PDA

View Full Version : spamhaus not working properly



miguelito
05-05-2009, 01:55 AM
Hi,

Im using dovecot and custombuild in a fedora DA box.

Using spamblock with spamcop for a while....
sundently spamhaus stop filtering adresses

my mailboxes are full of spam.


using Mailwasher at home, it filters correctly with spamhaus & spamcop.

I tried to get a new exim.conf from the directadmin KB article, patch applied as indicated.

i got : "SpamBlocker.exim.conf.2.1.1-release " and
exim.pl dated: 28/march/2008

/etc/virtual/use_rbl domains is a link to /etc/virtual/domains.
rest of files: whitelist_senders, whitelist_host, whitelist_from blacklist_senders, blacklist_domains and bad_sender_host are there, but empty files.

this exim,conf ( testing) is 'as is' no modifications, to test.
Must I change something?

Is mandatory to give " primary_hostname " value correctly?
my uname ( from shell) gives me:

uname -a
Linux luna.gnomo.net 2.6.5-1.358smp #1 SMP Sat May 8 09:25:36 EDT 2004 i686 i686 i386 GNU/Linux

or must I indicate
primary_hostname=luna.gnomo.net

SORBS & SAFESORBS are working and filtering as indicated in /var/exim/rejectlog

I included spamcop, but its too restrictive ( too much false positives)


Any ideas??
Thanks.

my ACL in exim.conf looks like this:



######################################################################
# ACLs #
######################################################################

begin acl

# ACL that is used after the RCPT command
check_recipient:

# to block certain wellknown exploits, Deny for local domains if
# local parts begin with a dot or contain @ % ! / |
deny domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]

# to restrict port 587 to authenticated users only
# see also daemon_smtp_ports above
accept hosts = +auth_relay_hosts
condition = ${if eq {$interface_port}{587} {yes}{no}}
endpass
message = relay not permitted, authentication required
authenticated = *

# allow local users to send outgoing messages using slashes
# and vertical bars in their local parts.
# Block outgoing local parts that begin with a dot, slash, or vertical
# bar but allows them within the local part.
# The sequence \..\ is barred. The usage of @ % and ! is barred as
# before. The motivation is to prevent your users (or their virii)
# from mounting certain kinds of attacks on remote sites.
deny domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

# local source whitelist
# accept if the source is local SMTP (i.e. not over TCP/IP).
# Test for this by testing for an empty sending host field.
accept hosts = :

# sender domains whitelist
# accept if sender domain is in whitelist
accept sender_domains = +whitelist_domains

# sender hosts whitelist
# accept if sender host is in whitelist
accept hosts = +whitelist_hosts
accept hosts = +whitelist_hosts_ip

# envelope senders whitelist
# accept if envelope sender is in whitelist
accept senders = +whitelist_senders

# accept mail to postmaster in any local domain, regardless of source
accept local_parts = postmaster
domains = +local_domains

# accept mail to abuse in any local domain, regardless of source
accept local_parts = abuse
domains = +local_domains

# accept mail to hostmaster in any local domain, regardless of source
accept local_parts = hostmaster
domains =+local_domains

# OPTIONAL MODIFICATIONS:
# If the page you're using to notify senders of blocked email of how
# to get their address unblocked will use a web form to send you email so
# you'll know to unblock those senders, then you may leave these lines
# commented out. However, if you'll be telling your senders of blocked
# email to send an email to errors@yourdomain.com, then you should
# replace "errors" with the left side of the email address you'll be
# using, and "example.com" with the right side of the email address and
# then uncomment the second two lines, leaving the first one commented.
# Doing this will mean anyone can send email to this specific address,
# even if they're at a blocked domain, and even if your domain is using
# blocklists.

# accept mail to errors@example.com, regardless of source
# accept local_parts = errors
# domains = example.com

# deny so-called "legal" spammers"
deny message = Email blocked by LBL - /
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
sender_domains = +blacklist_domains

# deny using hostname in bad_sender_hosts blacklist
deny message = Email blocked by BSHL - /
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
hosts = +bad_sender_hosts

# deny using IP in bad_sender_hosts blacklist
deny message = Email blocked by BSHL - /
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
hosts = +bad_sender_hosts_ip

# deny using email address in blacklist_senders
deny message = Email blocked by BSAL - /
domains = use_rbl_domains
deny senders = +blacklist_senders

# By default we do NOT require sender verification.
# Sender verification denies unless sender address can be verified:
# If you want to require sender verification, i.e., that the sending
# address is routable and mail can be delivered to it, then
# uncomment the next line. If you do not want to require sender
# verification, leave the line commented out

require verify = sender

# deny using safe.dnsbl.sorbs.net
deny message = DENYMAIL - SAFESORBS - /
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = safe.dnsbl.sorbs.net


# deny using spamhaus
deny message = DENYMAIL SPAMHAUS - /
# only for domains that do want to be tested against RBLs
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = zen.spamhaus.org

# deny using njabl
deny message = DENYMAIL - NJABL - /
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = dnsbl.njabl.org

# deny using cbl
# deny message = DENYMAIL - CBL - /
# hosts = !+relay_hosts
# domains = +use_rbl_domains
# !authenticated = *
# dnslists = cbl.abuseat.org

# deny using sorbs name based list
deny message = DENYMAIL - SORBS - /
domains =+use_rbl_domains
# rhsbl list is name based
dnslists = rhsbl.sorbs.net/$sender_address_domain

# deny using bl.spamcop.net
deny message = DENYMAIL - SPAMCOP - /
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = bl.spamcop.net

# accept if address is in a local domain as long as recipient can be verified
accept domains = +local_domains
endpass
message = "Unknown User"
verify = recipient

# accept if address is in a domain for which we relay as long as recipient
# can be verified
accept domains = +relay_domains
endpass
verify=recipient

# accept if message comes for a host for which we are an outgoing relay
# recipient verification is omitted because many MUA clients don't cope
# well with SMTP error responses. If you are actually relaying from MTAs
# then you should probably add recipient verify here

accept hosts = +relay_hosts
accept hosts = +auth_relay_hosts
endpass
message = authentication required
authenticated = *
deny message = relay not permitted

# default at end of acl causes a "deny", but line below will give
# an explicit error message:
deny message = relay not permitted

# ACL that is used after the DATA command
check_message:
accept

scsi
05-05-2009, 09:56 AM
What do you see in exim log files?

nobaloney
05-07-2009, 12:02 PM
And ... how do you know that spamhaus isn't working properly?

Jeff

daveyw
05-08-2009, 01:03 AM
If you don't paste any logs like errors etc we can't help you with this. We are not magic!

miguelito
05-20-2009, 12:37 PM
sorry for the delay...

i was looking my log files..
and see that spamcop, safe.sorbs and so are really blocking spam and working

but there are NO messages blocked by spamhaus.

when the message pass it and came to my local client ( mailwasher ) and spamhaus detect it and mark it, correctly as spam.


what would you need exactly to solve this cuestion?

my


my ACL looks like this:



require verify = sender

# deny using spamhaus
deny message = ***sbl.SPAMHAUS***
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = zen.spamhaus.org

# deny using safe.dnsbl.sorbs.net
deny message = ***safe.SORBS***
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = safe.dnsbl.sorbs.net

# deny using bl.spamcop.net
deny message = ***SPAMCOP***
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = bl.spamcop.net


# deny using njabl
deny message = ***NJABL***
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = dnsbl.njabl.org

# deny using sorbs name based list
deny message = ***SORBS***
domains =+use_rbl_domains
dnslists = rhsbl.sorbs.net/$sender_address_domain



I f I understand correctly, order matters and spamhaus must be the first check.

Is it possible to log the answer from spamhaus ??

nobaloney
05-20-2009, 12:48 PM
grep SPAMHAUS /var/log/exim/rejectlog

Jeff

miguelito
05-20-2009, 01:23 PM
grep SPAMHAUS /var/log/exim/rejectlog

Jeff

Thanks Jeff.

the grep return nothing for "SPAMHAUS".. i checked with different strings to verify that my syntax is correct:
grep with SPAMCOP , for example, returns each line it appears in that log.


But when i wrote ' is it possible to log.. ' i meant to FORCE Log the response from spamhaus i mean, error 5XX, or no conected, accept, deny..or whatever.

I suspect that my server can not connect to spamhaus, so exim can not use it

miguelito
05-20-2009, 01:42 PM
also lots of messages like this are passing my spam control:



Return-path: <taller@lokaku.com>
Envelope-to: taller@lokaku.com
Delivery-date: Wed, 20 May 2009 21:30:21 +0200
Received: from 187-24-16-106.3g.claro.net.br ([187.24.16.106] helo=189-92-186-233.3g.claro.net.br)
by luna.gnomo.net with smtp (Exim 4.50)
id 1M6rUZ-0000gB-Jq
for taller@lokaku.com; Wed, 20 May 2009 21:30:21 +0200
To: taller@lokaku.com
Subject: trabajo para "Aurora Consulting"
From: taller@lokaku.com
MIME-Version: 1.0
Importance: High
Content-Type: text/html


lokaku.com is a local domain in my server (luna.gnomo.net)

but that mail is fake FROM and Return-path


another one similar:


Return-path: <appeaser@merlin.vispa.com>
Envelope-to: miguel@gnomo.net
Delivery-date: Wed, 20 May 2009 21:34:51 +0200
Received: from [186.9.70.198] (helo=LTQNUMKS)
by luna.gnomo.net with esmtp (Exim 4.50)
id 1M6rYw-0000nZ-Ie; Wed, 20 May 2009 21:34:51 +0200
Message-ID: <000d01c9d981$d20102e0$6400a8c0@appeaser>
From: "Dixie Winters" <appeaser@merlin.vispa.com>
To: <mdawolteajvxzhm@gnomo.net>
Subject: With a mega instrument you will feel a more important man.
Date: Wed, 20 May 2009 14:33:15 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C9D981.D20102E0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.


http://www.spamhaus.org/query/bl?ip=186.9.70.198 returns:



186.9.70.198 is not listed in the SBL
186.9.70.198 is listed in the PBL, in the following records:

PBL225753
186.9.70.198 is listed in the XBL, because it appears in:

CBL


why is not blokaed by spamhaus in the server?



hope this data helps.

nobaloney
05-21-2009, 11:15 AM
also lots of messages like this are passing my spam control:


Return-path: <taller@lokaku.com>
Envelope-to: taller@lokaku.com
Delivery-date: Wed, 20 May 2009 21:30:21 +0200
Received: from 187-24-16-106.3g.claro.net.br ([187.24.16.106] helo=189-92-186-233.3g.claro.net.br)
by luna.gnomo.net with smtp (Exim 4.50)
id 1M6rUZ-0000gB-Jq
for taller@lokaku.com; Wed, 20 May 2009 21:30:21 +0200
To: taller@lokaku.com
Subject: trabajo para "Aurora Consulting"
From: taller@lokaku.com
MIME-Version: 1.0
Importance: High
Content-Type: text/html


lokaku.com is a local domain in my server (luna.gnomo.net)

but that mail is fake FROM and Return-path
Perhaps you've whitelisted your local domains? I don't know without looking at your server and tracing logs.

http://www.spamhaus.org/query/bl?ip=186.9.70.198 returns:



186.9.70.198 is not listed in the SBL
186.9.70.198 is listed in the PBL, in the following records:

PBL225753
186.9.70.198 is listed in the XBL, because it appears in:

CBL


why is not blocked by spamhaus in the server?
I don't know. Perhaps you don't have the receiving domain listed in/etc/virtual/use_rbl_domains?

I don't know why it doesn't work for you. On one of my servers I just checked

# grep SPAMHAUS rejectlog --count
returns 136,444 hits in the last four days and seven hours.

For several reasons, my exim.conf file is no doubt not the same as yours.

Have you tried a manual lookup from your server command line?

I'm happy to help you resolve the issue for you as a commercial service if it's important to you and if you cannot figure it out on your own.

If you're interested in hiring us then please contact me through the email address in my siglines below.

Otherwise there's really no way I can help further on this issue, as I'd need to log in and do some studies and tests on your server. And for that, we charge.

Jeff

miguelito
05-21-2009, 02:52 PM
thanks, jeff, I understand you.

i was only thinking in a silly typo ( as usual ) in my config :D