SpamBlocker-Powered exim.conf, Version 4

Is pop/imap before SMTP supposed to work with this version of SpamBlocker? I'm having troubles with it.

Keefe
 
> I believe we should whitelist all of their listed domains, and you should use SpamAssassin to make decisions after that.

That's not how they see it.

Code:
Skip greylisting for all listed IPs (none - high)	All listed hosts are expected to pass greylisting so you are only avoiding delays, not affecting what gets blocked.
Skip blacklisting for all listed IPs (none - high)	All listed hosts are known to send legitimate email and should not be blacklisted.
Skip spam filtering for medium and high ranked IPs.	These are trusted to send spam rarely enough that they are not worth filtering.

I think exim.conf should be modified to only whitelist IPs belonging to the medium and high categories.
 
> Is pop/imap before SMTP supposed to work with this version of SpamBlocker? I'm having troubles with it.
>
> Keefe

Sure, it's supposed to work.

Run:

Code:
# ls -l /etc/virtual/pophosts 
# ls -l /etc/virtual/pophosts_user

and

Code:
# ps aux | grep da-popb4smtp

What results?
 
> That's not how they see it.
>
> Code:
> Skip greylisting for all listed IPs (none - high)	All listed hosts are expected to pass greylisting so you are only avoiding delays, not affecting what gets blocked.
> Skip blacklisting for all listed IPs (none - high)	All listed hosts are known to send legitimate email and should not be blacklisted.
> Skip spam filtering for medium and high ranked IPs.	These are trusted to send spam rarely enough that they are not worth filtering.
>
> I think exim.conf should be modified to only whitelist IPs belonging to the medium and high categories.
Feel free to make the modification if you wish, on your systems. Then report to us later on how it works out.

Personally I don't mind whitelisting all, because the filtering is done for all emails by SpamAssassin, and the rules in SpamAssassin determine what gets filtered, not the rules in SpamBlocker. SpamBlocker doesn't filter; it blocks. I give all whitelisted entries a chance to be examined by SpamAssassin. Perhaps if you don't use SpamAssassin you might want to make the change.

Jeff
 
> Is pop/imap before SMTP supposed to work with this version of SpamBlocker? I'm having troubles with it.

My recollection is that it works for submissions on port 25 but not for submissions on port 587, which must use plaintext authentication.

You can check that supposition yourself.

Jeff
 
Are you asking about using an RBL whitelist, or the simple text-based whitelists I've included?

As for the former, I've not yet found any problems at all; the RBL groups seem to do their homework well.

As for the latter, we've found that spammers never write to be whitelisted.

Using the latest SpamBlocker-powered exim.conf file, Version 4, the spam that gets through to SpamAssassin is less than six per day on my main email address, and of that, over half is caught by SpamAssassin.

Anyway, that's what works for us.

Jeff

I got this reply from the dnswbl admin. He was friendly.
> I don't mind sending other reports, but would appreciate if you can give me a
> config example on how to only whitelist medium and above. I changed to
> "dnslists = list.dnswl.org&0.0.0.2" and I hope it is fine.

Yes, that will match both med and high. Mail from addresses listed at none and low should
not bypass a content filter, and some people would also scan mail from med sources. All mail
should be checked for malware, some anti-virus software will also catch phishing spam.

So mail servers in the none group can be sources of spam but are there because they send large amounts of legit email.

I am talking about the RBL whitelist, sorry if there was confusion.

If you can confirm whether or not it bypasses content filters (like SpamAssassin), that should give me a better understanding. Thanks.
 
dnslists = list.dnswl.org&0.0.0.2 works fine and only whitelists servers that can be trusted. Lots of ISPs are sending spam; no point in whitelisting them, imho, unless you have an aggressive blacklisting policy.

@Chris, that rule only allows the message to go to the next step (DATA), so it will still be scrutinized by all the message filtering tools that you have put in place in that ACL.
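As an added illustration (not code from the thread or from SpamBlocker's exim.conf), here is a small Python model of how the `dnslists = list.dnswl.org&0.0.0.2` item discussed above selects trust levels. It assumes dnswl.org answers of the form 127.0.<category>.<trust> with trust 0 = none, 1 = low, 2 = medium, 3 = high, and Exim's `&mask` rule of matching when the bitwise AND of the returned address and the mask is non-zero.

```python
# Added example, not part of the thread or of the SpamBlocker exim.conf.
# Assumed dnswl.org answer format: 127.0.<category>.<trust>, where the last
# octet encodes the trust level below. Assumed Exim "&mask" semantics: the
# list item matches when (returned address AND mask) is non-zero.
from ipaddress import IPv4Address

DNSWL_TRUST = {0: "none", 1: "low", 2: "medium", 3: "high"}


def exim_mask_match(returned: str, mask: str) -> bool:
    """True if a dnswl answer satisfies an Exim 'dnslists = zone&mask' item."""
    return (int(IPv4Address(returned)) & int(IPv4Address(mask))) != 0


def dnswl_trust_level(returned: str) -> str:
    """Decode the trust level from a dnswl.org answer (127.0.x.y -> y).

    Anything outside the documented 127.0.x.y shape is treated as
    'not listed' rather than trusted, so a stray answer cannot bypass RBLs.
    """
    octets = returned.split(".")
    if len(octets) != 4 or octets[:2] != ["127", "0"]:
        return "not listed"
    return DNSWL_TRUST.get(int(octets[3]), "unknown")


def whitelisted_levels(mask: str) -> list:
    """Trust levels that a given Exim mask lets skip the blacklist checks."""
    return [name for code, name in DNSWL_TRUST.items()
            if exim_mask_match(f"127.0.0.{code}", mask)]


if __name__ == "__main__":
    for mask in ("0.0.0.2", "0.0.0.1", "0.0.0.3"):
        print(mask, "->", whitelisted_levels(mask))
```

The last octet is a bit field, not a threshold: a mask of 0.0.0.1 would select low and high, and 0.0.0.3 everything except none, while 0.0.0.2 gives exactly medium and high as the admin's reply states.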
 
Yes, lots of ISPs are sending spam. But in general we want our users to be able to get mail from ISPs. Can you give me an example of some of the ISPs my setting whitelists but yours doesn't, so I can look into it further?

Thanks.

Jeff
 
Chris should have some IPs since he's been hit by bad apples.
It would be difficult for me to determine what the differences are without doing a thorough log analysis.
Maybe the rule could be split in two, one would accept the message, the other would write something in the logs.
Millions of customers use the mail servers provided by their ISP. The chances of these sending spam or malware are quite high, thus the classification.
 
I understand your point. But I see it differently.

Here's the order in which it happens:

All whitelists get processed first.

Then blacklists.

So if you do it your way, a lot of mail from ISPs is going to be blocked because a few senders are sending spam. In the case of ISPs it's unlikely individual IP#s are going to be sending mostly spam, and if they are, they're probably not going to be in the whitelist.

If we block ISP mailservers we get a lot of unblock requests. We choose to whitelist ISP servers and only block non-ISP servers, because whitelisted servers still go through SpamAssassin.

You can certainly choose differently.

Jeff
 
But if you only blacklist non-ISP servers, there is no need to whitelist them; they will reach the DATA ACL unless one of them has become blacklisted for one reason or another.
That's why I mentioned that for this setup to work, one has to be careful with his blacklisting policy.
To be honest, I'm not that worried about ISPs, but email marketing companies are on the "none" level list and that's a bigger threat.
 
If I understand Jeff correctly, he is saying that without the DNS whitelist he was seeing false positives on SpamBlocker, legit ISPs being blocked by RBLs.

I have never had a false positive reported to me using SpamBlocker, but I don't use the riskier RBLs like SpamCop, and I use the safe SORBS list.

However, for me, if a false positive occurs, I feel it's better to just manually add to the whitelist file than to let spam through the DNS whitelist. It is a choice I guess.

So the whitelist bypasses the blacklist RBLs but does not bypass SpamAssassin, which raises another problem. SpamAssassin is quite CPU intensive compared to SpamBlocker, so whilst SpamAssassin may catch these emails it does so at higher cost on the server.
 
> But if you only blacklist non-ISP servers, there is no need to whitelist them; they will reach the DATA ACL unless one of them has become blacklisted for one reason or another.

I blacklist using the lists you see in the SpamBlocker-powered exim.conf file. From time to time ISP servers DO get blacklisted. Whitelisting first keeps that from happening.

> That's why I mentioned that for this setup to work, one has to be careful with his blacklisting policy.

But we really can't be careful with our blacklisting policy unless we take the trouble to create our own blacklists. If we use blocklists we didn't create (and we create only the plaintext ones in our own files), then we're at the mercy of the blacklist providers. So I find it important to whitelist. It has saved me a lot of unblock requests and it keeps my clients happy.

> To be honest, I'm not that worried about ISPs, but email marketing companies are on the "none" level list and that's a bigger threat.

You make an important point, and I think it important to disclose my reasoning:

There are plenty of marketing companies out there who believe in the U.S.-based CAN-SPAM law. I don't like the law, but it exists, and businesses use it (and marketing companies use it) to send to lists that aren't opt-in lists. And yes, they do get whitelisted by whitelist companies. Just as they get whitelisted locally by you, if you implement solutions such as DKIM, since they follow the DKIM rules.

But here are some important facts:

1) Lots of legitimate businesses, with legitimate opt-in lists, use these marketing companies to send their mail. Opt-in mail. Mail that their subscribers in some cases even pay for, and even if they don't, expect to get, and want to get.

2) I get, and probably you get as well, more complaints from clients who don't get mail they should get than from clients who get some spam.

3) SpamAssassin does a fairly good job of managing these emails, and as long as your clients set SpamAssassin to pass the emails through, they can manage them without your involvement.

4) And one thing these marketing companies have in common is that, in my tests, they DO stop sending mail when you follow their instructions for removal. Some of them even maintain double-opt-in policies, and if you report their clients who don't use double-opt-in (but lie and say they do), they will stop hosting those lists. I've been testing this over the last few years and I find it's true.

> If I understand Jeff correctly, he is saying that without the DNS whitelist he was seeing false positives on SpamBlocker, legit ISPs being blocked by RBLs.

Yes. Google and Hotmail, specifically, but others as well. And they all have anti-spam policies and many even make it hard to use them to send spam, but spammers still manage them from time to time and they get blocked. So I do want to blocklist them. If you don't, then of course you're welcome to adjust the ACLs any way you want.

> I have never had a false positive reported to me using SpamBlocker, but I don't use the riskier RBLs like SpamCop, and I use the safe SORBS list.

I do. Not often, but occasionally. Often then from clients who get upset and ask me to stop using SpamBlocker on their email. Which then means more mail for SpamAssassin to manage. My recollection is that SpamAssassin checks all mail even if it's turned off for a domain; it just uses a very high trigger score.

> However, for me, if a false positive occurs, I feel it's better to just manually add to the whitelist file than to let spam through the DNS whitelist. It is a choice I guess.

It is a choice, but as I wrote above, clients are more willing to complain about one false positive than ten pieces or more of spam. And my job is to keep my clients happy, which in turn will keep me happy. Since we started using whitelists we haven't had one client leave because of spam; we haven't had one client ask us to stop using SpamBlocker on his/her account.

> So the whitelist bypasses the blacklist RBLs but does not bypass SpamAssassin, which raises another problem. SpamAssassin is quite CPU intensive compared to SpamBlocker, so whilst SpamAssassin may catch these emails it does so at higher cost on the server.

Of course. That's why it's important to keep clients willing to let us block spam for them.

We find that over 90% (I've posted actual numbers in the past) is blocked before it gets to our servers, and we've not had a problem with SpamAssassin using too much in the way of resources. If you do, then of course change your whitelist configuration.

On a happier note, have you noticed a decrease in spam? Some reports say there's been over a 30% drop in measured spam since the first of December. I'm not counting, but I do notice less spam coming into our servers.

Note that I'm willing to continue this discussion but unless we start seeing more incoming spam instead of less, it's unlikely I'll make additional changes.

Jeff
 
Thanks for sharing Jeff :)
I do see your point about making customers happy and I've been bitten in the past because a whitelist wasn't enabled. People notice when they don't get their emails anymore, but couldn't care less about the spambox filling up.
I think the best solution for these two levels would be greylisting. Better safe than sorry.

I'm personally not too worried about high server load since I'm using dspam, which is both very efficient and flexible (users move their messages to teach the filters), but I'm wondering what the increase in load is like with SpamAssassin.

I did notice a decrease in spam since the end of last year. It always gets me worried that there is something wrong with my configs :D. It makes it difficult to play with live samples, especially if you're using nolisting.

I guess we just have to be patient, new botnets will rise and databases are stolen every day...
 
I had a user getting about 15k a day in spam, and SpamBlocker was off; I noticed CPU usage was hovering around 30% average. I enabled SpamBlocker on his account and it dropped to 5%. The machine is a dual core AMD X2 5600+. So that may give an idea.

I accept Jeff's reasoning and am glad he took the time to explain exactly how its working.

The only greylisting script I have found that would possibly be viable for an across-the-board, all-OS DA setup is a Perl script; most of the others are OS dependent and also rely on MySQL.
 
Code:
EDIT#38:
Sender verification denies incoming email unless the domain of
the sender address can be verified.  By default we do NOT require
sender verification.

But when I look at the exim.conf file,
Code:
#EDIT#38:
  require verify = sender

That's not commented out by default. Shouldn't it be commented out if we do NOT require sender verification?
 
Which should I change? The documentation or the behavior? I recommend changing the documentation and leaving the behavior. Only the domain is checked, and not the full email address.

Anybody feel differently?

Jeff
 
Usually within one business day. Orders placed over the weekend (as yours was) are managed as if they came in on Monday.

Always feel free to call or write with any follow-up questions. (User hostu actually called as I was composing this reply.)

Jeff
 
You are one seriously funny guy!! Makes me think of a roundcube,,,, thanks for the quick reply and chat.... :D

chuck