Open Relay - Masses of Spam being sent

You can try and adapt it;
this works for me.
Copy that before the following line to avoid the load and DNS checks:

require verify = sender

################
# FORGED MAIL CHECKS#
################

#host name based !

drop message = Forged Yahoo mail, connection denied!
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
delay = 20s

drop message = Forged hotmail mail, connection denied!
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}
delay = 20s

drop message = Forged MSN mail, connection denied!
senders = *@msn.com
condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}
delay = 20s

drop message = Forged AOL mail, connection denied!
senders = *@aol.com
condition = ${if match {$sender_host_name}{\Naol.com$\N}{no}{yes}}
delay = 20s

drop message = Forged Netscape Mail, connection denied!
senders = *@netscape.com
condition = ${if match {$sender_host_name}{\Nnetscape.com$\N}{no}{yes}}
delay = 20s

drop message = Forged Netscape Mail, connection denied!
senders = *@netscape.net
condition = ${if match {$sender_host_name}{\Nnetscape.net$\N}{no}{yes}}
delay = 20s

drop message = Forged Comcast Mail, connection denied!
senders = *@comcast.net
condition = ${if match {$sender_host_name}{\Ncomcast.net$\N}{no}{yes}}
delay = 20s

drop message = Forged Comcast Mail, connection denied!
senders = *@comcast.com
condition = ${if match {$sender_host_name}{\Ncomcast.com$\N}{no}{yes}}
delay = 20s

drop message = Forged Verizon Mail, connection denied!
senders = *@verizon.com
condition = ${if match {$sender_host_name}{\Nverizon.com$\N}{no}{yes}}
delay = 20s

drop message = Forged Verizon Mail, connection denied!
senders = *@verizon.net
condition = ${if match {$sender_host_name}{\Nverizon.net$\N}{no}{yes}}
delay = 20s

drop message = Forged Paypal Mail, connection denied!
senders = *@paypal.com
condition = ${if match {$sender_host_name}{\Npaypal.com$\N}{no}{yes}}
delay = 20s

drop message = Forged Prodigy Mail, connection denied!
senders = *@prodigy.com
condition = ${if match {$sender_host_name}{\Nprodigy.com$\N}{no}{yes}}
delay = 20s

drop message = Forged Prodigy Mail, connection denied!
senders = *@prodigy.net
condition = ${if match {$sender_host_name}{\Nprodigy.net$\N}{no}{yes}}
delay = 20s

drop message = Forged RoadRunner Mail, connection denied!
senders = *@rr.com
condition = ${if match {$sender_host_name}{\Nrr.com$\N}{no}{yes}}
delay = 20s

drop message = Forged RoadRunner Mail, connection denied!
senders = *@rr.net
condition = ${if match {$sender_host_name}{\Nrr.net$\N}{no}{yes}}
delay = 20s

drop message = Forged Gmail, connection denied!
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\Ngmail.com$\N}{no}{yes}}
delay = 20s

#helo based !

drop message = Forged HELO: you are not $sender_helo_name
condition = ${if match {$sender_helo_name}\
{^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)\$}}
delay = 20s
 
xemaps said:
You can try and adapt it;
this works for me.
Copy that before the following line to avoid the load and DNS checks:

require verify = sender

################
# FORGED MAIL CHECKS#
################

#host name based !

drop message = Forged Yahoo mail, connection denied!
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}
delay = 20s

drop message = Forged hotmail mail, connection denied!
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}
delay = 20s

#helo based !

drop message = Forged HELO: you are not $sender_helo_name
condition = ${if match {$sender_helo_name}\
{^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)\$}}
delay = 20s

I hate to be a pain, but I'd like to make sure that I understand what I'm doing. Sometimes, explicit examples like the ones you gave are simply the best way for me to follow and append as necessary.


require verify = sender

Currently it is disabled on my server. However, when users want to send mail out, they have to have the "my outgoing server requires authentication" checkbox enabled; otherwise, they cannot send mail.
Is that the same thing? I'm thinking it is not, but I'm not sure.

Second,

drop message = Forged hotmail mail, connection denied!
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}
delay = 20s


That is your bit.
Does the next bit need to match it?

drop message = Forged HELO: you are not $sender_helo_name
condition = ${if match {$sender_helo_name}\
{^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)\$}}
delay = 20s

The reason I ask is because I don't understand what a Forged HELO is,
or better put, is this a different check than the former specific host names?
If I add, for instance, microsoft.com as a new host, do I need to add it both in the:

drop message = Forged Microsoft, connection denied!
senders = *@microsoft.com
condition = ${if match {$sender_host_name}{\Nmicrosoft.com$\N}{no}{yes}}
delay = 20s

AND in here:

drop message = Forged HELO: you are not $sender_helo_name
condition = ${if match {$sender_helo_name}\
{^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com|microsoft\.com)\$}}
delay = 20s

Last, does order matter?

I mean, does this part of the code need to be placed BEFORE the filters, or after the filters, or does it not matter at all?

Thanks for the contribution.

-Alon.
 
I think you have to read the Exim manual; possibly it will be clear after.

require_verify = sender
just makes a verification that the sender exists, aka a real mailbox...

For the rules, yes, it does matter:
put on top the ones most targeted on your system.
5 or 20 such 'light' rules will not affect your server.

It is important to make this verification BEFORE DNS checking because it costs time and power for the server.
Better to reject before using the DNSRBL, then SpamAssassin.

Make your own cooking now.
 
xemaps said:
I think you have to read the Exim manual; possibly it will be clear after.

require_verify = sender
just makes a verification that the sender exists, aka a real mailbox...

For the rules, yes, it does matter:
put on top the ones most targeted on your system.
5 or 20 such 'light' rules will not affect your server.

It is important to make this verification BEFORE DNS checking because it costs time and power for the server.
Better to reject before using the DNSRBL, then SpamAssassin.

Make your own cooking now.

Well.... before I try to cook anything (at best I can boil an egg), I checked some feedback at the Exim newsgroup to verify any action I take. Here is a snippet of a response that I got:

The question I asked them was:

Should I enable require_verify = sender or not?
> 5. If this is such a good feature, why would it be disabled...

- Not all senders' servers can/do respond properly or promptly to the query.

- Some very large / major ISPs do not have usable DNS records for their 'pools'
of servers.

- Many operators do not appreciate being hit with the query.

- A few may even blacklist those who attempt such queries.

Feature is perhaps at its best when used within a known-responsive environment -
say one company's intranet or a 'pool' of MX or relay hosts.

hosts / !hosts and hostlists or lookups can be used to specify which/which-not
to apply it to if you choose to use it.

Bill

Hmm.. getting myself blacklisted.. that doesn't sound good.
But assuming that is not the issue, if legitimate large providers fail to adhere to this requirement, I'll be fighting windmills and I'll have really angry users at my end.

EDIT:

I'm still not clear about one thing:

Does this code bit allow those domains to send mail to the server even if they appear in a blacklist further down?
My question is, if I'm using sbl-xbl.spamhaus.org and they blacklist microsoft.com, will this safely "whitelist" the domain "microsoft.com"?
I'm looking for such a particular solution.

Thanks,

-Alon.
 
Hi All,

With further checks, I've noticed that I have a few mail service providers
that are listed as FREE email providers.
That does not mean by itself that they are spammers.

I'm using:

dnslists = blackholes.five-ten-sg.com

as one of the filters.
It is very effective, but it also blocks one of our large free mail providers.
Will the following syntax work to still use the filter, with the exception of
denying the free servers?


# deny using blackholes.five-ten-sg.com
deny message = Email blocked by FIVETEN - to unblock see
http://www.myserver.com/spamlist.html
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = blackholes.five-ten-sg.com!=127.0.0.12


http://www.five-ten-sg.com/blackhole.php?ip=192.118.71.127&Search=Search

thanks for the input,

- Alon
 
dan35 said:
Warning: Avoid using the whitelist domains file. It allows relays, that's how it was setup for the spamblocker scripts.
This statement is totally untrue. We've been using whitelist_domains since I wrote the SpamBlocker exim.conf file and we've never been an open relay.

All you have to do is make sure you use it with some understanding. Don't use it for any domains on the server, and don't use it for domains popularly used by spoofers.


Or use it with the Forged Mail Checks ACL addition found in this thread.

Jeff
 
SupermanInNY said:
I'm using:

dnslists = blackholes.five-ten-sg.com

as one of the filters.
It is very effective, but it also blocks one of our large free mail providers.
Will the following syntax work to still use the filter, with the exception of
denying the free servers?

# deny using blackholes.five-ten-sg.com
deny message = Email blocked by FIVETEN - to unblock see
http://www.myserver.com/spamlist.html
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = blackholes.five-ten-sg.com!=127.0.0.12
That depends on what 127.0.0.12 means in that blocklist.

This code means that every returned server in the blocklist will be checked to see what IP# is listed with it, and if 127.0.0.12 is the IP# listed, it won't be blocked; otherwise it will be.

Why not just find out the servers being blocked by the blocklist and put them into whitelist_hosts?

That should do what you want.

Jeff
 
jlasman said:
That depends on what 127.0.0.12 means in that blocklist.

This code means that every returned server in the blocklist will be checked to see what IP# is listed with it, and if 127.0.0.12 is the IP# listed, it won't be blocked; otherwise it will be.

Why not just find out the servers being blocked by the blocklist and put them into whitelist_hosts?

That should do what you want.

Jeff

Hi Jeff,

Great to get the feedback from you :).

Sorry for the double post (as you probably saw it in the other thread).
My understanding is that you believe that whitelists + matching_acl_forged_email_check will do the trick to allow for safe APPROVAL of senders.

As xemaps explained, ORDER matters and as such, I want to configure the exim.conf file correctly to make sure it is both effective, correct, safe and economic.

Effective - add the needed filters that block the spam - not just adding lists to no end, but using the most used lists. No point in adding BLARS as it seems to block half the world, but sbl-xbl.spamhaus.org seems to be just as effective, and is not blocking "everyone" so aggressively.

Correct - "who's on first":

Which check should precede the other check?

Here are snippets of the exim.conf in the order that I have it. Would you re-arrange it differently? AND, do you have #require verify = sender enabled on your servers? Or is it too restrictive?

------------------------------------------------------------

#require verify = sender

###################################################################
# FORGED MAIL CHECKS #
###################################################################

# host name based !


drop message = Forged Microsoft, connection denied!
senders = *@microsoft.com
condition = ${if match {$sender_host_name}{\Nmicrosoft.com$\N}{no}{yes}}
delay = 20s


#helo based !

drop message = Forged HELO: you are not $sender_helo_name
condition = ${if match {$sender_helo_name}\
{^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)\$}}
delay = 20s


###################################################################
# FILTER CHECK - RBL subscriptions #
###################################################################


# deny using .spamhaus
deny message = Email blocked by SPAMHAUS SBL+XBL- to unblock see http://www.shev.com/spamlistschecker.html
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
dnslists = sbl-xbl.spamhaus.org


# deny using ordb
deny message = Email blocked by ORDB - to unblock see http://www.shev.com/spamlistschecker.html
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
dnslists = relays.ordb.org

# deny using sorbs smtp list
deny message = Email blocked by SORBS - to unblock see http://www.shev.com/spamlistschecker.html
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
dnslists = dnsbl.sorbs.net=127.0.0.5


# accept if address is in a local domain as long as recipient can be verified
accept domains = +local_domains
endpass
message = "Unknown User"
verify = recipient

# accept if address is in a domain for which we relay as long as recipient
# can be verified
accept domains = +relay_domains
endpass
verify=recipient

---------------------------------------------------------------

Safe: USING the snippet above, would it be safe to put microsoft.com in the whitelist_domains file? I don't have enough understanding of what the FORGED MAIL check actually does and how it 'verifies' the sender's true identity - can it be 'faked' or spoofed in some way?


Economic: This actually ties back to the Effective construct. If the Forged check fails, does it stop the check and Reject? Also, going back to the reply you had for the exclusion of IPs, I think you confirmed my understanding, but somehow the wording you chose didn't leave me assured that I actually did understand, so I'll rephrase your answer in layman's words and see if you agree or disagree with it:

# deny using blackholes.five-ten-sg.com
deny message = Email blocked by FIVETEN - to unblock see
http://www.myserver.com/spamlist.html
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = blackholes.five-ten-sg.com!=127.0.0.12

In the above bit, the check will DENY and REJECT any email whose IP is listed in the blackholes.five-ten-sg.com list, excluding those that are labeled/marked with 127.0.0.12. That means that if an IP is found in the RBL and is labeled/marked with 127.0.0.4 it will be REJECTED, but if it is labeled/marked with 127.0.0.12 it will be APPROVED.

AND TWO last things in the Economic:
1. if I whitelist a domain, does it go through the RBL checks still?
2. Assuming I want to exclude 127.0.0.12 and 127.0.0.8 what is the syntax to exclude from both?
is it:
blackholes.five-ten-sg.com!=127.0.0.12 || 127.0.0.8

Or is it:

blackholes.five-ten-sg.com!=127.0.0.12 && 127.0.0.8

Thanks for the input.

-Alon.
 
jlasman said:
This statement is totally untrue. We've been using whitelist_domains since I wrote the SpamBlocker exim.conf file and we've never been an open relay.

All you have to do is make sure you use it with some understanding. Don't use it for any domains on the server, and don't use it for domains popularly used by spoofers.

Jeff


Hi Jeff,

But that is a problem. SpamBlocker regularly blocks mail from Gmail. I'm not sure what problem the various spam databases have with Gmail's mail server.

Nonetheless that means that legitimate Gmail mail is not coming through. So I HAD to add gmail.com to the whitelist_domains. I could not ignore them as you suggest. That is when my server got used as a relay by someone spoofing a Gmail address.

I've since moved to using whitelist_from to allow through specific email addresses but as you can imagine, this is a nightmare to maintain. But it's better than having my server killed by a spammer.

Regards,

Mustapha
 
Originally posted by jlasman
This statement is totally untrue. We've been using whitelist_domains since I wrote the SpamBlocker exim.conf file and we've never been an open relay.

All you have to do is make sure you use it with some understanding. Don't use it for any domains on the server, and don't use it for domains popularly used by spoofers.


Or use it with the Forged Mail Checks ACL addition found in this thread.

Jeff



I disagree, jlasman! Many servers got blocked due to the open relays caused by the whitelist_domains file. One of my servers got into a spam list too since I put yahoo in its whitelist_domains file. 2GB-4GB of spam was sent through my server daily.
So I complained to DirectAdmin 'cause DA installed it by default, and I didn't see any warning about the whitelist_domains file in the config files.
Then John told me to avoid using the whitelist domains file because it allows relays, that's how it was setup for the spamblocker scripts.

So I have to warn other people to go to this thread if they don't want their servers in the spam blocklists.
 
mbaboo said:
Hi Jeff,

But that is a problem. SpamBlocker regularly blocks mail from Gmail. I'm not sure what problem the various spam databases have with Gmail's mail server.

Nonetheless that means that legitimate Gmail mail is not coming through. So I HAD to add gmail.com to the whitelist_domains. I could not ignore them as you suggest. That is when my server got used as a relay by someone spoofing a Gmail address.

I've since moved to using whitelist_from to allow through specific email addresses but as you can imagine, this is a nightmare to maintain. But it's better than having my server killed by a spammer.

Regards,

Mustapha

You may comment out the spamcop section in exim.conf. Spamcop blocks some Gmail servers. And spamcop is very aggressive, so many people in here don't like it either.

# deny using spamcop
# deny message = Email blocked by SPAMCOP - to unblock see http://yourdomain.com
# hosts = !+relay_hosts
# domains = +use_rbl_domains
# !authenticated = *
# dnslists = bl.spamcop.net
 
SupermanInNY said:
Hi Jeff,

Great to get the feedback from you :).

Alon, I like the order you're using; in fact we're experimenting with the same order now, on one of our testbeds that gets thousands of spams daily.
My understanding is that you believe that whitelists + matching_acl_forged_email_check will do the trick to allow for safe APPROVAL of senders.
It will cause its own set of problems since plenty of people may use their gmail return address or their hotmail return address, plus their own server. No easy way to resolve these issues until something like SPF becomes mandatory and I don't see that happening this year or next.
Effective - add the needed filters that block the spam - not just adding lists to no end, but using the most used lists. No point in adding BLARS as it seems to block half the world, but sbl-xbl.spamhaus.org seems to be just as effective, and is not blocking "everyone" so aggressively.
People differ in their ideas of course :) .
Which check should precede the other check?
Let's leave it this way until we see more information in the logs. I like it this way because the domain checks don't use any DNS lookups at all, and therefore use less resources.
Here are snippets of the exim.conf in the order that I have it. Would you re-arrange it differently?
I don't think so.
AND, do you have #require verify = sender enabled on your servers? Or is it too restrictive?
I'd love to enable it but I don't because I think it is too restrictive.
AND TWO last things in the Economic:
1. if I whitelist a domain, does it go through the RBL checks still?
No.
2. Assuming I want to exclude 127.0.0.12 and 127.0.0.8 what is the syntax to exclude from both?
is it:
blackholes.five-ten-sg.com!=127.0.0.12 || 127.0.0.8

Or is it:

blackholes.five-ten-sg.com!=127.0.0.12 && 127.0.0.8
At this hour of the morning, having been up all the preceding day, I'm not sure :) . You can always read the exim docs :) :) .
Thanks for the input.
You're welcome.

Jeff
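The `!=127.0.0.12` qualifier Jeff explains above, and his answer that a whitelisted host never reaches the RBL checks, modelled in Python as an added example (not code from the thread or from SpamBlocker). A constructed answer table stands in for real DNS; the `FAKE_DNSBL` entries, `WHITELIST_HOSTS` and the TEST-NET client IPs are this example's assumptions.

```python
# Constructed DNSBL answers: (zone, client IP) -> A records that a query for
# <reversed IP>.<zone> would return. Client IPs are TEST-NET-1 addresses.
FAKE_DNSBL = {
    ("blackholes.five-ten-sg.com", "192.0.2.10"): ["127.0.0.12"],
    ("blackholes.five-ten-sg.com", "192.0.2.11"): ["127.0.0.4"],
    ("dnsbl.sorbs.net", "192.0.2.12"): ["127.0.0.5"],
    ("dnsbl.sorbs.net", "192.0.2.13"): ["127.0.0.6"],
}
WHITELIST_HOSTS = {"192.0.2.11"}  # constructed contents of +whitelist_hosts
QUERIES = []                      # names Exim would have sent to the resolver


def dnsbl_query(zone, client_ip):
    """Look up <reversed IP>.<zone>; an empty list stands for NXDOMAIN."""
    name = ".".join(reversed(client_ip.split("."))) + "." + zone
    QUERIES.append(name)
    return FAKE_DNSBL.get((zone, client_ip), [])


def parse_dnslist_item(item):
    """'zone', 'zone=a,b' or 'zone!=a,b' -> (zone, negated, set of addresses)."""
    for op, negated in (("!=", True), ("=", False)):
        if op in item:
            zone, addrs = item.split(op, 1)
            return zone, negated, set(addrs.split(","))
    return item, False, set()


def dnslists_matches(item, client_ip):
    """True when the dnslists condition holds, i.e. the deny would fire.
    Only a single returned A record is modelled, as in the thread's discussion;
    Exim's rules for several returned records are not reproduced here."""
    zone, negated, wanted = parse_dnslist_item(item)
    answers = dnsbl_query(zone, client_ip)
    if not answers:
        return False      # not listed: no match for '=', '!=' or the plain form
    if not wanted:
        return True       # plain zone name: any listing matches
    hit = answers[0] in wanted
    return not hit if negated else hit


# The relevant ACL statements in the order the thread settled on: the host
# whitelist accept first, then the RBL denies. Each entry is (verb, condition).
ACL = [
    ("accept", lambda ip: ip in WHITELIST_HOSTS),
    ("deny", lambda ip: dnslists_matches("blackholes.five-ten-sg.com!=127.0.0.12", ip)),
    ("deny", lambda ip: dnslists_matches("dnsbl.sorbs.net=127.0.0.5", ip)),
]


def run_acl(client_ip, acl=ACL):
    """The first statement whose condition holds decides. Falling off the end is
    'accept' here only because the real config continues with recipient checks."""
    for verb, condition in acl:
        if condition(client_ip):
            return verb
    return "accept"


def lookups_made(client_ip):
    """Run the ACL for one client and return (verdict, DNS queries it caused)."""
    QUERIES.clear()
    verdict = run_acl(client_ip)
    return verdict, list(QUERIES)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.20"):
        verdict, queries = lookups_made(ip)
        print(f"{ip:12} {verdict:7} lookups: {queries or 'none'}")
```

The 192.0.2.10 client is listed with 127.0.0.12 and is accepted, 192.0.2.11 is whitelisted and causes no lookups at all, and 192.0.2.12 is denied only because SORBS returned exactly 127.0.0.5.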
 
dan35 said:
I disagree, jlasman! Many servers got blocked due to the open relays caused by the whitelist_domains file. One of my servers got into a spam list too since I put yahoo in its whitelist_domains file. 2GB-4GB of spam was sent through my server daily.
And that's somehow my fault? Okay. I fully accept responsibility for your misuse of my tool.
So I complained to DirectAdmin 'cause DA installed it by default, and I didn't see any warning about the whitelist_domains file in the config files.
Then John told me to avoid using the whitelist domains file because it allows relays, that's how it was setup for the spamblocker scripts.
I think that it's simplistic to say it was designed to allow you to be an open relay. It was designed to give you flexibility. We use its flexibility and have never been an open relay. I'm sure others do as well.
So I have to warn other people to go to this thread if they don't want their servers in the spam blocklists.
Or of course you could spend your time creating your own solution.

Jeff
 
I just saw these entries in my exim rejectlog (after adding the forged mail ACLs mentioned in this thread)...

Code:
2006-10-25 09:25:55 H=ug-out-1314.google.com [66.249.92.172] F=<[email protected]> rejected RCPT <***removed***>: Forged Gmail, connection denied!
2006-10-25 09:49:58 H=ug-out-1314.google.com [66.249.92.171] F=<[email protected]> rejected RCPT <***removed***>: Forged Gmail, connection denied!

Do you think that changing this...

Code:
drop message = Forged Gmail, connection denied!
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\Ngmail.com$\N}{no}{yes}}
delay = 20s

to this is a good idea? It seems to fix the problem for me.

Code:
drop message = Forged Gmail, connection denied!
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\N(gmail|google).com$\N}{no}{yes}}
delay = 20s
 
Problems in Paradise

I'm beginning to see some problems with this addition to exim.conf:

1) drop is probably not the best solution because any errors are not communicated back to the sender. I prefer to use deny because that way the sender sees a refusal to connect. Spammers ignore it, but legitimate senders get it bounced back from their mail server and know their email didn't go through; kind of like the way the blocklists work now.

Can this happen? Absolutely. How? For example if [email protected] is travelling with his laptop and wants to send an email with his comcast.net address but can't use his comcast.net server because he's not on the network. At least if you use deny he'll get bounced and can apply to be on your whitelist (at least he can if you've set up a whitelist page).

2) the delay = 20s isn't necessary at all; all it does in a drop is make the server wait before testing the next address. And it means the log entries generated will be separated with perhaps a lot of unrelated entries between them, making it hard to trace in the logs. Admittedly some spam servers won't wait that long and will give up, but not enough to make it worthwhile compared to the inconvenience in checking logs.

3) This section:
Code:
#helo based !

drop message = Forged HELO: you are not $sender_helo_name
condition = ${if match {$sender_helo_name}\
{^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)\$}}
delay = 20s
doesn't work. In fact, in the systems we tested, it causes email to completely break for incoming and outgoing email with this error:
2006-10-26 11:29:06 H=hermes1.example.net [123.45.67.8] F=<[email protected]> temporarily rejected RCPT <[email protected]>: failed to expand ACL string "${if match {$sender_helo_name}\{^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)\$}}": missing 2nd string in {} after "match"
because it's missing the {no}{yes} section; it should look like this:
Code:
drop message = Forged HELO: you are not $sender_helo_name
condition = ${if match {$sender_helo_name}\
{^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)\$}{no}{yes}}
delay = 20s
Fortunately it causes only a temporary rejection so as long as you fix the problem within four days no email should be lost.

4) But even after the helo based section is fixed as above it still fails ALL email that comes from any other sender except for gmail, msn, yahoogroups, and aol. The condition should only be evaluated on a match {sender_helo_name} that evaluates to one of the same senders. This isn't a hypothetical issue; I tested thoroughly.

I've commented out the helo based section on the servers where I'm beta testing; I hope the original author will do the fix for us.

That said, it's great code and I look forward to using it in the next SpamBlocker exim.conf release.

Jeff
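The hostname and HELO rules discussed in this thread, modelled in Python as an added example (not code from the thread or from the SpamBlocker exim.conf): it evaluates the posted `senders`/`condition` pairs the way Exim does, including the gmail.com-via-google.com false positive from the rejectlog and the inverted HELO logic Jeff describes in point 4. The `HELO_CLAIMS` mapping, the sample connections and the tighter `(^|\.)` anchoring are this example's assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    sender: str     # envelope sender (MAIL FROM), e.g. user@yahoo.com
    host_name: str  # $sender_host_name: reverse DNS of the connecting IP
    helo_name: str  # $sender_helo_name: what the client said in HELO/EHLO


def exim_if_match(subject, regex, then_str, else_str):
    """${if match {subject}{regex}{then}{else}}: an unanchored regex search,
    so the posted 'yahoo.com$' also matches a host called notyahoo.com."""
    return then_str if re.search(regex, subject) else else_str


def exim_condition(value):
    """Exim's 'condition' option: true for yes/true or a non-zero number."""
    v = value.strip().lower()
    return v in ("yes", "true") or (v not in ("no", "false", "") and int(v) != 0)


def senders_match(pattern, sender):
    """Address-list item of the form *@domain (the only form the thread uses)."""
    return sender.lower().endswith("@" + pattern[2:].lower())


def hostname_rule(conn, sender_pattern, host_regex):
    """One posted rule: senders = *@domain plus
    condition = ${if match {$sender_host_name}{host_regex}{no}{yes}}.
    Returns True when the drop/deny would fire."""
    if not senders_match(sender_pattern, conn.sender):
        return False  # 'senders' did not match, so the verb is skipped
    return exim_condition(exim_if_match(conn.host_name, host_regex, "no", "yes"))


HELO_REGEX = r"^(gmail\.com|msn\.com|yahoogroups\.com|aol\.com)$"


def helo_rule_as_posted(conn):
    """The HELO rule after only the missing {no}{yes} is added (Jeff's point 4):
    it fires for every HELO that is NOT one of the four names, and lets a
    client that actually claims to be gmail.com straight through."""
    return exim_condition(exim_if_match(conn.helo_name, HELO_REGEX, "no", "yes"))


# What the rule apparently meant: a HELO claiming one of these domains must come
# from a host under a matching name. This mapping is the example's assumption.
HELO_CLAIMS = {
    "gmail.com": r"\.(gmail|google)\.com$",
    "msn.com": r"\.(hotmail|msn)\.com$",
    "yahoogroups.com": r"\.yahoogroups\.com$",
    "aol.com": r"\.aol\.com$",
}


def helo_rule_fixed(conn):
    """Fire only when the HELO name claims a listed domain and $sender_host_name
    is not under a host name belonging to that domain."""
    helo = conn.helo_name.lower()
    for domain, host_regex in HELO_CLAIMS.items():
        if helo == domain or helo.endswith("." + domain):
            return re.search(host_regex, conn.host_name.lower()) is None
    return False


# Constructed connections. ug-out-1314.google.com and hermes1.example.net are
# the hosts from the rejectlog lines quoted in the thread; the rest are made up.
LEGIT_YAHOO = Conn("user@yahoo.com", "web12345.mail.yahoo.com", "web12345.mail.yahoo.com")
FORGED_YAHOO = Conn("user@yahoo.com", "dsl-1-2-3-4.isp.example", "dsl-1-2-3-4.isp.example")
SUFFIX_TRICK = Conn("user@yahoo.com", "notyahoo.com", "notyahoo.com")
GMAIL_VIA_GOOGLE = Conn("user@gmail.com", "ug-out-1314.google.com", "ug-out-1314.google.com")
OTHER_DOMAIN = Conn("user@example.net", "hermes1.example.net", "hermes1.example.net")
FORGED_HELO = Conn("user@example.org", "dsl-1-2-3-4.isp.example", "gmail.com")


def evaluate_all():
    """Map each case to whether the rule variant fires (True = mail refused)."""
    yahoo, yahoo_tight = r"yahoo.com$", r"(^|\.)yahoo\.com$"
    return {
        "yahoo_legit": hostname_rule(LEGIT_YAHOO, "*@yahoo.com", yahoo),
        "yahoo_forged": hostname_rule(FORGED_YAHOO, "*@yahoo.com", yahoo),
        "yahoo_suffix_trick_posted": hostname_rule(SUFFIX_TRICK, "*@yahoo.com", yahoo),
        "yahoo_suffix_trick_anchored": hostname_rule(SUFFIX_TRICK, "*@yahoo.com", yahoo_tight),
        "gmail_via_google_posted": hostname_rule(GMAIL_VIA_GOOGLE, "*@gmail.com", r"gmail.com$"),
        "gmail_via_google_fixed": hostname_rule(GMAIL_VIA_GOOGLE, "*@gmail.com", r"(gmail|google).com$"),
        "other_domain_helo_posted": helo_rule_as_posted(OTHER_DOMAIN),
        "other_domain_helo_fixed": helo_rule_fixed(OTHER_DOMAIN),
        "forged_helo_posted": helo_rule_as_posted(FORGED_HELO),
        "forged_helo_fixed": helo_rule_fixed(FORGED_HELO),
    }


if __name__ == "__main__":
    for case, fired in evaluate_all().items():
        print(f"{case:30} {'REFUSED' if fired else 'accepted'}")
```

Note that the posted HELO rule refuses the ordinary hermes1.example.net connection and accepts the client that falsely HELOs as gmail.com, which is the behaviour the rejectlog line in point 3 and the observation in point 4 describe.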
 
Jeff, you make a lot of good points. Thank you for your input. After taking your and others' advice I have come up with the following changes to my exim.conf. I realized that some of the existing ACLs really needed to move above the forged header checks to work. I had never included the forged HELO code in my config as I had not had time to look at it closely enough that I was comfortable with it yet.

I am including my exim.conf file from the beginning of the ACL section to the Optional Modification section of the ACL section. These changes seem to be working well for me now.

Code:
######################################################################
#                               ACLs                                 #
######################################################################

begin acl

# ACL that is used after the RCPT command
check_recipient:

# to block certain wellknown exploits, Deny for local domains if
# local parts begin with a dot or contain @ % ! / |
  deny  domains       = +local_domains
        local_parts   = ^[.] : ^.*[@%!/|]

# to restrict port 587 to authenticated users only
# see also daemon_smtp_ports above
accept  hosts = +auth_relay_hosts
        condition = ${if eq {$interface_port}{587} {yes}{no}}
        endpass
        message = relay not permitted, authentication required
        authenticated = *

# allow local users to send outgoing messages using slashes
# and vertical bars in their local parts.
# Block outgoing local parts that begin with a dot, slash, or vertical
# bar but allows them within the local part.
# The sequence \..\ is barred. The usage of @ % and ! is barred as
# before. The motivation is to prevent your users (or their virii)
# from mounting certain kinds of attacks on remote sites.
  deny  domains       = !+local_domains
        local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

# local source whitelist
# accept if the source is local SMTP (i.e. not over TCP/IP).
# Test for this by testing for an empty sending host field.
  accept  hosts = :

### the following checks need to happen before forged header checks

# envelope senders whitelist
# accept if envelope sender is in whitelist
  accept  senders = +whitelist_senders

# accept mail to postmaster in any local domain, regardless of source
  accept  local_parts = postmaster
          domains     = +local_domains

# accept mail to abuse in any local domain, regardless of source
  accept  local_parts = abuse
          domains     = +local_domains

# accept mail to hostmaster in any local domain, regardless of source
  accept  local_parts = hostmaster
          domains     = +local_domains

### modify for your organization
# accept mail to ***@somewhere.org, regardless of source
  accept  local_parts = ***
          domains     = somewhere.org

### Check for forged headers

deny message = Forged Yahoo mail, to unblock send email to ***@somewhere.org
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}

deny message = Forged hotmail mail, to unblock send email to ***@somewhere.org
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}

deny message = Forged MSN mail, to unblock send email to ***@somewhere.org
senders = *@msn.com
condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}

deny message = Forged AOL mail, to unblock send email to ***@somewhere.org
senders = *@aol.com
condition = ${if match {$sender_host_name}{\Naol.com$\N}{no}{yes}}

deny message = Forged Netscape Mail, to unblock send email to ***@somewhere.org
senders = *@netscape.com
condition = ${if match {$sender_host_name}{\Nnetscape.com$\N}{no}{yes}}

deny message = Forged Netscape Mail, to unblock send email to ***@somewhere.org
senders = *@netscape.net
condition = ${if match {$sender_host_name}{\Nnetscape.net$\N}{no}{yes}}

deny message = Forged Comcast Mail, to unblock send email to ***@somewhere.org
senders = *@comcast.net
condition = ${if match {$sender_host_name}{\Ncomcast.net$\N}{no}{yes}}

deny message = Forged Comcast Mail, to unblock send email to ***@somewhere.org
senders = *@comcast.com
condition = ${if match {$sender_host_name}{\Ncomcast.com$\N}{no}{yes}}

deny message = Forged Verizon Mail, to unblock send email to ***@somewhere.org
senders = *@verizon.com
condition = ${if match {$sender_host_name}{\Nverizon.com$\N}{no}{yes}}

deny message = Forged Verizon Mail, to unblock send email to ***@somewhere.org
senders = *@verizon.net
condition = ${if match {$sender_host_name}{\Nverizon.net$\N}{no}{yes}}

deny message = Forged Paypal Mail, to unblock send email to ***@somewhere.org
senders = *@paypal.com
condition = ${if match {$sender_host_name}{\Npaypal.com$\N}{no}{yes}}

deny message = Forged Prodigy Mail, to unblock send email to ***@somewhere.org
senders = *@prodigy.com
condition = ${if match {$sender_host_name}{\Nprodigy.com$\N}{no}{yes}}

deny message = Forged Prodigy Mail, to unblock send email to ***@somewhere.org
senders = *@prodigy.net
condition = ${if match {$sender_host_name}{\Nprodigy.net$\N}{no}{yes}}

deny message = Forged RoadRunner Mail, to unblock send email to ***@somewhere.org
senders = *@rr.com
condition = ${if match {$sender_host_name}{\Nrr.com$\N}{no}{yes}}

deny message = Forged RoadRunner Mail, to unblock send email to ***@somewhere.org
senders = *@rr.net
condition = ${if match {$sender_host_name}{\Nrr.net$\N}{no}{yes}}

deny message = Forged Gmail, to unblock send email to ***@somewhere.org
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\N(gmail|google).com$\N}{no}{yes}}

### the following checks need to happen after forged header checks

# sender domains whitelist
# accept if sender domain is in whitelist
  accept  sender_domains = +whitelist_domains

# sender hosts whitelist
# accept if sender host is in whitelist
  accept  hosts = +whitelist_hosts
  accept  hosts = +whitelist_hosts_ip

# OPTIONAL MODIFICATIONS:

You will of course need to change ***@someplace.org to match something that makes sense for your organization.

I left the gmail test to work for gmail.com and google.com to cover all the bases, it looks as though google.com may be all that is really necessary now though.

Thanks again for all your help.
 
A check of our logs indicates we may be bouncing some legitimate gmail mail. Are you certain you've got the right hostname setup?

Jeff
 
Jeff,

I just went back through my logs and since the 25th I have not bounced any gmail messages where the sender's host resolved to gmail.com or google.com, so as far as I can tell using gmail|google works for us here.

I just checked through the mainlog and see that some gmail mail has been delivered and it all came from hosts that end in google.com so maybe it would be worth a try changing...

Code:
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\N(gmail|google).com$\N}{no}{yes}}

to...

Code:
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\Ngoogle.com$\N}{no}{yes}}

Has anyone else experienced any problems with these settings? I definitely would not call myself an expert on this so I could be mistaken about something. I used xemaps' previous entry for hotmail.com to determine how to test for the possibility of two different servers. Here's the line from his config...

Code:
drop message = Forged MSN mail, connection denied!
senders = *@msn.com
condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}
delay = 20s
 
Hi,

This is so ironic.

I am now listed on SORBS because of this incident. And SORBS now demands a $50 ransom to get unlisted. I'm not paying it so I stay blocklisted. Those of you with Spamblocker won't even get my mails. It's so funny I could cry.

jlasman might think that myself, dan35 and others used Spamblocker incorrectly. I think we made a very reasonable assumption about what the config did and how Exim was meant to behave.

I suggest that DA put a big disclaimer or warning into the Exim config because I doubt I will be the last person to make this "mistake".

M



mbaboo said:
Hello,

This is still an issue and caused massive headaches for me.

My DA server was rejecting all mail from Gmail. Apparently some of Gmail's servers are blacklisted on some of the blacklist services that SpamBlocker uses. So SpamBlocker was rejecting valid emails from Gmail accounts.

So I started using the "whitelist_domains" file. I added gmail.com, yahoo.com and all other domains that I knew NOT to be spammers.

I wanted all mail from these domains to pass through the Spam Blocker filters and arrive in my Inbox. So far so good. That works fine.

Problem is that someone started to relay spam through my server. They pretended to be mailing from Yahoo by sending a spoofed yahoo.com "From" address; DA accepted the email, no questions asked, AND **relayed** it to anywhere. That is the problem. Those mails should pass SpamBlocker but they should fail the relaying.

In the end my server ran out of inodes due to the million-odd messages in the exim queue. I eventually had to remove my whitelist_domains file to rectify the problem.

The solution as I see it is for domains listed in whitelist_domains to be allowed ONLY for local delivery. Anything else must fall through to the next test. Which means local users will pass because they are authenticated or are in the pop_hosts file. Other unauthorised users will fail.

Does this make sense? Anyone not agree?


Regards,

Mustapha
 
It's unlikely (but possible) that one can get on SORBS because of this kind of problem; I had the problem myself until I realized the issue.

And it didn't get me on SORBS.

Please respond to my private message.

Jeff
 