Open Relay - Masses of Spam being sent

Aspegic said:
Maybe his server isn't an open relay in the traditional sense of the word, but it is still exploitable. I assume there is a reason why abuse.net included it as one of their tests. If they do, so could spammers scanning for mail servers to exploit.
And they do. Which is why abuse.net includes the test.
Removing the host from whitelist_domains may solve the problem, but I feel that it is a hole that should be plugged, or at the very least a bit more text should be added to the spamblocker readme.
The hole exists for any domain in whitelist_domains, because if you put a domain in whitelist_domains what you're telling the system is to allow any email from the domain to be relayed. That's not a problem for most domains because spammers generally don't know which domains are whitelisted for which server.

For example, if you whitelist example.com on your server, then I can send email with a from address of example.com to anyone in the world, through your server. But it's doubtful I'd ever know that.
Maybe listings in whitelist_domains should only apply to RCPT TO addresses but not to MAIL FROM addresses?
Sure but that's not the intent. The intent of whitelist_domains isn't to allow mail to domains but with return addresses from domains.

Perhaps whitelist_domains is too insecure for me to include it? The main reason we allow it is because a lot of admins really don't know how to determine which servers a domain uses, so they can't use whitelist_hosts.

Or perhaps you want to get mail from all the users of example.net, but the people all send email from their homes.

Perhaps the best bet is to only allow it to be used for delivery on the server. So do some studying and tell me what the change needs to be, and I'll implement it so it only accepts whitelists for delivery on the server :) .
Or maybe the mail server itself should be excluded (or ignored) if it is listed in whitelist_domains?
I have no idea what you mean. Can you explain?

Thanks.

Jeff
 
Atari said:
If you use an email account that is ON the system... then it will "Relay" the message to any domain _on that server_, but it won't relay (in the true sense of the word) any mail THROUGH the server to another email account on another server.
I believe it will, and I'm looking into fixing that hole.

Jeff
 
We still recommend not putting domain names hosted on the server into the whitelist.

We have a fix as of yesterday which we'll test over the next week before releasing it.

Jeff
 
Hi, I am sorry to bump in like this, but yesterday I downloaded the fresh exim.conf copy from files.directadmin.com
and exim was configured as an open relay again. So I needed to change the auth_hosts line again.
 
there are bugs in DA with the spamblocker exim.conf
example
- alias spam receive as per user spambox,
could not catch spam mail
( I will try a fix from John this weekend - the first fix had no success )
- dns rbl seems not to work : does not reject messages.
- ip blocklist doesn't seem to work
 
gcypher,

The SpamBlocker exim.conf file (Version 2) absolutely does NOT configure exim as an open relay.

But YOU can configure it as an open relay by simply whitelisting domains that exist on your server. I've already written to not do that. I've not been successful in managing a workaround.

I don't know what you mean by changing auth_hosts as there's no other reference to auth_hosts in this thread.

xemaps,

I'm not sure what you mean.
- alias spam receive as per user spambox,
could not catch spam mail
The SpamAssassin code was written by DirectAdmin; John will need to work with you on the fix. SpamAssassin and SpamBlocker code are both in the exim.conf file, because DA by default includes SpamAssassin, but I don't believe in SpamAssassin and generally don't use it.
- dns rbl seems not to work : does not reject messages.
I'm not sure what you mean. All the blocklists we use are DNS based. Which one isn't rejecting messages?
- ip blocklist doesn't seem to work
Again, I'm not sure what you mean.

The spamblocker exim.conf file works for many of us including for many of our servers.

We block thousands of emails daily. Please give me an example of something that doesn't work, so I can fix it.

Thanks.

Jeff
 
Jeff,

1. setting up a forwarded mailbox with spamassassin on : spam stays in the user_spam directory and grows; in fact it should be added to the forwarded mailbox, or at the user's choice in the DA panel
sa in the panel is set up to redirect to user_spam
There is no normal way to unblock/move the spam in the DA panel

But later I found an alternative solution from John here :
http://www.directadmin.com/forum/showthread.php?s=&threadid=12039&perpage=20&pagenumber=2

2. I use spamassassin

exim.conf => this doesn't work :
# deny using spamcop
deny message = Email blocked by SPAMCOP
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = bl.spamcop.net

this works :
# dnslists contains * bl.spamcop.net and other rbl
deny message = $sender_host_address is blacklisted at $dnslist_domain\n$dnslist_text
!authenticated = *
dnslists = ${lookup{${lc:$local_part@$domain}}lsearch*@{/etc/virtual/dnslists}}
delay = 20s

so I can now reject messages before accepting them
I had 90% spam by volume, now 20%, but only 10% of the volume

3. I added IPs to bad_sender_hosts
these are not rejected. Don't know why

It's not easy for me to understand how to make sa/exim work well. Sorry for my very bad English.
 
xemaps said:
exim.conf => this doesn't work :
# deny using spamcop
deny message = Email blocked by SPAMCOP
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = bl.spamcop.net
I don't know why it doesn't work for you. It works with the standard exim.conf SpamBlocker version 2 file provided with DirectAdmin, the one that begins with this line:
SpamBlocker.exim.conf.2.0-release

this works :
# dnslists contains * bl.spamcop.net and other rbl
deny message = $sender_host_address is blacklisted at $dnslist_domain\n$dnslist_text
!authenticated = *
dnslists = ${lookup{${lc:$local_part@$domain}}lsearch*@{/etc/virtual/dnslists}}
delay = 20s
If the above works then you've made some changes to your DA configuration. Which is fine, no one says you have to use the default. But the default definitely works. Checking my rejectlog on one of my servers, it's worked 872 times in the last 3-1/2 days.
so I can now reject messages before accepting them
Which our code does in the standard exim/DirectAdmin configuration.

If it doesn't work for you it's possible you didn't populate the /etc/virtual/use_rbl_domains file.

Jeff
 
Jeff,

I use this file 2.0 from DA but it never worked, I don't know why.
So I added some ACLs and settings from the internet and now spam is very small, even the server load.
I also erased some inoperative ACL rules with RBLs after looking at the logs.

Didn't know how to populate the files, found no manuals.

I made a few changes this week again, and with BLs & more ACL rules I receive fewer viruses. These are my results for one domain until now :

--CWEEK--
spam:205
ham:1026
rejected:3385
-virus:92
-rbl blacklist:1092

--LASTW--
spam:523
ham:1014
-rejected:4285
-virus:578

-- W-2 --
spam:522
ham:1024
rejected:4258
-virus:720

-- W-3 --
spam:544
ham:863
rejected:3437
-virus:474

-- W-4 --
spam:477
ham:1269
rejected:4003
-virus:467

notice that I extra-classify spam from hotmail, msn, *mail.*, aol by blacklist (sa=100)

this domain has never had so much spam in the spambox, even filtered by spamcop itself with all BLs activated (account 30$/year)

I will try to understand SA a little more to get better results.
 
Hello,

This is still an issue and caused massive headaches for me.

My DA server was rejecting all mail from Gmail. Apparently some of Gmail's servers are blacklisted on some of the blacklist services that SpamBlocker uses. So SpamBlocker was rejecting valid emails from Gmail accounts.

So I used the "whitelist_domains" file. I added gmail.com, yahoo.com and all other domains that I knew NOT to be spammers.

I wanted all mail from these domains to pass through the Spam Blocker filters and arrive in my Inbox. So far so good. That works fine.

Problem is that someone started to relay spam through my server. They pretended to be mailing from Yahoo by sending a spoofed yahoo.com "From" address; DA accepted the email, no questions asked, AND **relayed** it anywhere. That is the problem. Those mails should pass SpamBlocker, but they should fail the relaying.

In the end my server ran out of inodes due to the million-odd messages in the exim queue. I eventually had to remove my whitelist_domains file to rectify the problem.

The solution as I see it is for domains listed in whitelist_domains to be allowed ONLY for local delivery. Anything else must fall through to the next test. Which means local users will pass because they are authenticated or are in the pop_hosts file. Other unauthorised users will fail.

Does this make sense? Anyone not agree?


Regards,

Mustapha
 
mbaboo said:
This is still an issue and caused massive headaches for me.

Problem is that someone started to relay spam through my server. They pretended to be mailing from Yahoo by sending a spoofed yahoo.com "From" address; DA accepted the email, no questions asked, AND **relayed** it anywhere. That is the problem. Those mails should pass SpamBlocker, but they should fail the relaying.

I agree. I have the exact same problem, except it's not with gmail but with a different provider, one of the largest providers in my country unfortunately, so I cannot have them blacklisted. But if I whitelist them (the way it currently works) it causes problems as well.

Can someone please come up with a clever solution to have the ability to have domains whitelisted for spamblocker, without that automatically meaning it allows full relay for that domain?
 
Those who have exim 4.6x can use this in an ACL

#
drop message = Faked Yahoo
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
#

You don't have to use any whitelist; whitelisting is bad.
 
Thanks for that tip! Unfortunately I'm still using 4.5 and upgrading is not an option (at least not at this moment).

Although your solution may work, I really would like to see a solution in spamblocker itself if possible.

The way I see it, if a domain is whitelisted, it should only mean that the "from" domain should be accepted, regardless of whether it's blacklisted somewhere or not, but ONLY if the recipient address is an account on my server. (At least I think that's how it should work).
 
xemaps said:
Those who have exim 4.6x can use this in an ACL

#
drop message = Faked Yahoo
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
#

You don't have to use any whitelist; whitelisting is bad.

am I right that this will still allow legit Yahoo email through?
 
Please try and help make it better if you find this ACL wrong ;-)
notice the no / yes order
 
mbaboo said:
Hello,

This is still an issue and caused massive headaches for me.

My DA server was rejecting all mail from Gmail. Apparently some of Gmail's servers are blacklisted on some of the blacklist services that SpamBlocker uses. So SpamBlocker was rejecting valid emails from Gmail accounts.

So I used the "whitelist_domains" file. I added gmail.com, yahoo.com and all other domains that I knew NOT to be spammers.

I wanted all mail from these domains to pass through the Spam Blocker filters and arrive in my Inbox. So far so good. That works fine.

Problem is that someone started to relay spam through my server. They pretended to be mailing from Yahoo by sending a spoofed yahoo.com "From" address; DA accepted the email, no questions asked, AND **relayed** it anywhere. That is the problem. Those mails should pass SpamBlocker, but they should fail the relaying.

In the end my server ran out of inodes due to the million-odd messages in the exim queue. I eventually had to remove my whitelist_domains file to rectify the problem.

The solution as I see it is for domains listed in whitelist_domains to be allowed ONLY for local delivery. Anything else must fall through to the next test. Which means local users will pass because they are authenticated or are in the pop_hosts file. Other unauthorised users will fail.

Does this make sense? Anyone not agree?


Regards,

Mustapha

Same spam issue here! Someone please sticky this thread!
 
Warning: Avoid using the whitelist domains file. It allows relays; that's how it was set up for the spamblocker scripts.
 
xemaps said:
Those who have exim 4.6x can use this in an ACL

#
drop message = Faked Yahoo
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
#

You don't have to use any whitelist; whitelisting is bad.


Has this been confirmed to be a working solution?
I'm just trying to verify that this is what I need to do for:

#
drop message = Faked Microsoft
senders = *@microsoft.com
condition = ${if match {$sender_host_name}{\Nmicrosoft.com$\N}{no}{yes}}
#


#
drop message = Faked Gmail
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\Ngmail.com$\N}{no}{yes}}
#

etc.. etc..?

I believe there are about 10 or so 'famous' domains that I need to allow to send emails to my users on my server and I don't mind adding as many lines as it takes to exim, if this works.

BTW, is there a preference, or does order matter as to where this bit should be placed in the exim.conf file?

Please let me know.

Thanks,

-Alon.
 