Blocking un-authorized local SPAM

I beat you to it in my last post. I already stated "I am not sure."



DirectAdmin uses the IP address, which is why I commented like I did.

I apologize, but your wording of "... but I do know that even if ..." implied to me that you did know more about SPF.

So, with my knowledge of SPF, the concern you raise should not be an issue. You, as a domain owner, would be able to authorize enom.com or whatever from sending e-mail on your behalf.
 
And yet in the 3 situations you gave as examples, I was able to come up with a better/alternative solution to prevent this from happening.

Interesting. I don't remember giving 3 examples. I can see that I expanded on 1 example already given by Jeff.

I am not hesitant about blocking spam. I am however very against anything that may simply drop or filter an email without me or the sender knowing that it was dropped. I cannot in words express how frustrating it is to send somebody an email and they never get it because they never check their spam folder.

Between using RBL's and Nolisting I get less than 1% spam every day. Since I am sitting at my computer all day I cannot state how long it takes me to delete spam in a day. But I do know that when I check in the morning after 8 or 10 hours it takes me less than a couple of minutes to delete all my nightly spam. What I am doing differently from everybody else, I don't know. I must be doing something drastically different for me to think spam is a non-issue with these two small steps and everybody else to think it's a huge problem.

To me it just seems that you are suggesting a lot of work for very little benefit. That is my point of view. Obviously yours is different. I would just like to know what we are doing differently.
 
Interesting. I don't remember giving 3 examples. I can see that I expanded on 1 example already given by Jeff.

My apologies, you are right. In all these messages going back and forth, I missed the fact that it was Jeff that gave the examples and not you.

I cannot in words express how frustrating it is to send somebody an email and they never get it because they never check their spam folder.

I completely agree; however, I would think that if we were able to come up with better methods of blocking SPAM that have a lower false-positive rate, then we could likely tone down some of the likely over-aggressive filtering done by some mail administrators, and this might be less of a problem.

It is still my opinion that in this specific situation, there should be simple ways to accurately filter out the difference between a legitimate From==To message and the illegitimate ones.

What I am doing differently from everybody else, I don't know. I must be doing something drastically different for me to think spam is a non-issue with these two small steps and everybody else to think it's a huge problem.

I also personally get a very low rate of SPAM that gets through all my filtering. Especially if you consider that most of my domains have catch-alls enabled so that I can easily create [email protected] addresses for websites whose "ability" to keep my e-mail private I question. However, if you read the original post, you will find that the original problem was not to do with the amount of SPAM I was personally getting in my inboxes, but rather the fact that this "whitelisting" of To=From messages was affecting the reputation of my servers when combined with some of my clients who used forwarding. This was still an issue until I was forced to simply disable all forwards for all of my clients, because I could not allow Barracuda to constantly block my server for SPAM that was not originating from my server (but *was* being passed through).

To me it just seems that you are suggesting a lot of work for very little benefit. That is my point of view. Obviously yours is different. I would just like to know what we are doing differently.

Perhaps it might be a bit of work. I really don't know since I'm not an Exim expert in any sense of the word. But in my opinion it is a "leak" that spammers appear to be taking advantage of, and I thought it was a leak that could be fixed somewhat easily.

Kind regards,
-Andrew
 
Hi Floyd,
I think you're mistaking the way to evaluate the problem; it sounds like "I don't have this problem, so nobody has it". The amount of spam is not uniform but related to addresses / domains.
I'm personally in your scenario: deleting those 10 spam emails a day is not a problem at all.
But some of our customers get a loooooooot of spam, all sent by this artefact.
So what should I say?

Dear Customer, I don't have this problem, so you're simply ludicrous.

In addition, when you say "small benefit" it makes me think that perhaps you're still doing a wrong evaluation or didn't understand the problem at all.

Nobody wants to break or block anything; we're offering professional services, not Alcatraz systems. In any case I cannot say it seems you have a really collaborative approach. Perhaps this is logical from your perspective: because you simply don't have this problem.. .. so the problem doesn't exist.

What I'll do is study the Exim configuration / routing system (or think about another filtering solution) and I'll post the solution here for those crazy men like me or Percy who think that this server behaviour is good and logical.

regards
Andrea
 
Perhaps it might be a bit of work. I really don't know since I'm not an Exim expert in any sense of the word. But in my opinion it is a "leak" that spammers appear to be taking advantage of, and I thought it was a leak that could be fixed somewhat easily.

Kind regards,
-Andrew

I fully agree!
 
I think you're mistaking the way to evaluate the problem; it sounds like "I don't have this problem, so nobody has it".

No that is not what I am saying. What I am saying is "what am I doing different than everybody else so as to not have this problem."

I understand some have this problem. I want to know why they have the problem. If we know what some (like me) are doing differently than others then we can find the solution.

This morning, after 12 hours of not checking email, it took me less than one minute to delete all the spam. All I am using is the RBL's and Nolisting. I do not even use SpamAssassin since it will not reject email. If you are not using the RBL's AND Nolisting then you are suffering from spam for no reason at all. Enable those first and then start using some sort of filtering and rewriting exim.
 
In addition, when you say "small benefit" it makes me think that perhaps you're still doing a wrong evaluation or didn't understand the problem at all.

No I think you are ignoring the solutions. Are you indeed using the RBL's? Have you included all your domains in the file /etc/virtual/use_rbl_domains or created a symlink from it to /etc/virtual/domains?

Are you indeed using Nolisting as well?
 
There's been a lot said on this thread since I last visited, so I'm just going to post some general points, and my point of view.

Yes, SPF can be used to whitelist/blacklist. I've never checked to find out how because I've found so many SPF records to be improperly maintained (including my own from time to time) that I'd never consider using it as an authoritative way to authenticate or not authenticate email.

Someone wrote that s/he isn't interested in writing an exim.conf file for everyone, but just for himself/herself. My response would be to then go ahead and write your own. Or pay me or someone else to write one for you. And worry about maintaining it.

The methods we (and obviously Floyd) use to block spam do much better than the admitted industry average. I use mail to myself when travelling, and I use reseller accounts to sell products. I believe in John Postel's point about being conservative in what you send but liberal in what you receive (I don't remember his exact words and I'm not taking the time to look it up).

Even with that in consideration, I've still written an exim.conf file that works well for me, and works well for others. I'm not going to do what a few people want; blocking mail using a from address on my server from outside my server.

You can do it yourself. You can hire someone to do it. You can find another solution.

Or you can convince JBMC, the publishers of DirectAdmin, to do one of the above, even though the current solution works well for so many of us, and well above the industry average for spam-blocking.

Jeff
 
Thank you for your point of view Jeff.
Perhaps the reason I was posting the first message and still working on this problem is that:

  • I believe that it is better to verify identities rather than accept people saying "I'm john@example"
  • Using an auth-required model I didn't find a particular situation / scenario / configuration I cannot manage.
Perhaps I'm a little obstinate or simply "temporarily blind" (I mean that at present I'm unable to understand if I'm missing something). However, suggestions or examples to help me understand are welcome.
In the meantime I'll work on this problem and, once solved, I'll post here the solution for free for further references.

Regards
handrea
 
It's not that you or anyone else has the problem. It's just that fixing it for you breaks email for a lot of people, so I won't use it as a default.

As I wrote previously, you, and others, are welcome to do so.

Jeff
 
It's not that you or anyone else has the problem. It's just that fixing it for you breaks email for a lot of people, so I won't use it as a default.

As I wrote previously, you, and others, are welcome to do so.

Jeff
The only thing that makes it difficult for me to understand your (and others') general disappointment is that, by design, I don't want to break anything and I'm convinced that the auth-always model can be used without breaking anything.
Of course it is not my habit to abuse others' patience and I don't want to abuse yours; anyway I cannot hide that a discussion on these consequences (and how to eventually fix them) would be really appreciated.

In general I've got a little curiosity: according to you, what seems more logical from a security / filtering perspective:

  1. that someone claims to be [email protected]?
  2. that an authority verifies and states that the user is [email protected]?
As you know, my answer is clearly (2): so what I want is to follow that idea without breaking anything.
 
The problem is that the server is set up to accept mail TO [email protected]. The FROM address doesn't matter at that point. The mail server has to accept the email before it can know the FROM address. After it accepts it there is no way to then go back and make them authenticate. (As I understand it.)

The filter can look at it after it has been accepted and then do something with it based on certain criteria. But at that point it can only delete it or filter it to another box. If you try to reject it at that point then the rejection is going to go to the FROM address, which is [email protected].
 
The problem is that the server is set up to accept mail TO [email protected]. The FROM address doesn't matter at that point. The mail server has to accept the email before it can know the FROM address. After it accepts it there is no way to then go back and make them authenticate. (As I understand it.)

The filter can look at it after it has been accepted and then do something with it based on certain criteria. But at that point it can only delete it or filter it to another box. If you try to reject it at that point then the rejection is going to go to the FROM address, which is [email protected].

Perhaps the misunderstanding is here. I don't want to reject the email, or worse, blindly reject it; I just want to filter it, considering it spam. In fact I'm working more on the SpamAssassin configuration than on exim.conf.
Once rated as spam, its management is flexible: you can discard it, deliver it to a different folder or account, or read it (conservative approach).
 
@floyd,

Your last post above is generally correct. To add a bit of detail: the only way to bypass rejection by validation is to always use your own mailserver (generally port 587) when you're sending mail from yourself to yourself.

Since that's not always possible, I can't see allowing it in a default configuration.

@handrea,

You're welcome to do anything you want with either Spam Filters or with SpamAssassin, but neither knows anything about authentication; the information is lost as soon as the email is accepted by exim.

What you can do is create an ACL rule which writes an additional header in the email if it's from a user on the server; to be RFC compliant the header must begin with X-. Then later in SpamAssassin or in Spam Filters you can filter based on the absence or presence of that header.

I'm not going to add such a rule. But you can, in your own exim.conf file. Or as I said previously, you can create a request for it in these forums in the Requests subforum.

Jeff
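The ACL-marker approach described in the post above, written out as an added example (this is not code from the thread, from DirectAdmin's exim.conf, or from Jeff). It assumes a DATA ACL named acl_check_data, a marker header name X-Local-Auth-Sender chosen here, and an Exim version that supports the remove_header modifier (added in the 4.8x series):

```exim
# Added example, not part of the original thread or DirectAdmin's exim.conf.
# Assumed names: the ACL acl_check_data and the header X-Local-Auth-Sender.
# Purpose: record at ACL time whether the SMTP session authenticated, because
# that fact is no longer available once SpamAssassin sees the message.

acl_check_data:

  # A remote sender could simply include the marker header to claim
  # "I am an authenticated local user", so strip any copy that arrived
  # on a session that did NOT authenticate.
  warn
    !authenticated = *
    remove_header  = X-Local-Auth-Sender

  # For sessions that passed SMTP AUTH, add the marker header carrying the
  # login name ($authenticated_id is set by Exim's authenticators).
  warn
    authenticated = *
    add_header    = X-Local-Auth-Sender: $authenticated_id

  accept
```

On the SpamAssassin side a single header rule such as `header LOCAL_AUTH_SENDER exists:X-Local-Auth-Sender` with a negative `score LOCAL_AUTH_SENDER -3.0` then rewards the presence of the header, and From==To messages that lack it are scored like any other outside mail. Two caveats follow from the thread: the marker only appears for mail submitted over SMTP AUTH (port 587 as Jeff notes), so mail injected locally or through a client that does not authenticate will be treated as outside mail; and the strip-then-add order matters, since without the first rule the header would be trivially forgeable.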
 
@handrea,

You're welcome to do anything you want with either Spam Filters or with SpamAssassin, but neither knows anything about authentication; the information is lost as soon as the email is accepted by exim.

What you can do is create an ACL rule which writes an additional header in the email if it's from a user on the server; to be RFC compliant the header must begin with X-. Then later in SpamAssassin or in Spam Filters you can filter based on the absence or presence of that header.

I'm not going to add such a rule. But you can, in your own exim.conf file. Or as I said previously, you can create a request for it in these forums in the Requests subforum.

Jeff

Hi Jeff,
I was thinking of using/catching the presence of the esmtp / ehlo part in the headers. What do you think about this approach?

Thank you
 
I haven't looked. Does it tell you if the user is authenticated?

I hope to not have to spend any additional time on this thread as I've already pointed out what I think, what I feel, and why I won't do anything about it.

Jeff
 
I haven't looked. Does it tell you if the user is authenticated?

Hi Jeff,
to my knowledge, the EHLO SMTP verb is used (in place of HELO) when you want to use the Enhanced SMTP protocol (which supports authentication). So, I thought of filtering emails without EHLO or ESMTP in the headers.
I need to check that these assumptions are right and implement it in SpamAssassin.
 
What will you search for and how will you use the results? Today I got an email from my friend Rob. He has his own server and is NOT an authenticated user on my server.

His email to me had neither ESMTP nor EHLO headers. The word EHLO didn't appear in any headers. The word ESMTP appeared in the Received header where my server received it from his server.

Jeff
 