Solved Does the dnswl list overrule the blacklist_domains file?

Richard G

We are still getting spam from Mailgun, which more and more spammers seem to use.
Mailgun is on the dnswl whitelist, so it won't be blocked. That is not so bad, but at least it must be possible to block senders.

We get mail from senders like this:
Code:
Received: from a225-30.mailgun.net ([143.55.225.30])
    by server.mydomain.nl with esmtps  (TLS1.3) tls TLS_AES_256_GCM_SHA384
    (Exim 4.98)
    (envelope-from <[email protected]>)

So I put autoserve1.* in the /etc/virtual/blacklist_domains file, but it's not blocked.

I also put it in the blacklist_senders file, but I made a typo, so that wouldn't have blocked it. Still, I wonder why the blacklist_domains file did not block it in this case.
 
Check exim logs, it should be logged:
I know for sure the domain is not in list.dnswl.org, but mailgun is, although I don't see this one in the exim log (I've seen others where it's mentioned).

This is an example of a mail a customer got today again:
Code:
2025-01-05 07:49:40 1tUKSC-00000000Hnu-0p12 <= [email protected] H=a225-30.mailgun.net [143.55.225.30] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=4930 DKIM=autoserve1.com [email protected] T="=?UTF-8?B?8J+QpyBEb27igJl0IE1pc3MgT3V0IOKAkyBDbGFpbSBZb3VyICRQRU5HVSEg8J+QpyA=?=" from <[email protected]> for [email protected]
2025-01-05 07:49:41 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1tUKSC-00000000Hnu-0p12
2025-01-05 07:49:41 1tUKSC-00000000Hnu-0p12 => info <[email protected]> F=<[email protected]> R=virtual_user T=dovecot_lmtp_udp S=5185 C="250 2.0.0 <[email protected]> 3koUAYUremeJBQEAugeUdg Saved"
2025-01-05 07:49:41 1tUKSC-00000000Hnu-0p12 Completed

From mailgun.net, but another IP from Mailgun is listed like this:
Code:
69722 H=mxa.mailgun.org [34.149.236.64] X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=yes C="250 Great success"
2025-01-05 13:09:53 1tUPS3-00000005uIi-2Tfq Completed
2025-01-05 13:10:09 108.174.0.149 whitelisted in list.dnswl.org
(this is not a spam example by the way, just a whitelist I found).

If I'm correct, I have seen other mailgun.net IPs in dnswl.

Anyway, the domain, autoserve1.com, is not listed in dnswl.org.
Even this evening I can see in the mainlog that the autoserve1.com domain is still trying to send mail, this time to a suspended receiver, but still... it should be refused because of the blacklist_domains file and, since this afternoon, the blacklist_senders file as well.

This is the content of blacklist_domains for this domain:
autoserve1.*

and I put it like this in the blacklist_senders file:
*@*.autoserve1.*
*@autoserve1.*

And I did reload Exim. So I'm very confused as to why they can still send mail to the server. I have now also put them in the bad_sender_hosts file like this:
*.autoserve1.*

So now wait and see, but I'm wondering why the other files are not already blocking this spam.
 
exim.conf has:

Code:
    deny message = 554 denied. 5.7.1 BLOCKED_DUE_TO_SPAM_DOMAIN
       domains = +use_rbl_domains
       domains = !+skip_rbl_domains
       hosts = !+skip_rbl_hosts : !+skip_rbl_hosts_ip
       sender_domains = +blacklist_domains

For the block to work, your recipient domain should be listed in use_rbl_domains and be missing from skip_rbl_domains.

As well, the sender should NOT be listed in skip_rbl_hosts or skip_rbl_hosts_ip, nor in any other lists/checks which come prior to the block.
 
For the block to work, your recipient domain should be listed in use_rbl_domains and be missing from skip_rbl_domains.
Yes indeed, that's what I thought too. But all domains from my customer, including the one from this part of the log, are in the use_rbl_domains file. And skip_rbl_domains does not contain any customer domains.

But even today, after I also put the autoserve1.com domain into the bad_sender_hosts file, the mail is still being received:
Code:
2025-01-05 07:49:40 1tUKSC-00000000Hnu-0p12 <= [email protected] H=a225-30.mailgun.net [143.55.225.30]

So it beats me; it's in every file now and still not blocked. Maybe #edit 35 in exim.conf has something to do with it. I don't know.
Before, it always worked if I entered a domain with a wildcard in those files.
 
bad_sender_hosts is used for listing hostnames.

You might try with another random domain from which you can email your server, and see whether or not you can block it in blacklist_domains.
 
I can confirm that blacklist_domains is not working! But I found the cause.

As a test I added this to my blacklist_domains file:
gmx.*
Then I restarted Exim and sent a mail to my company using my gmx.com mail address, and this is the result:

Code:
2025-01-07 16:37:09 1tVBdh-00000007m2n-4AnE <= [email protected] H=mout.gmx.net [212.227.17.22] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=7821 DKIM=gmx.com [email protected] T="test" from <[email protected]> for [email protected]
2025-01-07 16:37:09 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1tVBdh-00000007m2n-4AnE
2025-01-07 16:37:09 1tVBdh-00000007m2n-4AnE => info <[email protected]> F=<[email protected]> R=virtual_user T=dovecot_lmtp_udp S=8115 C="250 2.0.0 <[email protected]> AIlhLiVKfWeC3xsAugeUdg Saved"
2025-01-07 16:37:09 1tVBdh-00000007m2n-4AnE Completed

In other words, the block did not work at all.

I found the culprit. And I don't know why this is not working anymore, because as far as I know it did work before without problems.
Wildcards are not working, or at least not as expected.

When I change gmx.* to gmx.net and gmx.com, so using the TLD instead of the wildcard, then the mail gets blocked.
Code:
2025-01-07 16:43:52 H=mout.gmx.net [212.227.17.20] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no F=<[email protected]> rejected RCPT <[email protected]>: 554 denied. 5.7.1 Domain Blocked due to SPAM

This is odd, because the docs also say wildcards are allowed:
The blacklist_domains is a nwildlsearch file, meaning you can use wildcards. It will contain any sending address domain you wish to block. Valid entries might be:
So can we confirm this as a bug? Or is something else going on?
 
Ah, it seems the problem is solved then... it looks like a trailing asterisk does not work in any of those files:
The wildcarding done natively for (n)wildlsearch only supports a leading asterisk.
Pity, as a lot of spammers often use the same names with different TLDs, so an asterisk at the end would be great.
I'll have to adjust all my block files then.

LoL, I never knew that a trailing wildcard was not allowed. Not mentioned in the docs either.
 
Good work, Richard.

Exim documentation proves your finding:

3.11. (n)wildlsearch

wildlsearch or nwildlsearch: These search a file linearly, like lsearch, but instead of being interpreted as a literal string, each key in the file may be wildcarded. The difference between these two lookup types is that for wildlsearch, each key in the file is string-expanded before being used, whereas for nwildlsearch, no expansion takes place.

Code:
addresslist blacklist_senders = nwildlsearch;/etc/virtual/blacklist_senders
domainlist blacklist_domains = nwildlsearch;/etc/virtual/blacklist_domains
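The following is an added example, not code from the thread, DirectAdmin or Exim. It emulates the two things the discussion turns on: how an (n)wildlsearch key in blacklist_domains is interpreted (leading asterisk means "ends with", leading circumflex means regular expression, anything else is a literal), and how the quoted deny verb ANDs its four conditions. It also shows the regex form the Exim spec documents for (n)wildlsearch (a key such as `^gmx\.`), which gives the "same name, any TLD" behaviour a trailing asterisk was expected to provide. The list contents, message details, and the function names are constructed for the example; host lists are treated as exact name/IP entries and Exim's key-quoting rules are not modelled.

```python
import re

# Emulation of Exim's (n)wildlsearch key matching and of the quoted
# "deny ... BLOCKED_DUE_TO_SPAM_DOMAIN" verb. All list contents and the
# sample message below are constructed for this example.


def nwildlsearch_key_matches(key: str, subject: str) -> bool:
    """Test one (n)wildlsearch key against a subject string.

    Rules per the Exim spec section on (n)wildlsearch:
      * a key beginning with '*' means "ends with the rest of the key"
      * a key beginning with '^' is a regular expression
      * any other key is a literal, compared case-insensitively
    There is no rule for an asterisk anywhere else, so 'gmx.*' is a
    literal that only matches the subject 'gmx.*'. Exim's quoting of keys
    containing spaces or starting with a quote is not modelled here.
    """
    key = key.strip()
    subject = subject.lower()
    if key.startswith("^"):
        return re.search(key, subject, re.IGNORECASE) is not None
    if key.startswith("*"):
        return subject.endswith(key[1:].lower())
    return subject == key.lower()


def lookup(keys, subject: str) -> bool:
    """Linear search of a list file: blank and '#' lines are skipped."""
    return any(nwildlsearch_key_matches(k, subject)
               for k in keys if k.strip() and not k.lstrip().startswith("#"))


def deny_spam_domain(msg: dict, lists: dict) -> bool:
    """Emulate the quoted ACL verb; every condition must hold for the deny:
         domains        = +use_rbl_domains
         domains        = !+skip_rbl_domains
         hosts          = !+skip_rbl_hosts : !+skip_rbl_hosts_ip
         sender_domains = +blacklist_domains
    Host lists are treated as exact name/IP entries (a simplification)."""
    if not lookup(lists["use_rbl_domains"], msg["recipient_domain"]):
        return False
    if lookup(lists["skip_rbl_domains"], msg["recipient_domain"]):
        return False
    if msg["host"] in lists["skip_rbl_hosts"] or msg["host_ip"] in lists["skip_rbl_hosts_ip"]:
        return False
    return lookup(lists["blacklist_domains"], msg["sender_domain"])


# Constructed message mirroring the gmx.com test in the thread.
GMX_TEST = {
    "recipient_domain": "mydomain.nl",
    "sender_domain": "gmx.com",
    "host": "mout.gmx.net",
    "host_ip": "212.227.17.22",
}


def lists_with(blacklist):
    """Constructed list files: recipient domain enabled for RBL checks, no skips."""
    return {
        "use_rbl_domains": ["mydomain.nl"],
        "skip_rbl_domains": [],
        "skip_rbl_hosts": [],
        "skip_rbl_hosts_ip": [],
        "blacklist_domains": blacklist,
    }


def compare_entries():
    """Per blacklist_domains entry style, is the gmx.com test mail denied?"""
    return {
        "gmx.*": deny_spam_domain(GMX_TEST, lists_with(["gmx.*"])),               # trailing asterisk: literal, no match
        "gmx.com": deny_spam_domain(GMX_TEST, lists_with(["gmx.net", "gmx.com"])),  # literal TLD entries: blocked
        "^gmx\\.": deny_spam_domain(GMX_TEST, lists_with([r"^gmx\."])),             # regex key: any TLD blocked
    }


if __name__ == "__main__":
    for entry, denied in compare_entries().items():
        print(f"{entry:10s} -> {'554 denied' if denied else 'accepted'}")
```

Running it prints `gmx.*` as accepted and both `gmx.com` and `^gmx\.` as denied, which is the behaviour seen in the two log excerpts above. Note that a `^` key in an nwildlsearch file is used as written (no string expansion), so backslashes need no doubling there; in a wildlsearch file the spec shows wrapping the pattern in `\N...\N` instead.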
 