empty mails, empty headers

I understand we can't reject on null senders, since bounced emails that were sent by your clients will also have a null sender. So if your client sends an email to a wrong address, he/she would never receive the error message.

So we should probably only reject the combination:
null sender + too short message contents

Although I doubt those bounce messages have <> as sender, as I think they have no headers at all.. not even those <>
 
Does the exim config first need to test the IP before it gets to the headers?
Exactly my thoughts. Why accept a mail if it is listed at zen.spamhaus.org? If it is listed there I do not want to accept anything from that IP. That normally works but not in this case?

Could you perhaps say something about this, Jeff?
 
Hi,

found some info on another site:

http://skullboxx.net/kb/node/499

Can anyone test and verify this? (Have no test server anymore :o)

And maybe a way to check if the message is empty:

Code:
# Enforce a message-size limit
#
deny
message = Message size $message_size is larger than limit of MESSAGE_SIZE_LIMIT
condition = ${if >{$message_size}{MESSAGE_SIZE_LIMIT}{true}{false}}

# Deny unless the address list header is syntactically correct.
#
deny
message = Your message does not conform to RFC2822 standard
log_message = message header fail syntax check
!verify = header_syntax

# Warn unless there is a verifiable sender address in at least
# one of the "Sender:", "Reply-To:", or "From:" header lines.
#
warn
message = X-Sender-Verify-Failed: No valid sender in message header
log_message = No valid sender in message header
!verify  = header_sender


Source: http://skullboxx.net/kb/node/503

Also another customer came up with this:

Code:
1.5 FROM_NO_USER Van: heeft geen lokaal deel voor het @-tje
2.7 FH_FROMEML_NOTLD E-mail address doesn't have TLD (.com, etc.)
1.0 BAYES_60 BODY: Bayesiaanse kans op spam is 60 tot 80% [score: 0.6830]
2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
0.6 RCVD_IN_SORBS_WEB RBL: SORBS: verzender is een misbruikbare webserver
[196.40.10.142 listed in dnsbl.sorbs.net]
2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Recieved via a relay found in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?196.40.10.142>]
3.0 RCVD_IN_XBL RBL: Recieved via a relay found in Spamhaus XBL [196.40.10.142 listed in zen.spamhaus.org]
0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
1.8 MISSING_SUBJECT        Missing Subject: header
1.4 EMPTY_MESSAGE          Message appears to have no textual parts and no
Subject: text

SpamCop is one of the standard lists so why is it not rejected? (sorry for the Dutch)
 
Have the same problem here since a few days, getting 5 empty message, empty header e-mails/day/account.

Jeff, any ETA on a fix for this? Quickfix is fine too.
 
I am not an exim.conf professional, but I try to :-)

One example is this one:
2011-05-10 14:45:25 1QJmJX-0007WD-0H <= <> H=(ff27480a42304c7) [188.114.14.249] P=smtp S=1042 id=001c01cc0bd4$3d16f9f0$b744edd0$@com T="" from <> for [email protected]

This mail comes through.

A few things are wrong in this log.

The Hostname is invalid.
When I look at the spamblocker config I see check #EDIT#27:
Perhaps put that check a few lines higher, before '# Remaining Mailer-Daemon messages must be for us' ?

The IP is on a blacklist.
The blacklist check is #EDIT#41 but the message is already accepted before as a mailer-daemon message? Would the trick be to do an extra blacklist check if we think it is a mailer-daemon message?
 
Code:
# Remaining Mailer-Daemon messages must be for us
   accept senders = :
   domains = +relay_domains

Or can this part be placed after the spamlist checks?
 
I think it works, put the code after #EDIT42 and comment it out above.

Got in log:
Code:
2011-05-11 16:42:55 H=(head) [95.143.208.12] F=<> rejected RCPT <[email protected]>: Email blocked by cbl.abuseat.org | E-mail geblokkeerd door cbl.abuseat.org

And still get all the messages if those are undeliverable....
 
Exactly my thoughts. Why accept a mail if it is listed at zen.spamhaus.org? If it is listed there I do not want to accept anything from that IP. That normally works but not in this case?
If you've got zen.spamhaus enabled in your copy of exim.conf, mail from IP#s listed therein will be blocked. While we still include zen.spamhaus.org in the latest version of our Spamblocker Powered exim.conf file, we recommend in our ReadMe that you make sure you meet their requirements for use, as it's not always free.

Jeff
 
Looks interesting; may make it into a future version. Anyone want to test it first?
And maybe a way to check if the message is empty:

Code:
# Enforce a message-size limit
#
deny
message = Message size $message_size is larger than limit of MESSAGE_SIZE_LIMIT
condition = ${if >{$message_size}{MESSAGE_SIZE_LIMIT}{true}{false}}
The above doesn't check for an empty message, but only for a message overlimit.
Code:
# Deny unless the address list header is syntactically correct.
#
deny
message = Your message does not conform to RFC2822 standard
log_message = message header fail syntax check
!verify = header_syntax
The problem with the above is that it will refuse certain emails from Microsoft clients. You can add it and test it if you wish.
Code:
# Warn unless there is a verifiable sender address in at least
# one of the "Sender:", "Reply-To:", or "From:" header lines.
#
warn
message = X-Sender-Verify-Failed: No valid sender in message header
log_message = No valid sender in message header
!verify  = header_sender
That's only going to put a message into the log; it's not going to do anything with the email. If you want to do that, go ahead, but it seems a bit counterproductive to just fill the log files with more stuff we're not sure what to do with. If you're suggesting we run warn for a while to see what it does, then do it for us, and post further later.
Source: http://skullboxx.net/kb/node/503
Also another customer came up with this:

Code:
1.5 FROM_NO_USER Van: heeft geen lokaal deel voor het @-tje
2.7 FH_FROMEML_NOTLD E-mail address doesn't have TLD (.com, etc.)
1.0 BAYES_60 BODY: Bayesiaanse kans op spam is 60 tot 80% [score: 0.6830]
2.2 TVD_SPACE_RATIO BODY: TVD_SPACE_RATIO
0.6 RCVD_IN_SORBS_WEB RBL: SORBS: verzender is een misbruikbare webserver
[196.40.10.142 listed in dnsbl.sorbs.net]
2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Recieved via a relay found in bl.spamcop.net
[Blocked - see <http://www.spamcop.net/bl.shtml?196.40.10.142>]
3.0 RCVD_IN_XBL RBL: Recieved via a relay found in Spamhaus XBL [196.40.10.142 listed in zen.spamhaus.org]
0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
1.8 MISSING_SUBJECT        Missing Subject: header
1.4 EMPTY_MESSAGE          Message appears to have no textual parts and no
Subject: text

SpamCop is one of the standard lists so why is it not rejected? (sorry for the Dutch)
My best guess is that we only block based on the server we're getting the mail from; SpamAssassin is catching it based on an earlier server sending it to the server that sent it to you.

Jeff
 
Have the same problem here since a few days, getting 5 empty message, empty header e-mails/day/account.

Jeff, any ETA on a fix for this? Quickfix is fine too.
I don't do quick fixes; they tend to bite back when I make the inevitable mistake. You can try something yourself, and then let us know how it works.

Jeff
 
The Hostname is invalid.
When I look at the spamblocker config I see check #EDIT#27:
Perhaps put that check a few lines higher, before '# Remaining Mailer-Daemon messages must be for us' ?
I suppose you don't need to accept messages that appear to be from Mailer-Daemons if sure they're not.
The IP is on a blacklist.
The blacklist check is #EDIT#41 but the message is already accepted before as a mailer-daemon message? Would the trick be to do an extra blacklist check if we think it is a mailer-daemon message?
I think we should still accept Mailer-Daemon messages if they may be legit. See my next reply.

Jeff
 
Code:
# Remaining Mailer-Daemon messages must be for us
   accept senders = :
   domains = +relay_domains

Or can this part be placed after the spamlist checks?
Perhaps I should rethink the entire set of checks; perhaps we should check for a few more problems before accepting remaining Mailer-Daemon messages.

Input requested on this.

Jeff
 
I just hope someone can come up with something that works soon. I get at least 7 returns an hour and now my customers are starting to complain as well.
 
@scsi: I have implemented the code after #EDIT42 and the empty emails are no more. They are blocked now by the right spamlists. So I think we have a workaround. Still as Jeff says, maybe it is good to take a look at the check sequence.

@Jeff: going to take a look at the checks and coming back with my vision soon.
Thanks for the answers on my post earlier.
 
@scsi: I have implemented the code after #EDIT42 and the empty emails are no more. They are blocked now by the right spamlists. So I think we have a workaround. Still as Jeff says, maybe it is good to take a look at the check sequence.
Exactly what code did you put after #EDIT#42? Which code from which post above?
@Jeff: going to take a look at the checks and coming back with my vision soon.
Thanks for the answers on my post earlier.
I really appreciate your help and look forward to your vision. I've been working on this for a long time and I can certainly use the help.

Jeff
 
I have commented out the code:

Code:
# Remaining Mailer-Daemon messages must be for us
   accept senders = :
   domains = +relay_domains

at #EDIT26 and placed it after the spamlists check #EDIT42. Before the verification of the recipient.

So it is the last check in the line before acceptance of the email. If the communication, ClamAV and local / external whitelists / blacklists are ok then it is going to check if it is a "Remaining Mailer-Daemon message".
 
I did exactly the same as Dennis did, moving the code for Mailer-Daemon messages. It has been active now on 2 servers and no more empty mails anymore.

In my opinion we do not need to accept mailer-daemon messages if they are on a blacklist or if the mail server has a wrong HELO name. I think that is what we are talking about?
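
Added example, not part of any post in the thread: a Python script for checking the effect of moving the null-sender accept behind the blacklist checks. It scans an Exim main log for accepted null-sender messages with an empty subject and a small size, and counts null-sender RCPT rejections by reason. The sample lines are constructed in the shape of the log lines quoted above; the function names and the 2048-byte threshold are assumptions, and `T=` is only logged when the `subject` log selector is enabled.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Exim main-log lines quoted in the thread
# (documentation IP ranges and example.* names, not real traffic).
SAMPLE_LOG = """\
2011-05-10 14:45:25 1QJmJX-0007WD-0H <= <> H=(ff27480a42304c7) [192.0.2.10] P=smtp S=1042 T="" from <> for user@example.com
2011-05-10 14:46:02 1QJmK8-0007Xa-1B <= <> H=mx.example.net [198.51.100.7] P=esmtp S=5310 T="Mail delivery failed" from <> for user@example.com
2011-05-10 14:47:11 1QJmLF-0007Yz-2C <= alice@example.org H=mail.example.org [203.0.113.5] P=esmtp S=2201 T="" from <alice@example.org> for user@example.com
2011-05-11 16:42:55 H=(head) [192.0.2.44] F=<> rejected RCPT <user@example.com>: Email blocked by cbl.abuseat.org
"""

# "<=" marks an accepted arrival; T="..." is present only with log_selector = +subject.
ARRIVAL = re.compile(
    r'^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) H=(?P<host>.*?) \[(?P<ip>[^\]]+)\]'
    r'.*? S=(?P<size>\d+)(?:.*? T="(?P<subject>(?:[^"\\]|\\.)*)")?'
)
# RCPT-time rejection of a null-sender (F=<>) message, with the ACL's reason text.
REJECT = re.compile(
    r'^\S+ \S+ H=(?P<host>.*?) \[(?P<ip>[^\]]+)\] F=<> rejected RCPT <[^>]*>: (?P<reason>.*)$'
)

def suspicious_bounces(log_text, max_size=2048):
    """Accepted messages with null sender, empty Subject and size <= max_size bytes.

    max_size is an assumed threshold; the message quoted in the thread was S=1042.
    """
    hits = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m or m["sender"] != "<>":
            continue
        # subject is None when T= is not logged, so such lines are never flagged.
        if m["subject"] == "" and int(m["size"]) <= max_size:
            hits.append({
                "id": m["id"], "ip": m["ip"], "size": int(m["size"]),
                # Exim prints the HELO name in parentheses when the host name is unverified.
                "helo_unverified": m["host"].startswith("("),
            })
    return hits

def null_sender_rejections(log_text):
    """Count RCPT rejections of null-sender mail, grouped by rejection reason."""
    matches = (REJECT.match(line) for line in log_text.splitlines())
    return Counter(m["reason"] for m in matches if m)

if __name__ == "__main__":
    print(suspicious_bounces(SAMPLE_LOG))
    print(null_sender_rejections(SAMPLE_LOG))
```

Run against the real main log before and after the ACL change: the first list should shrink while the rejection counts per blacklist grow, and a legitimate bounce such as the second sample line is never flagged.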
 