SpamBlocker 4.1 blocks legitimate notifications from PayPal

zEitEr

Hello,

SpamBlocker 4.1 blocks legitimate notifications from PayPal, at least when forwarding emails (in my case from one DirectAdmin powered server to another one), as the emails come from [email protected]:

Code:
2012-09-12 14:20:48 [8571] 1TBhFf-0002EF-N3 DKIM: d=paypal.com s=dkim c=relaxed/relaxed a=rsa-sha1 [email protected] t=1347434446 [verification succeeded]
2012-09-12 14:20:48 [8571] 1TBhFf-0002EF-N3 <= [email protected] H=mx1.slc.paypal.com (mx0.slc.paypal.com) [173.0.84.226]:52102 I=[11.22.33.44]:25 P=esmtp S=15889 [email protected] T="Notification of payment received" from <[email protected]> for [email protected]
2012-09-12 14:20:48 [8572] 1TBhFf-0002EF-N3 => finance <[email protected]> F=<[email protected]> P=<[email protected]> R=virtual_user T=virtual_localdelivery S=16003 QT=1s DT=0s
2012-09-12 14:20:53 [8571] SMTP connection from mx1.slc.paypal.com (mx0.slc.paypal.com) [173.0.84.226]:52102 I=[11.22.33.44]:25 closed by QUIT
2012-09-12 14:20:55 [8572] 1TBhFf-0002EF-N3 ** [email protected] ([email protected]) <[email protected]> F=<[email protected]> P=<[email protected]> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mail.domain2.com [22.33.44.55]: 550 Forged Paypal Mail, not sent from PayPal.
2012-09-12 14:20:55 [8577] 1TBhFn-0002EL-4v <= <> R=1TBhFf-0002EF-N3 U=mail P=local S=16871 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2012-09-12 14:21:03 [8579] 1TBhFn-0002EL-4v => [email protected] F=<> P=<> R=lookuphost T=remote_smtp S=17220 H=gort.ebay.com [216.113.167.215]:25 X=TLSv1:DHE-RSA-AES256-SHA:256 CV=no DN="/C=US/ST=California/L=San Jose/O=eBay, Inc./OU=Messaging_Team/CN=data.ebay.com" C="250 ok:  Message 1109547579 accepted" QT=8s DT=7s

Note: at the moment of writing this, the check was already disabled on domain2.com but enabled on domain.com.

So I'm quite sure the check should be removed from exim.conf.
For those who don't know how to disable it, here is the guide:

Open /etc/exim.conf for editing in your favorite editor and find EDIT#40:

Code:
#EDIT#40:
    deny message = Forged Paypal Mail, not sent from PayPal.
        senders = *@paypal.com
        condition = ${if match {$sender_host_name}{\Npaypal.com$\N}{no}{yes}}

and comment it:

Code:
#EDIT#40:
##--    deny message = Forged Paypal Mail, not sent from PayPal.
##--         senders = *@paypal.com
##--         condition = ${if match {$sender_host_name}{\Npaypal.com$\N}{no}{yes}}
 
I agree, this part is not 100% imo; I get spoof emails through, although Jeff did say it's because of the .com vs .co.uk etc.
 
Would it be better to do a DKIM check? I'm not sure who does it, but from the logs I see that the verification succeeded:

DKIM: d=paypal.com s=dkim c=relaxed/relaxed a=rsa-sha1 [email protected] t=1347434446 [verification succeeded]
 
I haven't tested, but I see how forwarded emails could present a problem. I think the code probably has to be removed, but that's a shame, because it blocks quite a few PayPal spoofs (I don't think I've ever gotten one since I started using the code).

Anyone know how to use DKIM or SPF to whitelist? On a per-domain basis?

Jeff
 
I guess (and it was already discussed here) that DKIM and SPF checks are useless when checking forwarded emails.
To use an SPF check with Exim, if I'm not mistaken, Exim should be compiled with SPF support. That is not included in da_exim:

Code:
exim -bV | grep -i spf --color

shows nothing

Code:
exim -bV | grep -i dkim

shows this:

Code:
Support for: crypteq IPv6 Perl OpenSSL move_frozen_messages Content_Scanning DKIM Old_Demime


About DKIM I found this:

Code:
acl_check_dkim:
  accept condition = ${if eq{$dkim_verify_status}{pass}}
         dnslists  = _vouch.dwl.spamhaus.org/$dkim_domain
         set acl_c_whitelisted = true
         logwrite  = Spamhaus Whitelist (DKIM) $dkim_domain

From here: http://www.spamhauswhitelist.com/en/setupfaq.php


And of course this thread http://www.directadmin.com/forum/showthread.php?t=38338&page=1
and this post http://www.directadmin.com/forum/showthread.php?t=38338&p=193769#post193769
 
Nevertheless, DKIM verification succeeded (if the Exim logs are to be believed) even when forwarded from one DirectAdmin powered server to another one.

Code:
2012-09-14 15:15:19 1TCR3W-00068F-JP DKIM: d=paypal.com s=dkim c=relaxed/relaxed a=rsa-sha1 [email protected] t=1347609304 [verification succeeded]
 
PayPal emails are now coming from ebay.com:

Code:
2014-05-16 14:37:44 H=dub-mipot-001.corp.ebay.com [193.28.178.23] F=<***@paypal.com> rejected RCPT <***@***.co.uk>: Forged Paypal Mail, not sent from PayPal.
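To make the thread's argument concrete, here is an added example (not part of any post, and not SpamBlocker's code) that re-implements the EDIT#40 rule in Python with Exim's matching semantics and runs it over constructed envelopes: the direct PayPal MX and the forwarding host from the first post's log, the corp.ebay.com relay from the log above, and some spoofs. It also models the DKIM-aware variant the thread discusses, where a verified paypal.com signature overrides the host-name heuristic. The envelope sender address and the spoof host names are made up.

```python
import re

# Constructed test envelopes (host names taken from the thread's logs, the rest made up):
# (label, envelope sender, $sender_host_name, $dkim_verify_status, $dkim_domain)
MESSAGES = [
    ("direct from PayPal",        "service@paypal.com",   "mx1.slc.paypal.com",          "pass", "paypal.com"),
    ("forwarded by domain.com",   "service@paypal.com",   "mail.domain.com",             "pass", "paypal.com"),
    ("PayPal via eBay relay",     "service@paypal.com",   "dub-mipot-001.corp.ebay.com", "pass", "paypal.com"),
    ("spoof from random host",    "service@paypal.com",   "dsl-pool.example.net",        "none", ""),
    ("spoof, no reverse DNS",     "service@paypal.com",   "",                            "none", ""),
    ("spoof using paypal.co.uk",  "service@paypal.co.uk", "dsl-pool.example.net",        "none", ""),
]

def senders_match(sender, pattern="*@paypal.com"):
    """Exim address-list item '*@paypal.com': any local part at exactly that domain,
    so paypal.co.uk never matches (the 'com vs co.uk' remark in the thread)."""
    local, domain = pattern.split("@")
    s_local, _, s_domain = sender.rpartition("@")
    return (local == "*" or local == s_local) and s_domain.lower() == domain.lower()

def edit40_denies(sender, host_name, *_):
    """EDIT#40: deny when the sender claims *@paypal.com but $sender_host_name does
    not match the regex paypal.com$. An empty host name (no reverse DNS) also
    fails the match, and the unescaped dot would accept e.g. 'paypalXcom' too."""
    if not senders_match(sender):
        return False
    return re.search(r"paypal.com$", host_name) is None

def dkim_aware_denies(sender, host_name, dkim_status, dkim_domain):
    """Variant discussed in the thread: a verified paypal.com DKIM signature
    overrides the host-name heuristic, because DKIM survives plain forwarding."""
    if dkim_status == "pass" and dkim_domain.lower() == "paypal.com":
        return False
    return edit40_denies(sender, host_name)

def evaluate(policy):
    """Map each constructed message to True if the policy would reject it."""
    return {label: policy(*fields) for label, *fields in MESSAGES}

if __name__ == "__main__":
    for name, policy in (("EDIT#40", edit40_denies), ("DKIM-aware", dkim_aware_denies)):
        print(name)
        for label, denied in evaluate(policy).items():
            print(f"  {'DENY  ' if denied else 'accept'} {label}")
```

The output shows EDIT#40 rejecting the forwarded and eBay-relayed messages that the logs above prove are genuine, while letting the paypal.co.uk spoof through. Note that Exim only verifies DKIM after DATA, so a rule like dkim_aware_denies cannot sit at RCPT time where EDIT#40 rejects.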
 
Next version (expect it within 24 hours) will not include the block by default, since it can easily fail (and does fail when email is forwarded).

Need a fix before then? If so, then simply comment out the section. See EDIT#40.

Jeff
 
SpamBlocker 4.2.2 has been released with several changes:

1) User vacation and user autoreply code have both been enhanced to only send the automatic reply once every 2 days.

2) The PayPal check to block emails which say they're from PayPal but aren't sent by a server in the paypal.com domain has been commented out, because it will break forwarding and because not all email from PayPal comes from the PayPal domain.

3) Localhost and 127.0.0.1 have been removed from relay_domains and relay_hosts to block unauthenticated SMTP email relaying from the server.

Jeff
 
I've downloaded and "updated" your new version with my customizations (DKIM, greylist, X-auth line to show which user had authenticated for that email).

It works fine.

Regards
 
Good to hear, Andrea.

Can I add those things?

DKIM: Does anything else need to be done on the server to make it work, or just a change to exim.conf?

Greylisting: Same question. does anything else need to be done on the server to make it work? Or just a change to exim.conf?

X-auth: Same question :).

For any for which nothing else needs to be done, if it's okay with you please post or send me your modifications and I'll add them. I'm making a lot of small changes in the next few weeks before John and I work together to merge into one codebase.

Thanks.

Jeff
 
Hi Jeff,

For DKIM you need to enable dkim=1 in directadmin.conf (and, in case it is an already in-production server, run the needed scripts to add DKIM keys to existing domains).

The changes in exim.conf are:

AFTER:
Code:
acl_smtp_helo = acl_check_helo
ADD:
Code:
acl_smtp_dkim = acl_check_dkim

In #EDIT#25, after the first ACL, ADD:
Code:
  acl_check_dkim:

        # Each warn stanza stamps the message with the verification result for the
        # current signer. The condition closes ${lc:...} before the compared value
        # (the original had the brace in the wrong place, which Exim rejects).
        warn    add_header      = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
                sender_domains  = $sender_address_domain:$dkim_signers
                dkim_signers    = $sender_address_domain:$dkim_signers
                dkim_status     = invalid
                condition       = ${if eq {${lc:$dkim_verify_status}}{invalid}{true}{false}}

        warn    add_header      = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
                sender_domains  = $sender_address_domain:$dkim_signers
                dkim_signers    = $sender_address_domain:$dkim_signers
                dkim_status     = fail
                condition       = ${if eq {${lc:$dkim_verify_status}}{fail}{true}{false}}

        warn    add_header      = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
                sender_domains  = $sender_address_domain:$dkim_signers
                dkim_signers    = $sender_address_domain:$dkim_signers
                dkim_status     = none
                condition       = ${if eq {${lc:$dkim_verify_status}}{none}{true}{false}}

        warn    add_header      = X-DKIM-Status: $dkim_verify_status [($dkim_cur_signer) - $sender_host_address]
                sender_domains  = $sender_address_domain:$dkim_signers
                dkim_signers    = $sender_address_domain:$dkim_signers
                dkim_status     = pass
                condition       = ${if eq {${lc:$dkim_verify_status}}{pass}{true}{false}}
        # Never reject on DKIM result alone; the header is informational.
        accept
In #COMMENT#61:

AFTER
Code:
driver = smtp
ADD
Code:
  headers_add = "${if def:authenticated_id{X-Authenticated-Id: ${authenticated_id}}}"
  dkim_domain = $sender_address_domain
  dkim_selector = x
  dkim_private_key = ${if exists{/etc/virtual/$sender_address_domain/dkim.private.key}{/etc/virtual/$sender_address_domain/dkim.private.key}{0}}
  dkim_canon = relaxed
  dkim_strict = 0
Note: headers_add = "${if def:authenticated_id{X-Authenticated-Id: ${authenticated_id}}}" is the line that adds an X-Authenticated-Id header to every outgoing email with the username used to authenticate and send that mail (and it can be added without any other modification).

Regarding greylisting:
For the greylist part, you need to install the greylistd daemon on your server (the OS package manager is good enough to install it).

Needed exim.conf edits are:

in #COMMENT#43:

BEFORE
Code:
accept  domains = +local_domains
ADD
Code:
  defer message         = $sender_host_address is greylisted. Please try again later.
         log_message    = greylisted.
         domains       = +relay_domains
#         domains       = +relay_domains : +local_domains ### COMMENTED CAUSE CAUSED AUTH USERS TO BE GREYLISTED ASWELL
         !senders       = : postmaster@*
         !hosts         = : +relay_hosts : \
                           ${if exists {/etc/greylistd/whitelist-hosts}\
                           {/etc/greylistd/whitelist-hosts}{}} : \
                           ${if exists {/etc/virtual/whitelist-hosts}\
                           {/etc/virtual/whitelist-hosts}{}}
         set acl_m4     = ${mask:$sender_host_address/24}
         set acl_m5     = ${sg{$acl_m4}{/24}{}}
         set acl_m6     = $acl_m5 $sender_address $local_part@$domain
         set acl_m6     = ${readsocket{/var/run/greylistd/socket}{$acl_m6}{5s}{}{false}}
         condition      = ${if eq {$acl_m6}{grey}{true}{false}}

I hope I did not forget anything :)

Also, I would suggest you change the line

Code:
daemon_smtp_ports = 25 : 587
to
Code:
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465

Because the SSL port should actually be useful to have active ;)

Best regards
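As an added illustration (not greylistd's code nor anything from this thread), the following Python models what the greylist ACL above computes: the triplet key that the three set acl_m* lines build from the /24-masked sender address, the envelope sender and the recipient, plus a toy store that answers "grey" or "white" the way the readsocket lookup is expected to. The retry window and the second MX address 173.0.84.230 are assumptions.

```python
import ipaddress
import time

# Mirrors the three "set acl_m*" expansions in the greylist ACL:
#   ${mask:$sender_host_address/24}                -> "173.0.84.0/24"
#   ${sg{...}{/24}{}}                              -> "173.0.84.0"
#   "$acl_m5 $sender_address $local_part@$domain"  -> the greylist triplet
def greylist_key(sender_host_address, sender_address, local_part, domain):
    net = ipaddress.ip_network(f"{sender_host_address}/24", strict=False)
    return f"{net.network_address} {sender_address} {local_part}@{domain}"

class Greylist:
    """Toy triplet store standing in for greylistd (constructed for illustration).
    A triplet never seen before is 'grey' (the ACL then defers with a 4xx); once
    the sender retries after retry_secs it becomes 'white' and is accepted."""
    def __init__(self, retry_secs=300, clock=time.time):
        self.retry_secs = retry_secs
        self.clock = clock            # callable returning the current time
        self.first_seen = {}          # triplet -> time of first attempt

    def check(self, key):
        now = self.clock()
        if key not in self.first_seen:
            self.first_seen[key] = now
            return "grey"
        return "white" if now - self.first_seen[key] >= self.retry_secs else "grey"

def demo():
    """First attempt from one PayPal MX is deferred; a retry two minutes later is
    still too early; the retry ten minutes in from a sibling MX in the same /24
    maps to the same triplet and is accepted."""
    clock = [1000.0]                  # fake clock so the run is deterministic
    gl = Greylist(retry_secs=300, clock=lambda: clock[0])
    first = greylist_key("173.0.84.226", "service@paypal.com", "finance", "domain.com")
    verdict1 = gl.check(first)        # "grey"
    clock[0] += 120
    verdict_early = gl.check(first)   # "grey": retried too soon
    clock[0] += 480
    retry = greylist_key("173.0.84.230", "service@paypal.com", "finance", "domain.com")
    verdict2 = gl.check(retry)        # "white": same /24 -> same key, window elapsed
    return first, retry, verdict1, verdict_early, verdict2

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The /24 mask is why a legitimate sender retrying from a different MX in the same netblock does not restart the greylist window; the ACL's !hosts and !senders exemptions are not modelled here.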
 
I'd just noticed another difference:

in #EDIT#24:

AFTER
Code:
accept hosts = +whitelist_hosts_ip : +relay_hosts

ADD
Code:
  # Delay. (Spammers don't like to wait while connecting)
  # Better not to use on high-load servers because it will hold too many open connections
  # Port 587 accepts connections without delay
  accept condition = ${if eq {$interface_port}{465}{yes}{no}}
  accept condition = ${if eq {$interface_port}{587}{yes}{no}}

  accept
     logwrite = Delay 10s for $sender_host_address ($sender_host_name)
     delay    = 10s

This part is a delay of 10 seconds (and of course it can be changed/removed) for incoming connections where the user is not using port 587 nor 465 (usually the ports that should be used by clients).
So every incoming connection on port 25 (server-to-server connection) is delayed for 10 seconds (just to deter spammers), but it can easily be set lower or not added at all.

Thanks

Best regards
 
Thanks, Andrea. I recall from some time ago a published greylisting solution set up a database of hosts known to be good automatically so they'd not be subject to delay. Am I dreaming, or do you remember that as well :)?

I think ten seconds may be a very long time; do you have any ideas on what may be a server too busy to use this?

Have you done any tests to show that the greylisting significantly decreases spam finally reaching the server?

Thanks.

Jeff
 
Mmh, honestly no, I don't remember that; at this moment once an IP is "whitelisted" by greylist it still has the delay.

I did notice a huge decrease in spam, from SpamBlocker itself and also from DKIM and greylist.

At this moment I don't see a busy server, but actually it depends on how many emails you "manage" every day :)

If you want my greylist stats just let me know :)

Regards
 
No need now. Still thinking about adding it to my exim.conf file.

Thanks.

Jeff
 