All incoming mail blocked by bl.spamcop.net

I have the /etc/exim.strings.conf but of course it has only strings in it. I know you can do more with *.custom by reference but I wasn't using it.
I got the answer about using the exim.strings.conf.custom to remove (or add) RBL's present in exim.conf from smtalk. Can't find it anymore so probably was in a ticket. I always keep these things up to date. Maybe for me that's easy because we almost don't have any customisations.

My initial reaction is to dump spamcop.net,
That was my initial reaction too. But as soon as I saw they renewed, I quickly cooled down because of the good experience I had with them until now.

The only thing I don't really understand is that you can register ip's for using barracuda. However, it's by default in exim.conf and everybody can use it without any issues. So I don't understand the benefit of registering the ip's there.

However, teaching my customers... I don't start with that. I've got extensive installation instructions for both imap and pop3 prepared with screenshots for every screen visible in outlook with explaining text and examples and still they don't succeed.... so no... I won't take the risk teaching them anti-spam. :)
 
Maybe for me that's easy because we almost don't have any customisations...The only thing I don't really understand is that you can register ip's for using barracuda. However, it's by default in exim.conf and everybody can use it without any issues. So I don't understand the benefit of registering the ip's there...
so no... I won't take the risk teaching them anti-spam. :)
I'm getting away with fewer customizations and maybe can do almost without now, I just haven't gone through things thoroughly lately. A lot of spam Exim never sees because PF kills it before it can ever do a DDOS on me. It updates tables every night plus we do some GEO.

I have registered with Barracuda but it was only because I had an issue with them when I went to the new server. I don't know if that fixed anything or me contacting them but I do it. If I hadn't had any issues I wouldn't have thought about it. So if it works fine, don't worry about it.

There are a couple ways I do spam outside of Exim. POPFile can work with IMAP too, and it's a little safer in that regard and works at the virtual level. SA-Learn of course works at the user level, and there are pros and cons to both. As you say, they can shoot themselves in the foot with SA-Learn and you will have to clear their data so they can start over if they do, so I don't blame you if you don't want to go there. I don't tell everyone it is available, only if they want me to implement it for them after they have reoccurring issues. I think I only have 3 on it. They are careful, and after the first week or two, they never work with it anymore because they don't have to. They seem to have no instances of false positives but they are careful. They also know that if something comes in somewhat related they don't do teach-isspam on it, which is probably why they don't have false positive issues.
 
@IT_Architect I just found out again where I got that custom strings.conf information about the RBL's.
It was here:

As for DDOS, we luckily have our datacenter doing protection for that. But then again, the brute force attempts are continuously like always.
Our DC does that too (Softlayer/IBM) to a large degree and it's not nearly as bad as five years ago and before, and PF with the lists, plus some geo, helps against that as they never get to the server processes. However, we still get attacked where they start and stop connections, multiple sessions, etc. over and over again from different addresses. PF is designed to be flexible in catching things like that at the connection level, but we've learned that more often good traffic triggers it, so some we do by hand. I'd say this happens once a month or so. Our clue is a process load out of limits text from Zabbix. There is a way to determine the source of the processes but I never got it to work so we end up taking an educated guess from logs and it usually doesn't take more than 45 minutes from start to finish.

Thanks for the link. That looks like the one I used before but I obviously didn't on the newest server that was giving the Spambot trouble. I will wait until the weekend, notify people, save off a permanent backup, set a snapshot, and run DA's update processes, rewrite configs, fix any update rashes, and then determine where I should put the overrides. One would think the logical, and documented place to put it would be /etc/exim.variables.conf.custom but there are no references to it on the newest server. I'll find out if new configs fix that issue or not. If there are still no references anywhere to /etc/exim.variables.conf.custom, then I'll check if there are any to /etc/exim.strings.conf.custom, and if so, I'll put it there IAW the link.

Thanks, Jack
 
It's one of the firewalls on FreeBSD

FreeBSD doesn't use IpTables
 
Why does exim.conf still have cbl.abuseat.com listed, when it was deprecated and removed in January 2021? DA needs to update the configuration.

RBL_DNS_LIST==\
cbl.abuseat.org
Causes lots of issues for new domains if you use the DA server as the primary MX.

I did not notice since I use Barracuda and MailCleaner to filter mail before sending mail to the DA Exim. Just an FYI.
 
Why does exim.conf still have cbl.abuseat.com listed, when it was deprecated and removed in January 2021?
Was it?

The page you're referring to says this:
Therefore, queries made using public DNS resolvers may start failing. The ACL is likely to be switched in February or March 2021.
Likely is not a certain term.

However, it needs indeed to be removed, because DA is also using zen.spamhaus.org which already contains the XBL list where Abuseat is converting to.

Which mailcleaner are you using?
I'm using Spamcop. I don't like spamhaus since they block too many valid emails.
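An added example, not part of any post in this thread and not DirectAdmin's own tooling: a health check for the RBL zones named above, based on the RFC 5782 test points (every IPv4 DNSBL must list 127.0.0.2 and must not list 127.0.0.1). It flags both failure modes discussed here, a list that answers for every query and so blocks all incoming mail, and a zone that has stopped answering. The function names and the verdict strings are assumptions made for this sketch.

```python
import ipaddress
import socket

# RFC 5782 test points for IPv4 DNSBLs.
MUST_LIST = "127.0.0.2"      # must always be listed
MUST_NOT_LIST = "127.0.0.1"  # must never be listed
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def system_lookup(name):
    """Return the A records for name, or [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def query_name(ip, zone):
    """Build the reversed-octet query name, e.g. 2.0.0.127.bl.example."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def check_zone(zone, lookup=system_lookup):
    """Classify a zone as 'ok', 'dead', 'lists-everything' or 'bad-answer'."""
    positive = lookup(query_name(MUST_LIST, zone))
    negative = lookup(query_name(MUST_NOT_LIST, zone))
    if negative:
        return "lists-everything"  # would reject all incoming mail
    if not positive:
        return "dead"              # zone gone or resolver refused: filters nothing
    if not all(ipaddress.ip_address(a) in LOOPBACK for a in positive):
        return "bad-answer"        # return codes must sit in 127.0.0.0/8
    return "ok"


def usable_zones(zones, lookup=system_lookup):
    """Keep only zones that pass, joined in Exim's colon-separated list form."""
    return " : ".join(z for z in zones if check_zone(z, lookup) == "ok")


if __name__ == "__main__":
    # Zone names taken from the thread; results depend on the resolver in use.
    for zone in ["bl.spamcop.net", "zen.spamhaus.org", "cbl.abuseat.org"]:
        print(zone, check_zone(zone))
```

Run it from the mail server itself so the check goes through the same resolver Exim uses; the string from `usable_zones` is in the colon-separated form an `RBL_DNS_LIST` override takes.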
 
I use the Enterprise version of MailCleaner. Excellent, and almost as good as a Barracuda Spam/Virus at 1/2 the price (amortized over 5 years).

All my mail, destined for my DA servers goes thru mail cleaner before hitting the Exim service on the DA server.

Best of luck to all, bye.
 