Greylisting Code? Anti-Dictionary-Attack code?

Should we add anti-dictionary-attack code or greylisting code to SpamBlocker3?

  • Add greylisting code: 20 votes (29.0%)
  • Add anti-dictionary-attack code: 8 votes (11.6%)
  • Add both: 36 votes (52.2%)
  • Add neither: 5 votes (7.2%)
  • Total voters: 69
I can check the queue once a week if I want, not get interrupted on my desktop with a new spam every 10 minutes...

And if you use a C/R on a form address, you're silly.

Bottom line, it has worked for me and I love it.

If the anti-spam community hates it... too bad. There is nothing else that works nearly as well for my inbox. And at the end of the day, that is all I care about.

If greylisting works, fine, I will use that. But filters are just not cutting it.
 
I am curious as to what people call "a lot of spam." I know that in a 24 hour period the spam that makes it through the blocklists to my Inbox is about 300 to 400. I can delete these in about 5 to 10 minutes by simply looking at the subject line. So to me that is not a lot of time to spend filtering my own mail compared to the trouble that a C/R system or any filtering system causes.

So how many spam emails do you have to get before you resort to a C/R system? And when you resorted to a C/R system, were you using a blocklist system at the time?
 
Unfortunately not; we've gotten hung up on some work and far behind in billing :( .

Jeff
 
greylistd working on CentOS 4 + DA

I haven't been able to get greylistd to work on a CentOS server, even using an RPM prepared specifically for the version of CentOS we use, which is CentOS 4.4.

I've installed greylistd successfully on CentOS 4 server today. Here's what I did:

Code:
rpm -Uvh http://dl.atrpms.net/all/greylistd-0.8.3.2-8.el4.at.noarch.rpm

in /etc/greylistd/config change:
Code:
mode         = 0660
to
Code:
mode         = 0666
because greylistd is running as user greylistd and we need to read/write to its socket as user mail.

Then in /etc/exim.conf I've found:
Code:
# accept mail to [email protected], regardless of source
#   accept  local_parts = errors
#           domains     = example.com
and added the following code below it:
Code:
#GREYLIST
# Defer (temporary 4xx reply) the recipient when greylistd has not seen this
# host/sender/recipient triplet before; real MTAs retry, most spam bots do not.
defer   message     = $sender_host_address is greylisted
        log_message = greylisted.
        # never greylist our own relay hosts or hosts listed in greylistd's whitelist file
        !hosts      = +relay_hosts : \
                      ${if exists {/etc/greylistd/whitelist-hosts}\
                      {/etc/greylistd/whitelist-hosts}{}}
        hosts       = !+relay_hosts
        domains     = +relay_domains
        # bounces (empty sender) and mail from postmaster are always let through
        !senders    = : postmaster@*
        # ask greylistd about the triplet over its socket; it answers grey, white or black
        set acl_m6  = $sender_host_address $sender_address $local_part@$domain
        set acl_m6  = ${readsocket{/var/run/greylistd/socket}{$acl_m6}{5s}{}{false}}
        condition   = ${if eq {$acl_m6}{grey}{true}{false}}

Then we start greylistd and restart exim:
Code:
service greylistd start
service exim restart

Now we can check if greylistd is running:
Code:
greylist stats

Code:
Statistics since Sat Mar  3 13:35:23 2007 (1 hour and 31 minutes ago)
---------------------------------------------------------------------
  49 items, matching   65 requests, are currently whitelisted
   0 items, matching    0 requests, are currently blacklisted
1047 items, matching 1158 requests, are currently greylisted

Of 49 items that were initially greylisted:
 - 49 (100.0%) became whitelisted
 -  0 (  0.0%) expired from the greylist

Tested successfully on 2 CentOS boxes.

BTW: I also modified some other config settings in order to delay messages for a shorter time. In /etc/greylistd/config:
Code:
retryMin     = 300
retryMax     = 86400
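To show what the retryMin / retryMax settings above actually do to a connection, here is a small model of greylistd's triplet bookkeeping. It is an added example, not greylistd's own code: it takes the same "<ip> <sender> <recipient>" string the ACL writes to the socket, answers grey or white, and uses plain integer timestamps so the behaviour can be exercised offline. The sample triplets and times are constructed.

```python
"""Greylisting triplet state machine, modelled on greylistd's behaviour.

Added example (not greylistd's own code).  It tracks the same
(host, sender, recipient) triplet the ACL sends over the socket and
applies the retryMin / retryMax settings from /etc/greylistd/config.
Timestamps are plain integers (seconds) so the logic runs offline.
"""

from dataclasses import dataclass, field


@dataclass
class Greylist:
    retry_min: int = 300     # retryMin: a retry sooner than this is still deferred
    retry_max: int = 86400   # retryMax: an unconfirmed triplet older than this expires
    grey: dict = field(default_factory=dict)   # triplet -> time first seen
    white: dict = field(default_factory=dict)  # triplet -> time last seen

    @staticmethod
    def triplet(host_ip, sender, recipient):
        # Addresses are compared case-insensitively; the ACL passes them
        # exactly as the SMTP client gave them.
        return (host_ip, sender.lower(), recipient.lower())

    def update(self, host_ip, sender, recipient, now):
        """Return 'white' (deliver) or 'grey' (defer with a 4xx reply)."""
        key = self.triplet(host_ip, sender, recipient)
        if key in self.white:
            self.white[key] = now          # refresh so the entry does not age out
            return "white"
        first_seen = self.grey.get(key)
        if first_seen is None:
            self.grey[key] = now           # never seen: defer and remember it
            return "grey"
        age = now - first_seen
        if age < self.retry_min:
            return "grey"                  # retried too quickly (typical of bots)
        if age > self.retry_max:
            self.grey[key] = now           # retry window missed: treat as new contact
            return "grey"
        del self.grey[key]                 # retried inside the window: promote
        self.white[key] = now
        return "white"

    def query(self, line, now):
        """Accept the exact string the ACL builds: '<ip> <sender> <recipient>'.

        A bounce has an empty sender, so the line then contains a double space;
        the ACL excludes bounces anyway, but the shape is handled defensively.
        """
        parts = line.split(" ")
        if len(parts) != 3:
            return "false"                 # malformed request, like readsocket's fallback
        host_ip, sender, recipient = parts
        return self.update(host_ip, sender, recipient, now)

    def stats(self):
        """The two counters 'greylist stats' reports on."""
        return {"whitelisted": len(self.white), "greylisted": len(self.grey)}


if __name__ == "__main__":
    g = Greylist()
    # Constructed sequence: a real MTA retries after ~7 minutes, a bot never does.
    for t in (0, 420):
        print(t, g.query("203.0.113.5 alice@example.org bob@example.com", t))
    print(0, g.query("198.51.100.9 deals@example.net bob@example.com", 0))
    print(g.stats())
```

The first contact is always deferred, a retry inside [retryMin, retryMax] promotes the triplet, and a retry after retryMax starts over, which is why the "expired from the greylist" line in the stats output above only ever counts senders that never came back in time.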
 
Works perfectly with my CentOS 4.4 system.

Just a note: I put the greylisting code just under the final RBL check so that a lot of spam gets caught before ever being greylisted.
 
jlasman, have you tried it (greylisting)? If yes, is there any release date set (for SpamBlocker v3)?
 
I would like to know if it is safe to use this version of SpamBlocker on production servers. Any reason not to use it? Should I wait longer?

Thanks,
 
No, we've not had time to test greylisting. I should get the time to build it on a testbed server next week.

Safe to use which version in production servers? The beta? Absolutely; we've been using it since a week or so before I posted it.

Jeff
 
Greylisting only for Suspicious Sender's IP address

Greylisting should not be applied to all incoming emails.
It should be used as one of the methods to prevent spam.

I only apply greylisting to suspicious senders' IPs.

Suspicious IPs are:
1. Without reverse hostname
2. Reverse hostname does not point back to same IP
3. Reverse hostname is dynamic, e.g. 1-1-168-192.dialuppool.domain

The other cheap spam prevention method I use is checking for valid SMTP HELO.

These 2 methods filter out more than 90% of spam before SMTP DATA.
The rest can be handled by more expensive processes, i.e. ClamAV and SpamAssassin.

Implementation Notes:
I use Berg's exim-greylist, see url:
http://johannes.sipsolutions.net/Projects/exim-greylist/

I've installed exim-greylist on a secondary MX server running CentOS 5.0 without DirectAdmin,
using the default exim 4.63 installed by "yum install exim", which comes with mysql support.

/etc/exim/exim_dynamic_regex is a file containing regexes that match the reverse hostnames of dynamic IPs, e.g.:
Code:
# Example: (1-1-168-192.dialuppool.domain.)
# Example: (d-1.1.168.192.dialuppool.domai)
See url: http://www.linuxmagic.com/opensource/anti_spam/dynamic_regex/

Example exim.conf
Code:
acl_check_rcpt:

  accept  hosts = : +relay_from_hosts

  accept  authenticated = *

  accept  condition = ${if or {\
	                        {eq {$interface_port}{465}}\
	                        {eq {$interface_port}{587}}\
	                      }{yes}{no}}
	  endpass
	  message = relay not permitted, authentication required
	  authenticated = *

  deny	domains       = +local_domains
	local_parts   = ^[.] : ^.*[@%!/|]

  deny	domains       = !+local_domains
	local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

######################################################################
# HELO checks
######################################################################

# HELO is empty or not sent
  deny	message     = You have sent no HELO! Please see RFC 2821 section 4.1.1.1
	log_message = Bad HELO: Empty HELO
	condition   = ${if eq{$sender_helo_name}{}}
	delay       = 30s

# HELO is not a fully qualified domain name
  deny	message     = Your mail server announcement ($sender_helo_name) \
	              is a single word rather than a FQDN. This is in breach of RFC2821
	log_message = Bad HELO: Not FQDN
	condition   = ${if match {$sender_helo_name}{\\.}{no}{yes}}
	delay       = 30s

# IP Only is sent as the HELO
  deny	message     = Your server announces itself ($sender_helo_name) with a plain IP address which is in breach of RFC2821.
	log_message = Bad HELO: IP Only Announce
	condition   = ${if isip{$sender_helo_name}{yes}{no}}
	delay       = 30s

# HELO claims to be localhost: someone is pretending to be this server
  deny	message     = HELO/EHLO IP is local. You are not this server.
	log_message = Bad HELO: Local IP Spoof Attempt
	condition   = ${if eq{$sender_helo_name}{localhost}{yes}{no}}
	delay       = 30s

# Someone is trying to spoof a domain on the server
  deny	message     = Forged HELO: you are not $sender_helo_name
	log_message = Forged HELO: $sender_helo_name Spoof Attempt
	condition   = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
	delay       = 30s

######################################################################
# GREYLIST checks
######################################################################
.ifdef GREYLIST_ENABLED

# Reverse Host Lookup Failed
defer	!senders    = : postmaster@*
	domains     = +local_domains : +relay_to_domains
	condition   = ${if eq{$host_lookup_failed}{1}}
	acl         = greylist_acl
	message     = greylisted - try again later
	log_message = greylisted_1 - host_lookup_failed [$host_lookup_failed] 

# Reverse Host Lookup Deferred
defer	!senders    = : postmaster@*
	domains     = +local_domains : +relay_to_domains
	condition   = ${if eq{$host_lookup_deferred}{1}}
	acl         = greylist_acl
	message     = greylisted - try again later
	log_message = greylisted_2 - host_lookup_deferred [$host_lookup_deferred] 

# Reverse DNS Rejected - dynamic ip
defer	!senders    = : postmaster@*
	domains     = +local_domains : +relay_to_domains
	condition   = ${lookup{$sender_host_name} nwildlsearch {/etc/exim/exim_dynamic_regex} {yes}{no}}
	acl         = greylist_acl
	message     = greylisted - try again later
	log_message = greylisted_3 - dynamic ip

.endif
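To make the decision order of that ACL easy to check, here is a model of it: the five HELO deny rules, the three reverse-DNS greylist triggers, and the relay-host / authenticated / bounce / postmaster exemptions. This is an added example, not exim-greylist's code and not part of the post. Exim does the DNS work itself; here a constructed PTR table stands in for it, and LOCAL_DOMAINS, RELAY_FROM_HOSTS and DYNAMIC_PATTERNS are made-up stand-ins for +local_domains, +relay_from_hosts and /etc/exim/exim_dynamic_regex (only local domains are modelled, not +relay_to_domains).

```python
"""Model of the acl_check_rcpt logic: HELO checks (deny) and reverse-DNS
triggers that hand a sender to greylisting (defer).

Added example, not part of exim-greylist or the original post.  All tables
below are constructed stand-ins so the decisions can be exercised offline.
"""

import ipaddress
import re

LOCAL_DOMAINS = {"example.com", "mail.example.com"}   # stands in for +local_domains
RELAY_FROM_HOSTS = {"192.0.2.10"}                       # stands in for +relay_from_hosts

# Constructed stand-in for /etc/exim/exim_dynamic_regex: patterns that match
# the reverse hostnames of dial-up / DHCP address pools.
DYNAMIC_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^\d+-\d+-\d+-\d+\.dialuppool\.",
    r"^d-\d+\.\d+\.\d+\.\d+\.dialuppool\.",
    r"^dhcp-.*\.cable\.",
)]

# Constructed reverse-DNS results: ip -> (PTR name or None, forward-confirmed?).
# An IP missing from the table simulates a lookup that timed out (deferred).
PTR_TABLE = {
    "198.51.100.20": ("1-1-168-192.dialuppool.domain", True),
    "198.51.100.21": (None, False),                    # no PTR record at all
    "198.51.100.22": ("mail.forged.example", False),   # PTR does not point back
    "203.0.113.40": ("mx1.partner.example.net", True),
}


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_helo(helo):
    """Apply the five HELO deny rules in the order the ACL lists them.

    Returns the log_message of the first rule that fires, or None.
    """
    if helo == "":
        return "Bad HELO: Empty HELO"
    if "." not in helo:                     # ${if match {...}{\.}{no}{yes}}
        return "Bad HELO: Not FQDN"
    if _is_ip(helo):                        # ${if isip{...}}
        return "Bad HELO: IP Only Announce"
    if helo == "localhost":                 # exact eq, as in the ACL
        return "Bad HELO: Local IP Spoof Attempt"
    if helo.lower() in LOCAL_DOMAINS:       # match_domain ... +local_domains
        return f"Forged HELO: {helo} Spoof Attempt"
    return None


def reverse_dns_verdict(ip, ptr_table=PTR_TABLE):
    """Apply the three greylist triggers; return the log_message or None."""
    entry = ptr_table.get(ip)
    if entry is None:                       # $host_lookup_deferred = 1
        return "greylisted_2 - host_lookup_deferred"
    name, confirmed = entry
    if name is None or not confirmed:       # $host_lookup_failed = 1
        return "greylisted_1 - host_lookup_failed"
    if any(p.search(name) for p in DYNAMIC_PATTERNS):   # nwildlsearch hit
        return "greylisted_3 - dynamic ip"
    return None


def acl_check_rcpt(ip, helo, sender, recipient, authenticated=False):
    """Return (verb, reason) for one RCPT TO, mirroring the ACL's order."""
    if ip in RELAY_FROM_HOSTS:
        return ("accept", "relay_from_hosts")
    if authenticated:
        return ("accept", "authenticated")
    bad_helo = check_helo(helo)
    if bad_helo:
        return ("deny", bad_helo)
    # !senders = : postmaster@*  -> bounces and postmaster mail skip greylisting
    exempt = sender == "" or sender.lower().startswith("postmaster@")
    domain = recipient.rpartition("@")[2].lower()
    if not exempt and domain in LOCAL_DOMAINS:
        reason = reverse_dns_verdict(ip)
        if reason:
            return ("defer", reason)
    return ("continue", None)               # later ACL statements decide


if __name__ == "__main__":
    samples = [   # constructed SMTP sessions: (ip, helo, sender, recipient)
        ("198.51.100.20", "1-1-168-192.dialuppool.domain", "a@b.example", "bob@example.com"),
        ("198.51.100.22", "mail.forged.example", "a@b.example", "bob@example.com"),
        ("203.0.113.40", "192.0.2.77", "a@b.example", "bob@example.com"),
        ("203.0.113.40", "mx1.partner.example.net", "a@b.example", "bob@example.com"),
    ]
    for s in samples:
        print(s[0], acl_check_rcpt(*s))
```

One thing the model makes visible: because the "Not FQDN" rule runs before the localhost rule, a bare HELO of "localhost" is already rejected as a single-word HELO, so the "Local IP Spoof Attempt" log line is only reachable if the rules are reordered.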
 
Since greylisting takes less resources I'd run it first.

Jeff

Hi Jeff,

There are two general thoughts on greylisting.

1. Run Greylisting then DNSBL.
Pro: This has the advantage of limiting the amount of external callouts the system needs to do.
Con: This can mean your greylisting DB can grow quite large. A decent greylistd will normally 'clean out' redundant entries over a given time.

2. DNSBL then greylisting
Con: Means more external calls are undertaken. This can mean more processing/load is required.
Pro: Less to be processed by the greylisting server, thus a small DB is generated.


It's most common to do the greylisting last, as it means all DNSBL checks have been done (and passed) so that the 2nd attempt the user will breeze on past.

Greylisting known spam (i.e. stuff caught by DNSBLs) is just replacing their function.... and likely to just add additional disk usage.

I'm neither for nor against either method.
Speaking to those that regularly use/maintain a greylist server, it does seem the 2nd approach is used more often. :confused:
 
I've installed greylistd successfully on CentOS 4 server today. Here's what I did:

Code:
rpm -Uvh http://dl.atrpms.net/all/greylistd-0.8.3.2-8.el4.at.noarch.rpm

I'm testing this and will be putting up a DirectAdmin plugin that end-users can effectively add their own whitelist entries to. :D
 
/etc/greylistd/config change:
Code:
mode         = 0660
to
Code:
mode         = 0666
because greylistd is running as user greylistd and we need to read/write to its socket as user mail.

I imagine assigning exim to the actual greylist group would resolve this and not make it world-writeable, so you could keep the 0660 perm then.

I'll take a peep later today.

So far so good... it's a nice simple and elegant solution. :D

Code:
Statistics since Mon Apr 21 12:00:06 2008 (1 hour and 6 minutes ago)
--------------------------------------------------------------------
3 items, matching  3 requests, are currently whitelisted
0 items, matching  0 requests, are currently blacklisted
8 items, matching 12 requests, are currently greylisted

Of 3 items that were initially greylisted:
 - 3 (100.0%) became whitelisted
 - 0 (  0.0%) expired from the greylist

NB: I'm doing DNSBLs first prior to greylisting. So it knocks a lot out first (80-90%).

Cheers,

Matt.
 
I played with helo checking and I found legitimate emails blocked; senders, particularly Outlook users, have bad helos that get caught by these checks.
 
Which is why by default we do not do helo checking in the SpamBlocker exim.conf files delivered with DirectAdmin.

If you're going to do helo checking your users will all have to use port 587 to send outbound email through your server.

Jeff
 
HELO checks can be applied if:
1. Your users are using POP before SMTP
OR
2. Your users are using SMTP authentication

POP before SMTP
-----------------
/etc/virtual/pophosts file is created by DirectAdmin.
It contains IP addresses of authenticated POP3 connections.

SMTP authentication
--------------------
Jeff's SpamBlocker also allows SMTP authentication.
However, your users have to setup SMTP authentication on their email client, e.g. Outlook.
Most ISPs I know require SMTP authentication, as this is the preferred method to secure against unauthorized relaying or an open relay.

Important Note:
---------------
Do not check HELO in acl_check_helo:
See post: http://www.directadmin.com/forum/showpost.php?p=128834&postcount=45

Check HELO in acl_check_rcpt: after "accept hosts" and "accept authenticated"
See code below:

Code:
acl_check_rcpt:
  accept  hosts = : +relay_from_hosts : net-lsearch;/etc/virtual/pophosts
  accept  authenticated = *
######################################################################
# HELO checks below
######################################################################
 
Hi Jeff,

While reading your SpamBlocker's exim.pl code, I was thinking about your concern that DirectAdmin's default exim rpm is without MySQL support.

I think you can use perl's database(MySQL) support to implement Berg's exim-greylist.

I am new to perl, but I would be glad to help writing a few new functions for exim.pl and some exim.conf ACL rules.

Wallace

exim.pl
Code:
http://files.directadmin.com/services/exim.pl

That said, it won't be in the release version of SpamBlocker3 because it requires a copy of exim with mysql support enabled. I can do that for my platform, CentOS, but I can't do it for every platform, so it's not being included.
 