SpamBlocker 4.3.0, BlockCracking, Easy Spam Fighter, and new exim.pl

Regarding forwarders in DirectAdmin. When a customer forwards emails to, for example, their Gmail account, then spam is also forwarded. Gmail sees the spam as if it were sent from our mail server.

I ask that DirectAdmin change the forwarders so that the envelope sender is not changed when forwarding emails, so that Gmail doesn't see it as spam sent from our mail server. Here is a quote from "Best practices for forwarding mail to Gmail" at https://support.google.com/mail/answer/175365?hl=en

Not sure if this is the right thread for this request, but I'd like to add my agreement. A couple of clients get LOTS of spam and they insist on forwarding everything to their Gmail accounts, so Gmail frequently gives warnings about rate-limiting our server.
 
One of our clients is seeing a lot of spam, all from a server name ending in .link (which of course doesn't exist). Lots of different IP#s.

I seem to remember someone had a fix to exim.conf so we could use one of our files with a wildcard at the beginning, so it could block all domains ending in .link (for example).

Anyone remember what that was? I'm probably searching wrong because I can't find it :(.

Thanks.

Jeff
 
I seem to remember someone had a fix to exim.conf so we could use one of our files with a wildcard at the beginning, so it could block all domains ending in .link (for example).

Code:
domainlist blacklist_domains = wildlsearch;/etc/virtual/blacklist_domains
hostlist bad_sender_hosts = wildlsearch;/etc/virtual/bad_sender_hosts
...
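As an added example (not from the thread and not DirectAdmin's exim.conf) of how the wildlsearch domainlist above is put to use: the file contents, the ACL name acl_check_mail, and checking both the envelope sender domain and the HELO name are my assumptions; the file path and the domainlist line are the ones from the reply above.

```exim
# Added example, not DirectAdmin's exim.conf. Assumes the domainlist is
# declared in the main section and that the MAIL ACL is named acl_check_mail.
domainlist blacklist_domains = wildlsearch;/etc/virtual/blacklist_domains

# /etc/virtual/blacklist_domains, one pattern per line (owner mail:mail).
# wildlsearch keys may be plain domains, "*" wildcards or ^regex.
# Constructed sample contents, not real blocklist data:
#   *.link
#   *.spammy.example
#   exact.example.net

acl_check_mail:
  # Envelope sender (MAIL FROM) domain: a domain-list condition can use the
  # named list directly.
  deny
    message        = Sender domain $sender_address_domain is not accepted here
    log_message    = blacklist_domains: MAIL FROM domain $sender_address_domain
    sender_domains = +blacklist_domains

  # HELO/EHLO name: there is no domain-list condition for it, so test the
  # string against the same named list with the match_domain expansion condition.
  deny
    message     = HELO name $sender_helo_name is not accepted here
    log_message = blacklist_domains: HELO $sender_helo_name
    condition   = ${if match_domain{$sender_helo_name}{+blacklist_domains}}

  accept
```

After editing, `exim -bV` re-reads the configuration and reports syntax errors before you restart anything, and `exim -be '${if match_domain{host.spam.link}{+blacklist_domains}{yes}{no}}'` shows whether a given name hits the list without having to send a test message. Note that `*.link` matches any name with at least one label before `.link`, not the bare TLD itself.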
 
Hey guys,

I've tried this and my feedback is that the default conf is much too aggressive!
This cannot be used in production; I saw a lot of false positives.
 
How is it aggressive? Any log hint? Which rule was aggressive?

I have been using this for months now, and I haven't had any false positives at all. Just some MX servers in some RBLs, but that is not related to the SB exim.conf; 4.2 had the same RBLs.

So, before saying "this cannot be used in production", give us some detailed information about what and how, so that it can be fixed/improved in the next release.

Regards
 
So, before saying "this cannot be used in production", give us some detailed information about what and how, so that it can be fixed/improved in the next release.

You are right, here are some details:

I have a lot of temporarily rejected DKIM: DKIM: Deferred. reason='pubkey_unavailable'

Some DKIM: Failed. reason='bodyhash_mismatch'

And a lot of mail falsely marked as spam with "rejected after DATA: Your message was classified as SPAM"

But the critical issue for me is that the whitelist file is not considered, for example:

2014-12-05 10:24:15 1Xwp7V-0007E0-0o H=(ctu.ctu.iuculano.org) [10.0.0.10] X=TLSv1.1:DHE-RSA-AES256-SHA:256 F=<[email protected]> rejected after DATA: Your message was classified as SPAM. Please add more content, cut down on HTML links, use fewer naughty words etc. Also, ask your IT dept to make sure your mailserver has REVERSEDNS, SPF and is not on any black lists. Your score: 130
(10.0.0.0/24 is whitelisted.)

I don't know if the DKIM issue is a misconfiguration or not; I didn't investigate, but what I mean is that this is not a configuration that can be used "out of the box", and unfortunately I have no time to debug and tune this.
 
Well...

Regarding the DKIM defer you should check this: http://forum.directadmin.com/showthread.php?t=50456&highlight=DKIM:+Deferred.
And check the file: /etc/exim.easy_spam_fighter/check_dkim.conf
Also, keep in mind that if a mail server claims to send mail with a DKIM signature and doesn't provide the signing key in DNS, well, that is not your misconfiguration but an issue on the sending host's side...

Regarding the second issue, I never saw something like that; an investigation would be needed, yes...

Regarding the whitelist not working, that's actually strange; which whitelist file did you fill?

The error you give is probably set from the file /etc/exim.easy_spam_fighter/variables.conf (you should lower the values that mark mail as spam in that file), since it's true that the internal IP has no rDNS and SPF (so a local DNS misconfiguration), but the whitelist itself should work...

The file for whitelisting an IP should be: /etc/virtual/whitelist_hosts_ip, and it is working since I use it... so, if you set that file, also be sure it is owned by mail:mail.

Regards
 
The file is processed; in fact I have:
2014-12-05 09:01:14 10.0.0.10 whitelisted in local hosts IP# whitelist

But it is rejected.

Regarding the other issues, as I wrote before, I don't have time to fix the conf, and my feedback was simply "this is not a configuration that can be used out of the box" because you will have a lot of false positives.
 
I see your point; maybe easy_spam_fighter isn't checking the whitelist. That should definitely be a sort of bug and should be fixed.

Regards
 
Ah thanks for the report.
I've moved this line:
Code:
.include_if_exists /etc/exim.easy_spam_fighter/check_rcpt.conf
from just before #EDIT#27 to just before #COMMENT#43.

Moving it lower allows the whitelist bits to do their job.

exim.conf 4.3.0 alpha 4 now available on files1.

John
 
Thanks John, you should also move the whitelist stuff before #EDIT#27. That way whitelisted hosts will not be checked against HELO_SHOULD_BE_FQDN and are really whitelisted :)

Cheers,
Giuseppe
 
Uploaded alpha 6.
Did some rework for the whitelisting, where it does the checks as soon as it can (moved from the rcpt ACL to the mail ACL), and then sets a variable:
acl_m_is_whitelisted=1
which is checked later in the other ACLs.

The later ACLs can then pass early, bypassing possible drops (like SPF, bad hostnames, DKIM, etc.).

It doesn't 100% overrule absolutely everything though, just to be safe.
Specifically, a few checks in acl_check_recipient are still done before the whitelist accepts it.
Still have to pass:
- invalid domains
- send limit already hit (to prevent spammers, even if whitelisted)
- too many bounced recipients
- too many failed recipients
- domain is suspended
- authenticated, but in /etc/virtual/blacklist_usernames

The diff from alpha4 to alpha5 is here:
http://files1.directadmin.com/servi...chnology-v4.3.0-alphta4-to-v4.3.0-alpha6.diff

Alpha 5 is here:
http://files1.directadmin.com/services/SpamBlocker/4.3.0/exim.conf-SpamBlockerTechnology-v4.3.0.txt

John
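An added example of the "decide early, honour later" pattern John describes (not the actual 4.3.0 alpha 6 exim.conf). The acl_m_is_whitelisted variable and the whitelist file path come from the thread; the ACL names, the net-iplsearch lookup, the named lists +local_domains/+relay_to_domains/+relay_from_hosts and the specific checks shown are assumptions, chosen to mirror the list of checks that stay mandatory.

```exim
# Added example, not DirectAdmin's exim.conf. Assumes the usual Exim named
# lists (local_domains, relay_to_domains, relay_from_hosts) exist and that the
# MAIL, RCPT and DATA ACLs are named as below.
hostlist whitelist_hosts_ip = net-iplsearch;/etc/virtual/whitelist_hosts_ip

# /etc/virtual/whitelist_hosts_ip (owner mail:mail, one entry per line,
# plain addresses or CIDR blocks). Constructed sample contents:
#   10.0.0.0/24
#   203.0.113.25

acl_check_mail:
  # Decide once, as soon as the sender host is known. acl_m_ variables are
  # reset by MAIL and RSET, so a value set here survives every RCPT and the
  # DATA stage of this message, and the next message is re-evaluated.
  warn
    hosts    = +whitelist_hosts_ip
    set acl_m_is_whitelisted = 1
    logwrite = $sender_host_address whitelisted in local hosts IP# whitelist

  accept

acl_check_recipient:
  # Checks that apply even to whitelisted hosts: never become an open relay
  # for a whitelisted sender, and never accept recipients that do not exist.
  deny
    message        = Relay not permitted
    !domains       = +local_domains : +relay_to_domains
    !hosts         = +relay_from_hosts
    !authenticated = *

  deny
    message = Unknown user
    domains = +local_domains
    !verify = recipient

  # From here on a whitelisted host is done; nothing below can reject it.
  accept
    condition = ${if eq{$acl_m_is_whitelisted}{1}}

  # Bypassable checks follow (HELO, rDNS, SPF, RBLs ...). One example: a
  # HELO name without a dot cannot be a FQDN.
  deny
    message   = HELO should be a FQDN
    condition = ${if match{$sender_helo_name}{\N^[^.]+$\N}}

  accept

acl_check_message:
  # Same idea at DATA, placed before the DKIM / SpamAssassin includes so a
  # whitelisted host is not scored or rejected on content.
  accept
    condition = ${if eq{$acl_m_is_whitelisted}{1}}

  # ... the remaining DATA-time checks go here ...
  accept
```

The order inside acl_check_recipient is the whole point: the relay and recipient checks come first, so a whitelisted host still cannot relay through you or probe for valid addresses, and only then does the early `accept` short-circuit the reputation checks. Setting the variable in the MAIL ACL rather than the connect or HELO ACL matters, because acl_m_ values set before MAIL would be wiped by the MAIL command itself.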
 
I suppose you already made other edits, since the newer version is Alpha 6 :)

Also CB doesn't recognize the newer version with ./build versions; before it did, but now it shows only:

Latest version of exim.conf: 4.3.0
Installed version of exim.conf: 4.3.0


I suppose it's because you moved the alpha version to a new line; this prevents CB from noticing updates. Could that be fixed?

Regards
 
Hi, just to verify, I tested on one of our servers

and I see this error sometimes in /var/log/maillog

Dec 17 04:50:26 box2 spamd[676119]: spamd: creating default_prefs: //.spamassassin/user_prefs
Dec 17 04:50:26 box2 spamd[676119]: config: cannot create user preferences file //.spamassassin/user_prefs: No such file or directory
Dec 17 04:50:26 box2 spamd[676119]: spamd: failed to create readable default_prefs: //.spamassassin/user_prefs


Is something wrong or not?

More logs:

Dec 17 04:50:26 box2 spamd[676119]: spamd: connection from 127.0.0.1 [127.0.0.1]:38462 to port 783, fd 5
Dec 17 04:50:26 box2 spamd[676119]: spamd: setuid to nobody succeeded
Dec 17 04:50:26 box2 spamd[676119]: spamd: creating default_prefs: //.spamassassin/user_prefs
Dec 17 04:50:26 box2 spamd[676119]: config: cannot create user preferences file //.spamassassin/user_prefs: No such file or directory
Dec 17 04:50:26 box2 spamd[676119]: spamd: failed to create readable default_prefs: //.spamassassin/user_prefs
Dec 17 04:50:26 box2 spamd[676119]: spamd: checking message <[email protected]> for nobody:99
Dec 17 04:50:27 box2 spamd[676119]: plugin: eval failed: bayes: (in learn) locker: safe_lock: cannot create tmp lockfile /.spamassassin/bayes.lock.box2.domaineinternet.ca.676119 for /.spamassassin/bayes.lock: No such file or directory
Dec 17 04:50:27 box2 spamd[676119]: spamd: clean message (6.0/7.5) for nobody:99 in 1.1 seconds, 3897 bytes.
Dec 17 04:50:27 box2 spamd[676119]: spamd: result: . 6 - URIBL_BLOCKED scantime=1.1,size=3897,user=nobody,uid=99,required_score=7.5,rhost=127.0.0.1,raddr=127.0.0.1,rport=38462,mid=<[email protected]>,autolearn=unavailable autolearn_force=no
Dec 17 04:50:27 box2 spamd[676118]: prefork: child states: IB
Dec 17 04:50:27 box2 spamd[676120]: spamd: connection from ::1 [::1]:48425 to port 783, fd 6
Dec 17 04:50:27 box2 spamd[676120]: spamd: setuid to fleblanc succeeded
Dec 17 04:50:27 box2 spamd[676120]: spamd: processing message <[email protected]> for fleblanc:603
Dec 17 04:50:27 box2 spamd[676120]: spamd: clean message (4.1/5.2) for fleblanc:603 in 0.3 seconds, 3885 bytes.
Dec 17 04:50:27 box2 spamd[676120]: spamd: result: . 4 - BAYES_00,URIBL_BLOCKED scantime=0.3,size=3885,user=fleblanc,uid=603,required_score=5.2,rhost=::1,raddr=::1,rport=48425,mid=<[email protected]>,bayes=0.000000,autolearn=ham autolearn_force=no
Dec 17 04:50:27 box2 spamd[676118]: prefork: child states: II
Dec 17 04:50:27 box2 dovecot[674142]: lmtp(676237): Connect from local
Dec 17 04:50:27 box2 dovecot[674142]: lmtp(676237, [email protected]): P58MBb5RkVSNUQoAEmL42g: msgid=<[email protected]>: saved mail to INBOX
Dec 17 04:50:27 box2 dovecot[674142]: lmtp(676237): Disconnect from local: Successful quit
 
Without this... I got one problem with IMAP support (for now I have only verified in Roundcube).

Since I installed this, a few new messages cannot be read and don't look right; the emails in the list don't have any date.

http://www.shareimg.co/thumbs/7/141880976863-0.png

I can find the message in the IMAP folder, but it is in Maildir/cur and not Maildir/new, yet in Roundcube it shows up the same as a new email.

And I don't find any error logs about it in Roundcube or in maillog.

Any clues, please?

But it works well in AfterLogic webmail.

But it's really since I installed this setup for SpamBlocker and LMTP...

sorry for my english
 
Why is this mail not flagged as spam?

For a few months SpamAssassin has been really bad...

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from box2.domaineinternet.ca
by box2.domaineinternet.ca (Dovecot) with LMTP id Rv6zIwQrlFTBhgMAEmL42g
for <[email protected]>; Fri, 19 Dec 2014 08:48:01 -0500
Return-path: <[email protected]>
Received: from mail by box2.domaineinternet.ca with spam-scanned (Exim 4.84)
(envelope-from <[email protected]>)
id 1Y1xuN-000z3A-F5
for [email protected]; Fri, 19 Dec 2014 08:48:01 -0500
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
box2.domaineinternet.ca
X-Spam-Level:
X-Spam-Status: No, score=-0.0 required=6.5 tests=HTML_IMAGE_RATIO_06,
HTML_MESSAGE,RCVD_IN_SORBS_DUL,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY,
URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0
Received: from j5t2s6r.snoadd.eu ([172.245.242.32])
by box2.domaineinternet.ca with esmtp (Exim 4.84)
(envelope-from <[email protected]>)
id 1Y1xuH-000z2C-H7
for [email protected]; Fri, 19 Dec 2014 08:47:55 -0500
Received: from 1a632d11.j5t2s6r.snoadd.eu (amavisd, port 10572)
by j5t2s6r.snoadd.eu with ESMTP id 1AGNTXN632DYAMGG11;
for <[email protected]>; Fri, 19 Dec 2014 06:46:32 -0700
Subject: Christmas Wine from Virgin: Save $80 on 12 Fantastic + 3 FREE Bottles
Message-ID: <5572YFVVTXDUL442701645-diffusion=fortier-danse.com@j5t2s6r.snoadd.eu>
To: <[email protected]>
From: "Virgin Wines" <[email protected]>
Date: Fri, 19 Dec 2014 06:46:32 -0700
Content-Language: en-us
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: multipart/alternative;
boundary="----=Part.448.5307.1418996792"
SPFCheck: Server passes SPF test, -30 Spam score
SpamTally: Final spam score: -30
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
 
Is there a mechanism to provide a custom override for /etc/exim.easy_spam_fighter/check_dkim.conf (via CB2)? After reviewing my logs, I found that 100% of messages rejected with "DKIM: Failed" were mangled by mailing lists. My users want these messages.

My workaround (not even sure if this is valid syntax) is to change deny to warn in check_dkim.conf:

Code:
# Turn the ACL verb "deny" (on a line of its own) into "warn", keeping the
# indentation and leaving the word alone where it appears inside a message string
sed -i 's/^\([[:space:]]*\)deny[[:space:]]*$/\1warn/' /etc/exim.easy_spam_fighter/check_dkim.conf

Code:
  warn
    add_header = X-DKIM: signer='$dkim_cur_signer' status='$dkim_verify_status' reason='$dkim_verify_reason'

  defer
    dkim_status = invalid
    log_message = DKIM: Deferred. reason='$dkim_verify_reason'
    message = DKIM Signature validation has failed. May be a temporary problem.

  warn
    dkim_status = fail
    log_message = DKIM: Failed. reason='$dkim_verify_reason'
    message = DKIM Signature validation has failed.

  warn
    dkim_status = pass
    set acl_m_easy69 = ${eval:$acl_m_easy69+EASY_DKIM_PASS}
    add_header = DKIMCheck: Server passes DKIM test, EASY_DKIM_PASS Spam score

I suspect this will get overwritten by CB2. I'd like to make it permanent (until I find a more appropriate solution).
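An added alternative to the deny-to-warn edit above (my example, not DirectAdmin's check_dkim.conf): instead of silently passing a failed signature, keep the defer for genuinely invalid signatures and turn a hard DKIM failure into a score penalty in the same Easy Spam Fighter tally that the pass case already credits (acl_m_easy69 and EASY_DKIM_PASS are from the snippet above). The EASY_DKIM_FAIL macro, its value, and the idea that it lives in variables.conf next to the other thresholds are assumptions.

```exim
# Added example, not DirectAdmin's check_dkim.conf. Assumes a macro
#   EASY_DKIM_FAIL = 20
# is defined alongside EASY_DKIM_PASS (per the thread, the thresholds live in
# /etc/exim.easy_spam_fighter/variables.conf); 20 is an illustrative value.

  warn
    add_header = X-DKIM: signer='$dkim_cur_signer' status='$dkim_verify_status' reason='$dkim_verify_reason'

  # Still a hard stop: a signature Exim could not even evaluate (e.g. the
  # public key record could not be fetched) is retried by the sender later.
  defer
    dkim_status = invalid
    log_message = DKIM: Deferred. reason='$dkim_verify_reason'
    message = DKIM Signature validation has failed. May be a temporary problem.

  # A signature that verified as broken (typically bodyhash_mismatch after a
  # mailing list rewrote the body) no longer rejects on its own; it raises the
  # spam score so the other evidence decides, and the header records why.
  warn
    dkim_status = fail
    set acl_m_easy69 = ${eval:$acl_m_easy69+EASY_DKIM_FAIL}
    log_message = DKIM: Failed, scored +EASY_DKIM_FAIL. reason='$dkim_verify_reason'
    add_header = DKIMCheck: DKIM signature failed, EASY_DKIM_FAIL Spam score

  warn
    dkim_status = pass
    set acl_m_easy69 = ${eval:$acl_m_easy69+EASY_DKIM_PASS}
    add_header = DKIMCheck: Server passes DKIM test, EASY_DKIM_PASS Spam score
```

This keeps the signal without the false positive: list-mangled mail from an otherwise clean sender still gets delivered, while mail that fails DKIM and also trips SPF, rDNS or RBL checks is pushed over the threshold. Because the DKIM ACL runs once per signer, a message with several signatures accumulates one adjustment per signature, which is usually what you want. If the pubkey_unavailable deferrals from earlier in the thread are mostly senders whose key simply does not exist in DNS, consider scoring the invalid case the same way rather than deferring, since those will never succeed on retry.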
 
With exim.conf 4.3.2 you can use whitelists to skip some tests, including the DKIM check.
So all that is needed is to add trusted IPs to /etc/virtual/whitelist_hosts_ip (one IP per line, with an empty line at the bottom).

At least this is what we started to use. I hope we could disable the test another way.
 