tcpdump output. See which DNS lookups were made, and make sure that they were actually performed. Using these advanced Linux debugging techniques, the URIDNSBL component of SpamAssassin can be fully tested and verified for proper function.
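The whole procedure above, as an added shell script that is not from the article or the SpamAssassin project: it checks init.pre for the plugin's loadplugin line, finds the newest sa-update version directory, builds a GTUBE message with a URL in its body, runs spamassassin -D with stderr captured, and counts the uridnsbl/dns debug lines. It assumes the article's default paths, the standard GTUBE string, debug lines prefixed with "dbg: uridnsbl:" or "dbg: dns:", and example.com as a placeholder domain.

```shell
#!/bin/sh
# Added example (not from the article or SpamAssassin): end-to-end check of
# the URIDNSBL plugin. Paths default to the article's; pass others as $2/$3.

# Standard GTUBE string; any message containing it is scored as spam.
GTUBE='XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'

# 1. Is the plugin loaded? Succeeds only on an uncommented loadplugin line.
plugin_enabled() {
    grep -Eq '^[[:space:]]*loadplugin[[:space:]]+Mail::SpamAssassin::Plugin::URIDNSBL([[:space:]]|$)' "$1"
}

# 2. Newest version directory under the sa-update root (e.g. 3.004006).
latest_rules_dir() {
    ls -1 "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+)*$' \
        | sort -t. -k1,1n -k2,2n | tail -n 1
}

# 3. GTUBE message with a URL in the body so URIDNSBL has a domain to query.
#    $1 is the domain to embed (example.com is a placeholder).
make_test_message() {
    printf 'From: sender@example.com\nTo: user@example.com\nSubject: GTUBE test\n\n%s\nhttp://%s/\n' \
        "$GTUBE" "$1"
}

# 4. Count debug lines from the uridnsbl plugin or the dns facility in a
#    saved -D log (assumed "dbg: <facility>: " prefix). Prints 0 if none.
rbl_check_lines() {
    grep -cE 'dbg: (uridnsbl|dns): ' "$1" || true
}

# Put it together: spamassassin -D writes its dbg: lines to stderr, so both
# streams are captured into spamoutput.txt for later inspection.
run_check() {
    init_pre=${1:-/etc/mail/spamassassin/init.pre}
    rules_root=${2:-/var/lib/spamassassin}
    if plugin_enabled "$init_pre"; then
        echo "URIDNSBL is loaded in $init_pre"
    else
        echo "WARNING: URIDNSBL is not loaded in $init_pre"
    fi
    echo "Newest rules directory: $(latest_rules_dir "$rules_root")"
    make_test_message example.com > gtube.txt
    spamassassin -D < gtube.txt > spamoutput.txt 2>&1
    echo "RBL/DNS debug lines seen: $(rbl_check_lines spamoutput.txt)"
    grep -E 'dbg: (uridnsbl|dns): ' spamoutput.txt | head -n 20
}
# Run the full check only when invoked as: sh uridnsbl_check.sh --run
if [ "${1:-}" = "--run" ]; then run_check "$2" "$3"; fi
```

Run the tcpdump command from the article in a second session before invoking the script with --run to confirm the lookups on the wire.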
Written by Andrew Palczewski
About the Author
Andrew Palczewski is CEO of apHarmony, a Chicago software development company. He holds a Master's degree in Computer Engineering from the University of Illinois at Urbana-Champaign and has over ten years' experience in managing development of software projects.