[RELEASE] SpamBlocker released




nobaloney
05-15-2004, 04:47 PM
EDIT 26 December 2006:

SpamBlocker3 is going into Beta Testing today. It optionally includes ClamAV, for those who've wanted Anti-Virus built into DA.

In order to help us support SpamBlocker as we move forward we've created several new sub-forums; be sure to check out the complete list here (http://www.directadmin.com/forum/forumdisplay.php?s=&forumid=53).

Note that there are both forums and threads on that page, including this thread, which I've moved into the new subforums today.


EDIT 29 Oct 2004:

The second free DA version of SpamBlocker has just been released as Version "RSS-1.2da".

The modifications, (taken from the modifications log) are:

RSS-1.2da 29-Oct-2004

Modified to change use of sbl.spamhaus.org list to use of sbl-xbl.spamhaus.org list.

Modified to add bad_sender_hosts check; see modification instructions.

I highly recommend the update, as it allows you to block by IP# or by hostname in addition to by "From" address.

But it's NOT currently included in DirectAdmin.

Should you decide to use it you MUST make all the modifications you made to the original file, so that anyone who gets a false positive bounce will be able to visit your website to be unblocked.

In addition, you'll also need to add a new file at /etc/virtual/bad_sender_hosts, to be populated by the IP#s and hostnames you want blocked.

End of edits.

I've just released the Free DA version of SpamBlocker.

John and Mark have indicated that they may include it in a future version of DA, and I've given that my blessing.

The advantage of having it included in DA would be that DA would control the contents of the added files.

But you can certainly use it as-is; I do. The file is at:

http://www.nobaloney.net/downloads/spamblocker/DirectAdmin/

and is well documented. Be sure to read the documentation completely before using it to replace /etc/exim.conf on your system, and be sure to keep a copy of your original exim.conf file in the event you'll need to revert.

It does require some well documented file additions to /etc/virtual/ but it should be quite easy to install into your DirectAdmin server.

The license under which exim.conf.spamblocked is released may be found at:

http://www.nobaloney.net/downloads/gnu-gpl-v2.txt

Please post to let me know about your experience with it.

Thanks.

Jeff

jeffery
05-15-2004, 10:46 PM
Thanks Jeff, I will test it out~ :)

I have just read your "README" at the top of the conf, it seems a little bit complicated..
:p

nobaloney
05-15-2004, 10:51 PM
It's really quite simple.

Please ask me any questions you might have.

Here is okay for now; when I release the generic exim version (for exim but not DA) I'll probably start my own forum for it.

Maybe you can write simplified instructions once you understand it.

Jeff

jeffery
05-16-2004, 08:11 AM
:)

Cheers!

nobaloney
05-16-2004, 11:27 AM
What do you think of using SpamAssassin in to block as opposed to just mark?

What I really want to do is block spam at rcpt time (sorry if you're not very familiar with smtp and/or exim language) for listing in various blocklists (which is what the exim.conf.spamblocked file I released last night does) AND at data time for certain scores in spamassassin.

It would require that you use exim with exiscan, but Chris has already done a good job of enabling that, and I'd be building on the work he's done with more custom exim.conf files.

What do you think about that?

SpamAssassin currently (by default) marks as spam, anything that scores 5.0 or above. What score do you think we should use to block?

Thanks for any input, to help make this a better project.

Jeff

jeffery
05-17-2004, 02:10 PM
Sorry I still have no time to squeeze for testing it.. :p

I will try my best to have it tested, and give you some feedback!


SpamAssassin can detect spam quite successfully, but it's not too flexible for customization. For example, till now there is no clear guide to control the way SpamAssassin does things. At least I have googled for half an hour and can't find one suitable..


Comparing with the blocklist, it can still have a hole: they can send the email with a fake address like bob@somewhereelse.com, which is hard to catch.


5.0 is not a bad idea; if it is really a spam message, it is caught by a high score. If it's a *SMART* spam, score 1.0 may still be unable to catch it.

:)

LyricTung
05-17-2004, 02:29 PM
Well, I created the necessary files in /etc/virtual, changed the @example.com addresses, dropped in the exim.conf and restarted exim. Now, when trying to send a test message to a domain on that server I get the following:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

tweedle@dum.com
local delivery failed

The following text was generated during the delivery attempt:

------ tweedle@dum.com ------

An error was detected while processing a file of BSMTP input.
The error message was:

421 Lost incoming connection

The SMTP transaction started in line 0.
The error was detected in line 3.
0 previous messages were successfully processed.
The rest of the batch was abandoned.
421 Lost incoming connection
Transaction started in line 0
Error detected in line 3
_________________________
Any ideas? After replacing with original default config file it works fine.


SOLUTION: Since I am not running Spam Assassin, it was necessary to comment out the Spam Assassin portion of the DIRECTORS CONFIGURATION. All works fine now with the spamblocked exim.conf file.

nobaloney
05-17-2004, 05:06 PM
What OS? You're using Exim 4.24, as I am, and the file works successfully for me.

Are you sure you didn't accidentally change anything else? (use a "diff" to see)

If you edited it on a Windows system did you remember to ftp it back to the server as ascii?

Did you find any log output referring to that email?

I don't have time to do anything tonight, but I'm willing to check on your server if you're willing to let me.

Let me know by email if you'd like me to test this for you.

Jeff

LyricTung
05-17-2004, 05:13 PM
Thanks for your reply! It seems to be a BSMTP and Spam Assassin error when spamc is not running :)

LyricTung
05-18-2004, 04:20 PM
Great job on this! I'm running FreeBSD 4.9, DA Exim 4.24.
I've been examining logs since yesterday evening and I don't think a piece of spam has made it through.

I made 2 changes to the config and life is now happy:

1. Comment out Spam Assassin in the Directors Configuration. Since I'm not running Spam Assassin, the error in my post above was being generated.

2. Comment out: Require sender_verify. While I would like to believe that all mailserver/dns admins do things properly, I know from experience, they don't. This line was causing fits with outsourced domain mail and I didn't want to immediately start trying to whitelist everything. I'm gonna try to work to build a starting whitelist and turn it back on.

nobaloney
05-18-2004, 08:56 PM
Thanks for bringing to my attention that I didn't make a great enough deal of it using SpamAssassin as set up by DirectAdmin.

I'll change the included documentation to show that.

Jeff

dr2web
05-23-2004, 06:33 PM
Jeff,

The install went great, worked like a charm. Thanks for the hard work. The amount of work that you put in was apparent.

I do have a question about it. I have been having a problem with people using my server to send spam, will this conf file filter outgoing mail as well as incoming?

Thanks again for all that you have done.

i2iweb
05-25-2004, 03:23 PM
I can send/receive mail fine but my headers only show the following:

Received: from mail by santacruz.i2iwebsolutions.com with spam-scanned (Exim 4.24)
id 1BSeYc-000LFX-EP

I am using FreeBSD 4.9 with SpamAssassin. Is this header above normal?

thoroughfare
05-26-2004, 03:32 PM
Thanks for releasing this... but I was wondering, what advantage does it have over SpamAssassin etc?

Thanks,
Matt :)

sander815
05-27-2004, 12:02 AM
yes, want to know too

and, how does this work? Does it check validity of email addresses from blacklists at bl.spamcop.net, dnsbl.njabl.org, etc and then either let it pass or not pass?

LyricTung
05-28-2004, 12:18 PM
This exim.conf file will reject mail coming from known spam servers as verified against the blacklists you see in the file. It does this before continuing on with delivery and finally sending it over to SpamAssassin for message scanning.

The advantage: SpamAssassin uses system resources to complete its tasks. SpamAssassin only gives a "SpamRating" and sends the message on to the recipient (unless you have something else installed to reject/sort/etc.)

This config file rejects a massive amount of Spam (according to my log files) with no (as far as I can tell) false positives. Anything that gets through the blacklists is then sent on to SpamAssassin.

SpamAssassin doesn't work so hard and user mailboxes aren't full of messages marked as ***SPAM***.

LyricTung
05-28-2004, 12:37 PM
i2iweb: That's how my header looked after I installed SpamAssassin from the DA scripts folder. In order to get the SpamAssassin headers, spamd needs to run, I think. I got it all working by:

1. Add: spamd_enable="YES" to /etc/rc.conf

2. Add: spamd.sh file to /usr/local/etc/rc.d folder and chmod file to 744. Mine looks like this:

#!/bin/sh
#
# Startup / shutdown script for SpamAssassin daemon

case "$1" in
    start)
        /usr/local/bin/spamd -a -d -r /var/run/spamd.pid && echo -n ' spamd'
        ;;

    stop)
        /bin/kill `cat /var/run/spamd.pid` > /dev/null 2>&1 && echo -n ' spamd'
        ;;

    *)
        echo "Usage: `basename $0` {start|stop}" >&2
        ;;
esac

exit 0

3. search the /etc/exim.conf for spamc. Replace this:

/usr/bin/spamc

to

/usr/local/bin/spamc

4. I rebooted my server because of the changes to rc.conf :)

sander815
05-28-2004, 02:36 PM
do i need spamassassin for this script to work? i thought it was either spamassassin or this script?

LyricTung
05-28-2004, 02:51 PM
This config is set-up by default to work in conjunction with SpamAssassin. If you wish to use just the blacklists in this exim.conf and not use SpamAssassin, you will need to comment out these lines in this exim.conf. You'll find them under the "Directors Configuration" section. Just put the # sign in front of each line as below:

# Spam Assassin
# spamcheck_director:
#   driver = accept
#   condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}} {!eq {$received_protocol}{local}} } {1}{0}}"
#   retry_use_local_part
#   transport = spamcheck
#   no_verify

i2iweb
05-28-2004, 07:19 PM
Thanks for the info LyricTung...

I had a client that was literally receiving hundreds of spam per day that he had to download over a dialup connection to weed out the good from the bad emails and this solution here has made it sooo much easier for him now not to mention for me too.

Thanks,

Kevin

blacknight
05-29-2004, 03:19 AM
Originally posted by jlasman
John and Mark have indicated that they may include it in a future version of DA, and I've given that my blessing.

The advantage of having it included in DA would be that DA would control the contents of the added files.


If it is included in a future release of DA I hope there will be an option to switch it off.

nobaloney
05-31-2004, 10:01 AM
Originally posted by i2iweb
I had a client that was literally receiving hundreds of spam per day that he had to download over a dialup connection to weed out the good from the bad emails and this solution here has made it sooo much easier for him now not to mention for me too.
In fact, the reason we began work on SpamFilter was because one of our important clients started using a Blackberry for remote email. We've saved him hundreds of spam downloads a day.

Jeff

nobaloney
05-31-2004, 10:03 AM
Originally posted by blacknight
If it is included in a future release of DA I hope there will be an option to switch it off.
When installed, SpamBlocker, by default, is turned off for all domains. You have to turn it on for it to work.

I'd expect that DA would set it up the same way.

Jeff

nobaloney
05-31-2004, 10:07 AM
Originally posted by dr2web
The install went great, worked like a charm. Thanks for the hard work. The amount of work that you put in was apparent.
Thanks <blush>.

I do have a question about it. I have been having a problem with people using my server to send spam, will this conf file filter outgoing mail as well as incoming?
SpamBlocker blocks email from servers in blocklists. You don't want your server in blocklists.

You'll have to use some other method to keep people from spamming through your server.

One idea is to not allow anyone to use your server to send mail. That's actually not a bad idea.

Another is to not rent webspace or email only accounts to spammers. That's perhaps a bit tougher, but definitely worth doing.

Jeff

nobaloney
05-31-2004, 10:11 AM
Originally posted by thoroughfare
Thanks for releasing this... but I was wondering, what advantage does it have over SpamAssassin etc?
I think this has already been well answered, but to make it "official" :) :

SpamBlocker blocks email from known spamming IP#s before it gets to your server. Saves a lot of bandwidth.

Saves a lot of machine cycles as SpamAssassin doesn't have to check email it doesn't get :) .

Saves a lot of download data transfer from your DA server to your clients' desktop systems.

Jeff

nobaloney
05-31-2004, 10:12 AM
Originally posted by sander815
and, how does this work? Does it check validity of email adresses from blacklists at bl.spamcop.net, dnsbl.njabl.org, etc and then either let it pass or not pass?
Yes, SpamBlocker uses block lists. You can look at the source code to see the block lists it uses.

Jeff

twhiting9275
06-01-2004, 01:05 PM
Absolutely wonderful code here! This has cut my spam down from 50-100 mails a day (yeah, that many) to maybe 1-2.

I've included a modification that will work with mailscanner, as well as regular exim. In addition, I included an example spam.php , as seen @ http://www.linux-tech.net/spam.php (image included). Simple I know, but hopefully it helps.

Great job, keep up the good work!

rhoekman
06-02-2004, 09:49 AM
This config file lets spammers use the smtp server as a relay without authentication. Just to let you know.

I have commented out and added the following line so users have to authenticate when they want to send it thru the server.

#hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1

hostlist relay_hosts = 127.0.0.1

Further no complaints here it works like charm!

LyricTung
06-02-2004, 11:13 AM
Originally posted by rhoekman
This config file lets spammers use the smtp server as a relay without authentication. Just to let you know.

I have commented out and added the following line so users have to authenticate when they want to send it thru the server.

#hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1

hostlist relay_hosts = 127.0.0.1

Further no complaints here it works like charm!

I'm a lil confused by this. The line you commented out seems to only allow those who have accomplished popb4smtp auth and localhost. The line you added would allow SMTP from localhost only (no authenticated net connections.) I see no open relay with the original code. Am I missing something?

rhoekman
06-02-2004, 11:27 AM
I was able to send email without authentication, no popb4smtp auth enabled. Try to disable popb4smtp and send something via smtp on the server. Let me know so we can verify this, thanks!

LyricTung
06-02-2004, 12:01 PM
Originally posted by rhoekman
I was able to send email without authentication, no popb4smtp auth enabled. Try to disable popb4smtp and send something via smtp on the server. Let me know so we can verify this, thanks!

I disabled auth of any kind in my mail client.
I copied /dev/null to /etc/virtual/pophosts to make sure it was empty.
I tried to send mail through the server.

/var/log/exim/exim_mainlog:

2004-06-02 13:55:41 H=bear.dum.net [208.XXX.XX.15] F=<ddancers@dum.com> rejected RCPT <lyric@dum.net>: authentication required
2004-06-02 13:55:41 H=bear.dum.net [208.XXX.XX.15] incomplete transaction (RSET) from <ddancers@dum.com>

I'm guessing that your IP was listed in /etc/virtual/pophosts when you tested it. I think the default time your IP remains permitted to relay is 30 minutes.
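
The relay test above is verified from exim_mainlog; the following is an added example (not from the thread or the SpamBlocker project) that parses rejection lines of the format quoted above and summarises which hosts were refused and why, so the same check can be run over a whole log. The sample lines are constructed to match that format, and the helper names are assumptions.

```python
"""Parse exim_mainlog 'rejected RCPT' lines and summarise refusals (added example)."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Shape of the line quoted in the thread:
# 2004-06-02 13:55:41 H=bear.dum.net [208.XXX.XX.15] F=<ddancers@dum.com> rejected RCPT <lyric@dum.net>: authentication required
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"H=(?P<host>.*?) \[(?P<ip>[^\]]+)\] "
    r"(?:F=<(?P<sender>[^>]*)> )?"
    r"rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)

# Constructed sample log: the first two lines mirror the thread's quote, the rest are made up.
SAMPLE_LOG = """\
2004-06-02 13:55:41 H=bear.dum.net [208.XXX.XX.15] F=<ddancers@dum.com> rejected RCPT <lyric@dum.net>: authentication required
2004-06-02 13:55:41 H=bear.dum.net [208.XXX.XX.15] incomplete transaction (RSET) from <ddancers@dum.com>
2004-06-02 14:02:10 H=bear.dum.net [208.XXX.XX.15] F=<ddancers@dum.com> rejected RCPT <someone@elsewhere.invalid>: relay not permitted
2004-06-02 14:10:03 H=(mx) [192.0.2.44] F=<x@spam.invalid> rejected RCPT <lyric@dum.net>: Blocked - see http://unblock.example.invalid/
"""


def parse_reject(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a 'rejected RCPT' line, or None for any other log line."""
    m = REJECT_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def parse_log(text: str) -> List[Dict[str, str]]:
    """Collect every rejection record in the log text, in order."""
    return [rec for rec in (parse_reject(l) for l in text.splitlines()) if rec]


def rejections_by_reason(records: List[Dict[str, str]]) -> Counter:
    """Count refusals per reason text, e.g. to spot 'authentication required' spikes."""
    return Counter(rec["reason"] for rec in records)


def refused_relay_attempts(records: List[Dict[str, str]], local_domains) -> List[Dict[str, str]]:
    """Rejections whose recipient is NOT a local domain: relay attempts the server refused."""
    local = {d.lower() for d in local_domains}
    return [rec for rec in records if rec["rcpt"].rpartition("@")[2].lower() not in local]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for reason, n in rejections_by_reason(recs).items():
        print(f"{n:3d}  {reason}")
    for rec in refused_relay_attempts(recs, {"dum.net"}):
        print("refused relay:", rec["ip"], "->", rec["rcpt"])
```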

rhoekman
06-02-2004, 12:11 PM
I'll look into this.. Some of my clients could use it without authentication and relay tests showed it was getting thru. Odd..

rhoekman
06-03-2004, 06:16 AM
Ok, you are right.. It is not relaying by default. I tested relaying from another pc while my laptop was still pulling email from the server. So the IP of the router was in pophosts. My bad.

nobaloney
06-03-2004, 10:32 AM
Originally posted by twhiting9275
Absolutely wonderful code here! This has cut my spam down from 50-100 mails a day (yeah, that many) to maybe 1-2.
Glad to hear it; we block over 10,000 spams daily with SpamBlocker.

I've included a modification that will work with mailscanner, as well as regular exim.
I'll take a look at your modification. May I merge it into the "official" tree?

I've planned on adding mailscanner and virus checking, but I've been very busy.

Jeff

twhiting9275
06-03-2004, 11:18 AM
Go for it, I technically didn't add much other than what was added to the config files the first time, but it seems to work for me ;)

sander815
06-14-2004, 10:50 AM
if i use this exim.conf, without any domains on the /etc/virtual/use_rbl_domains list, does it work the same way as the original exim.conf?

twhiting9275
06-14-2004, 10:54 AM
The only way to get someone to use the extra "features" of this configuration is to put them in that list, so yeah, I'd say it does.

nobaloney
06-14-2004, 11:16 AM
Well, perhaps not quite, but almost exactly the same.

We do some checking a bit differently than DA does.

You can certainly compare our file against the DA default file. We've documented everything fully.

Jeff

sander815
06-15-2004, 02:49 PM
i got it running
if i want some server on the whitelist, is it enough to have its domain?
or do i need the ip address or full server name only?

f.i. g69119.upc-g.chello.nl ? it got blocked, but that mail should not be blocked

does exim need a restart when i add domains/ips or when i add a domain to use_rbl_domains?

nobaloney
06-16-2004, 10:16 AM
Originally posted by sander815
f.i. g69119.upc-g.chello.nl ? it got blocked, but that mail should not be blocked
We always put in the fqdn (fully qualified domain name) of the server we want to whitelist.

does exim need a restart when i add domains/ips or when i add a domain to use_rbl_domains?
Nope. The only time you need to restart exim is when you make a change to exim.conf (or for example, when you install the new exim.conf).

Jeff

existenz
06-18-2004, 06:28 PM
Just wondering something...when Spam is received doesn't the mailer get a response?

Screw-them can't get your mail to me o well. I think for most people it would be better to not respond and let the bot know that your address is real?

Just wondering if I understand this properly...

nobaloney
06-18-2004, 06:57 PM
Spamblocker refuses email with a message that should go back to the sender, if the sender's outgoing MTA follows the rules.

Jeff

existenz
06-19-2004, 05:19 PM
Why...? Why not just let it drop? Do you really want to let everyone know that is a valid address? I don't understand the specifics of how you are doing it. Will it send that to *any* including addresses that don't exist?

I could just see more mail being sent to people's servers and if or when they move their website then they are screwed now that it is a published valid address.

Just wondering your thoughts?

nobaloney
06-20-2004, 07:39 AM
Originally posted by existenz
Why...? Why not just let it drop?
Because dropping email is evil. It's also against the RFCs.

Do you really want to let everyone know that is a valid address?
It doesn't let everyone know it's a valid address; it refuses to accept the email with a permanent error and directs senders to a website where they can learn how to be whitelisted.

Spammers don't see the error message; their servers have been modified to never notice errors. If they weren't, they'd never be able to send any quantity of spam, as error messages stop the transmission.

If some spammer did see the error message s/he wouldn't bother to follow an html link to learn how to unblock his/her address; it's just not worth it to her/him for a one time email delivery when s/he's got tens of millions of other addresses.

I don't understand the specifics of how you are doing it. Will it send that to *any* including address that don't exist?
It doesn't send anything anywhere. A spammer tries to connect to our server to send spam; we notice its IP# is listed as a spammer, so we politely refuse to accept the email and close the connection.

I could just see more mail being send to people's servers and if or when they move their website then they are screwed now that it is a published valid address.
If you could explain what you mean, I could address your point. As of now, I don't understand it, and I can't address what I can't understand.

Note that you can always modify SpamBlocker to do whatever you want, or just not use it if you believe it won't help you on your server.

However it was developed with the help of many important members of the anti-spam community and follows RFCs as well. It successfully blocks over ten thousand spams from just one of our reference servers every day.

Jeff

existenz
06-20-2004, 09:13 AM
What I am not following is what address does a user get an email from? If you could specify the address that would be perfect.

Most spammers have intelligent servers that harvest replies from sent address. If the address returned is one they sent to they validate the address as real.

The last part is if we assume that the above is happening and the address is not generic then the problem to users is once they move to a server without features like this they could be flooded with Spam.

I am not saying SpamBlocker is bad I just disagree with a bounce message from me. That is as bad as people who leave up vacation messages and are flooded with mail.

As far as the RFC's are concerned we don't allow domain literals :-) We both know you can't follow the RFC's 100% right now till new ones are released to deal with the spam epidemic.

nobaloney
06-21-2004, 09:06 PM
Originally posted by existenz
What I am not following is what address does a user get an email from?
You've still got me completely lost.

A user gets email from whomever sends it to him. In the case of spam the sender address is usually not valid and is not worth considering.

If you could specify the address that would be perfect.
How could I specify an address someone sends me mail from? I have no idea how I could begin to specify an address for a spammer to use when sending me email.

Or do you mean create a blacklist system so the whole world is forbidden, and then a whitelist system so that I could only get mail from someone if they've registered their address with me?

If the latter, then how would I know who to put in the whitelist? This is doable, and there are already some commercial services doing this; it's called challenge/response, and I'll never write it or support it except as a custom project, because I find it too restrictive and I'll never use it.

Most spammers have intelligent servers that harvest replies from sent address. If the address returned is one they sent to they validate the address as real.
How would the spammer get an "address returned" as you put it, unless you answer their spam? Do you mean the spammer would get an address from a delivery error (which is what a block message really is)? I've already explained why spammers don't read delivery errors; it's in their interest to ignore delivery errors and focus on the email they don't get delivery errors for.

The last part is if we assume that the above is happening
What above is happening? You're writing back to the spammer? I don't see how else he's going to get what you call an "address returned". Or do you really believe that spammers take the time to harvest addresses from delivery errors? If so, then what leads you to believe that, since all it would do is give spammers a list of addresses that are known to be no good?

and the address is not generic
What's your definition of a generic address? I have no idea what you mean.

then the problem to users is once they move to a server without features like this they could be flooded with Spam.
I'd be a bit more forceful than you; I'd say anyone who has a domain hosted somewhere without SpamBlocking will be flooded with spam, which will have to be handled in some way either automatically or manually.

I am not saying SpamBlocker is bad I just disagree with a bounce message from me.
Then don't use SpamBlocker.

Or rewrite it to drop rather than reject.

However if you drop email based on inclusion in spam block lists then you will see some repercussions, sooner or later:

1) you may drop some legitimate email without warning

2) if you ever need to post for help to any anti-spam lists you won't get much until you become RFC-compliant.

3) you will continue to receive email from the few spammers who would otherwise drop you once they get a certain number of bounces (some spammers do drop; most don't).

That is as bad as people who leave up vacation messages and are flooded with mail.
I have no idea what you mean by this either.

As far as the RFC's are concerned we don't allow domain literals :-)
Actually a good many of us do, especially for postmaster accounts.

We both know you can't follow the RFC's 100% right now till new ones are released to deal with the spam epidemic.
Do what you want.

Something tells me you will.

Something tells me you will continue to tell people who don't understand the ramifications of doing it your way, to do it your way, because you think it's the best way, and the fact that the concensus of the internet is that you're wrong just doesn't matter to you.

That's fine. Drop anything you want. Tell anyone else to drop anything you want.

Jeff

existenz
06-22-2004, 10:22 AM
I don't think we are on the same page! Bottom line lets say you email me and you are rejected, what address does that email come from?

nobaloney
06-22-2004, 12:01 PM
If I email you, and you reject me using the default installation of SpamBlocker I'll get a message from my mailserver telling me it couldn't deliver the message because your mailserver refused the message.

If my mailserver is properly configured (mine is) it will also tell me the error message your server told it, when it refused to accept the message.

Spamblocker is configured to send a message telling me to go to a website to be unblocked.

Spammers configure their mailservers so they won't get delivery errors; since they get thousands of them an hour they just ignore them.

Jeff

ret
06-29-2004, 11:34 PM
is this conf now included in DA 1.222?

thoroughfare
07-01-2004, 05:19 PM
If this is released as part of the default DA install, can we disable it, or use it on a per-user basis? I already have MailScanner running quite nicely and some customers have expressed concerns over blocking emails according to blacklists rather than content, and I agree with them to some extent. I'd like to at least give them the choice.

Matt

nobaloney
07-01-2004, 05:51 PM
I haven't seen the DA version yet, though I'd bet they implemented it much as I did:

In my implementation no domain will have its email blocked by blocklists unless it's listed in the file /etc/virtual/use_rbl_domains.

Jeff
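
The per-domain opt-in just described, together with the block lists named earlier in the thread, the fqdn whitelist and the bad_sender_hosts file, can be modelled as one RCPT-time decision. The block below is an added illustration, not the thread's exim.conf: the ordering of the checks follows what the thread describes, while the function names, the list contents, the reject text and the fake DNS answers are constructed for this example.

```python
"""Simulation of a SpamBlocker-style RCPT-time decision (added example, not exim itself)."""
import ipaddress
from typing import Callable, Optional, Tuple

# DNSBL zones named in the thread (RSS-1.2da switched sbl to sbl-xbl).
DNSBL_ZONES = ("sbl-xbl.spamhaus.org", "bl.spamcop.net", "dnsbl.njabl.org")

# Placeholder for the "visit our website to be whitelisted" text in the real file.
REJECT_TEXT = "550 Rejected by SpamBlocker; see http://unblock.example.invalid/"

# Constructed stand-ins for /etc/virtual/use_rbl_domains, whitelist_from and bad_sender_hosts.
USE_RBL_DOMAINS = {"dum.net"}                               # only these recipient domains are checked
WHITELIST_FROM = {"g69119.upc-g.chello.nl"}                  # fqdn of a sending host, as the thread advises
BAD_SENDER_HOSTS = {"192.0.2.99", "mail.spammer.invalid"}    # local block file: IPs or hostnames

# Constructed DNS answers; a real check issues an A query against each zone.
FAKE_DNS = {
    "44.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.2",
    "7.2.0.192.bl.spamcop.net": "127.0.0.2",
}

Resolver = Callable[[str], Optional[str]]  # name -> A record text, or None for NXDOMAIN
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for a DNS A lookup against the constructed table above."""
    return FAKE_DNS.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 192.0.2.44 -> 44.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip: str, resolve: Resolver) -> Optional[str]:
    """Return the first zone that lists ip, or None; a listing answers inside 127.0.0.0/8."""
    for zone in DNSBL_ZONES:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None and ipaddress.IPv4Address(answer) in LISTED_NET:
            return zone
    return None


def rcpt_decision(sender_ip: str, sender_host: Optional[str], rcpt_domain: str,
                  use_rbl_domains=USE_RBL_DOMAINS, whitelist_from=WHITELIST_FROM,
                  bad_sender_hosts=BAD_SENDER_HOSTS,
                  resolve: Resolver = fake_resolve) -> Tuple[bool, str]:
    """Decide at RCPT time; returns (accepted, SMTP response text)."""
    host = (sender_host or "").lower()
    # 1. Blocking is opt-in per recipient domain: nothing is blocked by default.
    if rcpt_domain.lower() not in use_rbl_domains:
        return True, "250 Accepted (domain not in use_rbl_domains)"
    # 2. A whitelisted sending host bypasses every check below.
    if host and host in whitelist_from:
        return True, "250 Accepted (sending host whitelisted)"
    # 3. Local block file, matched by IP or by hostname.
    if sender_ip in bad_sender_hosts or (host and host in bad_sender_hosts):
        return False, REJECT_TEXT + " (bad_sender_hosts)"
    # 4. Public block lists; a permanent 5xx lets a compliant sending MTA bounce to its user.
    zone = dnsbl_listed(sender_ip, resolve)
    if zone is not None:
        return False, REJECT_TEXT + f" (listed in {zone})"
    return True, "250 Accepted"


if __name__ == "__main__":
    for ip, host in [("192.0.2.44", "bear.dum.net"), ("192.0.2.44", "g69119.upc-g.chello.nl"),
                     ("192.0.2.7", None), ("192.0.2.99", None), ("198.51.100.5", "mx.example.org")]:
        print(ip, host, "->", rcpt_decision(ip, host, "dum.net"))
```

Because the whitelist entry is compared against the sending host's name, a bare IP or a wildcard such as 122.122.*.* would never match, which is the point made later in the thread about domainlist entries.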

sHuKKo
07-05-2004, 01:56 PM
Hi
I want to add a whole /14 ip block to whitelist_from file.
for example I want to unblock for any senders from
122.122.0.0 to 122.125.255.255 IP addresses. will adding 122.122.0.0/14 directly work? or do I have to add all these 262.000 ip addresses line by line ? :)

what are the correct whitelist_from expressions? only 1 line for 1 ip or allows me some kind of wildcards for ip addresses such as 122.122.*.* ?

nobaloney
07-05-2004, 03:38 PM
whitelist_from is a standard exim.conf domainlist file and the entries therein must follow the specifications for such lists.

Check here (http://www.exim.org/exim-html-4.30/doc/html/spec_10.html#SECT10.7) for complete information on exim domain lists.

Or to be just a bit simplistic, they must be domain names, not IP#s.

You can block IP# access to port 25 using your firewall.

Jeff

interfasys
07-08-2004, 04:28 PM
Should we donate $$ so that those blocker projects stay alive?

nobaloney
07-08-2004, 05:47 PM
Speaking for me and for SpamBlocker, it will definitely stay alive.

Of course a new car would be nice ;) .

Jeff

interfasys
07-09-2004, 02:40 AM
So where's the donate button? :)

nobaloney
07-09-2004, 12:31 PM
Sounds as if you're serious :) .

I suppose you could find my main website (info in my sig), find the Payments link, and then click on the PayPal button, but only if you really are serious; I don't require donations to continue doing what I do.

Note if you do that we accept PayPal payments under the name EZInternetUSA, since PayPal limits us to one business account for all our services.

I just spoke to PayPal, and I can set up a personal account, in addition to my business account, but it can only get PayPal balance or checking account.

Should I set that up as well? What do others do when put in the position of getting donations?

Do they take it at their standard PayPal account, or do they create a new personal account where they can't accept Credit Card payments?

Or do they use some other provider?

Thanks for the thought :) .

Jeff

interfasys
07-09-2004, 01:13 PM
I went to your Paypal page, but it was asking for a " Payment on Account" amount, so I figured it would be better to get your opinion on this.

If those blockers are personal projects, I don't see why you wouldn't be able to setup personal accounts. Better check with your company ;)

nobaloney
07-09-2004, 04:06 PM
Hi, Olivier.

I am nobaloney.net, so a Payment on Account to nobaloney.net / EZ Internet USA will come to me :) , and the description of "donation" or anything else would be fine.

Jeff

interfasys
07-09-2004, 04:23 PM
Make sure you add your Paypal email to your posts about GPL apps ;)

nobaloney
07-09-2004, 07:29 PM
What do you think if I set up a PayPal personal account; that way people will only be able to donate by echeck or by PayPal balance, but at least it will be separate.

PayPal only allows you to have one account for either Business or Premier, and I already have the business account.

So what do you think?

Thanks.

Jeff

interfasys
07-10-2004, 03:00 AM
paypal@nobaloney.net worked for me. I think you should just create a donate button that uses that address.

nobaloney
07-10-2004, 08:36 AM
Thanks, Olivier. I'll do it but it'll probably have a slightly different address; I can have multiple addresses with PayPal.

Jeff

hci
07-10-2004, 10:53 AM
Which modifications were made in exim.conf for Spamblocker? I am trying to figure out what was there before since my Directadmin install came with Spamblocker.

I want to use Spamassassin instead and tag all spam so as to give the end email user complete control over what is filtered.

Matthew

nobaloney
07-11-2004, 05:55 PM
Did you install my SpamBlocker file found at "http://www.nobaloney.net/exim/" or some other file, perhaps installed with your DA installation?

Our most recent DA installation was a few days ago, and it did NOT include the SpamBlocker exim.conf file, so I'm not sure what you mean by "my Directadmin install came with Spamblocker".

My SpamBlocker exim.conf file does not block anything by default, and it does have the calls to the standard DA installation of SpamAssassin built into it by default as well, so SpamAssassin should work out of the box.

Jeff

interfasys
07-12-2004, 12:52 AM
hci, you have to download a separate exim pack to get it.

Then, there is an excellent how to that helps you add antivirus scanning to this setup.

Also, don't forget to add domain names with which you want to use RBLs to the special rbl file.

sHuKKo
07-12-2004, 03:32 AM
http://files.directadmin.com/services/8.0/da_exim-4.34-1.i386.rpm

the new exim 4.34 rpm contains spamblocker modifications already.
It's not mentioned anywhere in forum but I think john released it silently :)

just upgrade with rpm -Uvh

PS: this rpm does not create the necessary files in the /etc/virtual folder; you have to create them and chown + chmod them :)

nobaloney
07-12-2004, 08:58 AM
Originally posted by hci
Which modifications were made in exim.conf for Spamblocker? I am trying to figure out what was there before since my Directadmin install came with Spamblocker.
Because I haven't yet installed the new exim update from DA I don't know the contents of their exim.conf file.

Can you please send me a copy, to my email address (below in my sig)? That will help me answer your question.

I want to use Spamassassin instead and tag all spam so as to give the end email user complete control over what is filtered.
My original SpamBlocker exim.conf file automatically had SpamAssassin turned on and SpamBlocker turned off, but I don't know if the DA folk implemented it that way or not. So please send me a copy so I can help you.

Jeff

hci
07-19-2004, 07:20 AM
How about instead of blocking the SPAM mark it all as low priority. Outlook Express can filter based on priority. Hopefully most users that don't want SPAM filtering at all won't be too annoyed by a simple change of priority.

I think Razor and DCC+ are critical for effective SPAM filtering as well. They filter based on signature like a virus scanner.

Matthew

twhiting9275
07-19-2004, 10:44 AM
RBLS have two actions available to them:
warn and block
warn would allow the spam through, but it's not wise to allow an entire rbl such as spamcop through with a simple warning.

In the past few weeks that this thing has been in effect on my server, it's dropped more than 8000 messages that would have been spam, undoubtedly. This saves me the time of having to address each and every one of those, and as we all know time = $ .

Adjusting something's priority really shouldn't be done unless absolutely necessary. When ISP's learn to stop spammers, then they'll have no issue with the RBL's, and we'll be in a far better place as far as the internet is concerned.

sHuKKo
07-19-2004, 03:02 PM
Total domains on server: 546
Total mail addresses on server: 2214

Total rejected spam mails for the period of 2004-07-04 04:02:30 till 2004-07-11 04:02:09 / 1 week total: 178.214

It's working :)

nobaloney
07-20-2004, 09:25 PM
Originally posted by hci
How about instead of blocking the SPAM mark it all as low priority. Outlook Express can filter based on priority. Hopefully most users that don't want SPAM filtering at all won't be too annoyed by a simple change of priority.
I don't believe in filtering spam at all.

For several reasons.

Among others:

1) It doesn't work. It just ups the ante; the filter guys create a new filter, the spammers a new way around it. It's a never ending battle. Lately I've seen spam that can make it through any filter at all (and in fact does. It consists of a page from a book [any book] as text in the text part of the message, and in the html message a simple html page that calls up the actual spam over the Internet. It's going to be hard to filter that out.

2) It keeps the cost of spam squarely on the recipient's shoulders, where it doesn't belong.

You, of course, may feel differently, and you can certainly do all the filtering you want.

For example, we offer on our boxes (and the new exim.conf file we've donated to the community does as well) both SpamBlocker and SpamAssassin, so our domain owners can take their choice of what they want on their servers.

I think Razor and DCC+ are critical for effective SPAM filtering as well. They filter based on signature like a virus scanner.
Then go ahead and use them :) .

Jeff

nobaloney
07-20-2004, 09:39 PM
Originally posted by twhiting9275
RBLS have two actions available to them:
warn and block
Actually, as most RBL operators tell you on their home pages, RBLs do nothing at all, except list domains that some people think host spam.

What we do with the RBL lists is entirely up to us. And I choose to block :) . Because I don't want to pay for the spam.

Jeff

nickc
08-01-2004, 08:28 AM
Wow! This looks really good. One question though, how will using this file affect the preferences set up in DA itself?

For example, in DA you can block certain e-mail addresses, certain words, etc. Will this still function correctly when used in conjunction with SpamBlocker?

I also can't see any virus filtering in the file. Is this something you will be adding in the future?

nobaloney
08-01-2004, 11:02 AM
Originally posted by nickc
Wow! This looks really good.
Thanks. DA staff seems to think so as well; they tell me they'll be adding it to a future DA release.

One question though, how will using this file affect the preferences set up in DA itself?

For example, in DA you can block certain e-mail addresses, certain words, etc. Will this still function correctly when used in conjunction with SpamBlocker?
In a word, yes.

However DA cannot whitelist SpamBlocker; please read the SpamBlocker exim.conf file carefully; it's well documented.

SpamBlocker is turned off for every domain by default. You can turn it on or off on a per domain basis. You can blacklist domains (blacklisting them here is much more efficient than through any other method) and you can whitelist mailservers.

I also can't see any virus filtering in the file. Is this something you will be adding in the future?
Yes, see this thread (http://www.directadmin.com/forum/showthread.php?s=&threadid=3155).

Jeff

sander815
08-02-2004, 01:25 AM
Originally posted by sHuKKo
Total domains on server: 546
Total mail addresses on server: 2214

Total rejected spam mails for the period of 2004-07-04 04:02:30 till 2004-07-11 04:02:09 / 1 week total: 178.214

It's working :)


how do you get these figures out of your box? some command?

sHuKKo
08-02-2004, 08:32 AM
examine the log

/var/log/exim/rejectlog

jechilt
08-08-2004, 01:24 AM
greetings....

still green behind the ears with DA and all the cool tools and programs out there.

i am confused with spamblocker.
i definitely want to run spamblocker with spam assassin with something like clamAV...but get confused when i read through the forums whether this stuff is already included with DA or not.
today, i looked at the upgrade info page http://www.directadmin.com/versions.php?action=allversions

I don't see anything about spamblocker being added. So, if I read the upgrade info page correctly, how can the post in this thread be accurate to the point of spamblocker being included in DA? I am not trying to make a mountain out of a molehill, but being new makes it that much harder to get caught up and understand (been in the MS world too long, I guess)...

Since moving from cPanel, things are a little more simple and more challenging at the same time. For example, spamassassin is available via gui. DA apparently is not since I can't find it anywhere.

Our system is running vs 1.224

any guidance would be greatly appreciated.

kind regards...

nobaloney
08-08-2004, 07:20 AM
Take a look at your /etc/exim.conf file.

Does it look like this (http://www.nobaloney.net/downloads/spamblocker/DirectAdmin/exim.conf.spamblocked)?

If it does, it's the spamblocker version.

If not, you can download it from the above URL using wget, right to your server, and install it.

However you MUST add the files and make the changes noted in the notes at the top.

By default, in my download version, SpamBlocker is turned off and SpamAssassin is turned on.

If you want to merge it with an Anti-Virus solution before I do my official one, you're on your own :) .

Jeff

interfasys
08-08-2004, 07:42 AM
A faster way to get going is to install the latest da_exim packages. It comes with spamblocker. Then follow the clamav + exiscan howto and add the domains you want to free from spam to the "rbl whitelist".

nobaloney
08-08-2004, 08:59 AM
Well, I'm not sure that's faster than installing one file and creating three directories...

but if you think so... :)

To each his/her own.

The Anti Virus solution you mention filters viruses, but still accepts them on the server.

Our solution will block them at data time; so they won't end up on your server with you wondering what to do about them.

Either way, SpamBlocker works!

Jeff

interfasys
08-08-2004, 09:11 AM
You're right about the way clamav works, but it's the only available solution right now ;)

Barty
08-11-2004, 01:19 AM
I enabled the spamblocker script yesterday, now i'm getting some weird stuff.

Mail from one of my domains is being redirected (?) to my email adress... somehow...

The mail is directed to user@domain.com, but it ends up in my mailbox.

Excerp from my maillog:
2004-08-11 09:56:16 1Buny3-0005yU-NF => bart <user@domain.com> F=<sender@domain2.com> R=virtual_user T=virtua...

bart is my account. my account is in no way related or linked to user(@domain.com).

Any ideas? Problem is only with this domain afaik, and not all mail gets 'redirected' to my account, i think.

jjma
08-11-2004, 02:11 AM
Originally posted by jlasman
Our solution will block them at data time; so they won't end up on your server with you wondering what to do about them.

Either way, SpamBlocker works!

Jeff

That sounds good - when can we see a solution?

regards

Jon

nobaloney
08-11-2004, 09:46 AM
I don't have a date yet.

I was to have worked on it this week, but I had some car problems, some servers that needed work, and a bad cold that keeps me away from the computer a lot of hours.

:(

I hope, soon.

Jeff

Auraka
08-15-2004, 12:04 PM
Thanks for all your hard work on this project, I just installed the new DA exim package so I guess I'm not using spamblocker as well :-)

nobaloney
08-15-2004, 03:56 PM
In the new DA exim package you should find an exim.conf file that includes DA.

Don't forget to create the necessary directories (see the comments in the exim.conf file) if they're not there already.

But by default no domains make use of SpamBlocker; you'll have to put domain names into /etc/virtual/use_rbl_domains.

(You don't have to restart anything.)

Jeff

sHuKKo
08-17-2004, 07:39 AM
Is there any other special way of adding IP addresses to the whitelist_from file to make it work?

I try to add

*@domain.com
dslxx-xx-50293.adsl.xxnet.net.tr
81.2xx.1x6.117
mailsrv.domain.com
domain.com

Not working; mail from this IP address is still blocked.

I also try to add domains just like this into whitelist_from file

whitelist_from user@domain.com
whitelist_from 1.1.1.1
whitelist_from *@domain.com

Its still not working

I double checked permissions etc
-rw-r--r-- 1 mail mail 111 Aug 17 17:15 /etc/virtual/whitelist_from

No solution

I checked exim.conf line bye line nothing wrong I found

what am I doing wrong?

I just want to whitelist an ip address and accept mail from it for all my domains in use_rbl_domains file

nobaloney
08-17-2004, 10:22 AM
It's possible it doesn't work properly by IP#; I'll check into it.

If it needs a change to make it work with IP#s, I'll make the change and announce it in this thread.

Jeff

vincenzobar
08-18-2004, 08:33 PM
EDITED for my own stupidity!!!!!!!

i named the whitelist file wrong, lol

thanks for the mod!

vincenzobar
08-19-2004, 06:12 AM
can someone post an example of text that goes in black list.

I got nailed with SpamAssassin and SpamBlocker with about 10 emails from Rx companies and other BS. Somehow they all got through and I want them gone.

These all-text messages are tricky, eh. Is there a way to block emails that use the whole "mort.gage looan" technique?

Im just learning this spam blocking thing, lots of fun!!!!

:confused: :confused: :confused:

motobrandt
08-19-2004, 07:26 AM
The short answer is that you take a look at the headers of offending spam and find the mailserver that sent it and add the name of that mailserver to /etc/virtual/blacklist_domains .

The problem here is "How does one decipher the headers?" With all of the relaying and spoofing that goes on it's very difficult, for me at least, to decipher and figure out what mailserver to block. Usually I just find IP addresses and throw them in the blacklist_domains file. But I don't even know if that really works or not.

Can someone explain how to read a header that contains some BS? Or better yet give a web resource that will help? Here is an offending header. What do I add to the blacklist_domains file?

Received: from mail by lucie.bli.net with spam-scanned (Exim 4.24)
id 1BxefY-000GkW-C0
for carl@domain.com; Wed, 18 Aug 2004 21:36:56 -0700
Received: from lns-th2-4f-81-56-240-210.adsl.proxad.net ([81.56.240.210])
by lucie.bli.net with smtp (Exim 4.24)
id 1BxefS-000GkO-F1
for carl@domain.com; Wed, 18 Aug 2004 21:36:52 -0700
Received: from 12.48.190.46 by web019.mail.yahoo.com; Wed, 18 Aug 2004 22:35:07 -0700
From: "Carla Cummins" <OYVEHY@msn.com>
To: carl@domain.com
Subject: carl@domain.com
Date: Thu, 19 Aug 2004 02:33:07 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--93560288463485817"
X-CS-IP: 248.84.138.42
X-lucieblinet-MailScanner: Found to be clean, Found to be clean, Found to be clean, Found to be clean
X-lucieblinet-MailScanner-SpamCheck: spam (blacklisted), spam (blacklisted), spam (blacklisted), spam (blacklisted)
X-Username: carl@domain.com
Resent-To: "spam@bli.net" <spam@bli.net>
Resent-From: Carl Ratliff <carl@domain.com>
Resent-Date: Wed, 18 Aug 2004 21:49:01 -0700
Resent-Message-ID: <IVPSXZBRXVGWFXQEBWKFJ@hotmail.com>
X-Username: spam@bli.net
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on lucie.bli.net
X-Spam-Level: ****
X-Spam-Status: No, hits=4.6 required=8.0 tests=CLICK_BELOW,EXCUSE_3,
HTML_60_70,HTML_IMAGE_ONLY_04,HTML_LINK_CLICK_HERE,HTML_MESSAGE,
MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,REMOVE_PAGE
autolearn=no version=2.63
X-lucieblinet-MailScanner-Information: Please contact the ISP for more information

vincenzobar
08-19-2004, 07:50 AM
I just spent 30 minutes looking for already created black lists and found this one with over a million.

bigblacklist (http://urlblacklist.com/?sec=download)

I unzipped it and it is a ton of folders all categorized by genre of spam, and inside are lists of domains and URLs.

I guess i just copy and paste all domains and IPs in list format with no special code into the blacklist_domains File???

I can find nothing on this on the web. google groups is even being a bitch about returning what i want!!!!!!!well I guess its time to experiment

any info is greatly appreciated!

interfasys
08-19-2004, 07:58 AM
motobrandt, you seem to be running Mailscanner. You have to get rid of it before you use Spamblocker (meaning undoing all the changes you have done and removing those folders you did create).

Add your domains to the rbl file, activate spamassassin (follow DA instructions), activate clam (there is a good howto) and that's it.

motobrandt
08-19-2004, 08:56 AM
Originally posted by interfasys
motobrandt, you seem to be running Mailscanner. You have to get rid of it before you use Spamblocker (meaning undoing all the changes you have done and removing those folders you did create).

Add your domains to the rbl file, activate spamassassin (follow DA instructions), activate clam (there is a good howto) and that's it.
What??? Why do I have to get rid of Mailscanner? Everything seems to be working fine. Except the fact that I don't truly know how to read a header or what to put in the blacklist_domains file.

Do tell me what the issue with Mailscanner is.

Thanks,
Brandt

nobaloney
08-19-2004, 10:03 AM
Where did you get your exim.conf file?

Do you have my SpamBlocker code in your exim.conf file, as well as the MailScanner code?

I suppose you could use both, but I don't know if anyone has properly implemented it.

Anyway, to get the name of the server to block:

The top "Received:" line that's accepting email from an outside email is the line that's got the name of the mailserver you want to stop.

Someone has brought to my attention that IP#s may not be working in the blocklist; I'm not sure, because I use names and not IP#s.

So I'll be checking further as time permits and make any required changes.

Jeff
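The header-reading step Jeff describes above (the topmost "Received:" line stamped by your own server that accepted the message from an outside host is the one naming the mailserver to block), as an added example that is not part of the original thread or of SpamBlocker itself. It assumes the receiving host is lucie.bli.net, as in the header motobrandt posted, and that Received: lines use Exim's default layout as shown there; the internal "from mail ... with spam-scanned" hop is the spamcheck re-injection from exim.conf, not the sender, and anything below the first line not written by our own host was supplied by the sender and may be forged (the web019.mail.yahoo.com line is such a forgery).

```python
import re

# Hostname of the receiving MTA, taken from the posted header (assumption: it is the
# only host whose Received: lines we trust).
OUR_HOST = "lucie.bli.net"

# The header motobrandt posted, embedded so the script runs offline. Continuation lines
# are tab-indented as in a raw message.
SAMPLE_HEADER = """\
Received: from mail by lucie.bli.net with spam-scanned (Exim 4.24)
\tid 1BxefY-000GkW-C0
\tfor carl@domain.com; Wed, 18 Aug 2004 21:36:56 -0700
Received: from lns-th2-4f-81-56-240-210.adsl.proxad.net ([81.56.240.210])
\tby lucie.bli.net with smtp (Exim 4.24)
\tid 1BxefS-000GkO-F1
\tfor carl@domain.com; Wed, 18 Aug 2004 21:36:52 -0700
Received: from 12.48.190.46 by web019.mail.yahoo.com; Wed, 18 Aug 2004 22:35:07 -0700
From: "Carla Cummins" <OYVEHY@msn.com>
To: carl@domain.com
Subject: carl@domain.com
"""

# Exim's default Received: layout as it appears in the posted header:
#   from <name> ([<ip>]) by <host> with <protocol> ...
# Other MTAs (and Exim with a custom received_header_text) format this differently.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<from>\S+)"
    r"(?:\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"
    r"\s+by\s+(?P<by>[^\s;]+)"
    r"(?:\s+with\s+(?P<with>[^\s;]+))?",
    re.IGNORECASE,
)

# Hops our own server adds when it hands the message to spamc and re-injects it
# (the "-oMr spam-scanned" transport in exim.conf); these never name the sender.
INTERNAL_FROM = {"mail", "localhost", "127.0.0.1"}
INTERNAL_PROTOCOLS = {"spam-scanned", "local"}


def unfold(header_text):
    """Join RFC 2822 folded continuation lines (leading space/tab) onto their header."""
    lines = []
    for raw in header_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def find_handoff(header_text, our_host=OUR_HOST):
    """Return (hostname, ip) of the outside host that delivered the message to our_host.

    Received: lines are read top-down, newest first. Only lines stamped 'by our_host'
    are trusted; the first line written by anyone else marks the point below which the
    sender controlled the headers, so the search stops there and returns None.
    """
    for line in unfold(header_text):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        if m.group("by").lower() != our_host.lower():
            return None
        frm = m.group("from").lower()
        proto = (m.group("with") or "").lower()
        if frm in INTERNAL_FROM or proto in INTERNAL_PROTOCOLS:
            continue  # our own spamcheck re-injection, keep looking further down
        return frm, m.group("ip")
    return None


if __name__ == "__main__":
    print(find_handoff(SAMPLE_HEADER))
```

On the posted header this returns the proxad.net hostname and 81.56.240.210; the hostname is what you would add to a host-based blocklist once one exists, and the From: address (an msn.com mailbox here) is not a useful blacklist_domains entry because blocking a whole freemail domain also blocks its legitimate users.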

motobrandt
08-19-2004, 10:42 AM
Jeff,
I am using the original spamblocker exim.conf (not sure if it has changed over the last couple months) I added this at the top for Mailscanner.

spool_directory = /var/spool/exim.in
queue_only = true
queue_only_override = false
no_message_logs
log_file_path = /var/log/exim/%s

And I commented out the spamassassin stuff as it's already running under mailscanner.

# Spam Assassin
#spamcheck_director:
# driver = accept
# condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}} {!eq {$received_protocol}{local}} } {1}{0}}"
# retry_use_local_part
# transport = spamcheck
# no_verify

errrr.... well this stuff isn't commented out. It's just down from that last stuff.

# A transport is used only when referenced from a director or a router that
# successfully handles an address.


# Spam Assassin
begin transports

spamcheck:
driver = pipe
batch_max = 100
command = /usr/sbin/exim -oMr spam-scanned -bS
current_directory = "/tmp"
group = mail
home_directory = "/tmp"
log_output
message_prefix =
message_suffix =
return_fail_output
no_return_path_add
transport_filter = /usr/bin/spamc
use_bsmtp
user = mail
# must use a privileged user to set $received_protocol on the way back in!

Do you want to see the whole file? or does it matter to you?
:rolleyes:

nobaloney
08-20-2004, 09:49 AM
Originally posted by motobrandt
I am using the original spamblocker exim.conf (not sure if it has changed over the last couple months) I added this at the top for Mailscanner.
I presume you read the comments in the SpamBlocker exim.conf file and created the necessary directories. I also presume you restarted exim after you installed the new exim.conf file and after each change you made.

Do you want to see the whole file?
That depends what you want me to help you with :) . In my last post I gave you information on what needs to be in the blocklist, and where to find it. Do you need any other information or help from me?

or does it matter to you?
I was wondering how you implemented it because I'm working on my implementation. However my implementation will work during data time, so I most likely won't use MailScanner.

Jeff

nobaloney
08-20-2004, 09:59 AM
Originally posted by vincenzobar
I just spent 30 minutes looking for already created black lists and found this one with over a million.
It's not one list; it's lots of them.

As currently implemented, the spamblocker blocklist works on domains taken from from-addresses. I'll soon be issuing an update that also works with hostnames. bigblocklist appears to have domains from from-addresses, so the domains should work, though the IP#s won't.

(I'm still studying whether or not IP#s will work in the hostnames blocklist.)

However you should know that exim will parse these lists in realtime each time an email comes in. Do you really want to slow down your server searching over a million?

I wouldn't do it this way.

If I were going to do it (and I'm most likely not) I'd create my own DNS blocklists. There are instructions for doing this; you can google for them if you decide to do it.

Note however that this method requires hostnames, not from-domains, so this list may be useless, depending on how it was created. It does NOT require you know the IP#s; only that you know how to send back an arbitrary IP# that explains the meaning for the block.

Jeff

vincenzobar
08-20-2004, 04:14 PM
Ok these few questions should be all i need before i fully understand this 'ish.




Return-path: <9296.6062652@4oh5.com>
Envelope-to: enzo@underwater-design.com
Delivery-date: Fri, 20 Aug 2004 16:09:08 -0400
Received: from mail by server.Innerearaudio.com with spam-scanned (Exim 4.24)
id 1ByFhD-0005Am-Tf
for enzo@underwater-design.com; Fri, 20 Aug 2004 16:09:08 -0400
Received: from localhost by server.Innerearaudio.com
with SpamAssassin (2.64 2004-01-11);
Fri, 20 Aug 2004 16:09:07 -0400
From: Hot Flashes Be Gone <9296.6062652@4oh5.com>
To: <enzo@underwater-design.com>
Subject: Is there relief from menopause?
Date: Fri, 20 Aug 2004 14:08:32 -0800
Message-Id: <wGgIxbJyihakizKBkihxA-Gsxi@4oh5.com>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on
server.Innerearaudio.com
X-Spam-Level: *****
X-Spam-Status: Yes, hits=5.9 required=5.0 tests=CLICK_BELOW,EXCUSE_16,
FREE_SAMPLE,FROM_ENDS_IN_NUMS,HTML_30_40,HTML_IMAGE_ONLY_12,
HTML_MESSAGE,HTML_TAG_BALANCE_TABLE,HTML_TITLE_UNTITLED,HTML_WEB_BUGS
autolearn=no version=2.64
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_41265A63.F66B82C8"


the bolded From: Hot Flashes Be Gone <9296.6062652@4oh5.com> Is this what you are talking about!

do I enter this into blacklist_domains or use_rbl_domains and do i type it in the file like this:

from-9296.6062652@4oh5.com
or
9296.6062652@4oh5.com

All i have read on the net is all this perl code like S=amazon;hotmail to be entered into files. I have spent 3 days researching on the net and have found nothing useful and im the only computer geek of all the people i know in person. this sux :-(

I see in this thread it talks about enabling SpamBlock in conf but all i did was copy paste and according to my header it seems to be working, i think, but i still get a butt load of spam and SpamAssassin is catching it all. I have read through all the code but can't understand it well enough to figure out what to do exactly ( i need my hand held- *what a b!tch i am when it comes to this stuff*)

Also in reading this post - what do you mean enter domains in use_rbl_domains. My domains like www.underwater-design.com or the ones i don't want coming through. if its for non wanted then whats the black list for? I am so confused, I think my brain is fried!

BTW i have aol IM and am vincenzobar if you think IM would be easier to solve this and clarify my questions!

vincenzobar
08-20-2004, 04:16 PM
oh and yeah i just chose the ones from the majority of the mail i got like from folder drugs and loans or what ever it was!

nobaloney
08-20-2004, 05:11 PM
Originally posted by vincenzobar
the bolded From: Hot Flashes Be Gone <9296.6062652@4oh5.com> Is this what you are taling about!
Part of it.

do I enter this into blacklist_domains or use_rbl_domains and do i type it in the file like this:

from-9296.6062652@4oh5.com
or
9296.6062652@4oh5.com
You enter just the domain part of the from address, to /etc/virtual/blacklist_domains.

In other words, to block emails sent from this sender you'd add:

4oh5.com

into /etc/virtual/blacklist_domains.

use_rbl_domains is for something completely different... it's for the list of domains hosted on your server which should use SpamBlocked features.

For example, if you want all your domains to use SpamBlocked features (we don't recommend this; we recommend making it a domain-owner's option), you could make it a link to /etc/virtual/domains.

Otherwise you can copy and paste domains from /etc/virtual/domains to /etc/virtual/use_rbl_domains so these domains will use SpamBlocked features. Any domains on your server not listed in /etc/virtual/use_rbl_domains will NOT use SpamBlocked features.

All i have read on the net is all this perl code like S=amazon;hotmail to be entered into files. I have spent 3 days researching on the net and have found nothing useful and im the only computer geek of all the people i know in person. this sux :-(
I don't know what you're looking for so I can't make sense of this paragraph.

I see in this thread it talks about enabling SpamBlock in conf but all i did was copy paste and according to my header it seems to be working, i think, but i still get a butt load of spam and SpamAssassin is catching it all. I have read through all the code but can't understand it well enough to figure out what to do exactly ( i need my hand held- *what a b!tch i am when it comes to this stuff*)
If you're still getting lots of spam, then it's probably not working. Did you have the same exim.conf file as that downloadable at http://www.nobaloney.net/downloads? If so, did you check to make sure all the required files have been added to the /etc/virtual directory? Have you created the website for the redirect, and changed the exim.conf code to redirect to your own website?

If you've done all of the above and restarted exim, then you shouldn't be getting too much spam caught by SpamAssassin at all.

Also in reading this post - what do you mean enter domains in use_rbl_domains. My domains like www.underwater-design.com or the ones i don't want coming through. if its for non wanted then whats the black list for? I am so confused, I think my brain is fried!
I answered this above. Only thing I'll add here is that we want the domains as people address email to them; in other words example.com, not www.example.com.

BTW i have aol IM and am vincenzobar if you think IM would be easier to solve this and clarify my questions!
I don't use any kind of IM; though I type at over 100 wpm, I think about a hundred times faster than that, and I find IM just a waste of time for me.

The best place to get help from me at no charge is here on the forum. Of course my business is working for webhosting companies, and we can do administration work, or even install software (such as SpamBlocker) for you if you wish. However, for that there is a charge.

Jeff
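The three control files Jeff explains above (use_rbl_domains selects which hosted domains get the checks at all, blacklist_domains holds the domain part of unwanted From addresses, and the whitelist names mailservers to let through), as an added example that is not the SpamBlocker exim.conf and not part of the original thread: a Python model of the RCPT-time decision. Assumed, not from the thread: the order in which the checks run, the name whitelist_hosts for what the thread calls whitelist_from, the placeholder RBL zone rbl.example and the in-memory resolver. The DNSBL lookup itself (reverse the IPv4 octets, append the list's zone, an A record in 127.0.0.0/8 means listed) is how real lists such as spamcop answer.

```python
import ipaddress


def load_list(text):
    """Parse one of the /etc/virtual control files: one domain or host per line,
    blank lines and '#' comments ignored, lower-cased. Entries containing '@' are
    refused because these files hold domains and hosts, not addresses."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if "@" in line:
            raise ValueError(f"not a domain/host entry: {line!r}")
        entries.add(line)
    return entries


def dnsbl_query_name(ip, zone):
    """DNSBL lookup name for an IPv4 address: octets reversed, then the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone, resolve):
    """A DNSBL answers with an A record in 127.0.0.0/8 for listed addresses and
    NXDOMAIN (here: an empty list) otherwise. resolve(name) -> list of A records."""
    return any(addr.startswith("127.") for addr in resolve(dnsbl_query_name(ip, zone)))


def check_rcpt(sender, rcpt, peer_host, peer_ip, cfg, resolve):
    """Model of the per-recipient decision described in the thread (assumed order:
    opt-in check, host whitelist, sender-domain blacklist, RBLs). Returns
    (verdict, reason)."""
    rcpt_domain = rcpt.rpartition("@")[2].lower()
    sender_domain = sender.rpartition("@")[2].lower() if sender else ""  # "" for bounces

    # Each recipient domain is handled on its own; domains absent from
    # use_rbl_domains get no SpamBlocker checks at all.
    if rcpt_domain not in cfg["use_rbl_domains"]:
        return "accept", "recipient domain not in use_rbl_domains"
    if peer_host.lower() in cfg["whitelist_hosts"] or peer_ip in cfg["whitelist_hosts"]:
        return "accept", "sending host whitelisted"
    if sender_domain and sender_domain in cfg["blacklist_domains"]:
        return "reject", f"sender domain {sender_domain} is in blacklist_domains"
    for zone in cfg["rbl_zones"]:
        if is_listed(peer_ip, zone, resolve):
            return "reject", f"{peer_ip} listed in {zone}"
    return "accept", "no match"


# Constructed configuration using names from the thread; rbl.example is a placeholder
# zone, not a real blocklist, and mail.trusted-partner.example is a made-up host.
CFG = {
    "use_rbl_domains": load_list("innerearaudio.com\nunderwater-design.com\n"),
    "blacklist_domains": load_list("4oh5.com   # Rx spam seen on 20 Aug\n"),
    "whitelist_hosts": load_list("mail.trusted-partner.example\n"),
    "rbl_zones": ["rbl.example"],
}


def fake_resolver(name):
    """Stand-in for DNS so the example runs offline: only one address is 'listed'."""
    answers = {"151.143.182.65.rbl.example": ["127.0.0.2"]}
    return answers.get(name, [])


if __name__ == "__main__":
    print(check_rcpt("ebay4391@indiatimes.com", "info@innerearaudio.com",
                     "65.182.143.151", "65.182.143.151", CFG, fake_resolver))
    print(check_rcpt("promo@4oh5.com", "enzo@underwater-design.com",
                     "mail.4oh5.com", "192.0.2.5", CFG, fake_resolver))
```

The sets here make the lookups cheap, but exim re-reads a plain lsearch file for every lookup, which is why a blocklist with a million entries slows the server down where a DNS-based list, cached by the resolver, does not.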

vincenzobar
08-20-2004, 05:39 PM
Thank you for your responses and trust me i wish i could pay you. But i got 33 dollars to my name until next friday!! lol.

I replaced the example.com with my address but never set up an actual page I will get to that..... Aww DAMN just noticed i must of written over it it wasn't changed... grrrrrrr

Everything else is created, chmod, and chown.

Thanks for the clarification on the three files that helped alot and as far as the "S=amazon;hotmail" crap... Me either!!!!!!!

Ive been so busy on this server and websites i haven't had time for my own so eventually i will get around to updating it, lol. Ill let you know how it turns out!!

i can't thank you enough!!!!

-vin

motobrandt
08-20-2004, 06:11 PM
Originally posted by jlasman
I presume you read the comments in the SpamBlocker exim.conf file and created the necessary directories. I also presume you restarted exim after you installed the new exim.conf file and after each change you made.

That depends what you want me to help you with :) . In my last post I gave you information on what needs to be in the blocklist, and where to find it. Do you need any other information or help from me?

I was wondering how you implemented it because I'm working on my implementation. However my implementation will work during data time, so I most likely won't use MailScanner.

Jeff

Jeff,
Actually if you read the post that got me back into this it was simply about what part of the header do you add to the blacklist_domains file. Everything is working great on my server with Mailscanner running spamassassin and clamav. When I started using your exim.conf file (with some small mods listed above) I received way less spam. But now I am getting lots of it. So my main issue is how to continue to make it better.

I guess I've misunderstood this whole time about what should go in the blacklist_domains file. I thought that it had to be a mailserver name not just a domain name. That sure simplifies things if all that is needed is the domain name.

I'll give it a shot.

vincenzobar
08-20-2004, 07:57 PM
I think you got it working!!!!!!! with my hands of course (i type at like 30 words an hour!!)

this is a stat from rejectlog

2004-08-20 20:26:24 H=(65.182.143.151) [65.182.143.151] F=<ebay4391@indiatimes.com>
rejected RCPT <info@innerearaudio.com>:
to unblock see http://www.underwaterdesign.com/

most of the others are old email address that don't exist any more. But that is my first valid email address turn away!!!!

Thanks alot!!!!!!!!!!!!:D :o ;) :) :cool: :D

vincenzobar
08-20-2004, 08:23 PM
Originally posted by sHuKKo
examine the log

/var/log/exim/rejectlog

I don't see it!?!?!?!

what did you do? vi or pico the log and count???? lol
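How to get figures like sHuKKo's out of /var/log/exim/rejectlog without counting by hand, as an added example that is not part of the original thread. It parses the one-line rejection records (the format of the line vincenzobar posted above), ignores the header dumps exim appends after DATA-time rejections, and totals by reason and by sending IP for a date window. The sample log is constructed for the example; its first line is the posted one, the rest use documentation addresses.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the rejectlog line quoted above.
SAMPLE_LOG = """\
2004-08-20 20:26:24 H=(65.182.143.151) [65.182.143.151] F=<ebay4391@indiatimes.com> rejected RCPT <info@innerearaudio.com>: to unblock see http://www.underwaterdesign.com/
2004-08-20 20:31:02 H=(65.182.143.151) [65.182.143.151] F=<promo@example.net> rejected RCPT <sales@innerearaudio.com>: to unblock see http://www.underwaterdesign.com/
2004-08-20 21:05:17 H=mx.example.org [192.0.2.10] F=<old-friend@example.org> rejected RCPT <gone@innerearaudio.com>: Unknown user
2004-08-21 03:12:40 H=(dsl-198-51-100-7.example.com) [198.51.100.7] F=<> rejected RCPT <info@innerearaudio.com>: to unblock see http://www.underwaterdesign.com/
2004-08-21 03:12:41 H=(dsl-198-51-100-7.example.com) [198.51.100.7] F=<junk@example.com> rejected after DATA: message contains a virus
Envelope-from: <junk@example.com>
  Received: from dsl-198-51-100-7.example.com ([198.51.100.7]) ...
"""

# One rejectlog entry: timestamp, optional H=<name> [<ip>], optional F=<sender>, then
# "rejected <stage> [<recipient>]: <reason>". Header dumps that follow DATA-time
# rejections do not start with a timestamp and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?:H=(?P<host>.*?)\s*\[(?P<ip>[^\]]+)\]\s+)?"
    r"(?:F=<(?P<sender>[^>]*)>\s+)?"
    r"rejected (?P<stage>after DATA|DATA|RCPT|MAIL|EHLO|HELO)"
    r"(?:\s+<(?P<rcpt>[^>]+)>)?:?\s*(?P<reason>.*)$"
)

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_rejectlog(text):
    """Yield one dict per rejection line; non-matching lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec


def reason_key(reason):
    """Collapse the site-specific 'to unblock see <URL>' text into one bucket."""
    return "spamblocker" if "to unblock see" in reason else reason


def summarize(text, start=None, end=None):
    """Count rejections in [start, end), given as 'YYYY-MM-DD HH:MM:SS' strings."""
    start = datetime.strptime(start, TS_FMT) if start else None
    end = datetime.strptime(end, TS_FMT) if end else None
    total, by_reason, by_ip = 0, Counter(), Counter()
    for rec in parse_rejectlog(text):
        if start and rec["ts"] < start:
            continue
        if end and rec["ts"] >= end:
            continue
        total += 1
        by_reason[reason_key(rec["reason"])] += 1
        by_ip[rec["ip"] or "?"] += 1
    return {"total": total, "by_reason": by_reason, "by_ip": by_ip}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(text)
    print("total rejections:", s["total"])
    for reason, n in s["by_reason"].most_common():
        print(f"{n:6d}  {reason}")
    for ip, n in s["by_ip"].most_common(10):
        print(f"{n:6d}  {ip}")
```

Run it as `python3 rejectstats.py /var/log/exim/rejectlog` on the server; the quick one-liner equivalent for just the total is `grep -c 'rejected RCPT' /var/log/exim/rejectlog`, but the per-IP breakdown is what tells you which hosts to add to a blocklist and the "Unknown user" bucket shows how many rejections are dead addresses rather than SpamBlocker hits.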

nobaloney
08-21-2004, 10:48 AM
Originally posted by vincenzobar
Thank you for your responses and trust me i wish i could pay you. But i got 33 dollars to my name until next friday!! lol.
You're about $33 ahead of me.

We have a lot of cashflow, but how much I can spend is a different story.

My car broke down two weeks ago, and in the So. Cal. desert you can't really get by without one, so now I have a car rental bill on top of everything else (I'm scheduled to get a car on Monday; I can't wait). The only good news is that this weekend I'm renting a Chrysler PT Cruiser... I always wanted to try that one out :) .

So instead of buying a new high-end desktop system two weeks ago, I'm buying a car. Oh well.

Jeff

nobaloney
08-21-2004, 10:50 AM
Originally posted by motobrandt
I guess I've misunderstood this whole time about what should go in the blacklist_domains file. I thought that it had to be a mailserver name not just a domain name. That sure simplifies things if all that is needed is the domain name.
I'm beta testing now with another file for hostnames. However I don't like frequent changes so I probably won't bring that out until I have the AV stuff.

Jeff

nobaloney
08-21-2004, 10:52 AM
Originally posted by vincenzobar
I think you got it working!!!!!!! with my hands of course (i type at like 30 words an hour!!)

this is a stat from rejectlog

2004-08-20 20:26:24 H=(65.182.143.151) [65.182.143.151] F=<ebay4391@indiatimes.com>
rejected RCPT <info@innerearaudio.com>:
to unblock see http://www.underwaterdesign.com/
You might want to direct people to a specific page; I doubt you'll want to put unblocking information on your main site page.

Jeff

vincenzobar
08-21-2004, 11:31 AM
Yeah i know but i haven't had the time yet. I plan on getting one up within the next couple of days that sent to my error@ account!

I have to cut and format a 400,000 item database then insert it into MySQL by tonight, so as you can see I'm a little busy for my personal site. And if you have visited my site you will see there isn't much there, because I did all that in one day!!

work gotta love it!!!!!!!!!!!!!

interfasys
08-23-2004, 06:18 AM
Let's say I have supadupa.com as a main domain name and supadupa.ws, supadupa.cc as aliases.

Is there a way to add only the main domain name to use_rbl_domains and have all the invalid emails sent to the both the main domain name and the aliases rejected?

nobaloney
08-23-2004, 09:20 AM
Originally posted by interfasys
Let's say I have supadupa.com as a main domain name ans supadupa.ws, supadupa.cc as aliases.

Is there a way to add only the main domain name to use_rbl_domains and have all the invalid emails sent to the both the main domain name and the aliases rejected?
I'm quite confused as to what you want to do.

However I can say that since the tests all occur at rcpt time, each domain is handled separately, whether it's a real domain or just an alias.

All domains entered in any of the added control files will be handled individually.

Jeff

motobrandt
08-23-2004, 10:52 AM
OK After trying to figure out if this is really working for me or not. I find that it is not completely working. It is blocking those that it can't get a return rcpt from but I'm not sure that any of the blacklisting stuff is working at all.

I tried to block a domain on another one of my servers by adding the
IP address - no luck
server name - no luck
domain name - no luck
email address - no luck.

So there must be something wrong with the way that I'm implementing this or something because it doesn't even appear to be looking in the /etc/virtual/blacklist_domains file that I created.

I am using the da_exim-4.34-1.tgz that uses the spamblocker exim.conf file. All I have done is to comment out the spamassassin stuff near the bottom.

Ideas?

interfasys
08-23-2004, 11:07 AM
OK, you've answered my question. I wish we could just include a domain name and that would be a rule for the aliases too.

motobrandt
08-23-2004, 09:35 PM
bump

Can someone explain how this thing looks at the blacklist_domains file? Mine is not working or if it is then it isn't blocking domains that are in there. See above post.

basically I set up the /etc/virtual/blacklist_domains file with information on a domain that I have on another server but I can't block it no matter what I try. Does this even work?

thanks!
brandt

apryan
08-24-2004, 06:12 AM
Hey jeff,
Do you have anything for exim to block attachments like you have for procmail at
http://www.nobaloney.net/downloads/blockattachments/ by chance? I noticed exim blocks some stuff already but was wondering if there were additional ways to do it.

Thanks!

apryan
08-24-2004, 06:12 AM
motor --
The format for the blacklist is:
host.tld: spam. Don't add @'s or it won't work. Just domain names.

apryan
08-24-2004, 06:33 AM
Hey Jeff,

I just installed your exim.conf and it's rejecting all my emails with a spamd error.

2004-08-24 13:23:15 SMTP connection from mail lost while reading message data (header)
spamcheck transport output: An error was detected while processing a file of BSMTP input.
spamcheck_director T=spamcheck: Child process of spamcheck transport returned 2 from command: /usr/sbin/exim

config:

## EXIM CONFIGURATION

# primary_hostname =
# qualify_domain =
# qualify_recipient =
perl_startup = do '/etc/exim.pl'
system_filter = /etc/system_filter.exim
message_size_limit = 10M
smtp_receive_timeout = 5m
smtp_accept_max = 100
smtp_accept_queue = 35
smtp_accept_max_per_host = 5
smtp_accept_max_nonmail = 10
smtp_banner = "$primary_hostname ESMTP Exim $version_number $tod_full"
#received_header_text = "Received: ${if def:sender_rcvhost {from ${sender_rcvhost}\n\t} {${if def:sender_ident {from ${sender_ident} }} ${if def:sender_helo_name {(helo=${sender_helo_name})\n\t}}}} by ${primary_hostname} ${if def:received_protocol {with ${received_protocol}}} ${if def:tls_cipher {${tls_cipher}}}\n\t (Exim ${version_number} id ${message_id}) ${if def:received_for {\n\tfor <$received_for>}}"
helo_allow_chars = _

# define what to log:
# define the => log lines
# +delivery_size
# +sender_on_delivery
#
# define the <= log lines:
# +received_recipients
# +received_sender
# +smtp_confirmation
# +subject
#
# define other non '<= =>' log lines:
# +smtp_incomplete_transaction
###################################
# define what to not log:
# define other non "<= =>' log lines:
# -dnslist_defer
# -host_lookup_failed
# -queue_run
# -rejected_header
# -retry_defer
# -skip_delivery
###################################

log_selector = \
+delivery_size \
+sender_on_delivery \
+received_recipients \
+received_sender \
+smtp_confirmation \
+subject \
+smtp_incomplete_transaction \
-dnslist_defer \
-host_lookup_failed \
-queue_run \
-rejected_header \
-retry_defer \
-skip_delivery

syslog_duplication = false
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message

# define local lists

domainlist blacklist_domains = lsearch;/etc/virtual/blacklist_domains
domainlist whitelist_from = lsearch;/etc/virtual/whitelist_from
domainlist local_domains = lsearch;/etc/virtual/domains
domainlist relay_domains = lsearch;/etc/virtual/domains : localhost
domainlist use_rbl_domains = lsearch;/etc/virtual/use_rbl_domains
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1
hostlist auth_relay_hosts = *

# local_domains_include_host_literals
allow_domain_literals = false
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 0s
auto_thaw = 1h
ignore_bounce_errors_after = 2h
timeout_frozen_after = 14h
trusted_users = mail:majordomo:www
tls_certificate = /etc/exim.cert
tls_privatekey = /etc/exim.key
tls_advertise_hosts = *
#auth_over_tls_hosts = *

begin acl

check_recipient:
accept hosts = :
deny domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
deny domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
accept domains = +whitelist_from
accept local_parts = postmaster
domains = +local_domains
accept local_parts = abuse
domains = +local_domains
accept local_parts = hostmaster
domains =+local_domains
accept local_parts = dns
domains = tentric.com
deny message = Go play with your self
domains = +use_rbl_domains
sender_domains = +blacklist_domains
require verify = sender
deny message = Mail from $sender_host_name rejected; see http://rss.mail-abuse.com/cgi-bin/nph-rss?query=$sender_ip_address
domains = +use_rbl_domains
dnslists = relays.mail-abuse.org
deny message = Mail from $sender_host_name rejected; see http://njabl.org/cgi-bin/lookup.cgi?query=$sender_ip_address
domains = +use_rbl_domains
dnslists = dnsbl.njabl.org
deny message = Mail from $sender_host_name rejected; see http://ordb.org/lookup/?host=$sender_ip_address
domains = +use_rbl_domains
dnslists = relays.ordb.org
deny message = Mail from $sender_host_name rejected; see http://www.spamhaus.org/query/bl?ip=$sender_ip_address
domains = +use_rbl_domains
dnslists = sbl.spamhaus.org
deny message = Mail from $sender_host_name rejected; youre domain may be hacked or infected as per http://opm.blitzed.org/proxy?ip=$sender_ip_address
domains = +use_rbl_domains
dnslists = opm.blitzed.org
deny message = Mail from $sender_host_name rejected; youre domain may be hacked or infected as per http://www.dnsbl.us.sorbs.net/lookup.shtml
domains = +use_rbl_domains
dnslists = dnsbl.sorbs.net=127.0.0.5
deny message = Mail from $sender_host_name rejected; youre domain may be hacked or infected as per http://www.dnsbl.us.sorbs.net/lookup.shtml
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = dnsbl.sorbs.net!=127.0.0.6
deny message = Mail from $sender_host_name rejected.
hosts = !+relay_hosts
domains =+use_rbl_domains
!authenticated = *
dnslists = bl.spamcop.net : cbl.abuseat.org
deny message = Mail from $sender_host_name rejected.
domains =+use_rbl_domains
dnslists = rhsbl.sorbs.net/$sender_address_domain
accept domains = +local_domains
endpass
verify = recipient
accept domains = +relay_domains
endpass
verify=recipient
accept hosts = +relay_hosts
accept hosts = +auth_relay_hosts
endpass
message = authentication required
authenticated = *
deny message = relay not permitted
deny message = relay not permitted

check_message:
accept

begin authenticators

plain:
driver = plaintext
public_name = PLAIN
server_condition = "${perl{smtpauth}}"
server_set_id = $2

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${perl{smtpauth}}"
server_set_id = $1


begin routers

lookuphost:
driver = dnslookup
domains = ! +local_domains
ignore_target_hosts = 127.0.0.0/8
transport = remote_smtp
no_more

# domain_literal:
# driver = ipliteral
# transport = remote_smtp

#spamcheck_director:
# driver = accept
#condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}} {!eq {$received_protocol}{local}} } {1}{0}}"
# retry_use_local_part
#transport = spamcheck
#no_verify

majordomo_aliases:
driver = redirect
allow_defer
allow_fail
data = ${if exists{/etc/virtual/${domain}/majordomo/list.aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/majordomo/list.aliases}}}}
domains = lsearch;/etc/virtual/domainowners
file_transport = address_file
group = daemon
pipe_transport = majordomo_pipe
retry_use_local_part
no_rewrite
user = majordomo

majordomo_private:
driver = redirect
allow_defer
allow_fail
condition = "${if eq {$received_protocol} {local} \
{true} {false} }"
data = ${if exists{/etc/virtual/${domain}/majordomo/private.aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/majordomo/private.aliases}}}}
domains = lsearch;/etc/virtual/domainowners
file_transport = address_file
group = daemon
pipe_transport = majordomo_pipe
retry_use_local_part
user = majordomo

domain_filter:
driver = redirect
allow_filter
no_check_local_user
user = "mail"
file = /etc/virtual/${domain}/filter
file_transport = address_file
pipe_transport = virtual_address_pipe
retry_use_local_part
no_verify

uservacation:
driver = accept
condition = ${lookup{$local_part} lsearch {/etc/virtual/${domain}/vacation.conf}{yes}{no}}
require_files = /etc/virtual/${domain}/reply/${local_part}.msg
transport = uservacation
unseen

userautoreply:
driver = accept
condition = ${lookup{$local_part} lsearch {/etc/virtual/${domain}/autoresponder.conf}{yes}{no}}
require_files = /etc/virtual/${domain}/reply/${local_part}.msg
transport = userautoreply

virtual_aliases_nostar:
driver = redirect
allow_defer
allow_fail
data = ${if exists{/etc/virtual/${domain}/aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/aliases}}}}
file_transport = address_file
group = mail
pipe_transport = virtual_address_pipe
retry_use_local_part
unseen
#include_domain = true

virtual_user:
driver = accept
condition = ${if eq {}{${if exists{/etc/virtual/${domain}/passwd}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/passwd}}}}}{no}{yes}}
domains = lsearch;/etc/virtual/domainowners
group = mail
retry_use_local_part
transport = virtual_localdelivery

virtual_aliases:
driver = redirect
allow_defer
allow_fail
data = ${if exists{/etc/virtual/$domain/aliases}{${lookup{$local_part}lsearch*{/etc/virtual/$domain/aliases}}}}
file_transport = address_file
group = mail
pipe_transport = virtual_address_pipe
retry_use_local_part
#include_domain = true

userforward:
driver = redirect
allow_filter
check_ancestor
check_local_user
no_expn
file = $home/.forward
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
no_verify

localuser:
driver = accept
check_local_user
transport = local_delivery

system_aliases:
driver = redirect
allow_defer
allow_fail
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe
retry_use_local_part
user = mail

begin transports

#spamcheck:
# driver = pipe
# batch_max = 100
# command = /usr/sbin/exim -oMr spam-scanned -bS
# current_directory = "/tmp"
# group = mail
# home_directory = "/tmp"
# log_output
# message_prefix =
# message_suffix =
# return_fail_output
# no_return_path_add
# transport_filter = /usr/bin/spamc
# use_bsmtp
# user = mail

majordomo_pipe:
driver = pipe
group = daemon
return_fail_output
user = majordomo

local_delivery:
driver = appendfile
delivery_date_add
envelope_to_add
file = /var/mail/$local_part
group = mail
mode = 0660
return_path_add
user = ${local_part}

virtual_localdelivery:
driver = appendfile
create_directory
delivery_date_add
directory_mode = 700
envelope_to_add
file = /var/spool/virtual/${domain}/${local_part}
group = mail
mode = 660
return_path_add
user = "${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}}"
quota = ${if exists{/etc/virtual/${domain}/quota}{${lookup{$local_part}lsearch*{/etc/virtual/${domain}/quota}{$value}{0}}}{0}}

uservacation:
driver = autoreply
file = /etc/virtual/${domain}/reply/${local_part}.msg
from = "${local_part}@${domain}"
log = /etc/virtual/${domain}/reply/${local_part}.log
no_return_message
subject = "${if def:h_Subject: {Autoreply: $h_Subject:} {I am on vacation}}"
text = "\
------ ------\n\n\
This message was automatically generated by email software\n\
The delivery of your message has not been affected.\n\n\
------ ------\n\n"
to = "${sender_address}"
user = mail
#once = /etc/virtual/${domain}/reply/${local_part}.once

userautoreply:
driver = autoreply
bcc = ${lookup{${local_part}} lsearch {/etc/virtual/${domain}/autoresponder.conf}{$value}}
file = /etc/virtual/${domain}/reply/${local_part}.msg
from = "${local_part}@${domain}"
log = /etc/virtual/${domain}/reply/${local_part}.log
no_return_message
subject = "${if def:h_Subject: {Autoreply: $h_Subject:} {Autoreply Message}}"
to = "${sender_address}"
user = mail
#once = /etc/virtual/${domain}/reply/${local_part}.once

remote_smtp:
driver = smtp

address_pipe:
driver = pipe
return_output

virtual_address_pipe:
driver = pipe
group = nobody
return_output
user = "${lookup{$domain}lsearch* {/etc/virtual/domainowners}{$value}}"

address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add

address_reply:
driver = autoreply

begin retry

* * F,2h,15m; G,16h,1h,1.5; F,4d,8h

motobrandt
08-24-2004, 09:30 AM
Originally posted by apryan
motor --
The format for the blacklist is:
host.tld: spam. Don't add @'s or it won't work. Just domain names.

?? So it needs a colon spam? Like if I wanted to block my own domain bli.net from sending spam to the server I would add

bli.net: spam

to the blacklist_domains file? hmmm. If this is true then it would solve the mystery for me fo sho. But I can't find anywhere where it says to do this.

???
I'll try it out.

apryan
08-24-2004, 10:00 AM
I don't think it needs the : spam. That's if you wanted to add a username, I think?

If you want to block all of bli.net adding it like this:

bli.net

should do the trick. No user@ in front.
-anth

motobrandt
08-24-2004, 10:24 AM
Originally posted by apryan
I don't think it needs the : spam. That's if you wanted to add a username, I think?

If you want to block all of bli.net adding it like this:

bli.net

should do the trick. No user@ in front.
-anth
Thanks for the help but for some reason that isn't working. That is what I tried originally. So I guess it's back to how do I debug this thing? How do I know if it's looking at the blacklist file?

thx,
Brandt

nobaloney
08-25-2004, 12:23 PM
What you should be adding is the domain name from the "from" address; in other words everything after the @ character.

I'll soon be adding a file you'll be able to add mailservers (MTA hosts) to, but that's not ready yet.

Jeff

motobrandt
08-25-2004, 12:57 PM
Originally posted by jlasman
What you should be adding is the domain name from the "from" address; in other words everything after the @ character.

I'll soon be adding a file you'll be able to add mailservers (MTA hosts) to, but that's not ready yet.

Jeff

It doesn't work.

That's why I'm asking for any tips on debugging this thing. Where do I start? It's like it's not checking the file that I created. I entered gmail.com in there. Then I
#killall exim -HUP
#/usr/local/etc/rc.d/exim start

Everything works fine except that I can still send mail from gmail to anyone on the server.

nobaloney
08-25-2004, 02:50 PM
It works properly on my server, from here; I just tested it.

What's the fully qualified path/name of the file you added?

You should not have to restart the server when you change the files; only when you change exim.conf.

Jeff

motobrandt
08-25-2004, 03:23 PM
Originally posted by jlasman
It works properly on my server, from here; I just tested it.

What's the fully qualified path/name of the file you added?

/etc/virtual/blacklist_domains
chmod 644
chown mail:mail

[root@lucie /etc/virtual]# ls -l | grep black
-rw-r--r-- 1 mail mail 7978 Aug 24 12:14 blacklist_domains
[root@lucie /etc/virtual]#



You should not have to restart the server when you change the files; only when you change exim.conf.

Jeff
Oh yeah! hehe I've read that about 50 times. But I keep thinking that I'm doing something wrong so I try everything I can think of.

More details? OK I know that some of the blocking is working as I changed the Deny messages so that I could see what was working and what was not. I have added that section below. In my logs I get msg 1, msg 2, and msg 3 so I know that it is working but no msg 0 which is the blacklist_domains one. I think...

Thanks!
Brandt

# accept mail to errors@example.com, regardless of source
accept local_parts = errors
domains = bli.net

# deny so-called "legal" spammers"
# but do bypass all checking for whitelisted host names
deny message = msg 0 : Your domain $sender_host_name is on a public BLACKLIST to remove send a request to errors@bli.net
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
sender_domains = +blacklist_domains

# Deny unless sender address can be verified:
# This statement requires the sender address to be verified before any
# subsequent ACL statement can be used. If verification fails, the incoming
# recipient address is refused. Verification consists of trying to route the
# address, to see if a bounce message could be delivered to it. In the case of
# remote addresses, basic verification checks only the domain.

require verify = sender

# Deny stuff from insecure hosts & spammers. No exceptions for known users.
# but do bypass all checking for whitelisted host names

deny message = msg 1 : Your domain $sender_host_name is on a public BLACKLIST to remove send a request to errors@bli.net
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
# only smtp.dnsbl.sorbs.net = 127.0.0.5
dnslists = sbl.spamhaus.org : \
relays.ordb.org : \
dnsbl.sorbs.net=127.0.0.5

# Next deny stuff from more "fuzzy" blacklists
# but do bypass all checking for whitelisted host names
deny message = msg 2 : Your domain $sender_host_name is on a public BLACKLIST to remove send a request to errors@bli.net
hosts = !+relay_hosts
domains =+use_rbl_domains
!authenticated = *
# dnslists not including spam.dnsbl.sorbs.net
dnslists = bl.spamcop.net : \
dnsbl.njabl.org : \
cbl.abuseat.org : \
dnsbl.sorbs.net!=127.0.0.6

deny message = msg 3 : Your domain $sender_host_name is on a public BLACKLIST to remove send a request to errors@bli.net
domains =+use_rbl_domains
# rhsbl list is name based
dnslists = rhsbl.sorbs.net/$sender_address_domain

# accept if address is in a local domain as long as recipient can be verified
accept domains = +local_domains
endpass
verify = recipient

# accept if address is in a domain for which we relay as long as recipient
# can be verified
accept domains = +relay_domains
endpass
verify=recipient

nobaloney
08-25-2004, 06:45 PM
I have no idea why it's not working for you.

Surely you don't expect to compare your exim.conf file character for character, do you?

:)

You could always do that yourself.

Have you tried reinstalling exim.conf and restarting exim afterwards?

(If you do, don't forget the changes.)

Jeff

motobrandt
08-25-2004, 07:21 PM
Originally posted by jlasman
I have no idea why it's not working for you.

Surely you don't expect to compare your exim.conf file character for character, do you?

Of course not. I was just showing you that part where I named the messages so that you could see what I meant when I said I wasn't getting any "0 error" messages in the log. But I was getting the others.


Originally posted by jlasman
You could always do that yourself.


I have done this. Every single word. :mad:


Originally posted by jlasman
Have you tried reinstalling exim.conf and restarting exim afterwards?

(If you do, don't forget the changes.)

Jeff
I have done this as well.
I'll keep messing with it I guess and let you know if I ever get it working.

brandt

Yikes2000
08-26-2004, 03:08 AM
Originally posted by motobrandt
basically I set up the /etc/virtual/blacklist_domains file with information on a domain that I have on another server but I can't block it no matter what I try. Does this even work?

Is the other server on the same subnet as SpamBlocker server? Is the other server using this server's MTA to send mail? Are you sure you're sending the mail from MTA on the other server to this one?

Just trying to help... :)

motobrandt
08-26-2004, 12:22 PM
Originally posted by Yikes2000
Is the other server on the same subnet as SpamBlocker server? Is the other server using this server's MTA to send mail? Are you sure you're sending the mail from MTA on the other server to this one?

Just trying to help... :)
yeah I thought the same kind of stuff so I tried using my Gmail account. I added gmail.com to /etc/virtual/blacklist_domains and I couldn't get it to block gmail so...

Thanks though. I'll keep trying.

Brandt

nobaloney
08-26-2004, 09:20 PM
It works here and I have no idea why it's not working for you.

While SpamBlocker does offer technical services, I'm not sure I should advertise here :) .

(We do offer a guarantee on our technical services; if we can't fix it, you don't pay.)

Perhaps someone else on these forums who understands exim can help you, or perhaps you can post specific questions on the exim-users list.

If you do post there, remember that listmembers there will have no idea of the blacklist_domains file or the code I added to exim.conf; you'll have to be very explicit in your questions.

Jeff

twhiting9275
09-29-2004, 09:24 PM
When you're trying to block something, remember you're not blocking the entire domain, you're blocking the ip address. That could be part of the problem here. I bet if you added the gmail ip address to the block list you'd get the mail blocked ;)

nobaloney
09-30-2004, 11:30 AM
Actually, SpamBlocker's blocklist is by domain, not by IP#.

It doesn't work by IP#, but rather by domain in the "From:" field.
We're working on an an enhancement that will also block by IP#.

Jeff

Auraka
10-05-2004, 04:24 PM
I still get about 60 spam emails a day :-(

blacknight
10-05-2004, 04:28 PM
Originally posted by Ross
I still get about 60 spam emails a day :-(

Out of how many? 60 out of 100 is a lot, but 60 out of 10000 is nothing.

sander815
10-15-2004, 01:46 AM
I see this in my log, from an email address I am expecting some email from:

2004-10-15 09:22:47 H=mail.xx.com [12.x.x.x] F=<SMASTENB@xx.com> temporarily rejected RCPT <info@xx.nl>: Could not complete sender verify
2004-10-15 09:33:28 H=mail.xx.com [12.x.x.xsender verify defer for <SMASTENB@xx.com>: host lookup did not complete

what does this mean?

nobaloney
10-15-2004, 11:01 AM
Exim, by default, makes sure a sender domain exists, since if it doesn't, the email is probably spam.

If it can't find xx.com, it can't presume that it doesn't exist, because the problem could be that DNS is temporarily down, or there could be a problem on the 'net. So it sets it aside and tries again later.

Jeff

nobaloney
10-29-2004, 06:52 PM
I've just updated the SpamBlocker exim.conf file; the new one can be found at:

http://www.nobaloney.net/downloads/spamblocker/DirectAdmin/

and includes the addition of the xbl.spamhaus list, and also a new blacklist for blocking email by hostname or IP#.

Read the original post in this thread for more information.

Jeff

interfasys
10-30-2004, 12:09 AM
Thank you!

nobaloney
10-30-2004, 11:04 AM
You're welcome <blush>.

Next on the list is adding support for SMA over port 587 (see RFC 2476 (http://www.faqs.org/rfcs/rfc2476.html)) so you can offer SMTP AUTH (and only SMTP AUTH) over port 587 to users who need to use your mail server but whose ISPs block port 25.

Jeff

different
11-09-2004, 12:46 AM
My whitelist_from doesn't seem to work.

I always get this log like
2004-11-09 16:33:09 H=ms2.epaper.com.tw [211.20.188.72] F=<epaper@msx.epaper.com.tw> rejected RCPT <james@fuche.com.tw>: to unblock ms2.epaper.com.tw at sbl.spamhaus.org see http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12186

whitelist_from file is like this
epaper@msx.epaper.com.tw
ms*.epaper.com.tw

It doesn't work.

my exim.conf setting is

domains = +use_rbl_domains
# only smtp.dnsbl.sorbs.net = 127.0.0.5
dnslists = sbl.spamhaus.org : \
relays.ordb.org : \
dnsbl.sorbs.net=127.0.0.5

Why doesn't the whitelist work?

Another question: the new exim.conf uses
sbl-xbl.spamhaus.org as an RBL,
but it includes too many IPs, and if my client is on the list, he can't use his own mail account to send mail,
because the setting doesn't allow authenticated users?
And only
domains =+use_rbl_domains
!authenticated = *
# dnslists not including spam.dnsbl.sorbs.net
dnslists = bl.spamcop.net : \
dnsbl.njabl.org : \
cbl.abuseat.org : \
dnsbl.sorbs.net!=127.0.0.6
will allow authenticated users?
Because it sets !authenticated = * ???

nobaloney
11-09-2004, 02:34 PM
whitelist_from looks at the email address the server is using to connect; the "mail from" address.

EDIT 11/30/04:

The above statement is in error; I don't recall why I was thinking it at the time.

The whitelist_from needs to have the canonical name or IP address of the sending server to be whitelisted. Full instructions are in the exim.conf file, and below in a post I wrote dated 11/30/40.

Our tests show it works, but we'll be happy to test further once a few more people have replied to this thread telling us of their experiences.

Our experience has been that sbl-xbl.spamhaus.org works well for us without making exceptions for our own (authenticated) users, but you can of course move it.

After the first issue is resolved we'll bring out our next version, and we'll move sbl-xbl.spamhaus.org to the section that bypasses checking for known authenticated senders.

You can do it yourself first, if you'd like.

If you make any changes to exim.conf be sure to restart exim afterwards.

Jeff

jjma
11-30-2004, 02:42 AM
Originally posted by jlasman
whitelist_from looks at the email address the server is using to connect; the "mail from" address. Our tests show it works, but we'll be happy to test further once a few more people have replied to this thread telling us of their experiences.

I've updated to the latest version (two weeks ago) and last night came across my first problem. Our client had sent out a competition newsletter and last night was the deadline for the winners to contact them. According to the client a lot of the emails seemed not to be getting through to them... so I checked the rejectlog and noticed that the majority of blocks were being made on one ISP: ntlworld.com (UK ISP provider).

One of the winners used my 'remove me from your spam list' form to contact me and I added his email address to the whitelist. I emailed back to ask him to contact our client again but he was still being rejected by exim?

This is a snippet of our log file:

Legend: "<AT> = @"

2004-11-29 22:03:15 H=mailhost.ntl.com (mta05-winn.mailhost.ntl.com) [212.250.162.8] F=<a.westerman1<AT>ntlworld.com> rejected RCPT <amber<AT>iofilm.co.uk>: to unblock mailhost.ntl.com see http://www.launchsite.co.uk/contact/email.php

Other blocks:


2004-11-29 17:02:18 H=mailhost.ntl.com (mta13-winn.mailhost.ntl.com) [212.250.162.8] F=<flaxmers<AT>ntlworld.com> rejected RCPT <amber<AT>iofilm.co.uk>: to unblock mailhost.ntl.com see http://www.launchsite.co.uk/contact/email.php


2004-11-29 16:56:47 H=mailhost.ntl.com (mta09-winn.mailhost.ntl.com) [212.250.162.8] F=<p.trickett<AT>ntlworld.com> rejected RCPT <amber<AT>iofilm.co.uk>: to unblock mailhost.ntl.com see http://www.launchsite.co.uk/contact/email.php

Our Whitelist:

a.westerman1<AT>ntlworld.com

Eventually I had to remove the clients domain from the "use_rbl" file so that the competition winners could progress.

regards

Jon

nobaloney
11-30-2004, 09:32 AM
Jon,

I've tested the whitelist_from function and it appears to work properly for me.

It appears you're using whitelist_from incorrectly.

Here are the instructions for whitelist_from, taken from the exim.conf file:

# 3) Add a file /etc/virtual/whitelist_from #
# This file should contain the fully-qualified hostnames or IP#s #
# of servers that you DO want to be able to get email from even #
# if they're otherwise caught by blocklists. Your own domain #
# need not be listed here to enable you to get unblock requests, #
# whitelisting of email to your "errors" address will be handled #
# separately, below. #

Here are some further comments on whitelisting, from further down in the exim.conf file:

# You'll need the full name of their server to unblock them, by #
# putting the server name into the /etc/virtual/whitelist_from #
# file. There are two ways you can get this information: #
# #
# 1) You can create a form that will ask them for the address #
# they're trying to reach, the address they're sending the email #
# from, and the canonical name of their email server. Since they #
# may not know the name of their email server, this must be #
# optional, and if they leave it blank you'll have to find their #
# attempt to send email in your exim /var/log/exim/rejectlog file #
# and get the name of the server from there. #
# #
# 2) You can ask them to send you an email from the same address #
# that they were blocked from, but to (for example) #
# "errors@example.com" (but changing it to an address you want to #
# use, at one of your domains). When they send you the email you #
# should be able to find the name of their server in the headers #
# of the incoming email. #
# #
# Either way, you'll need to put the canonical name of their #
# nameserver into your /etc/virtual/whitelist_from file. #

I previously wrote:

whitelist_from looks at the email address the server is using to connect; the "mail from" address.
That's an error in thinking on my part when I wrote the post :( .

I'll edit it now.

Jeff

jjma
11-30-2004, 10:57 AM
Should this have been in the whitelist_from file instead:

mailhost.ntl.com

regards

Jon

nobaloney
11-30-2004, 05:20 PM
If that's what the reverse DNS of the IP# refers to, then yes.

Jeff
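
To make the two file formats discussed in this thread concrete, here is an added example (not part of SpamBlocker or of any post in the thread) that parses rejectlog lines of the shape quoted above, derives the whitelist_from entry (the sending server's reverse-DNS name, or its IP when it has none) and the blacklist_domains entry (the sender domain after the @), and checks a whitelist_from file against a rejection the way a hostlist would. The log regex and the simplified hostlist matching (exact name, `*.suffix`, IP or CIDR) are assumptions; the sample lines are constructed from the ones quoted in the thread.

```python
"""Added example: derive SpamBlocker control-file entries from Exim rejectlog lines."""
import ipaddress
import re

# Shape of the rejectlog lines quoted in the thread (assumption; covers both forms):
#   H=mailhost.ntl.com (mta05-winn.mailhost.ntl.com) [212.250.162.8]   reverse DNS + HELO
#   H=(65.182.143.151) [65.182.143.151]                                 HELO only, no reverse DNS
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"H=(?:(?P<rdns>[^\s(\[]+) )?"          # reverse-DNS name, absent when only HELO present
    r"(?:\((?P<helo>[^)]*)\) )?"            # HELO name in parentheses
    r"\[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> "
    r"(?P<temp>temporarily )?rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)


def parse_reject(line):
    """Return the interesting fields of a rejection line, or None for other lines."""
    m = REJECT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["temporary"] = rec.pop("temp") is not None
    return rec


def whitelist_entry(rec):
    """What belongs in /etc/virtual/whitelist_from for this rejection: the canonical
    (reverse-DNS) name of the sending server, or its IP when it has no reverse DNS.
    Never the F=<...> address, which is what the thread shows being tried."""
    return rec["rdns"] or rec["ip"]


def blacklist_domain(rec):
    """What belongs in /etc/virtual/blacklist_domains: the envelope sender's domain,
    i.e. everything after the @. Bounces have an empty sender, giving None."""
    sender = rec["sender"]
    return sender.rsplit("@", 1)[1].lower() if "@" in sender else None


def host_matches(entry, rec):
    """Simplified Exim hostlist matching (assumption): a single IP or CIDR matches the
    connecting IP, '*.suffix' matches the end of the reverse-DNS name, anything else
    must equal the reverse-DNS name. An e-mail address therefore never matches."""
    entry = entry.strip().lower()
    if not entry or entry.startswith("#"):
        return False
    try:
        return ipaddress.ip_address(rec["ip"]) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass                                # not an IP or CIDR: treat as a host name
    name = (rec["rdns"] or "").lower()
    if entry.startswith("*."):
        return name.endswith(entry[1:])
    return name == entry


def whitelisted_by(whitelist_text, rec):
    """Entries of a whitelist_from file that would match this rejection."""
    return [e for e in whitelist_text.splitlines() if host_matches(e, rec)]


def audit_whitelist(whitelist_text):
    """Entries that can never match a host: anything containing an @."""
    return [e.strip() for e in whitelist_text.splitlines() if "@" in e]


# Constructed sample log, modelled on the lines quoted in the thread; the third line
# uses documentation names/addresses (example.test, 192.0.2.7).
SAMPLE_LOG = """\
2004-11-29 22:03:15 H=mailhost.ntl.com (mta05-winn.mailhost.ntl.com) [212.250.162.8] F=<a.westerman1@ntlworld.com> rejected RCPT <amber@iofilm.co.uk>: to unblock mailhost.ntl.com see http://www.launchsite.co.uk/contact/email.php
2004-08-20 20:26:24 H=(65.182.143.151) [65.182.143.151] F=<ebay4391@indiatimes.com> rejected RCPT <info@innerearaudio.com>: to unblock see http://www.underwaterdesign.com/
2004-10-15 09:22:47 H=mail.example.test [192.0.2.7] F=<someone@example.test> temporarily rejected RCPT <info@example.nl>: Could not complete sender verify
"""

# Constructed whitelist_from: the e-mail address posted in the thread (matches nothing)
# plus the server name that the reply says belongs there instead.
SAMPLE_WHITELIST = "a.westerman1@ntlworld.com\nmailhost.ntl.com\n"


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_reject(line)
        print(rec["ip"], "| whitelist_from ->", whitelist_entry(rec),
              "| blacklist_domains ->", blacklist_domain(rec),
              "| temp:", rec["temporary"],
              "| matched by:", whitelisted_by(SAMPLE_WHITELIST, rec))
    print("whitelist entries that can never match a host:", audit_whitelist(SAMPLE_WHITELIST))
```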

different
11-30-2004, 05:35 PM
Hello,
this is my situation:

even if I add the domain to whitelist_from,
if their IP is on any RBL list,
exim will reject their connection...

so I had to add this line to my deny message block:
!sender_domains = +whitelist_from

deny message = to unblock $sender_host_name at $dnslist_domain see $dnslist_text
hosts = !+relay_hosts
domains =+use_rbl_domains
!authenticated = *
# dnslists not including spam.dnsbl.sorbs.net
dnslists = sbl.spamhaus.org : \
relays.ordb.org : \
bl.spamcop.net : \
dnsbl.sorbs.net!=127.0.0.6
!sender_domains = +whitelist_from

If I don't add this line, even if I add all the addresses to whitelist_from, the server still seems to reject them if they are on an RBL list...

nobaloney
12-01-2004, 10:26 AM
whitelist_from is supposed to be a list of qualified hostnames or IP#s, not of domain names.

If it is, then these two lines, beginning at line 471, should accept all emails from any domains in the whitelist_from file:

# accept email from anyone in the whitelist_from list
accept domains = +whitelist_from
I could add a separate list for domain names, but I don't think that's as good a test.

Should I?

Consensus, anyone?

Jeff

xgeek
12-28-2004, 12:34 PM
Hi Jeff,

I am using your spamblocker conf 1.2d as well as spamassassin.
Do I need to change the spamassassin parts to match the instructions in the DA Knowledge base found here?
http://help.directadmin.com/item.php?id=36
or is your spamassassin config more up to date?

Many thanks
Stephen

cprompt
12-29-2004, 05:09 AM
Originally posted by jlasman

I could add a separate list for domain names, but I don't think that's as good a test.

Should I?

Consensus, anyone?

Jeff

Whitelisting a whole domain by name only seems a drop in the level of protection that your script provides. I think once server admins realise that they need to whitelist mail servers and not email addresses then it's easy enough to look at your exim logs and see which server is getting blocked that you want to allow mail from. I have had to unblock some servers myself and have found it straightforward.

nobaloney
12-29-2004, 12:39 PM
Originally posted by xgeek
I am using your spamblocker conf 1.2d as well as spamassassin.
Do I need to change the spamassassin parts to match the instructions in the DA Knowledge base found here?
The exim.conf file as I deliver it on my website (and as far as I know, as DA still delivers it) has SpamAssassin turned off by default.

To turn it on you must follow the instructions in the DA knowledge base (http://help.directadmin.com/item.php?id=36).

Jeff

jjma
01-11-2005, 07:49 AM
Originally posted by jlasman
If that's what the reverse DNS of the IP# refers to, then yes.

Jeff

I have another client who sends her mail through her ISP, Btconnect; their range of IPs goes from

81.13.0.0/255
81.134.0.0/255
81.135.0.0/255 and on and on....

I think her ip address is dynamic if that is important in resolving this problem, and her error messages were as follows.


2005-01-11 10:12:34 H=host81-133-190-6.in-addr.btopenworld.com [81.133.190.6] F=<marketing.manager@scot-canoe.org> rejected RCPT <jona@launchsite.co.uk>: to unblock host81-133-190-6.in-addr.btopenworld.com see http://www.launchsite.co.uk/contact/email.php

2005-01-11 10:12:35 H=host81-133-190-6.in-addr.btopenworld.com [81.133.190.6] incomplete transaction (QUIT) from <*@scot-canoe.org>

2005-01-11 14:02:15 plain authenticator failed for host81-134-107-102.in-addr.btopenworld.com [81.134.107.102]: 535 Incorrect authentication data (set_id=*@scot-canoe.org)

2005-01-11 14:02:16 H=host81-134-107-102.in-addr.btopenworld.com [81.134.107.102] F=<*@scot-canoe.org> rejected RCPT <*@scot-canoe.org>: to unblock host81-134-107-102.in-addr.btopenworld.com see http://domains/contact/email.php

2005-01-11 14:02:16 H=host81-134-107-102.in-addr.btopenworld.com [81.134.107.102] incomplete transaction (QUIT) from <*@scot-canoe.org>

I added the following hostnames to whitelist_from:

host81-133-190-6.in-addr.btopenworld.com
host81-134-107-102.in-addr.btopenworld.com

plus

host81-133-185-144.in-addr.btopenworld.com
host81-133-185-41.in-addr.btopenworld.com

the email is still being bounced. What am I missing here?

Thanks

Jon
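
cprompt's advice above, to look at the exim logs and see which server is getting blocked, and Jon's pasted rejections lend themselves to a small script. The following is an added example written for this thread (it is not part of SpamBlocker or DirectAdmin): it parses the "rejected RCPT" lines SpamBlocker writes to the exim mainlog, summarises the sending hosts behind them, and lints a whitelist_from file for "@domain" entries, which are e-mail-address forms rather than host names or IPs. The log lines, hostnames and addresses in it are constructed; the log line format is assumed from the lines quoted in this thread.

```python
"""Summarise SpamBlocker rejections from an exim mainlog and sanity-check
whitelist_from entries.  Added example for this thread, not SpamBlocker code."""
import ipaddress
import re
from collections import Counter

# Shape of the "rejected RCPT" lines SpamBlocker's deny ACLs log
# (assumed from the lines quoted in this thread).
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?P<host>\S+) \[(?P<ip>[0-9a-fA-F.:]+)\] "
    r"(?:F=<(?P<sender>[^>]*)> )?"
    r"rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$"
)

# Syntactic hostname check: labels of 1-63 chars, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)

# Constructed sample log (documentation IP ranges, example.* names).
SAMPLE_LOG = """\
2005-01-11 10:12:34 H=mail1.example.net [192.0.2.10] F=<alice@example.org> rejected RCPT <bob@example.com>: to unblock mail1.example.net see http://www.example.com/unblock.php
2005-01-11 10:12:35 H=mail1.example.net [192.0.2.10] incomplete transaction (QUIT) from <alice@example.org>
2005-01-11 11:40:02 H=mail1.example.net [192.0.2.10] F=<alice@example.org> rejected RCPT <carol@example.com>: to unblock mail1.example.net see http://www.example.com/unblock.php
2005-01-11 14:02:15 plain authenticator failed for relay.example.org [198.51.100.7]: 535 Incorrect authentication data
2005-01-11 14:02:16 H=relay.example.org [198.51.100.7] F=<dave@example.org> rejected RCPT <bob@example.com>: to unblock relay.example.org see http://www.example.com/unblock.php
"""


def parse_rejections(lines):
    """Yield one dict per 'rejected RCPT' line; every other log line is skipped."""
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def blocked_hosts(lines):
    """Map each rejected sending host to its IP, hit count and the reasons
    SpamBlocker gave, so an admin can decide which hosts to whitelist."""
    summary = {}
    for r in parse_rejections(lines):
        entry = summary.setdefault(
            r["host"], {"ip": r["ip"], "count": 0, "reasons": Counter()}
        )
        entry["count"] += 1
        entry["reasons"][r["reason"]] += 1
    return summary


def check_whitelist_entry(entry):
    """Return (ok, note).  whitelist_from holds host names or IP addresses;
    an '@domain' or 'user@domain' entry is an address form, not a host."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return True, "blank or comment"
    if "@" in entry:
        return False, "looks like an e-mail address; use the sending host's name or IP"
    try:
        ipaddress.ip_network(entry, strict=False)  # single IP or CIDR block
        return True, "IP address or CIDR"
    except ValueError:
        pass
    if HOSTNAME_RE.match(entry):
        return True, "hostname"
    return False, "not a valid hostname or IP"


def lint_whitelist(entries):
    """Return the entries that are not in host-name or IP form."""
    return [e for e in entries if not check_whitelist_entry(e)[0]]


if __name__ == "__main__":
    for host, info in blocked_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{host} [{info['ip']}] rejected {info['count']}x")
        for reason, n in info["reasons"].items():
            print(f"    {n}x {reason}")
    print("bad whitelist entries:", lint_whitelist(["gmail.com", "@xproxy.gmail.com"]))
```

Run it against a real mainlog with `blocked_hosts(open("/var/log/exim/mainlog"))`; the lint is purely syntactic, so it cannot tell a bare domain name from a host name, which is the distinction Jeff draws earlier in the thread.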

nobaloney
01-11-2005, 10:49 PM
Does she get the error message when she uses your server to send email to people not on your server?

Or when she sends email to addresses on your server?

Either her ISP has seriously misconfigured their DNS or she's NOT using her ISP's server, but rather her own server.

Why do I believe that?

Because the IP# is blocked by Sorbs' Dial Up List.

If she's really using her ISP's mail server then her ISP needs to get her IP address out of the Sorbs list of dialup IP#s.

If she's using her own system to send you mail from a dialup network you could reconfigure exim.conf to use individual Sorbs lists instead of using the combined lists the way I do, but you'll get a lot more spam.

Jeff

jjma
01-12-2005, 06:47 AM
I'll check and get back to you.

regards

Jon

interfasys
02-01-2005, 03:11 AM
I have problems with Spamcop's rbl.

Two important emails have been blocked this week because some of a couple of ISPs' SMTP servers have been blacklisted.

Just an example:

Two hours ago, I got an email just fine.
Now the sender is blocked.
I check spamcop, it tells me that there are no reports and that this server will be delisted in 15 hours.

I think it's a bit too sensitive.


So my suggestion is the following:

Could Spamblocker be tuned to check for a number of hits against rbls?

If the server is blacklisted in n rbls, then block it.

I don't have enough experience to be able to judge if this is a good idea or not.

nobaloney
02-02-2005, 03:43 PM
Originally posted by interfasys
Could Spamblocker be tuned to check for a number of hits against rbls?
Probably. Go for it.

I'm not going to do it. I've got something else in mind for the commercial version:

The commercial version of SpamBlocker will allow each domain to decide which specific RBLs to use.

Jeff

sky
02-27-2005, 02:51 AM
Hi :)
Thanks for SpamBlocker, which I have just configured on a server.

I just wanted to make sure all was as simple as it seems:
- Activate SpamAssassin
- Create the directory /etc/virtual/bad_sender_hosts
- Replace /etc/exim.conf with your exim.conf file

I don't think I have any errors, but just to feel safe I wanted to ask :)
I'm not getting many emails any more, so that is really good news!!!

I was thinking that it would perhaps be good for testing to send an email each time a spam is blocked, so we can be sure that it seems to be working.
When we feel sure, we just have to deactivate it (like a 1 for email sent and a 0 for no email sent).

Just an idea, I don't know if it is hard :)
But it seems great work!! Bravo!

Another question:
I don't understand what to put in /etc/virtual/bad_sender_hosts.
Do I add the domains line by line, or IP and domain?

Thanks for your help.
Sky

nobaloney
02-27-2005, 04:06 PM
Sky,

I thought the instructions for bad_sender_hosts were clear enough:

This file should contain the IP#s or "ehlo" names of hosts of
so-called legal spammers and other spam sources that don't always
get caught in blocklists, but whom you want to keep from sending
spam to domains on your server for which you've enabled spamblocking.

Please let me know specifically what you don't understand.

Jeff

interfasys
02-27-2005, 04:19 PM
Is there a database online with known legal spammers?

I hate the kornet DC and would love to block them.

nobaloney
02-27-2005, 04:43 PM
Not that I know of.

Anyone else?

Jeff

sky
02-27-2005, 10:45 PM
Hi jlasman.
I mean, I resolve the domain I want to block, then I put one per line in the block file?

Thanks, I don't know the word ehlo... Not very French :)

Thx for your attention!
Sky

nobaloney
03-01-2005, 06:48 PM
"ehlo" is the extended version of helo; helo (misspelled as it is) is how one nameserver greets another.

I'm sorry if you can't understand the documentation I've written, as I've tried hard to make it clear.

I fully understand the language problem, but I don't speak French so I can't help.

Perhaps someone else on the forum can answer for you.

Jeff

sander815
05-12-2005, 01:11 AM
from 1.3da:
# RSS-1.3da 11-Apr-2005 #
# Modified to conform to latest DA release: #
# to conform to per user SpamAssassin & other DA changes. #
# Modified to add additional local blocklist by domain. #
# Modified to give more complete reason for blocking. #

What has changed? Do I need more changes? Will it still work with SA 2.x and/or 3.x?

Icheb
05-13-2005, 05:36 AM
As you might have noticed from previous posts, I am absolutely no expert at e-mail processing or Exim...
However I've (after thinking about it, planning it, and practising to do it fast) migrated our main mailserver from MailScanner to SpamBlocker last night.
So far I am unable to say anything about load increase/decrease as there's a DoS on the particular server at the moment, but besides that, I think it's working fine. However I still have some old exim stuff processing the last messages in the 'unable to deliver' queue; when this is finished I'll remove the rest of the old MailScanner config.

But I do have a few questions/issues about the new config.
At the moment the system displays a certain anonymous message when spam is detected (I edited the file mentioning the hostname to make sure the hostname of the server and our company name are only available from the headers, as I've got some resellers who want that). But my problem now is:
I get a lot of spam notifications that have a spam level of > 10. With MailScanner, I edited the config so e-mail with a score > 10 is dropped, as it tends to piss off certain people who have to download a few MB of spam with high scores.
Can this also be done with the SpamBlocker system?

My second question is also about this: I edited 10_misc.cf to change the mail subject to {Spam?} if spam is detected. However this doesn't happen.

Is there any way to get these few things out of the way?

nobaloney
05-16-2005, 09:22 PM
Originally posted by sander815
What has changed? Do I need more changes? Will it still work with SA 2.x and/or 3.x?
I merged the latest exim.conf file from DA with my latest changes to add an additional blocklist by domain.

You should grep "example.com" and replace it with your custom page.

Jeff

nobaloney
05-16-2005, 09:24 PM
Originally posted by Icheb
However I've (after thinking about it, planning with it, and practising to do it fast) migrated our main mailserver from MailScanner to SpamBlocker last night.

. . . .

But I do have a few questions/issues about the new config.
None of your questions appear to have anything to do with SpamBlocker, but only with SpamAssassin.

Which is NOT part of SpamBlocker.

Jeff

Icheb
05-17-2005, 02:26 PM
Originally posted by jlasman
None of your questions appear to have anything to do with SpamBlocker, but only with SpamAssassin.

Which is NOT part of SpamBlocker.

Jeff

Should have edited the post, reading stuff is hard sometimes...
Problems aren't solved yet, but spamblocker is indeed doing a great job for some domains already. Spam on a few domains has decreased with about 70% to just a few dozen spam messages per day.

*will not waste anymore time*

nobaloney
05-17-2005, 05:03 PM
Please don't feel you're wasting anyone's time; it's just that I couldn't figure out how to answer anything in your post based on SpamBlocker.

Perhaps a rewrite would be in order, perhaps in another thread.
We all learn from each other's experiences, and there's really no such thing as a waste of time.

Jeff

keefe007
05-17-2005, 11:25 PM
Will this work with Debian?

nobaloney
05-19-2005, 07:39 AM
Will what work with Debian?

SpamBlocker?

SpamBlocker is system independent; it's built entirely into the exim.conf file. The only dependencies are a few files created at /etc/virtual.

If exim runs on Debian, then SpamBlocker will.

In fact, if you've got DA on Debian, it already is. You simply have to define the domains you want it to work for, by adding the domain names to /etc/virtual/use_rbl_domains.

Jeff

keefe007
06-10-2005, 09:36 PM
Originally posted by jlasman
Will what work with Debian?

SpamBlocker?

SpamBlocker is system independent; it's built entirely into the exim.conf file. The only dependencies are a few files created at /etc/virtual.

If exim runs on Debian, then SpamBlocker will.

In fact, if you've got DA on Debian, it already is. You simply have to define the domains you want it to work for, by adding the domain names to /etc/virtual/use_rbl_domains.

Jeff

So this spamblocker release is included in the DA Debian release?

sethp
06-13-2005, 09:18 AM
Two questions:

1. If all of my domains are being spamblocker'd, won't the emailed request to unblock also be blocked? e.g. if my unblock request form sends mail to unblock@domain.com, allegedly it will come from the same hostname and will also be blocked, so I will never see the request. Obviously, I'm missing something.

2. Does anyone want to share an example of their page where they send people who want to be unblocked? I'd like to get some ideas for how to word the language on the form and page.

Thanks!

sethp
06-13-2005, 10:07 AM
Duh. Please ignore question number 1 above. The unblock request will come from my own mail server, submitted through a web-based form.

Still, I'd love to see some of your examples of forms for unblock requests.

nobaloney
06-13-2005, 03:35 PM
I don't use a form, I use email to <errors@example.com> since I've set up the errors username to accept email from everywhere.

You're welcome to look at my page at:

http://www.spamblocked.net/blocked.html

but don't send people there (you wouldn't believe how many administrators do) because if I get an email asking me to unblock a domain not on my server all I can do is write people and say basically "sorry, but I can't help you; I can't unblock what I don't host".

Jeff

sander815
06-28-2005, 12:44 AM
I just wanted to install SpamBlocker 1.3, but I notice a difference in the SA section:

1.3


# Spam Assassin
spamcheck_director:
  driver = accept
  condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}} {!eq {$received_protocol}{local}} } {1}{0}}"
  retry_use_local_part
  transport = spamcheck
  no_verify


http://help.directadmin.com/item.php?id=36


# Spam Assassin
spamcheck_director:
  driver = accept
  condition = "${if and { \
    {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}} \
    {!eq {$received_protocol}{local}} \
    {exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$valu$
    } {1}{0}}"
  retry_use_local_part
  transport = spamcheck
  no_verify


What should I use?

nobaloney
06-28-2005, 08:22 PM
I'm probably a bad one to ask; my SpamAssassin just stopped working yesterday :( .

I'm busy rewriting SpamBlocker; can you hold off for a few days?

Jeff

nobaloney
06-28-2005, 08:25 PM
I'm probably a bad one to ask; my SpamAssassin just stopped working yesterday :( .

I'm busy rewriting SpamBlocker; can you hold off for a few days?

At this time I recommend using exim.conf and exim.pl from the DA page here (http://files.directadmin.com/services/).

Jeff

interfasys
06-28-2005, 10:58 PM
You can safely use both. The second one is more recent and adds an extra check which had no ill behavior on our setup.

sander815
06-28-2005, 11:45 PM
To me it seems as if the 1.3 version doesn't check if SA is enabled?

interfasys
06-29-2005, 12:06 AM
SA is enabled and works just fine, but usually you can't just use spamblocker like that, you have to sync it with the DA exim.conf and add virus scanning capabilities, complete with ACL.

sander815
06-29-2005, 05:31 AM
I don't mean SA server-wide, I mean this:


{exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$valu$

to be able to turn it on/off per user

nobaloney
07-08-2005, 02:27 PM
The new SpamBlocker 2 should be available in Beta later today; it has the newest code for SpamAssassin.

In the meantime if your copy of exim.conf still has the old code, you can get the latest copy of SpamBlocker 1 from the DA website, here (http://files.directadmin.com/services/exim.conf).

If you download and use the one I pointed to, be sure to uncomment the spamassassin stuff if you want to use spamassassin.

(Always restart exim after changing exim.conf)

Jeff

interfasys
07-16-2005, 10:07 AM
Wow this is a long day ;)

keefe007
07-16-2005, 01:39 PM
Originally posted by interfasys
Wow this is a long day ;)

Don't be cocky or he won't release it :P

nobaloney
07-16-2005, 03:51 PM
I will release it. Hopefully today. If not, hopefully tomorrow.

I do get busy, and client problems always come first.

It's 3:57 here, and I just got to the office. And it's a Saturday. (I'm in California; my day starts later than just about everyone else's day; there are very few of us in later timezones than the one I'm in (PDT, -0700), the same one the forum uses by default, I believe.)

Looking up at the schedule board in front of my desk, it's got only 16 projects on it.

But the good news is that very few of them are for clients.

:)

Jeff

interfasys
08-05-2005, 10:26 AM
Interesting Exim module that adds SA scanning at SMTP time and greylisting:
http://marc.merlins.org/linux/exim/sa.html

Shark
08-11-2005, 09:57 AM
Hey Jeff,

How nice it is to know that you've worked with Raqs and now I see you're responsible for my current exim.conf :) I updated it so I can use the bad_senders_hosts.

If I understand your comments, blacklist_domains are the FROM:s and bad_senders_hosts are for IPs and hosts. Thus, I can copy my Raq4's /etc/mail/access to bad_senders_hosts?

Format-wise, can I also include the (tab) Reject 550 Mail... msg too? Or do I just follow the same format from the domains file?

Also, these blocks are server-wide, yes?

DaveR~

P.S. This post was NOT intended to kick-start you thinking of 2.0 again! lol

nobaloney
08-11-2005, 03:21 PM
The simple answer is there are some errors in the way the original SpamBlocker manages whitelisting, so the best thing is to wait for SpamBlocker2 Beta to get those questions answered.

The good news is I'm ready to release Beta4; it will be released later today.

Jeff

keefe007
08-14-2005, 11:02 AM
How does one get ahold of the Beta's that you have been releasing?

Keefe

Shark
08-14-2005, 02:38 PM
Current version I found but it's not the newest (http://www.nobaloney.net/downloads/spamblocker/DirectAdmin/)

It seems as though Jeff is getting closer to releasing a newer version so decide if you'd like to wait a bit...

DaveR~

nobaloney
08-14-2005, 02:38 PM
I announce Betas on these forums and will announce the Version 2Beta4 as soon as I get it up; it's been delayed as client work comes first but it should be uploaded today.

Jeff

nobaloney
08-14-2005, 02:40 PM
Originally posted by Shark
It seems as though Jeff is getting closer to releasing a newer version so decide if you'd like to wait a bit...
The new version is quite stable on Linux versions and we'll probably release the beta today. Barring unforeseen issues we'll release it to release status by the end of the next week.

At that time we'll recommend everyone using SpamBlocker update, even everyone who's previously used the version that comes with DirectAdmin, since the older versions all have some problems with whitelisting code.

Jeff

keefe007
08-29-2005, 12:08 PM
Is there a way to use this on all domains automatically without having to edit the use_rbl_domains file every time I add a domain?

Can we test the beta you have as it stands now?

Thanks!

nobaloney
08-29-2005, 04:58 PM
Originally posted by keefe007
Is there a way to use this on all domains automatically without having to edit the use_rbl_domains file every time I add a domain?
Sure, but you should certainly notify your clients if you intend to do this, and be sure you set up the /etc/exim.conf file so that the error messages point to a page on your server which has a way you can be notified to whitelist anyone who gets the message.

Can we test the beta you have as it stands now?
Yes. You should be prepared to let your clients know you now accept authenticated email submission on port 587 as well as on port 25, as that works now as well.

To get a copy with instructions please send an email to directadmin@nobaloney.net and in your email accept full responsibility for any use of the beta, and I'll send you a tarball you can upload to your server, along with instructions.

Jeff

keefe007
08-31-2005, 11:42 PM
So who has all tried it so far? ;)

nobaloney
09-01-2005, 06:04 PM
I use it and several of my clients use it.

Anyone who wrote me and has asked me for it uses it.

We'll probably release it the first of next week.

Jeff

icepick
09-07-2005, 10:51 PM
Hi,

When a user is in the whitelist, i.e.:

root@sophia:/etc/virtual# cat whitelist_from
gmail.com
xproxy.gmail.com
@xproxy.gmail.com


Are they supposed to still be checked for RBL? I have gmail emails being bounced back to users because they were in the 'fuzzy' RBL, however i thought adding gmail.com to the whitelist would ignore gmail from rbl checking.

Any advice?

thanks
barry

nobaloney
09-08-2005, 05:45 PM
There are some problems with whitelisting in the current release version. I'll try to get a new release version out this weekend.

In the meantime you can email me and ask for it, adding to your email the standard disclaimer that you know it's in beta and you won't hold me responsible for any failures, and I'll send it to you. You may PM me as well, but I will NOT honor PM requests. I'm specifically requesting an email.

Jeff

tdldp
10-04-2005, 05:42 AM
Hi jeff,

I have the following problem with V1.3 SpamBlocker.
I have modified it just to accept ClamAV use inside exim.conf.

Today I have, for my main domain, an RBL-listed IP address.
When trying to send an email to our client, I get an error 550 because it thinks I'm a spammer.

When I check my whitelist_from I have:
@aquarelle.com
@domain1.com
@domain2.com
@mydomain.fr

How can I sort this out??? So that when I send an email while listed in an RBL, it knows that I'm allowed, as an identified user, to send this email although I am indeed listed...

Thanks for your help

Tdldp

Edited: Man, I am a newbie, and yet I know I should RTFM.
I resolved my problem: hosts are hosts, not @domain.
My whitelist is now:
aquarelle.com
domain1.com
domain2.com
mydomain.fr

And it works. Sorry for the bother and the fuss.

sethp
10-05-2005, 11:38 AM
Originally posted by jlasman
There are some problems with whitelisting in the current release version. I'll try to get a new release version out this weekend.

Jeff - Have you released a newer version yet? If not, can I still contact you via email for the beta version?

If I'm running RSS-1.0da, what changes can I expect if I move to RSS-1.3da? Should I just go to 1.3 or get your beta?

Thanks,
seth.

Shark
10-05-2005, 11:45 AM
I believe you should get the beta. RSS-1.0da came with my setup and I tried 1.3. It had additions like host blocking. I had a problem with whitelisting and a few other things so I went back to 1.0; when I have a moment to breathe I will be requesting the new beta unless it is released beforehand...

DaveR~

nobaloney
10-05-2005, 03:29 PM
I should have beta4 in production by the end of the week; all it's waiting for now is for me to get it in sync with the latest from DA. I'll be writing John in a moment.

Jeff

tdldp
10-06-2005, 12:51 AM
Hi Jeff, this time I have a real problem with SpamBlocker.

Certainly due to my lack of knowledge, I have found no method yet to get round this.
Let me explain:

We regularly have a listed IP which blocks us from sending mail (this is because the IP has been used by Wanadoo users to spam others, and as we have a changing IP at work for security needs, we regularly have listed IPs).
To prevent us from being blocked when sending emails, I added our host to whitelist_from, as you can see in my last post.

Since then another problem has occurred.
I have set my address as catch-all, as some of our clients visibly have trouble spelling our address correctly; it was preferable to be sure we get all mail in, even if there is a typo or spelling error.
The problem is I have 2 addresses that have somehow been added to international spamming lists, and we now get, 6 times an hour, mails to those 2 addresses that land in my mailbox. Fortunately, SpamAssassin does its job correctly and detects them as spam (normal: XBL, Spamcop listing).

What I'd like to know is, how can I block specific destination addresses in a specific list, blacklist_to, so that they are refused by the server??? Is this case planned in a future SpamBlocker version??? This case can be pretty problematic, and it would be good to be able to first check that the address is in a blacklist when using catch-all.

Your reply, or eventual help, would be appreciated ;)

Yours

Tdldp

nobaloney
10-06-2005, 04:33 PM
Originally posted by tdldp
We regularly have a listed IP which blocks us from sending mail (this is because the IP has been used by Wanadoo users to spam others, and as we have a changing IP at work for security needs, we regularly have listed IPs).
To prevent us from being blocked when sending emails, I added our host to whitelist_from, as you can see in my last post.
I'm confused. The whitelist_host list is a list of systems you want to be able to send you mail; it has nothing to do with whether or not you can send email to other systems.

Since then another problem has occurred.
I have set my address as catch-all, as some of our clients visibly have trouble spelling our address correctly; it was preferable to be sure we get all mail in, even if there is a typo or spelling error.
The problem is I have 2 addresses that have somehow been added to international spamming lists, and we now get, 6 times an hour, mails to those 2 addresses that land in my mailbox. Fortunately, SpamAssassin does its job correctly and detects them as spam (normal: XBL, Spamcop listing).

What I'd like to know is, how can I block specific destination addresses in a specific list, blacklist_to, so that they are refused by the server??? Is this case planned in a future SpamBlocker version??? This case can be pretty problematic, and it would be good to be able to first check that the address is in a blacklist when using catch-all.
SpamBlocker doesn't offer this in the most recent versions (even the one coming out shortly), but you can do it easily enough by forwarding the specific email addresses to /dev/null. Read elsewhere in the forums for instructions on how to set up a forwarder to a directory.

Jeff

tdldp
10-07-2005, 12:30 AM
Originally posted by jlasman
I'm confused. The whitelist_host list is a list of systems you want to be able to send you mail; it has nothing to do with whether or not you can send email to other systems.


Well, weirdly enough, I'll take a concrete example:
We have 5 users in our company, and we send each other mail...
Let's say at time X we get IP: XXX.XXX.XXX.1
This IP is listed in XBL, SBL or Spamcop.
When sending an email, error 550 from the server: to unblock $sender_host_name see http://www.site.fr/spam.php
Grrrr... This doesn't suit us:
2 immediate solutions:
Changing IP,
adding our host to the whitelist.

Took the second solution, as we can't change our IP address every now and then, and this worked. We can send emails to ourselves and to our clients at any time, with any IP (even if listed).

Now if there is another solution so that our host is always allowed to send mail without checking RBLs, I'll appreciate the solution.
I may not know yet that another solution exists; that is why I'm asking...


Originally posted by jlasman
SpamBlocker doesn't offer this in the most recent versions (even the one coming out shortly), but you can do it easily enough by forwarding the specific email addresses to /dev/null. Read elsewhere in the forums for instructions on how to set up a forwarder to a directory.

Jeff

My problem is not to forward a specific email address. (This address is not supposed to exist, and those who send emails to this address are spammers, and nothing else.)
I think that in some cases it could be good to block a destination address known to be used by spammers, just as SpamBlocker blocks mail from known hosts... I'm too much of a newbie to translate that into a script, though I'm trying to, and trying to learn. That is why I ask for help or a lane to follow...

nobaloney
10-07-2005, 03:27 PM
Originally posted by tdldp
We can send emails to ourselves and to our clients at any time, with any IP (even if listed).
Now I understand. Yes, this will whitelist your domain name for the same server. However it won't whitelist your domain name for anyone listed on other servers using the blocklisted IP#.

Now if there is another solution so that our host is always allowed to send mail without checking RBLs, I'll appreciate the solution.
Get the IP# delisted or move to a different IP#.

My problem is not to forward a specific email address. (This address is not supposed to exist, and those who send emails to this address are spammers, and nothing else.)
I think that in some cases it could be good to block a destination address known to be used by spammers, just as SpamBlocker blocks mail from known hosts... I'm too much of a newbie to translate that into a script, though I'm trying to, and trying to learn. That is why I ask for help or a lane to follow...
It can certainly be done in SpamBlocker, but we don't do it at this time.

Jeff

nobaloney
10-08-2005, 05:08 PM
SpamBlocker Version 2 has been released.
Please see the new thread in this same forum:

[RELEASE] SpamBlocker Version 2 released (http://www.directadmin.com/forum/showthread.php?s=&threadid=10036)

I'll leave this thread open for a few days in case there are any final questions, but I'll lock it soon and begin to respond to the new thread for the new version.

Thanks for your continued interest in SpamBlocker; I'm sure you'll find the new version features to your liking.

Jeff

jjma
10-09-2005, 12:31 AM
Thanks Jeff

Your support to community is much appreciated.

regards

Jon

tdldp
10-10-2005, 01:06 AM
Originally posted by jlasman Get the IP# delisted or move to a different IP#.

Well, I'd love to, but as we do support for customers, this cannot be a solution if we are in support time (which represents 75% of our online time).


Originally posted by jlasman
It can certainly be done in SpamBlocker, but we don't do it at this time.

Jeff

Can this indeed be thought of in future versions, not V2 as this one is released, but maybe a V2.1 ;o) ???
Meanwhile, where could I find information on blacklisting a specific destination address? (I will migrate to V2 ASAP, but I'd like to have found a solution to my problem at the same time, in order to do the 2 steps in one...) If you know of a doc zone where I could find info, I'd appreciate your reply ;)

Thanks again for your great job...

Tdldp

nobaloney
10-10-2005, 03:54 PM
tdldp,

You wrote:

I think that in some cases it could be good to block a destination address known to be used by spammers,
But you don't explain why we should block destination addresses. Just what problem would it resolve that isn't resolved by the forward to /dev/null?

I really haven't studied how to do it; so you should start by studying how exim ACLs work. Your best place to start is probably the exim.org website.

It will require customization of exim.conf.

Jeff

tdldp
10-11-2005, 06:04 AM
Before Jeff closes this thread, I'll just post the solution to the problem I faced, as it could interest others:

A simple ACL rule that blocks destination addresses is the following:


# refuse mail to any identified address in any local domain, regardless of source
deny recipients = lsearch;/etc/virtual/destination_block
     message = The destination address is not accepted by our services - Stop spamming us.

It must be placed in exim.conf after the following lines:

######################################################################
#                               ACLs                                 #
######################################################################

begin acl

# ACL that is used after the RCPT command
check_recipient:

  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept hosts = :

  # Deny for local domains if local parts begin with a dot or
  # contain @ % ! / |
  deny domains = +local_domains
       local_parts = ^[.] : ^.*[@%!/|]

  # allow local users to send outgoing messages using slashes
  # and vertical bars in their local parts but blocks outgoing
  # local parts that begin with a dot, slash, or vertical bar
  # but allows them within the local part. The sequence \..\
  # is barred. The usage of @ % and ! is barred as before. The
  # motivation is to prevent your users (or their virii) from
  # mounting certain kinds of attacks on reverse sites.

  deny domains = !+local_domains
       local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./


and just before:


# accept email from anyone in the whitelist_from list
accept domains = +whitelist_from


A file listing the destinations to be blocked, named destination_block,
must be created under /etc/virtual/, next to the files created by default by SpamBlocker...

Works fine for me, and helps me reduce by 98% the spam that had managed to get through SpamBlocker in a specific catch-all account situation.

interfasys
10-11-2005, 06:51 AM
That could be very helpful against domain-name contact spammers if we could forward those messages to the spam folder.

nobaloney
10-11-2005, 03:16 PM
tdldp,

Personally, if I were going to include the code, I'd probably want to put it after the whitelist code; by definition whitelists should supersede any blocklists.

Or shouldn't they? If not, then for what reason?

Jeff
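
To see what the placement Jeff asks about changes, here is an added example (written for this thread; it is not code from SpamBlocker or exim) that models exim's first-match evaluation of tdldp's check_recipient ACL with the destination_block deny placed before and after the whitelist_from accept. The list contents, host names and addresses are constructed. One detail the model keeps: in a RCPT ACL exim's `domains` condition tests the recipient's domain, so `accept domains = +whitelist_from` with a domain in that file lets every message addressed to that domain through, which matches what tdldp reports in this thread.

```python
"""First-match model of the check_recipient ACL discussed in this thread.
Added example for the thread; not code from SpamBlocker or exim.
All list contents below are constructed stand-ins for /etc/virtual/* files."""

LOCAL_DOMAINS = {"example.com", "other.example"}   # +local_domains
WHITELIST_FROM = {"example.com"}                   # /etc/virtual/whitelist_from
DESTINATION_BLOCK = {"old-contact@example.com"}    # /etc/virtual/destination_block
BAD_SENDER_HOSTS = {"bulkmailer.example.net"}      # /etc/virtual/bad_sender_hosts


def domain_of(addr):
    """Domain part of an envelope address, lower-cased."""
    return addr.rsplit("@", 1)[1].lower()


# Each function models one ACL verb: it returns "accept" or "deny" when all of
# its conditions match, and None when exim would fall through to the next verb.
def deny_blocked_recipient(m):
    # deny recipients = lsearch;/etc/virtual/destination_block
    return "deny" if m["rcpt"].lower() in DESTINATION_BLOCK else None


def accept_whitelist_from(m):
    # accept domains = +whitelist_from
    # In a RCPT ACL the 'domains' condition tests the *recipient* domain,
    # so a domain listed here lets every message addressed to it through.
    return "accept" if domain_of(m["rcpt"]) in WHITELIST_FROM else None


def deny_bad_sender_host(m):
    # deny on a bad_sender_hosts match (host-name match only in this model)
    return "deny" if m["host"] in BAD_SENDER_HOSTS else None


def deny_rbl_listed(m):
    # deny dnslists = ...; the lookup result is supplied in the message dict
    return "deny" if m["rbl_listed"] else None


def accept_local_domain(m):
    # accept domains = +local_domains
    return "accept" if domain_of(m["rcpt"]) in LOCAL_DOMAINS else None


def run_acl(verbs, m):
    """exim evaluates verbs top-down; the first accept/deny whose conditions
    all match decides.  Reaching the end of the ACL with no match is a deny."""
    for verb in verbs:
        verdict = verb(m)
        if verdict:
            return verdict, verb.__name__
    return "deny", "end_of_acl"


# tdldp's placement: refuse the dead addresses before anything is whitelisted
BLOCK_FIRST = [deny_blocked_recipient, accept_whitelist_from,
               deny_bad_sender_host, deny_rbl_listed, accept_local_domain]
# Jeff's preference: the whitelist supersedes every block
WHITELIST_FIRST = [accept_whitelist_from, deny_blocked_recipient,
                   deny_bad_sender_host, deny_rbl_listed, accept_local_domain]


def compare(m):
    """Verdict of both orderings for one RCPT command."""
    return {"block_first": run_acl(BLOCK_FIRST, m)[0],
            "whitelist_first": run_acl(WHITELIST_FIRST, m)[0]}


# Constructed scenarios matching the cases tdldp describes
SCENARIOS = {
    # RBL-listed bot mailing a dead address at the whitelisted domain
    "spam_to_dead_address": {"host": "bot.example.net", "rbl_listed": True,
                             "rcpt": "old-contact@example.com"},
    # a colleague on an RBL-listed ISP address mailing the same domain
    "colleague_from_listed_ip": {"host": "dsl-pool.example.net", "rbl_listed": True,
                                 "rcpt": "user@example.com"},
    # RBL-listed bot mailing a live address at the whitelisted domain
    "spam_to_live_address": {"host": "bot.example.net", "rbl_listed": True,
                             "rcpt": "user@example.com"},
    # the same bot mailing a local domain that is not whitelisted
    "spam_to_other_domain": {"host": "bot.example.net", "rbl_listed": True,
                             "rcpt": "user@other.example"},
}

if __name__ == "__main__":
    for name, msg in SCENARIOS.items():
        print(f"{name:26} {compare(msg)}")
```

The "spam_to_dead_address" scenario is why tdldp needs the deny ahead of the whitelist: with the whitelist first, the recipient-domain match accepts the message before destination_block is consulted. The "spam_to_live_address" scenario is accepted under both orderings, which is the residual case tdldp still sees; it follows from whitelisting a recipient domain rather than a sending host, which is an exim `hosts` condition rather than `domains`.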

tdldp
10-12-2005, 02:27 AM
Originally posted by jlasman
tdldp,

Personally, if I were going to include the code, I'd probably want to put it after the whitelist code; by definition whitelists should supersede any blocklists.

Or shouldn't they? If not, then for what reason?

Jeff

I'd do the same as you, Jeff, but apparently the config I use needs it this way... Maybe I haven't explained the situation correctly. (I'm a noob, French, and my English is a bit rusty.)

I use the default exim 4.52, with SpamAssassin 3.1.0.
Our account has a catch-all pointing to my address, as some of our clients are regular mistypers.
Our main problem is that in France, Wanadoo (an ISP) regularly gets its IPs blocked. Thus, as we pretty often get blocked IPs, the only solution I had in order to contact clients using our servers' mailing service was either:
- get the IP delisted (but this is not instant, does not always work, and does not protect us when we change IP),
- change IP (but this is impossible if we are under maintenance time, and that represents 75% of our online time, and of our company's working time),
and finally:
- get our domain into whitelist_from by default.

But the main problem in this case is that whitelist_from is the whitelist by default for all of SpamBlocker, thus bypassing all further checks. In the present case we are allowed to send to our box and to our clients (who are in majority Wanadoo clients, and thus accept our incoming mails due to the lack of security of this ISP: hey, they sell their antispam and antivirus solution that way), but this also allows externals to send us spam again (as we are in the whitelist, we bypass all further SpamBlocker checks). Fortunately SpamAssassin does its job correctly, but what I dislike is that spammers who send to specific unavailable addresses (which then get sent to the catch-all account) get their messages processed on the server, thus using resources in ClamAV and SpamAssassin checking.

The solution I used is, in outline, the following:
- If the destination address is known in a blacklist (known spammer destination addresses, which we do not use and have no reason to exist), deny processing, whether it comes from an admin, local or external.
- If the server admin or the server's main domain sends mail (contact in whitelist), send the mail even if the host or IP is blacklisted (due to ISP blacklisting history); receive mail normally.
- If a local domain sends/receives, process normally.
- If receiving from external, start by checking the destination blacklist before doing any other check, then process normally.

Up to now this scheme works for us (98% blocked) except in the following case:
the spam destination address exists (thus is not in the destination blacklist) and the destination domain (host) is in the whitelist.
In this unique case, the spam gets sent normally, but then ClamAV and SpamAssassin do their work and we receive the headers normally.

This may not be so clear, but it works in our "very" specific case.
It may not be a standard (and I would understand), but if I posted the solution it is because others may face our problems, and as I hadn't found an answer in these forums, I propose mine...

Please do note, I am not advanced enough to judge, appreciate, or criticise. I just needed a solution to my specific problem. I still do think that up to now the combination SpamBlocker (exim) / SA / ClamAV is the best mail scanning solution, and I pretty much appreciate the core solution you provide the DA community...
My next aim: migrate to V2 :=) and wait impatiently for DA to propose SpamBlocker by default.

Tdldp

nobaloney
10-12-2005, 05:56 PM
Okay, now I understand your position and why you did what you did.

Yes, whitelist_from is for everyone; that was quite intentional as a design decision; doing everything on a domain by domain basis using exim.conf would require that the entire exim.conf file be rewritten each time a domain is added/deleted.

Yes, we could write it all into a separate program, and have all the mail go through that program. As it would make exim completely nonstandard, for our company it would be a support nightmare.

Your french is much better than mine :) .

SpamBlocker 2 is a simple upgrade, and if you buy SpamBlocker Plugin when it becomes available, it's even easier :) .

I'm not sure what you mean about SpamBlocker becoming a part of DA, since it has been for over a year.


Jeff

Titam
12-05-2005, 12:41 AM
I installed it, and now I have something strange.

2005-12-02 09:55:01 1Ei6h3-00044N-7x H=relay-av.club-internet.fr [194.158.96.107] F=<register@hollinae.com> temporarily rejected after DATA: failed to expand ACL string "${if >{$demime_errorlevel}{2}{1}{0}}": unknown variable name "demime_errorlevel"

So I looked into it, and register@hollinae.com doesn't exist as an email address, so it's blocked, and that's good, but the error message "temporarily rejected after DATA: failed to expand ACL string "${if >{$demime_errorlevel}{2}{1}{0}}": unknown variable name "demime_errorlevel"" is not normal, I think.

Thank you for your help

sullise
12-06-2005, 01:48 PM
Is SpamBlocker going to work under the new Dovecot daemon?

hostpc.com
12-06-2005, 02:17 PM
I asked in the plugin thread, I emailed Jeff, PM'd Resolveit... still havent received a reply.. I've got the same question.

ju5t
12-06-2005, 03:17 PM
Dovecot is not an MTA, if I'm not mistaken. So SpamBlocker will keep on working within Exim.

Anyway, what's with Dovecot? Is DA planning on replacing the current IMAP/POP3 software?

sullise
12-06-2005, 06:48 PM
Yup...shortly. At least give clients a choice. :) Exim blows monkey chunks IMHO.

nobaloney
12-11-2005, 09:53 PM
Originally posted by sullise
Exim blows monkey chunks IMHO.
You might as well find another control panel, now, then, sullise, since dovecot doesn't replace exim.

Both Onno and I have been extremely busy and I'm finally trying to catch up with what I can on the 443 messages I never saw on the forums because of my trip and the aftermath.

But SpamBlocker will work fine with exim even after dovecot is installed.

And, btw, private messages on this forum are never a good way to reach anyone who you've got an email address for; some of us just don't have time to log in to the forum when we're busy.

Except in unusual circumstances I log into the forum at least once a day, but when I'm at the office I get email in realtime.

Jeff

nobaloney
12-11-2005, 09:54 PM
Originally posted by Titam
I installed it, and now i have something strange.
Just what did you install, Titam?

demime doesn't appear anywhere in the SpamBlocker exim.conf file.

Jeff

BlueNoteWeb
01-05-2006, 07:12 AM
SpamBlocker has worked wonders on my inbox. My spam folder in Thunderbird is down from 120-150 spams daily to <10 most days. That's a total from about 10 email addresses over three separate domains. Thanks Jeff!

Looking through the logs, I can see that a few machines are responsible for most of the attempted spam that hits my server. I see dozens of dictionary attacks each day, attempting to email dozens (or hundreds) of people at a given domain using common names. Most of this spam is blocked and does not get to my users, but it still annoys me. I'm sure that it's using some resources to check those RBLs and send out the error message.

I'd like to have those servers automatically added to my firewall rules to block them even before they hit the mail server. I've seen similar rules set up for a server that tries a dictionary attack on FTP or SSH logins - more than x login attempts in y minutes and you're firewalled, at least for a while. I could write a bash script of some sort that would parse the mail log and count the bounces from each server to add them to the firewall rules, but the only way I can think to do it would involve running this script on a cron every so often. It seems to me that it would be better to do this somehow through Exim/SpamBlocker. I'm not sure that the resources necessary to grep through the mail logs would justify the savings.

Adding a machine to the firewall could have unintended consequences...if the machine is one of my clients whose local machine is infected, I'm sure I would hear about it. I think that's a risk I'm willing to take at the moment. Perhaps in the long term, however, it would be better to add the domains to one of the blacklist files as those are apparently read before consulting the RBLs.

So, my questions:

-How much of my resources are being used by the hundreds of emails that SpamBlocker is rejecting? I know it's impossible to give a specific answer to that question, but is it more/less resource intensive than blocking a host at the firewall? Would there be a significant difference if a host were blocked at the firewall rather than the mail server?

-In terms of resources used, is there a significant difference between an email that's blocked in the local blacklist and one that's blocked by an RBL?

-Can you see a use in writing a bash script to automatically add the offending hosts to the blacklist or firewall rules?

-Is it possible to accomplish this in real-time directly through Exim, without the need for an additional script?

sullise
01-05-2006, 09:47 AM
I wouldn't worry so much about your clients being blacklisted if they are infected; as a matter of fact, you should embrace that since it would help both you and them. Once they get blacklisted, you could inform them why and they could clean up their machine, saving them a lot of future problems.

As for methodology...I'd go with a bash script myself, at least till something better can be found.

I need to actually write one that catches the bots that hit my server trying to find the common exploits...logs are full of them.

nobaloney
01-05-2006, 04:05 PM
SpamBlocker uses a lot less resources than SpamAssassin.

But using the strict meaning of significantly, yes, SpamBlocker uses significantly more resources than a firewall block would use.

I've chosen to not do automatic adding to blocklists or firewall, but if you want to do it, I'd recommend a script to run occasionally and make decisions based on the contents of /var/log/exim/rejectlog.

Jeff

BlueNoteWeb
01-06-2006, 02:48 PM
I wrote up a bash script to parse through the logs, and I've found one host that has attempted over 18000 (yes that's three zeroes) and counting entries in the reject log since the first of the month. That's roughly 270 per hour from one machine alone. From eyeballing the reject log I suspect it may be one of my clients, as the incoming messages are all sent to email addresses at his domain hosted on my server. In any case it's obviously a hacked box and I don't want it anywhere near my server.

I've put the script up for inspection here:
http://www.bluenoteweb.com/email_script/parse_email_logs

Any comments, questions or suggestions would be much appreciated. My bash scripting skills are not that great. So far this only puts the offending IPs into a log file, the next step is to add them to the firewall rules.
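An added example of the approach Jeff recommends above (a script run occasionally that reads /var/log/exim/rejectlog and decides which hosts deserve a firewall block). It is not BlueNoteWeb's parse_email_logs script from the link, and it is not part of SpamBlocker. The log lines it runs against are constructed to look like Exim 4 rejectlog entries, and the one-hour window, the threshold of 50 rejections and the never_block prefixes are assumptions to tune for your own server:

```python
#!/usr/bin/env python3
"""Pick dictionary-attack sources out of an Exim rejectlog.

Added example for this thread; it is not BlueNoteWeb's parse_email_logs
script and not part of SpamBlocker. The sample log lines are constructed,
and the window, threshold and never_block prefixes are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Exim rejectlog lines start with "YYYY-MM-DD HH:MM:SS" and carry the peer
# address in square brackets after the H= host name, for example
#   2006-01-06 11:50:00 H=(zombie) [192.0.2.10] F=<a@b> rejected RCPT <u@d>: Unknown user
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)


def parse_rejectlog(lines):
    """Yield (timestamp, peer_ip) for each rejection that names a peer.
    Continuation lines and locally generated rejections have no [ip]
    and are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")


def offenders(lines, now, window=timedelta(hours=1), threshold=50, never_block=()):
    """Return [(ip, count), ...], busiest first, for peers with at least
    `threshold` rejections in the `window` before `now`.

    never_block holds address prefixes that must never be firewalled
    (your own customers, relay hosts): "10.1." covers 10.1.0.0/16.
    """
    since = now - window
    counts = Counter()
    for ts, ip in parse_rejectlog(lines):
        if not (since <= ts <= now):
            continue                       # old entry, or clock skew
        if any(ip.startswith(p) for p in never_block):
            continue
        counts[ip] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def sample_rejectlog():
    """Constructed rejectlog (not real traffic) so the script runs offline.
    Returns the lines and the "now" they were generated against."""
    now = datetime(2006, 1, 6, 12, 0, 0)
    lines = []

    def add(ip, host, n, minutes_ago):
        for i in range(n):
            ts = now - timedelta(minutes=minutes_ago, seconds=i)
            lines.append(
                f"{ts:%Y-%m-%d %H:%M:%S} H={host} [{ip}] F=<bob{i}@example.org> "
                f"rejected RCPT <user{i}@example.com>: Unknown user"
            )

    add("192.0.2.10", "(zombie)", 60, 10)          # dictionary scan, recent
    add("198.51.100.7", "mx.example.net", 5, 20)   # a few typos, leave alone
    add("10.1.2.3", "client.lan", 70, 5)           # a customer's box, never block
    add("203.0.113.9", "(old)", 80, 180)           # busy, but three hours ago
    lines.append("2006-01-06 11:59:00 rejected from <root@localhost>: local only")
    return lines, now


def report(path=None):
    """Offenders for a real log file, or for the constructed sample if no
    path is given. Reading the whole file is fine for a daily rejectlog;
    for multi-gigabyte logs you would stream it instead."""
    if path is None:
        lines, now = sample_rejectlog()
    else:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
        now = datetime.now()
    return offenders(lines, now, threshold=50, never_block=("10.",))


if __name__ == "__main__":
    import sys
    for ip, n in report(sys.argv[1] if len(sys.argv) > 1 else None):
        print(f"{ip}\t{n} rejections")
```

Run it from cron against the live or just-rotated rejectlog and hand the result to whatever blocking mechanism you use. The never_block list is the guard against the case raised above: a customer's infected machine that you would rather hear about than silently firewall, and the time window keeps yesterday's zombie from being counted against today's quota.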

BlueNoteWeb
01-06-2006, 03:07 PM
I've updated the script to add the IPs directly to the firewall rules. Same link as the above post.

nobaloney
01-06-2006, 04:32 PM
Looks good.

Be sure to update again in a few days letting us know how this is working for you.

Jeff

OxnardMontalvo
01-07-2006, 12:36 PM
Here's a script I found on-line and implemented. It's designed to combat dictionary attacks. It does not directly modify your firewall script but it would be easy to make it do so if you wanted to. Personally, I liked this solution better.

It's a simple perl script that builds a text file of IP addresses. I've modified the SpamBlocker exim.conf file to check that file before allowing connections. Basically, the way it works is after 3 failed email addresses in a single connection, it shuts down the connection and adds the IP address to the text file. Before accepting any emails, the IP is checked against this file and rejected if found.

It's not foolproof and I go through and clean out the file about once a week. (One day I'll write a cron job that cleans it out nightly.)

But it does work and some days I catch over 1,000 IP addresses that are trying to spam my server.

To implement:
1: Put dictscan.pl in your /etc dir. Make sure mail owns it and can execute it.

2: touch /etc/exim_deny; again, make sure mail owns it and can write to it.

3: Edit your exim.conf file, find the check_recipient: ACL and put the code below in it. If you are using the latest SpamBlocker, I put it right above the line:

# OPTIONAL MODIFICATIONS:

I hope it works as well for you as it does for me.

Oh and thanks Jeff for the great conf file. Truly, you rock.

=C=

---BEGIN dictscan.pl
#!/usr/bin/perl -w

use strict;

my $file = '/etc/exim_deny';

my $ip = shift;

die "No argument" unless defined $ip;

die "Invalid argument |$ip|" unless $ip =~ /^\d+\.\d+\.\d+\.\d+$/;

# (at this point you _could_ take a look in the file and see
# if the address is already there - can happen occasionally
# e.g when two concurrent dictionary-scan attacks are detected
# from the same IP).

# Since we're doing an append we can ignore file locking...
# (and it's not going to be the end of the world if we sometimes
# manage to list the same address twice...)

open OUT, ">>$file" or die "Couldn't open file, $!";

my $datestamp = scalar localtime;

print OUT "\n\# $datestamp\n$ip\n";

close OUT;
---END dictscan.pl

---modifications to the exim.conf file
#
# http://www.configserver.com/free/eximdeny.html
#
# If they added themselves to the file below, let's block them for Dict Scan!!!
deny message = Blocked because your address is being used for a dictionary attack.
hosts = /etc/exim_deny
!hosts = +relay_hosts
!authenticated = *
delay = 150s
log_message = Blocked because of dictionary scan.

deny message = Max $rcpt_fail_count failed recipients allowed
condition = ${if > {${eval:$rcpt_fail_count}}{2}{yes}{no}}
condition = ${run{/etc/dictscan.pl $sender_host_address}{1}{1}}
!hosts = +relay_hosts
delay = ${eval: ($rcpt_fail_count) * 30}s
log_message = Dictionary scan! $rcpt_fail_count failed recipient attempts
---END modifications to exim.conf.

nobaloney
01-07-2006, 05:40 PM
Originally posted by OxnardMontalvo
Here's a script I found on-line and implemented. It's designed to combat dictionary attacks. It does not directly modify your firewall script but it would be easy to make it do so if you wanted to. Personally, I liked this solution better.
This looks quite good. I think you'd be better off putting it in a firewalling script (see APF/BFD for examples on how to do it) because firewall blocking is a lot more efficient than exim-based blocking. And the advantage is that you can clear the file with the same mechanism you use to clear BFD.

It's a simple perl script that builds a text file of IP addresses. I've modified the SpamBlocker exim.conf file to check that file before allowing connections. Basically, the way it works is after 3 failed email addresses in a single connection, it shuts down the connection and adds the IP address to the text file. Before accepting any emails, the IP is checked against this file and rejected if found.
I hope you don't mind me making a few comments:

1: Put dictscan.pl in your /etc dir. make sure mail owns it and can execute it.
Any unix/linux purist will tell you to never put executable code in your /etc directory. In fact many of us will mount /etc as its own partition, non-executable. Variable files (files that may change) should be put under /var, and local files (files which are not part of the base OS distribution) should probably be put under local, so I'd put this kind of file under /var/local.

While I know that DA breaks the rules concerning variable files, and that I broke the rules when I wrote SpamBlocker (to match DA's breaking of the rules and put similar files in similar places), I don't think I want to put executable files directly into /etc.

hosts = /etc/exim_deny
!hosts = +relay_hosts
!authenticated = *
delay = 150s
log_message = Blocked because of dictionary scan.
This is probably more personal than anything else, but I'd like to see hosts = !+relay_hosts instead of !hosts = +relay_hosts (and similarly for the rest of the conditions) as that's the way the rest of the conditions are written.

Additionally in my opinion the log file message and the error message should be the same, to help you find something in the log file, if the need arises, from email headers someone has sent back to you.

Jeff

OxnardMontalvo
01-08-2006, 06:17 AM
Originally posted by jlasman
This looks quite good. I think you'd be better off putting it in a firewalling script (see APF/BFD for examples on how to do it) because firewall blocking is a lot more efficient than exim-based blocking. And the advantage is that you can clear the file with the same mechanism you use to clear BFD.


I thought about this and am still considering it for the same reason you pointed out. However, I want some mechanism that automatically unblocks an IP after 24 hrs. I'm thinking of modifying the script to block the IP and immediately issue an AT command to unblock it in 24 hrs. That way it's fire and forget.



I hope you don't mind me making a few comments:


You are just way too freakin' polite. :)




Any unix/linux purist will tell you to never put executable code in your /etc directory. In fact many of us will mount /etc as it's own partition, non-executable. Variable files (files that may change) should be put under /var, and local files (files which are not part of the base OS distribution) should probably be put under local, so I'd put this kind of file under /var/local.

Yep and the guy who wrote this should be horse-whipped with me. I didn't think of /var but you are right, that's a better place for it. I was going to move it to /etc/virtual or /etc/mail.




Additionally in my opinion the log file message and the error message should be the same, to help you find something in the log file, if the need arises, from email headers someone has sent back to you.

Yes, that needs to be cleaned up and standardized like the other block messages. I'm in the process of writing my /unblockme.php and when I finish with that my plan was to clean it up and make it look like the other blocks.

=C=

Dixiesys
01-08-2006, 04:12 PM
I like this dictscan thing; what I would do is make it just issue an iptables blah blah -j DROP but not actually add the IP to my global deny list, so when APF restarts (once a day) it'll clear the IPs blocked earlier that day.

As soon as an ip is blocked it should quit being able to access the server - so just add a bit to the script that basically says "if an ip is already IN my list that means it was blocked yesterday or some other day so let's email admin and let him know" and then if an ip repeatedly ends up in my list, I add him to the global block list that I keep on a remote server (all my servers use the same deny_list so I only have to edit one deny rule and all servers will block that ip).

Just some musings on it. If someone keeps on ending up on the temp block may as well just add him to the perm block and let him rot there.

My list is so long it takes apf like 4 minutes to restart haha.

BlueNoteWeb
01-09-2006, 05:49 AM
Logrotate ran yesterday, so this morning I split the old Exim rejectlog into sub-logs by date. Check this out:

[root@beethoven exim]# /root/scripts/split_log rejectlog.1 2006 01 08
[root@beethoven exim]# ls -alh *.log
-rw-r--r-- 1 root root 188K Jan 9 07:42 01.log
-rw-r--r-- 1 root root 756K Jan 9 07:43 02.log
-rw-r--r-- 1 root root 1.4M Jan 9 07:43 03.log
-rw-r--r-- 1 root root 1.5M Jan 9 07:43 04.log
-rw-r--r-- 1 root root 1.4M Jan 9 07:43 05.log
-rw-r--r-- 1 root root 201K Jan 9 07:43 06.log
-rw-r--r-- 1 root root 220K Jan 9 07:43 07.log
-rw-r--r-- 1 root root 33K Jan 9 07:43 08.log
[root@beethoven exim]# ls -al *.log
-rw-r--r-- 1 root root 192512 Jan 9 07:42 01.log
-rw-r--r-- 1 root root 774445 Jan 9 07:43 02.log
-rw-r--r-- 1 root root 1429889 Jan 9 07:43 03.log
-rw-r--r-- 1 root root 1522519 Jan 9 07:43 04.log
-rw-r--r-- 1 root root 1423165 Jan 9 07:43 05.log
-rw-r--r-- 1 root root 206230 Jan 9 07:43 06.log
-rw-r--r-- 1 root root 225706 Jan 9 07:43 07.log
-rw-r--r-- 1 root root 34205 Jan 9 07:43 08.log

*.log is the log for that particular day of the month. The sizes of 01.log and 08.log are misleading because logrotate runs sometime in the morning, some of the entries from those dates are in other files.

Notice the difference from 05.log to 06.log - I first implemented the firewall script on the 5th. The size of my rejectlog from the 6th is 1/7th what it was on the 5th.

BlueNoteWeb
01-09-2006, 05:56 AM
I like this dictscan script also - I think I may implement it. Those who attempt an attack are blocked immediately, if they ignore the bounces and try again they get firewalled when the cron runs. I like it.

servertweak
01-09-2006, 10:19 AM
Originally posted by OxnardMontalvo
I thought about this and am still considering it for the same reason you pointed out. However, I want some mechanism that automatically unblocks an IP after 24 hrs. I'm thinking of modifying the script to block the IP and immediately issue an AT command to unblock it in 24 hrs. That way it's fire and forget.



You are just way to freakin polite. :)



Yep and the guy who wrote this should be horse-whipped with me. I didn't think of /var but you are right, that's a better place for it. I was going to move it to /etc/virtual or /etc/mail.



Yes, that need to be cleaned up and standardized like the other block messages. I'm in the process of writing my /unblockme.php and when I finish with that my plan was to clean it up and make it look like the other blocks.

=C=



Agreed, I too would like to see this.

Dixiesys
01-09-2006, 10:54 AM
I fired this up on a server that has a particularly bad problem with spam and since yesterday afternoon (not even 24 hours yet) it's added 7448 ips to the exim_deny list.

I modified the script to use 7 instead of 3 failed messages to make it even harder to be added! And still over 7400 ips in under 24 hours!

OxnardMontalvo
01-16-2006, 02:54 PM
Originally posted by jlasman
This looks quite good. I think you'd be better off putting it in a firewalling script (see APF/BFD for examples on how to do it) because firewall blocking is a lot more efficient than exim-based blocking. And the advantage is that you can clear the file with the same mechanism you use to clear BFD.



Ok, I've thought about this for quite some time and even tinkered with the code for a few hours. Regarding having the firewall block the IP I have the following thoughts:

1: One of the things that makes this solution so effective for my setup is the immediacy of the block. In looking at my log files, after 48 hours I don't see traffic from a blocked IP address. I am assuming that because most of these machines are zombies, I see a lot of traffic from one and then it goes away and another one takes its place. If I wait until the end of the evening and analyze the log files to see what I should block, a lot of spam gets through.

2: Exim runs as the mail user. I use APF for my firewall script. To make it work within exim, I have to make it so the mail user can execute a lot of stuff I'm not comfortable letting it execute.

3: This configuration still allows legitimate users who 'accidentally' sent mail to 3 bad users on my system a chance at getting themselves unblocked, because the only service that won't talk to them is exim.

So while I do take a hit by exim having to make this call, my mail volume is low enough (10k msg a day or less) that it doesn't really matter.

YMMV.

=C=

Cal Evans
http://blog.calevans.com

hostpc.com
01-16-2006, 03:20 PM
Since: # Thu Jan 12 00:25:01 2006

ONE server, 200 websites, has recorded 14,824 UNIQUE IP's it's flagged as "dictionary attacks". 6 hours ago that number was 14,341. 6 hours - 500 new IP's.

http://www33.hostpc.com/exim_deny (Link)

I can't even imagine the time it would take APF or KISS to parse that log every time it was updated.

OxnardMontalvo
01-16-2006, 05:41 PM
Originally posted by hostpc.com

I can't even imagine the time it would take APF or KISS to parse that log every time it was updated.

The approach I was using was to have the replacement for dictscan.pl (a bash script) fire IPTABLES with the proper command to add an IP into the deny chain. (Not sure if I'm using the right terminology.) I wasn't going to store it for later use. Then I wanted to use the AT command to remove it from memory in 24 hours. If APF or the box got rebooted, it would start with a clean list. In theory it would solve the problem of having to parse a huge list.

However, it doesn't solve the problem of IPTABLES having to deal with an extremely large (and in your case, constantly changing) deny chain.

Would exim perform better if the list were sorted? It wouldn't take much to sort it every hour if that would make a difference in speed.

IMHO, etc.

=C=
Cal Evans
http://blog.calevans.com

nobaloney
01-16-2006, 10:06 PM
Exim won't perform as well as firewalling.

Firewalling might be harder to set up and manage, but it's worth it in the long run.

Jeff

OxnardMontalvo
01-17-2006, 05:52 AM
Originally posted by jlasman
Exim won't perform as well as firewalling.

Firewalling might be harder to set up and manage, but it's worth it in the long run.

Jeff

Jeff,

I know in general that is true. However, my hesitation, aside from the points I've already posted, is this. Given the number of packets a firewall analyzes vs. the number of emails exim checks an IP for before accepting, my gut feeling is that I expend fewer CPU cycles overall filtering from within exim than I do if I start adding these checks to my firewall.

I'm the first to admit that I may be wrong in my logic here. Given your work in this area, I do bow to your knowledge in the subject.

IMHO, etc.

=C=
Cal Evans

sullise
01-17-2006, 11:25 AM
IMHO, the BEST way is the way that works. :)

nobaloney
01-17-2006, 05:24 PM
The firewall runs at the kernel level and is already running and already looking at all the packets.

Anyway, that's my opinion and the opinion of a bunch of people I've called and asked today.

Jeff

sullise
01-17-2006, 08:33 PM
While I respect the opinion...don't see why you found the need to solicit the opinion of "a bunch of people". LOL.

Is there any realistic reason NOT to do it other than that it goes against the opinion of a "bunch of people"? Will it cause security problems, servers to crash, upgrade problems?

Don't get me wrong, I respect your opinion, just curious as to why it's an issue to begin with. There is always more than one way to address an issue and not all will be the 'best', but that doesn't mean they are wrong or don't work. And I think oxy made some compelling statements as to his reasoning.

nobaloney
01-17-2006, 11:03 PM
Originally posted by sullise
While I respect the opinion...don't see why you found the need to solicit the opinion of "a bunch of people". LOL.
Because I could always be wrong :) .

I don't see a reason for not checking to see if others agree with me. And I'm certainly willing to say so when I've been wrong.

Is there any realistic reason NOT to do it other then it goes against the opinion of a "bunch of people"? Will it cause security problems, servers to crash, upgrade problems?
It will not cause security problems. It will definitely use more machine resources during, for example, a dictionary attack.

Why? Because each email coming in will have to go through the entire multi-packet-exchange smtp handshake (ehlo, mail-from, rcpt-to) before exim (running as a user process) will check it against files on disk to see if it should be accepted or not.

If you use iptables (the userspace interface to the kernel's netfilter), the packet is blocked the moment it's matched against a list residing in memory.

Don't get me wrong, I respect your opinion, just curious as to why it's an issue to begin with.
Being that I wrote the exim blocklist code we're debating, I'm concerned about people having higher expectations for it than they should have.

There are always more the one way to address an issue and not all will be the 'best', but doesn't mean they are wrong or don't work. And I think oxy made some compelling statements as to his reasoning.
"The constantly changing deny chain"? A read on the differences between how ipchains and iptables work is probably in order, though it's probably too technical by several orders of magnitude for a discussion here. And even if we were using chains rather than hashed tables in memory we'd still have all the advantages of the efficient kernel code rather than the slow interpreted lookup (note the code isn't interpreted, but each exim thread must read and interpret the entire exim.conf file, and then in the case of ACLs, read each of the referenced files completely) of exim.

Here's an appropriate quote from a post to exim-users made Jan 17, 2006 by Dr Philip Hazel, the author of exim:

Remember that every Exim process
reads and processes the config file when it starts up, and this happens a lot. I used to get worried at the amount of processing this might require, but nobody else seems to care. :-)
I'm not saying that exim isn't great. I'm not saying that exim isn't elegant. I'm not saying that exim isn't easy to use.

I'm only saying under certain circumstances (and a dictionary attack from one IP# is certainly one of them) exim is slower than using filter tables already built into the kernel.

Jeff

OxnardMontalvo
01-18-2006, 06:22 AM
Jeff,

All good points. I'm still struggling with this though. Yes, I realize now as you have so eloquently pointed out (and BTW, thank you for the research) that it is more efficient to let the firewall do the filtering. But is it practical?

I use APF. It's not great (Shorewall was great but it is now abandoned) but it does the job. It has a block list I can add to. But I really don't want to keep reloading the firewall to have it pickup the changes. I'd much rather just insert the IP address into the ACCEPT chain as a DROP. The problem is that exim does not have permission to do this.

So from a practical standpoint, how can I fire iptables from the mail user? If I could do that, the rest is easy.

The way I see it is, given the ACL changes I proposed earlier, instead of firing dictscan.pl you fire dictscan.sh. dictscan.sh does 2 things:

1: Adds the IP address to the chain.
2: Adds an AT job to remove the IP address automatically in 24/48 hours.

This solves the problem of reloading the firewall every time I have a new IP to add. (in my case, that's not too bad but it would mean I'd reload once every 3-4 minutes) If I ever do need to clear things out and start over, all I have to do is restart since I'm not storing these blocks on a perm basis anywhere.

Also important, it has an automatic cleanup. Right now, I have to go through exim_deny every few days and delete a bunch of IP addresses.

So does anyone know how to allow mail to run iptables on Linux?

=C=
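An added example, answering the question above about letting the mail user run iptables; it is not dictscan.pl and not part of SpamBlocker or APF. The usual answer is not to give mail any access to iptables itself but to one wrapper script via sudo, and to let that wrapper validate its argument, insert the rule and queue the at(1) job that removes it again, which gives the fire-and-forget 24-hour unblock without reloading the firewall or keeping a list to clean out. The paths /var/local/bin/dictblock.py and /sbin/iptables, the sudoers line, the never-block ranges and the 24-hour TTL are all assumptions:

```python
#!/usr/bin/env python3
"""dictblock.py: firewall a dictionary-scanning peer for a limited time.

Added example for this thread; not dictscan.pl and not part of
SpamBlocker or APF. Exim's ACL calls it through sudo in place of
/etc/dictscan.pl; it inserts a DROP rule for port 25 and queues an at(1)
job that deletes the rule after TTL_HOURS, so there is no firewall reload
and no list to clean out. All paths below are assumptions.

Assumed sudoers entry (give mail this one wrapper, never iptables itself):
    mail ALL=(root) NOPASSWD: /var/local/bin/dictblock.py
Assumed Exim condition replacing the ${run{/etc/dictscan.pl ...}} line:
    condition = ${run{/usr/bin/sudo -n /var/local/bin/dictblock.py $sender_host_address}{1}{1}}
"""
import ipaddress
import os
import subprocess
import sys

IPTABLES = "/sbin/iptables"
CHAIN = "INPUT"
TTL_HOURS = 24
# Ranges we refuse to block even if asked: ourselves and our own customers.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]
# DICTBLOCK_DRY_RUN=1 prints the commands instead of executing them.
DRY_RUN = os.environ.get("DICTBLOCK_DRY_RUN") == "1"


def validate_ip(raw):
    """Return the canonical IPv4 address or None. The wrapper runs as root,
    so its one argument is treated as untrusted even though Exim, not the
    peer, sets $sender_host_address."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if addr.version != 4:                 # iptables here is IPv4 only
        return None
    if any(addr in net for net in NEVER_BLOCK):
        return None
    return str(addr)


def block_rule(ip, action):
    """argv for iptables with action "-I" (insert) or "-D" (delete). Only
    TCP/25 is dropped, so a wrongly listed sender can still reach the web
    unblock page."""
    return [IPTABLES, action, CHAIN, "-s", ip, "-p", "tcp", "--dport", "25", "-j", "DROP"]


def unblock_job(ip):
    """Script text handed to at(1); it removes the rule when the TTL expires."""
    return " ".join(block_rule(ip, "-D")) + "\n"


def run(argv, stdin_text=None):
    """Execute argv without a shell, so the IP can never become extra arguments."""
    if DRY_RUN:
        print("would run:", " ".join(argv), ("<< " + repr(stdin_text)) if stdin_text else "")
        return 0
    return subprocess.run(argv, input=stdin_text, text=True, check=False).returncode


def block(ip):
    """Insert the DROP rule and schedule its removal; True on success.
    Old iptables has no -C (check) flag, so a peer that trips the ACL twice
    gets two identical rules; each at job removes one, so they balance out."""
    if run(block_rule(ip, "-I")) != 0:
        return False
    return run(["at", "now", "+", str(TTL_HOURS), "hours"], unblock_job(ip)) == 0


def main(argv):
    """Exit status: 0 blocked, 1 refused or failed, 2 bad usage."""
    if len(argv) != 2:
        print("usage: dictblock.py <ip>", file=sys.stderr)
        return 2
    ip = validate_ip(argv[1])
    if ip is None:
        print(f"dictblock: refusing to block {argv[1]!r}", file=sys.stderr)
        return 1
    return 0 if block(ip) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Test it first with DICTBLOCK_DRY_RUN=1 /var/local/bin/dictblock.py 192.0.2.10 as the mail user, which shows the sudo and at wiring without touching the firewall. The reason sudo is pointed at the wrapper rather than at iptables with a wildcard argument is that sudoers wildcards match spaces, so "iptables -I INPUT -s *" would let any extra arguments through; a wrapper that accepts exactly one argument and parses it as an address closes that door.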

OxnardMontalvo
01-18-2006, 09:52 AM
Oh and BTW,

I found this interesting article http://deny-spammers.sourceforge.net/deny-spammers/deny-spammers_html/index.html. It discusses the problem and their solution. I don't think there is any practical advice (at least that I can use) but overall it's a good description of the problem and solution we are discussing. (and it has a pretty graph)

=C=

mikenz
01-18-2006, 04:52 PM
Does anyone have a working version of such a script that implements the PF firewall to block the IP's of identified spammers (like the dictionary scanner) ?

Unfortunately I do not know perl.

Any advice would be greatly appreciated

-Mike

hostpc.com
01-18-2006, 04:58 PM
My only issue is loading 20,000 IPs to iptables (using APF glob_deny) everytime the firewall needs to restart - or a change is made. This CAN take a significant amount of time - and it'd probably be reloading every few minutes.

For me, and thats all I'm really concerned about, this works fine.

Thanks to the dictscan original poster.

OxnardMontalvo
01-19-2006, 08:16 AM
Hi All,

Until I can figure out a way to overcome the security issues I've expressed above, I'm using the system as is. (Once I can overcome those issues I will most likely move to a system where the firewall blocks.)

In the mean time, I need something to manage the exim_deny list to keep it from growing out of control. Ok, on my system 100 new IPs a day is a heavy day but still I don't want to have to remember to clean it. So I wrote this quick little script. This needs to be run by a user who has permission to read and write the /etc/exim_deny list. I run it in the root cron on a nightly basis.

I share it here for your use should you need it. Use at your own risk, etc. etc.etc.

=C=
p.s. for those having trouble pasting this into a script, you can download it from:

http://www.calevans.com/exim_deny_filter.txt





#!/usr/local/bin/php
<?php
/**
*
* exim_deny_filter
*
* Reads in the exim_deny list of IP addresses and discards
* any that are over X seconds old. This works totally in memory
* so it may not be a good solution for large lists. It is meant
* to be called periodically from a cron job. The user running the
* job has to have permission to read and write the /etc/exim_deny
* file and its directory (the new list is renamed into place).
*
* The project page for this code is:
* http://www.calevans.com/view.php/page/edf
*
* @author Cal Evans <cal@calevans.com>
* @copyright 2006 Cal Evans
* @license GPL 2.0
* @package exim_deny_filter
* @access public
* @version 1.0
*
*/
$o = new Exim_Deny_Filter();
$o->main();
exit();

class Exim_Deny_Filter {
    var $file;
    var $seconds_to_keep;

    // PHP 5 style constructor; the PHP 4 style (a method named after the
    // class) is no longer accepted by PHP 8.
    function __construct() {
        $this->file = "/etc/exim_deny";
        $this->seconds_to_keep = 86400;
    } // function __construct()


    function main() {
        $lines = file($this->file);
        if ($lines === false || count($lines) < 1) return;
        $ips = array();
        $break = time() - $this->seconds_to_keep;

        // Build the new list in a temporary file and rename it into place, so
        // that exim never reads a half-written list while we truncate and
        // rewrite it. (An append by dictscan.pl during the rewrite is lost
        // either way; that IP will simply be re-added on its next attempt.)
        $tmp = $this->file . ".tmp";
        $file_handle = fopen($tmp, 'w');
        if ($file_handle === false) return;

        for ($lcvA = 0; $lcvA < count($lines); $lcvA++) {
            // dictscan.pl writes "# <datestamp>" followed by the IP on the next line
            if (substr($lines[$lcvA], 0, 1) == "#" && isset($lines[$lcvA + 1])) {
                $time = strtotime(substr($lines[$lcvA], 1));
                if ($time === false || $time < $break) continue;
                $thisIP = trim($lines[$lcvA + 1]);
                if ($thisIP == "" || in_array($thisIP, $ips)) continue;
                // 24-hour clock ('H'): the 12-hour 'h' drops am/pm, so afternoon
                // entries were read back as morning ones on the next run
                fwrite($file_handle, "# " . date('m/d/Y H:i:s', $time) . "\n" . $thisIP . "\n\n");
                $ips[] = $thisIP;
                $lcvA++;
            } // if (substr($lines[$lcvA],0,1)=="#")
        } // for($lcvA=0;$lcvA<count($lines);$lcvA++)

        fclose($file_handle);

        // Keep the owner and mode of the old list so the mail user can still append
        chown($tmp, fileowner($this->file));
        chgrp($tmp, filegroup($this->file));
        chmod($tmp, fileperms($this->file) & 0777);
        rename($tmp, $this->file);

    } // function main()
} // class Exim_Deny_Filter
?>

hostpc.com
01-19-2006, 08:21 AM
Very handy - thanks Cal!