RBL - how to Whitelist a host or IP that is in a blacklist?

SupermanInNY

Verified User
Joined
Sep 28, 2004
Messages
419
Hi All,

While I'm using RBL very successfully in eliminating high loads of spam, I do have on occasion one or two hosts or IPs that need to be excluded from the blacklists, even though they are showing in the RBLs that I'm using.
How, or where do I put the whitelists such that it will exclude it from the RBL. The whitelist should take precedence over the blacklist. How do I accomplish that?

Thanks,

-Alon.
 
You can put them in the following files.

Code:
/etc/virtual/whitelist_domains

and

/etc/virtual/whitelist_hosts
 
Hi Chatwizrd,

Thanks for the quick response.

I'll probably be using: whitelist_domains for specific domains that needs to be whitelisted.

I'm trying to confirm here something:

I'm placing domains like:


microsoft.com
someotherdomain.tld
blahblah.tld


Each domain in separate line.

And I'm just confirming, that means that traffic coming from any of the domains listed in the whitelist_domains file will be allowed to send email and pass through even though they are showing up, say, in sbl.spamhaus.org, which I'm using as one of the filters.
Is this correct? Am I doing it right?

Thanks,

-Alon.
 
Yes you are right. I have used it for quite some time with gmail because they seem to be blocked sometimes on the major spam engines.
 
chatwizrd said:
Yes you are right. I have used it for quite some time with gmail because they seem to be blocked sometimes on the major spam engines.

Thanks for the confirmation, my spam level has now reached dramatic lows of 5 emails per day, and those that did pass the RBL filters were captured in the SpamAssassin spam box.

This is great :)

I'll watch the mail and users on my server for the next week and see if there are any misses for specific domains that are supposed to be kept in. If I'm lucky and it is almost clean, I'll post my new exim.conf on the forum with my working filters :).

thanks,

-Alon
 
I forgot to confirm one more thing:

Whitelists do not need to have exim restarted....right?
Only what is in the exim.conf needs to have exim restarted. Correct?

Thanks,

-Alon.
 
Warning: Avoid using the whitelist domains file. It allows relays, that's how it was setup for the spamblocker scripts.
 
dan35 said:
Warning: Avoid using the whitelist domains file. It allows relays, that's how it was setup for the spamblocker scripts.

walk me through this logic please.

I have an RBL that lists microsoft (hmm... maybe I should actually leave it :D :D ).
How would you suggest I would deal with such a listing?

I don't expect to have more than 10 domains in the whitelist_domains file, most of the spam we get is usually viagra, antarim (whatever that is) and random stuff.
I have a few clients who are genuinely subscribed to a Microsoft newsletter, so how do I do the override for them?

Thanks for the input.

-Alon.
 
dan35 said:

Interesting.. I wish the discussion was outlined in the first page. I almost missed the important stuff which was only on the third page :)).

Thanks for the tip.

Now.. there was a suggestion by xemaps to do this:

#
drop message = Faked Yahoo
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
#


I'm not sure what that does.
Should I plug this into exim.conf with each of the domains that I was planning to use in the whitelist_domains?

Will this do the trick?
Is this how I should have it for Microsoft?

#
drop message = Faked Microsoft
senders = *@microsoft.com
condition = ${if match {$sender_host_name}{\Nmicrosoft.com$\N}{no}{yes}}
#

Is this the 'magic' fix?

thanks,

-Alon
 
Is there a safe way to ACL/whitelist a mail server?

lycos is blacklisted for me and I have a few users who are legitimate on it and they tried to email me, but got rejected.

If I can't use whitelist_domains, what can I use instead??
 
dan35 said:
Warning: Avoid using the whitelist domains file. It allows relays, that's how it was setup for the spamblocker scripts.
This statement is totally untrue. We've been using whitelist_domains since I wrote the SpamBlocker exim.conf file and we've never been an open relay.

All you have to do is make sure you use it with some understanding. Don't use it for any domains on the server, and don't use it for domains popularly used by spoofers.

Or use it with the Forged Mail Checks ACL addition found here.

Jeff
 
SupermanInNY said:
Is there a safe way to ACL/whitelist a mail server?

lycos is blacklisted for me and I have a few users who are legitimate on it and they tried to email me, but got rejected.

If I can't use whitelist_domains, what can I use instead??
You can use either whitelist_senders for specific email addresses, or whitelist_hosts if you can determine the hostnames.

Jeff
 
jlasman said:
This statement is totally untrue. We've been using whitelist_domains since I wrote the SpamBlocker exim.conf file and we've never been an open relay.

All you have to do is make sure you use it with some understanding. Don't use it for any domains on the server, and don't use it for domains popularly used by spoofers.

Or use it with the Forged Mail Checks ACL addition found here.

Jeff

I disagree, jlasman! Many servers got blacklisted due to the open relays caused by the whitelist_domains file. One of my servers got onto a spam list too since I put yahoo in its whitelist_domains file. 2GB-4GB of spam was sent through my server daily.
So I complained to DirectAdmin 'cause DA installed it by default, and I didn't see any warning about the whitelist_domains file in the config files.
Then John told me to avoid using the whitelist domains file because it allows relays, that's how it was setup for the spamblocker scripts.

So I have to warn other people to go to this thread if they don't want their server IPs in the spam blacklists.
 
I agree that SpamBlocker allows you to put your foot in your mouth if you want, in the interest of flexibility.

Don't use whitelist_domains for your own domains, or for domains that are likely to be forged, and you won't have any problems.

We've NEVER had a problem and we've got hundreds of domain names in some of our whitelist_domains files.

Here's what we do... when people ask to be whitelisted we whitelist their domain if it's their own, or if it's not, then we whitelist their email address (whitelist_senders). If we can get the list of outgoing email programs for hotmail and the like we put the server names into whitelist_hosts.

It works well for us. I'm sorry if it doesn't work for you. It was not a design decision to make your server an open relay as you imply.

I suppose you'd rather we not have a whitelist_domains file, but of course you don't have to use it.

Jeff
 
I do believe that whitelist_domains has its uses and would not want to see that functionality go away but at the same time I can understand people's frustration with the open relaying hole it causes.

When I installed the Spamblocker 2 upgrade I followed the instructions here...

http://www.directadmin.com/forum/showthread.php?s=&threadid=10036&highlight=spamblocker

There is nothing in these instructions that indicated any potential security risk and nothing in the documentation inside the exim.conf file I have either (my version is SpamBlocker.exim.conf.2.0-release).

I understand that it is only a risk if people can guess what domains you have whitelisted, but considering the problems that gmail (and others) have had keeping off of blocklists I would guess that many of us have included gmail.com in the whitelist file. If I was a hacker looking for an open relay that is where I would start.

I was lucky, I don't believe my server was ever exploited that way (except by me as a test to determine that the problem did indeed exist.)

It seems that the solution is fairly simple: include some code like the following in the exim.conf file to check for forged headers. You will need one entry like this for each domain in your whitelist_domains file.

Code:
drop message = Forged Gmail, connection denied!
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\Ngmail.com$\N}{no}{yes}}
delay = 20s

I believe that the best place to insert this is after "accept hosts = :" in the "local source whitelist" section and before the "sender domains whitelist" section in /etc/exim.conf. If you put them after the "sender domains whitelist" section I don't think they will work because exim will accept the email before checking for the forged header.

More information on this can be found here...

http://www.directadmin.com/forum/sh...7&perpage=20&highlight=delay 20s&pagenumber=4

Thank you to xemaps for his work on this and to Jeff for providing us with SpamBlocker in the first place.

It seems to me that it may be a good idea to include the forged mail checks in the default exim.conf file for some of the major domains (like gmail and paypal). I would think that doing so could help block email from scammers engaging in phishing schemes.
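An added Python model of the advice in this thread (not code from the thread, DirectAdmin or SpamBlocker): it audits a constructed whitelist_domains list against the rules given above (never whitelist a local domain; pair commonly spoofed domains with a forged-mail check), emits one drop stanza per domain, and models the stanza's decision. The file contents, domain sets and host names are constructed, and the host-name regex is anchored more tightly than the bare `gmail.com$` in the post.

```python
import re

# Constructed stand-ins for /etc/virtual/whitelist_domains and the server's
# own domain list (contents assumed; adjust to your server).
WHITELIST_DOMAINS_FILE = """\
gmail.com
# comment lines and blanks are ignored
microsoft.com
example-customer.tld
"""
LOCAL_DOMAINS = {"example-customer.tld"}          # domains hosted on this box
COMMONLY_FORGED = {"gmail.com", "yahoo.com", "paypal.com"}  # constructed list


def parse_list(text):
    """One domain per line, lower-cased; '#' comments and blank lines skipped."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def audit(domains, local=LOCAL_DOMAINS, forged=COMMONLY_FORGED):
    """Apply the thread's rules: never whitelist a local domain, and pair
    a commonly spoofed domain with a forged-mail check stanza."""
    report = {}
    for d in domains:
        if d in local:
            report[d] = "unsafe: local domain, remove it"
        elif d in forged:
            report[d] = "needs forged-mail check"
        else:
            report[d] = "ok"
    return report


def host_pattern(domain):
    # Anchored: the rDNS name must be the domain or a subdomain of it,
    # so "notgmail.com" no longer passes as the thread's bare gmail.com$ would.
    return re.compile(r"(^|\.)" + re.escape(domain) + r"$", re.IGNORECASE)


def forged_check_acl(domain):
    """Emit the drop stanza from the thread for one domain (one per entry)."""
    return (f"drop message = Forged {domain}, connection denied!\n"
            f"     senders = *@{domain}\n"
            f"     condition = ${{if match {{$sender_host_name}}"
            f"{{\\N{host_pattern(domain).pattern}\\N}}{{no}}{{yes}}}}\n"
            f"     delay = 20s\n")


def would_drop(sender, sender_host_name, domain):
    """Model of that stanza: drop when MAIL FROM claims the domain but the
    connecting host's rDNS name is not under it (no rDNS at all drops too)."""
    if sender.rpartition("@")[2].lower() != domain:
        return False            # 'senders = *@domain' does not match
    return host_pattern(domain).search(sender_host_name) is None
```

The `would_drop` model makes the caveat raised later in the thread visible: a message from a gmail.com sender delivered by a google.com host is dropped by this check.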
 
There is some question on another thread about google servers being used for gmail. That needs to be resolved before we start using the code for Google.

Jeff
 
You want a list of BLs?


Here is a great tool I found; it tells you exactly why the IP you are checking is listed, and where.


http://openrbl.org/client/

I used this list and it makes it really easy to see which lists are more active.
 
Please see my post on the other thread; I found some important issues that break email if the helo based checking is used.

Jeff
 