BigWil
Verified User
- Joined
- Aug 5, 2004
- Messages
- 313
My conclusions on SpamBlocker3/ClamAV/SpamAssassin. Problems, adjustments, etc. This is not a Howto but rather just feedback that one can take or leave. No disclaimer is required because no advice is given. If you think something might work for you give it a shot.
There are some nice new tricks in the new exim.conf that can cut back on spam considerably. However, there are a couple of caveats to make an admin ask himself if they are really worth it. Lets start with the main problem and work are way down followed by a few of my own adjustments and additions:
------------
deny message = Forged Gmail, not sent from your account.
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\N(gmail|google).com$\N}{no}{yes}}
This is a great new addition in that it will block those nasty spam messages coming off of one host and saying they are for example a gmail account. However here are the issues. As I recall Gmail lets you POP your gmail account and therefore the $sender_host_name doesn't always match the email addy domain. Calls regarding this have been minimal, solution below.
Tell them to use the SMTP server of for instance Gmail and not to use their dsl, cable, or dialin ISP's. Easy resolve.
Here is the BIG issue. Server softwares such as some e-commerce platforms allow for the configuration where when a Consumer places an order, and the Merchant gets the confirmation of the order, the confirmation comes From: the Consumer. This makes it easy for the Merchant to reply to the confirmation email in order to email the Consumer. But guess what happens when the Consumers' email address is a gmail address. The e-commerce software function dies with the error: Forged Gmail, not sent from your account.
Although it currently works badly for our purposes due to our use of two softwares that allow the above configuration, I still think it is a step in the right direction. For now here is the modification I made that allows the software to send if and only if it comes from "localhost".
Forged Gmail, not sent from your account.
deny message = Forged Gmail, not sent from your account.
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\N(gmail|google).com|localhost$\N}{no}{yes}}
This seems to work. I made the changes to all of these except for paypal.com. I only use Gmail here as an example.
In a perfect world there could be added a condition that if $sender_host_name doesn't match gmail and localhost is used that some sort of wrapper is used to log the entry into a /var/log/localforgeries log file. This way Admins can keep an eye on local script that may have been exploited which used a From:*@yahoo.com email address.
------------
Next I added a few parameters to the existing and these work great. I have already seen several bonified denies from what seem like spammers trying to hit the MX of record and doing a sloppy job of it.
smtp_banner = "SMTP" #added
message_size_limit = 20M
smtp_receive_timeout = 5m
smtp_accept_max = 100
message_body_visible = 3000
print_topbitchars = true
smtp_accept_max_nonmail = 7 #added
smtp_max_unknown_commands = 1 #added
smtp_accept_max_per_host = 5 #added
Google the last 3 for more info on those. The SMTP banner should really be a default as it leaves both spammers and hackers in the dark as to what MTA is being used. Always a good option not give them a starting point for their illegal activities.
------------
SORBS.ORG is still reporting DSL and Dialup customers that aren't really spammers but rather got stuck with an IP that previously was. This is a HUGE headache and accounts for about 30% of my customer support calls in a day. So if you want to cut back about 30% comment out the entry for safe.dnsbl.sorbs.net like so.
# deny using safe.dnsbl.sorbs.net
# deny message = Email blocked by SORBS - Some message here.
# hosts = !+relay_hosts
# domains = +use_rbl_domains
# !authenticated = *
# dnslists = safe.dnsbl.sorbs.net
-------------
I believe highly in fine tuning. The more fine tuning one does the more room is left for research and development. The use of sbl.spamhaus.org and not sbl-xbl.spamhaus.org is just that kind of instance. I have changed the sbl.spamhaus.org to sbl-xbl.spamhaus.org and commented out the cbl.abuseat.org like so.
# deny using spamhaus
deny message = Email blocked by SPAMHAUS - Some message here.
# only for domains that do want to be tested against RBLs
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = sbl-xbl.spamhaus.org
#....snip....#
# deny using cbl
# deny message = Email blocked by CBL - Some message here.
# hosts = !+relay_hosts
# domains = +use_rbl_domains
# !authenticated = *
# dnslists = cbl.abuseat.org
----------------
Another addition is that I added a couple of recommended ACL usages recommended by comrads on both the Exim and Spamassassin mailing lists.
# acl_smtp_connect = check_connect
acl_smtp_helo = check_helo #added
acl_smtp_vrfy = check_vrfy #added
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
#....snip....#
begin acl
#Right below the future implementation of the check_connect MX record check.
check_helo:
deny message = Your server announcement ($sender_helo_name) is a single word rather than a FQDN. This is in breach of RFC2821
condition = ${if match {$sender_helo_name} {\.} {no}{yes}}
deny message = Your server announces itself ($sender_helo_name) with a plain IP address which is in breach of RFC2821.
condition = ${if match {$sender_helo_name} {^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\$} {yes}{no}}
accept
check_vrfy:
deny message = VRFY not allowed - it assists spammers.
----------------
Last but not least I monitored the loads very carefully and saw great spikes due to SpamAssasin scanning friendly file attachments such as users sending others files, pictures, etc. The scores were all very low and I never did see a real piece of spam for this test. In the end I tested the theory that normally spam is always small in size (less than say 80k). So why scan the big stuff and risk the load on the server. So I decided not to scan any piece of mail greater than 80k in size.
In the Spamcheck_Director:
Below this:
{!def:h_X-Spam-Flag:} \
Added this:
{!>={$message_size}{80k}} \
#....snip....#
Below this:
deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
demime = bat:com
ifrf:scr:vbs
Added this:
warn message = X-Spam-Flag: Skipped scanning; size greater than 80KB
condition = ${if >={$message_size}{80k} {1}{0}}
And that about does it. Everything is smoooooth as silk over here now. Spam is very low or identified properly so that the customer can choose their desired options. Customers aren't calling anymore. Softwares on the servers are running accordingly and so far no vulnerability problems. Now I need a vacation but then again I needed one before I even started.
Big Wil
There are some nice new tricks in the new exim.conf that can cut back on spam considerably. However, there are a couple of caveats to make an admin ask himself if they are really worth it. Lets start with the main problem and work are way down followed by a few of my own adjustments and additions:
------------
deny message = Forged Gmail, not sent from your account.
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\N(gmail|google).com$\N}{no}{yes}}
This is a great new addition in that it will block those nasty spam messages coming off of one host and saying they are for example a gmail account. However here are the issues. As I recall Gmail lets you POP your gmail account and therefore the $sender_host_name doesn't always match the email addy domain. Calls regarding this have been minimal, solution below.
Tell them to use the SMTP server of for instance Gmail and not to use their dsl, cable, or dialin ISP's. Easy resolve.
Here is the BIG issue. Server softwares such as some e-commerce platforms allow for the configuration where when a Consumer places an order, and the Merchant gets the confirmation of the order, the confirmation comes From: the Consumer. This makes it easy for the Merchant to reply to the confirmation email in order to email the Consumer. But guess what happens when the Consumers' email address is a gmail address. The e-commerce software function dies with the error: Forged Gmail, not sent from your account.
Although it currently works badly for our purposes due to our use of two softwares that allow the above configuration, I still think it is a step in the right direction. For now here is the modification I made that allows the software to send if and only if it comes from "localhost".
Forged Gmail, not sent from your account.
deny message = Forged Gmail, not sent from your account.
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\N(gmail|google).com|localhost$\N}{no}{yes}}
This seems to work. I made the changes to all of these except for paypal.com. I only use Gmail here as an example.
In a perfect world there could be added a condition that if $sender_host_name doesn't match gmail and localhost is used that some sort of wrapper is used to log the entry into a /var/log/localforgeries log file. This way Admins can keep an eye on local script that may have been exploited which used a From:*@yahoo.com email address.
------------
Next I added a few parameters to the existing and these work great. I have already seen several bonified denies from what seem like spammers trying to hit the MX of record and doing a sloppy job of it.
smtp_banner = "SMTP" #added
message_size_limit = 20M
smtp_receive_timeout = 5m
smtp_accept_max = 100
message_body_visible = 3000
print_topbitchars = true
smtp_accept_max_nonmail = 7 #added
smtp_max_unknown_commands = 1 #added
smtp_accept_max_per_host = 5 #added
Google the last 3 for more info on those. The SMTP banner should really be a default as it leaves both spammers and hackers in the dark as to what MTA is being used. Always a good option not give them a starting point for their illegal activities.
------------
SORBS.ORG is still reporting DSL and Dialup customers that aren't really spammers but rather got stuck with an IP that previously was. This is a HUGE headache and accounts for about 30% of my customer support calls in a day. So if you want to cut back about 30% comment out the entry for safe.dnsbl.sorbs.net like so.
# deny using safe.dnsbl.sorbs.net
# deny message = Email blocked by SORBS - Some message here.
# hosts = !+relay_hosts
# domains = +use_rbl_domains
# !authenticated = *
# dnslists = safe.dnsbl.sorbs.net
-------------
I believe highly in fine tuning. The more fine tuning one does the more room is left for research and development. The use of sbl.spamhaus.org and not sbl-xbl.spamhaus.org is just that kind of instance. I have changed the sbl.spamhaus.org to sbl-xbl.spamhaus.org and commented out the cbl.abuseat.org like so.
# deny using spamhaus
deny message = Email blocked by SPAMHAUS - Some message here.
# only for domains that do want to be tested against RBLs
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = sbl-xbl.spamhaus.org
#....snip....#
# deny using cbl
# deny message = Email blocked by CBL - Some message here.
# hosts = !+relay_hosts
# domains = +use_rbl_domains
# !authenticated = *
# dnslists = cbl.abuseat.org
----------------
Another addition is that I added a couple of recommended ACL usages recommended by comrads on both the Exim and Spamassassin mailing lists.
# acl_smtp_connect = check_connect
acl_smtp_helo = check_helo #added
acl_smtp_vrfy = check_vrfy #added
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
#....snip....#
begin acl
#Right below the future implementation of the check_connect MX record check.
check_helo:
deny message = Your server announcement ($sender_helo_name) is a single word rather than a FQDN. This is in breach of RFC2821
condition = ${if match {$sender_helo_name} {\.} {no}{yes}}
deny message = Your server announces itself ($sender_helo_name) with a plain IP address which is in breach of RFC2821.
condition = ${if match {$sender_helo_name} {^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\$} {yes}{no}}
accept
check_vrfy:
deny message = VRFY not allowed - it assists spammers.
----------------
Last but not least I monitored the loads very carefully and saw great spikes due to SpamAssasin scanning friendly file attachments such as users sending others files, pictures, etc. The scores were all very low and I never did see a real piece of spam for this test. In the end I tested the theory that normally spam is always small in size (less than say 80k). So why scan the big stuff and risk the load on the server. So I decided not to scan any piece of mail greater than 80k in size.
In the Spamcheck_Director:
Below this:
{!def:h_X-Spam-Flag:} \
Added this:
{!>={$message_size}{80k}} \
#....snip....#
Below this:
deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
demime = bat:com
ifrf:scr:vbsAdded this:
warn message = X-Spam-Flag: Skipped scanning; size greater than 80KB
condition = ${if >={$message_size}{80k} {1}{0}}
And that about does it. Everything is smoooooth as silk over here now. Spam is very low or identified properly so that the customer can choose their desired options. Customers aren't calling anymore. Softwares on the servers are running accordingly and so far no vulnerability problems. Now I need a vacation but then again I needed one before I even started.
Big Wil
