
Thread: SpamBlocker-Powered exim.conf, Version 4

  1. #261
    (Join Date: Sep 2008, Location: London UK, Posts: 1,482)
    Also, started to get lots of:
    2012-07-27 16:57:14 Received from <> R=1Sumuc-0006xA-S5 U=mail P=local S=1048 T="Autoreply: \"FW: Test message\""
    2012-07-27 16:57:14 routing failed for xxxx@hotmail.com F=<>: Unrouteable address
    *** Frozen (delivery error message)
    What is that all about?

    Might as well revert back to v2 config.

    Edit: OK, I know why: "The unknown account has just finished sending 1000 emails." is blocking, but ever since I changed to 4.1, I get these messages...

    Edit:
    Received from <>
    I'm not sure why Vacation replies are not setting a sender address, therefore adding to the unknown usage? Am I right that there's no sender address?
    Last edited by Peter Laws; 07-28-2012 at 02:29 AM.

  2. #262
    (Join Date: Oct 2004, Location: London, UK, Posts: 6,641)
    Maybe you should ask Jeff Lasman (nobaloney), who wrote the spamblocker file and can for sure give a better reply.

    Honestly I don't know where you can edit the file to fit your needs.

    Sorry

    Regards
    SeLLeRoNe - Andrea Iannucci
    DevOps Engineer - System Administrator
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  3. #263
    (Join Date: Sep 2008, Location: London UK, Posts: 1,482)
    I just don't know why the unknown user is being used a lot - there are no hacked accounts (even though most are set to a 260 day limit), nor any dodgy phpmail forms being used (it wouldn't even register with exim, would it, if phpmail() was used?).

    But yeah, let's hope Jeff sees this... In the meantime, I've increased the limit_unknown file, so that mail can get to its destination at least within 24 hours...

    Shame though, it's doing such a good job in detecting and rejecting pesky spam. lol

    Also, the reason the "HELO" block was still happening: as the client was using Outlook 2003, it seems it wasn't saving any preferences. I think we have sorted this part out at least.

  4. #264
    (Join Date: Oct 2004, Location: London, UK, Posts: 6,641)
    Did you update the exim.pl file once you updated the exim.conf?

    Regards
    SeLLeRoNe - Andrea Iannucci

  5. #265
    (Join Date: Sep 2008, Location: London UK, Posts: 1,482)
    Quote Originally Posted by SeLLeRoNe:
    Did you update the exim.pl file once you updated the exim.conf?
    VERSION=10

    To be honest, I only updated it when this limit feature was implemented, so I automatically assumed it was compatible with SB4.1?

  6. #266
    (Join Date: Jun 2003, Location: California, Posts: 26,123)
    I see it. I don't know what to do about it because I'm still unsure of the exact issue. Exim is designed to work according to the RFCs, and my spamblocker file works as closely to the RFCs as possible. I recommend NOT opening up your server to be an open relay on port 25, for obvious reasons.

    And I believe (am I wrong?) that exim isn't responsible if your email isn't being sent as the correct user.

    I recommend using the latest version of exim.pl; when I rebuild exim.conf I only test against the latest version of exim.pl.

    If I've missed something, or if you have a specific question within the realm of SpamBlocker exim.conf version 4.1, ask and I'll do my best to respond.

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

  7. #267
    (Join Date: Sep 2008, Location: London UK, Posts: 1,482)
    Which is the latest exim.pl? Version 10? If so, I've already got that.

    Even with increasing limit_unknown, still get warnings.

    Maybe I'm not explaining properly. The issue was that a client was getting this "HELO" block even though he was using port 587. Turns out that it was their fault, as Outlook never saved any preferences and hence was still trying to connect to port 25.
    This part has all been sorted. Now it's this unknown user issue.

    And I believe (am I wrong?) that exim isn't responsible if your email isn't being sent as the correct user.
    Here's a snippet of my last warning today:
    After some processing of the /etc/virtual/usage/unknown.bytes file, it was found that the highest sender was pgarcia@credilasa.com.mx, at 3 emails.
    Not sure what that means, unless DA gets the highest sender? I also get some with a blank sender:
    After some processing of the /etc/virtual/usage/unknown.bytes file, it was found that the highest sender was , at nn emails.
    All I can think is this unknown user is being used for bounces? (If it was an actual account, it'll say the user and their limit in the admin's warning of the limit hit email that's sent). As when they get frozen, the Sender column in the Mail Queue in DA is blank (well, <>). But 2,500 (was set to 1,000) bounces or unknown senders is a hell of a lot?

    I admit that I'm no expert with exim's logs etc., so I can't really debug as I do not know what to look for.

  8. #268
    (Join Date: Sep 2008, Location: London UK, Posts: 1,482)
    To add, as I'm using RBLs now:

    My DNS servers (at the data centre) are dodgy, so I opted to use Google & OpenDNS. However, I was advised not to, as:
    You end up with invalid responses from SBLs like Spamhaus because the lookups are DNS based (and Google will reply with NXDOMAIN, whilst OpenDNS will reply with a default IP address for their search page). So on a mail server, install your own internal DNS resolver or use DNSMASQ.
    Is this true?

    I tried 127.0.0.1 and some RBLs couldn't be found (using nslookup), whereas they could when using Google or OpenDNS:
    # nslookup zen.spamhaus.org
    Server: 127.0.0.1
    Address: 127.0.0.1#53
    Non-authoritative answer:
    *** Can't find zen.spamhaus.org: No answer
    ~# nslookup zen.spamhaus.org
    Server: 208.67.222.222
    Address: 208.67.222.222#53

    Non-authoritative answer:
    Name: zen.spamhaus.org
    Address: 67.215.77.132
    Are there any drawbacks from using local 127.0.0.1 for lookups?
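The mismatch in the two nslookup results above comes from how DNSBL answers are encoded. The following is an added example (not from the thread or from SpamBlocker) that builds a DNSBL query name, interprets the answer per RFC 5782 (listings live in 127.0.0.0/8, with Spamhaus reserving 127.255.255.0/24 for error signals), and runs the RFC's own self-test against two constructed resolvers: one that returns an empty answer for unknown names and one that, like the OpenDNS reply in the post, turns every NXDOMAIN into a web-page address. `local_resolve`, `search_page_resolve` and the answer table are constructed stand-ins; nothing is queried over the network.

```python
import ipaddress
from typing import Callable, Iterable, List

Resolver = Callable[[str], List[str]]   # name -> A records; [] when there is no answer

DNSBL_RANGE = ipaddress.IPv4Network("127.0.0.0/8")
SPAMHAUS_ERROR_RANGE = ipaddress.IPv4Network("127.255.255.0/24")

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Form the DNSBL query: IPv4 octets reversed, followed by the list's zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify_answer(answers: Iterable[str]) -> str:
    """Interpret the A records returned for a DNSBL query.
    A listing is an answer inside 127.0.0.0/8 (RFC 5782); Spamhaus uses
    127.255.255.0/24 for error codes such as 'query via a public resolver'.
    Anything outside 127/8 is not a DNSBL answer at all, which is what a
    resolver that rewrites NXDOMAIN into its search-page address produces."""
    codes = [ipaddress.IPv4Address(a) for a in answers]
    if not codes:
        return "not_listed"
    if any(c not in DNSBL_RANGE for c in codes):
        return "bogus_resolver"
    if any(c in SPAMHAUS_ERROR_RANGE for c in codes):
        return "lookup_error"
    return "listed"

def check_ip(ip: str, zone: str, resolve: Resolver) -> str:
    return classify_answer(resolve(dnsbl_query_name(ip, zone)))

def resolver_is_usable(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 self-test: 127.0.0.2 is always listed, 127.0.0.1 never is.
    A resolver that fails this will also give wrong results in the ACL."""
    return (check_ip("127.0.0.2", zone, resolve) == "listed"
            and check_ip("127.0.0.1", zone, resolve) == "not_listed")

# Constructed answer table standing in for the list zone (no network access).
_ZONE_DATA = {"2.0.0.127.zen.spamhaus.org": ["127.0.0.2"]}

def local_resolve(name: str) -> List[str]:
    """Stand-in for a plain recursive resolver: unknown names get an empty answer."""
    return _ZONE_DATA.get(name, [])

def search_page_resolve(name: str) -> List[str]:
    """Stand-in for a resolver that answers every NXDOMAIN with its own web
    page address, like the 67.215.77.132 reply for zen.spamhaus.org above."""
    return _ZONE_DATA.get(name) or ["67.215.77.132"]

if __name__ == "__main__":
    for label, r in (("local", local_resolve), ("search-page", search_page_resolve)):
        print(label, "usable for DNSBL lookups:", resolver_is_usable("zen.spamhaus.org", r))
```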

  9. #269
    (Join Date: Jun 2003, Location: California, Posts: 26,123)
    Quote Originally Posted by Peter Laws:
    Are there any drawbacks from using local 127.0.0.1 for lookups?
    The main reason is that you shouldn't have your local DNS server set to do recursive lookups; authoritative nameservers should be just that, and only that, to avoid DNS cache poisoning issues.

    I've never had a problem with using Google's nameservers, but I have no idea what you mean by "for their search page", so maybe I'm missing something in your post.

    Jeff

  10. #270
    (Join Date: Sep 2008, Location: London UK, Posts: 1,482)
    #EDIT#40:
    deny message = Forged Paypal Mail, not sent from PayPal.
    senders = *@paypal.com
    condition = ${if match {$sender_host_name}{\Npaypal.com$\N}{no}{yes}}
    I'm noticing that spoof emails are getting through. Is this 100% working, or does it work intermittently?
    From - Thu Aug 16 11:19:37 2012
    X-Account-Key: account13
    X-UIDL: 000000384dc98c70
    X-Mozilla-Status: 0000
    X-Mozilla-Status2: 00000000
    X-Mozilla-Keys:
    Return-path: <wwwrun@gvelho.ulusofona.pt>
    Envelope-to: accounts@co.uk
    Delivery-date: Thu, 16 Aug 2012 10:49:54 +0100
    Received: from mail by server3.laws-hosting.co.uk with spam-scanned (Exim 4.76)
    (envelope-from <wwwrun@gvelho.ulusofona.pt>)
    id 1T1wiA-0007Cu-H2
    for accounts@co.uk; Thu, 16 Aug 2012 10:49:54 +0100
    X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
    server3.laws-hosting.co.uk
    X-Spam-Level:
    X-Spam-Status: No, score=0.3 required=4.0 tests=BAYES_00,HTML_IMAGE_RATIO_06,
    HTML_MESSAGE,MIME_HEADER_CTYPE_ONLY,MIME_HTML_ONLY,RDNS_NONE autolearn=no
    version=3.3.1
    Received: from [193.137.75.138] (helo=gvelho.ulusofona.pt)
    by server3.laws-hosting.co.uk with esmtp (Exim 4.76)
    (envelope-from <wwwrun@gvelho.ulusofona.pt>)
    id 1T1wiA-0007Co-9I
    for accounts@co.uk; Thu, 16 Aug 2012 10:49:54 +0100
    Received: by gvelho.ulusofona.pt (Postfix, from userid 30)
    id 0B6FCD66F; Thu, 16 Aug 2012 10:30:16 +0100 (WEST)
    To: accounts@co.uk
    Subject: Limited Account !
    X-PHP-Originating-Script: 30:slave1.php
    From: PayPal <service@paypal.co.uk>
    Content-Type: text/html
    Message-Id: <20120816093016.0B6FCD66F@gvelho.ulusofona.pt>
    Date: Thu, 16 Aug 2012 10:30:16 +0100 (WEST)
    X-Antivirus-Scanner: Seems clean. You should still use an Antivirus Scanner

  11. #271
    (Join Date: Jun 2003, Location: California, Posts: 26,123)
    It should work. Is the mailbox address on this server, or is it being forwarded elsewhere?

    Is the email being whitelisted or accepted above the #Edit#40 stanza?

    I've never seen these forgeries get through.

    Jeff

  12. #272
    (Join Date: Oct 2004, Location: London, UK, Posts: 6,641)
    Just a question about this.

    To me it seems normal, because the rule is: senders = *@paypal.com
    And the email source you posted has: From: PayPal <service@paypal.co.uk>

    So there is no match on the domain and the rule should not be called, am I wrong?

    Regards
    SeLLeRoNe - Andrea Iannucci

  13. #273
    (Join Date: Sep 2008, Location: London UK, Posts: 1,482)
    Quote Originally Posted by SeLLeRoNe:
    Just a question about this.

    To me it seems normal, because the rule is: senders = *@paypal.com
    And the email source you posted has: From: PayPal <service@paypal.co.uk>
    AFAIK, it checks the hostname:
    condition = ${if match {$sender_host_name}{\Npaypal.com$\N}{no}{yes}}
    so regardless of whether the Sender is @paypal.xxx, it still would be blocked?

    Wrong/Fake:
    Received: from [193.137.75.138] (helo=gvelho.ulusofona.pt)
    by server3.laws-hosting.co.uk with esmtp (Exim 4.76)
    (envelope-from <wwwrun@gvelho.ulusofona.pt>)
    Right/Genuine:
    Received: from mx3.slc.paypal.com ([173.0.84.228] helo=mx2.slc.paypal.com)
    by server3.laws-hosting.co.uk with esmtp (Exim 4.76)
    (envelope-from <payment@paypal.com>)
    Last edited by Peter Laws; 08-17-2012 at 06:54 AM.

  14. #274
    (Join Date: Jun 2003, Location: California, Posts: 26,123)
    Quote Originally Posted by Peter Laws:
    AFAIK, it checks the hostname:

    so regardless of whether the Sender is @paypal.xxx, it still would be blocked?
    I see what SeLLeRoNe means.

    My code checks the sender against the hostname, and if the sender is @paypal.co.uk, falsifications will get through because the hostname won't even be checked.

    So to fix it I need to know which domains PayPal sends from.

    Please let me know by replying here with all the known senders from which you get known good PayPal email, and I'll be happy to make the code more robust.

    Thanks for bringing this to my attention SeLLeRoNe.

    Jeff
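The gap SeLLeRoNe spotted and Jeff confirmed can be shown by modelling the #EDIT#40 stanza: Exim's `senders` condition compares the envelope sender (`$sender_address`), not the From: header, so the forgery in #270 (envelope-from wwwrun@gvelho.ulusofona.pt, From: service@paypal.co.uk) never reaches the hostname test. The following is an added example, not code from exim.conf or from the thread; `edit40_denies` mirrors the posted stanza, and `hardened_denies` is a proposed alternative that checks both the envelope sender and the From: header against the PayPal domains the thread lists, using an anchored pattern (the original `paypal.com$` has an unescaped dot and no label boundary, so it also matches a host like `mail.notpaypal.com`). `PAYPAL_DOMAINS` is only what posters reported, not an authoritative list.

```python
import re
from email.utils import parseaddr

# Domains the thread reports PayPal mail using (as listed by the posters, not authoritative).
PAYPAL_DOMAINS = frozenset({"paypal.com", "paypal.co.uk", "intl.paypal.com", "emea.e.paypal.com"})

def _domain(addr: str) -> str:
    """Lower-cased domain of a bare address or a From: mailbox; '' for the null sender <>."""
    spec = parseaddr(addr)[1] or addr
    return spec.strip("<>").rpartition("@")[2].lower()

def edit40_denies(envelope_from: str, sender_host_name: str) -> bool:
    """Mirror of the #EDIT#40 stanza as posted.
    'senders = *@paypal.com' is evaluated against the envelope sender only; the
    condition on $sender_host_name (the verified reverse-DNS name, empty when the
    connecting IP has none) is only reached when that matched."""
    if _domain(envelope_from) != "paypal.com":
        return False
    # condition = ${if match {$sender_host_name}{\Npaypal.com$\N}{no}{yes}}
    return re.search(r"paypal.com$", sender_host_name) is None

def paypal_host(sender_host_name: str) -> bool:
    """True only for paypal.com itself or one of its sub-domains."""
    return re.search(r"(^|\.)paypal\.com$", sender_host_name.lower()) is not None

def hardened_denies(envelope_from: str, from_header: str, sender_host_name: str) -> bool:
    """Proposed variant: deny when the envelope sender OR the From: header claims
    one of PAYPAL_DOMAINS while the connecting host's verified name is not PayPal's.
    A buyer's own address in From: with a paypal.com envelope still passes on the
    envelope, matching the payment notifications described later in the thread."""
    claimed = {_domain(envelope_from), _domain(from_header)} & PAYPAL_DOMAINS
    return bool(claimed) and not paypal_host(sender_host_name)

if __name__ == "__main__":
    # Values taken from the two Received: headers quoted in post #273.
    fake = ("wwwrun@gvelho.ulusofona.pt", "PayPal <service@paypal.co.uk>", "")   # no rDNS (RDNS_NONE)
    genuine = ("payment@paypal.com", "<service@paypal.co.uk>", "mx3.slc.paypal.com")
    for name, (env, hdr, host) in (("fake", fake), ("genuine", genuine)):
        print(name, "edit40:", edit40_denies(env, host), "hardened:", hardened_denies(env, hdr, host))
```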

  15. #275
    (Join Date: Sep 2008, Location: London UK, Posts: 1,482)
    It's always paypal.com (host) for me, but it could be paypal.co.uk as the sender/from (but still paypal.com in the return-path, etc. headers); if someone sends money then their email is used as the sender/from.

    As the return-path is always paypal.com (afaics), wouldn't it be better to check that instead? - I know it can be forged, but web forms will return differently, unless they're sophisticated.

  16. #276
    (Join Date: Jun 2003, Location: California, Posts: 26,123)
    I believe the Sender is the same as the Return Path. Care to do some testing?

    Jeff

  17. #277
    (Join Date: Sep 2008, Location: London UK, Posts: 1,482)
    when payment is received:
    Return-path: <payment@paypal.com>
    From: <service@paypal.co.uk> (or it could be the email of the buyer)
    Sender: sendmail@paypal.com (not always included)
    from T&C/etc updates:
    Return-path: <JQ9OHYV-XRRKW-IYBAZS-ACJXEI-PR19BQ-H-M2-20120807-e3d6897b79527bb@emea.e.paypal.com>
    no Sender

    for any account updates (change password, withdraw, suspicious activity, etc):
    Return-path: <service@paypal.co.uk>
    From: <service@paypal.co.uk>
    no Sender

    replies from contact us form:
    Return-path: <webform@paypal.co.uk>
    From: <webform@paypal.co.uk>
    no Sender

    Not sure this helps.
    Last edited by Peter Laws; 08-21-2012 at 01:27 AM.

  18. #278
    (Join Date: Jun 2003, Location: California, Posts: 26,123)
    Quote Originally Posted by Peter Laws:
    Not sure this helps.
    It helps, but I don't want to make changes each time someone discovers another return address for PayPal. So what I need is a list of domains for different countries that PayPal uses for outgoing email. So let's see if more people respond.

    Jeff

  19. #279
    (Join Date: Jun 2006, Posts: 70)
    I received a call today from a hosting client who said that he wasn't receiving email from one particular sender (jmullen@sender.com). I dug into the mainlog file and found the following (I've obscured the IP address for the receiver and domain names with "sender.com" and "receiver.com").

    Code:
    2012-08-23 11:50:45 1T4Zfv-0001OS-Tp <= jmullen@sender.com H=smtpauth20.prod.mesa1.secureserver.net [64.202.165.36] P=smtp S=15773569 id=0ee501cd8146$b91928a0$2b4b79e0$@com T="FW: Waverly Quarterly" from <jmullen@sender> for bob.smith@receiver.com
    2012-08-23 11:50:46 1T4Zfv-0001OS-Tp => bob.smith <bob.smith@receiver.com> F=<jmullen@sender.com> R=virtual_user T=virtual_localdelivery S=15773687
    2012-08-23 12:01:09 H=(pps.com) [7.8.5.33] F=<> rejected RCPT <jmullen@sender.com>: We didn't send the message
    The sender never received a failure notification. For now I've added the sender's domain name to the whitelist_domains file and seem to have gotten around the problem temporarily.

    The obscured IP of 7.8.5.33 is the IP address of my client's Exchange 2003 server that retrieves email from DA via POP3 Connector.

    Can anyone decipher this and help me understand what might be happening?
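To read lines like the three above systematically, here is an added example (not from the thread or from DirectAdmin) that splits Exim mainlog lines into their fields and then correlates null-sender rejections with earlier arrivals. The regular expressions and the `bounces_to_our_senders` correlation are my own; the sample lines are the poster's, with the names already obscured by him.

```python
import re
from typing import Dict, List, Optional, Tuple

# The three mainlog lines from the post (sender/receiver names obscured by the poster).
SAMPLE = """\
2012-08-23 11:50:45 1T4Zfv-0001OS-Tp <= jmullen@sender.com H=smtpauth20.prod.mesa1.secureserver.net [64.202.165.36] P=smtp S=15773569 id=0ee501cd8146$b91928a0$2b4b79e0$@com T="FW: Waverly Quarterly" from <jmullen@sender> for bob.smith@receiver.com
2012-08-23 11:50:46 1T4Zfv-0001OS-Tp => bob.smith <bob.smith@receiver.com> F=<jmullen@sender.com> R=virtual_user T=virtual_localdelivery S=15773687
2012-08-23 12:01:09 H=(pps.com) [7.8.5.33] F=<> rejected RCPT <jmullen@sender.com>: We didn't send the message
""".splitlines()

# timestamp, optional Exim message id (three base62 groups), rest of the line
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:(?P<id>\w{6}-\w{6}-\w\w) )?(?P<rest>.*)$")
FLAG_RE = re.compile(r"^(?P<flag><=|=>|->|\*\*|==) (?P<addr>\S+)")   # arrival / delivery markers
HOST_RE = re.compile(r"H=(?P<host>\S*?)\s*(?:\((?P<helo>[^)]*)\))?\s*\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"F=<(?P<sender>[^>]*)>")                         # envelope sender; <> for bounces
REJECT_RE = re.compile(r"rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$")

def parse_mainlog_line(line: str) -> Dict[str, Optional[str]]:
    """Split one mainlog line into the fields the thread is looking at."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("not an Exim mainlog line: " + line)
    rest = m["rest"]
    rec: Dict[str, Optional[str]] = dict(ts=m["ts"], id=m["id"], flag=None, addr=None, host=None,
                                         helo=None, ip=None, sender=None, rcpt=None, reason=None)
    f = FLAG_RE.match(rest)
    if f:
        rec["flag"], rec["addr"] = f["flag"], f["addr"]
        if f["flag"] == "<=":            # on arrival lines the address is the envelope sender
            rec["sender"] = f["addr"]
    h = HOST_RE.search(rest)
    if h:
        rec["host"], rec["helo"], rec["ip"] = h["host"] or None, h["helo"], h["ip"]
    s = FROM_RE.search(rest)
    if s:
        rec["sender"] = s["sender"]
    r = REJECT_RE.search(rest)
    if r:
        rec["rcpt"], rec["reason"] = r["rcpt"], r["reason"]
    return rec

def bounces_to_our_senders(records: List[Dict[str, Optional[str]]]) -> List[Tuple[str, str, str]]:
    """Null-sender (<>) rejections whose recipient was the envelope sender of a
    message this server had accepted: the refused bounce refers to mail that
    passed through here. Returns (rejected recipient, connecting IP, HELO name)."""
    accepted_senders = {r["sender"] for r in records if r["flag"] == "<="}
    return [(r["rcpt"], r["ip"], r["helo"] or "")
            for r in records
            if r["reason"] and r["sender"] == "" and r["rcpt"] in accepted_senders]

if __name__ == "__main__":
    for hit in bounces_to_our_senders([parse_mainlog_line(l) for l in SAMPLE]):
        print("bounce to %s refused from %s (helo=%s)" % hit)
```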

  20. #280
    (Join Date: Apr 2005, Location: GMT +7.00, Posts: 11,023)
    Quote Originally Posted by Peter Laws:
    It's always paypal.com (host) for me, but it could be paypal.co.uk as the sender/from (but still paypal.com in the return-path, etc. headers); if someone sends money then their email is used as the sender/from.

    As the return-path is always paypal.com (afaics), wouldn't it be better to check that instead? - I know it can be forged, but web forms will return differently, unless they're sophisticated.
    Aren't all notifications from PayPal coming from service@intl.paypal.com? Anyway here is at least one email on host @paypal.com mentioned (it is spoof@paypal.com):

    https://www.paypal.com/webapps/helpc...11500023&m=TTQ
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin
