How reject spam at high score in exim.conf

Can we somehow use spamassassin to scan outgoing mail including scripts that send mail?

Often we do not find out about a user script sending spam until a recipient complains to us. I would like to catch it before it goes out.
 
Ok well this little tidbit looks helpful but my research tells me that it is going to cause a lot of false positives. Shortened it for R&D purposes.

drop message = Spam Score is $spam_score
spam = nobody:true
condition = ${if >{$spam_score_int}{70}{1}{0}}

Using this method tells me that $spam_score is 12.3 and the message is of course rejected. But when I turn it off and let the same exact spam go through I get this:

Content analysis details: (8.3 points, 3.9 required)

This is of course a difference of 4.0 which can be a very significant difference. In looking over the regular spamassassin rule violations I can see here that -4.0 was applied from the autowhitelist.

-4.0 AWL AWL: From: address is in the auto white-list

So I am taking a guess that $spam_score doesn't include the total of all of the rules and configurations. If this is the case various conditions could be met that would give you the wrong score to work with and thus blocking good ham.

[edited] In conclusion if you want to use this tidbit in your exim.conf it isn't a bad thing to do but you will want to add or subtract a few points just to be on the safe side. All depends on if you have auto-whitelisting or not really.

Big Wil
 
Since spamd is used in parallel tasking mode, you can sometimes have a difference, but it is not very important because it rejects a lot of high-scoring mail if you use it.
 
Make sure you're not rejecting incoming mail, but only outgoing email.

If you reject incoming email because of a high score you'll by default (unless you rewrite exim.conf) end up sending email back to senders who never sent it to you (because spammers use forged return addresses). And you'll be a spammer yourself.

And you will get blocked.

Jeff
 
Ahhhh big happy dance. You are totally right so I made a couple of mods to this one:

discard message = $spam_score/15.0 spam points
spam = nobody:true
condition = ${if >{$spam_score_int}{150}{1}{0}}

Drops it no matter who it is from if it has a score of 15 and it doesn't bounce back because discard strips it of all recipients and throws it in the blackhole. Nice!

Big Wil
 
jlasman said:
Make sure you're not rejecting incoming mail, but only outgoing email.

If you reject incoming email because of a high score you'll by default (unless you rewrite exim.conf) end up sending email back to senders who never sent it to you (because spammers use forged return addresses). And you'll be a spammer yourself.

And you will get blocked.

Jeff

You won't be blocked because you reject at DATA time and not after. Since you don't relay, there is no problem; the connection is open and waits for the acknowledgement.
By RFC you have the right to reject if you give a reason.
This is the same as when you reject a virus.
So I can't agree with you.
 
BigWil said:
Ahhhh big happy dance. You are totally right so I made a couple of mods to this one:

discard message = $spam_score/15.0 spam points
spam = nobody:true
condition = ${if >{$spam_score_int}{150}{1}{0}}

Drops it no matter who it is from if it has a score of 15 and it doesn't bounce back because discard strips it of all recipients and throws it in the blackhole. Nice!

Big Wil

There are a lot of variations; this is a nice one! But it is not RFC compliant: if you accept a message you have to deliver it (RFC rules). My original post rejects it.

Don't forget, if you get errors due to high load (lots of spam/messages), to change the spamd call method: spam check on the same children versus children multitasking.
 
Well the only problem with deny and drop as Jeff said is that a spammer can use the function to send their spam back to the RCPT as the Mailer-Daemon. This is just as bad as an open relay.

RFC is a specification. FTC, State and Federal are laws. Which is worse? Besides that the majority of the original emails are non-RFC compliant in the first place. Fighting fire... with fire.

Big Wil
 
Again,
The last sender just gets back a deny message, that's all; the message is NOT ACCEPTED, so this is NOT a bounce.
There is no problem at all.

Most spammers send from hacked/compromised computers/servers, not the legal way.
If you filter at SMTP time, most spammers can't even post their messages.

I'm sorry, but it seems many people have to read how exim runs.
I've been learning that for a year, and applying very good solutions, because the standard exim.conf is obsolete.

I suggest you read this good article: http://www.tldp.org/HOWTO/text/Spam-Filtering-for-MX
Look at the end.
 
As implemented in both SpamBlocker2 and in SpamBlocker3 exim.conf files, SA is run after the email is accepted.

It's much better to run it at data time before the mail is accepted, but that requires (for clarity) perhaps a bit of a change to the DA SA page in the control panel. This is something we'll work with DA staff on for the next SpamBlocker exim.conf release.

I haven't seen any suggestions in the SpamBlocker4 section of the forum yet; I'm waiting for them.

If you're running SA only on incoming mail, well it's your server, so you can break RFCs at the risk of getting your customers mad at you. If you're running SA on outgoing email as well then you have a contractual duty to your clients. So if you tell them (perhaps in your TOS) that you won't deliver spam, but rather will drop it, then you most likely can get away with it.

It would be nicer to return the email to your client; you know it's him because he used authentication, right?

But the problem is one of two things is going to happen:

1) You're going to overload email on your own server, if the spammer is on your server. And you're quickly going to run out of space.

2) He's going to have all those messages forwarded to his account on AOL, Hotmail, or his ISP, and they're going to instantly block your server for sending them thousands of spams (perhaps millions). You'll find it hard to get off a blocklist if this is why you got on it.

I don't believe in rejecting emails from servers for just any RFC noncompliance; there are an awful lot of legitimate senders out there on non-compliant servers. If you do that you should probably let your customers know they won't be getting email from over half the world.

Jeff
 
No, SA should NOT run before DATA. It runs just fine where it is at. If every piece goes through SA the load would be far too high. Filter everything and those messages that make it through should get run through SA.

Big Wil
 
It will be stupid to run SA for outgoing mail;
this has been discussed several times on the respective SA & exim forums.

If you accept all mail this is your problem.
I deal only with RFC compliant servers.
I never had ONE problem with hotmail, aol and others, never been blacklisted (4 dedicated servers at this time).

You forget that the battle is against spammers; the rule is to stop them, and they are stopped first at SMTP time. Do you think they will complain? Even if they do, this is not receivable.

After this big barrier, only a few spam remain.
High score spam are ONLY new spam servers or hacked computers, so you can easily reject them.

Exim has evolved with new ACLs (like acl_check_mime and others).
Please read the small manual from Tim: http://www.timj.co.uk/linux/Exim-SpamAndVirusScanning.pdf
It seems they are on my mind.
 
BigWil said:
No, SA should NOT run before DATA. It runs just fine where it is at. If every piece goes through SA the load would be far too high. Filter everything and those messages that make it through should get run through SA.
If SA is run at data time (not before, but at) you get the chance to refuse the spammy email. You can't do that if you run it after the email has been accepted.

Jeff
 
Not sure how you would run it during but I would be glad to see it. Would we be able to use deny or drop properly then? Instead of sending a bounce?

Big Wil
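The question above (how to run SA "during" DATA so that deny or discard can be used without producing a bounce) and the discard snippet earlier in the thread both come down to the same ACL. The following is an added example, not the SpamBlocker exim.conf and not code posted by anyone in this thread; it assumes spamd on the default 127.0.0.1 783, an account named sa_user with a writable home directory for Bayes and user_prefs (a hypothetical name), and that outgoing mail is identified by SMTP authentication.

```exim
# Added example (not from the thread or the SpamBlocker exim.conf): scanning
# mail from our own authenticated users at DATA time, so that high-scoring
# spam is refused or discarded before it is accepted, never bounced later.
# Assumed: spamd on the default address, and "sa_user" (hypothetical) is an
# account whose home directory spamd can write Bayes/user_prefs into.
spamd_address = 127.0.0.1 783

acl_check_data:
  # Scan only messages submitted over an authenticated session, i.e. our
  # own users; inbound mail from other servers is left alone here.
  # "spam = user:true" always succeeds; it is used only to populate
  # $spam_score, $spam_score_int (score in tenths) and $spam_bar. Exim
  # caches the result per message, so the statements below do not cause
  # a second SpamAssassin run.
  warn
    authenticated = *
    spam          = sa_user:true
    add_header    = X-Spam-Score: $spam_score ($spam_bar)

  # Very high score (150 tenths = 15.0 points): refuse at DATA time.
  # "deny" returns a 5xx to the connected client, which is the
  # authenticated submitter itself, so no bounce goes to a forged address.
  deny
    authenticated = *
    condition     = ${if >{$spam_score_int}{150}}
    message       = Message rejected: spam score $spam_score is too high
    log_message   = outgoing spam from $authenticated_id, score $spam_score

  # Alternative used in the thread: accept, strip all recipients and drop
  # the message silently (no bounce, no delivery). Use one or the other.
  # discard
  #   authenticated = *
  #   condition     = ${if >{$spam_score_int}{150}}
  #   log_message   = discarded outgoing spam from $authenticated_id, score $spam_score

  accept
```

The check runs once per message and only for authenticated sessions, so it does not add a scan for inbound mail; whether to use deny (the sender sees a rejection) or discard (silent drop) is the policy choice the thread argues about, and the threshold is still in tenths of a point, so 150 means 15.0.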
 
Can you set it to bounce? I don't run SA on our servers so I've checked the DA demo on the DirectAdmin demo server; they only show these options:
Where do you want the spam to go?
Inbox (don't block it)
Redirect it to the catch-all ~/.spamassassin/spam folder.
Send the spam to the appropriate user's spam folder.
Delete the spam.

Yes, that could be worked out but DA staff and I would have to work on SA in SpamBlocker3 at the same time to make it happen; it won't be in the first release but could follow soon.

SpamAssassin would continue to be optional, but we'd have to make it optional via a different system so we don't run it on emails for which we won't use it. We'll have to work that out with DA staff as well, but we'll most likely use a file such as: /etc/virtual/use_sa_domains similar to how we now use /etc/virtual/use_rbl_domains.

Of course for that to work, DA will have to have an interface to the file.

I'm asking John to look at this thread and tell us how he feels.

Jeff
 
Jeff,

The use_sa_domains sounds like a great option if possible. Looking forward to it.

Now in regards to my previous on the elimination of high spam scored emails.... DON'T USE IT ON HIGH TRAFFIC SERVERS!!!

drop message = Spam Score is $spam_score
spam = nobody:true
condition = ${if >{$spam_score_int}{70}{1}{0}}

This does not work for a couple of reasons. For starters it is running a second instance of "spam" and therefore twice the load. Secondly it is running it as the user nobody. BAD VERY BAD!!! The setuid in SA is there for darn good reasons. Not to mention the log files all get filled up because user nobody uses /nonexistent home directory and it should never exist and thus causes errors about Bayes and user_pref being unwritable.

So I would suggest anybody that tried this option remove it immediately.

I am checking into an alternative and will post it here when I am done testing it. And yes I will test it better than I did the last one before posting it here. ;-)

Cheers,

Big Wil
 
Sure, at high load no filter is good, even clamav!
Example: without SA and without clamav you can pass 100 mails in a certain time, with clamav only 10 mails, with both only 1 mail.

Remember I advised that anyone can use exim options to limit load (aso...)
and change the multitask spamd to single task.
For the user chosen, this is your choice ;)
If you are an admin you know what you do.
 