Why don't ESF and Exim block this mail???

Richard G (Verified User, joined Jul 6, 2008, 12,554 messages, Maastricht)
Content of /etc/virtual/blacklist_domains
Code:
[root@server18: /etc/virtual]# less blacklist_domains 
.date
.loan
.website

Received mail, which ip IS present in the Spamhaus blacklist.

Code:
Return-Path: <maely@symine.loan>
Delivered-To: [email protected]
Received: from server18.hostingserver.com
	by server18.hostingserver.com with LMTP id eNTLMtCVwVkSUgAADNWw8g
	for <[email protected]>; Wed, 20 Sep 2017 00:10:24 +0200
Return-path: <maely@symine.loan>
Envelope-to: [email protected]
Delivery-date: Wed, 20 Sep 2017 00:10:24 +0200
Received: from [192.162.24.180] (helo=symine.loan)
	by server18.hostingserver.com with esmtp (Exim 4.89)
	(envelope-from <maely@symine.loan>)
	id 1duQif-0001JC-9W
	for [email protected]; Wed, 20 Sep 2017 00:10:24 +0200
From: " Julia Peterson" <[email protected]>
Date: Tue, 19 Sep 2017 16:52:24 -0500
MIME-Version: 1.0
Subject: Download The Best Flight Sim Game Over 120 Aircrafts & Real Airports
To: <[email protected]>
Message-ID: <vnZNZXl0W-E2cWDup4QZFktrUZ8p_C5zd6FJsemnQ0M.9CZzFINKblc10LQyB-k-2viBmyjw3GyYBBlzn7-yRLE@symine.loan>
Content-Type: multipart/alternative;
 boundary="------------19141990633071142810361"
SPFCheck: Soft Fail, 30 Spam score
X-Spam-Score: 3.2 (+++) (????)
X-Spam-Report: Spam detection software, running on the system "server18.hostingserver.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Nationality, and ethnicity are a large beaming part of identity
    for most people. Factors chiropractic like this matter more for some people
    strong than others and for some groups stampede more than others but a sense
    rochester of group awareness or membership exists in rockwell varying degrees
    across all segments of American dawson . Often its easy to see the kurdish
    signifiers of such group identity, in distinctive holmes , food or clothing,
    for example. But commons sometimes when symbols or language are co-, dilemma
    it is harder to spot. In 2015, more Donald J. Trumps make America great again
    alternate and build a wall started out as gangster simple but powerful slogans.
    As time went diluted on, they became more infused with a impeccable specific
    meaning that symbolized the concerns and varicose preferences of a substantial
    set of white stockton Americans. Mr. Trumps appeals were a form greenwich
    of group politics or identity politics, and supremo he continues to focus
    on threats to file white identity as president. Some Trump critics melt find
    his focus on whites as a speed group outrageous or counterproductive. But
    survey data intrusion suggest that many white Americans do feel sever threatened,
    and that they think there are part policies that discriminate against them
    and should mission be changed. Two examples of the presidents mouthpiece
   efforts and the underlying support for his bethlehem positions illustrate
   these trends. On Wednesday, he discontinued offered his support for a bill
    that salt would cut legal immigration to the United swept States in half,
    saying this legislation demonstrates lambert our compassion for struggling
    American families who budapest deserve an immigration [...] 
 
 Content analysis details:   (3.2 points, 7.5 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
  0.9 SPF_HELO_SOFTFAIL      SPF: HELO does not match SPF record (softfail)
  0.0 HTML_MESSAGE           BODY: HTML included in message
  1.3 RDNS_NONE              Delivered to internal network by a host with no rDNS
  0.0 T_REMOTE_IMAGE         Message contains an external image
SpamTally: Final spam score: 62
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

This is a multi-part message in MIME format.
--------------19141990633071142810361
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Can anybody explain this to me, given these default ESF settings:
1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) (+30)
0.9 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail) (+30)
1.3 RDNS_NONE Delivered to internal network by a host with no rDNS (+100)
SpamTally: Final spam score: 62???
By my calculations this should be at least 130 (at least 1 time +30 and 1 time +100).

Besides that, it seems that while the mail was being processed, this IP ended up on the blacklist:
Code:
2017-09-20 00:10:24 1duQif-0001JC-9W <= [email protected] H=(symine.loan) [192.162.24.180] P=esmtp S=14052 d=vnZNZXl0W-E2xxxxxxxxxtrUZ8p_C5zd6FJsemnQ0M.9CZzFINKblc10LQyB-k-2viBmyjw3GyYBBlzn7-yRLE@symine.loan T="Download The Best Flight Sim Game Over 120 Aircrafts & Real Airports" from <[email protected]> for [email protected]
2017-09-20 00:10:24 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1duQif-0001JC-9W
2017-09-20 00:10:25 1duQif-0001JC-9W => info <[email protected]> F=<[email protected]> R=virtual_user T=dovecot_lmtp_udp S=14407 C="250 2.0.0 <[email protected]> eNTLMtCVwVkSUgAADNWw8g Saved"
2017-09-20 00:10:25 1duQif-0001JC-9W Completed
2017-09-20 00:12:57 H=(symine.loan) [192.162.24.180] F=<[email protected]> rejected RCPT <[email protected]>: Email blocked by zen.spamhaus.org

As you can see, it was delivered to me, but 2 minutes later mail from that .loan domain was blocked by Spamhaus and rejected by Exim, so that's good.

Questions:
1.) Why wasn't this email blocked by Exim, due to the blacklist_domains setting?
According to this thread, I did not use *.loan but just .loan, as stated in there.
2.) Why wasn't this email blocked by ESF, since the result was well over the +100 score, which even ESF detected?
And the default setting is EASY_HIGH_SCORE_DROP = 100.
3.) Why wasn't this email blocked by Exim because of the invalid helo/ehlo?

Can anybody help me figure out why this mail was not blocked???
 
Hi Richard,

1) The blacklist_domains uses an nwildsearch, so if you're trying to use a sub-string match, you'd need the * character, eg:
Code:
*.date
*.loan
*.website
assuming those are the extensions you're after.

2) As for the ESF score of 62, that would be 30 for the failed SPF, and 32 for the SpamAssassin report (3.2 x 10).
The lookup:
Code:
dig -x 192.162.24.180
does have a valid rDNS ... but the resulting hostname does *not* resolve, which is likely what SA is talking about. ESF does not do this extra check.

The spamhaus not blocking, then blocking could be either the IP not being listed yet, then being flagged 20 minutes later (seems to still be listed, when I manually checked, returns 127.0.0.3)
OR it might be the dns servers being used, in case they're doing too many RBL queries, and the RBL servers end up blocking them.
We do recommend using 127.0.0.1 in the /etc/resolv.conf so that your own server does the dns lookups, as it would have fewer total queries from your IP, vs any mass recursive servers, which would quickly get blocked.

3) The HELO, I don't believe ESF checks. That's probably doing a forward dns check, where the rDNS must match the forward dns IP from the result.
So the 0.9 you're trying to count 30 for ESF isn't there. Only the 1.0 SPF check is the 30.

---

Anyway, the spam looks like it wasn't spammy enough to get through.
You could bump up the forward lookup score a bit, but many servers will fail that, so I wouldn't go anywhere above 1.5-2.0 (from 0.9):
https://help.directadmin.com/item.php?id=531

But using the correct *.loan in the blacklist_domains would solve that, assuming you never want *.loan emails.

John
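To make the first two points above concrete (why `.loan` in blacklist_domains does not match `symine.loan` while `*.loan` does, and how the SpamTally of 62 comes about), here is an added example that emulates Exim's `nwildlsearch` single-item pattern matching and the score arithmetic from the reply. It is my own illustration, not code from DirectAdmin, ESF or Exim; the header sample is constructed from the message in the post, and treating a tally at or above EASY_HIGH_SCORE_DROP as a drop is my assumption.

```python
import re

# Constructed from the post: the file as Richard had it, and the corrected form.
BLACKLIST_AS_POSTED = [".date", ".loan", ".website"]
BLACKLIST_CORRECTED = ["*.date", "*.loan", "*.website"]

# Default mentioned in the thread; treating ">=" as the drop condition is my assumption.
EASY_HIGH_SCORE_DROP = 100


def exim_pattern_matches(pattern: str, domain: str) -> bool:
    """Emulate one Exim single-item domain pattern, as used for the keys of an
    nwildlsearch lookup file:
      '^...'  -> regular expression match
      '*tail' -> domain must end with 'tail'
      else    -> exact (case-insensitive) match
    A trailing dot on the domain is ignored.
    """
    subject = domain.lower().rstrip(".")
    if pattern.startswith("^"):
        return re.search(pattern, subject, re.IGNORECASE) is not None
    if pattern.startswith("*"):
        return subject.endswith(pattern[1:].lower())
    return subject == pattern.lower()


def domain_blacklisted(domain: str, patterns) -> bool:
    """True if any pattern in the blacklist matches the sender domain."""
    return any(exim_pattern_matches(p, domain) for p in patterns)


# Header lines ESF leaves behind, as seen in the post.
SPFCHECK_RE = re.compile(r"^SPFCheck:.*?,\s*(\d+)\s*Spam score", re.M | re.I)
SA_SCORE_RE = re.compile(r"^X-Spam-Score:\s*(-?[0-9.]+)", re.M | re.I)


def esf_tally(headers: str) -> int:
    """Recompute the SpamTally the way the reply describes it: the SPFCheck
    score (30 for the softfail) plus 10x the SpamAssassin score. Rules such as
    RDNS_NONE only count inside the SpamAssassin score; ESF adds no separate
    +100 for them, which is why the total is 62 rather than 130 or more."""
    total = 0
    m = SPFCHECK_RE.search(headers)
    if m:
        total += int(m.group(1))
    m = SA_SCORE_RE.search(headers)
    if m:
        total += round(float(m.group(1)) * 10)
    return total


def esf_verdict(headers: str):
    score = esf_tally(headers)
    return score, ("drop" if score >= EASY_HIGH_SCORE_DROP else "deliver")


# Constructed sample: the relevant header lines from the message in the post.
SAMPLE_HEADERS = """\
Return-Path: <maely@symine.loan>
Received: from [192.162.24.180] (helo=symine.loan)
SPFCheck: Soft Fail, 30 Spam score
X-Spam-Score: 3.2 (+++)
"""

if __name__ == "__main__":
    sender_domain = "symine.loan"
    for label, bl in (("as posted", BLACKLIST_AS_POSTED), ("corrected", BLACKLIST_CORRECTED)):
        print(f"blacklist {label:9}: {sender_domain} blocked = {domain_blacklisted(sender_domain, bl)}")
    print("ESF tally:", esf_verdict(SAMPLE_HEADERS))
```

Running it shows the literal `.loan` key only matching a domain that is exactly `.loan`, the `*.loan` key matching `symine.loan`, and the tally landing at 62, well under the drop threshold.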
 
Hello.

Thank you,
1.) So Jef was wrong in the post that the wildcard character should not be used? I'm going to try that.
2.) OK, I understand.

3.) I don't understand this one; it was in fact an invalid helo/ehlo, which you can see from the Exim logfile I posted:
Received: from [192.162.24.180] (helo=symine.loan)
This is a domain name but not a hostname, or is a domain name sufficient to be a valid helo/ehlo?
 
1) The exim.conf versions have come a long way; they now support wildcards in certain areas. Just check the exim.conf to see if the load of the file in question is nwildsearch or something containing "wild".

3) Helo can absolutely be a domain name. Usually not in DA itself though, as you'd typically want to be using it under some User. It's only a DirectAdmin restriction because of how system accounts vs virtual domain accounts are setup.
In fact, our main server has a hostname value of jbmc-software.com, because we don't use it as a User domain. The restriction is just that your hostname cannot be a User domain, or your system account emails won't work correctly. Ignore our jbmc-software.com case, as it's a custom setup :)

I believe the issue is the mismatch between the hostname lookup, vs the IP lookup. They should create a loop, but they don't in this case:
Code:
[root@forum custombuild]# dig symine.loan +short
192.162.24.180
[root@forum custombuild]# dig -x 192.162.24.180 +short
vps16.canal1news.com.
[root@forum custombuild]#
John
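Added example (mine, not Exim's or DirectAdmin's code) that runs the forward/reverse loop check described above over a constructed DNS snapshot taken from the dig output in the reply: symine.loan resolves to 192.162.24.180, the PTR for that address is vps16.canal1news.com, and that name has no A record. A second host (mail.example.org / 203.0.113.10) is assumed for contrast and shows what a closed loop looks like. The `live_lookup` helper uses only the standard socket module and is optional; nothing here touches the network unless you call it.

```python
import socket

# Constructed DNS snapshot from the dig output in the reply (not live answers).
FORWARD_A = {
    "symine.loan": ["192.162.24.180"],
    "vps16.canal1news.com": [],            # PTR target does not resolve
    "mail.example.org": ["203.0.113.10"],  # assumed, well-behaved host
}
REVERSE_PTR = {
    "192.162.24.180": "vps16.canal1news.com.",
    "203.0.113.10": "mail.example.org.",
}


def _norm(name):
    return name.rstrip(".").lower() if name else None


def fcrdns_check(ip, helo, forward=FORWARD_A, reverse=REVERSE_PTR):
    """Forward-confirmed reverse DNS plus HELO consistency.

    forward: name -> list of A records; reverse: ip -> PTR name (may be absent).
    This is the 'loop' the reply talks about: ip -> PTR -> A must come back to ip.
    """
    ptr = _norm(reverse.get(ip))
    helo = _norm(helo)
    ptr_a = forward.get(ptr, []) if ptr else []
    helo_a = forward.get(helo, [])
    return {
        "ptr": ptr,
        "ptr_resolves": bool(ptr_a),
        "loop_closed": ip in ptr_a,          # FCrDNS proper
        "helo_resolves_to_ip": ip in helo_a,
        "helo_equals_ptr": helo == ptr,
    }


def classify(findings):
    """Condense the findings into a label a policy could key on."""
    if findings["ptr"] is None:
        return "no-rdns"
    if not findings["loop_closed"]:
        return "rdns-unconfirmed"
    if not findings["helo_equals_ptr"] and not findings["helo_resolves_to_ip"]:
        return "helo-mismatch"
    return "ok"


def live_lookup(ip, helo):
    """Same check against real DNS via the standard library (optional)."""
    try:
        ptr = socket.gethostbyaddr(ip)[0]
    except socket.herror:
        ptr = None

    def a_records(name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except socket.gaierror:
            return []

    forward = {n: a_records(n) for n in {_norm(ptr), _norm(helo)} if n}
    return fcrdns_check(ip, helo, forward=forward, reverse={ip: ptr} if ptr else {})


if __name__ == "__main__":
    for ip, helo in (("192.162.24.180", "symine.loan"), ("203.0.113.10", "mail.example.org")):
        f = fcrdns_check(ip, helo)
        print(ip, helo, classify(f), f)
```

For the sender in the post the HELO name does resolve to the connecting IP, but the PTR never comes back to it, so the loop is open and the host is classified `rdns-unconfirmed`; that is the mismatch the reply points at, and the reason a HELO-only check would not have caught it.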
 
1.) Ah OK, I've got them in wildcards now, hope this fixes it.

3.) Indeed. The RFC says it needs to be a FQDN, so a qualified domain name, not a qualified hostname. Exim also says so if it blocks something because it's only an IP or an unqualified domain name like .local, so that's clear then.
Thank you.

The restriction is just that your hostname cannot be a User domain, or your system account emails won't work correctly
What do you mean by this? Because a hostname is a hostname and not a domain name.
We use the admin domain for that, which is also used for the admin's website and stuff, that's working without any issues.
Ofcourse the hostname is then a real hostname, so server.admindomain.com and not only admindomain.com because that would be a domain name and not a hostname. Correct?
 
The restriction is just that your hostname cannot be a User domain, or your system account emails won't work correctly
What do you mean by this? Because a hostname is a hostname and not a domain name.
We use the admin domain for that, which is also used for the admin's website and stuff, that's working without any issues.
Ofcourse the hostname is then a real hostname, so server.admindomain.com and not only admindomain.com because that would be a domain name and not a hostname. Correct?

Not relating to any RFCs here, just the needs of DA's mail setup itself.

A User domain always has their system account name as an email, by default, which cannot be removed: this is actually not an email, but a forwarder to the hostname account.
This means that all DA Users on the system have their own hostname email address.

If a User was to create a hostname as a User domain, eg:
Code:
User Level -> server.hostname.com
this sets up all of the email bits in /etc/virtual/server.hostname.com, which then hijacks the system accounts, and makes them all virtual accounts, thus breaking everyone's system email address (for crons, etc), and sending those results into:
Code:
/home/baduser/imap/server.hostname.com/user/Maildir
instead of
Code:
/home/user/Maildir
So that's why DA blocks Users from adding the current hostname to their User Level.

Now, I'm referring to the hostname, as the output of
Code:
hostname --fqdn
and not the actual format of it.

Yes, a hostname is usually going to be server.hostname.com, but it really shouldn't matter, in terms of RFCs, where it should just mean "the name of your host/server".
We use jbmc-software.com as our hostname, because it's not added to any User, thus doesn't have a passwd file setup in /etc/virtual/jbmc-software.com/passwd, so the [email protected], still goes to /home/user/Maildir (jbmc-software.com is not in the domainowners).... but again, I've got this very customized, so don't really compare it to your own system.

But I believe DA will want your hostname to be the double-dot format of server.hostname.com, just to avoid any confusion. It just makes everything consistent.


So if you have a "hostname --fqdn" output of server.admindomain.com, but also have "server.admindomain.com" in your admin's User Level, then it will likely have broken all system account deliveries.
For example, if you have User "user", and it creates a cron output, that would try to deliver to:
Code:
/etc/virtual/server.admindomain.com/passwd or
/etc/virtual/server.admindomain.com/aliases
which would probably not have "user", thus would likely :fail: due to the * wildcard in the aliases file.

John
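The hijack John describes can be modelled in a few lines. This is an added, simplified model of the delivery decision, written by me and not DirectAdmin's or Exim's router code. The directory layout (/etc/virtual/<domain>/passwd and aliases, /home/<owner>/imap/<domain>/<user>/Maildir, /home/<user>/Maildir) is taken from the reply, the in-memory file contents are constructed, and the order of the checks (virtual domain files first, system accounts only as the fallback for the hostname) is an assumption.

```python
# Constructed state of two servers; the dict keys mimic the files under /etc/virtual.
HOSTNAME = "server.admindomain.com"
SYSTEM_USERS = {"user", "baduser", "admin"}

# Healthy: the hostname is not a User domain, so /etc/virtual/<hostname>/ has no passwd or aliases.
VIRTUAL_OK = {
    "admindomain.com": {"owner": "admin", "passwd": {"admin", "info"}, "aliases": {"*": ":fail:"}},
}

# Broken: some User added the hostname itself at User Level, creating passwd and aliases for it.
VIRTUAL_BROKEN = {
    "admindomain.com": {"owner": "admin", "passwd": {"admin", "info"}, "aliases": {"*": ":fail:"}},
    "server.admindomain.com": {"owner": "baduser", "passwd": {"baduser"}, "aliases": {"*": ":fail:"}},
}


def route(local_part, domain, virtual, hostname=HOSTNAME, system_users=SYSTEM_USERS):
    """Decide where <local_part>@<domain> lands.

    Assumed order: a domain that has virtual files wins (passwd, then aliases,
    then the '*' catch-all); only when the hostname has no virtual files does
    mail for it fall through to the system accounts in /home/<user>/Maildir.
    """
    local = local_part.lower()
    vdom = virtual.get(domain.lower())
    if vdom is not None:
        if local in vdom["passwd"]:
            return f"/home/{vdom['owner']}/imap/{domain}/{local}/Maildir"
        target = vdom["aliases"].get(local, vdom["aliases"].get("*"))
        if target in (None, ":fail:"):
            return ":fail:"
        return target  # a forwarder; constructed data has none
    if domain.lower() == hostname and local in system_users:
        return f"/home/{local}/Maildir"
    return ":fail:"


def cron_output_fate(user, virtual):
    """Where a cron job's output for a system user ends up; cron mails user@hostname."""
    return route(user, HOSTNAME, virtual)


if __name__ == "__main__":
    for label, state in (("healthy", VIRTUAL_OK), ("hostname added as User domain", VIRTUAL_BROKEN)):
        print(f"{label}: cron output for 'user' -> {cron_output_fate('user', state)}")
```

On the healthy server, cron output for `user@server.admindomain.com` lands in /home/user/Maildir. Once the hostname exists as a User domain, the same address is looked up in that domain's passwd and aliases, neither of which knows `user`, and the `*` catch-all turns it into a :fail:, exactly the breakage described above. The DKIM-only directory Richard has under /etc/virtual/serverxx.admindomain.com does not trigger this, because it has no passwd or aliases file.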
 
Thank you for the clarification.

I just now worry about 1 thing.
So if you have a "hostname --fqdn" output of server.admindomain.com, but also have "server.admindomain.com" in your admn's User Level, then it will likely have broken all system account deliveries.
We don't have it like that as a domain like in the list you see as "admindomain.com", "otherdomain.com", "thirdadmindomain.com" out of which you can choose to enter admin's userlevel.

However, the hostname serverxx.admindomain.com is present in admin's userlevel of domain admindomain.com in DNS like this:
serverxx -> A -> 46.4xx.xxx.xxx

So it does exist, but it does not break anything as far as I can see.
We don't use this hostname in a subdomain like /public_html/serverxx but only as hostname which also is the ehlo/helo hostname.

The directory /etc/virtual/serverxx.admindomain.com does not contain any passwd or aliases files, only dkim keys.
If I visit serverxx.admindomain.com it says "apache is functioning normally" which seems fine, correct?

Or do you mean somewhere else in user level?
 
Yes, that's totally fine.
The empty /etc/virtual/server.admindomain.com/* is correct.
(although, it can have dkim files there if you setup dkim for the hostname, which is valid)

John
 