Catching SPAM that SA doesn't.

modem (Verified User, joined Apr 7, 2004, 364 messages)
On my own daily usage of my own website/email which is hosted on my server running DA (with updated exim.conf) and SpamAssassin 2.63, I have managed to cut the spam load down by 75%. Previously I was getting upwards of 300 spams per 12 hours and now I'm down to about 65 spams per same time period.

SpamAssassin is configured to run at a 4.5 point level, which I have found to be the lowest I can go without it nabbing legitimate emails. BUT what is happening is I'm getting a lot of spams that are like 0.0, 0.5, 1.2 point levels. Ones where I can't set SA that low because it'd simply trash legitimate ones.

Does SA 3.0 offer more in-depth scanning? Are there any specific RBL lists that seem to be best? Any way to get rid of those 65 messages I still get that slide right through the server?
 
I believe that SA 3.0 does a better job, but I'm awaiting official implementation by DA before attempting a switchover.

For RBLs, if you have the newer version of the exim.conf file installed (the one with SpamBlocker built in) you already have a list of RBLs that work very well for us, and it's already installed; all you have to do is copy and paste domain names from /etc/virtual/domains to /etc/virtual/use_rbl_domains to activate it.

(You don't even have to restart exim.)

You can compare your copy of /etc/exim.conf with the one you can find here, and if you don't have this one, you may decide to install it, and follow the instructions in it to get it working.

Then all you'll have to do is copy from /etc/virtual/domains to /etc/virtual/use_rbl_domains the names of the domains you want the RBLs to work for.

Jeff
 
Jeff,

I agree in regards to not using SA 3.0 until the guys give official word on their own implementation of it or make it available. Since it's just my own account still getting like 65 spams and no customers are getting any, I'll live.

I can confirm I am using the latest exim.conf file that you provided DA and it's up to date, along with the domains listed in the /etc/virtual/domains being in the use_rbl_domain file. Does that mean for now it's a matter of sitting and waiting until SA 3 is available 'officially'? Also, how can I sign up to become a part of these RBL sites to submit emails that are spam or such?

Brad
 
modem said:
I agree in regards to not using SA 3.0 until the guys give official word on their own implementation of it or make it available. Since it's just my own account still getting like 65 spams and no customers are getting any, I'll live.

That's still a lot of spams getting through. On my personal email accounts I've recently seen spam getting through go from three or four a day to ten or so a day, but that's out of over 400 emails.

modem said:
I can confirm I am using the latest exim.conf file that you provided DA and it's up to date, along with the domains listed in the /etc/virtual/domains being in the use_rbl_domain file. Does that mean for now it's a matter of sitting and waiting until SA 3 is available 'officially'?

Unless you want to be a pioneer (hint: the definition of a pioneer in the U.S. 200 years ago was someone who got shot in the back by arrows).

You should probably examine your /var/log/exim/reject log to make sure SpamBlocker is working.

modem said:
Also, how can I sign up to become a part of these RBL sites to submit emails that are spam or such?

Some of them allow reporting, some don't. It's simply an issue of reliability; if they don't know you, how can they trust you to not report domains for which you have a personal "agenda"?

To find out, google the names of the RBL lists we use, and read their sites.

We used to belong to and report to SpamCop, but they make it hard (with delays, etc.) to report spam if you're NOT a paid member, and I didn't see why I should have to pay them to add to their database.

We do occasionally report to SORBS.

SORBS allows reports from the general public only for a short subset of their lists; to learn more, look here.

Jeff
 
Here is a snippet of the reject log from this morning:

2004-10-11 09:26:12 H=sitemail3.everyone.net (omta10.mta.everyone.net) [216.200.145.37] F=<[email protected]> rejected RCPT <********@modemnet.org>: Sender verify failed
2004-10-11 09:28:31 H=sitemail3.everyone.net (omta06.mta.everyone.net) [216.200.145.37] sender verify defer for <[email protected]>: host lookup did not complete
2004-10-11 09:28:31 H=sitemail3.everyone.net (omta06.mta.everyone.net) [216.200.145.37] F=<[email protected]> temporarily rejected RCPT <********@modemnet.org>: Could not complete sender verify
2004-10-11 09:40:29 H=sitemail3.everyone.net (omta08.mta.everyone.net) [216.200.145.37] sender verify defer for <[email protected]>: host lookup did not complete
2004-10-11 09:40:29 H=sitemail3.everyone.net (omta08.mta.everyone.net) [216.200.145.37] F=<[email protected]> temporarily rejected RCPT <********@modemnet.org>: Could not complete sender verify
2004-10-11 10:12:22 H=mx01.capgemini-kcsc.com (MX01.Farmland.com) [65.212.25.33] F=<> rejected RCPT <[email protected]>: authentication required
2004-10-11 10:51:36 H=sitemail3.everyone.net (omta06.mta.everyone.net) [216.200.145.37] sender verify defer for <[email protected]>: host lookup did not complete
2004-10-11 10:51:36 H=sitemail3.everyone.net (omta06.mta.everyone.net) [216.200.145.37] F=<[email protected]> temporarily rejected RCPT <********@modemnet.org>: Could not complete sender verify
2004-10-11 11:04:17 H=sitemail3.everyone.net (omta08.mta.everyone.net) [216.200.145.37] sender verify defer for <[email protected]>: host lookup did not complete
2004-10-11 11:04:17 H=sitemail3.everyone.net (omta08.mta.everyone.net) [216.200.145.37] F=<[email protected]> temporarily rejected RCPT <********@modemnet.org>: Could not complete sender verify
2004-10-11 11:14:49 H=mailex03.readyhosting.com [63.99.209.87] F=<[email protected]> rejected RCPT <[email protected]>: authentication required
2004-10-11 12:14:50 H=sitemail3.everyone.net (omta06.mta.everyone.net) [216.200.145.37] sender verify defer for <[email protected]>: host lookup did not complete
2004-10-11 12:14:50 H=sitemail3.everyone.net (omta06.mta.everyone.net) [216.200.145.37] F=<[email protected]> temporarily rejected RCPT <********@modemnet.org>: Could not complete sender verify
2004-10-11 12:27:12 H=sitemail3.everyone.net (omta08.mta.everyone.net) [216.200.145.37] sender verify defer for <[email protected]>: host lookup did not complete
2004-10-11 12:27:12 H=sitemail3.everyone.net (omta08.mta.everyone.net) [216.200.145.37] F=<[email protected]> temporarily rejected RCPT <********@modemnet.org>: Could not complete sender verify

* The last lines of /var/log/exim/rejectlog
* Edited to remove my email address
 
While some of these lines do come from blocking techniques I added to SpamBlocker that weren't in the original DA exim.conf file, none of them come from RBL lookups.

Lines that come from RBL lookups will include something like this example, snipped from one of our rejectlogs:

<snip>
2004-10-10 04:03:11 H=bzq-82-80-148-136.red.bezeqint.net (CPQ18116212531) [82.80.148.136] F=<[email protected]> rejected RCPT <[email protected]>: to unblock bzq-82-80-148-136.red.bezeqint.net see http://www.example.com/blocked.html
</snip>

If you're going to use the code you must replace example.com with your own path to your own explanatory page.

Jeff
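Added example (not from this thread, DirectAdmin, or SpamBlocker): a small Python script that parses rejectlog lines in the layout shown above, tags each rejection by its cause, and reports whether any RBL-based rejections (the "to unblock ... see http://..." form Jeff describes) appear at all. That is the check suggested earlier in the thread, done mechanically instead of by eye. The sample log text is constructed for the example using reserved example addresses and documentation IP ranges; the regular expression assumes the `H=host (helo) [ip] F=<sender> ...` field order seen in the snippets, with the `(helo)` and `F=<...>` parts optional.

```python
import re
import sys
from collections import Counter

# Constructed sample modelled on the rejectlog lines quoted in the thread.
# Hosts, addresses and IPs are made up; www.example.com stands in for the
# admin's own "why you were blocked" page.
SAMPLE_REJECTLOG = """\
2004-10-11 09:26:12 H=mta.example.net (omta10.example.net) [192.0.2.10] F=<sender@example.net> rejected RCPT <user@example.org>: Sender verify failed
2004-10-11 09:28:31 H=mta.example.net (omta06.example.net) [192.0.2.10] sender verify defer for <sender@example.net>: host lookup did not complete
2004-10-11 09:28:31 H=mta.example.net (omta06.example.net) [192.0.2.10] F=<sender@example.net> temporarily rejected RCPT <user@example.org>: Could not complete sender verify
2004-10-11 10:12:22 H=mx01.example.com (MX01.example.com) [198.51.100.33] F=<> rejected RCPT <other@example.org>: authentication required
2004-10-11 04:03:11 H=host-203-0-113-5.example.isp (PC1) [203.0.113.5] F=<spam@example.biz> rejected RCPT <user@example.org>: to unblock host-203-0-113-5.example.isp see http://www.example.com/blocked.html
"""

# Assumed field order: date time H=host [(helo)] [ip] [F=<sender>] free text.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"H=(?P<host>\S+)(?: \((?P<helo>[^)]*)\))? \[(?P<ip>[^\]]+)\] "
    r"(?:F=<(?P<sender>[^>]*)> )?(?P<rest>.*)$"
)


def classify(rest):
    """Map the free-text tail of a rejectlog line to a rejection category."""
    if "to unblock" in rest and "see http" in rest:
        return "rbl"                      # SpamBlocker-style RBL rejection
    if rest.startswith("sender verify defer"):
        return "sender-verify-defer"      # callout could not complete (DNS)
    if "Sender verify failed" in rest:
        return "sender-verify-failed"     # sender address does not exist
    if "Could not complete sender verify" in rest:
        return "sender-verify-tempfail"   # 4xx given because of the defer above
    if rest.endswith("authentication required"):
        return "auth-required"            # relay attempt without SMTP AUTH
    return "other"


def parse_line(line):
    """Return a dict of fields plus a category, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["category"] = classify(rec["rest"])
    return rec


def summarize(text):
    """Count rejections by category and by remote IP over a block of log text."""
    by_category = Counter()
    by_ip = Counter()
    unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        by_category[rec["category"]] += 1
        by_ip[rec["ip"]] += 1
    return {
        "counts": dict(by_category),
        "top_ips": by_ip.most_common(3),
        "unparsed": unparsed,
        # The point of Jeff's check: if this is False, no RBL lookup ever fired.
        "rbl_active": by_category["rbl"] > 0,
    }


if __name__ == "__main__":
    # Usage: python rejectlog_summary.py /var/log/exim/rejectlog
    # With no argument the constructed sample above is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_REJECTLOG
    report = summarize(data)
    for cat, n in sorted(report["counts"].items()):
        print(f"{cat:24s} {n}")
    print("top IPs:", report["top_ips"])
    print("unparsed lines:", report["unparsed"])
    print("RBL rejections seen:", "yes" if report["rbl_active"] else "NO")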
 
Jeff said:
For RBLs, if you have the newer version of the exim.conf file installed (the one with SpamBlocker built in)

Does anyone have a copy of exim.conf before Spamblocker was added? If so could you PM me a copy?

Thanks.

Matthew
 