SpamBlocker2.1.1 released

nobaloney

SpamBlocker version 2.1.1 has been released. It offers a completely reworked and optimized set of blocklists, and a fix (which you may or may not already have on your server) to help with plaintext authorization when using certain email clients.

While SpamBlocker version 2.1.1 is not mandatory, it's strongly suggested, since it removes a nonworking blocklist and will fix authentication issues for some clients.

SpamBlocker version 2.1.1 requires the latest version of exim.pl.

SpamBlocker version 2.1.1 is currently only available for mbox-based systems. The exim.conf.dovecot.patch file available dated 15-December-2005 will NOT convert it to work with Dovecot/Maildir, so if you're running Dovecot/Maildir you should either wait until a new patch file is available, manually patch your new exim.conf file, or update to the SpamBlocker3 file specifically available for your Maildir configuration (either with or without ClamAV).

Remember that the SpamBlocker version 2.1.1 file you download will not include your changes to point senders of emails detected as false positives to your whitelist page; be sure to search and replace for all instances of example.com before installing the file.

SpamBlocker version 2.1.1 may be found here:
Code:
http://files.directadmin.com/services/exim.conf
and also at:
Code:
http://www.nobaloney.net/downloads/spamblocker/DirectAdminSpamBlocker2/SpamBlocker.exim.conf.2.1.1-release
The latest exim.pl file may be found here:
Code:
http://files.directadmin.com/services/exim.pl
and also at:
Code:
http://www.nobaloney.net/downloads/spamblocker/DirectAdminSpamBlocker2/exim.pl

Jeff
 
I posted somewhere (obviously not here :( ) that the patch published by DA should work. At least that's what John told me.

Have you tried it?

Jeff
 
Took me some time to do this..

Had to update exim first, which I thought I already did earlier, but apparently http://help.directadmin.com/item.php?id=51 doesn't work for me.
But http://help.directadmin.com/item.php?id=126 plus this did the trick.

I downloaded the http://www.nobaloney.net/downloads/spamblocker/DirectAdmin/exim.conf.spamblocker file, edited it into notepad, got it as exim.conf using VI. (just noticed that I could have used DA to edit the exim.conf file -_-; )

Anyway, got it to work, with a lovely help page for non-spammers.
That's a form that sends an email from me to me, and from me to the client that the non-spammer wishes to contact (from me so spamblocker, me and the client know it's good).
It checks on all the bot-infiltrate-nastiness stuff, like headers, bad email addresses, and even checks with a captcha and the PHP function gethostbyname() if the domain matches the IP range we have.

If my client replies to me with OK, then I'll add that address to the whitelist and send an email. :)
(I suppose I could automate this as well, but let's see how often it will be used)
 
Yes, Duboux; please keep us posted. I never automated because on average I get less than one whitelist request a week.

Jeff
 
Okay, since the update, I've seen Exim log lines like these:

Exim Mainlog said:
2007-08-01 21:52:42 H=([89.240.167.159]) [89.240.167.159] incomplete transaction (connection lost) from <[email protected]>
2007-08-01 21:52:42 unexpected disconnection while reading SMTP command from ([89.240.167.159]) [89.240.167.159]
2007-08-01 21:52:47 H=([89.240.167.159]) [89.240.167.159] incomplete transaction (connection lost) from <[email protected]>
2007-08-01 21:52:47 unexpected disconnection while reading SMTP command from ([89.240.167.159]) [89.240.167.159]
2007-08-01 21:52:51 H=([89.240.167.159]) [89.240.167.159] incomplete transaction (connection lost) from <[email protected]>
2007-08-01 21:52:51 unexpected disconnection while reading SMTP command from ([89.240.167.159]) [89.240.167.159]
2007-08-01 21:52:56 H=([89.240.167.159]) [89.240.167.159] incomplete transaction (connection lost) from <[email protected]>
2007-08-01 21:52:56 unexpected disconnection while reading SMTP command from ([89.240.167.159]) [89.240.167.159]
2007-08-01 22:17:52 H=(yahoo.com) [12.32.39.254] F=<[email protected]> rejected RCPT <****@****>: Email blocked by SPAMHAUS - to unblock see http://****
2007-08-01 22:17:52 H=(yahoo.com) [12.32.39.254] incomplete transaction (connection lost) from <[email protected]>
2007-08-01 22:17:52 unexpected disconnection while reading SMTP command from (yahoo.com) [12.32.39.254]

Exim Paniclog said:
2007-08-01 02:14:14 1IG0i0-0006l6-JD User 0 set for local_delivery transport is on the never_users list
2007-08-01 02:14:14 1IG1qw-0007rw-N8 User 0 set for local_delivery transport is on the never_users list
2007-08-01 04:02:44 1IG3Xw-0000XJ-IH User 0 set for local_delivery transport is on the never_users list
2007-08-01 04:02:45 1IG3Xx-0000Xd-Da User 0 set for local_delivery transport is on the never_users list

Exim Reject Log said:
2007-08-01 21:49:26 H=cpc3-stkn8-0-0-cust696.midd.cable.ntl.com (GRAHAM-EFNU14F3) [81.96.158.185] F=<[email protected]> rejected RCPT <****@****.com>: Email blocked by SPAMHAUS - to unblock see http://*****
2007-08-01 21:49:28 H=cpc3-stkn8-0-0-cust696.midd.cable.ntl.com (GRAHAM-EFNU14F3.2euu91.org) [81.96.158.185] F=<[email protected]> rejected RCPT <****@****.com>: Email blocked by SPAMHAUS - to unblock see http://*****
2007-08-01 21:49:31 H=cpc3-stkn8-0-0-cust696.midd.cable.ntl.com (rr1a4.e9aai.ameritech.net) [81.96.158.185] F=<[email protected]> rejected RCPT <****@****.com>: Email blocked by SPAMHAUS - to unblock see http://*****
2007-08-01 22:17:52 H=(yahoo.com) [12.32.39.254] F=<[email protected]> rejected RCPT <****@****>: Email blocked by SPAMHAUS - to unblock see http://****@****

Seems all spammers, but are the "unexpected disconnection while reading SMTP command" lines in the Main log errors or rejection lines from spamblocker ?

And I see double lines in both EximMain and EximReject on the same actions. Are the rejections supposed to show in the main log as well ? or can they only show in the rejectlog ?

Also I used to receive emails from US NMA, who use different email addresses and domains with every message. But I don't know if they are blocked yet. (hard to see in the logs as the email address varies constantly). Is there a way to filter on contents too ?
 
Seems all spammers, but are the "unexpected disconnection while reading SMTP command" lines in the Main log errors or rejection lines from spamblocker ?
The sender is closing the connection.
And I see double lines in both EximMain and EximReject on the same actions. Are the rejections supposed to show in the main log as well ? or can they only show in the rejectlog ?
I never heard of EximMain or EximReject; do you mean the exim mainlog and the rejectlog? Yes, they'll both show the same information; the purpose of the mainlog is to give you one log where you see everything; the purpose of the rejectlog is to help you focus on just rejected email, for example if you get a whitelist request and you want to look instead of just whitelist.
Also I used to receive emails from US NMA, who use different email addresses and domains with every message. But I don't know if they are blocked yet. (hard to see in the logs as the email address varies constantly). Is there a way to filter on contents too ?
Yes, but not in SpamBlocker. You can use the mail filter settings from the control panel. I hate those emails too :0 .

Jeff
 
Bugger, Spam Cannibal blocks smtp servers o_0

And whose IPs are in the mail logs... indeed the SMTP servers'

Spam Cannibal blocked an IP that wasn't blocked on its own, but 2 IPs that looked alike were blocked, so this one got blocked as well:
http://spamcannibal.org/cannibal.cgi search on: 213.75.38.85
hpsmtp-eml20.kpnxchange.com
spam source
see
213.75.38.115
213.75.38.116

Another thing.
A client has 2 client-accounts on that block.
He sends an email from one account to the other.
But gets rejected by SpamCannibal, because his ISP's SMTP server (he obviously doesn't use the mail.hisdomain.com for smtp) is marked as spam.
And with SpamCannibal the whole IP gets blocked after someone used it to send a spam message :eek:



Some global data:
# grep -c 2007-08-02.*"Email blocked by SPAMCANNIBAL" /var/log/exim/mainlog
31
# grep -c 2007-08-02.*"Email blocked by SPAMHAUS" /var/log/exim/mainlog
2072
# grep -c 2007-08-02.*"Email blocked by LBL" /var/log/exim/mainlog
0
# grep -c 2007-08-02.*"Email blocked by BSHL" /var/log/exim/mainlog
0
# grep -c 2007-08-02.*"Email blocked by BSAL" /var/log/exim/mainlog
0
# grep -c 2007-08-02.*"Email blocked by NJABL" /var/log/exim/mainlog
0
# grep -c 2007-08-02.*"Email blocked by CBL" /var/log/exim/mainlog
0
# grep -c 2007-08-02.*"Email blocked by DSBL" /var/log/exim/mainlog
3
# grep -c 2007-08-02.*"Email blocked by SORBS" /var/log/exim/mainlog
0
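
The per-blocklist counts above can be produced in a single pass over the mainlog instead of one grep per list. This is an added example, not part of the original post or of SpamBlocker: the function name `tally_blocklists` is hypothetical, and the sample log lines are constructed (documentation-range addresses) in the mainlog format quoted earlier in the thread. It also reports distinct source IPs per list, which shows when many rejections come from a single relay such as an ISP's SMTP server.

```shell
#!/bin/sh
# Constructed sample in Exim mainlog format; hosts and addresses are made up.
sample_log() {
cat <<'EOF'
2007-08-01 23:59:58 H=(a.example.net) [192.0.2.10] F=<x@example.net> rejected RCPT <user@example.org>: Email blocked by SPAMHAUS - to unblock see http://example.org/wl
2007-08-02 00:00:03 H=(a.example.net) [192.0.2.10] F=<x@example.net> rejected RCPT <user@example.org>: Email blocked by SPAMHAUS - to unblock see http://example.org/wl
2007-08-02 00:00:03 H=(a.example.net) [192.0.2.10] incomplete transaction (connection lost) from <x@example.net>
2007-08-02 00:00:03 unexpected disconnection while reading SMTP command from (a.example.net) [192.0.2.10]
2007-08-02 00:00:09 H=(a.example.net) [192.0.2.10] F=<y@example.net> rejected RCPT <user@example.org>: Email blocked by SPAMHAUS - to unblock see http://example.org/wl
2007-08-02 08:15:40 H=host.example.com (PC1) [198.51.100.7] F=<z@example.com> rejected RCPT <user@example.org>: Email blocked by SPAMHAUS - to unblock see http://example.org/wl
2007-08-02 09:30:11 H=smtp.isp.example (relay) [203.0.113.85] F=<c@example.org> rejected RCPT <d@example.org>: Email blocked by SPAMCANNIBAL - to unblock see http://example.org/wl
2007-08-02 11:02:27 H=(b.example.net) [198.51.100.99] F=<q@example.net> rejected RCPT <user@example.org>: Email blocked by DSBL - to unblock see http://example.org/wl
EOF
}

# tally_blocklists DATE [FILE...]
# Prints "LIST HITS DISTINCT_IPS", most hits first. Reads stdin if no FILE.
# The date must be the first field, so a date inside a message cannot match.
tally_blocklists() {
    day=$1; shift
    awk -v day="$day" '
        $1 == day && /rejected RCPT/ &&
        match($0, /Email blocked by [A-Za-z0-9_]+/) {
            # "Email blocked by " is 17 characters; the rest is the list name.
            list = substr($0, RSTART + 17, RLENGTH - 17)
            hits[list]++
            # The connecting IP is the bracketed token just before F=<...>.
            if (match($0, /\[[0-9A-Fa-f.:]+\] F=</)) {
                ip = substr($0, RSTART + 1, RLENGTH - 6)
                if (!((list, ip) in seen)) { seen[list, ip] = 1; ips[list]++ }
            }
        }
        END { for (l in hits) printf "%s %d %d\n", l, hits[l], ips[l] }
    ' "$@" | sort -k2,2nr -k1,1
}

# Run on the constructed sample; on a server the equivalent would be
#   tally_blocklists 2007-08-02 /var/log/exim/mainlog
sample_log | tally_blocklists 2007-08-02
```

Lists that never matched on the given day simply do not appear, rather than being reported as 0.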
 
I've removed the SpamCannibal blocklist on my own system and will block it on final releases and next updates.

Jeff
 
Is it possible to use more than 1 line in the reply message when an email is blocked ?

Like that line "blocked by SPAMHAUS, see http... for details"
Could it be multiple lines ?
 
oi.. when installing this on another box, I got this line in the Exim paniclog:
2007-08-16 03:01:29 non-existent configuration file(s): /config/file.new

What does this mean ?
 
Is it possible to use more than 1 line in the reply message when an email is blocked ?

Like that line "blocked by SPAMHAUS, see http... for details"
Could it be multiple lines ?
It's been many years since I visited this issue.

I think you can do it (my guess is you'd add something which would be understood by mail programs as a newline character; you can find that on the 'net). However my understanding is that most error handling systems will only return the first line.

Jeff
 
oi.. when installing this on another box, I got this line in the Exim paniclog:


What does this mean ?
I actually get this too on the first box I installed it on..

# exim -C /config/file.new -bV
Exim version 4.67 #1 built 31-Jul-2007 22:10:38
Copyright (c) University of Cambridge 2006
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (September 21, 2004)
Support for: crypteq iconv() Perl OpenSSL move_frozen_messages Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Size of off_t: 8
2007-08-17 00:18:05 non-existent configuration file(s): /config/file.new

:(
 
What were you installing when you got this? Exim? DirectAdmin?

On what OS Distribution?

Were you installing from a DirectAdmin supplied RPM, or some other kind of package? Or from source?

Why were you running this line:
Code:
# exim -C /config/filenew -bV
Where did you get the instructions to run that?

Jeff
 
What were you installing when you got this? Exim? DirectAdmin?

On what OS Distribution?

Were you installing from a DirectAdmin supplied RPM, or some other kind of package? Or from source?

Why were you running this line:
Code:
# exim -C /config/filenew -bV
Where did you get the instructions to run that?

Jeff
I was updating exim and installing SpamBlocker.
OS = FC3

I started from the rpm:
# wget http://files.directadmin.com/services/da_exim-4.67-2.src.rpm

That # exim -C /config/filenew -bV line, I ran to check, as was advised by your SpamBlocker txt file.
 